CCNP SCOR 350-701 - Actual Exam Questions Flashcards
1
Q
Which functions of an SDN architecture require southbound APIs to enable communication?
A. SDN controller and the network elements
B. management console and the SDN controller
C. management console and the cloud
D. SDN controller and the cloud
A
A) SDN controller and the network elements
Southbound APIs that relay information between the controller and the individual network devices (such as switches, access points, routers, and firewalls)
https://www.cisco.com/c/en/us/solutions/software-defined-networking/overview.html
2
Q
Which two request methods of REST API are valid on the Cisco ASA Platform? (Choose two.)
A. put
B. options
C. get
D. push
E. connect
A
A-C
Request Structure
Available request methods are:
GET – Retrieves data from the specified object.
PUT – Adds the supplied information to the specified object; returns a 404 Resource Not Found error if the object does not exist.
POST – Creates the object with the supplied information.
DELETE – Deletes the specified object.
PATCH – Applies partial modifications to the specified object.
https://www.cisco.com/c/en/us/td/docs/security/asa/api/qsg-asa-api.html#pgfId-68826
3
Q
The main function of northbound APIs in the SDN architecture is to enable communication between which two areas of a network?
A. SDN controller and the cloud
B. management console and the SDN controller
C. management console and the cloud
D. SDN controller and the management solution
A
D) SDN controller and the management solution
Northbound APIs are the link between the applications and the SDN controller. The applications can tell the network what they need (data, storage, bandwidth, and so on) and the network can deliver those resources, or communicate what it has. These APIs support a wide variety of applications
4
Q
What is a feature of the open platform capabilities of Cisco DNA Center?
A. application adapters
B. domain integration
C. intent-based APIs
D. automation adapters
A
C) intent-based APIs
The Cisco DNA Center open platform for intent-based networking provides 360-degree extensibility across multiple components, including:
● Intent-based APIs
● Process adapters
● Domain adapters
● SDKs
5
Q
Refer to the exhibit. What does the API do when connected to a Cisco security appliance?
A. create an SNMP pull mechanism for managing AMP
B. gather network telemetry information from AMP for endpoints
C. get the process and PID information from the computers in the network
D. gather the network interface information about the computers AMP sees
A
D. Gather the network interface information about the computers AMP sees
Verified correct.
6
Q
Which form of attack is launched using botnets?
A. TCP flood
B. DDOS
C. DOS
D. virus
A
B
7
Q
In which form of attack is alternate encoding, such as hexadecimal representation, most often observed?
A. smurf
B. distributed denial of service
C. cross-site scripting
D. rootkit exploit
A
C. cross-site scripting
Verified correct
8
Q
Which flaw does an attacker leverage when exploiting SQL injection vulnerabilities?
A. user input validation in a web page or web application
B. Linux and Windows operating systems
C. database
D. web page images
A
A. user input validation in a web page or web application
Verified correct
9
Q
What is the difference between deceptive phishing and spear phishing?
A. Deceptive phishing is an attack aimed at a specific user in the organization who holds a C-level role.
B. A spear-phishing campaign is aimed at a specific person versus a group of people.
C. Spear phishing is when the attack is aimed at the C-level executives of an organization.
D. Deceptive phishing hijacks and manipulates the DNS server of the victim and redirects the user to a false webpage.
A
B. A spear-phishing campaign is aimed at a specific person versus a group of people
Verified correct
10
Q
Which two behavioral patterns characterize a ping of death attack? (Choose two.)
A. The attack is fragmented into groups of 16 octets before transmission
B. The attack is fragmented into groups of 8 octets before transmission
C. Short synchronized bursts of traffic are used to disrupt TCP connections
D. Malformed packets are used to crash systems
E. Publicly accessible DNS servers are typically used to execute the attack
A
B) The attack is fragmented into groups of 8 octets before transmission
D) Malformed packets are used to crash systems
11
Q
Which two mechanisms are used to control phishing attacks? (Choose two.)
A. Enable browser alerts for fraudulent websites.
B. Define security group memberships.
C. Revoke expired CRL of the websites.
D. Use antispyware software.
E. Implement email filtering techniques.
A
A. Enable browser alerts for fraudulent websites.
E
12
Q
Which attack is commonly associated with C and C++ programming languages?
A. Cross-site scripting
B. Water holing
C. DDoS
D. Buffer overflow
A
D. Buffer overflow
https://en.wikipedia.org/wiki/Buffer_overflow
13
Q
Which two prevention techniques are used to mitigate SQL injection attacks? (Choose two.)
A. Check integer, float, or Boolean string parameters to ensure accurate values.
B. Use prepared statements and parameterized queries.
C. Secure the connection between the web and the app tier.
D. Write SQL code instead of using object-relational mapping libraries.
E. Block SQL code execution in the web application database login.
A
A. Check integer, float, or Boolean string parameters to ensure accurate values.
B. Use prepared statements and parameterized queries.
https://en.wikipedia.org/wiki/SQL_injection
14
Q
Which two kinds of attacks are prevented by multifactor authentication? (Choose two.)
A. phishing
B. brute force
C. man-in-the-middle
D. DDOS
E. teardrop
A
A. phishing
B. brute force
https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-mfa-password-security-infographic.pdf
MFA protects against phishing, social engineering, and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials.
15
Q
What are two rootkit types? (Choose two.)
A. registry
B. buffer mode
C. user mode
D. bootloader
E. virtual
A
C. User mode
D. Bootloader
16
Q
How is DNS tunneling used to exfiltrate data out of a corporate network?
A. It leverages the DNS server by permitting recursive lookups to spread the attack to other DNS servers
B. It encodes the payload with random characters that are broken into short strings and the DNS server rebuilds the exfiltrated data
C. It redirects DNS requests to a malicious server used to steal user credentials, which allows further damage and theft on the network
D. It corrupts DNS servers by replacing the actual IP address with a rogue address to collect information or start other attacks
A
B) It encodes the payload with random characters that are broken into short strings and the DNS server rebuilds the exfiltrated data
Once the desired data is obtained, the payload encodes the data as a series of 32 characters (0-9, A-Z) broken into short strings (3KJ242AIE9, PO28X977W, .
17
Q
Which type of attack is social engineering?
A. trojan
B. MITM
C. phishing
D. malware
A
C. phishing
18
Q
What are two DDoS attack categories? (Choose two.)
A. protocol
B. source-based
C. database
D. sequential
E. volume-based
A
A. protocol
E. volume-based
Protocol Attacks: Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more
Volume Based: Includes UDP floods, ICMP floods, and other spoofed-packet floods. … . … Application Layer Attacks.
19
Q
In which type of attack does the attacker insert their machine between two hosts that are communicating with each other?
A. man-in-the-middle
B. LDAP injection
C. insecure API
D. cross-site scripting
A
A. man-in-the-middle
20
Q
How does Cisco Advanced Phishing Protection protect users?
A. It utilizes sensors that send messages securely.
B. It uses machine learning and real-time behavior analytics.
C. It validates the sender by using DKIM.
D. It determines which identities are perceived by the sender.
A
B. It uses machine learning and real-time behavior analytics.
Verified
Cisco Advanced Phishing Protection provides Business Email Compromise (BEC) and phishing detection capabilities. It detects identity deception-based threats by performing reputation checks on sender addresses by using advanced machine learning techniques and added intelligence. This intelligence continuously adapts to drive a real-time understanding of senders and provides enhanced protection.
21
Q
How does DNS Tunneling exfiltrate data?
A. An attacker registers a domain that a client connects to based on DNS records and sends malware through that connection.
B. An attacker opens a reverse DNS shell to get into the clients system and installs malware on it.
C. An attacker sends an email to the target with hidden DNS resolvers in it to redirect them to a malicious domain.
D. An attacker uses a non-standard DNS port to gain access to the organizations DNS servers in order to poison the resolutions.
A
A) An attacker registers a domain that a client connects to based on DNS records and sends malware through that connection.
DNS tunneling exploits the DNS protocol to tunnel malware and other data through a client-server model. The attacker registers a domain, such as badsite.com. The domain’s name server points to the attacker’s server, where a tunneling malware program is installed.
22
Q
An attacker needs to perform reconnaissance on a target system to help gain access to it. The system has weak passwords, no encryption on the VPN links, and software bugs on the systems applications. Which vulnerability allows the attacker to see the passwords being transmitted in clear text?
A. unencrypted links for traffic
B. weak passwords for authentication
C. improper file security
D. software bugs on applications
A
A. unencrypted links for traffic
23
Q
A user has a device in the network that is receiving too many connection requests from multiple machines. Which type of attack is the device undergoing?
A. SYN flood
B. slowloris
C. phishing
D. pharming
A
A. SYN flood
24
Q
Which two preventive measures are used to control cross-site scripting? (Choose two.)
A. Enable client-side scripts on a per-domain basis.
B. Incorporate contextual output encoding/escaping.
C. Disable cookie inspection in the HTML inspection engine.
D. Run untrusted HTML input through an HTML sanitization engine.
E. SameSite cookie attribute should not be used.
A
A. Enable client-side scripts on a per-domain basis
D. Run untrusted HTML input through an HTML sanitization engine.
Verified correct
25
Which threat involves software being used to gain unauthorized access to a computer system?
A. ping of death
B. HTTP flood
C. NTP amplification
D. virus
D. virus
26
Which two capabilities does TAXII support? (Choose two.)
A. exchange
B. pull messaging
C. binding
D. correlation
E. mitigating
A. exchange
B. pull messaging
Verified correct
27
Which two conditions are prerequisites for stateful failover for IPsec? (Choose two.)
A. Only the IKE configuration that is set up on the active device must be duplicated on the standby device; the IPsec configuration is copied automatically.
B. The active and standby devices can run different versions of the Cisco IOS software but must be the same type of device.
C. The IPsec configuration that is set up on the active device must be duplicated on the standby device.
D. Only the IPsec configuration that is set up on the active device must be duplicated on the standby device; the IKE configuration is copied automatically.
E. The active and standby devices must run the same version of the Cisco IOS software and must be the same type of device.
C. The IPsec configuration that is set up on the active device must be duplicated on the standby device.
E. The active and standby devices must run the same version of the Cisco IOS software and must be the same type of device.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec\_conn\_vpnav/configuration/15-mt/sec-vpn-availability-15-mt-book/sec-state-fail-ipsec.html#:~:text=Stateful%20failover%20for%20IPsec%20requires,accelerator%20or%20identical%20encryption%20accelerators.
Restrictions for Stateful Failover for IPsec When configuring redundancy for a VPN, the following restrictions apply: Both the active and standby devices must run the identical version of the Cisco IOS software, and both the active and standby devices must be connected via a hub or switch.
28
Which algorithm provides encryption and authentication for data plane communication?
A. AES-GCM
B. SHA-96
C. AES-256
D. SHA-384
A. AES-GCM
https://en.wikipedia.org/wiki/Galois/Counter\_Mode
In the Cisco SD-WAN network for unicast traffic, data plane encryption is done by AES-256-GCM, a symmetric-key algorithm that uses the same key to encrypt outgoing packets and to decrypt incoming packets. Each router periodically generates an AES key for its data path (specifically, one key per TLOC) and transmits this key to the vSmart controller in OMP route packets, which are similar to IP route updates. These packets contain information that the vSmart controller uses to determine the network topology, including the router's TLOC (a tuple of the system IP address and traffic color) and AES key. The vSmart controller then places these OMP route packets into reachability advertisements that it sends to the other routers in the network. In this way, the AES keys for all the routers are distributed across the network. Even though the key exchange is symmetric, the routers use it in an asymmetric fashion. The result is a simple and scalable key exchange process that uses the Cisco vSmart Controller. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/vedge/security-book/security-overview.html#id\_112385
29
DRAG DROP -
Drag and drop the capabilities from the left onto the correct technologies on the right.
