PASSLEADER BY aNTON DUMP CCNA SEC
PASSLEADER BY aNTON DUMP CCNA SEC
PASSLEADER BY aNTON DUMP CCNA SEC
*Q02 Which type of malicious software can create a back‐door into a device or network?
A. worm
B. trojan
C. virus
D. bot
Answer: B
*Q04 Which SNMPv3 security level provides authentication using HMAC with MD5, but does not use
encryption?
A. authNoPriv
B. noAuthNoPriv
C. noAuthPriv
D. authPriv
Answer: A
*Q05 What are two advanced features of the Cisco AMP solution for endpoints? (Choose two)
A. reflection
B. foresight
C. sandboxing
D. contemplation
E. reputation
Answer: C, E
*Q07 In which two modes can the Cisco Web Security Appliance be deployed? (Choose two)
A. explicit proxy mode
B. as a transparent proxy using the Secure Sockets Layer protocol
C. as a transparent proxy using the Hyper Text Transfer Protocol
D. as a transparent proxy using the Web Cache Communication Protocol
E. explicit active mode
Answer: A, D
*Q08 Which type of mechanism does Cisco FirePOWER deploy to protect against email threats that
are detected moving across other networks?
A. reputation‐based
B. signature‐based
C. antivirus scanning
D. policy‐based
Answer: A
*Q09 Which action does standard antivirus software perform as part of the file‐analysis process?
A. execute the file in a simulated environment to examine its behaviour
B. examine the execution instructions in the file
C. flag the unexamined file as a potential threat
D. create a backup copy of the file
Answer: B
*Q10 When you edit an IPS subsignature, what is the effect on the parent signature and the family of
signatures?
A. The change applies to the parent signature and the subsignature that you edit.
B. The change applies to the parent signature and the entire family of subsignatures.
C. The change applies only to subsignatures that are numbered sequentially after the subsignature
that you edit.
D. Other signatures are unaffected; the change applies only to the subsignature that you edit.
Answer: D
Q11 Which two ESA services are available for incoming and outgoing mails? (Choose two)
A. DLP
B. reputation filter
C. content filter
D. anti-Dos
E. antispam
Answer: C, E
*Q13 You have implemented a dynamic blacklist, using intelligence to block illicit network activity.
However, the blacklist contains several approved connections that users must access for business
purposes. Which action can you take to retain the blacklist while allowing users to access the
approved sites?
A. Disable the dynamic blacklist and create a static blacklist in its place.
B. Create a whitelist and manually add the approved addresses.
C. Disable the dynamic blacklist and deny the specific address on a whitelist while permitting the
others.
D. Edit the dynamic blacklist to remove the approved addresses.
Answer: B
*Q14 Which two configurations can prevent VLAN hopping attack from attackers at VLAN 10?
(Choose two)
A. creating VLAN 99 and using switchport trunk native vlan 99 command on trunk ports
B. enabling BPDU guard on all access ports
C. using switchport trunk native vlan 10 command on trunk ports
D. using switchport nonegotiate command on dynamic desirable ports
E. applying ACL between VLANs
F: using switchport mode access command on all host ports
Answer: A, F
Q16 Which statement represents a difference between an access list on an ASA versus an access list
on a router?
A. The ASA does not support extended access lists
B. The ASA does not support number access lists
C. The ASA does not ever use a wildcard mask
D. The ASA does not support standard access lists
Answer: C
*Q18 Which two models of ASA tend to be used in a data centre? (Choose two)
A. 5555X
B. ASA service module
C. 5585X
D. 5540
E. 5520
F. 5512X
Answer: B, C
*Q19 Which statement about interface and global access rules is true?
A. Interface access rules are processed before global access rules.
B. The implicit allow is processed after both the global and interface access rules.
C. If an interface access rule is applied, the global access rule is ignored.
D. Global access rules apply only to outbound traffic, but interface access rules can be applied in
either direction.
Answer: A
*Q20 Which security term refers to the likelihood that a weakness will be exploited to cause damage
to an asset?
A. threat
B. vulnerability
C. risk
D. countermeasure
Answer: C
*Q22 Which term refers to the electromagnetic interference that can radiate from network cables?
