DB Flashcards

1
Q

A network administrator notices that SI events are not being updated. The Cisco FTD device cannot load all SI event entries, and traffic is not being blocked as expected. What should be done to fix this issue?

A. Restart the affected devices to reset configurations
B. Manually update the SI event entries to block the appropriate traffic
C. Redeploy configurations to affected devices to allocate more memory to the SI module
D. Replace affected devices with those that have more memory

A

Answer: C - Redeploying configurations allows the system to allocate additional memory to the SI module, ensuring it can handle all event entries and apply security measures correctly.

2
Q

Explain in simple terms how memory allocation affects firewall event processing.

A

Firewalls need memory to store and process security events. If there isn’t enough memory, some events may be ignored, making the network vulnerable. Increasing memory allocation ensures the firewall can track and block all suspicious activities effectively.

3
Q

An organization has a Cisco FTD that uses bridge groups to pass traffic from inside to outside interfaces. However, they cannot gather information about neighboring Cisco devices or use multicast. What should they do?

A. Change the firewall mode to transparent
B. Change the firewall mode to routed
C. Create a bridge group with the firewall interfaces
D. Create a firewall rule to allow CDP traffic

A

Answer: A - Transparent mode allows the firewall to operate at Layer 2, which enables it to process multicast and neighbor discovery protocols like CDP.

4
Q

Explain in simple terms how firewall modes impact network communication.

A

Firewalls can work in two main ways: routed mode (which changes IP addresses and works like a router) and transparent mode (which acts like an invisible security filter). Transparent mode helps keep devices connected while still filtering traffic.

5
Q

An engineer must export a packet capture from Cisco Secure Firewall Management Center to troubleshoot an issue on a Secure Firewall Threat Defense device. When trying to access the capture file at:
https://<FMC>/capture/CAPVpcap/test.pcap
they receive a 403: Forbidden error. What must they do to resolve this issue?

A. Disable the proxy setting on the browser
B. Disable the HTTPS server and use HTTP instead
C. Use the Cisco FTD IP address as the proxy server setting on the browser
D. Enable the HTTPS server for the device platform policy

A

Answer: D - The HTTPS server must be enabled in the device platform policy to allow secure access to the capture file.

6
Q

Explain in simple terms why enabling HTTPS is necessary for secure file access.

A

HTTPS encrypts data so that only authorized users can access it. If it’s not enabled, the system might block access to sensitive files like firewall logs to prevent unauthorized access.

7
Q

An analyst is investigating a potentially compromised endpoint and retrieves a host report for metrics and documentation. What information should be collected from this report?

A. Threat detections over time and application protocols transferring malware
B. Number of attacked machines, attack sources, and traffic patterns
C. Intrusion events, host connections, and user sessions
D. Client applications by user, web applications, and user connections

A

Answer: C - Intrusion events, host connections, and user sessions provide key insights into suspicious activities and how the endpoint interacts with the network.

8
Q

Explain in simple terms why intrusion event logs are important in cybersecurity.

A

Intrusion event logs act like a security camera for a network. They record when and how an attacker tries to break in, helping security teams understand and stop threats before they cause harm.

9
Q

A company uses multiple Cisco FTD devices managed by Cisco FMC. The security team wants to collect logs for analysis but is concerned about high traffic volume. How can they ensure efficient log processing?

A. Send connection and security events to FMC, then forward logs to a SIEM for storage and analysis
B. Send connection and security events to a cluster of FMC devices for analysis
C. Send connection events directly to a SIEM and forward security events from FMC to SIEM
D. Send connection and security events directly to a SIEM system for storage and analysis

A

Answer: C - Sending connection events directly to a SIEM while forwarding security events from FMC optimizes storage and analysis without overloading FMC.

10
Q

Explain in simple terms why using a SIEM system helps with cybersecurity.

A

A SIEM (Security Information and Event Management) system works like a security guard that watches over all logs and alerts, helping detect threats faster by analyzing huge amounts of data automatically.

11
Q

An engineer is troubleshooting DNS connectivity issues on a Cisco FTD device. Hosts cannot send DNS queries to servers in the DMZ. What should they do to analyze real DNS packets?

A. Use the packet capture tool to check where the traffic is blocked and adjust policies
B. Use the packet tracer tool to determine where packets are dropped
C. Use the Connection Events dashboard to check block reasons
D. Use the show blocks command in the CLI to identify blocked traffic

A

Answer: A - Packet capture helps identify where traffic is blocked, allowing the engineer to adjust access control or intrusion policies.

12
Q

Explain in simple terms how packet capture helps in network troubleshooting.

A

Packet capture is like a traffic camera for the internet. It records every piece of data traveling through the network, helping engineers see what’s blocked or where problems occur.

13
Q

An administrator must use Cisco FMC to install a backup route within Cisco FTD to route traffic if the primary route fails. What should they do?

A. Use a default route instead of multiple routes
B. Configure EIGRP routing to ensure updates
C. Install a static backup route and modify the metric to be lower than the primary route
D. Create a backup route and use route tracking for failover

A

Answer: D - Route tracking ensures the backup route is only used if the primary one fails, preventing unnecessary routing changes.

14
Q

Explain in simple terms why backup routes are important in networking.

A

Backup routes act like detours on a road. If the main road is blocked, the network can use an alternative path to keep traffic moving smoothly.

15
Q

An administrator notices that malware with an .exe extension is present in the network. They need to verify if any systems are running this executable file. What must be configured within Cisco AMP for Endpoints to show this data?

A. File analysis
B. Threat root cause
C. Vulnerable software
D. Prevalence

A

Answer: D - The prevalence feature tracks how often a file appears across the network, helping detect the spread of malware.

16
Q

Explain in simple terms how Cisco AMP helps detect malware.

A

Cisco AMP watches all files moving in a network. If a suspicious file appears on many computers, it raises an alarm, like a security guard noticing an unfamiliar person in a building.

17
Q

An organization is migrating their Cisco ASA devices running in multi-context mode to Cisco FTD devices. How can they ensure each ASA context remains logically separated in FTD?

A. Add the FTD device to ASA port channels
B. Configure the FTD to use port channels spanning multiple networks
C. Configure a container instance in the FTD for each ASA context
D. Add a native instance to distribute traffic across FTD contexts

A

Answer: C - Container instances in FTD provide logical separation similar to multi-context mode in ASA.

18
Q

Explain in simple terms how container instances work in Cisco FTD.

A

A container instance is like a separate room in a house. Even though it’s inside the same building (firewall), it has its own space and rules, keeping it isolated from other rooms.

19
Q

A Cisco FTD has two physical interfaces assigned to a BVI (Bridge Virtual Interface), each connected to a different VLAN on the same switch. What firewall mode is being used?

A. Transparent
B. High availability clustering
C. Routed
D. Active/active failover

A

Answer: C - The routed mode supports BVI with VLAN separation, allowing the firewall to route traffic between VLANs.

20
Q

Explain in simple terms the difference between transparent mode and routed mode in firewalls.

A

In transparent mode, the firewall is like a glass door – it filters traffic but doesn’t change addresses. In routed mode, it works like a security checkpoint, controlling and directing traffic between networks.

