300-710_Comment_Questions Flashcards

1
Q

Which command should be used on the Cisco FTD CLI to capture all the packets that hit an interface?

A. configure coredump packet-engine enable
B. capture-traffic
C. capture
D. capture WORD

A

Answer C

capture
To enable packet capture capabilities for packet sniffing and network fault isolation, use the capture command.

capture-traffic
To intercept and capture packets passing through the threat defense interface, use the capture-traffic command. You can capture traffic on a specified threat defense domain that matches the integer expression from the list of options presented, either the management interface (br1) or traffic interfaces.

Ingress packets are captured before most packet processing.
Egress packets are captured after all processing.
“>capture-traffic” is a capture in Snort which shows packets read from the DAQ.

2
Q

What is the benefit of selecting the trace option for packet capture?

A. The option indicates whether the packet was dropped or successful.
B. The option indicates whether the destination host responds through a different path.
C. The option limits the number of packets that are captured.
D. The option captures details of each packet.

A

Answer A

Packet capture is available with the trace option, which provides you with a verdict as to whether the packet is dropped or successful.

3
Q

What are two features of bridge-group interfaces in Cisco FTD? (Choose two.)

A. The BVI IP address must be in a separate subnet from the connected network.
B. Bridge groups are supported in both transparent and routed firewall modes.
C. Bridge groups are supported only in transparent firewall mode.
D. Bidirectional Forwarding Detection echo packets are allowed through the FTD when using bridge-group members.
E. Each directly connected network must be on the same subnet.

A

Answer B and E

About Bridge Groups
* A bridge group is a group of interfaces that the Firepower Threat Defense device bridges instead of routes. Bridge groups are supported in both transparent and routed firewall mode. Like any other firewall interfaces, access control between interfaces is controlled, and all of the usual firewall checks are in place.

Guidelines for Firewall Mode
Bridge Group Guidelines (Transparent and Routed Mode)
You can create up to 250 bridge groups, with 64 interfaces per bridge group.
Each directly-connected network must be on the same subnet.

4
Q

While configuring FTD, a network engineer wants to ensure that traffic passing through the appliance does not require routing or VLAN rewriting. Which interface mode should the engineer implement to accomplish this task?

A. inline set
B. passive
C. transparent
D. inline tap

A

Answer A

Inline set: it is called bump-in-the-wire mode. Traffic passes through the appliance, but it does not require routing or VLAN rewriting.

Passive: traffic does not flow through the IPS.
Inline tap: it gets a copy of the packets; traffic does not flow through the IPS.
Transparent: it is transparent inline mode, so this could be an answer as well.

5
Q

Which two dynamic routing protocols are supported in Cisco FTD without using FlexConfig? (Choose two.)

A. EIGRP
B. OSPF
C. static routing
D. IS-IS
E. BGP

A

Answer B & E

The question asks for dynamic routing protocols, so “static routing” is wrong; OSPF and BGP are the right choices, and both can be configured with Smart CLI without FlexConfig.

6
Q

With Cisco FTD software, which interface mode must be configured to passively receive traffic that passes through the appliance?

A. inline set
B. passive
C. routed
D. inline tap

A

Answer D

With passive interface configuration, traffic does not “pass through” the device; the FTD is configured in an out-of-band mode.
Passive mode doesn’t allow traffic to pass through the appliance. It just receives traffic.
INLINE TAP sends a COPY of the data to the Snort engine, where THAT COPY is then dropped… Meanwhile, in parallel, the actual traffic continues THROUGH the appliance uninterrupted.

7
Q

What are the minimum requirements to deploy a managed device inline?

A. inline interfaces, security zones, MTU, and mode
B. passive interface, MTU, and mode
C. inline interfaces, MTU, and mode
D. passive interface, security zone, MTU, and mode

A

Answer C

The answer is C: inline interfaces, MTU and mode.
Security zone is optional.

8
Q

On the advanced tab under inline set properties, which allows interfaces to emulate a passive interface?

