You have implemented a Sourcefire IPS and configured it to block certain addresses utilizing Security Intelligence IP Address Reputation. A user calls and is not able to access a certain IP address. What action can you take to allow the user access to the IP address?
A. Create a whitelist and add the appropriate IP address to allow the traffic.
B. Create a custom blacklist to allow the traffic.
C. Create a user based access control rule to allow the traffic.
D. Create a network based access control rule to allow the traffic.
E. Create a rule to bypass inspection to allow the traffic.
This is a really dumb idea. 🙂
Using Security Intelligence Whitelists
In addition to a blacklist, each access control policy has an associated whitelist, which you can also
populate with Security Intelligence objects. A policy’s whitelist overrides its blacklist. That is, the
system evaluates traffic with a whitelisted source or destination IP address using access control rules,
even if the IP address is also blacklisted. In general, use the whitelist if a blacklist is still useful, but is
too broad in scope and incorrectly blocks traffic that you want to inspect.
For example, if a reputable feed improperly blocks your access to vital resources but is overall useful to
your organization, you can whitelist only the improperly classified IP addresses, rather than removing
the whole feed from the blacklist.
https://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AC-Secint-Blacklisting.pdf
Wouldn’t A allow access for all users? The question states “a user”, so C would be more appropriate.