21
Q

A network administrator checks the file report and notices that all file types except .exe files have a disposition of unknown. What is the likely cause?

A. A file policy has not been applied to the access policy
B. The malware license has not been applied to the Cisco FTD
C. The Cisco FMC cannot reach the Internet for file analysis
D. Only Spero file analysis is enabled

A

Answer: D - Spero analysis provides limited detection, mainly for .exe files, leading to “unknown” dispositions for other file types.

22
Q

Explain in simple terms why Cisco FMC needs file analysis to detect threats.

A

File analysis is like a virus scanner for the network. If the scanner only checks one type of file (like .exe), other files might pass through undetected, just like missing a spot while cleaning a table.

23
Q

Which firewall design allows a firewall to forward traffic at both Layer 2 and Layer 3 for the same subnet?

A. Integrated Routing and Bridging (IRB)
B. Routed mode
C. Cisco Firepower Threat Defense mode
D. Transparent mode

A

Answer: A - Integrated Routing and Bridging (IRB) allows the firewall to act at both Layer 2 and Layer 3, enabling hybrid networking.

24
Q

Explain in simple terms how Integrated Routing and Bridging (IRB) works.

A

IRB is like a multi-purpose bridge that can let traffic pass directly (Layer 2) or redirect it through a checkpoint (Layer 3), depending on the network setup.

25
Q

A NAT policy translates a public IP to an internal web server IP. The access policy allows any source to reach the public IP on port 80, but the web server is still unreachable. What change is needed?

A. Modify NAT to translate the source IP as well as destination
B. Set the access policy rule action to trust
C. Disable the intrusion policy for port 80
D. Allow traffic to the internal web server IP in the access policy

A

Answer: D - The access policy must permit traffic to the internal IP, not just the public IP, for successful routing.

26
Q

Explain in simple terms how NAT policies affect web server access.

A

NAT is like a mail forwarding service. If a rule only forwards letters (traffic) to the mailbox (public IP) but not inside the house (internal IP), the message never reaches its destination.

27
Q

What is the role of the casebook feature in Cisco Threat Response?

A. Sharing threat analysis
B. Pulling data via the browser extension
C. Triage automation with alerting
D. Alert prioritization

A

Answer: A - The casebook feature allows security teams to share threat analysis, making it easier to investigate and respond to security incidents collaboratively.

28
Q

Explain in simple terms how the casebook feature in Cisco Threat Response helps security teams.

A

The casebook feature is like a shared notebook where security teams write down suspicious activities, allowing everyone to track and respond to threats more efficiently.

29
Q

An engineer is investigating connectivity problems on Cisco Firepower for a specific SGT (Security Group Tag). Which command allows the engineer to capture real packets that pass through the firewall using an SGT of 64?

A. capture CAP headers-only type inline-tag 64 match ip any any
B. capture CAP buffer 64 match ip any any
C. capture CAP match 64 type inline-tag ip any any
D. capture CAP type inline-tag 64 match ip any any

A

Answer: D - The correct command syntax for capturing real packets using an SGT of 64 is capture CAP type inline-tag 64 match ip any any.

30
Q

Explain in simple terms how packet capture helps diagnose Security Group Tag (SGT) issues.

A

Capturing packets is like recording a conversation—it lets engineers see exactly what’s happening in the network, helping them find out if the firewall is blocking the right or wrong traffic.

31
Q

An organization recently implemented a transparent Cisco FTD and must ensure it does not respond to insecure SSL/TLS protocols. What should they do?

A. Use Cisco FTD platform policy to change the minimum SSL version to TLS 1.2
B. Configure a flexconfig object to disable insecure TLS protocols
C. Modify the device's settings in Cisco FMC to allow only secure protocols
D. Enable UCAPL/CC compliance to support only the most secure protocols

A

Answer: A - The Cisco FTD platform policy should be configured to enforce TLS 1.2 as the minimum SSL version, preventing the use of insecure protocols.

32
Q

Explain in simple terms why TLS 1.2 is important for security.

A

TLS 1.2 is like a strong lock on a door—it keeps data safe from hackers by encrypting it, while older versions (like TLS 1.0) have weak spots that attackers can exploit.

33
Q

An engineer wants to change an existing transparent Cisco FTD to routed mode. The firewall controls traffic between two network segments. What must be done to allow hosts to communicate after this change?

A. Implement non-overlapping IP subnets on each segment
B. Configure multiple BVIs to route between segments
C. Assign unique VLAN IDs to each firewall interface
D. Remove existing dynamic routing protocol settings

A

Answer: A - Non-overlapping subnets must be configured so the firewall can properly route traffic between the network segments.

34
Q

Explain in simple terms why non-overlapping subnets are needed in routed mode.

A

Think of subnets like separate neighborhoods—if two neighborhoods have the same street names, deliveries (data packets) get lost. Using different subnets ensures traffic reaches the right place.

35
Q

A network administrator is migrating from Cisco ASA to Cisco FTD. EIGRP is configured on the Cisco ASA, but it is not available in Cisco FMC. How can the administrator enable this feature in Cisco FTD?

A. Enable advanced configuration options in FMC
B. Create a custom variable set and enable EIGRP
C. Configure EIGRP parameters using FlexConfig objects
D. Add the command feature eigrp via the FTD CLI

A

Answer: C - FlexConfig objects allow manual configuration of EIGRP parameters since EIGRP is not natively available in Cisco FMC.

36
Q

Explain in simple terms why FlexConfig objects are needed for advanced firewall configurations.

A

FlexConfig is like a custom settings panel—it lets engineers enable features that aren’t available in the normal menus, giving them more control over how the firewall works.

37
Q

A security analyst needs to create a new Cisco FMC report to show an overview of daily attacks, vulnerabilities, and connections. They also want to reuse specific dashboards from other reports. How can this be done?

A. Copy the Malware Report and modify sections to pull data from other reports
B. Create a new dashboard object in Object Management
C. Modify Custom Workflows to feed data into the new report
D. Use the import feature to select dashboards from other reports

A

Answer: D - The import feature allows the analyst to add existing dashboards from other reports into the new custom report.

38
Q

Explain in simple terms why importing dashboards helps in cybersecurity reporting.

A

Instead of building a new report from scratch, importing dashboards is like copying and pasting useful charts from old reports, making it easier to get all the needed information quickly.

39
Q

Which feature is supported by IRB (Integrated Routing and Bridging) on Cisco FTD devices?

A. EtherChannel interface
B. Dynamic routing protocol
C. Redundant interface
D. High-availability cluster

A

Answer: C - Redundant interfaces are supported by IRB, allowing improved failover and resiliency in network environments.

40
Q

Explain in simple terms why redundant interfaces are useful in networking.

A

Redundant interfaces are like having two roads to the same destination—if one road is blocked, traffic can still reach its goal using the other route, keeping the network running smoothly.

41
Q

A network administrator registered a new FTD to an existing FMC, but they cannot set it to transparent mode. What must be done to enable this mode?

