PrepAway - Latest Free Exam Questions & Answers

Which of the following is true? (Select the best answer.)

You enable logging at the end of the session in Cisco FireSIGHT Management Center.
Which of the following is true? (Select the best answer.)
A. The log will contain less information than at the beginning of the session.
B. You will not be able to log connections handled by an SSL policy.
C. Information will be based on only the first few packets of a connection.

D. The log will contain information from throughout the course of a connection.

Explanation/Reference:
In Cisco FireSIGHT Management Center, the log will contain information from throughout the course of a connection if you enable logging at the end of the session, which is also known as endofconnection logging. Endofconnection events are generated when a connection closes, times out, or can no longer be tracked because of memory constraints. Endofconnection events contain significantly more information than beginningofconnection events because they can draw upon data collected throughout the course of a connection. This additional information can be used to create traffic profiles, generate connection summaries, or graphically represent connection data. In addition, the data can be used for detailed analysis or to trigger correlation rules based on session data. Endofconnection events are also required to log encrypted connections that are handled by a Secure Sockets Layer (SSL) policy because there is not enough information in the first few packets to indicate that a connection is encrypted.
Beginningofconnection events contain less information than endofconnection events. Cisco FireSIGHT Management Center, which was formerly called Sourcefire Defense Center, can log beginningofconnection events and endofconnection events for various types of network traffic. Although most network traffic will generate both kinds of events, blocked or blacklisted traffic is typically denied without further processing and therefore only generates beginningofconnection events. Beginningofconnection events contain a limited amount of information because they are generated based on the information contained in the first few packets of a connection.
Reference:
Cisco: Logging Connections in Network Traffic: Logging the Beginning or End of Connections


Leave a Reply