A. transparent inline mode
B. TAP mode
C. strict TCP enforcement
D. propagate link state

A

Answer B

Link state propagation automatically brings down the second interface in the inline interface pair when one of the interfaces in an inline set goes down. When the downed interface comes back up, the second interface automatically comes back up, also. In other words, if the link state of one interface changes, the device senses the change and updates the link state of the other interface to match it. Note that devices require up to 4 seconds to propagate link state changes. Link state propagation is especially useful in resilient network environments where routers are configured to reroute traffic automatically around network devices that are in a failure state.

9
Q

An organization has implemented Cisco Firepower without IPS capabilities and now wants to enable inspection for their traffic. They need to be able to detect protocol anomalies and utilize the Snort rule sets to detect malicious behavior. How is this accomplished?

A. Modify the network discovery policy to detect new hosts to inspect.
B. Modify the access control policy to redirect interesting traffic to the engine.
C. Modify the intrusion policy to determine the minimum severity of an event to inspect.
D. Modify the network analysis policy to process the packets for inspection.

A

Answer B

A network analysis policy (NAP) governs how traffic is decoded and preprocessed so that it can be further evaluated, especially for anomalous traffic that might signal an intrusion attempt.
To apply intrusion policies to network traffic, you select the policy within an access control rule that allows traffic. You do not directly assign intrusion policies.

10
Q

An engineer is monitoring network traffic from their sales and product development departments, which are on two separate networks. What must be configured in order to maintain data privacy for both departments?

A. Use passive IDS ports for both departments.
B. Use a dedicated IPS inline set for each department to maintain traffic separation.
C. Use 802.1Q inline set Trunk interfaces with VLANs to maintain logical traffic separation.
D. Use one pair of inline set in TAP mode for both departments.

A

Answer A

Use passive IDS ports for both departments.
There’s nothing wrong with answer A. Especially since they state they are on separate networks. Do they both go out their own firewalls and internet connections? Then you would SPAN or ERSPAN copies of traffic to passive interfaces and do IDS instead of IPS. Not sure what “Data Privacy” is supposed to mean, but in IDS mode, those packets are discarded after inspection in an IDS configuration, and don’t go through the device.

11
Q

With Cisco FTD software, which interface mode must be configured to passively receive traffic that passes through the appliance?

A. ERSPAN
B. firewall
C. tap
D. IPS-only

A

Answer D

There are only two interface modes on FTD, “You can deploy FTD interfaces in two modes: Regular firewall mode and IPS-only mode. You can include both firewall and IPS-only interfaces on the same device. IPS-only interfaces can be deployed as the following types: Inline Set, with optional Tap mode”. So you could have IPS-only as inline with tap that would make it into IDS and therefore passive. Firewall interface mode can be deployed as Routed or Bridge Groups with BVI.

12
Q

An organization has a compliance requirement to protect servers from clients; however, the clients and servers all reside on the same Layer 3 network. Without readdressing IP subnets for clients or servers, how is segmentation achieved?

A. Change the IP addresses of the servers, while remaining on the same subnet.
B. Deploy a firewall in routed mode between the clients and servers.
C. Change the IP addresses of the clients, while remaining on the same subnet.
D. Deploy a firewall in transparent mode between the clients and servers.

A

Answer D

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices. However, like any other firewall, access control between interfaces is controlled, and all of the usual firewall checks are in place. Layer 2 connectivity is achieved by using a “bridge group” where you group together the inside and outside interfaces for a network, and the Firepower Threat Defense device uses bridging techniques to pass traffic between the interfaces. Each bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network. You can have multiple bridge groups for multiple networks. In transparent mode, these bridge groups cannot communicate with each other.

13
Q

In a multi-tenant deployment where multiple domains are in use, which update should be applied outside of the Global Domain?

A. minor upgrade
B. local import of intrusion rules
C. Cisco Geolocation Database
D. local import of major upgrade

A

Answer B

In a multidomain deployment, you can import local intrusion rules in any domain. You can view local intrusion rules imported in the current domain and ancestor domains.