A. Assign an IP address to two physical interfaces
B. Deregister the FTD device from FMC and configure transparent mode via CLI
C. Obtain an FTD model that supports transparent mode
D. Add a Bridge Group Interface (BGI) before configuring transparent mode

A

Answer: B - Transparent mode can only be set before registration to FMC, so the device must be deregistered and reconfigured via CLI.

42
Q

Explain in simple terms why transparent mode must be set before registration in Cisco FTD.

A

Transparent mode is like choosing between a window or a door before installing a security system—you must decide how the firewall will behave before locking in the setup.

43
Q

A network engineer must provide redundancy between two Cisco FTD devices. The setup should include automatic configuration, translation, and connection updates. What are the two required steps? (Choose two)

A. Ensure the high-availability license is enabled
B. Disable Hellos on the inside interface
C. Configure the standby IP addresses
D. Configure the virtual MAC address on the failover link
E. Configure the failover link with stateful properties

A

Answer: C and E - The standby IP addresses and a stateful failover link ensure redundancy, preserving active connections during failover.

44
Q

Explain in simple terms how stateful failover helps in firewall redundancy.

A

Stateful failover is like switching cars while driving—if one firewall fails, another takes over without stopping traffic, so users don’t even notice the change.

45
Q

An engineer needs to pull the configuration of a Cisco FTD sensor to review it with Cisco TAC but does not have direct CLI access to the device. The CLI is managed via Cisco FMC. How can they access the configuration?

A. Export the configuration using the Import/Export tool in FMC
B. Use the show run all command in the FTD CLI feature within FMC
C. Download the configuration file from the File Download section in FMC
D. Create a backup of the configuration within FMC

A

Answer: B - The show run all command within Cisco FMC's FTD CLI feature allows access to the configuration without direct CLI access.

46
Q

Explain in simple terms why Cisco FMC's CLI feature is useful for managing FTD devices.

A

Cisco FMC’s CLI feature is like a remote control for the firewall—even if you can’t touch the firewall directly, you can still check and change settings from a central control panel.

47
Q

A network administrator is configuring a Cisco AMP public cloud instance and wants to capture infections and polymorphic variants of a threat to detect malware families. Which detection engine should be used?

A. Spero
B. RBAC
C. Tetra
D. Ethos

A

Answer: D - Ethos helps detect polymorphic malware (viruses that change shape) by analyzing behavior patterns instead of just looking for known threats.

48
Q

Explain in simple terms how the Ethos detection engine helps fight malware.

A

Ethos is like a security camera that detects strange behavior instead of just checking faces—if a program acts like a virus, it gets flagged, even if it looks different every time.

49
Q

Due to an increase in malicious events, a security engineer must generate a threat report including intrusion events, malware events, and security intelligence events. How can this data be collected in one report?

A. Generate a malware report
B. Run the default Firepower report
C. Export the Attacks Risk report
D. Create a Custom report

A

Answer: D - A Custom report allows the engineer to combine multiple event types into a single document for better analysis.

50
Q

Explain in simple terms why custom reports are important in cybersecurity.

A

A custom report is like a personalized weather forecast—instead of checking different sources for rain, wind, and temperature, it combines everything into one easy-to-read summary.

51
Q

A Cisco FMC administrator wants to configure fastpathing of trusted network traffic to increase performance. In which type of policy should this feature be configured?

A. Network Analysis policy
B. Identity policy
C. Prefilter policy
D. Intrusion policy

A

Answer: C - A Prefilter policy allows traffic to bypass deep inspection, improving firewall performance for trusted traffic.

52
Q

Explain in simple terms why Prefilter policies help improve network performance.

A

A Prefilter policy is like an express lane on a highway—it lets trusted traffic move quickly without unnecessary security checks, freeing up resources for unknown or suspicious traffic.

53
Q

An engineer is configuring multiple Cisco FTD appliances for use in the network. What rule must be followed when defining interface objects in Cisco FMC for use across multiple devices?

A. Interface groups can contain multiple interface types
B. Interface groups can contain interfaces from many devices
C. Two security zones can contain the same interface
D. An interface cannot belong to both a security zone and an interface group

A

Answer: B - Interface groups can contain interfaces from multiple devices, allowing centralized policy management.

54
Q

Explain in simple terms why interface groups are useful in Cisco FMC.

A

An interface group is like a team of security guards—instead of managing each guard separately, you can assign rules to the whole team at once, making security easier to manage.

55
Q

An organization is configuring a new Cisco Firepower High Availability deployment. What must be done to ensure seamless failover for end users?

A. Set the same FQDN for both chassis
B. Set up a virtual failover MAC address between chassis
C. Load the same software version on both chassis
D. Use a dedicated stateful link between chassis

A

Answer: D - A dedicated stateful link ensures real-time session synchronization, so users don’t experience disruptions during failover.

56
Q

Explain in simple terms why a stateful link is critical for High Availability (HA).

A

A stateful link is like sharing a notebook between two workers—if one worker takes over, they can continue without asking questions, ensuring smooth transitions without disruptions.

57
Q

An engineer is creating a URL object in Cisco Secure Firewall Management Center. How must it be configured to match HTTPS traffic in an access control policy?

A. Define the path to the individual webpage that uses HTTPS
B. Specify the protocol to match (HTTP or HTTPS)
C. Use the FQDN including the subdomain for the website
D. Use the subject common name from the website certificate

A

Answer: D - The subject common name from the website certificate ensures accurate matching of HTTPS traffic.

58
Q

Explain in simple terms why the subject common name is needed for HTTPS filtering.

A

A subject common name is like a website’s ID card—since HTTPS encrypts traffic, firewalls can’t see the full URL, so they use the ID card (certificate) to check if it matches security rules.

59
Q

A network administrator is troubleshooting access to a website behind a Cisco FTD device. External clients cannot access the web server via HTTPS. The web server IP is 192.168.7.46. The administrator runs the command capture CAP interface outside match ip any 192.168.7.46 255.255.255.255 but sees no traffic in the capture. What is the most likely reason?

A. The FTD has no route to the web server
B. The packet capture only shows blocked traffic
C. The capture must use the public IP address of the web server
D. The access policy is blocking the traffic

A

Answer: C - Since external clients are accessing the server, the public IP address must be used in the packet capture to see traffic.

60
Q

Explain in simple terms why using the public IP address is necessary for packet capture.

A

A packet capture is like checking a mailbox—if you look inside the wrong mailbox (private IP), you won’t see letters (traffic) meant for a different address (public IP).

61
Q

What must be implemented on Cisco Firepower to allow multiple logical devices on a single physical device to have access to external hosts?

A. Add at least two container instances from the same module.
B. Set up a cluster control link between all logical devices.
C. Define VLAN subinterfaces for each logical device.
D. Add one shared management interface on all logical devices.

A

Answer: D - A shared management interface allows multiple logical devices on the same physical device to communicate externally.

62
Q

Why does a shared management interface enable multiple logical devices to access external hosts in Cisco Firepower?

A

A shared management interface acts as a common gateway for all logical devices, allowing them to communicate externally without requiring separate external interfaces for each device. This simplifies routing and ensures seamless external connectivity.

