ExamTopics 300-710 Flashcards
What is the result of enabling Cisco FTD clustering?
A. For the dynamic routing feature, if the master unit fails, the newly elected master unit maintains all existing connections.
B. Integrated Routing and Bridging is supported on the master unit.
C. Site-to-site VPN functionality is limited to the master unit, and all VPN connections are dropped if the master unit fails.
D. All Firepower appliances support Cisco FTD clustering.
C. Site-to-site VPN functionality is limited to the master unit, and all VPN connections are dropped if the master unit fails.
Verified
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/clustering_for_the_firepower_threat_defense.html
Remote access VPN is not supported with clustering.
VPN functionality is limited to the control unit and does not take advantage of the cluster high availability capabilities. If the control unit fails, all existing VPN connections are lost, and VPN users will see a disruption in service. When a new control unit is elected, you must reestablish the VPN connections.
Which two conditions are necessary for high availability to function between two Cisco FTD devices? (Choose two.)
A. The units must be the same version
B. Both devices can be part of a different group that must be in the same domain when configured within the FMC.
C. The units must be different models if they are part of the same series.
D. The units must be configured only for firewall routed mode.
E. The units must be the same model.
A. The units must be the same version
E. The units must be the same model.
Reference:
https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html
On the advanced tab under inline set properties, which allows interfaces to emulate a passive interface?
A. transparent inline mode
B. TAP mode
C. strict TCP enforcement
D. propagate link state
B. TAP mode
Tap mode is the right answer. Link state propagation automatically brings down the second interface in the inline interface pair when one of the interfaces in an inline set goes down.
https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html
With tap mode, the FTD is deployed inline, but the network traffic flow is undisturbed.
https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/interface_overview_for_firepower_threat_defense.html#concept_DB45E8BBB07946728427FF98DB2DC56D
What are the minimum requirements to deploy a managed device inline?
A. inline interfaces, security zones, MTU, and mode
B. passive interface, MTU, and mode
C. inline interfaces, MTU, and mode
D. passive interface, security zone, MTU, and mode
C. inline interfaces, MTU, and mode
Verified
- You must assign a pair of inline interfaces to an inline set before they can handle traffic in an inline deployment.
- The maximum transmission unit for the inline set. The range of MTU values can vary depending on the model of the managed device and the interface type.
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/ips_device_deployments_and_configuration.html
C. A security zone on the interface is not required to add an inline pair. The GUI will tell you, when you add the interfaces as a pair, that it will remove any existing zone.
What is the difference between an inline and inline tap on Cisco Firepower?
A. Inline tap mode can send a copy of the traffic to another device.
B. Inline tap mode does full packet capture.
C. Inline mode cannot do SSL decryption.
D. Inline mode can drop malicious traffic.
D. Inline mode can drop malicious traffic.
Verified
“A threat defense in inline interface mode can block unintended traffic while it remains invisible to the network hosts. Inline mode allows a threat defense to block traffic based on the access control and intrusion rules you enable.”
Inline tap copies the data to the Snort engine to be checked and then discards the copy, while the actual data flow continues uninterrupted. Therefore inline tap does not send traffic to another device. The data is copied but not captured; you would still need to enable packet capture to capture packets (Save PCAP).
The difference between inline and inline tap on Cisco Firepower is:
D. Inline mode can drop malicious traffic¹²³⁴⁵.
In inline mode, all traffic passes through the Firepower Threat Defense (FTD) and traffic can be dropped¹²³⁴⁵. This mode allows the FTD to actively block or shape traffic¹²³⁴⁵.
On the other hand, in inline tap mode, the FTD is deployed inline, but the network traffic flow is undisturbed¹²³⁴⁵. Instead, the FTD makes a copy of each packet so that it can analyze the packets¹²³⁴⁵. However, in inline tap mode, it is not possible to drop intrusions and they will be just alerted³.
Source: Conversation with Bing, 12/8/2023
(1) Firepower Management Center Configuration Guide, Version 6.0.1 - Inline …. https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v601_chapter_01110010.html.
(2) Firepower Management Center Configuration Guide, Version 6.5. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html.
(3) 22. Cisco Firepower Deployment Modes - RAYKA. https://rayka-co.com/lesson/cisco-firepower-deployment-modes/.
(4) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-ifcs-ips.html.
(5) Firepower Threat Defense - brdige or inline? - Cisco Community. https://community.cisco.com/t5/network-security/firepower-threat-defense-brdige-or-inline/td-p/4177794.
With Cisco FTD software, which interface mode must be configured to passively receive traffic that passes through the appliance?
A. inline set
B. passive
C. routed
D. inline tap
B. passive
Verified
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/interface_overview_for_firepower_threat_defense.html
Passive or ERSPAN Passive—Passive interfaces monitor traffic flowing across a network using a switch SPAN or mirror port. The SPAN or mirror port allows for traffic to be copied from other ports on the switch. This function provides the system visibility within the network without being in the flow of network traffic. When you configure the FTD in a passive deployment, the FTD cannot take certain actions such as blocking or shaping traffic. Passive interfaces receive all traffic unconditionally, and no traffic received on these interfaces is retransmitted. Encapsulated remote switched port analyzer (ERSPAN) interfaces allow you to monitor traffic from source ports distributed over multiple switches, and use GRE to encapsulate the traffic. ERSPAN interfaces are only allowed when the FTD is in routed firewall mode.
Passive is the correct answer; think about it like this: in passive mode the FTD acts as an IDS, it detects but cannot do anything else, because it only receives a copy of the traffic. Inline mode, on the other hand, is IPS: it detects and prevents.
Which two deployment types support high availability? (Choose two.)
A. transparent
B. routed
C. clustered
D. intra-chassis multi-instance
E. virtual appliance in public cloud
B. routed
D. intra-chassis multi-instance
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/firepower_threat_defense_high_availability.html
Which protocol establishes network redundancy in a switched Firepower device deployment?
A. STP
B. HSRP
C. GLBP
D. VRRP
A. STP
Switched Deployment Redundancy: You establish redundancy in a switched deployment using the Spanning Tree Protocol (STP), one of the advanced virtual switch settings. STP is a protocol that manages the topology of bridged networks. It is specifically designed to allow redundant links to provide automatic backup for switched interfaces without configuring backup links. Devices in a switched deployment rely on STP to manage traffic between redundant interfaces. Two devices connected to the same broadcast network receive traffic based on the topology calculated by STP.
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_threat_defense_high_availability.html
Which interface type allows packets to be dropped?
A. passive
B. inline
C. ERSPAN
D. TAP
B. inline
Verified
Reference:
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200908-configuring-firepower-threat-defense-int.html
With Cisco Firepower Threat Defense, which two interface settings are required when configuring a routed interface? (Choose two.)
A. Redundant Interface
B. EtherChannel
C. Speed
D. Media Type
E. Duplex
C. Speed
E. Duplex
Verified
Step 6
(Physical interface only.) Modify the speed and duplex settings.
The default is that the interface negotiates the best duplex and speed with the interface at the other end of the wire, but you can force a specific duplex or speed if necessary. Before setting these options for interfaces on a network module, please read Limitations for Interface Configuration.
Duplex—Choose Auto, Half, or Full. Auto is the default.
Speed—Choose 10, 100, 1000 Mbps, or Auto. Auto is the default.
Limitations for Interface Configuration
You cannot configure EtherChannel or redundant interfaces.
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/610/fdm/fptd-fdm-config-guide-610/fptd-fdm-interfaces.html
Which two dynamic routing protocols are supported in Cisco FTD without using FlexConfig? (Choose two.)
A. EIGRP
B. OSPF
C. static routing
D. IS-IS
E. BGP
B. OSPF
E. BGP
Verified from our own FMC
https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/virtual-routing-for-firepower-threat-defense.html
Which policy rule is included in the deployment of a local DMZ during the initial deployment of a Cisco NGFW through the Cisco FMC GUI?
A. a default DMZ policy for which only a user can change the IP addresses.
B. deny ip any
C. no policy rule is included
D. permit ip any
C. no policy rule is included
Verified
What are two application layer preprocessors? (Choose two.)
A. CIFS
B. IMAP
C. SSL
D. DNP3
E. ICMP
B. IMAP
C. SSL
Verified
The following topics explain application layer preprocessors and how to configure them:
Introduction to Application Layer Preprocessors
- The DCE/RPC Preprocessor
- The DNS Preprocessor
- The FTP/Telnet Decoder
- The HTTP Inspect Preprocessor
- The Sun RPC Preprocessor
- The SIP Preprocessor
- The GTP Preprocessor
- The IMAP Preprocessor
- The POP Preprocessor
- The SMTP Preprocessor
- The SSH Preprocessor
- The SSL Preprocessor
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Application_Layer_Preprocessors.html
An engineer is implementing Cisco FTD in the network and is determining which Firepower mode to use. The organization needs to have multiple virtual Firepower devices working separately inside of the FTD appliance to provide traffic segmentation. Which deployment mode should be configured in the Cisco Firepower Management Console to support these requirements?
A. multi-instance
B. multiple deployment
C. single deployment
D. single-context
A. multi-instance
Verified
About Multi-Instance Capability
The Firepower chassis includes a supervisor and up to three security modules on which you can install logical devices. A logical device lets you run one application instance (Firepower Threat Defense or ASA). When you add a logical device, you also define the application instance type and version, assign interfaces, and configure bootstrap settings that are pushed to the application configuration. The application type determines whether you can run a single instance (native) or multiple instances (container).
Multi-instance capability is similar to ASA multiple context mode, although the implementation is different. Multiple context mode partitions a single application instance, while multi-instance capability allows independent container instances. Container instances allow hard resource separation, separate configuration management, separate reloads, separate software updates, and full Firepower Threat Defense feature support. Multiple context mode, due to shared resources, supports more contexts on a given platform. Multiple context mode is not available on the Firepower Threat Defense.
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/multi-instance/multi-instance_solution.html#concept_vc4_2lh_3hb
A network engineer is extending a user segment through an FTD device for traffic inspection without creating another IP subnet. How is this accomplished on an FTD device in routed mode?
A. by assigning an inline set interface
B. by using a BVI and creating a BVI IP address in the same subnet as the user segment
C. by leveraging the ARP to direct traffic through the firewall
D. by bypassing protocol inspection by leveraging pre-filter rules
B. by using a BVI and creating a BVI IP address in the same subnet as the user segment
Strongly supported in the community but needs verification
An engineer is configuring a Cisco FTD appliance in IPS-only mode and needs to utilize fail-to-wire interfaces. Which interface mode should be used to meet these requirements?
A. passive
B. routed
C. transparent
D. inline set
D. inline set
Verified
Link state propagation automatically brings down the second interface in the inline interface pair when one of the interfaces in an inline set goes down. When the downed interface comes back up, the second interface automatically comes back up, also. In other words, if the link state of one interface changes, the device senses the change and updates the link state of the other interface to match it. Note that devices require up to 4 seconds to propagate link state changes. Link state propagation is especially useful in resilient network environments where routers are configured to reroute traffic automatically around network devices that are in a failure state.
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html
An organization has noticed that malware was downloaded from a website that does not currently have a known bad reputation. How will this issue be addressed globally in the quickest way possible and with the least amount of impact?
A. by creating a URL object in the policy to block the website.
B. Cisco Talos will automatically update the policies.
C. by denying outbound web access
D. by isolating the endpoint
A. by creating a URL object in the policy to block the website.
Verified
The event dashboard within the Cisco FMC has been inundated with low priority intrusion drop events, which are overshadowing high priority events. An engineer has been tasked with reviewing the policies and reducing the low priority events. Which action should be configured to accomplish this task?
A. drop packet
B. generate events
C. drop connection
D. drop and generate
D. drop and generate
Verified
The answer key gives D. Note first that two of the choices do not correspond to anything an intrusion rule can be set to: in a Snort 2 intrusion policy on the FMC, the rule states are Generate Events, Drop and Generate Events, and Disable. There is no per-rule "drop packet" or "drop connection" state, and a rule that drops always generates an event along with the drop. Of the choices that name a real rule state, Drop and Generate Events keeps the protective drop in place for the low-priority rules, which is why D is the flashcard answer; plain Generate Events would keep logging the same events while removing the block.
What actually reduces the volume of low-priority events in the dashboard is event thresholding or suppression on the noisy rules (or disabling rules you do not need). A threshold limits how often the system logs an event for a given rule and tracked source or destination within a time window; suppression stops logging for a rule or address entirely. Neither changes the rule's drop action, so the traffic is still blocked but no longer buries the high-priority events.
In summary, the correct answer is D, drop and generate.
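The thresholding mentioned above is the practical control for this scenario, so here is an added example (not Cisco's code and not from the original page) that implements the three documented Snort/FMC threshold types, limit, threshold and both, tracked by source or destination address, and runs them over a constructed event stream: a noisy low-priority rule firing every 10 seconds from one host, plus a high-priority rule with no threshold. The rule IDs, addresses and timestamps are invented for the illustration.

```python
"""Snort/FMC-style intrusion event thresholding over a constructed event stream.

Added example, not Cisco code.  Semantics follow the documented threshold types:
  limit      log the first `count` events per `seconds` window, then ignore
  threshold  log every `count`-th event within the window
  both       log once per window, once `count` events have been seen
Tracking is by_src or by_dst.  Thresholds only affect logging; in an inline
deployment the rule's Drop and Generate action still applies to every packet.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Threshold:
    gid: int
    sid: int
    kind: str      # "limit", "threshold" or "both"
    track: str     # "by_src" or "by_dst"
    count: int
    seconds: int


class Thresholder:
    def __init__(self, thresholds):
        self.thresholds = {(t.gid, t.sid): t for t in thresholds}
        # (gid, sid, tracked address) -> [window_start, events_seen_in_window]
        self.state = {}

    def should_log(self, gid, sid, src, dst, ts):
        """Return True if this event should be logged, False if it is held back."""
        th = self.thresholds.get((gid, sid))
        if th is None:
            return True                      # no threshold: always log
        key = (gid, sid, src if th.track == "by_src" else dst)
        window = self.state.get(key)
        if window is None or ts - window[0] >= th.seconds:
            window = [ts, 0]                 # first event opens a new window
            self.state[key] = window
        window[1] += 1
        n = window[1]
        if th.kind == "limit":
            return n <= th.count
        if th.kind == "threshold":
            return n % th.count == 0
        if th.kind == "both":
            return n == th.count
        raise ValueError(f"unknown threshold type {th.kind!r}")


# Constructed stream: (gid, sid, src, dst, timestamp in seconds).
NOISY_SID = 2000001      # low-priority rule, fires every 10 s from one host
CRITICAL_SID = 2000002   # high-priority rule, no threshold configured
NOISY = [(1, NOISY_SID, "10.1.1.5", "10.2.2.10", t) for t in range(0, 120, 10)]
CRITICAL = [(1, CRITICAL_SID, "10.1.1.9", "10.2.2.10", t) for t in (5, 65)]


def demo(kind, count, seconds):
    """Apply one threshold to the noisy rule; return logged timestamps per sid."""
    th = Thresholder([Threshold(1, NOISY_SID, kind, "by_src", count, seconds)])
    stream = sorted(NOISY + CRITICAL, key=lambda e: e[4])
    logged = defaultdict(list)
    for gid, sid, src, dst, ts in stream:
        if th.should_log(gid, sid, src, dst, ts):
            logged[sid].append(ts)
    return dict(logged)


if __name__ == "__main__":
    for kind, count in (("limit", 1), ("threshold", 3), ("both", 3)):
        print(f"{kind:9} count={count} seconds=60 ->", demo(kind, count, 60))
```

With `limit 1 60` the twelve noisy events collapse to one per minute while both critical events are still logged; `threshold 3 60` logs every third hit, and `both 3 60` logs a single event per window once three hits have been seen. Suppression is the degenerate case of never logging the rule for a tracked address.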
With Cisco FTD integrated routing and bridging, which interface does the bridge group use to communicate with a routed interface?
A. subinterface
B. switch virtual
C. bridge virtual
D. bridge group member
C. bridge virtual
Verified
With Integrated Routing and Bridging, you can use a “bridge group” where you group together multiple interfaces on a network, and the Firepower Threat Defense device uses bridging techniques to pass traffic between the interfaces. Each bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network. The Firepower Threat Defense device routes between BVIs and regular routed interfaces. If you do not need clustering or EtherChannel member interfaces, you might consider using routed mode instead of transparent mode. In routed mode, you can have one or more isolated bridge groups like in transparent mode, but also have normal routed interfaces as well for a mixed deployment.
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html
An engineer is setting up a new Firepower deployment and is looking at the default FMC policies to start the implementation. During the initial trial phase, the organization wants to test some common Snort rules while still allowing the majority of network traffic to pass. Which default policy should be used?
A. Balanced Security and Connectivity
B. Security Over Connectivity
C. Maximum Detection
D. Connectivity Over Security
D. Connectivity Over Security
Verified
An engineer is configuring a second Cisco FMC as a standby device but is unable to register with the active unit. What is causing this issue?
A. The code versions running on the Cisco FMC devices are different.
B. The licensing purchased does not include high availability.
C. The primary FMC currently has devices connected to it.
D. There is only 10 Mbps of bandwidth between the two devices.
A. The code versions running on the Cisco FMC devices are different.
Verified
While configuring FTD, a network engineer wants to ensure that traffic passing through the appliance does not require routing or VLAN rewriting. Which interface mode should the engineer implement to accomplish this task?
A. inline set
B. passive
C. transparent
D. inline tap
A. inline set
Verified
Inline Set, with optional Tap mode—An inline set acts like a bump on the wire, and binds two interfaces together to slot into an existing network. This function allows the FTD to be installed in any network environment without the configuration of adjacent network devices. Inline interfaces receive all traffic unconditionally, but all traffic received on these interfaces is retransmitted out of an inline set unless explicitly dropped.
A mid-sized company is experiencing higher network bandwidth utilization due to a recent acquisition. The network operations team is asked to scale up their one Cisco FTD appliance deployment to higher capacities due to the increased network bandwidth. Which design option should be used to accomplish this goal?
A. Deploy multiple Cisco FTD HA pairs in clustering mode to increase performance.
B. Deploy multiple Cisco FTD appliances in firewall clustering mode to increase performance.
C. Deploy multiple Cisco FTD appliances using VPN load-balancing to scale performance.
D. Deploy multiple Cisco FTD HA pairs to increase performance.
B. Deploy multiple Cisco FTD appliances in firewall clustering mode to increase performance.
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/clustering/ftd-cluster-solution.html#concept_C8502505F840451C9E600F1EED9BC18E
In a multi-tenant deployment where multiple domains are in use, which update should be applied outside of the Global Domain?
A. minor upgrade
B. local import of intrusion rules
C. Cisco Geolocation Database
D. local import of major upgrade
B. local import of intrusion rules
Verified
In a multidomain deployment, you can import local intrusion rules in any domain. You can view local intrusion rules imported in the current domain and ancestor domains.
An organization has a compliance requirement to protect servers from clients, however, the clients and servers all reside on the same Layer 3 network. Without readdressing IP subnets for clients or servers, how is segmentation achieved?
A. Change the IP addresses of the servers, while remaining on the same subnet.
B. Deploy a firewall in routed mode between the clients and servers.
C. Change the IP addresses of the clients, while remaining on the same subnet.
D. Deploy a firewall in transparent mode between the clients and servers.
D. Deploy a firewall in transparent mode between the clients and servers.
Verified
Network traffic coming from an organization’s CEO must never be denied. Which access control policy configuration option should be used if the deployment engineer is not permitted to create a rule to allow all traffic?
A. Change the intrusion policy from security to balance.
B. Configure a trust policy for the CEO.
C. Configure firewall bypass.
D. Create a NAT policy just for the CEO.
B. Configure a trust policy for the CEO.
Verified
What is a characteristic of bridge groups on a Cisco FTD?
A. In routed firewall mode, routing between bridge groups is supported.
B. Routing between bridge groups is achieved only with a router-on-a-stick configuration on a connected router.
C. In routed firewall mode, routing between bridge groups must pass through a routed interface.
D. In transparent firewall mode, routing between bridge groups is supported.
A. In routed firewall mode, routing between bridge groups is supported.
Verified
In routed mode: The BVI acts as the gateway between the bridge group and other routed interfaces. To route between bridge groups/routed interfaces, you must name the BVI. For some interface-based features, you can use the BVI itself. https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/intro-fw.pdf
A Cisco FTD device is running in transparent firewall mode with a VTEP bridge group member ingress interface. What must be considered by an engineer tasked with specifying a destination MAC address for a packet trace?
A. The output format option for the packet logs is unavailable.
B. Only the UDP packet type is supported.
C. The destination MAC address is optional if a VLAN ID value is entered.
D. The VLAN ID and destination MAC address are optional.
C. The destination MAC address is optional if a VLAN ID value is entered.
Verified
Specify a Destination MAC Address for the packet trace.
If the Firepower Threat Defense device is running in transparent firewall mode, and the ingress interface is VTEP, Destination MAC Address is required if you enter a value in VLAN ID. Whereas if the interface is a bridge group member, Destination MAC Address is optional if you enter a VLAN ID value, but required if you do not enter a VLAN ID value.
https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/troubleshooting_the_system.html
With Cisco FTD software, which interface mode must be configured to passively receive traffic that passes through the appliance?
A. ERSPAN
B. firewall
C. tap
D. IPS-only
D. IPS-only
Verified
With an IPS-only inline set in tap mode, the traffic passes through the appliance and a copy is inspected. With ERSPAN, the traffic does not pass through the appliance; it is mirrored from switches elsewhere in the network and delivered over GRE.
IPS-only interfaces can be deployed as the following types:
Inline Set, with optional Tap mode—An inline set acts like a bump on the wire, and binds two interfaces together to slot into an existing network. This function allows the FTD to be installed in any network environment without the configuration of adjacent network devices. Inline interfaces receive all traffic unconditionally, but all traffic received on these interfaces is retransmitted out of an inline set unless explicitly dropped.
With tap mode, the FTD is deployed inline, but the network traffic flow is undisturbed. Instead, the FTD makes a copy of each packet so that it can analyze the packets. Note that rules of these types do generate intrusion events when they are triggered, and the table view of intrusion events indicates that the triggering packets would have dropped in an inline deployment. There are benefits to using tap mode with FTDs that are deployed inline. For example, you can set up the cabling between the FTD and the network as if the FTD were inline and analyze the kinds of intrusion events the FTD generates. Based on the results, you can modify your intrusion policy and add the drop rules that best protect your network without impacting its efficiency. When you are ready to deploy the FTD inline, you can disable tap mode and begin dropping suspicious traffic without having to reconfigure the cabling between the FTD and the network.
Why it is not A (ERSPAN):
The SPAN or mirror port allows for traffic to be copied from other ports on the switch. This function provides the system visibility within the network without being in the flow of network traffic.
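The inline versus inline tap question earlier on this page and the IPS-only question here turn on the same two differences: whether the appliance ever retransmits the packet, and whether a drop verdict from the Snort engine actually takes effect. The following is an added example, not Cisco code and not from the original page, that models the three IPS-only behaviours (passive, inline set with tap mode, inline set) against a toy two-rule intrusion policy and three constructed packets. The rule IDs, patterns, addresses and payloads are invented for the illustration.

```python
"""Toy model of FTD IPS-only interface modes and what a Snort verdict can do.

Added example, not Cisco code.  Three modes:
  passive     receives a SPAN copy; never retransmits; cannot drop
  inline_tap  in the path; forwards every packet unchanged; a copy is inspected
  inline      in the path; forwards unless the engine's verdict is drop
A drop verdict that the mode cannot enforce is recorded as "would_have_dropped",
which is how the FMC intrusion event table reports it for passive and tap.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class Event:
    rule: str
    action: str   # "alert", "drop" or "would_have_dropped"
    src: str
    dst: str


# Constructed stand-in for an intrusion policy: rule id -> (content, rule state).
# Rule states mirror the FMC choices Generate Events / Drop and Generate Events.
RULES = {
    "1:1000001": (b"cmd.exe", "drop_generate"),
    "1:1000002": (b"UNION SELECT", "generate"),
}

MODES = ("passive", "inline_tap", "inline")


def inspect(pkt):
    """Return the engine verdict ('pass', 'alert' or 'drop') and the matching rule."""
    for rid, (content, state) in RULES.items():
        if content in pkt.payload:
            return ("drop" if state == "drop_generate" else "alert"), rid
    return "pass", None


def process(mode, pkt, events, egress):
    """Run one packet through the engine and apply the mode's forwarding rules."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    verdict, rid = inspect(pkt)
    if verdict == "drop":
        # Only a true inline set can enforce the drop.
        action = "drop" if mode == "inline" else "would_have_dropped"
        events.append(Event(rid, action, pkt.src, pkt.dst))
    elif verdict == "alert":
        events.append(Event(rid, "alert", pkt.src, pkt.dst))
    if mode == "passive":
        return                       # mirrored copy; nothing is ever retransmitted
    if mode == "inline_tap" or verdict != "drop":
        egress.append(pkt)           # tap: flow undisturbed; inline: unless dropped


def run(mode, packets):
    events, egress = [], []
    for pkt in packets:
        process(mode, pkt, events, egress)
    return events, egress


# Constructed sample traffic: one clean request, one alert-only match, one drop match.
SAMPLE = [
    Packet("10.1.1.5", "10.2.2.10", b"GET /index.html HTTP/1.1"),
    Packet("10.1.1.5", "10.2.2.10", b"GET /?q=1 UNION SELECT 1,2 HTTP/1.1"),
    Packet("10.1.1.7", "10.2.2.10", b"POST /upload cmd.exe /c whoami"),
]


def summary(mode):
    """Packets that left the appliance and the event actions the mode produced."""
    events, egress = run(mode, SAMPLE)
    return {"forwarded": len(egress), "actions": [e.action for e in events]}


if __name__ == "__main__":
    for m in MODES:
        print(f"{m:10}", summary(m))
```

Reading the output side by side shows the point of both questions: passive and tap produce the same events (the drop is only reported as "would have dropped"), but passive forwards nothing while tap forwards everything; inline is the only mode where the forwarded count falls because the drop verdict is enforced.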
An engineer is monitoring network traffic from their sales and product development departments, which are on two separate networks. What must be configured in order to maintain data privacy for both departments?
A. Use passive IDS ports for both departments.
B. Use a dedicated IPS inline set for each department to maintain traffic separation.
C. Use 802.1Q inline set Trunk interfaces with VLANs to maintain logical traffic separation.
D. Use one pair of inline set in TAP mode for both departments.
B. Use a dedicated IPS inline set for each department to maintain traffic separation.
netwguy
9 months, 2 weeks ago
The phrasing of answer D is terrible. “Use one pair of inline set in TAP mode for both departments”. If what is meant is a dedicated pair for each department (two pairs, 4 interfaces), then Answer D is a correct answer (tap for monitoring). If what is meant is only one pair for both networks, then answer D is incorrect, and Answer B more appropriate. Also, note that by “dedicated IPS inline set”, what is meant is likely IPS-only, which makes sense for monitoring as well. I will be answering B if this one pops up.
cryptofetti
9 months, 2 weeks ago
Key word here is “monitoring” -> going w/ B here
Bobster02
11 months, 2 weeks ago
I am still convinced that B is a correct answer: Guidelines for Inline Sets and Passive Interfaces General Guidelines Inline sets and passive interfaces support physical interfaces and EtherChannels only, and cannot use redundant interfaces, VLANs, and so on. Firepower 4100/9300 subinterfaces are also not supported for IPS-only interfaces. For inline sets and passive interfaces, the FTD supports up to two 802.1Q headers in a packet (also known as Q-in-Q support), with the exception of the Firepower 4100/9300, which only supports one 802.1Q header. Note: Firewall-type interfaces do not support Q-in-Q, and only support one 802.1Q header.
A hospital network needs to upgrade its Cisco FMC-managed devices and needs to ensure that a disaster recovery process is in place. What must be done in order to minimize downtime on the network?
A. Configure a second circuit to an ISP for added redundancy.
B. Keep a copy of the current configuration to use as a backup.
C. Configure the Cisco FMCs for failover.
D. Configure the Cisco FMC-managed devices for clustering.
B. Keep a copy of the current configuration to use as a backup.
Verified
An organization has implemented Cisco Firepower without IPS capabilities and now wants to enable inspection for their traffic. They need to be able to detect protocol anomalies and utilize the Snort rule sets to detect malicious behavior. How is this accomplished?
A. Modify the network discovery policy to detect new hosts to inspect.
B. Modify the access control policy to redirect interesting traffic to the engine.
C. Modify the intrusion policy to determine the minimum severity of an event to inspect.
D. Modify the network analysis policy to process the packets for inspection.
B. Modify the access control policy to redirect interesting traffic to the engine.
Verified
To apply intrusion policies to network traffic, you select the policy within an access control rule that allows traffic. You do not directly assign intrusion policies.
You can assign different intrusion policies to provide variable intrusion protection based on the relative risks of the networks you are protecting. For example, you might use the more stringent Security over Connectivity policy for traffic between your inside network and external networks. On the other hand, you might apply the more lenient Connectivity over Security policy for traffic between inside networks.
You can also simplify your configuration by using the same policy for all networks. For example, the Balanced Security and Connectivity policy is designed to provide good protection without excessively impacting connectivity.
https://www.cisco.com/c/en/us/td/docs/security/firepower/670/fdm/fptd-fdm-config-guide-670/fptd-fdm-intrusion.html
An engineer is tasked with deploying an internal perimeter firewall that will support multiple DMZs. Each DMZ has a unique private IP subnet range. How is this requirement satisfied?
A. Deploy the firewall in transparent mode with access control policies
B. Deploy the firewall in routed mode with access control policies
C. Deploy the firewall in routed mode with NAT configured
D. Deploy the firewall in transparent mode with NAT configured
B. Deploy the firewall in routed mode with access control policies
May want to verify. The community strongly suggests B; the site says C, with this reference:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/intro-fw.html
An engineer must configure high availability for the Cisco Firepower devices. The current network topology does not allow for two devices to pass traffic concurrently. How must the devices be implemented in this environment?
A. in active/active mode
B. in a cluster span EtherChannel
C. in active/passive mode
D. in cluster interface mode
C. in active/passive mode
Verified
When deploying a Cisco ASA Firepower module, an organization wants to evaluate the contents of the traffic without affecting the network. It is currently configured to have more than one instance of the same device on the physical appliance. Which deployment mode meets the needs of the organization?
A. inline tap monitor-only mode
B. passive monitor-only mode
C. passive tap monitor-only mode
D. inline mode
A. inline tap monitor-only mode
Verified
Double verified
You can configure your ASA FirePOWER module using one of the following deployment models:
Inline mode—In an inline deployment, the actual traffic is sent to the ASA FirePOWER module, and the module’s policy affects what happens to the traffic. After dropping undesired traffic and taking any other actions applied by policy, the traffic is returned to the ASA for further processing and ultimate transmission.
Inline tap monitor-only mode (ASA inline)—In an inline tap monitor-only deployment, a copy of the traffic is sent to the ASA FirePOWER module, but it is not returned to the ASA. Inline tap mode lets you see what the ASA FirePOWER module would have done to traffic, and lets you evaluate the content of the traffic, without impacting the network. However, in this mode, the ASA does apply its policies to the traffic, so traffic can be dropped due to access rules, TCP normalization, and so forth.
Passive monitor-only (traffic forwarding) mode—If you want to prevent any possibility of the ASA with FirePOWER Services device impacting traffic, you can configure a traffic-forwarding interface and connect it to a SPAN port on a switch. In this mode, traffic is sent directly to the ASA FirePOWER module without ASA processing. The traffic is dropped, and nothing is returned from the module, nor does the ASA send the traffic out any interface. You must operate the ASA in single context transparent mode to configure traffic forwarding.
Community based answer
“Let you evaluate the content of the traffic, without impacting the network.” The question takes this exact sentence from the Cisco site for the inline tap monitor-only mode. Please see the link below. So A is the correct answer. https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/firewall/asa-910-firewall-config/access-sfr.html
The deployment mode that meets the needs of the organization is:
A. Inline tap monitor-only mode⁶⁵
In an inline tap monitor-only deployment, a copy of the traffic is sent to the ASA FirePOWER module, but it is not returned to the ASA⁶⁵. This mode allows the organization to see what the ASA FirePOWER module would have done to traffic, and lets them evaluate the content of the traffic, without impacting the network⁶⁵.
Source: Conversation with Bing, 12/8/2023
(1) CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.10. https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/firewall/asa-910-firewall-config/access-sfr.html.
(2) CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.16. https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/configuration/firewall/asa-916-firewall-config/access-sfr.html.
(3) Cisco ASA FirePOWER Module Quick Start Guide - Cisco. https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html.
(4) Cisco ASA Firepower - Monitor-Only Mode Deployment Question. https://community.cisco.com/t5/network-security/cisco-asa-firepower-monitor-only-mode-deployment-question/td-p/2964686.
(5) CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.10. https://bing.com/search?q=Cisco+ASA+Firepower+module+deployment+mode+for+evaluating+traffic+contents+without+affecting+network.
(6) Deploying a Cisco ASA Firepower Module: Best Deployment Mode for …. https://www.exam-answer.com/deploy-cisco-asa-firepower-module-multiple-instances.
(7) http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.pdf.
An organization has a Cisco FTD that uses bridge groups to pass traffic from the inside interfaces to the outside interfaces. They are unable to gather information about neighboring Cisco devices or use multicast in their environment. What must be done to resolve this issue?
A. Create a firewall rule to allow CDP traffic
B. Create a bridge group with the firewall interfaces
C. Change the firewall mode to transparent
D. Change the firewall mode to routed
D. Change the firewall mode to routed
Not verified
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html
A network engineer implements a new Cisco Firepower device on the network to take advantage of its intrusion detection functionality. There is a requirement to analyze the traffic going across the device, alert on any malicious traffic, and appear as a bump in the wire. How should this be implemented?
A. Specify the BVI IP address as the default gateway for connected devices
B. Enable routing on the Cisco Firepower
C. Add an IP address to the physical Cisco Firepower interfaces
D. Configure a bridge group in transparent mode
D. Configure a bridge group in transparent mode
Verified
Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices. However, like any other firewall, access control between interfaces is controlled, and all of the usual firewall checks are in place. Layer 2 connectivity is achieved by using a “bridge group” where you group together the inside and outside interfaces for a network, and the ASA uses bridging techniques to pass traffic between the interfaces. Each bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network. You can have multiple bridge groups for multiple networks. In transparent mode, these bridge groups cannot communicate with each other.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/intro-fw.html
Which two conditions must be met to enable high availability between two Cisco FTD devices? (Choose two.)
A. same flash memory size
B. same NTP configuration
C. same DHCP/PPoE configuration
D. same hostname
E. same number of interfaces
B. same NTP configuration
E. same number of interfaces
Verified
https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html
Conditions. In order to create an HA between 2 FTD devices, these conditions must be met:
Same model
Same version (this applies to FXOS and to FTD: major (first number), minor (second number), and maintenance (third number) must be equal)
Same number of interfaces
Same type of interfaces
Both devices as part of the same group/domain in FMC
Have identical Network Time Protocol (NTP) configuration
Be fully deployed on the FMC without uncommitted changes
Be in the same firewall mode: routed or transparent. Note that this must be checked on both FTD devices and the FMC GUI, since there have been cases where the FTDs had the same mode but the FMC did not reflect this.
Do not have DHCP/Point-to-Point Protocol over Ethernet (PPPoE) configured on any of the interfaces
Different hostname (Fully Qualified Domain Name (FQDN)) for both chassis. In order to check the chassis hostname, navigate to the FTD CLI and run this command.
Therefore the original answers are correct: B and E
An engineer is building a new access control policy using Cisco FMC. The policy must inspect a unique IPS policy as well as log rule matching. Which action must be taken to meet these requirements?
A. Configure an IPS policy and enable per-rule logging
B. Disable the default IPS policy and enable global logging
C. Configure an IPS policy and enable global logging
D. Disable the default IPS policy and enable per-rule logging
A. Configure an IPS policy and enable per-rule logging
Not verified, but probably is correct based on community.
Which two OSPF routing features are configured in Cisco FMC and propagated to Cisco FTD? (Choose two.)
A. OSPFv2 with IPv6 capabilities
B. virtual links
C. SHA authentication to OSPF packets
D. area boundary router type 1 LSA filtering
E. MD5 authentication to OSPF packets
B. virtual links
E. MD5 authentication to OSPF packets
Verified
B & E are the correct answers as per below:
The Firepower Threat Defense device supports the following OSPF features:
Intra-area, inter-area, and external (Type I and Type II) routes.
Virtual links.
LSA flooding.
Authentication to OSPF packets (both password and MD5 authentication).
Configuring the Firepower Threat Defense device as a designated router or a designated backup router. The Firepower Threat Defense device also can be set up as an ABR.
Stub areas and not-so-stubby areas.
Area boundary router Type 3 LSA filtering.
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/ospf_for_firepower_threat_defense.html
When creating a report template, how are the results limited to show only the activity of a specific subnet?
A. Create a custom search in Cisco FMC and select it in each section of the report.
B. Add an Input Parameter in the Advanced Settings of the report, and set the type to Network/IP.
C. Add a Table View section to the report with the Search field defined as the network in CIDR format.
D. Select IP Address as the X-Axis in each section of the report.
B. Add an Input Parameter in the Advanced Settings of the report, and set the type to Network/IP.
https://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Reports.html#87267
What is the disadvantage of setting up a site-to-site VPN in a clustered-units environment?
A. VPN connections can be re-established only if the failed master unit recovers.
B. Smart License is required to maintain VPN connections simultaneously across all cluster units.
C. VPN connections must be re-established when a new master unit is elected.
D. Only established VPN connections are maintained when a new master unit is elected.
C. VPN connections must be re-established when a new master unit is elected
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/clustering/ftd-cluster-solution.html#concept_g32_yml_y2b
What are two features of bridge-group interfaces in Cisco FTD? (Choose two.)
A. The BVI IP address must be in a separate subnet from the connected network.
B. Bridge groups are supported in both transparent and routed firewall modes.
C. Bridge groups are supported only in transparent firewall mode.
D. Bidirectional Forwarding Detection echo packets are allowed through the FTD when using bridge-group members.
E. Each directly connected network must be on the same subnet.
B. Bridge groups are supported in both transparent and routed firewall modes
E. Each directly connected network must be on the same subnet
Verified
A bridge group is a group of interfaces that the FTD device bridges instead of routes. All interfaces are on the same network. Bridge groups are supported in both transparent and routed firewall modes. Each bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network. The bridge group is represented by a Bridge Virtual Interface (BVI) that has an IP address on the bridge network.
Which command is run on an FTD unit to associate the unit to an FMC manager that is at IP address 10.0.0.10, and that has the registration key Cisco123?
A. configure manager local 10.0.0.10 Cisco123
B. configure manager add Cisco123 10.0.0.10
C. configure manager local Cisco123 10.0.0.10
D. configure manager add 10.0.0.10 Cisco123
D. configure manager add 10.0.0.10 Cisco123
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/misc/fmc-ftd-mgmt-nw/fmc-ftd-mgmt-nw.html#id_106101
Which two actions can be used in an access control policy rule? (Choose two.)
A. Block with Reset
B. Monitor
C. Analyze
D. Discover
E. Block ALL
A. Block with Reset
B. Monitor
Verified
Correct Answer: AB 🗳️
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AC-Rules-Tuning-Overview.html#71854
Which two routing options are valid with Cisco FTD? (Choose two.)
A. BGPv6
B. ECMP with up to three equal cost paths across multiple interfaces
C. ECMP with up to three equal cost paths across a single interface
D. BGPv4 in transparent firewall mode
E. BGPv4 with nonstop forwarding
A. BGPv6
C. ECMP with up to three equal cost paths across a single interface
Verified
Equal-Cost Multi-Path (ECMP) Routing
The FTD device supports Equal-Cost Multi-Path (ECMP) routing.
You can have up to 8 equal cost static or dynamic routes per interface. For example, you can configure multiple default routes on the outside interface that specify different gateways.
route for 0.0.0.0 0.0.0.0 through outside to 10.1.1.2
route for 0.0.0.0 0.0.0.0 through outside to 10.1.1.3
route for 0.0.0.0 0.0.0.0 through outside to 10.1.1.4
In this case, traffic is load-balanced on the outside interface between 10.1.1.2, 10.1.1.3, and 10.1.1.4. Traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses, incoming interface, protocol, source and destination ports.
https://www.cisco.com/c/en/us/td/docs/security/firepower/660/fdm/fptd-fdm-config-guide-660/fptd-fdm-ospf.html
Which object type supports object overrides?
A. time range
B. security group tag
C. network object
D. DNS server group
C. network object
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reusable_Objects.html#concept_8BFE8B9A83D742D9B647A74F7AD50053
Which Cisco Firepower rule action displays an HTTP warning page?
A. Monitor
B. Block
C. Interactive Block
D. Allow with Warning
C. Interactive Block
Need to verify
https://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/AC-Rules-Tuning-Overview.html#76698
What is the result of specifying a QoS rule that has a rate limit greater than the maximum throughput of an interface?
A. The rate-limiting rule is disabled.
B. Matching traffic is not rate limited.
C. The system rate-limits all traffic.
D. The system repeatedly generates warnings.
B. Matching traffic is not rate-limited.
Verified
If you specify a limit greater than the maximum throughput of an interface, the system does not rate limit matching traffic. Maximum throughput may be affected by an interface’s hardware configuration, which you specify in each device’s properties (Devices > Device Management).
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/quality_of_service__qos__for_firepower_threat_defense.html
Which Firepower feature allows users to configure bridges in routed mode and enables devices to perform Layer 2 switching between interfaces?
A. FlexConfig
B. BDI
C. SGT
D. IRB
D. IRB
Verified
Integrated Routing and Bridging (IRB): Customers often want to have multiple physical interfaces configured to be part of the same VLAN. The IRB feature meets this demand by allowing users to configure bridges in routed mode, and enables the devices to perform L2 switching between interfaces (including subinterfaces).
https://www.cisco.com/c/en/us/td/docs/security/firepower/620/relnotes/Firepower_System_Release_Notes_Version_620/new_features_and_functionality.html
In which two places are thresholding settings configured? (Choose two.)
A. on each IPS rule
B. globally, within the network analysis policy
C. globally, per intrusion policy
D. on each access control rule
E. per preprocessor, within the network analysis policy
A. on each IPS rule
C. globally, per intrusion policy
Verified
Global Rule Thresholding Basics
The global rule threshold sets limits for event logging by an intrusion policy. You can set a global rule threshold across all traffic to limit how often the policy logs events from a specific source or destination and displays those events per specified time period. You can also set thresholds per shared object rule, standard text rule, or preprocessor rule in the policy. When you set a global threshold, that threshold applies for each rule in the policy that does not have an overriding specific threshold. Thresholds can prevent you from being overwhelmed with a large number of events.
Every intrusion policy contains a default global rule threshold that applies by default to all intrusion rules and preprocessor rules. This default threshold limits the number of events on traffic going to a destination to one event per 60 seconds.
You can:
Change the global threshold.
Disable the global threshold.
Override the global threshold by setting individual thresholds for specific rules.
For example, you might set a global limit threshold of five events every 60 seconds, but then set a specific threshold of ten events for every 60 seconds for SID 1315. All other rules generate no more than five events in each 60-second period, but the system generates up to ten events for each 60-second period for SID 1315.
In which two ways do access control policies operate on a Cisco Firepower system? (Choose two.)
A. Traffic inspection is interrupted temporarily when configuration changes are deployed.
B. The system performs intrusion inspection followed by file inspection.
C. They block traffic based on Security Intelligence data.
D. File policies use an associated variable set to perform intrusion prevention.
E. The system performs a preliminary inspection on trusted traffic to validate that it matches the trusted parameters.
B. The system performs intrusion inspection followed by file inspection.
C. They block traffic based on Security Intelligence data.
Needs verification.
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Access_Control_Using_Intrusion_and_File_Policies.html
It seems to be A and C. When deploying changes, Snort can restart, causing traffic interruptions -> https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/policy_management.html#reference_F11C552688424DEF85ED145FA97283B7 I disagree with D because file policies don’t make use of variable sets; those are used for intrusion policies.
Which two types of objects are reusable and supported by Cisco FMC? (Choose two.)
A. dynamic key mapping objects that help link HTTP and HTTPS GET requests to Layer 7 application protocols.
B. reputation-based objects that represent Security Intelligence feeds and lists, application filters based on category and reputation, and file lists
C. network-based objects that represent IP addresses and networks, port/protocol pairs, VLAN tags, security zones, and origin/destination country
D. network-based objects that represent FQDN mappings and networks, port/protocol pairs, VXLAN tags, security zones and origin/destination country
E. reputation-based objects, such as URL categories
B. reputation-based objects that represent Security Intelligence feeds and lists, application filters based on category and reputation, and file lists
C. network-based objects that represent IP addresses and networks, port/protocol pairs, VLAN tags, security zones, and origin/destination country
Double Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/reusable_objects.html#ID-2243-00000414
The two types of objects that are reusable and supported by Cisco FMC are:
B. Reputation-based objects that represent Security Intelligence feeds and lists, application filters based on category and reputation, and file lists¹².
C. Network-based objects that represent IP addresses and networks, port/protocol pairs, VLAN tags, security zones, and origin/destination country¹².
These objects are used for increased flexibility and web interface ease-of-use in the Firepower System¹². They are reusable configurations that associate a name with a value¹². The system supports object use in various places in the web interface, including many policies and rules, event searches, reports, dashboards, and so on¹².
Source: Conversation with Bing, 12/7/2023
(1) Firepower Management Center Configuration Guide, Version 6.2 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/reusable_objects.html.
(2) Firepower Management Center Configuration Guide, Version 7.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/reusable_objects.html.
(3) Reusable Objects Supported by Cisco FMC - Exam-Answer. https://www.exam-answer.com/best-practices-cisco-fmc-reusable-objects.
(4) Firepower Management Center Configuration Guide, Version 6.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reusable_Objects.html.
A security engineer is configuring an Access Control Policy for multiple branch locations. These locations share a common rule set and utilize a network object called INSIDE_NET which contains the locally significant internal network subnets at each location. What technique will retain the policy consistency at each location but allow only the locally significant network subnet within the application rules?
A. utilizing a dynamic ACP that updates from Cisco Talos
B. creating a unique ACP per device
C. utilizing policy inheritance
D. creating an ACP with an INSIDE_NET network object and object overrides
D. creating an ACP with an INSIDE_NET network object and object overrides
Creating an ACP with an INSIDE_NET network object and object overrides is the most appropriate technique to retain policy consistency at each location while allowing only the locally significant network subnet within the application rules.
An organization has seen a lot of traffic congestion on their links going out to the internet. There is a Cisco Firepower device that processes all of the traffic going to the internet prior to leaving the enterprise. How is the congestion alleviated so that legitimate business traffic reaches the destination?
A. Create a NAT policy so that the Cisco Firepower device does not have to translate as many addresses.
B. Create a flexconfig policy to use WCCP for application aware bandwidth limiting.
C. Create a QoS policy rate-limiting high bandwidth applications.
D. Create a VPN policy so that direct tunnels are established to the business applications.
C. Create a QoS policy rate-limiting high bandwidth applications.
Verified
An engineer configures an access control rule that deploys file policy configurations to security zone or tunnel zones, and it causes the device to restart. What is the reason for the restart?
A. Source or destination security zones in the access control rule matches the security zones that are associated with interfaces on the target devices.
B. The source tunnel zone in the rule does not match a tunnel zone that is assigned to a tunnel rule in the destination policy.
C. Source or destination security zones in the source tunnel zone do not match the security zones that are associated with interfaces on the target devices.
D. The source tunnel zone in the rule does not match a tunnel zone that is assigned to a tunnel rule in the source policy.
A. Source or destination security zones in the access control rule matches the security zones that are associated with interfaces on the target devices.
Verified
Note that access control rules that deploy these file policy configurations to security zones or tunnel zones cause a restart only when your configuration meets the following conditions: Source or destination security zones in your access control rule must match the security zones associated with interfaces on the target devices. Unless the destination zone in your access control rule is any, a source tunnel zone in the rule must match a tunnel zone assigned to a tunnel rule in the prefilter policy.
https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/policy_management.html
An engineer is attempting to create a new dashboard within the Cisco FMC to have a single view with widgets from many of the other dashboards. The goal is to have a mixture of threat and security-related widgets along with Cisco Firepower device health information. Which two widgets must be configured to provide this information? (Choose two.)
A. Intrusion Events
B. Correlation Information
C. Appliance Status
D. Current Sessions
E. Network Compliance
A. Intrusion Events
C. Appliance Status
Not verified but reasonable
Correct Answer: AC 🗳️
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/dashboards.html#ID-2206-00000283
There is an increased amount of traffic on the network and for compliance reasons, management needs visibility into the encrypted traffic. What is a result of enabling TLS/SSL decryption to allow this visibility?
A. It prompts the need for a corporate managed certificate.
B. It will fail if certificate pinning is not enforced.
C. It has minimal performance impact.
D. It is not subject to any Privacy regulations.
A. It prompts the need for a corporate managed certificate.
Verified
An organization is setting up two new Cisco FTD devices to replace their current firewalls and cannot have any network downtime. During the setup process, the synchronization between the two devices is failing. What action is needed to resolve this issue?
A. Confirm that both devices are running the same software version.
B. Confirm that both devices are configured with the same types of interfaces.
C. Confirm that both devices have the same flash memory sizes.
D. Confirm that both devices have the same port-channel numbering.
A. Confirm that both devices are running the same software version.
B. Confirm that both devices are configured with the same types of interfaces.
The two units in a High Availability configuration must:
• Be the same model.
• Have the same number and types of interfaces.
https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/firepower_threat_defense_high_availability.html
An organization wants to secure traffic from their branch office to the headquarters building using Cisco Firepower devices. They want to ensure that their Cisco Firepower devices are not wasting resources on inspecting the VPN traffic. What must be done to meet these requirements?
A. Configure the Cisco Firepower devices to bypass the access control policies for VPN traffic.
B. Tune the intrusion policies in order to allow the VPN traffic through without inspection.
C. Configure the Cisco Firepower devices to ignore the VPN traffic using prefilter policies.
D. Enable a flexconfig policy to re-classify VPN traffic so that it no longer appears as interesting traffic.
A. Configure the Cisco Firepower devices to bypass the access control policies for VPN traffic.
Not verified but community agrees
A is the correct answer. Check the following article. https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/prefiltering_and_prefilter_policies.html#id_31063 According to the article, there are limitations on what type of traffic can be offloaded to fastpath. In the above article it is stated that “IPsec and TLS/DTLS VPN connections that terminate on the device” cannot be offloaded.
An administrator is working on a migration from Cisco ASA to the Cisco FTD appliance and needs to test the rules without disrupting the traffic. Which policy type should be used to configure the ASA rules during this phase of the migration?
A. Prefilter
B. Intrusion
C. Access Control
D. Identity
A. Prefilter
Verified
During the migration phase from Cisco ASA to Cisco FTD, if the administrator needs to test the rules without disrupting the traffic, the Prefilter policy type should be used to configure the ASA rules⁴. The Prefilter policy type matches the 5-tuple state like the ASA³. So, the correct answer is A. Prefilter.
Source: Conversation with Bing, 12/5/2023
(1) Which policy type should be used to configure the ASA rules during this …. https://vceguide.com/which-policy-type-should-be-used-to-configure-the-asa-rules-during-this-phase-of-the-migration/.
(2) Solved: Moving from ASA to FTD/FMC - Cisco Community. https://community.cisco.com/t5/network-security/moving-from-asa-to-ftd-fmc/td-p/3853068.
(3) Migrating Cisco Secure Firewall ASA to Cisco Secure Firewall Threat …. https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide/ASA2FTD-with-FP-Migration-Tool/m-asa-to-threat-defense-migration-workflow.html.
(4) Migrating Cisco Secure Firewall ASA to Cisco Secure Firewall Threat …. https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide/ASA2FTD-with-FP-Migration-Tool/m_migration_tool_faq.html.
(5) Solved: ASA to FTD 1140 migration - Cisco Community. https://community.cisco.com/t5/network-security/asa-to-ftd-1140-migration/td-p/4602199.
A network administrator is seeing an unknown verdict for a file detected by Cisco FTD. Which malware policy configuration option must be selected in order to further analyze the file in the Talos cloud?
A. malware analysis
B. dynamic analysis
C. sandbox analysis
D. Spero analysis
B. dynamic analysis
Verified
Verified twice
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reference_a_wrapper_Chapter_topic_here.html
An engineer has been tasked with providing disaster recovery for an organization’s primary Cisco FMC. What must be done on the primary and secondary Cisco FMCs to ensure that a copy of the original corporate policy is available if the primary Cisco FMC fails?
A. Restore the primary Cisco FMC backup configuration to the secondary Cisco FMC device when the primary device fails.
B. Connect the primary and secondary Cisco FMC devices with Category 6 cables of not more than 10 meters in length.
C. Configure high-availability in both the primary and secondary Cisco FMCs.
D. Place the active Cisco FMC device on the same trusted management network as the standby device.
C. Configure high-availability in both the primary and secondary Cisco FMCs.
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_management_center_high_availability.html
An engineer is attempting to add a new FTD device to their FMC behind a NAT device with a NAT ID of ACME001 and a password of Cisco0391521107. Which command set must be used in order to accomplish this?
A. configure manager add ACME001
B. configure manager add ACME001
C. configure manager add ACME001
D. configure manager add DONTRESOLVE AMCE001
A. configure manager add ACME001
Not verified but most likely correct
https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118596-configure-firesight-00.html
Refer to the exhibit. An organization has an access control rule with the intention of sending all social media traffic for inspection. After using the rule for some time, the administrator notices that the traffic is not being inspected, but is being automatically allowed. What must be done to address this issue?
A. Add the social network URLs to the block list.
B. Change the intrusion policy to connectivity over security.
C. Modify the selected application within the rule.
D. Modify the rule action from trust to allow.
D. Modify the rule action from trust to allow
Verified
A user within an organization opened a malicious file on a workstation which in turn caused a ransomware attack on the network. What should be configured within the Cisco FMC to ensure the file is tested for viruses on a sandbox system?
A. Spero analysis
B. capacity handling
C. local malware analysis
D. dynamic analysis
D. dynamic analysis
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/file_policies_and_advanced_malware_protection.html#ID-2199-000005d8
The answer is correct, and this link will explain each option in case you are interested in knowing the differences: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reference_a_wrapper_Chapter_topic_here.html#ID-2199-000005fa
An engineer configures a network discovery policy on Cisco FMC. Upon configuration, it is noticed that excessive and misleading events are filling the database and overloading the Cisco FMC. A monitored NAT device is executing multiple updates of its operating system in a short period of time. What configuration change must be made to alleviate this issue?
A. Exclude load balancers and NAT devices.
B. Leave default networks.
C. Increase the number of entries on the NAT device.
D. Change the method to TCP/SYN.
A. Exclude load balancers and NAT devices.
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Network_Discovery_Policies.html
A network administrator notices that remote access VPN users are not reachable from inside the network. It is determined that routing is configured correctly; however, return traffic is entering the firewall but not leaving it. What is the reason for this issue?
A. A manual NAT exemption rule does not exist at the top of the NAT table
B. An external NAT IP address is not configured
C. An external NAT IP address is configured to match the wrong interface
D. An object NAT exemption rule does not exist at the top of the NAT table
A. A manual NAT exemption rule does not exist at the top of the NAT table
Not verified
Answer A seems to be correct https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html
Confirmed A is correct: https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html
An administrator is creating interface objects to better segment their network but is having trouble adding interfaces to the objects. What is the reason for this failure?
A. The interfaces are being used for NAT for multiple networks
B. The administrator is adding interfaces of multiple types
C. The administrator is adding an interface that is in multiple zones
D. The interfaces belong to multiple interface groups
B. The administrator is adding interfaces of multiple types
Verified by community
B is correct. https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/reusable_objects.html#ID-2243-000009b4 “All interfaces in an interface object must be of the same type: all inline, passive, switched, routed, or ASA FirePOWER. After you create an interface object, you cannot change the type of interfaces it contains.”
https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/reusable_objects.html#ID-2243-000009b4
An organization is using a Cisco FTD and Cisco ISE to perform identity-based access controls. A network administrator is analyzing the Cisco FTD events and notices that unknown user traffic is being allowed through the firewall. How should this be addressed to block the traffic while allowing legitimate user traffic?
A. Modify the Cisco ISE authorization policy to deny this access to the user
B. Modify Cisco ISE to send only legitimate usernames to the Cisco FTD
C. Add the unknown user in the Access Control Policy in Cisco FTD
D. Add the unknown user in the Malware & File Policy in Cisco FTD
C. Add the unknown user in the Access Control Policy in Cisco FTD
Verified by community
Unknown is a special identity that can be used in a rule if you use identity policies. C is correct.
https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-identity.html#concept_655B055575E04CA49B10186DEBDA301A
What is the benefit of selecting the trace option for packet capture?
A. The option indicates whether the packet was dropped or successful.
B. The option indicates whether the destination host responds through a different path.
C. The option limits the number of packets that are captured.
D. The option captures details of each packet.
A. The option indicates whether the packet was dropped or successful.
Verified by community
https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/troubleshooting_the_system.html#:~:text=Packet%20capture%20is%20available%20with%20the%20trace%20option%2C%20which%20provides%20you%20with%20a%20verdict%20as%20to%20whether%20the%20packet%20is%20dropped%20or%20successful
The packet capture feature with trace option allows real packets that are captured on the ingress interface to be traced through the system. The trace information is displayed at a later stage. These packets are not dropped on the egress interface, as they are real data-path traffic. Packet capture for Firepower Threat Defense devices supports troubleshooting and analysis of data packets. Once the packet is acquired, snort detects the tracing flag that is enabled in the packet. Snort writes tracer elements, through which the packet traverses. Snort verdict as a result of capturing packets can be one of DROP/ALLOW/Would DROP. The file-size option is used when you need to capture packets with the size limit more than 32 MB.
Correct answer is A. Because - Packet capture is available with the trace option, which provides you with a verdict as to whether the packet is dropped or successful.
https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/troubleshooting_the_system.html#:~:text=Packet%20capture%20is%20available%20with%20the%20trace%20option%2C%20which%20provides%20you%20with%20a%20verdict%20as%20to%20whether%20the%20packet%20is%20dropped%20or%20successful.
After deploying a network-monitoring tool to manage and monitor networking devices in your organization, you realize that you need to manually upload an MIB for the Cisco FMC. In which folder should you upload the MIB file?
A. /etc/sf/DCMIB.ALERT
B. /sf/etc/DCEALERT.MIB
C. /etc/sf/DCEALERT.MIB
D. system/etc/DCEALERT.MIB
C. /etc/sf/DCEALERT.MIB
Not verified
https://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Intrusion-External-Responses.pdf
Which command is run at the CLI when logged in to an FTD unit, to determine whether the unit is managed locally or by a remote FMC server?
A. system generate-troubleshoot
B. show configuration session
C. show managers
D. show running-config | include manager
C. show managers
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html
Which command should be used on the Cisco FTD CLI to capture all the packets that hit an interface?
A. configure coredump packet-engine enable
B. capture-traffic
C. capture
D. capture WORD
C. capture
Verified by community
Reason: the command “capture-traffic” is used for SNORT Engine Captures. To capture a LINA Engine Capture, you use the “capture” command. Since the Lina Engine represents the actual physical interface of the device, “capture” is the only reasonable choice. Reference: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html#anc10
https://community.cisco.com/t5/network-security/firepower-cli-capture-vs-capture-traffic/td-p/4145462
How many report templates does the Cisco Firepower Management Center support?
A. 20
B. 10
C. 5
D. unlimited
D. unlimited
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Working_with_Reports.html
Which action should be taken after editing an object that is used inside an access control policy?
A. Delete the existing object in use.
B. Refresh the Cisco FMC GUI for the access control policy.
C. Redeploy the updated configuration.
D. Create another rule using a different object name.
C. Redeploy the updated configuration.
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/reusable_objects.html
Which Cisco Firepower feature is used to reduce the number of events received in a period of time?
A. rate-limiting
B. suspending
C. correlation
D. thresholding
D. thresholding
Verified
https://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Intrusion-Global-Threshold.html
Which report template field format is available in Cisco FMC?
A. box lever chart
B. arrow chart
C. bar chart
D. benchmark chart
C. bar chart
Verified
C is correct. Format: bar / pie / line / table view / detail view. Other template fields: Table, Preset, Search or Filter, X and Y axis.
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Working_with_Reports.html
Which group within Cisco does the Threat Response team use for threat analysis and research?
A. Cisco Deep Analytics
B. OpenDNS Group
C. Cisco Network Response
D. Cisco Talos
D. Cisco Talos
Verified
DRAG DROP -
Drag and drop the steps to restore an automatic device registration failure on the standby Cisco FMC from the left into the correct order on the right. Not all options are used.
Select and Place:
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_management_center_high_availability.html#id_32288
Which CLI command is used to generate firewall debug messages on a Cisco Firepower?
A. system support firewall-engine-debug
B. system support ssl-debug
C. system support platform
D. system support dump-table
A. system support firewall-engine-debug
Verified
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212330-firepower-management-center-display-acc.html
Which command-line mode is supported from the Cisco FMC CLI?
A. privileged
B. user
C. configuration
D. admin
C. configuration
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/command_line_reference.pdf
Which command is entered in the Cisco FMC CLI to generate a troubleshooting file?
A. show running-config
B. show tech-support chassis
C. system support diagnostic-cli
D. sudo sf_troubleshoot.pl
D. sudo sf_troubleshoot.pl
Verified
https://www.cisco.com/c/en/us/support/docs/security/sourcefire-defense-center/117663-technote-SourceFire-00.html
Which CLI command is used to control special handling of ClientHello messages?
A. system support ssl-client-hello-tuning
B. system support ssl-client-hello-display
C. system support ssl-client-hello-force-reset
D. system support ssl-client-hello-reset
A. system support ssl-client-hello-tuning
Verified
Which command is typed at the CLI on the primary Cisco FTD unit to temporarily stop running high-availability?
A. configure high-availability resume
B. configure high-availability disable
C. system support network-options
D. configure high-availability suspend
D. configure high-availability suspend
Verified by community
configure high-availability disable: Disable high-availability configuration
configure high-availability resume: Resume temporarily suspended high-availability configuration
configure high-availability suspend: Temporarily suspend high-availability configuration
Confirmed: D is correct choice. https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html
Which command must be run to generate troubleshooting files on an FTD?
A. system support view-files
B. sudo sf_troubleshoot.pl
C. system generate-troubleshoot all
D. show tech-support
C. system generate-troubleshoot all
Verified
Firepower Devices
Enter this command on FirePOWER devices/modules and virtual managed devices in order to generate a troubleshoot file:
> system generate-troubleshoot all
Starting /usr/local/sf/bin/sf_troubleshoot.pl…
Please, be patient. This may take several minutes.
The troubleshoot option code specified is ALL.
Troubleshoot information successfully created at /var/common/xxxxxx.tar.gz
Correct answer is C (Tip: this is for FTD and not FMC) https://www.cisco.com/c/en/us/support/docs/security/sourcefire-defense-center/117663-technote-SourceFire-00.html#anc12
When is the file-size command needed while troubleshooting with packet capture?
A. when capture packets are less than 16 MB
B. when capture packets are restricted from the secondary memory
C. when capture packets exceed 10 GB
D. when capture packets exceed 32 MB
D. when capture packets exceed 32 MB
Verified
Cisco Documentation = The file-size option is used when you need to capture packets with the size limit more than 32 MB.
https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/troubleshooting_the_system.html
What is a functionality of port objects in Cisco FMC?
A. to mix transport protocols when setting both source and destination port conditions in a rule
B. to represent protocols other than TCP, UDP, and ICMP
C. to represent all protocols in the same way
D. to add any protocol other than TCP or UDP for source port conditions in access control rules.
B. to represent protocols other than TCP, UDP, and ICMP
Verified
B to represent OTHER protocols. In the FMC GUI, when you create a port object, the Protocol field allows TCP, UDP, ICMP, IPv6-ICMP, and others. When you choose other, a drop-down box becomes enabled, with 50+ additional protocols, none of which I recognized.
https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/reusable_objects.html
Within Cisco Firepower Management Center, where does a user add or modify widgets?
A. dashboard
B. reporting
C. context explorer
D. summary tool
A. dashboard
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Using_Dashboards.html
A network engineer is configuring URL Filtering on Cisco FTD. Which two port requirements on the FMC must be validated to allow communication with the cloud service? (Choose two.)
A. outbound port TCP/443
B. inbound port TCP/80
C. outbound port TCP/8080
D. inbound port TCP/443
E. outbound port TCP/80
A. outbound port TCP/443
E. outbound port TCP/80
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Security__Internet_Access__and_Communication_Ports.html
What is the maximum bit size that Cisco FMC supports for HTTPS certificates?
A. 1024
B. 8192
C. 4096
D. 2048
C. 4096
Verified
The FMC supports 4096-bit HTTPS certificates. If the certificate used by the FMC was generated using a public server key larger than 4096 bits, you will not be able to log in to the FMC web interface. If this happens, contact Cisco TAC.
Correct Answer is 4096, after updating cisco website https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/system_configuration.html
Which limitation applies to Cisco FMC dashboards in a multi-domain environment?
A. Child domains are able to view but not edit dashboards that originate from an ancestor domain.
B. Child domains have access to only a limited set of widgets from ancestor domains.
C. Only the administrator of the top ancestor domain is able to view dashboards.
D. Child domains are not able to view dashboards that originate from an ancestor domain.
D. Child domains are not able to view dashboards that originate from an ancestor domain.
Verified
In a multidomain deployment, you cannot view dashboards from ancestor domains; however, you can create new dashboards that are copies of the higher-level dashboards.
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Using_Dashboards.html
Which two considerations must be made when deleting and re-adding devices while managing them via Cisco FMC? (Choose two.)
A. An option to re-apply NAT and VPN policies during registration is available, so users do not need to re-apply the policies after registration is completed.
B. Before re-adding the device in Cisco FMC, the manager must be added back.
C. Once a device has been deleted, it must be reconfigured before it is re-added to the Cisco FMC.
D. The Cisco FMC web interface prompts users to re-apply access control policies.
E. There is no option to re-apply NAT and VPN policies during registration available, so users need to re-apply the policies after registration is completed.
D - Is correct because when a device is deleted and then re-added, the FMC web interface prompts you to re-apply your access control policies. However, there is no option to re-apply the NAT and VPN policies during registration. Any previously applied NAT or VPN configuration will be removed during registration and must be re-applied after registration is complete.
E - Is correct because there is no option to re-apply NAT and VPN policies during registration available, so users need to re-apply the policies after registration is completed.
Verified
A - Is wrong because when a device is deleted and then re-added, the FMC web interface prompts you to re-apply your access control policies. However, there is no option to re-apply the NAT and VPN policies during registration. Any previously applied NAT or VPN configuration will be removed during registration and must be re-applied after registration is complete.
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Device_Management_Basics.html
https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/device_management_basics.html?bookSearch=true
What is the behavior of a Cisco FMC database purge [Choose two]?
A. User login and history data are removed from the database if the User Activity check box is selected.
B. Data is recovered from the device.
C. The appropriate process is restarted.
D. The specified data is removed from Cisco FMC and kept for two weeks.
A. User login and history data are removed from the database if the User Activity check box is selected.
C. The appropriate process is restarted.
Verified
You can use the database purge page to purge discovery, identity, connection, and Security Intelligence data files from the FMC databases. Note that when you purge a database, the appropriate process is restarted.
https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/management_center_database_purge.pdf
Which two packet captures does the FTD LINA engine support? (Choose two.)
A. Layer 7 network ID
B. source IP
C. application ID
D. dynamic firewall importing
E. protocol
B. source IP
E. protocol
Verified
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html
An engineer currently has a Cisco FTD device registered to the Cisco FMC and is assigned the address of 10.10.50.12. The organization is upgrading the addressing schemes and there is a requirement to convert the addresses to a format that provides an adequate amount of addresses on the network. What should the engineer do to ensure that the new addressing takes effect and can be used for the Cisco FTD to Cisco FMC connection?
A. Update the IP addresses from IPv4 to IPv6 without deleting from Cisco FMC.
B. Format and reregister the device to Cisco FMC.
C. Cisco FMC does not support devices that use IPv4 IP addresses.
D. Delete and reregister the device to Cisco FMC.
D. Delete and reregister the device to Cisco FMC.
Verified
Correct Answer is D If you registered a FMC and a device using IPv4 and want to convert them to IPv6, you must delete and reregister the device. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/device_management_basics.html
Refer to the exhibit. An engineer is analyzing the Attacks Risk Report and finds that there are over 300 instances of new operating systems being seen on the network. How is the Firepower configuration updated to protect these new operating systems?
A. The administrator manually updates the policies.
B. The administrator requests a Remediation Recommendation Report from Cisco Firepower.
C. Cisco Firepower gives recommendations to update the policies.
D. Cisco Firepower automatically updates the policies.
The correct option is:
A. The administrator manually updates the policies.
Firepower Management Center (FMC) provides information about the operating systems, servers, and client application protocols detected on your network⁴. However, it does not automatically update the policies. The administrator needs to manually update the policies based on the information provided by FMC¹². This allows you to tailor your intrusion policy to the specific needs of your monitored network⁴.
Please note that options B, C, and D are not accurate. While Firepower can provide recommendations and reports, it does not automatically update policies or provide a Remediation Recommendation Report.
Source: Conversation with Bing, 10/1/2023
(1) Firepower Management Center Configuration Guide, Version 6.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Tailoring_Intrusion_Protection_to_Your_Network_Assets.html.
(2) Firepower Management Center Configuration Guide, Version 6.0. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/fpmc-config-guide-v60_chapter_01110011.html.
(3) Firepower Management Center Configuration Guide, Version 6.5. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/system_software_updates.html.
(4) Cisco Secure Firewall ASA Upgrade Guide - Upgrade the ASA FirePOWER …. https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/firepower-fmc.html.
After using Firepower for some time and learning about how it interacts with the network, an administrator is trying to correlate malicious activity with a user. Which widget should be configured to provide this visibility on the Cisco Firepower dashboards?
A. Current Sessions
B. Correlation Events
C. Current Status
D. Custom Analysis
B. Correlation Events
Verified
The Correlation Events widget shows the average number of correlation events per second by priority.
https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/dashboards.html#ID-2206-00000283
An engineer is troubleshooting application failures through an FTD deployment. While using the FMC CLI, it has been determined that the traffic in question is not matching the desired policy. What should be done to correct this?
A. Use the system support firewall-engine-debug command to determine which rules the traffic matching and modify the rule accordingly.
B. Use the system support firewall-engine-dump-user-identity-data command to change the policy and allow the application though the firewall.
C. Use the system support application-identification-debug command to determine which rules the traffic matching and modify the rule accordingly.
D. Use the system support network-options command to fine tune the policy.
A. Use the system support firewall-engine-debug command to determine which rules the traffic matching and modify the rule accordingly.
Verified
The correct option is:
A. Use the system support firewall-engine-debug
command to determine which rules the traffic is matching and modify the rule accordingly⁹ ¹⁰.
This command can help identify which Access Control Policy (ACP) rule a flow is matching. If the connection events do not clearly show what the ACP is doing with the traffic, debugging can be performed on the Firepower Command Line Interface (CLI)⁸. Once the problematic rule is identified, it can be modified to ensure that the desired traffic is not being blocked.
Please note that options B, C, and D are not valid commands for troubleshooting application failures through an FTD deployment according to the Cisco Secure Firewall Threat Defense Command Reference¹⁵. Always ensure to use the correct commands for your specific troubleshooting needs.
Source: Conversation with Bing, 10/1/2023
(1) Cisco Secure Firewall Threat Defense Command Reference. https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/dr.html.
(2) Firepower Data Path Troubleshooting: Overview - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214572-firepower-data-path-troubleshooting-ove.html.
(3) Firepower Data Path Troubleshooting Phase 4: Access Control Policy. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214577-firepower-data-path-troubleshooting-phas.html.
(4) Cisco Secure Firewall Threat Defense Command Reference. https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/using_the_FTD_CLI.html.
(5) Troubleshoot Firepower Threat Defense Policy Deployments. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw-virtual/215258-troubleshooting-firepower-threat-defense.html.
(6) How to troubleshoot (or recover from) FTD/FMC Deployment failure. https://community.cisco.com/t5/network-security/how-to-troubleshoot-or-recover-from-ftd-fmc-deployment-failure/td-p/3378966.
(7) Solved: Deployment failed due to failure to retrieve running …. https://community.cisco.com/t5/network-security/deployment-failed-due-to-failure-to-retrieve-running/td-p/4048886.
(8) Solved: vFMC deploy configuration failed - Cisco Community. https://community.cisco.com/t5/other-security-subjects/vfmc-deploy-configuration-failed/td-p/4600441.
(9) Troubleshoot Firepower Threat Defense High Availability Issues. https://www.cisco.com/c/en/us/support/docs/availability/high-availability/217763-troubleshoot-firepower-threat-defense-hi.html.
(10) undefined. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk17813/?rfs=iqvred.
(11) undefined. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk42088/?rfs=iqvred.
(12) Debugging FTD Identity-based Policy - Cisco Community. https://community.cisco.com/t5/security-knowledge-base/debugging-ftd-identity-based-policy/ta-p/4287436.
(13) FTD User Identity – integrating IT. https://integratingit.wordpress.com/2019/10/26/ftd-user-identity/.
(14) ISE pxGrid integration with FMC – integrating IT. https://integratingit.wordpress.com/2018/08/25/cisco-ise-pxgrid-integration-with-firepower/.
(15) Solved: FTD CLI SSH Debugging - Cisco Community. https://community.cisco.com/t5/network-security/ftd-cli-ssh-debugging/td-p/3711562.
(16) Use Firepower Threat Defense Captures and Packet Tracer. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html.
(17) Configure Firepower Threat Defense (FTD) Management Interface - Cisco. https://www2-realm.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.pdf.
(18) Solved: FMC/FTD - Cisco Community. https://community.cisco.com/t5/network-security/fmc-ftd/td-p/4388027.
(19) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214574-firepower-data-path-troubleshooting-phas.html.
(20) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214575-firepower-data-path-troubleshooting-phas.html.
(21) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214576-firepower-data-path-troubleshooting-phas.html.
(22) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214581-firepower-data-path-troubleshooting-phas.html.
(23) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw-virtual/214608-firepower-data-path-troubleshooting-phas.html.
(24) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214609-firepower-data-path-troubleshooting-phas.html.
(25) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214610-firepower-data-path-troubleshooting-phas.html.
An engineer has been asked to show application usages automatically on a monthly basis and send the information to management. What mechanism should be used to accomplish this task?
A. reports
B. context explorer
C. dashboards
D. event viewer
A. reports
Verified
A network administrator is configuring SNORT inspection policies and is seeing failed deployment messages in Cisco FMC. What information should the administrator generate for Cisco TAC to help troubleshoot?
A. A troubleshoot file for the device in question.
B. A show tech file for the device in question.
C. A troubleshoot file for the Cisco FMC.
D. A show tech for the Cisco FMC.
C. A troubleshoot file for the Cisco FMC.
Not verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/troubleshooting_the_system.html
An engineer is troubleshooting a device that cannot connect to a web server. The connection is initiated from the Cisco FTD inside interface and attempting to reach 10.0.1.100 over the non-standard port of 9443. The host the engineer is attempting the connection from is at the IP address of 10.20.10.20. In order to determine what is happening to the packets on the network, the engineer decides to use the FTD packet capture tool. Which capture configuration should be used to gather the information needed to troubleshoot the issue?
Image is correct. Could not load all images
A network engineer is receiving reports of users randomly getting disconnected from their corporate applications which traverse the data center FTD appliance. Network monitoring tools show that the FTD appliance utilization is peaking above 90% of total capacity. What must be done in order to further analyze this issue?
A. Use the Packet Export feature to save data onto external drives.
B. Use the Packet Capture feature to collect real-time network traffic.
C. Use the Packet Tracer feature for traffic policy analysis.
D. Use the Packet Analysis feature for capturing network data.
B. Use the Packet Capture feature to collect real-time network traffic.
Verified
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html
An administrator is attempting to remotely log into a switch in the data center using SSH and is unable to connect. How does the administrator confirm that traffic is reaching the firewall?
A. by performing a packet capture on the firewall
B. by attempting to access it from a different workstation
C. by running Wireshark on the administrator’s PC
D. by running a packet tracer on the firewall
A. by performing a packet capture on the firewall
Verified
A is the correct answer -Alan
IT management is asking the network engineer to provide high-level summary statistics of the Cisco FTD appliance in the network. The business is approaching a peak season so the need to maintain business uptime is high. Which report type should be used to gather this information?
A. Risk Report
B. SNMP Report
C. Standard Report
D. Malware Report
C. Standard Report
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/working_with_reports.html#id_20016
Standard Reports
The Firepower System provides a flexible reporting system that allows you to quickly and easily generate multi-section reports with the event views or dashboards that appear on your Firepower Management Center. You can also design your own custom reports from scratch.
A report is a document file formatted in PDF, HTML, or CSV with the content you want to communicate. A report template specifies the data searches and formats for the report and its sections. The Firepower System includes a powerful report designer that automates the design of report templates. You can replicate the content of any event view table or dashboard graphic displayed in the web interface.
You can build as many report templates as you need. Each report template defines the individual sections in the report and specifies the database search that creates the report’s content, as well as the presentation format (table, chart, detail view, and so on) and the time frame. Your template also specifies document attributes, such as the cover page and table of contents and whether the document pages have headers and footers (available only for reports in PDF format). You can export a report template in a single configuration package file and import it for reuse on another Firepower Management Center.
You can include input parameters in a template to expand its usefulness. Input parameters allow you to produce tailored variations of the same report. When you generate a report with input parameters, the generation process prompts you to enter a value for each input parameter. The values you type constrain the report contents on a one-time basis. For example, you can place an input parameter in the destination IP field of the search that produces an intrusion event report; at report generation time, you can specify a department’s network segment when prompted for the destination IP address. The generated report then contains only information concerning that particular department.
Refer to the exhibit. An administrator is looking at some of the reporting capabilities for Cisco Firepower and noticed this section of the Network Risk Report showing a lot of SSL activity that could be used for evasion. Which action will mitigate this risk?
A. Use SSL decryption to analyze the packets.
B. Use Cisco Tetration to track SSL connections to servers.
C. Use encrypted traffic analytics to detect attacks.
D. Use Cisco AMP for Endpoints to block all SSL connection.
A. Use SSL decryption to analyze the packets.
Verified
https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-ssl-decryption.html
An administrator is setting up Cisco FirePower to send data to the Cisco Stealthwatch appliances. The NetFlow_Set_Parameters object is already created, but NetFlow is not being sent to the flow collector. What must be done to prevent this from occurring?
A. Create a service identifier to enable the NetFlow service.
B. Add the NetFlow_Send_Destination object to the configuration.
C. Create a Security Intelligence object to send the data to Cisco Stealthwatch.
D. Add the NetFlow_Add_Destination object to the configuration.
D. Add the NetFlow_Add_Destination object to the configuration.
Verified
With a recent summer time change, system logs are showing activity that occurred to be an hour behind real time. Which action should be taken to resolve this issue?
A. Manually adjust the time to the correct hour on all managed devices.
B. Configure the system clock settings to use NTP with Daylight Savings checked.
C. Configure the system clock settings to use NTP.
D. Manually adjust the time to the correct hour on the Cisco FMC.
C. Configure the system clock settings to use NTP.
Verified
Because NTP is based on UTC, which has no daylight saving time period, no switchover is needed inside the NTP system. The operating systems of servers and clients are solely responsible for switching to and from DST. See also: How are time zones handled with NTP?
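The point above, as an added example that is not part of the original flashcards: NTP only distributes UTC, and the local offset (DST included) comes from the operating system's zone rules. A device whose offset was set by hand before the switch keeps the winter offset afterwards, so every event renders an hour behind. The US Eastern DST rule is implemented inline (post-2007 rule: second Sunday of March to first Sunday of November, switching at 02:00 local) so the script needs no zone database; the event timestamps are constructed.

```python
"""Added example (not from the original flashcards): why a hand-set clock
drifts by one hour after a DST change while an NTP-synced host with
correct OS time-zone rules does not. The US Eastern rule is coded here
as an assumption so the script runs without a zone database."""
from datetime import datetime, timedelta, timezone


def nth_sunday(year: int, month: int, n: int) -> datetime:
    """Naive date of the n-th Sunday of a month (used for the US DST rule)."""
    first = datetime(year, month, 1)
    offset = (6 - first.weekday()) % 7  # weekday(): Monday=0 ... Sunday=6
    return first + timedelta(days=offset + 7 * (n - 1))


def us_eastern_offset(utc: datetime) -> timedelta:
    """UTC offset of US Eastern time for an aware UTC instant.
    Assumption: post-2007 US rule. Transitions expressed in UTC:
    02:00 EST = 07:00 UTC (start), 02:00 EDT = 06:00 UTC (end)."""
    dst_start = nth_sunday(utc.year, 3, 2) + timedelta(hours=7)
    dst_end = nth_sunday(utc.year, 11, 1) + timedelta(hours=6)
    naive = utc.replace(tzinfo=None)
    return timedelta(hours=-4) if dst_start <= naive < dst_end else timedelta(hours=-5)


def render_with_os_rules(utc: datetime) -> str:
    """What an NTP-synced host with proper zone rules displays."""
    return (utc + us_eastern_offset(utc)).strftime("%Y-%m-%d %H:%M")


def render_with_stale_offset(utc: datetime, stale_offset: timedelta) -> str:
    """What a device displays when its offset was fixed by hand before the
    switch and never updated (the 'hour behind' symptom from the question)."""
    return (utc + stale_offset).strftime("%Y-%m-%d %H:%M")


def drift_hours(utc: datetime, stale_offset: timedelta) -> int:
    """Hours by which the hand-set clock lags the correctly rendered time."""
    return int((us_eastern_offset(utc) - stale_offset) / timedelta(hours=1))


# Constructed samples: one event the day after the March 2024 switch,
# one event in January; the offset was hand-configured in winter.
event_utc = datetime(2024, 3, 11, 14, 0, tzinfo=timezone.utc)
january_utc = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
winter_offset = timedelta(hours=-5)

if __name__ == "__main__":
    print("NTP + OS tz rules :", render_with_os_rules(event_utc))
    print("hand-set offset   :", render_with_stale_offset(event_utc, winter_offset))
    print("lag (hours)       :", drift_hours(event_utc, winter_offset))
```

For forensics the practical consequence is that logs stored with a hand-set local clock cannot be correlated with other sources after a DST switch; storing and syslogging in UTC (the form NTP hands out) and letting the viewer apply the zone avoids the problem entirely.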
A network administrator notices that SI events are not being updated. The Cisco FTD device is unable to load all of the SI event entries and traffic is not being blocked as expected. What must be done to correct this issue?
A. Restart the affected devices in order to reset the configurations.
B. Redeploy configurations to affected devices so that additional memory is allocated to the SI module.
C. Replace the affected devices with devices that provide more memory.
D. Manually update the SI event entries so that the appropriate traffic is blocked.
B. Redeploy configurations to affected devices so that additional memory is allocated to the SI module.
Verified by community
Refer to the exhibit. What must be done to fix access to this website while preventing the same communication to all other websites?
A. Create an intrusion policy rule to have Snort allow port 80 to only 172.1.1.50.
B. Create an intrusion policy rule to have Snort allow port 443 to only 172.1.1.50.
C. Create an access control policy rule to allow port 443 to only 172.1.1.50.
D. Create an access control policy rule to allow port 80 to only 172.1.1.50.
D. Create an access control policy rule to allow port 80 to only 172.1.1.50.
Verified
A connectivity issue is occurring between a client and a server which are communicating through a Cisco Firepower device. While troubleshooting, a network administrator sees that traffic is reaching the server, but the client is not getting a response. Which step must be taken to resolve this issue without initiating traffic from the client?
A. Use packet-tracer to ensure that traffic is not being blocked by an access list
B. Use packet capture to ensure that traffic is not being blocked by an access list
C. Use packet capture to validate that the packet passes through the firewall and is NATed to the correct IP address
D. Use packet-tracer to validate that the packet passes through the firewall and is NATed to the correct IP address
D. Use packet-tracer to validate that the packet passes through the firewall and is NATed to the correct IP address
Verified by community
D-Packet-tracer/NAT "without generating traffic from the client", makes this a packet tracer answer. The only problem is that packet tracer doesn't track the return packet from the server, and therefore won't tell you if it is being dropped by an ACL in the return path. What I have seen in my real-life packet tracer use, is packet tracer dropping the initial packet because the return packet would hit an unexpected NAT rule, causing asymmetrical NAT and the connection failing anyways. As such, my answer is
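The limitation raised in the comment above (packet-tracer simulates only the first client-to-server packet, so a drop on the return path is invisible to it) is what simultaneous captures on both interfaces expose. The following is an added example, not part of the original flashcards or any Cisco tool: it parses capture lines written in the ASA/FTD show capture style, correlates the TCP handshake legs across the inside and outside interfaces, and says where the handshake died. The addresses, ports, NAT translation and the capture lines themselves are constructed for the example.

```python
"""Added example (not from the original flashcards): locate where a TCP
handshake dies by correlating captures from both sides of the FTD.
Capture lines are constructed in 'show capture' style; the hosts and the
static NAT of the client are assumptions."""
import re
from dataclasses import dataclass

# Leading fields of an ASA/FTD 'show capture' TCP line, e.g.
#   "1: 10:21:35.103412 10.1.1.50.51234 > 203.0.113.20.443: S 111:111(0) win 64240"
LINE_RE = re.compile(
    r"^\s*\d+:\s+[\d:.]+\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)"
)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump-style: "S" = SYN, "S." = SYN/ACK, "." = ACK, "R" = RST


def parse_capture(text: str) -> list[Pkt]:
    """Parse capture output; lines that do not look like TCP records are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Pkt(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return out


def seen(pkts: list[Pkt], src: str, dst: str, flags: str, server_port: int) -> bool:
    """True if a src->dst packet with these flags involves server_port."""
    return any(p.src == src and p.dst == dst and p.flags == flags
               and server_port in (p.sport, p.dport) for p in pkts)


def handshake_stages(inside, outside, client, nat_client, server, port):
    """Which legs of the handshake appear in the inside and outside captures.
    nat_client is the client's translated address as seen on the outside."""
    return {
        "syn_inside":     seen(inside,  client,     server,     "S",  port),
        "syn_outside":    seen(outside, nat_client, server,     "S",  port),
        "synack_outside": seen(outside, server,     nat_client, "S.", port),
        "synack_inside":  seen(inside,  server,     client,     "S.", port),
    }


def verdict(stages: dict) -> str:
    """First missing leg decides where to look next."""
    if not stages["syn_inside"]:
        return "client SYN never reached the FTD: check the path before the firewall"
    if not stages["syn_outside"]:
        return "SYN dropped on the forward path (ACL/NAT): packet-tracer reproduces this"
    if not stages["synack_outside"]:
        return "server (or the path beyond the FTD) did not answer"
    if not stages["synack_inside"]:
        return "SYN/ACK dropped on the return path (reverse NAT/ACL): packet-tracer cannot show this"
    return "handshake crossed the FTD both ways: look beyond the firewall"


# Constructed captures: client 10.1.1.50 is NATed to 198.51.100.5 on the outside.
CLIENT, NAT_CLIENT, SERVER, PORT = "10.1.1.50", "198.51.100.5", "203.0.113.20", 443
INSIDE_CAP = """\
1: 10:21:35.103412 10.1.1.50.51234 > 203.0.113.20.443: S 1111111111:1111111111(0) win 64240 <mss 1460>
2: 10:21:36.105001 10.1.1.50.51234 > 203.0.113.20.443: S 1111111111:1111111111(0) win 64240 <mss 1460>
"""
OUTSIDE_CAP = """\
1: 10:21:35.103655 198.51.100.5.51234 > 203.0.113.20.443: S 1111111111:1111111111(0) win 64240 <mss 1460>
2: 10:21:35.110902 203.0.113.20.443 > 198.51.100.5.51234: S. 2222222222:2222222222(0) ack 1111111112 win 65535 <mss 1460>
"""


def diagnose_sample() -> tuple[dict, str]:
    stages = handshake_stages(parse_capture(INSIDE_CAP), parse_capture(OUTSIDE_CAP),
                              CLIENT, NAT_CLIENT, SERVER, PORT)
    return stages, verdict(stages)


if __name__ == "__main__":
    stages, text = diagnose_sample()
    for leg, ok in stages.items():
        print(f"{leg:15s} {'seen' if ok else 'missing'}")
    print(text)
```

In the sample the SYN/ACK is visible on the outside capture but never appears on the inside one, which is exactly the return-path drop the comment describes; packet-tracer run from the inside would report the flow as allowed.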
A VPN user is unable to connect to web resources behind the Cisco FTD device, terminating the connection. While troubleshooting, the network administrator determines that the DNS response is not getting through the Cisco FTD. What must be done to address this issue while still utilizing Snort IPS rules?
A. Uncheck the Drop when Inline box in the intrusion policy to allow the traffic
B. Modify the Snort rules to allow legitimate DNS traffic to the VPN users
C. Disable the intrusion rule thresholds to optimize the Snort processing
D. Decrypt the packet after the VPN flow so the DNS queries are not inspected
B. Modify the Snort rules to allow legitimate DNS traffic to the VPN users
Verified
The solution to this issue would be to modify the Snort rules to allow legitimate DNS traffic to the VPN users (Option B).
Snort is a powerful intrusion prevention system that can analyze network traffic in real time and detect a variety of attacks. However, it can sometimes block legitimate traffic, such as DNS responses, if the rules are not configured correctly¹⁵.
In this case, the network administrator should adjust the Snort rules to allow DNS responses to pass through to the VPN users¹⁵. This will ensure that the VPN users can connect to web resources behind the Cisco FTD device without their connections being terminated⁴.
Please note that while other options might seem plausible, they could potentially weaken the security posture of your network. For instance, unchecking the “Drop when Inline” box in the intrusion policy (Option A) or disabling the intrusion rule thresholds (Option C) could allow malicious traffic to pass through¹⁵. Decrypting the packet after the VPN flow so the DNS queries are not inspected (Option D) could also expose sensitive information⁴.
Therefore, modifying the Snort rules to allow legitimate DNS traffic is the most appropriate solution in this scenario¹⁵.
Source: Conversation with Bing, 10/8/2023
(1) How to verify enabled snort rules in FTD - Cisco Community. https://community.cisco.com/t5/network-security/how-to-verify-enabled-snort-rules-in-ftd/td-p/4518910.
(2) Solved: Snort Dropping Packets - Cisco Community. https://community.cisco.com/t5/network-security/snort-dropping-packets/td-p/3710422.
(3) A VPN user is unable to connect to web resources behind the Cisco FTD …. https://vceguide.com/a-vpn-user-is-unable-to-conned-lo-web-resources-behind-the-cisco-ftd-device-terminating-the-connection-while-troubleshooting-the-network-administrator-determines-that-the-dns-responses-are-not-getti/.
(4) Solved: DNS configuration on FTD - Cisco Community. https://community.cisco.com/t5/network-security/dns-configuration-on-ftd/td-p/4169966.
(5) Configure AnyConnect Remote Access VPN on FTD - Cisco. https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html.
(6) Snort advisory: talos-rules-2021-12-10. https://www.snort.org/advisories/talos-rules-2021-12-10.
An engineer is restoring a Cisco FTD configuration from a remote backup using the command restore remote-manager-backup location 1.1.1.1 admin /Volume/home/admin BACKUP_Cisc394602314.zip on a Cisco FMC. After connecting to the repository, an error occurred that prevents the FTD device from accepting the backup file. What is the problem?
A. The backup file is not in .cfg format
B. The backup file is too large for the Cisco FTD device
C. The backup file extension was changed from .tar to .zip
D. The backup file was not enabled prior to being applied
C. The backup file extension was changed from .tar to .zip
Verified
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKSEC-3455.pdf
An organization has a Cisco IPS running in inline mode and is inspecting traffic for malicious activity. When traffic is received by the Cisco IPS, if it is not dropped, how does the traffic get to its destination?
A. It is retransmitted from the Cisco IPS inline set
B. The packets are duplicated and a copy is sent to the destination
C. It is transmitted out of the Cisco IPS outside interface
D. It is routed back to the Cisco ASA interfaces for transmission
A. It is retransmitted from the Cisco IPS inline set
Not verified
The Answer is absolutely A. “Inline interfaces receive all traffic unconditionally, but all traffic received on these interfaces is retransmitted out of an inline set unless explicitly dropped.” You can verify my answer here: https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v60_chapter_01011010.pdf The third page, under (Inline IPS Deployments)
An engineer is investigating connectivity problems on Cisco Firepower that is using service group tags. Specific devices are not being tagged correctly, which is preventing clients from using the proper policies when going through the firewall. How is this issue resolved?
A. Use traceroute with advanced options
B. Use Wireshark with an IP subnet filter
C. Use a packet capture with match criteria
D. Use a packet sniffer with correct filtering
C. Use a packet capture with match criteria
Verified
An organization must be able to ingest NetFlow traffic from their Cisco FTD device to Cisco Stealthwatch for behavioral analysis. What must be configured on the Cisco FTD to meet this requirement?
A. flexconfig object for NetFlow
B. interface object to export NetFlow
C. security intelligence object for NetFlow
D. variable set object for NetFlow
A. flexconfig object for NetFlow
Verified
Step 4. Configure the NetFlow Destination. In order to configure the NetFlow destination, navigate to Objects > FlexConfig > FlexConfig Objects.
https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/netflow/216126-configure-netflow-secure-event-logging-o.html#anc14
An engineer must build redundancy into the network and traffic must continuously flow if a redundant switch in front of the firewall goes down. What must be configured to accomplish this task?
A. redundant interfaces on the firewall cluster mode and switches
B. redundant interfaces on the firewall noncluster mode and switches
C. vPC on the switches to the interface mode on the firewall cluster
D. vPC on the switches to the span EtherChannel on the firewall cluster
D. vPC on the switches to the span EtherChannel on the firewall cluster
Verified
The answer is correct: Virtual Port Channels (vPC) are common EtherChannel deployments, especially in the data center, and allow multiple devices to share multiple interfaces. An EtherChannel interface requires a stack, VSS or vPC when connected to multiple switches.
https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKSEC-2020.pdf