14
Q

After using Firepower for some time and learning about how it interacts with the network, an administrator is trying to correlate malicious activity with a user.
Which widget should be configured to provide this visibility on the Cisco Firepower dashboards?

A. Current Sessions
B. Correlation Events
C. Current Status
D. Custom Analysis

A

Answer B

The Correlation Events widget shows the average number of correlation events per second, by priority.

15
Q

What is the maximum bit size that Cisco FMC supports for HTTPS certificates?

A. 1024
B. 8192
C. 4096
D. 2048

A

Answer D

The FMC supports 2048-bit HTTPS certificates. If the certificate used by the FMC was generated using a public server key larger than 2048 bits, you will not be able to log in to the FMC web interface. If this happens, contact Cisco TAC.

A newer FMC version, 6.6, supports 4096-bit certificates.

16
Q

Which command must be run to generate troubleshooting files on an FTD?

A. system support view-files
B. sudo sf_troubleshoot.pl
C. system generate-troubleshoot all
D. show tech-support

A

Answer C

Firepower Devices
Enter this command on Firepower devices/modules and virtual managed devices in order to generate a troubleshoot file:

> system generate-troubleshoot all

FMC (Troubleshoot): sudo sf_troubleshoot.pl
FTD (Troubleshoot): system generate-troubleshoot all

17
Q

Which command is typed at the CLI on the primary Cisco FTD unit to temporarily stop running high-availability?

A. configure high-availability resume
B. configure high-availability disable
C. system support network-options
D. configure high-availability suspend

A

Answer D

If you choose disable, you will PERMANENTLY break the high availability connection.

The keyword here is “TEMPORARILY”

18
Q

A network administrator is concerned about the high number of malware files affecting users’ machines. What must be done within the access control policy in Cisco FMC to address this concern?

A. Create an intrusion policy and set the access control policy to block
B. Create an intrusion policy and set the access control policy to allow
C. Create a file policy and set the access control policy to allow
D. Create a file policy and set the access control policy to block

A

Answer C

A block action in the ACP will never use a file policy; it blocks everything.
Creating a file policy, adding it to the ACP, and blocking within the file policy is a good solution.
You can’t further inspect traffic on a block action in the ACP.

19
Q

An administrator is creating interface objects to better segment their network but is having trouble adding interfaces to the objects. What is the reason for this failure?

A. The interfaces are being used for NAT for multiple networks
B. The administrator is adding interfaces of multiple types
C. The administrator is adding an interface that is in multiple zones
D. The interfaces belong to multiple interface groups

A

Answer B

All interfaces in an interface object must be of the same type: all inline, passive, switched, routed, or ASA FirePOWER. After you create an interface object, you cannot change the type of interfaces it contains.

20
Q

A network administrator notices that remote access VPN users are not reachable from inside the network. It is determined that routing is configured correctly; however, return traffic is entering the firewall but not leaving it. What is the reason for this issue?

A. A manual NAT exemption rule does not exist at the top of the NAT table
B. An external NAT IP address is not configured
C. An external NAT IP address is configured to match the wrong interface
D. An object NAT exemption rule does not exist at the top of the NAT table

A

Answer A

NAT exemptions can only be done with manual rules before Auto/Object NAT.

21
Q

An organization has a Cisco FTD that uses bridge groups to pass traffic from the inside interfaces to the outside interfaces. They are unable to gather information about neighboring Cisco devices or use multicast in their environment. What must be done to resolve this issue?

A. Create a firewall rule to allow CDP traffic
B. Create a bridge group with the firewall interfaces
C. Change the firewall mode to transparent
D. Change the firewall mode to routed

A

Answer C

“In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule…”
“The bridge group does not pass CDP packets…”

22
Q

When deploying a Cisco ASA Firepower module, an organization wants to evaluate the contents of the traffic without affecting the network. It is currently configured to have more than one instance of the same device on the physical appliance. Which deployment mode meets the needs of the organization?