63
Q

Which action must be taken on the Cisco FMC when a packet bypass is configured if the Snort engine fails or a packet takes too long to process?

A. Enable Automatic Application Bypass.
B. Enable Inspect Local Router Traffic.
C. Configure Fastpath rules to bypass inspection.
D. Add a Bypass Threshold policy for failures.

A

Answer: A - The Automatic Application Bypass ensures that traffic continues flowing even if the Snort engine is down.

64
Q

If packets are being dropped due to Snort failure, what configuration should be applied in Cisco FMC to maintain traffic flow?

A

Enable Automatic Application Bypass in FMC to allow packets to pass through when Snort is unavailable, preventing disruptions in network traffic.

65
Q

A network administrator wants to block traffic to a known malware site (e.g., https://www.badsite.com) and all its subdomains, ensuring that no packets from internal clients are sent to that site. Which policy should be used?

A. SSL policy
B. Prefilter policy
C. Access Control policy with URL filtering
D. DNS policy

A

Answer: C - An Access Control policy with URL filtering ensures that no requests reach the site by filtering at the URL level.

66
Q

How does a URL filtering policy in Cisco FMC work? Explain using an analogy.

A

A URL filtering policy is like a security guard at a club entrance. It checks the guest list (allowed websites) and blocks entry to anyone not on the list (malicious sites). This prevents any unwanted traffic from reaching harmful destinations.

67
Q

An engineer must configure a Cisco FMC dashboard in a multidomain deployment. How can they edit a report template from an ancestor domain?

A. Assign themselves ownership of it.
B. Change the document attributes.
C. Add it as a separate widget.
D. Copy it to the current domain.

A

Answer: D - Copying the report template to the current domain allows modifications without altering the ancestor domain's version.

68
Q

Complete the process for modifying a report template in a multidomain FMC deployment:

1. Identify the report in the ancestor domain.
2. ___________________________________________
3. Modify the template for local use.
4. Deploy changes in the current domain.

A

Step 2: Copy the template to the current domain to allow modifications while preserving the original version.

69
Q

A security engineer needs to configure a network discovery policy in Cisco FMC while preventing excessive network discovery events from overloading the FMC database. What should they do?

A. Configure NetFlow exporters for monitored networks.
B. Exclude load balancers and NAT devices in the policy.
C. Change the network discovery method to TCP/SYN.
D. Monitor only the default IPv4 and IPv6 network ranges.

A

Answer: B - Excluding load balancers and NAT devices prevents unnecessary discovery logs from flooding the database.

70
Q

Cisco FMC is experiencing database overload due to excessive network discovery events. What are some ways to mitigate this issue?

1. ___________________________________
2. Limit discovery to specific subnets.
3. Reduce the number of monitored protocols.

A

1. Exclude load balancers and NAT devices from network discovery to prevent unnecessary log entries.

71
Q

Which process should be checked when troubleshooting registration issues between Cisco FMC and managed devices to verify that secure communication is occurring?

A. sftunnel
B. sfmgr
C. dhclient
D. fpcollect

A

Answer: A - The sftunnel process manages the secure communication tunnel between Cisco FMC and its managed devices.

72
Q

A Cisco FTD device is unable to register with Cisco FMC. What process should you check to verify if secure communication is occurring?

A

Check the sftunnel process, as it handles encrypted communication between Cisco FMC and managed devices. If sftunnel is down, the device won’t be able to register properly.

73
Q

An organization is installing a new Cisco FTD appliance to segment two network sections within the same IP subnet. What step is required to achieve this?

A. Assign an IP address to the Bridge Virtual Interface (BVI)
B. Add a separate bridge group for each segment
C. Permit BPDU packets to prevent loops
D. Specify a name for the bridge group

A

Answer: A - The BVI (Bridge Virtual Interface) is required to allow traffic between segments within the same subnet.

74
Q

Why is assigning an IP address to the Bridge Virtual Interface (BVI) necessary when configuring a Cisco FTD to segment traffic within the same subnet?

A

The BVI acts as a bridge between two network segments while allowing Layer 3 communication. Assigning an IP address enables traffic forwarding and management, ensuring devices in different segments can communicate.

75
Q

An administrator needs Cisco FMC to send an alert email when an internal host transfers more than 10 MB outside business hours. What must be configured?

A. Application detector
B. Intrusion policy
C. Correlation policy
D. File and malware policy

A

Answer: C - A Correlation Policy allows Cisco FMC to detect specific events (e.g., large file transfers after hours) and trigger actions like email alerts.

76
Q

How does a correlation policy in Cisco FMC work? Explain using an analogy.

A

A correlation policy is like a security alarm in a store. If someone moves a large number of products after closing time (transferring data outside working hours), the system triggers an alert to notify security.

77
Q

A Cisco FTD device is behind a router that translates all outbound traffic to its WAN IP address. The FTD is failing to register to Cisco FMC. Which two steps are required for successful registration? (Choose two.)

A. Reconfigure Cisco FMC to use the device’s private IP instead of the WAN address
B. Configure a NAT ID on both Cisco FMC and the device
C. Remove the IP address defined for the device in Cisco FMC
D. Add the port number used for PAT on the router to the device’s IP address in Cisco FMC
E. Reconfigure the Cisco FMC to use the device’s hostname instead of the IP address

A

Answer: A & B - Configuring a NAT ID allows Cisco FMC and FTD to establish a connection despite NAT translation. Cisco FMC must be configured to use the device’s private IP instead of the public WAN IP.

78
Complete the process for registering a Cisco FTD behind NAT:

1. Enable device registration in Cisco FMC.
2. Configure a NAT ID on both the Cisco FTD and Cisco FMC.
3. ___________________
4. Ensure proper firewall rules allow communication.
5. Deploy configurations and verify registration.
Step 3: Configure Cisco FMC to use the private IP address of the FTD instead of the WAN address.
79
A security engineer must integrate an external threat intelligence feed containing STIX/TAXII data with Cisco FMC. What feature must be enabled?

A. Cisco Success Network
B. Threat Intelligence Director
C. Cisco Secure Endpoint Integration
D. Security Intelligence Feeds
Answer: B - Threat Intelligence Director is the feature in Cisco FMC that allows integration of external threat feeds like STIX/TAXII.
80
You need to configure Cisco FMC to receive real-time threat intelligence from external sources. What should you enable?
Answer: Threat Intelligence Director - This feature collects, processes, and applies threat intelligence feeds from external sources, improving firewall security policies.
81
What Cisco FMC feature enables the integration of external threat intelligence feeds such as STIX/TAXII?
Answer: Threat Intelligence Director - This feature collects, processes, and applies threat intelligence feeds from external sources, improving firewall security policies.
82
When a Cisco FTD device is configured in transparent firewall mode, on which two interface types can an IP address be assigned? (Choose two.)