A. emanations
B. multimode distortion
C. Gaussian distributions
D. Doppler waves
Answer: A
*Q23 Which mitigation technology for web-based threats prevents the removal of confidential data
from the network?
A. AMP
B. DLP
C. DCA
D. CTA
Answer: B
Q24 What are two limitations of the self-zone policies on a zone-based firewall? (Choose two)
A. They restrict SNMP traffic.
B. They are unable to implement application inspection.
C. They are unable to block HTTPS traffic.
D. They are unable to support HTTPS traffic.
E. They are unable to perform rate limiting.
Answer: B, E
*Q25 What are two default behaviours of the traffic on a zone-based firewall? (Choose two)
A. The CBAC rules that are configured on router interfaces apply to zone interfaces.
B. Communication is blocked between interfaces that are members of the same zone.
C. Traffic within self zone uses an implicit deny all
D. All traffic between zones is implicitly blocked.
E. Communication is allowed between interfaces that are members of the same zone.
Answer: D, E
*Q26 Which two statements about Hardware-Based encryption are true? (Choose two)
A. It is potentially easier to compromise than software-based encryption.
B. It can be implemented without impacting performance.
C. It is widely accessible.
D. It is highly cost-effective
E. It requires minimal configuration
Answer: B, E
*Q27 Which path do you follow to enable AAA through the SDM?
A. Configure >Tasks >AAA
B. Configure > Authentication >AAA
C. Configure > Additional Authentication > AAA
D. Configure > Additional Tasks > AAA
E. Configure > AAA
Answer: D
*Q28 Refer to the exhibit. Which type of NAT is configured on a Cisco ASA?
A. dynamic NAT
B. source identity NAT
C. dynamic PAT
D. identity twice NAT
Answer: C
*Q29 When connecting to an external resource, you must change a source IP address to use one IP
address from a range of 207.165.201.1 to 207.165.201.30. Which option do you implement?
A. static destination NAT that uses a subnet as a real destination
B. dynamic source NAT that uses a range as a mapped source
C. dynamic source NAT that uses an IP address as a mapped source
D. static destination NAT that uses a subnet as a real source
Answer: B
*Q30 Refer to the exhibit. What is the effect of the given configuration?
A. It establishes the preshared key for the router
B. It establishes the preshared key for the switch
C. It establishes the preshared key for the firewall
D. It establishes the preshared key for the Cisco ISE appliance.
Answer: C
*Q31 In which type of attack does an attacker overwrite an entry in the CAM table to divert traffic
destined to a legitimate host?
A. MAC spoofing
B. ARP spoofing
C. CAM table overflow
D. DHCP spoofing
Answer: A
*Q34 What is the maximum number of methods that a single method list can contain?
A. 4
B. 3
C. 2
D. 5
Answer: A
*Q35 Which attack involves large numbers of ICMP packets with a spoofed source IP address?
A. Teardrop attack
B. smurf attack
C. Nuke attack
D. SYN Flood attack
Answer: B
Q37 Which command can you enter to verify the statistics of cisco IOS resilient configuration on cisco
router?
A. show binary file
B. show secure bootset
C. secure boot-config
D. secure boot-image
Answer: B
*Q39 You have just deployed SNMPv3 in your environment. Your manager asks you make sure that
your agents can only talk to the SNMP Manager. What would you configure on your SNMP agents to
satisfy this request?
A. Routing Filter with the SNMP managers in it applied outbound
B. A SNMP View containing the SNMP managers
C. A standard ACL containing the SNMP managers applied to the SNMP configuration.
D. A SNMP Group containing the SNMP managers
Answer: C
*Q40 Drag and drop each feature that can protect against DHCP attacks from the left onto the correct
description on the right.
Answer:
*Q41 (same as Q26) Which two statements about hardware-based encryption are true? (Choose two)
A. It is potentially easier to compromise than software-based encryption.
B. It can be implemented without impacting performance.
C. It is widely accessible.
D. It is highly cost effective.
E. It requires minimal configuration.
Answer: B, E
*Q42 Which command do you enter to verify the Phase 1 status of a VPN connection?
