Which statement about the policy map named test is true?

Refer to the exhibit. Which statement about the policy map named test is true?

A. Only HTTP inspection will be applied to the TCP port 21 traffic.
B. Only FTP inspection will be applied to the TCP port 21 traffic.
C. Both HTTP and FTP inspections will be applied to the TCP port 21 traffic.
D. No inspection will be applied to the TCP port 21 traffic, because the http class map configuration conflicts with the ftp class map.
E. All FTP traffic will be denied, because the FTP traffic will fail the HTTP inspection.


4 thoughts on “Which statement about the policy map named test is true?”

  1. A is correct.

    https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/mpf_service_policy.html#56325

    Feature Matching Within a Service Policy

    See the following information for how a packet matches class maps in a policy map for a given interface:

    1. A packet can match only one class map in the policy map for each feature type.

    2. When the packet matches a class map for a feature type, the ASA does not attempt to match it to any subsequent class maps for that feature type.

    3. If the packet matches a subsequent class map for a different feature type, however, then the ASA also applies the actions for the subsequent class map, if supported. See the “Incompatibility of Certain Feature Actions” section for more information about unsupported combinations.

    Note: Application inspection includes multiple inspection types, and most are mutually exclusive. For inspections that can be combined, each inspection is considered to be a separate feature.

    For example, if a packet matches a class map for connection limits, and also matches a class map for an application inspection, then both actions are applied.

    If a packet matches a class map for HTTP inspection, but also matches another class map that includes HTTP inspection, then the second class map actions are not applied.

    If a packet matches a class map for HTTP inspection, but also matches another class map that includes FTP inspection, then the second class map actions are not applied because HTTP and FTP inspections cannot be combined.

    If a packet matches a class map for HTTP inspection, but also matches another class map that includes IPv6 inspection, then both actions are applied because the IPv6 inspection can be combined with any other type of inspection.

    Order in Which Multiple Feature Actions are Applied

    The order in which different types of actions in a policy map are performed is independent of the order in which the actions appear in the policy map.

  2. Anonymous: You can bind any service to any port. So http could use port 21 and it would then be possible to inspect http on port 21.
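
The matching rules quoted in the first comment, modelled in Python as an added example (not from the original page, its commenters, or Cisco). The policy map is constructed because the exhibit is not reproduced here; the class names, port ranges, and the treatment of IPv6 as the only combinable inspection are assumptions drawn from the quoted examples.

```python
from dataclasses import dataclass

# Assumption: IPv6 is the only combinable inspection, since it is the only one
# the quoted text names; every other inspection shares a single feature slot.
COMBINABLE_INSPECTIONS = {"ipv6"}

@dataclass
class ClassEntry:
    name: str        # class map name
    ports: range     # TCP destination ports the class map matches
    actions: list    # (kind, detail) pairs, e.g. ("inspect", "http")

def feature_type(kind, detail):
    """Map an action to the feature slot it occupies for one packet."""
    if kind == "inspect" and detail in COMBINABLE_INSPECTIONS:
        return "inspect:" + detail   # combinable inspection = its own feature
    return kind

def applied_actions(policy_map, dst_port):
    """Walk the classes in order; the first match wins per feature type."""
    claimed = set()
    applied = []
    for entry in policy_map:
        if dst_port not in entry.ports:
            continue
        for kind, detail in entry.actions:
            slot = feature_type(kind, detail)
            if slot in claimed:
                continue             # an earlier class already took this feature
            claimed.add(slot)
            applied.append((entry.name, kind, detail))
    return applied

# Constructed policy map (the exhibit is not reproduced on the page).
CONSTRUCTED_POLICY = [
    ClassEntry("http", range(21, 81), [("inspect", "http")]),
    ClassEntry("ftp", range(21, 22), [("inspect", "ftp")]),
    ClassEntry("limits", range(1, 65536), [("connection-limits", "")]),
    ClassEntry("v6", range(1, 65536), [("inspect", "ipv6")]),
]

if __name__ == "__main__":
    for port in (21, 80, 443):
        print(port, applied_actions(CONSTRUCTED_POLICY, port))
```

Swapping the first two entries makes the `ftp` class claim the inspection slot for port 21 instead, which is why class order inside the policy map decides which inspection a port receives.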