A. Physical
B. Subinterface
C. BVI
D. EtherChannel
E. Diagnostic
Answer: C and E - In transparent mode, IP addresses can be assigned to Bridge Virtual Interfaces (BVI) and Diagnostic interfaces for management purposes.
83
A Cisco FTD in transparent mode requires an IP address for management and routing purposes. Which two interface types support this?
Bridge Virtual Interface (BVI) and Diagnostic interfaces are the only interfaces that can have assigned IPs in transparent mode.
84
A network administrator is configuring a site-to-site IPsec VPN to a router behind a Cisco FTD. The administrator has allowed UDP 500, 4500, and ESP traffic, but the VPN is not working. What action resolves this issue?

A. Set the allow action in the access policy to trust
B. Modify the NAT policy to use interface PAT
C. Change the access policy to allow all ports
D. Enable IPsec inspection on the access policy
Answer: D - IPsec inspection is required to properly handle encrypted VPN traffic, ensuring that ESP packets are correctly processed.
85
Why does enabling IPsec inspection on a Cisco FTD solve VPN connectivity issues?
IPsec inspection ensures that ESP packets are properly tracked and forwarded through the firewall, avoiding session mismatches that could break the VPN tunnel.
86
An engineer defines a new rule while configuring an Access Control Policy in Cisco FMC. After deploying the policy, the rule is not working and the hit counters show zero. What is the most likely cause?

A. The wrong source interface for Snort was selected in the rule
B. An incorrect application signature was used in the rule
C. The rule was not enabled after being created
D. Logging is not enabled for the rule
Answer: C - If a rule is not enabled, it will not be applied, resulting in zero hits in the access control policy.
87
Explain why a disabled firewall rule doesn’t work using an analogy.
A disabled firewall rule is like a "No Parking" sign that is covered with a cloth—even though the rule exists, no one can see or enforce it, so it has no effect.
88
An engineer must deploy a Cisco FTD device while ensuring that:

- It examines traffic without disrupting users
- Management traffic is separated from data traffic
- SSH is used instead of Telnet for remote administration

How should the device be deployed?

A. In transparent mode with a data interface
B. In routed mode with a diagnostic interface
C. In routed mode with a bridge virtual interface
D. In transparent mode with a management interface
Answer: D - Transparent mode with a management interface allows monitoring without affecting traffic flow while ensuring management remains separate from data.
89
Cisco FTD needs to be deployed without disrupting users and keeping management traffic separate. Complete the setup:

step 1: Configure the FTD in transparent mode
step 2: ________________
step 3: Ensure that SSH is enabled for remote access
step 4: Deploy policies for traffic inspection
step 2: Assign a management interface to separate management traffic from data traffic.
90
A security engineer must configure Cisco FMC to generate an alert when five or more connections from external sources occur within 2 minutes. What type of policy should be used?

A. Access Control
B. Correlation
C. Intrusion
D. Application Detector
Answer: B - Correlation policies detect and trigger alerts when specific patterns of events (e.g., multiple connections in a short time) occur.
91
Which Cisco FMC policy type is used to generate alerts based on multiple suspicious connections occurring in a short time frame?
Answer: Correlation Policy - It monitors event sequences and triggers alerts when predefined patterns occur.
92
A company wants to detect suspicious bursts of external connections (e.g., 5+ connections in 2 minutes). What Cisco FMC policy should be used?
Answer: Correlation Policy - It monitors event sequences and triggers alerts when predefined patterns occur.
93
A network administrator must create an EtherChannel interface on a Cisco Secure Firewall Threat Defense 9300 registered with Cisco Secure Firewall Management Center for High Availability. Where must the administrator create the EtherChannel interface?

A. Cisco Secure Firewall Management Center CLI
B. Cisco Secure Firewall Threat Defense CLI
C. Cisco Secure Firewall Management Center GUI
D. Firepower eXtensible Operating System (FXOS) CLI
Answer: D - The Firepower eXtensible Operating System (FXOS) CLI is where the EtherChannel interface must be created in a Cisco Secure Firewall Threat Defense 9300.
94
In a Cisco Secure Firewall Threat Defense 9300 registered with FMC, where should the EtherChannel interface be created?
The EtherChannel interface must be created in the Firepower eXtensible Operating System (FXOS) CLI.
95
When an engineer captures traffic on a Cisco FTD to troubleshoot a connectivity problem, they receive a large amount of output data in the GUI tool. What is the best file format to export the data for analysis with a specialized tool?

A. NetFlow v9
B. PCAP
C. IPFIX
D. NetFlow v5
Answer: B - PCAP format captures raw packet data, making it ideal for deep network traffic analysis.
96
Explain why PCAP files are the best format for analyzing captured network traffic using an analogy.
A PCAP file is like a full surveillance camera recording—it captures everything that happens in network traffic, allowing detailed forensic analysis, unlike NetFlow, which is like a summary report of activity.
97
What is a limitation to consider when running a dynamic routing protocol on a Cisco FTD device in IRB mode?

A. Only non-bridge interfaces are supported
B. Only EtherChannel interfaces are supported
C. Only distance vector routing protocols are supported
D. Only link-state routing protocols are supported
Answer: A - Only non-bridge interfaces support dynamic routing protocols in IRB mode, since IRB is designed primarily for Layer 2 bridging.
98
Why can dynamic routing protocols only be used on non-bridge interfaces in IRB mode?
In IRB mode, bridge interfaces act at Layer 2, meaning they do not participate in Layer 3 routing decisions. Dynamic routing protocols require Layer 3 interfaces to exchange routes.
99
Network users are experiencing intermittent issues with internet access. The issue is caused by NAT exhaustion. How must the engineer modify the NAT configuration to support more users without running out of addresses?

A. Convert the dynamic auto NAT rule to dynamic manual NAT
B. Configure fall-through to interface PAT on the Advanced tab
C. Add an identity NAT rule to handle the overflow of users
D. Define an additional static NAT for the network object in use
Answer: B - Configuring fall-through to interface PAT ensures that when the NAT pool is exhausted, the system falls back to Port Address Translation (PAT).
100
Cisco FTD is experiencing NAT exhaustion, causing intermittent internet issues for users. Complete the solution:

step 1: Identify active NAT rules and check the available address pool
step 2: ________________
step 3: Verify the configuration and monitor resource usage
step 2: Configure fall-through to interface PAT so that when the NAT pool is exhausted, port-based NAT (PAT) takes over.
101
An engineer is configuring URL filtering for a Cisco FTD device in Cisco FMC. Users must receive a warning when they access http://www.badadultsite.com, but they should have the option to continue. No other sites should be blocked. What actions must be taken? (Choose two.)

A. Configure an Access Control Rule matching the URL object for http://www.badadultsite.com and set the action to Interactive Block
B. On the HTTP Responses tab of the Access Control Policy Editor, set the Interactive Block Response Page to System-provided
C. On the HTTP Responses tab, set the Block Response Page to Custom
D. Configure the default action for the Access Control Policy to Interactive Block
E. Configure an Access Control Rule matching the Adult URL category and set the action to Interactive Block
Answer: A & B - The Interactive Block action allows users to receive a warning and choose to proceed. The System-provided Interactive Block Response Page is used to present the warning.
102
What Access Control Rule action should be used in Cisco FTD URL filtering if users should receive a warning but still be able to access the site?
Answer: Interactive Block - This option warns users but allows them to proceed if they choose.
103
A company wants to warn users when accessing certain sites (without fully blocking them). What Cisco FTD feature should be used?
Answer: Interactive Block - This option warns users but allows them to proceed if they choose.
104
An engineer is configuring a custom intrusion rule on Cisco FMC. The rule must search the payload or stream. Which keyword must be used in the rule to create an argument for packet inspection?

