SNCF — Securing Networks with Firepower — Question 127

An engineer is troubleshooting connectivity to the DNS servers from hosts behind a new Cisco FTD device. The hosts cannot send DNS queries to servers in the DMZ. Which action should the engineer take to troubleshoot this issue using the real DNS packets?

Answer options

• A. Use the packet capture tool to check where the traffic is being blocked and adjust the access control or intrusion policy as needed
• B. Use the Connection Events dashboard to check the block reason and adjust the inspection policy as needed
• C. Use the packet tracer tool to determine at which hop the packet is being dropped
• D. Use the show blocks command in the Threat Defense CLI tool and create a policy to allow the blocked traffic

Correct answer: A

Explanation

Option A is correct because using the packet capture tool allows the engineer to analyze the actual DNS packets and pinpoint where the traffic is being blocked, enabling necessary adjustments to the policies. The other options do not provide a direct method for capturing and analyzing real DNS packets, making them less effective for this specific troubleshooting scenario.