A. debug crypto isakmp
B. sh crypto session
C. sh crypto isakmp sa
D. sh crypto ipsec sa
Answer: C
*Q43 What are two major considerations when choosing between a SPAN and a TAP when
implementing IPS? (Choose two)
A. the amount of bandwidth available
B. the way in which dropped packets will be handled
C. the type of analysis the IPS will perform
D. whether RX and TX signals will use separate ports
E. the way in which media errors will be handled
Answer: A, C
*Q44 Which information can you display by executing the show crypto ipsec sa command?
A. proxy information for the connection between two peers
B. IPsec SAs established between two peers
C. recent changes to the IP address of a peer router
D. ISAKMP SAs that are established between two peers
Answer: B
Q45 Which command enables port security to use sticky MAC address on a switch?
A. switchport port-security
B. switchport port security mac-address sticky
C. switchport port-security violation protect
D. switchport port-security violation restrict
Answer: B
Q46 When would you configure ip dhcp snooping trust command on a switch?
A. when the switch is connected to DHCP server.
B. when the switch is connected to client system.
C. when the switch is serving as an aggregator.
D. when the switch is working in an edge capacity.
Answer: A
SIM 1
In this simulation, you have access to ASDM only. Review the various ASA configurations using
ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations. To
access ASDM, click the ASA icon in the topology diagram.
Note: Not all ASDM functionalities are enabled in this simulation. To see all the menu options
available on the left navigation pane, you may also need to un-expand the expanded menu first.
*Q49 (SIM1 Q1) Which user authentication method is used when user login to the Clientless
SSL VPN portal using https://209.165.201.2/test ?
A. Both Certificate and AAA with local database.
B. AAA with RADIUS server.
C. Both Certificate and AAA with RADIUS server.
D. AAA with LOCAL database.
E. Certificate.
Answer: D
*Q50 (SIM1 Q2) When users login to the Clientless SSL VPN using the https://209.165.201.2/test
which group policy will be applied?
A. test
B. Sales
C. DefaultRAGroup
D. DefaultWEBVPNGroup
E. clientless
F. DFTGrpPolicy
Answer: B
*Q51 (SIM1 Q3) Which two statements regarding the ASA VPN configurations are correct?
(Choose two)
A. The Inside-SRV bookmark has not been applied to the Sales group policy.
B. The ASA has a certificate issued by an external Certificate Authority associated to the
ASDM_Trustpoint1.
C. The Inside-SRV bookmark references the https://10.2.1.1 URL.
D. Anyconnect, IPsec IKEv1 and IPsec IKEv2 VPN access is enabled on the outside interface.
E. Only Clientless SSL VPN VPN access is allowed with the Sales group Policy.
F. The DefaultWEBVPNGroup Connection Profile is using the AAA with Radius server method.
Answer: E, F
Explanation: To verify, within the ASDM go to “Configuration” “Remote Access VPN”
“Clientless SSL VPN Access” “Portal” “Bookmarks” and find the bookmark called “Inside-SRV”.
You can see by looking at “Group Policies/DAPs/LOCAL Users Using the Bookmarks” that this
bookmark is applied to the group policy called “Sales” which proves the answer “A” is incorrect.
Next highlight the bookmark called “Inside-SRV” and hit “Edit” to see the bookmark’s referenced URL
of http://192.168.1.2 which proves the answer “C” is incorrect (in other dumps the answer “C”
references the correct URL of http://192.168.1.2. If that’s the case, then answer “C” would be the
correct choice here).
Next go to “Configuration” “Remote Access VPN” “Clientless SSL VPN Access” “Connection
Profiles”. Individually highlight each connection profile (“DefaultRAGroup”, “DefaultWEBVPNGroup”,
“clientless”) and hit “Edit” to verify the default group policy. You can see the only connection profile
associated with “Sales” group policy is “clientess” which proves the answer “E” is the correct choice.
Next go to “Configuration” “Remote Access VPN” “Clientless SSL VPN Access” “Connection
Profiles” and find the connection profile called “DefaultWEBVPNGroup”. You can see the
authentication method for that connection profile is AAA(RAD) (AAA with Radius server) which proves
the answer “F” is the correct choice here.
*Q52 (SIM1 Q4) Which four tunnelling protocols are enabled in the DfltGrpPolicy group policy?