A. data
B. metadata
C. content
D. protected content
Answer: C - The content keyword is used to define what the intrusion rule should inspect in the packet payload.
105
Which Cisco FMC keyword is used in a custom intrusion rule to define what to inspect in the payload or stream?
The content keyword is used to specify what to inspect in the payload when creating a custom intrusion rule.
106
A network administrator is reviewing a monthly advanced malware risk report and notices a host listed as CC Connected. Where should the administrator check in Cisco FMC to determine if the host is infected with malware?

A. Analysis > Hosts > Host Attributes
B. Analysis > Hosts > Indications of Compromise
C. Analysis > Files > Network File Trajectory
D. Analysis > Files > Malware Events
Answer: B - The Indications of Compromise (IOC) section in Cisco FMC provides detailed threat intelligence to determine if a host is compromised.
107
A host is flagged as CC Connected in Cisco FMC. Where should an administrator check to determine if it is infected?

step 1: Open Cisco FMC and navigate to the Analysis tab
step 2: ________________
step 3: Review the list of Indicators of Compromise (IOC)
step 4: Analyze if the host is showing signs of an active infection
step 2: Select Hosts > Indications of Compromise to access detailed information on potential malware infections.
108
An engineer must investigate a connectivity issue between an endpoint and a public DNS server. The endpoint cannot resolve domain names. Which action should be taken in Cisco FTD to simulate real DNS traffic while verifying the Snort verdict?

A. Perform a Snort engine capture using tcpdump from the FTD CLI
B. Use the Capture w/Trace wizard in Cisco FMC
C. Create a Custom Workflow in Cisco FMC
D. Run the system support firewall-engine-debug command from the FTD CLI
Answer: B - The Capture w/Trace wizard allows engineers to simulate DNS traffic and analyze how Snort processes it.
109
Explain how the Capture w/Trace wizard in Cisco FMC helps troubleshoot network traffic, using an analogy.
The Capture w/Trace wizard is like replaying a security camera recording—it shows exactly what happened with network traffic, allowing engineers to track DNS requests and responses in real time.
110
Which firewall design allows it to forward traffic at both Layer 2 and Layer 3 for the same subnet?

A. Routed mode
B. Integrated Routing and Bridging (IRB)
C. Transparent mode
D. Cisco Firepower Threat Defense mode
Answer: B - Integrated Routing and Bridging (IRB) allows a firewall to route and bridge traffic simultaneously within a single subnet.
111
Why does Integrated Routing and Bridging (IRB) allow a firewall to forward traffic at both Layer 2 and Layer 3 in the same subnet?
IRB allows Layer 2 bridging while enabling Layer 3 routing for certain traffic, making it useful in hybrid network designs that require routing without breaking broadcast domains.
112
What happens when Cisco FTD clustering is enabled?

A. Site-to-site VPN functionality is limited to the master unit, and all VPN connections are dropped if the master unit fails.
B. For the dynamic routing feature, if the master unit fails, the newly elected master unit maintains all existing connections.
C. All Firepower appliances support Cisco FTD clustering.
D. Integrated Routing and Bridging is supported on the master unit.
Answer: A - Site-to-site VPN functionality is limited to the master unit, and if the master unit fails, all VPN connections are dropped.
113
How does Cisco FTD clustering affect site-to-site VPN functionality?
Answer: VPN connections are lost when the master unit fails because site-to-site VPNs are only supported on the master unit in an FTD cluster.
114
What happens to VPN connections when the master unit in an FTD cluster fails?
Answer: VPN connections are lost when the master unit fails because site-to-site VPNs are only supported on the master unit in an FTD cluster.
115
A connectivity issue is occurring between a client and a server through a Cisco Firepower device. The administrator sees that traffic reaches the server, but the client does not receive a response. What action should be taken to troubleshoot the issue without initiating traffic from the client?

A. Use packet capture to validate that the packet passes through the firewall and is NATed correctly
B. Use packet-tracer to ensure that traffic is not being blocked by an access list
C. Use packet capture to ensure that traffic is not being blocked by an access list
D. Use packet-tracer to validate that the packet passes through the firewall and is NATed correctly
Answer: D - The packet-tracer tool helps verify packet flow and ensure that NAT is applied correctly, diagnosing connectivity issues without generating new traffic.
116
A client is not receiving a response from a server, even though traffic reaches the server through Cisco FTD. What tool should be used to validate NAT and packet flow?
Use packet-tracer to simulate traffic and confirm that NAT translation and routing are functioning properly.
117
A company wants to aggregate the capacity of two Cisco FTD devices to optimize bandwidth and connection management. What is the correct order of steps to create a cluster in Cisco FMC?

A. Configure the FTD interfaces and cluster members, add members to Cisco FMC, and create the cluster in Cisco FMC
B. Add members to the Cisco FMC, configure FTD interfaces, create the cluster in FMC, and configure cluster members
C. Configure the FTD interfaces, add members to FMC, configure cluster members in FMC, and create the cluster
D. Add members to Cisco FMC, configure FTD interfaces in FMC, configure cluster members, create the cluster in FMC
Answer: A - First, FTD interfaces and cluster members are configured. Then, the devices are added to FMC, and finally, the cluster is created.
118
A company needs to aggregate two FTD devices into a cluster. Complete the setup:

step 1: ________________
step 2: Add FTD members to Cisco FMC
step 3: Create the cluster in Cisco FMC
step 4: Verify the cluster and ensure synchronization
step 1: Configure the FTD interfaces and cluster members before adding them to Cisco FMC.
119
An engineer integrates Cisco FMC and Cisco ISE using pxGrid. What role does Cisco FMC assume in this integration?

A. Publisher
B. Controller
C. Server
D. Client
Answer: D - In pxGrid integration, Cisco FMC acts as a client, pulling identity and security data from Cisco ISE.
120
Explain how the Cisco FMC and Cisco ISE integration via pxGrid works using an analogy.
Cisco FMC and Cisco ISE work like a security checkpoint and a VIP guest list. Cisco ISE (server) holds the list of authorized users, while Cisco FMC (client) checks identities against that list to apply security policies dynamically.
121
An organization does not want to use the default Cisco Firepower block page when blocking HTTP traffic. Instead, they want to display a custom page with security policies. What two actions must be taken? (Choose two.)