Select and Place:
30
Which two key and block sizes are valid for AES? (Choose two.)
A. 64-bit block size, 112-bit key length
B. 64-bit block size, 168-bit key length
C. 128-bit block size, 192-bit key length
D. 128-bit block size, 256-bit key length
E. 192-bit block size, 256-bit key length
C. 128-bit block size, 192-bit key length
D. 128-bit block size, 256-bit key length
https://en.wikipedia.org/wiki/Advanced\_Encryption\_Standard
31
Which two descriptions of AES encryption are true? (Choose two.)
A. AES is less secure than 3DES.
B. AES is more secure than 3DES.
C. AES can use a 168-bit key for encryption.
D. AES can use a 256-bit key for encryption.
E. AES encrypts and decrypts a key three times in sequence.
B. AES is more secure than 3DES
D. AES can use a 256-bit key for encryption.
32
What is a language format designed to exchange threat intelligence that can be transported over the TAXII protocol?
A. STIX
B. XMPP
C. pxGrid
D. SMTP
A. STIX
33
DRAG DROP -
Drag and drop the descriptions from the left onto the correct protocol versions on the right.
Select and Place:
34
Which VPN technology can support a multivendor environment and secure traffic between sites?
A. SSL VPN
B. GET VPN
C. FlexVPN
D. DMVPN
C. FlexVPN
35
Which technology must be used to implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity?
A. DMVPN
B. FlexVPN
C. IPsec DVTI
D. GET VPN
D. GET VPN
36
What is the commonality between DMVPN and FlexVPN technologies?
A. FlexVPN and DMVPN use the new key management protocol, IKEv2
B. FlexVPN and DMVPN use IS-IS routing protocol to communicate with spokes
C. IOS routers run the same NHRP code for DMVPN and FlexVPN
D. FlexVPN and DMVPN use the same hashing algorithms
C. IOS routers run the same NHRP code for DMVPN and FlexVPN
37
Which protocol provides the strongest throughput performance when using Cisco AnyConnect VPN?
A. DTLSv1
B. TLSv1
C. TLSv1.1
D. TLSv1.2
A. DTLSv1
38
Which group within Cisco writes and publishes a weekly newsletter to help cybersecurity professionals remain aware of the ongoing and most prevalent threats?
A. Talos
B. PSIRT
C. SCIRT
D. DEVNET
A. Talos
39
When Cisco and other industry organizations publish and inform users of known security findings and vulnerabilities, which name is used?
A. Common Vulnerabilities, Exploits and Threats
B. Common Vulnerabilities and Exposures
C. Common Exploits and Vulnerabilities
D. Common Security Exploits
B. Common Vulnerabilities and Exposures
40
Which two features of Cisco DNA Center are used in a Software-Defined Network solution? (Choose two.)
A. accounting
B. assurance
C. automation
D. authentication
E. encryption
B. Assurance
C. Automation
41
What provides the ability to program and monitor networks from somewhere other than the DNAC GUI?
A. ASDM
B. NetFlow
C. API
D. desktop client
C. API
42
What is a function of 3DES in reference to cryptography?
A. It encrypts traffic.
B. It creates one-time-use passwords.
C. It hashes files.
D. It generates private keys.
A. It encrypts traffic.
43
Which two activities can be done using Cisco DNA Center? (Choose two.)
A. DHCP
B. design
C. accounting
D. DNS
E. provision
B. Design
E. Provision
44
Which PKI enrollment method allows the user to separate authentication and enrollment actions and also provides an option to specify HTTP/TFTP commands to perform file retrieval from the server?
A. terminal
B. selfsigned
C. url
D. profile
D. profile
45
Which type of API is being used when a security application notifies a controller within a software-defined network architecture about a specific security threat?
A. southbound API
B. westbound API
C. eastbound API
D. northbound API
D. northbound API
46
An organization has two machines hosting web applications. Machine 1 is vulnerable to SQL injection while machine 2 is vulnerable to buffer overflows. What action would allow the attacker to gain access to machine 1 but not machine 2?
A. sniffing the packets between the two hosts
B. sending continuous pings
C. overflowing the buffers memory
D. inserting malicious commands into the database
D. inserting malicious commands into the database
47
What is the function of SDN southbound API protocols?
A. to allow for the static configuration of control plane applications
B. to enable the controller to use REST
C. to enable the controller to make changes
D. to allow for the dynamic configuration of control plane applications
C. to enable the controller to make changes
48
DRAG DROP -
Drag and drop the threats from the left onto examples of that threat on the right.
Select and Place:
49
What is the difference between Cross-site Scripting and SQL Injection attacks?
A. Cross-site Scripting is when executives in a corporation are attacked, whereas SQL Injection is when a database is manipulated.
B. Cross-site Scripting is an attack where code is executed from the server-side, whereas SQL Injection is an attack where code is executed from the client-side.
C. Cross-site Scripting is a brute force attack targeting remote sites, whereas SQL Injection is a social engineering attack.
D. Cross-site Scripting is an attack where code is injected into a database, whereas SQL Injection is an attack where code is injected into a browser.
B. Cross-site Scripting is an attack where code is executed from the server-side, whereas SQL Injection is an attack where code is executed from the client-side.
50
Drag and drop the common security threats from the left onto the definitions on the right.
Select and Place:
1. Worm
2. Spam
3. Botnet
4. Phishing
51
Which type of dashboard does Cisco DNA Center provide for complete control of the network?
A. distributed management
B. service management
C. application management
D. centralized management
D. centralized management
52
A. The list of computers, policies, and connector statuses will be received from Cisco AMP.
B. The list of computers and their current vulnerabilities will be received from Cisco AMP.
C. The compromised computers and malware trajectories will be received from Cisco AMP.
D. The compromised computers and what compromised them will be received from Cisco AMP.
A. The list of computers, policies, and connector statuses will be received from Cisco AMP.
53
A. The hostname will be printed for the client in the client ID field.
B. The hostname will be translated to an IP address and printed.
C. The script will pull all computer hostnames and print them.
D. The script will translate the IP address to FQDN and print it.
C. The script will pull all computer hostnames and print them.
54
With which components does a southbound API within a software-defined network architecture communicate?
A. applications
B. controllers within the network
C. appliances
D. devices such as routers and switches
D. devices such as routers and switches
55
Which method is used to deploy certificates and configure the supplicant on mobile devices to gain access to network resources?
A. BYOD onboarding
B. MAC authentication bypass
C. client provisioning
D. Simple Certificate Enrollment Protocol
D. Simple Certificate Enrollment Protocol
56
What are two characteristics of Cisco DNA Center APIs? (Choose two.)
A. They are Cisco proprietary.
B. They do not support Python scripts.
C. They view the overall health of the network.
D. They quickly provision new devices.
E. Postman is required to utilize Cisco DNA Center API calls.
C. They view the overall health of the network.
D. They quickly provision new devices.
57
Which statement about the configuration of Cisco ASA NetFlow v9 Secure Event Logging is true?
A. To view bandwidth usage for NetFlow records, the QoS feature must be enabled.
B. A sysopt command can be used to enable NSEL on a specific interface.
C. NSEL can be used without a collector configured.
D. A flow-export event type must be defined under a policy.
D. A flow-export event type must be defined under a policy.
58
Which feature requires a network discovery policy on the Cisco Firepower NGIPS?
A. security intelligence
B. impact flags
C. health monitoring
D. URL filtering
B. impact flags
https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/introduction\_to\_network\_discovery\_and\_identity.html?bookSearch=true
59
Which policy is used to capture host information on the Cisco Firepower Next Generation Intrusion Prevention System?
A. correlation
B. intrusion
C. access control
D. network discovery
D. network discovery
60
What is a characteristic of traffic storm control behavior?
A. Traffic storm control drops all broadcast and multicast traffic if the combined traffic exceeds the level within the interval.
B. Traffic storm control cannot determine if the packet is unicast or broadcast.
C. Traffic storm control monitors incoming traffic levels over a 10-second traffic storm control interval.
D. Traffic storm control uses the Individual/Group bit in the packet source address to determine if the packet is unicast or broadcast.
A. Traffic storm control drops all broadcast and multicast traffic if the combined traffic exceeds the level within the interval.
61
DRAG DROP -
Drag and drop the Firepower Next Generation Intrusion Prevention System detectors from the left onto the correct definitions on the right.
Select and Place:
62
Refer to the exhibit. Which statement about the authentication protocol used in the configuration is true?
A. The authentication request contains only a password
B. The authentication request contains only a username
C. The authentication and authorization requests are grouped in a single packet.
D. There is separate authentication and authorization request packets.
C. The authentication and authorization requests are grouped in a single packet.
63
Refer to the exhibit. Which command was used to generate this output and to show which ports are authenticating with dot1x or mab?
A. show authentication registrations
B. show authentication method
C. show dot1x all
D. show authentication sessions
D. show authentication sessions
Verified
64
Refer to the exhibit. What does the number 15 represent in this configuration?
A. privilege level for an authorized user to this router
B. access-list that identifies the SNMP devices that can access the router
C. interval in seconds between SNMPv3 authentication attempts
D. number of possible failed attempts until the SNMPv3 user is locked out
A. privilege level for an authorized user to this router
65
What is the result of running the crypto isakmp key ciscXXXXXXXX address 172.16.0.0 command?
A. authenticates the IKEv2 peers in the 172.16.0.0/16 range by using the key ciscXXXXXXXX
B. authenticates the IP address of the 172.16.0.0/32 peer by using the key ciscXXXXXXXX
C. authenticates the IKEv1 peers in the 172.16.0.0/16 range by using the key ciscXXXXXXXX
D. secures all the certificates in the IKE exchange by using the key ciscXXXXXXXX
B. authenticates the IP address of the 172.16.0.0/32 peer by using the key ciscXXXXXXXX
66
Which command enables 802.1X globally on a Cisco switch?
A. dot1x system-auth-control
B. dot1x pae authenticator
C. authentication port-control auto
D. aaa new-model
A. dot1x system-auth-control
Verified
To globally enable 802.1x authentication on the switch, use the dot1x system-auth-control command in Global Configuration mode.
https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb5635-configure-global-802-1x-properties-on-a-switch-through-the-c.html
67
What is a characteristic of Dynamic ARP Inspection?
A. DAI determines the validity of an ARP packet based on valid IP to MAC address bindings from the DHCP snooping binding database.
B. In a typical network, make all ports as trusted except for the ports connecting to switches, which are untrusted.
C. DAI associates a trust state with each switch.
D. DAI intercepts all ARP requests and responses on trusted ports only.
A. DAI determines the validity of an ARP packet based on valid IP to MAC address bindings from the DHCP snooping binding database.
Verified
Dynamic ARP Inspection
To prevent ARP poisoning attacks such as the one described in the previous section, a switch must ensure that only valid ARP requests and responses are relayed. DAI prevents these attacks by intercepting all ARP requests and responses. Each of these intercepted packets is verified for valid MAC address to IP address bindings before the local ARP cache is updated or the packet is forwarded to the appropriate destination. Invalid ARP packets are dropped.
**DAI determines the validity of an ARP packet based on valid MAC address to IP address bindings stored in a trusted database.** This database is built at runtime by DHCP snooping, provided that it is enabled on the VLANs and on the switch in question. In addition, DAI can also validate ARP packets against user-configured ARP ACLs in order to handle hosts that use statically configured IP addresses.
DAI can also be configured to drop ARP packets when the IP addresses in the packet are invalid or when the MAC addresses in the body of the ARP packet do not match the addresses specified in the Ethernet header.
68
Which statement about IOS zone-based firewalls is true?
