Which two statements about application protocol detectors in the Cisco Firepower Systems are true? (Choose two)
A. They can analyze network traffic for specific application fingerprints
B. Port-based application protocol detectors can be modified for use as custom detectors
C. Port-based and Firepower-based application protocol detectors can be imported by the administrator
D. Firepower-based application protocol detectors are built in to the Firepower system and can be deactivated only by the system
E. They can be activated by VDB updates, but must be deactivated manually
F. They can detect web-based application activity in HTTP traffic
AF
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Application_Detection.html
A – is correct as Firepower detectors can use application fingerprints
Firepower-based application protocol detectors analyze network traffic using Firepower application fingerprints and are delivered via VDB or system update.
B – is not correct as you can view, but not modify, a port-based detector
Port-based application protocol detectors use well-known ports to identify network traffic. They are delivered via VDB or system update, or are provided for import by Cisco Professional Services. You can activate and deactivate application protocol detectors, and view a detector definition to use it as the basis for a custom detector.
C – is not correct as only Port detectors can be imported outside of VDB or system updates
Port-based application protocol detectors use well-known ports to identify network traffic. They are delivered via VDB or system update, or are provided for import by Cisco Professional Services.
Firepower-based application protocol detectors analyze network traffic using Firepower application fingerprints and are delivered via VDB or system update.
D – is not correct as you can deactivate Firepower detectors
Firepower-based application protocol detectors analyze network traffic using Firepower application fingerprints and are delivered via VDB or system update. You can activate and deactivate application protocol detectors.
E – is not correct as updates can be activated by VDB updates, but some can’t be deactivated, like “internal”, “web applications”
F – is correct
Web application detectors detect web applications in HTTP traffic payloads and are delivered via VDB or system update. Web application detectors are always on.
AE – I do not think B is correct as per:
https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/application_detection.html
Firepower-based application protocol detectors analyze network traffic using Firepower application fingerprints and are delivered via VDB or system update. You can activate and deactivate application protocol detectors.
Port-based application protocol detectors use well-known ports to identify network traffic. They are delivered via VDB or system update, or are provided for import by Cisco Professional Services. You can activate and deactivate application protocol detectors, and view a detector definition to use it as the basis for a custom detector.