A. Edit the HTTP request handling in the access control policy to customized block
B. Modify the system-provided block page using Python
C. Create an HTML page with policy and procedure details
D. Change the HTTP response in the access control policy to custom
E. Write a CSS page with policy information
Answer: C & D - A custom HTML page must be created with the security policies. The HTTP response block page must be changed to custom in the access control policy.
122
Why is it necessary to edit both the HTTP request handling and the response block page when customizing Cisco Firepower’s block page?
The HTTP request handling defines when a page should be blocked, while the response block page specifies what message the user sees. Both must be configured to enforce security and provide user guidance.
123
An engineer is modifying an access control policy to add a rule to inspect all DNS traffic that passes through the firewall. After deploying the policy, they see that DNS traffic is not being inspected by Snort. What is the most likely cause?

A. The rule must define the source network for inspection as well as the port
B. The action of the rule is set to trust instead of allow
C. The rule must specify the security zone that originates the traffic
D. The rule is configured with the wrong setting for the source port
Answer: B - If the rule action is set to “trust”, the traffic bypasses Snort inspection and is not analyzed.
124
A newly created DNS inspection rule in an Access Control Policy is not working in Cisco FMC. What setting might be incorrect?
Answer: Ensure that the rule action is set to "allow" instead of "trust", as "trust" bypasses Snort inspection.
125
If a DNS traffic inspection rule is failing to trigger in Cisco FMC, what should be checked?
Answer: Ensure that the rule action is set to "allow" instead of "trust", as "trust" bypasses Snort inspection.
126
After applying a new access control policy in Cisco FMC, users can no longer access a web server in the cloud. What is the best way to verify what is blocking the connection?

A. Use a packet capture on the Cisco FTD to analyze traffic flow
B. Check the Security Intelligence logs for blocked traffic
C. Inspect the connection events in Cisco FMC
D. Revert the policy to the previous version
Answer: C - Connection events in Cisco FMC allow administrators to see why traffic is being blocked and determine the correct adjustment.
127
After deploying a new access control policy in Cisco FMC, a cloud-based web server becomes inaccessible. What is the best way to identify what is blocking the traffic?
Check the connection events in Cisco FMC, which log traffic actions and reveal why a session is being blocked.
128
A Cisco FTD with limited resources needs to perform malware protection without relying on cloud analysis. What feature should be enabled?

A. AMP with Threat Grid integration
B. Local Malware Analysis
C. Threat Intelligence Director
D. Security Intelligence Feeds
Answer: B - Local Malware Analysis allows Cisco FTD to perform malware detection without cloud dependency, making it ideal for resource-constrained environments.
129
Why is Local Malware Analysis the preferred option for Cisco FTD devices with limited resources instead of Threat Grid integration?
Threat Grid requires cloud access for sandboxing, which consumes bandwidth and processing time. Local Malware Analysis allows the firewall to analyze threats locally, reducing dependency on external services.
130
A Cisco IPS is connected to a switch, but the connection drops when an interface goes down. What is the most likely cause?

A. The IPS is using an inline pair configuration without fail-open settings
B. The switch’s STP configuration is blocking the IPS connection
C. The IPS is configured with link-state propagation
D. The IPS is using an invalid VLAN configuration
Answer: C - Link-state propagation ensures that when one link fails, the IPS propagates the failure, causing the switch to drop the connection.
131
Explain how Link-State Propagation (LSP) works using an analogy.
Link-State Propagation is like a row of dominoes—if one falls (a link goes down), the rest fall too (other connected devices shut down their ports) to prevent communication failures from going unnoticed.
132
Which Cisco Threat Response API allows automated synchronization of domain blocklists between Cisco FMC and Cisco Umbrella?

A. Cisco SecureX API
B. Investigate API
C. Enforcement API
D. Eventing API
Answer: C - The Enforcement API allows Cisco Threat Response to synchronize domain blocklists with Cisco Umbrella.
133
What Cisco Threat Response API is used to synchronize blocked domains with Cisco Umbrella?
The Enforcement API enables automated domain block synchronization between Cisco Threat Response and Cisco Umbrella.
134
A company wants to block malicious URLs in Cisco FMC without performing SSL decryption. How should the URL object be defined?

A. Use the FQDN of the site
B. Use the full HTTPS URL including the path
C. Use the Subject Common Name (CN) from the site’s SSL certificate
D. Use an IP address-based rule
Answer: C - The Subject Common Name (CN) from the SSL certificate allows filtering without requiring SSL decryption.
135
Why is it necessary to use the Subject Common Name (CN) from an SSL certificate instead of the FQDN when defining a URL object in Cisco FMC without SSL decryption?
Because HTTPS traffic is encrypted, Cisco FMC cannot see the full URL. The CN from the SSL certificate is visible during the handshake, allowing filtering without decrypting the traffic.
136
A network engineer needs to configure a backup NAT rule in Cisco FTD that activates only if the primary NAT translation fails. What feature should be enabled?

A. NAT Rule Failover
B. Dynamic NAT Rule Priority
C. Fallback to Interface PAT
D. Auto NAT Failover
Answer: C - Fallback to Interface PAT allows traffic to use Port Address Translation (PAT) automatically if the primary NAT pool is exhausted.
137
Why is it important to configure Fallback to Interface PAT when setting up NAT in Cisco FTD? How does it activate when the primary NAT fails?
Fallback to Interface PAT prevents NAT exhaustion by automatically switching to PAT when the primary NAT pool runs out of addresses. This ensures continuous connectivity without manual intervention.
138
An administrator suspects that a Cisco FTD device is not processing security events in real time. What is the best way to confirm this in Cisco FMC?

A. Check the System Health dashboard
B. Run the "show events" command in the CLI
C. Monitor the Connection Events in Cisco FMC
D. Enable Security Intelligence logging
Answer: C - Monitoring Connection Events in Cisco FMC allows real-time verification of traffic processing and security enforcement.
139
Which Cisco FMC tool should be used to confirm whether a Cisco FTD is processing events in real time?
Use Connection Events in Cisco FMC to monitor real-time security event processing.
140
An engineer needs to configure failover in a Cisco FTD cluster. What is the correct order of steps to ensure a smooth failover setup?

A. Enable clustering in FMC → Assign a priority to each unit → Configure state synchronization → Deploy the cluster
B. Configure state synchronization → Enable clustering in FMC → Assign failover roles → Deploy the cluster
C. Assign failover roles → Configure clustering settings → Enable stateful failover → Deploy the cluster
D. Enable clustering in FMC → Configure state synchronization → Assign failover roles → Deploy the cluster
Answer: A - Enabling clustering in FMC first ensures that the devices can be configured correctly before setting up failover priorities and state synchronization.
141
A company is setting up failover in a Cisco FTD cluster. Complete the correct order of configuration steps:

step 1: Enable clustering in FMC
step 2: ________________
step 3: Assign a priority to each unit
step 4: Configure state synchronization
step 5: Deploy the cluster
step 2: Configure failover roles and cluster settings before assigning unit priorities.
142
A company wants to filter traffic based on application categories rather than manually defining ports and protocols. Which feature in Cisco FMC should be used?

A. Application Detector
B. Security Intelligence Feeds
C. Access Control Policy with Application Filtering
D. Intrusion Policy Rules
Answer: C - Access Control Policies with Application Filtering allow administrators to classify and filter traffic based on application categories instead of manual port definitions.
143
Explain how Application Filtering in Cisco FMC works using an analogy.
Application Filtering is like office access control—instead of checking everyone's ID manually, security grants or denies access based on employee roles (categories), making management easier.
144
An organization wants to block traffic between hosts on the same VLAN without using traditional ACLs. Which Cisco Firepower feature should be used?