(Choose four)
A. IPsec IKEv1
B. IPsec IKEv2
C. L2TP/IPsec
D. Clientless SSL VPN
E. SSL VPN Client
F. PPTP
Answer: A, B, C, D
Q54 Which command successfully creates an administrative user with a password of "cisco" on a
Cisco router?
A. username Operator privilege 7 password Cisco
B. username Operator privilege 1 password Cisco
C. username Operator privilege 15 password Cisco
D. username Operator password cisco privilege 15
Answer: C
*Q55 Which IPS detection method examines network traffic for preconfigured patterns?
A. signature-based detection
B. policy-based detection
C. anomaly-based detection
D. honey-pot detection
Answer: A
*Q57 What action must you take on the ISE to blacklist a wired device?
A. Issue a COA request for the device’s MAC address to each access switch in the network.
B. Add the devices MAC address to a list of blacklisted devices.
C. Locate the switch through which the device is connected and push an ACL restricting all access by
the device.
D. Revoke the device’s certificate so it is unable to authenticate to the network.
Answer: B
*Q58 Which term is most closely aligned with the basic purpose of a SIEM solution?
A. Causality
B. Accountability
C. Non-Repudiation
D. Repudiation
Answer: B
*Q60 How does the 802.1x supplicant communicate with the authentication server?
A. The supplicant creates EAP packets and sends them to the authenticator, which translates them
into RADIUS and forwards them to the authentication server.
B. The supplicant creates EAP packets and sends them to the authenticator, which encapsulates
them into RADIUS and forwards them to the authentication server.
C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates
them into EAP and forwards them to the authentication server.
D. The supplicant creates RADIUS packets and sends them to the authenticator, which encapsulates
them into EAP and forwards them to the authentication server.
Answer: B
Q61 Drag and drop the steps to configure a WSA from the left into the correct order on the right.
Answer:
Q62 Which IKE phase 1 parameter can you use to require the site-to-site VPN to use a pre-shared
key?
A. group
B. hash
C. authentication
D. encryption
Answer: C
*Q63 How can you prevent NAT rules from sending traffic to incorrect interfaces?
A. Configure twice NAT instead of object NAT.
B. Add the no-proxy-arp command to the nat line.
C. Assign the output interface in the NAT statement.
D. Use packet-tracer rules to reroute misrouted NAT entries.
Answer: C
*Q64 What is the minimum Cisco IOS version that supports zone-based firewalls?
A. 12.4(6)T
B. 15.1
C. 15.0
D. 12.1T
Answer: A
*Q67 What are two features of transparent firewall mode? (Choose two)
A. It allows some traffic that is blocked in routed mode.
B. It conceals the presence of the firewall from attackers.
C. It is configured by default.
D. It acts as a routed hop in the network.
E. It enables the ASA perform as a router.
Answer: A, B
Questions from ‘new question ccna security_yako.pdf’ with corrected answers discussed on
the forum.
Q1 How does the Cisco ASA use Active Directory to authorize VPN users?
A. It queries the Active Directory server for a specific attribute for the specific user
B. It sends the username and password to retire an ACCEPT or Reject message from the Active
Directory server
C. It downloads and stores the Active Directory database to query for future authorization
D. It redirects requests to the Active Directory server defined for the VPN group
Answer: A
Q2 Which three statements about host-based IPS are true? (Choose three)
A. It can view encrypted files
B. It can be deployed at the perimeter
C. It uses signature-based policies
D. It can have more restrictive policies than network-based IPS
E. It works with deployed firewalls
F. It can generate alerts based on behaviour at the desktop level.
Answer: A, D, F
Q3 If a router configuration includes the line aaa authentication login default group tacacs+
enable, which events will occur when the TACACS+ server returns an error? (Choose two)
A. The user will be prompted to authenticate using the enable password
B. Authentication attempts to the router will be denied
C. Authentication will use the router`s local database
D. Authentication attempts will be sent to the TACACS+ server
Answer: A, D
Q4 Which of encryption technology has the broadest platform support to protect operating systems?
