Implementing and Operating Cisco Security Core Technologies (SCOR) — Question 134
A Cisco FTD engineer is creating a new IKEv2 policy called s2s00123456789 for their organization to allow additional protocols for terminating VPN connections from network devices.
They currently have only one policy established and need the new policy to act as a backup in case some devices cannot support the stronger algorithms listed in the primary policy. What should be done to support this?
Answer options
- A. Change the encryption to AES* to support all AES algorithms in the primary policy.
- B. Make the priority for the primary policy 10 and the new policy 1.
- C. Change the integrity algorithms to SHA* to support all SHA algorithms in the primary policy.
- D. Make the priority for the new policy 5 and the primary policy 1.
Correct answer: D
Explanation
The correct answer is D. On Cisco FTD (as on ASA), an IKEv2 policy's priority is a number from 1 to 65535 in which the lowest number is the most preferred: policies are evaluated from the lowest number upward and the first one the peer can fully match is used. Keeping the primary policy at 1 and giving the new policy 5 therefore means every peer that supports the stronger algorithms negotiates the primary policy, while a peer that cannot falls through to s2s00123456789. Option B inverts that ordering: with the new policy at 1 and the primary at 10, every peer would be offered the weaker backup first, so even devices capable of the stronger algorithms would settle for the weaker ones. Options A and C do not address ordering at all; they loosen the algorithm selection of the primary policy itself, which defeats the purpose of keeping a strong primary policy with a separate fallback.
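To make the priority semantics concrete, the following is an added Python model of the selection logic and is not Cisco code or output from an FTD device. It assumes the Cisco rule that policies are walked from the lowest priority number upward and that a policy matches a peer when the peer supports at least one algorithm in each category; the algorithm sets and peer capabilities are constructed sample data, not the algorithms in the question.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Ikev2Policy:
    """One IKEv2 policy: a priority plus the algorithm sets it proposes."""
    name: str
    priority: int  # Cisco semantics: 1 is most preferred, larger numbers are tried later
    encryption: frozenset
    integrity: frozenset
    prf: frozenset
    dh_groups: frozenset


@dataclass(frozen=True)
class PeerSupport:
    """Algorithms a remote peer is able to negotiate (constructed sample data)."""
    encryption: frozenset
    integrity: frozenset
    prf: frozenset
    dh_groups: frozenset


CATEGORIES = ("encryption", "integrity", "prf", "dh_groups")


def select_policy(policies: Iterable[Ikev2Policy], peer: PeerSupport) -> Optional[Ikev2Policy]:
    """Return the lowest-numbered policy the peer can fully match, or None.

    Policies are tried from the smallest priority number upward; a policy
    wins if the peer supports at least one algorithm in every category.
    """
    for policy in sorted(policies, key=lambda p: p.priority):
        if all(getattr(policy, cat) & getattr(peer, cat) for cat in CATEGORIES):
            return policy
    return None


def make_policies(primary_priority: int, backup_priority: int) -> tuple:
    """Build the two policies from the question with the given priority numbers."""
    primary = Ikev2Policy(
        name="primary", priority=primary_priority,
        encryption=frozenset({"aes-256"}), integrity=frozenset({"sha512"}),
        prf=frozenset({"sha512"}), dh_groups=frozenset({21}),
    )
    backup = Ikev2Policy(
        name="s2s00123456789", priority=backup_priority,
        encryption=frozenset({"aes-256", "aes-128"}), integrity=frozenset({"sha256"}),
        prf=frozenset({"sha256"}), dh_groups=frozenset({14}),
    )
    return (primary, backup)


# Option D: the primary stays at 1, the new backup policy gets 5.
OPTION_D = make_policies(primary_priority=1, backup_priority=5)
# Option B: the numbers are swapped, so the backup is tried first.
OPTION_B = make_policies(primary_priority=10, backup_priority=1)

MODERN_PEER = PeerSupport(  # supports everything in both policies
    encryption=frozenset({"aes-256", "aes-128"}), integrity=frozenset({"sha512", "sha256"}),
    prf=frozenset({"sha512", "sha256"}), dh_groups=frozenset({21, 14}),
)
LEGACY_PEER = PeerSupport(  # cannot do AES-256, SHA-512 or DH group 21
    encryption=frozenset({"aes-128"}), integrity=frozenset({"sha256"}),
    prf=frozenset({"sha256"}), dh_groups=frozenset({14}),
)
OBSOLETE_PEER = PeerSupport(  # matches neither policy; the tunnel must not come up
    encryption=frozenset({"3des"}), integrity=frozenset({"md5"}),
    prf=frozenset({"md5"}), dh_groups=frozenset({2}),
)


def chosen(policies: Iterable[Ikev2Policy], peer: PeerSupport) -> Optional[str]:
    """Name of the policy that would be negotiated with this peer, or None."""
    policy = select_policy(policies, peer)
    return policy.name if policy else None


if __name__ == "__main__":
    for label, policies in (("option D", OPTION_D), ("option B", OPTION_B)):
        for peer_name, peer in (("modern", MODERN_PEER), ("legacy", LEGACY_PEER), ("obsolete", OBSOLETE_PEER)):
            print(f"{label:9} {peer_name:9} -> {chosen(policies, peer)}")
```

Under option D a modern peer lands on the primary policy and only the legacy peer falls through to s2s00123456789; under option B even the modern peer negotiates the weaker backup, because it sits at priority 1 and is tried first. A peer that matches neither policy gets no IKE SA at all, which is the behaviour you want rather than silently accepting weaker algorithms.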