A. An unassigned interface can communicate with assigned interfaces
B. Only one interface can be assigned to a zone.
C. An interface can be assigned to multiple zones.
D. An interface can be assigned only to one zone.
D. An interface can be assigned only to one zone.
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
69
When wired 802.1X authentication is implemented, which two components are required? (Choose two.)
A. authentication server: Cisco Identity Service Engine
B. supplicant: Cisco AnyConnect ISE Posture module
C. authenticator: Cisco Catalyst switch
D. authenticator: Cisco Identity Services Engine
E. authentication server: Cisco Prime Infrastructure
A. authentication server: Cisco Identity Service Engine
C. authenticator: Cisco Catalyst switch
https://www.lookingpoint.com/blog/ise-series-802.1x
70
Which SNMPv3 configuration must be used to support the strongest security possible?
A. asa-host(config)#snmp-server group myv3 v3 priv asa-host(config)#snmp-server user andy myv3 auth sha cisco priv des ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
B. asa-host(config)#snmp-server group myv3 v3 noauth asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
C. asa-host(config)#snmp-server group myv3 v3 noauth asa-host(config)#snmp-server user andy myv3 auth sha cisco priv 3des ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
D. asa-host(config)#snmp-server group myv3 v3 priv asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
D.
asa-host
(config) # SNMP-server group myv3 v3 priv asa-host
(config) #SNMP-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX asa-host
(config) #SNMP-server host inside 10.255.254.1 version 3 andy
71
Under which two circumstances is a CoA issued? (Choose two.)
A. A new authentication rule was added to the policy on the Policy Service node.
B. An endpoint is deleted on the Identity Service Engine server.
C. A new Identity Source Sequence is created and referenced in the authentication policy.
D. An endpoint is profiled for the first time.
E. A new Identity Service Engine server is added to the deployment with the Administration persona.
B. An endpoint is deleted on the Identity Service Engine server.
D. An endpoint is profiled for the first time.
https://www.cisco.com/en/US/docs/security/ise/1.0/user\_guide/ise10\_prof\_pol.html
An Endpoint is Profiled for the First Time
The profiler service issues a CoA for an endpoint that is not statically assigned and profiled for the first time i.e. the profile changes from an unknown to a known profile.
An Endpoint is Deleted
The profiler service issues a CoA when an endpoint is deleted from the Endpoints page and the endpoint is most likely disconnected or removed from the network.
For more information on CoA exemptions, see the "CoA Exemptions" section.
For more information on CoA configuration details, see Table 17-2.
72
Which ASA deployment mode can provide separation of management on a shared appliance?
A. DMZ multiple zone mode
B. transparent firewall mode
C. multiple context mode
D. routed mode
C. multiple context mode
73
Refer to the exhibit. Which command was used to display this output?
A. show dot1x all
B. show dot1x
C. show dot1x all summary
D. show dot1x interface gi1/0/12
A. show dot1x all
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec\_usr\_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x- pba.html
74
What is a characteristic of Cisco ASA NetFlow v9 Secure Event Logging?
A. It tracks flow-create, flow-teardown, and flow-denied events.
B. It provides stateless IP flow tracking that exports all records of a specific flow.
C. It tracks the flow continuously and provides updates every 10 seconds.
D. Its events match all traffic classes in parallel.
**A. It tracks flow-create, flow-teardown, and flow-denied events**
Verified
The ASA and ASASM implementations of NSEL provide the following major functions:
Tracks flow-create, flow-teardown, and flow-denied events, and generates appropriate NSEL data records.
Triggers flow-update events and generate appropriate NSEL data records.
Defines and exports templates that describe the progression of a flow. Templates describe the format of the data records that are exported through NetFlow. Each event has several record formats or templates associated with it.
Tracks configured NSEL collectors and delivers templates and data records to these configured NSEL collectors through NetFlow over UDP only.
Sends template information periodically to NSEL collectors. Collectors receive template definitions, normally before receiving flow records.
Filters NSEL events based on the traffic and event type through Modular Policy Framework, then sends records to different collectors. Traffic is matched based on the order in which classes are configured. After a match is found, no other classes are checked. The supported event types are flow-create, flow-denied, flow-teardown, flow-update, and all. Records can be sent to different collectors. For example, with two collectors, you can do the following:
– Log all flow-denied events that match ACL 1 to collector 1.
– Log all flow-create events to collector 1.
– Log all flow-teardown events to collector 2.
– Log all flow-update events to collector 1.
Delays the export of flow-create events.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/monitor-nsel.html
75
A network engineer has entered the snmp-server user andy myv3 auth sha cisco priv aes 256 cisc0383320506 command and needs to send SNMP information to a host at 10.255.254.1. Which command achieves this goal?
A. snmp-server host inside 10.255.254.1 snmpv3 andy
B. snmp-server host inside 10.255.254.1 version 3 myv3
C. snmp-server host inside 10.255.254.1 snmpv3 myv3
D. snmp-server host inside 10.255.254.1 version 3 andy
D. SNMP-server host inside 10.255.254.1 version 3 andy
https://www.cisco.com/c/en/us/td/docs/security/asa/snmp/snmpv3\_tools/snmpv3\_1.html
76
An engineer wants to generate NetFlow records on traffic traversing the Cisco ASA. Which Cisco ASA command must be used?
A. flow exporter
B. ip flow-export destination 1.1.1.1 2055
C. flow-export destination inside 1.1.1.1 2055
D. ip flow monitor input
C. flow-export destination inside 1.1.1.1 2055
https://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/guide/asa\_netflow.html
77
A network engineer is configuring DMVPN and entered the crypto isakmp key cisc0383320506 address 0.0.0.0 command on host A. The tunnel is not being established to host B. What action is needed to authenticate the VPN?
A. Change the password on host A to the default password
B. Enter the command with a different password on host B
C. Enter the same command on host B
D. Change isakmp to ikev2 in the command on host A
C. Enter the same command on host B
78
Which two tasks allow NetFlow on a Cisco ASA 5500 Series firewall? (Choose two.)
A. Define a NetFlow collector by using the flow-export command
B. Create a class map to match interesting traffic
C. Create an ACL to allow UDP traffic on port 9996
D. Enable NetFlow Version 9
E. Apply NetFlow Exporter to the outside interface in the inbound direction
A. Define a NetFlow collector by using the flow-export command
B. Create a class map to match interesting traffic
79
Refer to the exhibit. A network administrator configures command authorization for the admin5 user. What is the admin5 user able to do on HQ\_Router after this configuration?
A. set the IP address of an interface
B. add subinterfaces
C. complete no configurations
D. complete all configurations
C. complete no configurations
80
How many interfaces per bridge group does an ASA bridge group deployment support?
A. up to 16
B. up to 2
C. up to 4
D. up to 8
C. up to 4
81
A network administrator configures Dynamic ARP Inspection on a switch. After Dynamic ARP Inspection is applied, all users on that switch are unable to communicate with any destination. The network administrator checks the Interface status of all interfaces, and there is no err-disabled interface. What is causing this problem?
A. DHCP snooping has not been enabled on all VLANs
B. Dynamic ARP inspection has not been enabled on all VLANs
C. The ip arp inspection limit command is applied on all interfaces and is blocking the traffic of all users
D. The no ip arp inspection trust command is applied on all user host interfaces
A. DHCP snooping has not been enabled on all VLANs
82
DRAG DROP -
Drag and drop the capabilities of Cisco Firepower versus Cisco AMP from the left into the appropriate category on the right.
Select and Place:
83
An engineer needs behavioral analysis to detect malicious activity on the hosts and is configuring the organization's public cloud to send telemetry using the cloud provider's mechanisms to a security device. Which mechanism should the engineer configure to accomplish this goal?
A. sFlow
B. NetFlow
C. mirror port
D. VPC flow logs
D. VPC flow logs
84
An engineer is trying to securely connect to a router and wants to prevent insecure algorithms from being used. However, the connection is failing. Which action should be taken to accomplish this goal?
A. Generate the RSA key using the crypto key generate rsa command.
B. Configure the port using the ip ssh port 22 command.
C. Enable the SSH server using the ip ssh server command.
D. Disable telnet using the no ip telnet command.
A. Generate the RSA key using the crypto key generate rsa command
Verified
Asks about "algorithms" such as RSA, not protocols like ssh.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3650-cr-book/sec-a1-xe-3se-3850-cr-book\_chapter\_0110.pdf
85
Refer to the exhibit. Which type of authentication is in use?
A. POP3 authentication
B. SMTP relay server authentication
C. external user and relay mail authentication
D. LDAP authentication for Microsoft Outlook
D. LDAP authentication for Microsoft Outlook
86
Refer to the exhibit. An organization is using DHCP Snooping within their network. A user on VLAN 41 on a new switch is complaining that an IP address is not being obtained. Which command should be configured on the switch interface in order to provide the user with network connectivity?
A. ip dhcp snooping limit 41
B. ip dhcp snooping verify mac-address
C. ip dhcp snooping trust
D. ip dhcp snooping vlan 41
C. ip dhcp snooping trust
87
Refer to the exhibit. Traffic is not passing through IPsec site-to-site VPN on the Firepower Threat Defense appliance. What is causing this issue?
A. Site-to-site VPN preshared keys are mismatched.
B. Site-to-site VPN peers are using different encryption algorithms.
C. No split-tunnel policy is defined on the Firepower Threat Defense appliance.
D. The access control policy is not allowing VPN traffic in.
D. The access control policy is not allowing VPN traffic in.
88
Refer to the exhibit. A network administrator configured a site-to-site VPN tunnel between two Cisco IOS routers, and hosts are unable to communicate between two sites of VPN. The network administrator runs the debug crypto isakmp sa command to track VPN status. What is the problem according to this command output?
A. interesting traffic was not applied
B. encryption algorithm mismatch
C. authentication key mismatch
D. hashing algorithm mismatch
C. authentication key mismatch
89
Which policy represents a shared set of features or parameters that define the aspects of a managed device that are likely to be similar to other managed devices in a deployment?
A. group policy
B. access control policy
C. device management policy
D. platform settings policy
D. platform settings policy
90
Which policy represents a shared set of features or parameters that define the aspects of a managed device that are likely to be similar to other managed devices in a deployment?
A. group policy
B. access control policy
C. device management policy
D. platform service policy
D. platform service policy
91
The Cisco ASA must support TLS proxy for encrypted Cisco Unified Communications traffic.
Where must the ASA be added on the Cisco UC Manager platform?
A. Certificate Trust List
B. Endpoint Trust List
C. Enterprise Proxy Service
D. Secured Collaboration Proxy
A. Certificate Trust List
92
Which two application layer preprocessors are used by Firepower Next Generation Intrusion Prevention System? (Choose two.)
A. SIP
B. inline normalization
C. SSL
D. packet decoder
E. modbus
A. SIP
C. SSL
93
Which feature is configured for managed devices in the device platform settings of the Firepower Management Center?
A. quality of service
B. time synchronization
C. network address translations
D. intrusion policy
B. time synchronization
94
Which information is required when adding a device to Firepower Management Center?
A. username and password
B. encryption method
C. device serial number
D. registration key
D. registration key
95
What can be integrated with Cisco Threat Intelligence Director to provide information about security threats, which allows the SOC to proactively automate responses to those threats?
A. Cisco Umbrella
B. External Threat Feeds
C. Cisco Threat Grid
D. Cisco Stealthwatch
B. External Threat Feeds
96
Which Cisco command enables authentication, authorization, and accounting globally so that CoA is supported on the device?
A. aaa server radius dynamic-author
B. auth-type all
C. aaa new-model
D. ip device-tracking
C. aaa new-model
97
What is a characteristic of Firepower NGIPS inline deployment mode?