A. middleware
B. hardware
C. software
D. file-level
Answer: C
*Q5 Which technology can be used to rate data fidelity and to provide an authenticated hash for data
A. network blocking
B. signature updates
C. file analysis
D. file reputation
Answer: D
Q6 Your security team has discovered a malicious program that has been harvesting the CEO’s email
messages and the company’s user database for the last 6 months. What type of attack did your team
discover? (Choose two)
A. social activism
B. drive-by spyware
C. targeted malware
D. advance persistent threat
E. Polymorphic virus……………
Answer: C, D
Q7 If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
A. The interface on both switches may shut down
B. STP loops may occur
C. The switch with the higher native VLAN may shut down
D. The interface with the lower native VLAN may shut down
Answer: B
*Q9 When using Cisco cloud web protection, in what case proxy scanning is skipped.
A. When connected by wired connection.
B. When connected using wpa2 connection.
C. When connected to trusted corporate network.
D. When connected via vpn with proxy scanning skipped service.
Answer: C
*Q11 On which operating system does the Cisco Email Security Appliance run?
A. Cisco IOS XR
B. Cisco IOS XE
C. Cisco AsyncOS
D. Cisco NX-OS
E. Cisco ESA-OS
Answer: C
*Q12 You are configuring an IPS that must be able to react to potential attack. Which deployment
method do you use?
A. Passive deployment that uses failsafe
B. Passive deployment that uses tap mode
C. Inline deployment that uses a SPAN
D. Transparent Inline Mode
Answer: D
*Q13 Drag and drop each port-security violation mode from the left onto the corresponding action on
the right.
Answer:
Q14 Refer to the exhibit. Your notice the error message in the syslog. Which command do you enter
on the switch to gather more information?
*Q15 Which two statement about STP attacks are true? (Choose two)
A. The attacker sets up a rogue DHCP server to intercept requests
B. They can be performed only when Cisco Discovery protocol is running
C. Then can mitigate by disabling STP
D. They can create the opportunity for subsequent man-in-the middle attacks
E. The attacker sends BPDU messages to become the root bridge
F. They can be executed only from a hub
Answer: D, E
*Q17 You are configuring a site-to-site tunnel between two cisco routers by using IPsec. Which option
do you set to specify the peer to which you want to connect?
A. IP address by using a crypto map
B. IP address of tunnel destination
C. Tunnel group that has a peer P address
D. IP address as part of the ISAKMP configuration
Answer: A
*Q21 Which two advantages does the on-premise model for MDM deployment have over the cloud-
based model? (Choose two)
A. The on-premise model is easier and faster to deploy than the cloud-based model
B. The on-premise model is more scalable than the cloud-based model
C. The on-premise model is generally less expensive than the cloud-based model
D. The on-premise model provides more control of the MDM solution than the cloud-based model
E. The on-premise model generally has less latency than the cloud-based model
Answer: D, E
*Q22 How does the 802.1x supplicant communicate with the authentication server?
A. The supplicant creates EAP packets and sends them to the authenticator, which translates them
into RADIUS and forwards them to the authentication server.
B. The supplicant creates EAP packets and sends them to the authenticator, which encapsulates
them into RADIUS and forwards them to the authentication server.
C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates
them into EAP and forwards them to the authentication server.
D. The supplicant creates RADIUS packets and sends them to the authenticator, which encapsulates
them into EAP and forwards them to the authentication server.
Answer: B
*Q23 Which two actions can an end user take to manage a lost or stolen device in Cisco ISE?
(Choose two)
A. Activate Cisco ISE Endpoint Protection Services to quarantine the device
B. Add the MAC addresses of the device to a list of blacklisted devices
C. Force the device to be locked with a PIN
D. Request revocation of the digital certificate of the device
E. Reinstate a device that the user previously marked as lost or stolen
Answer: C, E
*Q24 How can you prevent NAT rules from sending traffic to incorrect interfaces?
A. Assign the output interface in the NAT statement
B. Add the no-proxy-arp command to the nat line
C. Configure twice NAT instead of object NAT
D. Use packet-tracer rules to reroute misrouted NAT entries
Answer: A
Questions from PassLeader with corrected answers discussed on the forum.
Q392 Which command is to make sure that AAA Authentication is configured and to make sure that
user can access the exec level to configure?
