Probably D since sending connection events straight from FTDs to the SIEM could help reduce FMC load, but does the question specify if both event types must be centralized before forwarding? If all events have to go through FMC, that would change things.

saw pretty similar problem in my exam in official labs. Choosing B makes sense since 'drop packet' will block the low priority intrusion traffic without generating extra events, so the dashboard won't get cluttered. Official Cisco guides touch on this. Anyone disagree?

If you want to edit a report template from an ancestor domain in Cisco FMC, you need to copy it to your current domain. So that's B. You can't directly edit the inherited one until it's copied over. Pretty sure that's how FMC handles template inheritance.

B imo, that's the only way to actually edit an inherited template. FMC doesn't let you change ancestor domain assets directly, so you have to copy it first. Saw similar behavior in practice. Someone correct me if I missed something here.

A imo since transparent mode lets the firewall monitor intra-subnet traffic without routing it, so hop count doesn't change. Had something like this in a mock before, pretty sure that's the point. Agree?

Pretty straightforward, it's B. Denying multicast and broadcast by default in transparent mode helps prevent L2 loops since those types of frames could flood and cause looping. Saw a similar question in some exam reports. Anyone disagree?