A. ASA with Firepower module cannot be deployed
B. It cannot take actions such as blocking traffic
C. It is out-of-band from traffic
D. It must have inline interface pairs configured
D. It must have inline interface pairs configured
98
A mall provides security services to customers with a shared appliance. The mall wants separation of management on the shared appliance. Which ASA deployment mode meets these needs?
A. routed mode
B. multiple zone mode
C. multiple context mode
D. transparent mode
C. multiple context mode
99
What is managed by Cisco Security Manager?
A. Cisco WLC
B. Cisco ESA
C. Cisco WSA
D. Cisco ASA
D. Cisco ASA
100
An organization is trying to improve its Defense in Depth by blocking malicious destinations prior to a connection being established. The solution must be able to block certain applications from being used within the network. Which product should be used to accomplish this goal?
A. Cisco Firepower
B. Cisco Umbrella
C. Cisco ISE
D. Cisco AMP
B. Cisco Umbrella
101
An engineer notices traffic interruptions on the network. Upon further investigation, it is learned that broadcast packets have been flooding the network. What must be configured, based on a predefined threshold, to address this issue?
A. Storm Control
B. embedded event monitoring
C. access control lists
D. Bridge Protocol Data Unit guard
A. Storm Control
102
What is a feature of Cisco NetFlow Secure Event Logging for Cisco ASAs?
A. Multiple NetFlow collectors are supported.
B. Advanced NetFlow v9 templates and legacy v5 formatting are supported.
C. Secure NetFlow connectors are optimized for Cisco Prime Infrastructure
D. Flow-create events are delayed.
A. Multiple NetFlow collectors are supported.
103
What is a key difference between Cisco Firepower and Cisco ASA?
A. Cisco Firepower provides identity-based access control while Cisco ASA does not.
B. Cisco AS provides access control while Cisco Firepower does not.
C. Cisco ASA provides SSL inspection while Cisco Firepower does not.
D. Cisco Firepower natively provides intrusion prevention capabilities while Cisco ASA does not.
D. Cisco Firepower natively provides intrusion prevention capabilities while Cisco ASA does not.
104
DRAG DROP -
Drag and drop the suspicious patterns for the Cisco Tetration platform from the left onto the correct definitions on the right.
Select and Place:
105
What is the benefit of using Cisco FMC over Cisco ASDM?
A. Cisco FMC uses Java while Cisco ASDM uses HTML5.
B. Cisco FMC provides centralized management while Cisco ASDM does not.
C. Cisco FMC supports pushing configurations to devices while Cisco ASDM does not.
D. Cisco FMC supports all firewall products whereas Cisco ASDM only supports Cisco ASA devices.
B. Cisco FMC provides centralized management while Cisco ASDM does not.
106
Which product allows Cisco FMC to push security intelligence observable to its sensors from other products?
A. Threat Intelligence Director
B. Encrypted Traffic Analytics.
C. Cognitive Threat Analytics.
D. Cisco Talos Intelligence
A. Threat Intelligence Director
107
A Cisco FirePower administrator needs to configure a rule to allow a new application that has never been seen on the network. Which two actions should be selected to allow the traffic to pass without inspection? (Choose two.)
A. permit
B. allow
C. reset
D. trust
E. monitor
D. trust
E. monitor
108
What is a characteristic of a bridge group in a Cisco ASA Firewall running in transparent mode?
A. It has an IP address on its BVI interface and is used for management traffic.
B. It allows ARP traffic with a single access rule.
C. It includes multiple interfaces and access rules between interfaces are customizable.
D. It is a Layer 3 segment and includes one port and customizable access rules.
C. It includes multiple interfaces and access rules between interfaces are customizable.
109
While using Cisco Firepowers Security Intelligence policies, which two criteria is blocking based upon? (Choose two.)
A. IP addresses
B. URLs
C. port numbers
D. protocol IDs
E. MAC addresses
A. IP addresses
B. URLs
110
What features does Cisco FTDv provide over Cisco ASAv?
A. Cisco FTDv provides 1GB of firewall throughput while Cisco ASAv does not.
B. Cisco FTDv runs on VMware while Cisco ASAv does not.
C. Cisco FTDv runs on AWS while Cisco ASAv does not.
D. Cisco FTDv supports URL filtering while Cisco ASAv does not.
D. Cisco FTDv supports URL filtering while Cisco ASAv does not.
https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2018/pdf/BRKSEC-2064.pdf
111
A network engineer is deciding whether to use stateful or stateless failover when configuring two Cisco ASAs for high availability. What is the connection status in both cases?
A. need to be reestablished with stateful failover and preserved with stateless failover
B. preserved with both stateful and stateless failover
C. need to be reestablished with both stateful and stateless failover
D. preserved with stateful failover and need to be reestablished with stateless failover
D. preserved with stateful failover and need to be reestablished with stateless failover
112
Which term describes when the Cisco Firepower downloads threat intelligence updates from Cisco Talos?
A. authoring
B. consumption
C. sharing
D. analysis
B. consumption
113
An administrator is configuring a DHCP server to better secure their environment. They need to be able to rate-limit the traffic and ensure that legitimate requests are not dropped. How would this be accomplished?
A. Set a trusted interface for the DHCP server.
B. Set the DHCP snooping bit to 1.
C. Enable ARP inspection for the required VLAN.
D. Add entries in the DHCP snooping database.
A. Set a trusted interface for the DHCP server.
114
What is a prerequisite when integrating a Cisco ISE server and an AD domain?
A. Configure a common administrator account.
B. Place the Cisco ISE server and the AD server in the same subnet.
C. Synchronize the clocks of the Cisco ISE server and the AD server.
D. Configure a common DNS server.
C. Synchronize the clocks of the Cisco ISE server and the AD server.
115
When configuring ISAKMP for IKEv1 Phase 1 on a Cisco IOS router, an administrator needs to input the command crypto isakmp key cisco address 0.0.0.0.
The administrator is not sure what the IP address in this command is used for. What would be the effect of changing the IP address from 0.0.0.0 to 1.2.3.4?
A. The key server that is managing the keys for the connection will be at 1.2.3.4.
B. The address that will be used as the crypto validation authority.
C. All IP addresses other than 1.2.3.4 will be allowed.
D. The remote connection will only be allowed from 1.2.3.4.
D. The remote connection will only be allowed from 1.2.3.4.
Hide Solution
116
A network administrator is configuring SNMPv3 on a new router. The users have already been created, however an additional configuration is needed to facilitate access to the SNMP views. What must the administrator do to accomplish this?
A. define the encryption algorithm to be used by SNMPv3
B. set the password to be used for SNMPv3 authentication
C. map SNMPv3 users to SNMP views
D. specify the UDP port used by SNMP
C. map SNMPv3 users to SNMP views
117
DRAG DROP -
Drag and drop the NetFlow export formats from the left onto the descriptions on the right.
Select and Place:
118
Refer to the exhibit. When configuring a remote access VPN solution terminating on the Cisco ASA, an administrator would like to utilize an external token authentication mechanism in conjunction with AAA authentication using machine certificates. Which configuration item must be modified to allow this?
A. Method
B. SAML Server
C. AAA Server Group
D. Group Policy
C. AAA Server Group
119
An administrator is trying to determine which applications are being used in the network but does not want the network devices to send metadata to Cisco Firepower. Which feature should be used to accomplish this?
A. Network Discovery
B. Access Control
C. Packet Tracer
D. NetFlow
D. NetFlow
120
An engineer is implementing NTP authentication within their network and has configured both the client and server devices with the command ntp authentication-key 1 md5 Cisc392481137. The server at 1.1.1.1 is attempting to authenticate to the client at 1.1.1.2, however is unable to do so. Which command is required to enable the client to accept the serverג€™s authentication key?
A. ntp server 1.1.1.2 key 1
B. ntp peer 1.1.1.2 key 1
C. ntp server 1.1.1.1 key 1
D. ntp peer 1.1.1.1 key 1
C. ntp server 1.1.1.1 key 1
121
Due to a traffic storm on the network, two interfaces were error-disabled, and both interfaces sent SNMP traps. Which two actions must be taken to ensure that interfaces are put back into service? (Choose two.)
A. Enable the snmp-server enable traps command and wait 300 seconds.
B. Use EEM to have the ports return to service automatically in less than 300 seconds
C. Ensure that interfaces are configured with the error-disable detection and recovery feature.
D. Have Cisco Prime Infrastructure issue an SNMP set command to re-enable the ports after the preconfigured interval.
E. Enter the shutdown and no shutdown commands on the interfaces.
C. Ensure that interfaces are configured with the error-disable detection and recovery feature.
E. Enter the shutdown and no shutdown commands on the interfaces.
122
Refer to the exhibit. An administrator is adding a new Cisco FTD device to their network and wants to manage it with Cisco FMC. The Cisco FTD uses a registration key of Cisc392481137 and is not behind a NAT device. Which command is needed to enable this on the Cisco FTD
A. configure manager add 16
B. configure manager add DONTRESOLVE FTD123
C. configure manager add
D. configure manager add DONTRESOLVE
A. configure manager add 16
123
A network administrator needs to find out what assets currently exist on the network. Third-party systems need to be able to feed host data into Cisco Firepower.
What must be configured to accomplish this?
A. a Network Analysis policy to receive NetFlow data from the host
B. a File Analysis policy to send file data into Cisco Firepower
C. a Network Discovery policy to receive data from the host
D. a Threat Intelligence policy to download the data from the host
C. A Network Discovery policy to receive data from the host
124
Which suspicious pattern enables the Cisco Tetration platform to learn the normal behavior of users?
A. file access from a different user
B. user login suspicious behavior
C. privilege escalation
D. interesting file access
A. file access from a different user
125
Which deployment model is the most secure when considering risks to cloud adoption?
A. public cloud
B. hybrid cloud
C. community cloud
D. private cloud
D. private cloud
126
What does the Cloudlock Apps Firewall do to mitigate security concerns from an application perspective?
A. It allows the administrator to quarantine malicious files so that the application can function, just not maliciously.
B. It discovers and controls cloud apps that are connected to a company's corporate environment.
C. It deletes any application that does not belong in the network.
D. It sends the application information to an administrator to act on.
B. It discovers and controls cloud apps that are connected to a company's corporate environment.
127
Which exfiltration method does an attacker use to hide and encode data inside DNS requests and queries?
A. DNS tunneling
B. DNSCrypt
C. DNS security
D. DNSSEC
A. DNS tunneling
128
Which technology reduces data loss by identifying sensitive information stored in public computing environments?
A. Cisco SDA
B. Cisco Firepower
C. Cisco HyperFlex
D. Cisco Cloudlock
D. Cisco Cloudlock
129
In which cloud services model is the tenant responsible for virtual machine OS patching?
A. IaaS
B. UCaaS
C. PaaS
D. SaaS
A. IaaS
130
What is the function of Cisco Cloudlock for data security?
A. data loss prevention
B. controls malicious cloud apps
C. detects anomalies
D. user and entity behavior analytics
A. data loss prevention
131
Which feature is supported when deploying Cisco ASAv within AWS public cloud?
A. multiple context mode
B. user deployment of Layer 3 networks
C. IPv6
D. clustering
B. user deployment of Layer 3 networks
132
Which cloud service model offers an environment for cloud consumers to develop and deploy applications without needing to manage or maintain the underlying cloud infrastructure?
A. PaaS
B. XaaS
C. IaaS
D. SaaS
A. PaaS
133
Which risk is created when using an Internet browser to access cloud-based service?
A. misconfiguration of Infra, which allows unauthorized access
B. intermittent connection to the cloud connectors
C. vulnerabilities within protocol
D. insecure implementation of API
C. vulnerabilities within protocol
134
What is the Cisco API-based broker that helps reduce compromises, application risks, and data breaches in an environment that is not on-premise?