A. AAA authentication enable default local
B. AAA authentication enable local
C. AAA authentication enable tacacs+ default
Answer: A
Q393 Which primary security attributes can be achieved by BYOD Architecture?(Choose two)
A. Trusted enterprise network
B. public wireless network
C. checking compliance with policy
D. pushing patches
Answer: A, C
Q394 A user reports difficulties accessing certain external web pages, when examining traffic to and
from the external domain in full packet captures, you notice many SYNs that have the same sequence
number, source, and destination IP address, but have different payloads. Which problem is a possible
explanation of this situation?
A. insufficient network resources
B. failure of full packet capture solution
C. misconfiguration of web filter
D. TCP injection
Answer: D
Q395 What is the primary purpose of the Integrated Services Routers (ISR) in the BYOD solution?
A. Provide connectivity in the home office environment back to the corporate campus
B. Provide WAN and Internet access for users on the corporate campus
C. Enforce firewall-type filtering in the data centre
D. Provide connectivity for the mobile phone environment back to the corporate campus
Answer: A
Q400 What will happen with traffic if zone-pair created, but policy did not applied?
A. All traffic will be dropped.
B. All traffic will be passed with logging.
C. All traffic will be passed without logging.
D. All traffic will be inspected.
Answer: A
Q401 Which Cisco IOS device support firewall, antispyware, anti-phishing, protection, etc.?
A. Cisco IOS router
B. Cisco 4100 IOS IPS appliance
C. Cisco 5500 series ASA
D. Cisco 5500x next generation ASA
Answer: D
Q403 Which two options are Private-VLAN secondary VLAN types? (Choose two)
A. Isolated
B. Secured
C. Community
D. Common
E. Segregated
Answer: A, C
Q404 Which type of VLANs can communicate to PVLANs? (or something like this) (Choose two)
Which two are valid types of VLANs using PVLANs? (choose two)
A. promiscuous
B. isolated
C. community
D. backup
E. secondary
Answer: B, C
Q406
Drag the recommendations on the left to the Cryptographic Algorithms on the right. Options will be
used more than once.
Answer:
Q440 What are two reasons to recommend SNMPv3 over SNMPv2? (Choose two)
A. SNMPv3 is secure because you can configure authentication and privacy.
B. SNMPv3 is a Cisco proprietary protocol.
C. SNMPv2 is secure because you can configure authentication and privacy.
D. SNMPv2 is insecure because it sends information in clear text.
E. SNMPv3 is insecure because it sends information in clear text.
Answer: A, D
Q 441 Which two are valid types of VLANs using PVLANs? (Choose two)
A. Backup VLAN
B. Secondary VLAN
C. Promiscuous VLAN
D. Community VLAN
E. Isolated VLAN
Answer: D, E
Q442 Refer to the exhibit. Which area represents the data centre?
A. A
B. B
C. C
D. D
Answer: A
Q443 Which security principle has been violated if data is altered in an unauthorized manner?
A. accountability
B. availability
C. confidentiality
D. integrity
Answer: D
Q444 Which two actions can a zone-based firewall apply to a packet as it transits a zone pair?
(Choose two)
A. drop
B. inspect
C. queue
D. quarantine
E. block
Answer: A, B
*Q445 Which information can you display by executing the show crypto ipsec sa command?
A. proxy information for the connection between two peers
B. IPsec SAs established between two peers
C. recent changes to the IP address of a peer router
D. ISAKMP SAs that are established between two peers
Answer: B
Q446 Which command can you enter to configure OSPF to use hashing to authenticate routing
updates?
A. ip ospf authentication message-digest
B. ip ospf priority 1
C. neighbor 192.168.0.112 cost md5
D. ip ospf authentication-key
Answer: A
Q448 Which statement about traffic inspection using the Cisco Modular Policy Framework on the ASA
is true?
A. HTTP inspection is supported with Cloud Web Security inspection.
B. QoS policing and QoS pnonty queuing can be configured for the same traffic.
C. ASA with FirePOWER supports HTTP inspection.
D. Traffic can be sent to multiple modules for inspection.
Answer: A
Q449 Which feature can help a router or switch maintain packet forwarding and protocol states
despite an attack or heavy traffic load on the router or switch?