A. inline tap monitor-only mode
B. passive monitor-only mode
C. passive tap monitor-only mode
D. inline mode

A

Answer A

“Lets you evaluate the content of the traffic, without impacting the network.”
The question takes this exact sentence from the Cisco site for inline tap monitor-only mode. Please see the link below. So A is the correct answer.

23
Q

A network administrator discovers that a user connected to a file server and downloaded a malware file. The Cisco FMC generated an alert for the malware event, however the user still remained connected. Which Cisco AMP file rule action within the Cisco FMC must be set to resolve this issue?

A. Malware Cloud Lookup
B. Reset Connection
C. Detect Files
D. Local Malware Analysis

A

Answer B

Cisco recommends that you enable Reset Connection for the Block Files and Block Malware actions to prevent blocked application sessions from remaining open until the TCP connection resets. If you do not reset connections, the client session will remain open until the TCP connection resets itself.

24
Q

A network administrator notices that SI events are not being updated. The Cisco FTD device is unable to load all of the SI event entries and traffic is not being blocked as expected. What must be done to correct this issue?

A. Restart the affected devices in order to reset the configurations.
B. Redeploy configurations to affected devices so that additional memory is allocated to the SI module.
C. Replace the affected devices with devices that provide more memory.
D. Manually update the SI event entries so that the appropriate traffic is blocked.

A

Answer B

Memory limitations. Cisco Intelligence Feeds are based on the latest threat intelligence from Cisco Talos Intelligence Group (Talos). These feeds tend to get larger as time passes. When a Firepower device receives a feed update, it loads as many entries as it can into the memory it has allocated for Security Intelligence. When a device cannot load all the entries, it may not block traffic as expected. Some connections that should be blocked by a Block list instead continue to be evaluated by access control rules.

25
Q

With a recent summer time change, system logs are showing activity that occurred to be an hour behind real time. Which action should be taken to resolve this issue?

A. Manually adjust the time to the correct hour on all managed devices.
B. Configure the system clock settings to use NTP with Daylight Savings checked.
C. Configure the system clock settings to use NTP.
D. Manually adjust the time to the correct hour on the Cisco FMC.

A

Answer C

C is the answer because there is no option to enable daylight savings time in the FMC GUI > Settings > Time* or Device > Platform > Time*.

26
Q

An administrator is attempting to remotely log into a switch in the data center using SSH and is unable to connect. How does the administrator confirm that traffic is reaching the firewall?

A. by performing a packet capture on the firewall
B. by attempting to access it from a different workstation
C. by running Wireshark on the administrator’s PC
D. by running a packet tracer on the firewall

A

Answer A

Packet capture will show packets arriving at the interface on the firewall.

Packet tracer is a simulation of a packet flowing through the device.

27
Q

Refer to the exhibit. An organization has an access control rule with the intention of sending all social media traffic for inspection. After using the rule for some time, the administrator notices that the traffic is not being inspected, but is being automatically allowed. What must be done to address this issue?

A

Answer C

“Trust” traffic is not being inspected.

28
Q

An engineer is attempting to add a new FTD device to their FMC behind a NAT device with a NAT ID of ACME001 and a password of Cisco0391521107. Which command set must be used in order to accomplish this?

A. configure manager add <FMC> <registration> ACME001
B. configure manager add ACME001 <registration> <FMC>
C. configure manager add <FMC> ACME001 <registration>
D. configure manager add DONTRESOLVE <FMC> AMCE001 <registration>

A

Answer A

29
Q

An administrator is working on a migration from Cisco ASA to the Cisco FTD appliance and needs to test the rules without disrupting the traffic. Which policy type should be used to configure the ASA rules during this phase of the migration?

A. Prefilter
B. Intrusion
C. Access Control
D. Identity

A

Answer C

Prefilter requires FTD; the question is about ASA.
Using prefilter you do not have such granular filtering possibilities. An ACP rule with the Monitor action can be your solution.