You have implemented a Sourcefire IPS and configured it to block certain addresses utilizing Security
Intelligence IP Address Reputation. A user calls and is not able to access a certain IP address. What action can
you take to allow the user access to the IP address?
A.
Create a custom blacklist to allow traffic
B.
Create a whitelist and add the appropriate IP address to allow traffic
C.
Create a user-based access control rule to allow the traffic
D.
Create a network-based access control rule to allow the traffic
E.
Create a rule to bypass inspection to allow the traffic
Explanation:
Brad
Confidence level: 100%
Remember: Blacklists are created to block traffic, not allow
BD
Using Security Intelligence Whitelists
In addition to a blacklist, each access control policy has an associated whitelist, which you can also populate
with Security Intelligence objects. A policy’s whitelist overrides its blacklist. That is, the system evaluates traffic
with a whitelisted source or destination IP address using access control rules, even if the IP address is also
blacklisted. In general, use the whitelist if a blacklist is still useful, but is too broad in scope and incorrectly
blocks traffic that you want to inspect.
Source: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuidev5401/AC-Secint-Blacklisting.pdf
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117993-technote-firesight-00.html#anc11
The answer is correct check the website above it says
You can whitelist an IP address that is blacklisted by Security Intelligence. A whitelist overrides its blacklist. The FireSIGHT system evaluates traffic with a whitelisted source or destination IP address using access control rules, even if an IP address is also blacklisted. Therefore, you can use a whitelist when a blacklist is still useful, but is too broad in scope and incorrectly blocks traffic that you want to inspect.
0
0