A. Control Plane Policing
B. Policy Map
C. Service Policy
D. Cisco Express Forwarding
Answer: A
*Q450 Refer to the exhibit. What is the effect of the given configuration?
Q474 Which two actions can an end user take to manage a lost or stolen device in Cisco ISE?
(Choose two)
A. Reinstate a device that the user previously marked as lost or stolen.
B. Activate Cisco ISE Endpoint protection Services to quarantine the device.
C. Request revocation of the digital certificate of the device.
D. Add the MAC address of the device to a list of blacklisted devices.
E. Force the device to be locked with a PIN.
Answer: A, E
*Q475 What are two default behaviours of the traffic on a zone based firewall? (Choose two)
A. The CBAC rules that are configured on router interfaces apply to zone interfaces.
B. Communication is blocked between interfaces that are members of the same zone.
C. Traffic within the self zone uses an implicit deny all.
D. All traffic between zones is implicit blocked.
E. Communication is allowed between interfaces that are members of the same zone.
Answer: D, E
Q481 Which two roles of the Cisco WSA are true? (Choose two)
A. web proxy
B. URL filter
C. antispam
D. IPS
E. firewall
Answer: A, B
*Q482 Which command do you enter to verify the Phase 1 status of a VPN connection?
A. debug crypto isakmp
B. show crypto session
C. show crypto isakmp sa
D. show crypto ipsec sa
Answer: C
*Q483 Which command enables authentication at the OSPFv2 routing process level?
A. area 0 authentication message-digest
B. area 0 authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF
C. ip ospf authentication message-digest
D. ip ospf message-digest-key 1 md5 C1sc0!
Answer: A
*Q484 What is the maximum number of methods that a single method list can contain?
A. 4
B. 3
C. 2
D. 5
Answer: A
*Q485 Which IPS detection method examines network traffic for preconfigured patterns?
A. signature-based detection
B. policy-based detection
C. anomaly-based detection
D. honey-pot detection
Answer: A
Q491 Which adverse consequence can occur on a network without BPDU guard?
A. The oldest switch can be elected as the root bridge.
B. Unauthorized switches that are connected to the network can cause spanning-tree loops.
C. Double tagging can cause the switches to experience CAM table overload.
D. Rogue switches can be difficult to detect.
Answer: B
Q492 Which two 802.1x features can you enable by running the IOS authentication priority
command? (Choose two)
A. forced authorized port state
B. Telnet authentication
C. automatic selection
D. Web authentication
E. MAC authentication bypass
Answer: D, E
Q493 If a personal Firewall specifically blocks NTP, which type of blocking is the firewall performing?
A. service
B. file
C. application
D. network
Answer: C
Q494 Which two problems can arise when a proxy firewall serves as the gateway between networks?
(Choose two)
A. It can cause reduced throughput.
B. It is unable to prevent direct connections to other networks.
C. It can prevent content caching.
D. It is unable to provide antivirus protection.
E. It can ktrtf application support.
Answer: A, E
Q495 What command could you implement in the firewall to conceal internal IP address?
A. no source-route
B. no cdp run
C. no broadcast
D. no proxy-arp
Answer: D
*Q496 Which two configurations can prevent VLAN hopping attack from attackers at VLAN 10?
(Choose two)
A. creating VLAN 99 and using switchport trunk native vlan 99 command on trunk ports
B. using switchport trunk native vlan 10 command on trunk ports
C: using switchport mode access command on all host ports
D. enabling BPDU guard on all access ports
E. using switchport nonegotiate command on dynamic desirable ports
F. applying ACL between VLANs
Answer: A, C
Q498 What are the direct two methods for redirecting web traffic to cisco web security? (Choose two)
A. Cisco ISE
B. 3rd party proxies
C. PAC file
D. NAC
Answer: B, C
Q501 For the SNMP V3 access control, how to control access of clients & managers? (Choose two)
A. routing filtering
B. create access list
C. make managers view
D. authentication
Answer: B, D
Q503 Why does ISE require its own certification issued by a trusted CA?
A. ISE certificate allow guest device to validate it as a trusted network device.
B. ISE certificate allow it to join the network security framework.
C. It request certificates for guest device from the CA server based on its own certificate.
D. It generate certificates for guest device based on its own certificate.
Answer: A
*Q504Which term is most closely aligned with the basic purpose of a SIEM solution?