A. Cisco AppDynamics
B. Cisco Cloudlock
C. Cisco Umbrella
D. Cisco AMP
B. Cisco Cloudlock
135
Which two aspects of the cloud PaaS model are managed by the customer? (Choose two.)
A. middleware
B. applications
C. virtualization
D. operating systems
E. data
B. applications
E. data
136
Which public cloud provider supports the Cisco Next-Generation Firewall Virtual?
A. Google Cloud Platform
B. Red Hat Enterprise Virtualization
C. Amazon Web Services
D. VMware ESXi
C. Amazon Web Services
137
What is an attribute of the DevSecOps process?
A. security scanning and theoretical vulnerabilities
B. development security
C. isolated security team
D. mandated security controls and check lists
B. development security
138
On which part of the IT environment does DevSecOps focus?
A. application development
B. wireless network
C. data center
D. perimeter network
A. application development
139
In a PaaS model, which layer is the tenant responsible for maintaining and patching?
A. hypervisor
B. virtual machine
C. network
D. application
D. application
140
Which two deployment model configurations are supported for Cisco FTDv in AWS? (Choose two.)
A. Cisco FTDv configured in routed mode and managed by an FMCv installed in AWS
B. Cisco FTDv with one management interface and two traffic interfaces configured
C. Cisco FTDv configured in routed mode and managed by a physical FMC appliance on-premises
D. Cisco FTDv with two management interfaces and one traffic interface configured
E. Cisco FTDv configured in routed mode and IPv6 configured
A. Cisco FTDv configured in routed mode and managed by an FMCv installed in AWS
C. Cisco FTDv configured in routed mode and managed by a physical FMC appliance on premises
141
DRAG DROP -
Drag and drop the steps from the left into the correct order on the right to enable Cisco AppDynamics to monitor an EC2 instance in AWS.
Select and Place:
142
What is a required prerequisite to enable malware file scanning for the Secure Internet Gateway?
A. Enable IP Layer enforcement.
B. Activate the Cisco AMP license.
C. Activate SSL decryption.
D. Enable Intelligent Proxy.
D. Enable Intelligent Proxy.
143
A company is experiencing exfiltration of credit card numbers that are not being stored on-premise. The company needs to be able to protect sensitive data throughout the full environment. Which tool should be used to accomplish this goal?
A. Cisco ISE
B. Web Security Appliance
C. Security Manager
D. Cloudlock
D. Cloudlock
144
What are the two types of managed Intercloud Fabric deployment models? (Choose two.)
A. Service Provider managed
B. User managed
C. Public managed
D. Hybrid managed
E. Enterprise managed
A. Service Provider managed
E. Enterprise managed
Intercloud Fabric Deployment Models
Cisco Intercloud Fabric addresses the cloud deployment requirements appropriate for two-hybrid cloud deployment models: **Enterprise Managed and Service Provider Managed**.
145
An engineer needs a cloud solution that will monitor traffic, create incidents based on events, and integrate with other cloud solutions via an API. Which solution should be used to accomplish this goal?
A. CASB
B. Cisco Cloudlock
C. Adaptive MFA
D. SIEM
B. Cisco Cloudlock
146
An organization is using Cisco Firepower and Cisco Meraki MX for network security and needs to centrally manage cloud policies across these platforms. Which software should be used to accomplish this goal?
A. Cisco Defense Orchestrator
B. Cisco Configuration Professional
C. Cisco Secureworks
D. Cisco DNA Center
A. Cisco Defense Orchestrator
147
Which factor must be considered when choosing the on-premise solution over the cloud-based one?
A. With an on-premise solution, the provider is responsible for the installation and maintenance of the product, whereas with a cloud-based solution, the customer is responsible for it.
B. With a cloud-based solution, the provider is responsible for the installation, but the customer is responsible for the maintenance of the product.
C. With an on-premise solution, the provider is responsible for the installation, but the customer is responsible for the maintenance of the product.
D. With an on-premise solution, the customer is responsible for the installation and maintenance of the product, whereas with a cloud-based solution, the provider is responsible for it.
D. With an on-premise solution, the customer is responsible for the installation and maintenance of the product, whereas with a cloud-based solution, the provider is responsible for it.
148
An engineer has been tasked with implementing a solution that can be leveraged for securing the cloud users, data, and applications. There is a requirement to use the Cisco cloud-native CASB and cloud cybersecurity platform. What should be used to meet these requirements?
A. Cisco NGFW
B. Cisco Cloudlock
C. Cisco Cloud Email Security
D. Cisco Umbrella
B. Cisco Cloudlock
149
In an IaaS cloud services model, which security function is the provider responsible for managing?
A. firewalling virtual machines
B. Internet proxy
C. hypervisor OS hardening
D. CASB
C. hypervisor OS hardening
150
An organization is implementing URL blocking using Cisco Umbrella. The users are able to go to some sites but other sites are not accessible due to an error.
Why is the error occurring?
A. Client computers do not have an SSL certificate deployed from an internal CA server.
B. Client computers do not have the Cisco Umbrella Root CA certificate installed.
C. IP-Layer Enforcement is not configured.
D. Intelligent proxy and SSL decryption is disabled in the policy.
B. Client computers do not have the Cisco Umbrella Root CA certificate installed.
151
Which feature within Cisco Umbrella allows for the ability to inspect secure HTTP traffic?
A. File Analysis
B. SafeSearch
C. SSL Decryption
D. Destination Lists
C. SSL Decryption
152
When web policies are configured in Cisco Umbrella, what provides the ability to ensure that domains are blocked when they host malware, command and control, phishing, and more threats?
A. Application Control
B. Security Category Blocking
C. Content Category Blocking
D. File Analysis
B. Security Category Blocking
153
How is Cisco Umbrella configured to log only security events?
A. per policy
B. in the Reporting settings
C. in the Security Settings section
D. per network in the Deployments section
A. per policy
154
Which Cisco solution does Cisco Umbrella integrate with to determine if a URL is malicious?
A. Cisco AMP
B. Cisco AnyConnect
C. Cisco Dynamic DNS
D. Cisco Talos
D. Cisco Talos
155
Where are individual sites specified to be blacklisted in Cisco Umbrella?
A. application settings
B. content categories
C. security settings
D. destination lists
D. destination lists
156
An engineer configured a new network identity in Cisco Umbrella but must verify that traffic is being routed through the Cisco Umbrella network.
Which action tests the routing?
A. Ensure that the client computers are pointing to the on-premises DNS servers.
B. Enable the Intelligent Proxy to validate that traffic is being routed correctly.
C. Add the public IP address that the client computers are behind to a Core Identity.
D. Browse to http://welcome.umbrella.com/ to validate that the new identity is working.
D. Browse to http://welcome.umbrella.com/ to validate that the new identity is working.
157
How does Cisco Umbrella archive logs to an enterprise-owned storage?
A. by using the Application Programming Interface to fetch the logs
B. by sending logs via syslog to an on-premises or cloud-based syslog server
C. by the system administrator downloading the logs from the Cisco Umbrella web portal
D. by being configured to send logs to a self-managed AWS S3 bucket
D. by being configured to send logs to a self-managed AWS S3 bucket
158
Which API is used for Content Security?
A. NX-OS API
B. IOS XR API
C. OpenVuln API
D. AsyncOS API
D. AsyncOS API
159
Which Talos reputation center allows you to track the reputation of IP addresses for email and web traffic?
A. IP Blacklist Center
B. File Reputation Center
C. AMP Reputation Center
D. IP and Domain Reputation Center
D. IP and Domain Reputation Center
Verified
IP and Domain Reputation Center
Talos’ IP and Domain Data Center is the world’s most comprehensive real-time threat detection network. The data is made up of daily security intelligence across millions of deployed web, email, firewall and IPS appliances. Talos detects and correlates threats in real time using the largest threat detection network in the world spanning web requests, emails, malware samples, open-source data sets, endpoint intelligence, and network intrusions. The Email and Web Traffic Reputation Center is able to transform some of Talos' data into actionable threat intelligence and tools to improve your security posture.
160
What is the primary role of the Cisco Email Security Appliance?
A. Mail Submission Agent
B. Mail Transfer Agent
C. Mail Delivery Agent
D. Mail User Agent
B. Mail Transfer Agent
161
Which two services must remain as on-premises equipment when a hybrid email solution is deployed? (Choose two.)
A. DDoS
B. antispam
C. antivirus
D. encryption
E. DLP
Reveal Solution
D. encryption
E. DLP
162
An organization is receiving SPAM emails from a known malicious domain. What must be configured in order to prevent the session during the initial TCP communication?
A. Configure the Cisco ESA to reset the TCP connection.
B. Configure policies to stop and reject communication.
C. Configure the Cisco ESA to drop the malicious emails.
D. Configure policies to quarantine malicious emails.
B. Configure policies to stop and reject communication.
163
Refer to the exhibit. What is a result of the configuration?
A. Traffic from the DMZ network is redirected.
B. Traffic from the inside network is redirected.
C. All TCP traffic is redirected.
D. Traffic from the inside and DMZ networks is redirected.
D. Traffic from the inside and DMZ networks is redirected.
164
An organization received a large amount of SPAM messages over a short time period. In order to take action on the messages, it must be determined how harmful the messages are and this needs to happen dynamically. What must be configured to accomplish this?
A. Configure the Cisco WSA to modify policies based on the traffic seen.
B. Configure the Cisco ESA to modify policies based on the traffic seen.
C. Configure the Cisco WSA to receive real-time updates from Cisco Talos.
D. Configure the Cisco ESA to receive real-time updates from Cisco Talos.
D. Configure the Cisco ESA to receive real-time updates from Cisco Talos.
165
What are two differences between a Cisco WSA that is running in transparent mode and one running in explicit mode? (Choose two.)
A. The Cisco WSA responds with its own IP address only if it is running in explicit mode.
B. The Cisco WSA is configured in a web browser only if it is running in transparent mode.
C. The Cisco WSA responds with its own IP address only if it is running in transparent mode.
D. The Cisco WSA uses a Layer 3 device to redirect traffic only if it is running in transparent mode.
E. When the Cisco WSA is running in transparent mode, it uses the WSAג€™s own IP address as the HTTP request destination.
A. The Cisco WSA responds with its own IP address only if it is running in explicit mode.
D. The Cisco WSA uses a Layer 3 device to redirect traffic only if it is running in transparent mode.
166
Which technology is used to improve web traffic performance by proxy caching?
A. WSA
B. Firepower
C. FireSIGHT
D. ASA
A. WSA
167
Which proxy mode must be used on Cisco WSA to redirect TCP traffic with WCCP?
A. transparent
B. redirection
C. forward
D. proxy gateway
A. transparent
168
What is the purpose of the Decrypt for Application Detection feature within the WSA Decryption options?
A. It decrypts HTTPS application traffic for unauthenticated users.
B. It alerts users when the WSA decrypts their traffic.
C. It decrypts HTTPS application traffic for authenticated users.
D. It provides enhanced HTTPS application detection for AsyncOS.
D. It provides enhanced HTTPS application detection for AsyncOS.
169
A network administrator is using the Cisco ESA with AMP to upload files to the cloud for analysis. The network is congested and is affecting communication. How will the Cisco ESA handle any files which need analysis?
A. The ESA immediately makes another attempt to upload the file.
B. The file upload is abandoned.
C. AMP calculates the SHA-256 fingerprint, caches it, and periodically attempts the upload.
D. The file is queued for upload when connectivity is restored
C. AMP calculates the SHA-256 fingerprint, caches it, and periodically attempts the upload.
170
An engineer is configuring a Cisco ESA and wants to control whether to accept or reject email messages to a recipient address.
Which list contains the allowed recipient addresses?
A. SAT
B. BAT
C. HAT
D. RAT
D. RAT
171
Why would a user choose an on-premises ESA versus the CES solution?