A. Access Control Policies
B. VLAN Grouping Policy
C. Security Zones
D. Private VLANs
Answer: D - Private VLANs allow segmentation within the same VLAN, blocking communication between specific hosts without using ACLs.
145
Which Cisco Firepower feature allows blocking host-to-host communication within a VLAN without ACLs?
Private VLANs (PVLANs) enable segmentation within the same VLAN, preventing direct host communication without ACLs.
146
An administrator suspects that a Cisco FTD access control policy is not being applied correctly to traffic. What is the best way to verify this?

A. Check the FMC system logs for policy deployment errors
B. Monitor the Connection Events in Cisco FMC
C. Run a packet capture on the FTD CLI
D. Check the System Health dashboard in FMC
Answer: B - Monitoring Connection Events in Cisco FMC allows administrators to verify which rules are being applied to traffic in real time.
147
What tool in Cisco FMC should be used to confirm whether an access control policy is correctly applied to traffic?
Use Connection Events in Cisco FMC to verify if traffic is being matched to the expected policy rules.
148
A company wants to configure NAT in Cisco FTD to handle multiple public IP addresses and distribute traffic dynamically among them. What NAT type should be used?

A. Static NAT
B. Dynamic NAT with a PAT fallback
C. Identity NAT
D. Dynamic Manual NAT with multiple mapped addresses
Answer: B - Dynamic NAT with PAT fallback allows multiple public IP addresses to be used, ensuring seamless translation even if the primary NAT pool is exhausted.
149
Why is Dynamic NAT with PAT fallback preferred when configuring NAT with multiple public IP addresses in Cisco FTD?
Because Dynamic NAT allows public IP rotation, while PAT fallback ensures that connections still work if the NAT pool runs out of addresses, preventing connection failures.
150
Which authentication method provides the most secure access to Cisco FMC?

A. Local username and password
B. RADIUS authentication
C. LDAP with Active Directory
D. Two-factor authentication (2FA) with TACACS+
Answer: D - Two-factor authentication (2FA) with TACACS+ adds an extra security layer by requiring both credentials and a secondary authentication factor.
151
Explain why Two-Factor Authentication (2FA) with TACACS+ is the most secure authentication method using an analogy.
2FA with TACACS+ is like having both a keycard and a fingerprint scanner to access a high-security room. Even if someone steals your keycard (password), they still need your biometric authentication (2FA) to enter.
152
An administrator wants to monitor failed login attempts to Cisco FMC. Where should they check?

A. Connection Events in FMC
B. Security Intelligence logs
C. Audit Logs in FMC
D. Packet Captures on the FTD CLI
Answer: C - Audit Logs in Cisco FMC record all authentication attempts, including failed login attempts.
153
Where in Cisco FMC can an administrator check for failed login attempts?
Audit Logs in FMC record all authentication attempts, including failed logins.
154
An engineer is configuring new inspection rules in Cisco Firepower but wants to ensure that they do not impact live network traffic. What is the best approach?

A. Deploy the rules in "Monitor Only" mode first
B. Use an Intrusion Policy with a low-priority rating
C. Create duplicate policies and enable only one at a time
D. Manually adjust the rule severity after deployment
Answer: A - Deploying rules in Monitor Only mode allows testing without actively blocking traffic, ensuring they function correctly before full deployment.
155
A network engineer needs to deploy new inspection rules in Cisco Firepower without impacting production traffic. Complete the steps:

step 1: Create the inspection rules in Cisco FMC
step 2: ________________
step 3: Monitor rule behavior in Connection Events
step 4: Enable full enforcement once testing is complete
step 2: Set the rules to "Monitor Only" mode to observe their impact without affecting production traffic.
156
An engineer is setting up High Availability (HA) on two Cisco FTD devices to ensure redundancy. What is the correct sequence of steps to configure HA in Cisco FMC?

A. Configure failover settings → Assign primary and secondary roles → Enable synchronization → Deploy the HA configuration
B. Enable HA in FMC → Configure failover settings → Assign active/standby roles → Synchronize configuration
C. Assign primary and secondary roles → Enable synchronization → Configure failover settings → Deploy the HA configuration
D. Enable HA in FMC → Assign failover roles → Deploy configuration → Enable stateful failover
Answer: B - The correct sequence is Enable HA in FMC → Configure failover settings → Assign active/standby roles → Synchronize configuration.
157
An engineer is setting up High Availability (HA) in Cisco FTD. Complete the setup steps:

step 1: ________________
step 2: Configure failover settings
step 3: Assign active/standby roles
step 4: Synchronize configuration
step 1: Enable HA in Cisco FMC to start the setup.
158
An administrator suspects that a Security Intelligence rule is blocking certain traffic in Cisco FMC. Where can the blocked traffic logs be reviewed?

A. Intrusion Events
B. Security Intelligence Events
C. Connection Events
D. Packet Captures in CLI
Answer: B - Security Intelligence Events display traffic that has been explicitly blocked by Security Intelligence rules.
159
Where in Cisco FMC can an administrator check logs to confirm that Security Intelligence is blocking specific traffic?
Check the Security Intelligence Events section in Cisco FMC.
160
A company wants to ensure business-critical applications receive priority over non-essential traffic on a Cisco FTD device. What should be configured?

A. Security Intelligence Feeds
B. Quality of Service (QoS) Policy
C. Application Visibility & Control (AVC)
D. Adaptive Security Policy
Answer: B - Quality of Service (QoS) policies allow prioritization of critical traffic, ensuring optimal performance for essential applications.
161
Why is configuring QoS Policies on Cisco FTD important for prioritizing business-critical applications?
QoS policies ensure that high-priority traffic (e.g., VoIP, business applications) is allocated more bandwidth, preventing network congestion from affecting critical services.
162
A company wants to apply Access Control Policies based on user identity instead of only IP addresses. What should they configure in Cisco FMC?

A. Security Intelligence Policies
B. Identity-based Access Control
C. Application Filtering Policies
D. User Mapping in LDAP Directory
Answer: B - Identity-based Access Control allows user-level access control instead of traditional IP-based rules.
163
Explain how Identity-based Access Control in Cisco FMC works using an analogy.
Identity-based Access Control is like a company’s keycard system—instead of allowing entry based on where someone comes from (IP address), it allows or denies access based on who they are (user identity).
164
An engineer needs to configure Cisco FMC to detect suspicious traffic patterns using event sensors. Which feature should be enabled?

A. Correlation Policies
B. Security Intelligence Feeds
C. Intrusion Policy Events
D. NetFlow Analysis
Answer: A - Correlation Policies in Cisco FMC allow real-time detection of traffic anomalies based on pre-defined security rules.
165
Which Cisco FMC feature allows an engineer to configure event sensors for detecting suspicious traffic patterns?
Correlation Policies in Cisco FMC enable real-time event analysis for detecting suspicious activities.
166