PrepAway - Latest Free Exam Questions & Answers

Which of the following policies on a Cisco Firepower NGIPS can provide a centralized source of information regarding the status of registered devices?

A. network discovery

B. intrusion

C. health

D. network analysis

Explanation:
On a Cisco Firepower Next-Generation Intrusion Prevention System (NGIPS), a health policy can provide a centralized source of information regarding the status of registered devices. The FMC health monitor uses a health policy to define a group of tests, which are referred to as health modules, that should be performed for one or more managed devices. A default health policy is provided to facilitate the rapid implementation of health monitoring. This policy typically includes all supported health modules available for a specific hardware platform and is automatically applied to devices. Although the default policy cannot be edited, it can be copied and the copy can be used as the starting point for a custom policy.

The tests defined in a health policy are usually run at intervals that can be modified to meet the needs of the administrator. These intervals are specific to each test or health module. An administrator can manually initiate tests when necessary. Health modules can generate alerts in the form of Syslog messages, Simple Network Management Protocol (SNMP) traps, or email notifications. Alert thresholds can be configured to reduce the number of repeated alerts.

Traffic that passes through a Firepower NGIPS may pass through a number of security modules before it is either forwarded to its destination or ultimately discarded. Although the number of security modules through which a particular flow of traffic passes depends on the configuration, the order in which those modules are traversed remains constant.

First, traffic passes through the security intelligence module. Security intelligence provides basic blacklist and whitelist filtering based on a combination of Cisco-curated feeds and manual configuration. Unencrypted traffic that is passed by the security intelligence module is then forwarded directly to the network analysis policies, whereas encrypted traffic is first passed to Secure Sockets Layer (SSL) policies for decryption and preprocessing. Network analysis policies perform additional traffic decoding and preprocessing to facilitate more efficient pattern matching and threat detection in subsequent modules.

After being processed by network analysis policies, traffic is passed to the access control module, which uses access control rules to determine how traffic will be handled. Access control rules can identify traffic as being either monitored, trusted, blocked, or allowed. Once matched by an access control rule, traffic is passed to the network discovery policy, which can be used to extract host, application, and user information from the traffic. If file policies exist, traffic is then checked for malware and other prohibited types of files. Finally, the traffic is passed to the network intrusion policies for pattern-based threat analysis. Any traffic that has not been discarded or redirected after passing through the network intrusion policies is forwarded to its destination.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/health_monitoring.html#ID-2227-0000001f