A. Sensitive data must remain onsite.
B. Demand is unpredictable.
C. The server team wants to outsource this service.
D. ESA is deployed inline.
A. Sensitive data must remain onsite.
172
Which two features are used to configure Cisco ESA with a multilayer approach to fight viruses and malware? (Choose two.)
A. Sophos engine
B. white list
C. RAT
D. outbreak filters
E. DLP
A. Sophos engine
D. outbreak filters
173
After a recent breach, an organization determined that phishing was used to gain initial access to the network before regaining persistence. The information gained from the phishing attack was a result of users visiting known malicious websites. What must be done in order to prevent this from happening in the future?
A. Modify web proxy settings.
B. Modify outbound malware scanning policies.
C. Modify identification profiles.
D. Modify an access policy.
A. Modify web proxy settings.
174
An engineer has enabled LDAP accept queries on a listener. Malicious actors must be prevented from quickly identifying all valid recipients. What must be done on the Cisco ESA to accomplish this goal?
A. Configure Directory Harvest Attack Prevention
B. Bypass LDAP access queries in the recipient access table.
C. Use Bounce Verification.
D. Configure incoming content filters.
A. Configure Directory Harvest Attack Prevention
175
In which two ways does a system administrator send web traffic transparently to the Cisco WSA? (Choose two.)
A. use Web Cache Communication Protocol
B. configure AD Group Policies to push proxy settings
C. configure the proxy IP address in the web-browser settings
D. configure policy-based routing on the network infrastructure
E. reference a Proxy Auto-Config file
A. use Web Cache Communication Protocol
D. configure policy-based routing on the network infrastructure
Verified
In the case of the Web Cache Communication Protocol (WCCP), web traffic is redirected to the WSA from another network device along the client’s path to the Internet. In this case, other protocols, such as ICMP, are not redirected to the WSA.
It is possible to use Policy Based Routing (PBR) to redirect web traffic to the WSA. This is achieved by matching the correct traffic (based on TCP ports) and instructing the router/switch to redirect this traffic to the WSA.
176
What is the function of the Context Directory Agent?
A. reads the AD logs to map IP addresses to usernames
B. relays user authentication requests from Cisco WSA to AD
C. maintains usersג€™ group memberships
D. accepts user authentication requests on behalf of Cisco WSA for user identification
A. reads the AD logs to map IP addresses to usernames
177
A network administrator is configuring a rule in an access control policy to block certain URLs and selects the ג€Chat and Instant Messagingג€ category. Which reputation score should be selected to accomplish this goal?
A. 5
B. 10
C. 3
D. 1
D. 1
178
A Cisco ESA network administrator has been tasked to use a newly installed service to help create policy based on the reputation verdict. During testing, it is discovered that the Cisco ESA is not dropping files that have an undetermined verdict. What is causing this issue?
A. The policy was created to send a message to quarantine instead of drop.
B. The file has a reputation score that is below the threshold.
C. The file has a reputation score that is above the threshold.
D. The policy was created to disable file analysis.
D. The policy was created to disable file analysis
Verified
ExamTopic community
179
An organization has a Cisco ESA set up with DLP policies and would like to customize the action assigned for violations. The organization wants a copy of the message to be delivered with a message added to flag it as a DLP violation. Which actions must be performed in order to provide this capability?
A. deliver and add disclaimer text
B. quarantine and send a DLP violation notification
C. quarantine and alter the subject header with a DLP violation
D. deliver and send copies to other recipient
B. quarantine and send a DLP violation notification
Verified
Cisco website
180
A Cisco ESA administrator has been tasked with configuring the Cisco ESA to ensure there are no viruses before quarantined emails are delivered. In addition, delivery of mail from known bad mail servers must be prevented. Which two actions must be taken in order to meet these requirements? (Choose two.)
A. Deploy the Cisco ESA in the DMZ.
B. Use outbreak filters from SenderBase.
C. Configure a recipient access table.
D. Enable a message tracking service.
E. Scan quarantined emails using AntiVirus signatures.
B. Use outbreak filters from SenderBase.
E. Scan quarantined emails using AntiVirus signatures.
Verified correct
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2013/CVD-EmailSecurityUsingCiscoESADesignGuide-AUG13.pdf
181
An organization has noticed an increase in malicious content downloads and wants to use Cisco Umbrella to prevent this activity for suspicious domains while allowing normal web traffic. Which action will accomplish this task?
A. Use destination block lists.
B. Configure application block lists.
C. Configure the intelligent proxy.
D. Set content settings to High.
C. Configure the intelligent proxy
Verified
The intelligent proxy is the ability for Umbrella to intercept and proxy requests for malicious files embedded within certain so-called "grey" domains. Some websites, especially those with large user communities or the ability to upload and share files, have content that most users want to access while also posing a risk because of the possibility of hosting malware. Administrators wouldn't want to block access to the whole "grey" domain for everyone but they also don't want your users to access files that could harm their computers, compromise your company data or worse!
https://docs.umbrella.com/deployment-msp/docs/what-is-the-intelligent-proxy
182
Which attack is preventable by Cisco ESA but not by the Cisco WSA?
A. SQL injection
B. phishing
C. buffer overflow
D. DoS
B. phishing
183
An organization recently installed a Cisco WSA and would like to take advantage of the AVC engine to allow the organization to create a policy to control application-specific activity. After enabling the AVC engine, what must be done to implement this?
A. Use security services to configure the traffic monitor.
B. Use URL categorization to prevent application traffic.
C. Use an access policy group to configure application control settings.
D. Use web security reporting to validate engine functionality.
C. Use an access policy group to configure application control settings.
184
Which benefit does endpoint security provide the overall security posture of an organization?
A. It streamlines the incident response process to automatically perform digital forensics on the endpoint.
B. It allows the organization to mitigate web-based attacks as long as the user is active in the domain.
C. It allows the organization to detect and respond to threats at the edge of the network.
D. It allows the organization to detect and mitigate threats that the perimeter security devices do not detect.
D. It allows the organization to detect and mitigate threats that the perimeter security devices do not detect.
185
What are two list types within Cisco AMP for Endpoints Outbreak Control? (Choose two.)
A. blocked ports
B. simple custom detections
C. command and control
D. allowed applications
E. URL
B. simple custom detections
D. allowed applications
186
For which two conditions can an endpoint be checked using ISE posture assessment? (Choose two.)
A. computer identity
B. Windows service
C. user identity
D. Windows firewall
E. default browser
B. Windows service
D. Windows firewall
Verified
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin\_guide/b\_ise\_admin\_guide\_22/b\_ise\_admin\_guide\_22\_chapter\_010111.html
187
Which Cisco product provides proactive endpoint protection and allows administrators to centrally manage the deployment?
A. NGFW
B. AMP
C. WSA
D. ESA
B. AMP
188
Which two endpoint measures are used to minimize the chances of falling victim to phishing and social engineering attacks? (Choose two.)
A. Patch for cross-site scripting.
B. Perform backups to the private cloud.
C. Protect against input validation and character escapes in the endpoint.
D. Install a spam and virus email filter.
E. Protect systems with an up-to-date antimalware program.
D. Install a spam and virus email filter.
E. Protect systems with an up-to-date antimalware program
Verified
ExamTopics community
189
An engineer used a posture check on a Microsoft Windows endpoint and discovered that the MS17-010 patch was not installed, which left the endpoint vulnerable to WannaCry ransomware.
Which two solutions mitigate the risk of this ransomware infection? (Choose two.)
A. Configure a posture policy in Cisco Identity Services Engine to install the MS17-010 patch before allowing access on the network.
B. Set up a profiling policy in Cisco Identity Services Engine to check an endpoint patch level before allowing access on the network.
C. Configure a posture policy in Cisco Identity Services Engine to check that an endpoint patch level is met before allowing access on the network.
D. Configure endpoint firewall policies to stop the exploit traffic from being allowed to run and replicate throughout the network.
E. Set up a well-defined endpoint patching strategy to ensure that endpoints have critical vulnerabilities patched in a timely fashion.
C. Configure a posture policy in Cisco Identity Services Engine to check that an endpoint patch level is met before allowing access on the network.
E. Set up a well-defined endpoint patching strategy to ensure that endpoints have critical vulnerabilities patched in a timely fashion.
Verified
Examtopics community
190
What is the primary difference between an Endpoint Protection Platform and an Endpoint Detection and Response?
A. EPP focuses on prevention, and EDR focuses on advanced threats that evade perimeter defenses.
B. EDR focuses on prevention, and EPP focuses on advanced threats that evade perimeter defenses.
C. EPP focuses on network security, and EDR focuses on device security.
D. EDR focuses on network security, and EPP focuses on device security.
A. EPP focuses on prevention, and EDR focuses on advanced threats that evade perimeter defenses.
191
An engineer is configuring AMP for endpoints and wants to block certain files from executing. Which outbreak control method is used to accomplish this task?
A. device flow correlation
B. simple detections
C. application blocking list
D. advanced custom detections
C. application blocking list
Verified
From AMP for Endpoints User Guide, chapter 2: Outbreak Control:
An application blocking list is composed of files that you do not want to allow users to execute but do not want to quarantine. You may want to use this for files you are not sure are malware, unauthorized applications, or you may want to use this to stop applications with vulnerabilities from executing until a patch has been released.
192
An engineer must force an endpoint to re-authenticate an already authenticated session without disrupting the endpoint to apply a new or updated policy from
ISE.
Which CoA type achieves this goal?
A. Port Bounce
B. CoA Terminate
C. CoA Reauth
D. CoA Session Query
C. CoA Reauth
Verified
193
Which two risks is a company vulnerable to if it does not have a well-established patching solution for endpoints? (Choose two.)
A. malware
B. denial-of-service attacks
C. ARP spoofing
D. exploits
E. eavesdropping
A. malware
D. exploits
194
Which benefit is provided by ensuring that an endpoint is compliant with a posture policy configured in Cisco ISE?
A. It adds endpoints to identity groups dynamically
B. It allows the endpoint to authenticate with 802.1x or MAB
C. It allows CoA to be applied if the endpoint status is compliant
D. It verifies that the endpoint has the latest Microsoft security patches installed
D. It verifies that the endpoint has the latest Microsoft security patches installed
Verified
Examtopic community
195
An engineer wants to automatically assign endpoints that have a specific OUI into a new endpoint group. Which probe must be enabled for this type of profiling to work?
A. SNMP
B. NMAP
C. DHCP
D. NetFlow
B. NMAP
Verified
Examtopic community
196
What is the benefit of installing Cisco AMP for Endpoints on a network?
A. It enables behavioral analysis to be used for the endpoints
B. It provides flow-based visibility for the endpointsג€™ network connections.
C. It protects endpoint systems through application control and real-time scanning.
D. It provides operating system patches on the endpoints for security.
C. It protects endpoint systems through application control and real-time scanning
Verified
Examtopic community
197
Why is it important to have logical security controls on endpoints even though the users are trained to spot security threats and the network devices already help prevent them?
A. because defense-in-depth stops at the network
B. because human error or insider threats will still exist
C. to prevent theft of the endpoints
D. to expose the endpoint to more threats
B. because human error or insider threats will still exist
198
What must be configured in Cisco ISE to enforce re-authentication of an endpoint session when an endpoint is deleted from an identity group?
A. SNMP probe
B. CoA
C. external identity source
D. posture assessment
B. CoA
Verified
See -https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin\_guide/b\_ise\_admin\_guide\_21/b\_ise\_admin\_guide\_20\_chapter\_010100.html
When an endpoint is deleted from the Endpoints page and the endpoint is disconnected or removed from the network
199
In which situation should an Endpoint Detection and Response solution be chosen versus an Endpoint Protection Platform?
A. when there is a need to have more advanced detection capabilities
B. when there is no firewall on the network
C. when there is a need for traditional anti-malware detection
D. when there is no need to have the solution centrally managed
A. when there is a need to have more advanced detection capabilities
Verified
https://www.esecurityplanet.com/endpoint/antivirus-vs-epp-vs-edr/#:~:text=Endpoint%20detection%20and%20response%20(EDR)%20represents%20the%20newest%20and%20most,advanced%20layer%20of%20endpoint%20protection.&text=Whereas%20EPP%20is%20a%20first,they%20can%20cause%20significant%20damage.
200
Which two probes are configured to gather attributes of connected endpoints using the Cisco Identity Services Engine? (Choose two.)
A. RADIUS
B. TACACS+
C. DHCP
D. sFlow
E. SMTP
A. RADIUS
C. DHCP
Verified
https: //www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin\_guide/b\_ise\_admin\_guide\_21/b\_ise\_admin\_guide\_20\_chapter\_010100.html
https: //www.cisco.com/en/US/docs/security/ise/1.0/user\_guide/ise10\_prof\_pol.html
201
What are two reasons for implementing a multifactor authentication solution such as Cisco Duo Security provide to an organization? (Choose two.)
A. single sign-on access to on-premises and cloud applications
B. identification and correction of application vulnerabilities before allowing access to resources
C. secure access to on-premises and cloud applications
D. integration with 802.1x security using native Microsoft Windows supplicant
E. flexibility of different methods of 2FA such as phone callbacks, SMS passcodes, and push notifications
C. secure access to on-premises and cloud applications
E. flexibility of different methods of 2FA such as phone callbacks, SMS passcodes, and push notifications
Verified
https://duo.com/
202
What are the two most commonly used authentication factors in multifactor authentication? (Choose two.)
A. biometric factor
B. time factor
C. confidentiality factor
D. knowledge factor
E. encryption factor
A. biometric factor
D. knowledge factor
Verified
There are three categories of factors: knowledge (something the user knows), possession (something a user has), and inherence or characteristics (something the user is). Authentication by knowledge is where the user provides a secret that is only known by him or her. An example of authentication by knowledge would be a user providing a password, a personal identification number (PIN) code, or answering security questions. Examples of authentication by ownership or possession include the following: a one-time passcode, memory card, smartcard, and out-of-band communication A system that uses authentication by characteristic authenticates the user based on some physical or behavioral characteristic, sometimes referred to as a biometric attribute. The most used physical or physiological characteristics are as follows: Fingerprints, Face recognition, Retina and iris, ... Examples of behavioral characteristics are as follows: Signature dynamic, Keystroke dynamic/pattern
203
An MDM provides which two advantages to an organization with regards to device management? (Choose two.)
A. asset inventory management
B. allowed application management
C. AD group policy management
D. network device management
E. critical device management
A. asset inventory management
B. allowed application management
Verified
Examtopics
204
What is the purpose of the My Devices Portal in a Cisco ISE environment?
A. to register new laptops and mobile devices
B. to manage and deploy antivirus definitions and patches on systems owned by the end-user
C. to provision userless and agentless systems
D. to request a newly provisioned mobile device
A. to register new laptops and mobile devices
Verified
Q. Why do I need to use the My Devices Portal?
A. Depending on your company policy, you might be able to use your mobile phones, tablets, printers, Internet radios, and other network devices on your company’s network. You can use the My Devices Portal to register and manage these devices on your company’s network. When you use a laptop computer, mobile phone, or tablet to access the Internet, you typically use a web browser on the device itself.
205
In which two ways does Easy Connect help control network access when used with Cisco TrustSec? (Choose two.)
A. It integrates with third-party products to provide better visibility throughout the network.
B. It allows for the assignment of Security Group Tags and does not require 802.1x to be configured on the switch or the endpoint.
C. It creates a dashboard in Cisco ISE that provides full visibility of all connected endpoints.
D. It allows for managed endpoints that authenticate to AD to be mapped to Security Groups (PassiveID).
E. It allows multiple security products to share information and work together to enhance security posture in the net
B. It allows for the assignment of Security Group Tags and does not require 802.1x to be configured on the switch or the endpoint.
D. It allows for managed endpoints that authenticate to AD to be mapped to Security Groups (PassiveID).
Verified
Easy Connect simplifies network access control and **segmentation by allowing the assignment of Security Group Tags to endpoints without requiring 802.1X on those endpoints, whether using wired or wireless connectivity.** Active Directory logins are used to map user information onto network connections, which are then used for authorizing users on the network even when the Identity Services Engine (ISE) is not involved in the authentication process. Consequently, this authorization method only supports devices that authenticate with a Domain Controller. Easy Connect can also be used as a backup authentication method to 802.1X, to ensure that managed assets are classified even when an 802.1X supplicant is not correctly configured. This can dramatically reduce help desk calls
206
What does Cisco AMP for Endpoints use to help an organization detect different families of malware?
A. Tetra Engine to detect malware when the endpoint is connected to the cloud
B. ClamAV Engine to perform email scanning
C. Spero Engine with machine learning to perform dynamic analysis
D. Ethos Engine to perform fuzzy fingerprinting
D. Ethos Engine to perform fuzzy fingerprinting
Verified
Spero: A machine-learning-based technology that proactively identifies threats that were previously unknown. Uses active heuristics to gather execution attributes Needs good data in large sets to tune Built to identify new malware
Ethos: A generic signature capability, again ostensibly similar to the generic detection capabilities that some vendors provide. Directed at families of malware Can have more false positives than 1-to-1 signatures
207
What is the benefit of conducting device compliance checks?
A. It validates if anti-virus software is installed.
B. It scans endpoints to determine if malicious activity is taking place.
C. It indicates what type of operating system is connecting to the network.
D. It detects email phishing attacks.
A. It validates if anti-virus software is installed
Verified
Examtopics community
208
Which Cisco platform ensures that machines that connect to organizational networks have the recommended antivirus definitions and patches to help prevent an organizational malware outbreak?
A. Cisco Prime Infrastructure
B. Cisco ESA
C. Cisco WiSM
D. Cisco ISE
D. Cisco ISE
Verified
209
A network administrator is configuring a switch to use Cisco ISE for 802.1X. An endpoint is failing authentication and is unable to access the network. Where should the administrator begin troubleshooting to verify the authentication details?
A. Context Visibility
B. Accounting Reports
C. Adaptive Network Control Policy List
D. RADIUS Live Logs
D. RADIUS Live Logs
Verified
Examtopics community
210
What is the role of an endpoint in protecting a user from a phishing attack?
A. Ensure that antivirus and antimalware software is up-to-date.
B. Use machine learning models to help identify anomalies and determine expected sending behavior.
C. Use Cisco Stealthwatch and Cisco ISE Integration.
D. Utilize 802.1X network security to ensure unauthorized access to resources.
A. Ensure that antivirus and antimalware software is up-to-date
Verified
Examtopics community
211
Why is it important to implement MFA inside of an organization?
A. To prevent brute force attacks from being successful.
B. To prevent phishing attacks from being successful.
C. To prevent DoS attacks from being successful.
D. To prevent man-in-the-middle attacks from being successful.
A. To prevent brute force attacks from being successful
Verified
Examtopics community
212
Which telemetry data captures variations seen within the flow, such as the packets TTL, IP/TCP flags, and payload length?
A. flow insight variation
B. software package variation
C. interpacket variation
D. process details variation
C. interpacket variation
Verified
* Flow information: This information contains information about endpoints, protocols, ports, when the flow started, how long the flow was active, etc.
* **Interpacket variation: This information captures any interpacket variations within the flow. Examples include variation in Time To Live (TTL), IP and TCP flags, payload length, etc.**
* Context details: Context information is derived outside the packet header, including variation in buffer utilization, packet drops within a flow, association with tunnel endpoints, etc.
213
Which network monitoring solution uses streams and pushes operational data to provide a near real-time view of activity?
A. SNMP
B. SMTP
C. syslog
D. model-driven telemetry
D. model-driven telemetry
214
What two mechanisms are used to redirect users to a web portal to authenticate to ISE for guest services? (Choose two.)
A. TACACS+
B. central web auth
C. single sign-on
D. multiple factor auth
E. local web auth
B. central web auth
E. local web auth
215
Which ID store requires that a shadow user be created on Cisco ISE for the admin login to work?
A. RSA SecureID
B. Internal Database
C. Active Directory
D. LDAP
C. Active Directory
216
An administrator wants to ensure that all endpoints are compliant before users are allowed access on the corporate network. The endpoints must have the corporate antivirus application installed and be running the latest build of Windows 10.
What must the administrator implement to ensure that all devices are compliant before they are allowed on the network?
A. Cisco Identity Services Engine and AnyConnect Posture module
B. Cisco Stealthwatch and Cisco Identity Services Engine integration
C. Cisco ASA firewall with Dynamic Access Policies configured
D. Cisco Identity Services Engine with PxGrid services enabled
A. Cisco Identity Services Engine and AnyConnect Posture module
217
Which solution protects hybrid cloud deployment workloads with application visibility and segmentation?
A. Nexus
B. Stealthwatch
C. Firepower
D. Tetration
D. Tetration
https://www.cisco.com/c/en/us/solutions/security/secure-data-center-solution/index.html#~products
218
An engineer needs a solution for TACACS+ authentication and authorization for device administration. The engineer also wants to enhance wired and wireless network security by requiring users and endpoints to use 802.1X, MAB, or WebAuth.
Which product meets all of these requirements?
A. Cisco Prime Infrastructure
B. Cisco Identity Services Engine
C. Cisco Stealthwatch
D. Cisco AMP for Endpoints
B. Cisco Identity Services Engine
219
How does Cisco Stealthwatch Cloud provide security for cloud environments?
A. It delivers visibility and threat detection.
B. It prevents exfiltration of sensitive data.
C. It assigns Internet-based DNS protection for clients and servers.
D. It facilitates secure connectivity between public and private networks.
A. It delivers visibility and threat detection.
220
Which Cisco security solution protects remote users against phishing attacks when they are not connected to the VPN?
A. Cisco Umbrella
B. Cisco Firepower NGIPS
C. Cisco Stealthwatch
D. Cisco Firepower
A. Cisco Umbrella
221
What must be used to share data between multiple security products?
A. Cisco Platform Exchange Grid
B. Cisco Rapid Threat Containment
C. Cisco Stealthwatch Cloud
D. Cisco Advanced Malware Protection
A. Cisco Platform Exchange Grid
222
Which two characteristics of messenger protocols make data exfiltration difficult to detect and prevent? (Choose two.)
A. Messenger applications cannot be segmented with standard network controls
B. Malware infects the messenger application on the user endpoint to send company data
C. Traffic is encrypted, which prevents visibility on firewalls and IPS systems
D. An exposed API for the messaging platform is used to send large amounts of data
E. Outgoing traffic is allowed so users can communicate with outside organizations
A. Messenger applications cannot be segmented with standard network controls
E. Outgoing traffic is allowed so users can communicate with outside organizations
Verified
Examtopic community
223
Which solution combines Cisco IOS and IOS XE components to enable administrators to recognize applications, collect and send network metrics to Cisco Prime and other third-party management tools, and prioritize application traffic?
A. Cisco Security Intelligence
B. Cisco Application Visibility and Control
C. Cisco Model-Driven Telemetry
D. Cisco DNA Center
B. Cisco Application Visibility and Control
Verified
https://www.cisco.com/c/en/us/products/routers/avc-control.html
224
What provides visibility and awareness into what is currently occurring on the network?
A. CMX
B. WMI
C. Cisco Prime Infrastructure
D. Telemetry
D. Telemetry
Verified
Telemetry- Information and/or data that provides awareness and visibility into what is occurring on the network at any given time from networking devices, appliances, applications or servers in which the core function of the device is not to generate security alerts designed to detect unwanted or malicious activity from computer networks.
https://www.cisco.com/c/dam/en\_us/about/doing\_business/legal/service\_descriptions/docs/activethreat- analytics-premier.pd
225
How is ICMP used as an exfiltration technique?
A. by flooding the destination host with unreachable packets
B. by sending large numbers of ICMP packets with a targeted hosts source IP address using an IP broadcast address
C. by encrypting the payload in an ICMP packet to carry out command and control tasks on a compromised host
D. by overwhelming a targeted host with ICMP echo-request packets
C. by encrypting the payload in an ICMP packet to carry out command and control tasks on a compromised host
Verfied
226
Refer to the exhibit. An engineer configured wired 802.1x on the network and is unable to get a laptop to authenticate. Which port configuration is missing?
A. dot1x reauthentication
B. cisp enable
C. dot1x pae authenticator
D. authentication open
C. dot1x pae authenticator
Verified
227
An engineer is configuring 802.1X authentication on Cisco switches in the network and is using CoA as a mechanism. Which port on the firewall must be opened to allow the CoA traffic to traverse the network?
A. UDP 1700
B. TCP 6514
C. UDP 1812
D. TCP 49
A. UDP 1700
Verified
RADIUS Change of Authorization (CoA) Send: UDP/1700
RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799
https://www.cisco.com/c/en/us/td/docs/security/ise/20/installation\_guide/b\_ise\_InstallationGuide20/Cisco\_SNS\_3400\_Series\_Appliance\_Ports\_Reference.html
228
What are two Detection and Analytics Engines of Cognitive Threat Analytics? (Choose two.)
A. data exfiltration
B. command and control communication
C. intelligent proxy
D. snort
E. URL categorization
A. data exfiltration
B. command and control communication
Verified
https://www.cisco.com/c/dam/en/us/products/collateral/security/cognitive-threat-analytics/at-a-glance-c45-736555.pdf
Researchers on our Cognitive Threat Analytics team have found that when attackers have established a foothold within an organization, more than 90 percent of them use the web for **command-and-control communications and to exfiltrate sensitive information.**
229
Which Cisco product is open, scalable, and built on IETF standards to allow multiple security products from Cisco and other vendors to share data and interoperate with each other?
A. Platform Exchange Grid
B. Multifactor Platform Integration
C. Firepower Threat Defense
D. Advanced Malware Protection
A. Platform Exchange Grid
Verified
230
Which compliance status is shown when a configured posture policy requirement is not met?
A. authorized
B. compliant
C. unknown
D. noncompliant
D. noncompliant
Verified
Unknown Profile If no matching posture policy is defined for an endpoint, then the posture compliance status of the endpoint may be set to unknown. A posture compliance status of unknown can also apply to an endpoint where a matching posture policy is enabled but posture assessment has not yet occurred for that endpoint and, therefore no compliance report has been provided by the client agent.
Noncompliant Profile The posture compliance status of an endpoint is set to non-compliant when a matching posture policy is defined for that endpoint but it fails to meet all the mandatory requirements during posture assessment. An endpoint that is postured noncompliant matches a posture requirement with a remediation action, and it should be granted limited network access to remediation resources in order to remediate itself.
231
An organization is trying to implement micro-segmentation on the network and wants to be able to gain visibility on the applications within the network. The solution must be able to maintain and force compliance. Which product should be used to meet these requirements?
A. Cisco Stealthwatch
B. Cisco Tetration
C. Cisco AMP
D. Cisco Umbrella
B. Cisco Tetration
Verified
https://www.cisco.com/c/en/us/products/security/tetration/index.html
232
An organization has a Cisco Stealthwatch Cloud deployment in their environment. Cloud logging is working as expected, but logs are not being received from the on-premise network. What action will resolve this issue?
A. Deploy a Cisco FTD sensor to send events to Cisco Stealthwatch Cloud.
B. Deploy a Cisco Stealthwatch Cloud sensor on the network to send data to Cisco Stealthwatch Cloud.
C. Configure security appliances to send syslogs to Cisco Stealthwatch Cloud.
D. Configure security appliances to send NetFlow to Cisco Stealthwatch Cloud.
B. Deploy a Cisco Stealthwatch Cloud sensor on the network to send data to Cisco Stealthwatch Cloud.
Verified
https://www.braindump2go.com/free-online-pdf/350-701-PDF-Dumps(257-279).pdf
233
A network engineer has been tasked with adding a new medical device to the network. Cisco ISE is being used as the NAC server, and the new device does not have a supplicant available. What must be done in order to securely connect this device to the network?
A. Use 802.1X with posture assessment.
B. Use MAB with profiling.
C. Use 802.1X with profiling.
D. Use MAB with posture assessment.
B. Use MAB with profiling.
Verified
234
Drag and drop the solutions from the left onto the solutionג€™s benefits on the right.
Select and Place:
235
Network traffic between servers (virtual servers or physical servers, containers, and so on).
A. East-West
B. North-South
A. East-West
236
Network traffic flowing in and outside the data center.
A. East-West
B. North-South
B. North-South
237
Communicate between the SDN controller and the switches and routers within the infrastructure. These APIs can be open or proprietary.
A. Northbound API
B. Southbound API
B. Southbound API
238
The link between the applications and the SDN controller.
A. Northbound API
B. Southbound API
A. Northbound API
Northbound APIs (SDN northbound APIs) are typically RESTful APIs that are used to communicate between the SDN controller and the services and applications running over the network. Such northbound APIs can be used for the orchestration and automation of the network components to align with the needs of different applications via SDN network programmability.
Cisco has the concept of intent-based networking. On different occasions, you may see northbound APIs referred to as “intent-based APIs.”
239
An administrator configures a Cisco WSA to receive redirected traffic over ports 80 and 443. The organization requires that a network device with specific WSA integration capabilities be configured to send the traffic to the WSA to proxy the requests and increase visibility while making this invisible to the users. What must be done on the Cisco WSA to support these requirements?
A. Use PAC keys to allow only the required network devices to send the traffic to the Cisco WSA.
B. Configure transparent traffic redirection using WCCP in the Cisco WSA and on the network device.
C. Configure active traffic redirection using WPAD in the Cisco WSA and on the network device.
D. Use the Layer 4 settings in the Cisco WSA to receive explicit forward requests from the network device.
B. Configure transparent traffic redirection using WCCP in the Cisco WSA and on the network device.
Verified
240
An administrator configures a new destination list in Cisco Umbrella so that the organization can block specific domains for its devices. What should be done to ensure that all subdomains of domain.com are blocked?
A. Configure the domain.com address in the block list.
B. Configure the \*.domain.com address in the block list.
C. Configure the \*.com address in the block list.
D. Configure the \*domain.com address in the block list.
A. Configure the domain.com address in the block list.
Verified
https://docs.umbrella.com/deployment-umbrella/docs/wild-cards
241
An organization wants to use Cisco FTD or Cisco ASA devices. Specific URLs must be blocked from being accessed via the firewall, which requires that the administrator input the bad URL categories that the organization wants blocked into the access policy. Which solution should be used to meet this requirement?
A. Cisco FTD because it enables URL filtering and blocks malicious URLs by default, whereas Cisco ASA does not.
B. Cisco ASA because it enables URL filtering and blocks malicious URLs by default, whereas Cisco FTD does not.
C. Cisco ASA because it includes URL filtering in the access control policy capabilities, whereas Cisco FTD does not.
D. Cisco FTD because it includes URL filtering in the access control policy capabilities, whereas Cisco ASA does not.
D. Cisco FTD because it includes URL filtering in the access control policy capabilities, whereas Cisco ASA does not
Verified
Firepower Management Center Configuration Guide, Version 6.0 - Access Control Rules: URL Filtering [Cisco Firepower Management Center] - Cisco
242
Which component of Cisco Umbrella architecture increases reliability of the service?
A. BGP route reflector
B. anycast IP
C. AMP Threat Grid
D. Cisco Talos
B. anycast IP
Verified
AnyCast - https://umbrella.cisco.com/blog/why-the-cisco-umbrella-global-network-uses-anycast-routing
"One of the technologies that helps us maintain our great availability and speed is called anycast routing. In this blog post we’ll explain what anycast routing is, how we use it, and how it helps us maintain our 100% uptime and availability for our customers."
243
A customer has various external HTTP resources available including Intranet, Extranet, and Internet, with a proxy configuration running in explicit mode. Which method allows the client desktop browsers to be configured to select when to connect directly or when to use a proxy?
A. Bridge mode
B. Transparent mode
C. PAC file
D. Forward file
C. PAC file
Verified
A Proxy Auto-Configuration (PAC) file contains a set of rules coded in JavaScript which allows a web browser to determine whether to send web traffic direct to the Internet or be sent via a proxy server.
PAC files can control how a web browser handles HTTP, HTTPS, and FTP traffic.
244
245
What are two list types within Cisco AMP for Endpoints Outbreak Control? (Choose two.)
A. blocked ports
B. simple custom detections
C. command and control
D. allowed applications
E. URL
B. simple custom detections
D. allowed applications
Verified
Secure Endpoint User Guide.book (cisco.com)
246
Which posture assessment requirement provides options to the client for remediation within a certain timeframe?
A. audit
B. mandatory
C. visibility
D. optional
B. mandatory
Verified
Examtopics community
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin\_guide/b\_ise\_admin\_guide\_22/b\_ise\_admin\_guide\_22\_chapter\_010111.html
247
An organization configures Cisco Umbrella to be used for its DNS services. The organization must be able to block traffic based on the subnet that the endpoint is on, but sees only the requests from its public IP addresses instead of each internal IP address. What must be done to resolve this issue?
A. Install the Microsoft Active Directory Connector to give IP address information stitched to the requests in the Cisco Umbrella dashboard.
B. Use the tenant control features to identify each subnet being used and track the connections within the Cisco Umbrella dashboard.
C. Configure an internal domain within Cisco Umbrella to help identify each address and create policy from the domains.
D. Set up a Cisco Umbrella virtual appliance to internally field the requests and see the traffic of each IP address.
D. Set up a Cisco Umbrella virtual appliance to internally field the requests and see the traffic of each IP address.
Verified
https://docs.umbrella.com/deployment-umbrella/docs/internal-networks-setup-guide
248
A network engineer must monitor user and device behavior within the on-premises network. This data must be sent to the Cisco Stealthwatch Cloud analytics platform for analysis. What must be done to meet this requirement, using the Ubuntu-based VM appliance deployed in a VMware-based hypervisor?
A. Deploy a Cisco FTD sensor to send network events to Cisco Stealthwatch Cloud.
B. Configure a Cisco FMC to send syslogs to Cisco Stealthwatch Cloud.
C. Deploy the Cisco Stealthwatch Cloud PNM sensor that sends data to Cisco Stealthwatch Cloud.
D. Configure a Cisco FMC to send NetFlow to Cisco Stealthwatch Cloud.
C. Deploy the Cisco Stealthwatch Cloud PNM sensor that sends data to Cisco Stealthwatch Cloud.
Verified
249
An organization wants to provide visibility and to identify active threats in its network using a VM. The organization wants to extract metadata from network packet flow while ensuring that payloads are not retained or transferred outside the network. Which solution meets these requirements?
A. Cisco Umbrella Cloud
B. Cisco Stealthwatch Cloud PNM
C. Cisco Stealthwatch Cloud PCM
D. Cisco Umbrella Om-Premises
B. Cisco Stealthwatch Cloud PNM
Verified
250
Which type of DNS abuse exchanges data between two computers even when there is no direct connection?
A. malware installation
B. network footprinting
C. command-and-control communication
D. data exfiltration
D. data exfiltration