A. Causality
B. Accountability
C. Non-Repudiation
D. Repudiation
Answer: B
*Q505 What are two features of transparent firewall mode? (Choose two)
A. It enables the ASA perform as a router.
B. It acts as a routed hop in the network.
C. It is configured by default.
D. It conceals the presence of the firewall from attackers.
E. It allows some traffic that is blocked in routed mode.
Answer: D, E
*Q522 Which path do you follow to enable AAA through the SDM?
A. Configure > Tasks > AAA
B. Configure > Authentication > AAA
C. Configure > Additional Authentication > AAA
D. Configure > Additional Tasks > AAA
E. Configure > AAA
Answer: D
*Q524 In which two models can the Cisco Web Security Appliance be deployed? (Choose two)
A. as a transparent proxy using the Secure Sockets Layer Protocol
B. as a transparent proxy using the HyperText Transfer Protocol
C. explicit active mode
D. as a transparent proxy using the Web Cache Communication Protocol
E. explicit proxy mode
Answer: D, E
*Q525 Which two statements about hardware-based encryption are true? (Choose two)
A. It is potentially easier to compromise than software-based encryption.
B. It requires minimal configuration.
C. It can be implemented without impacting performance.
D. It is widely accessible.
E. It is highly cost-effective.
Answer: B, C
*Q528 How can you mitigate DCE/RPC evasion techniques while allowing access to the DCE/RPC
service?
A. Update the IPS signature for HTTPS to validate DCE/RPC connections.
B. Block suspicious hosts from DCE/RPC port 593.
C. Tunnel DCE/RPC traffic through GRE.
D. Configure the DCE/RPC preprocessor.
Answer: D
*Q529 Which SNMPv3 security level provides authentication using HMAC with MD5, but does not use
encryption?
A. authPriv
B. authNoPriv
C. noAuthPriv
D. noAuthNoPriv
Answer: B
*Q531 Which type of mechanism does Cisco FirePOWER deploy to protect against email threats that
are detected moving across other networks?
A. signature-based
B. reputation-based
C. antivirus scanning
D. policy-based
Answer: B
*Q532 You have implemented a dynamic blacklist, using security intelligence to block illicit network
activity. However, the blacklist contains several approved connections that users must access for
business purposes. Which action can you take to retain the blacklist while allowing users to access
the approved sites?
A. Create a whitelist and manually add the approved addresses.
B. Edit the dynamic blacklist to remove the approved addresses.
C. Disable the dynamic blacklist and deny the specific address on a whitelist while permitting the
others.
D. Disable the dynamic blacklist and create a static blacklist in its place.
Answer: A
Q533 Which command enables port security to use sticky MAC addresses on a switch?
A. switchport port-security mac-address sticky
B. switchport port-security
C. switchport port-security violation protect
D. switchport port-security violation restrict
Answer: A
*Q535 Which mitigation technology for web-based threats prevents the removal of confidential data
from the network?
A. CTA
B. AMP
C. DLP
D. DCA
Answer: C
[Nov-2019] – Answers verified
*Q538 Which component of a security zone firewall policy defines how traffic is handled?
A. ACL
B. Service policy
C. Policy map
D. Class map
Answer: C
*Q539 Of all parameters that are negotiated for the IKE Phase 1 tunnel, which parameter is the only
one that does not have to exactly match between VPN pees to be accepted?
A. DH group
B. Hashing algorithm
C. Encryption algorithm
D. Digital signature
E. Authentication method
F. Lifetime
Answer: F
*Q541 You are configuring an IPS that must be able to react to a potential attack. Which deployment
do you use?
A. Passive deployment that uses tap mode.
B. Transparent inline mode.
C. Passive deployment that uses failsafe.
D. Inline deployment that uses a SPAN.
Answer: B
*Q542 Which two types of malware can self-replica and spread? (Choose two)
A. Backdoors
B. Worms
C. Viruses
D. Trojans
E. Bots
Answer: B, C
*Q543 In a Cisco Cloud Web Security environment, when can network traffic bypass the scanning
proxies?
A. When the client is on a trusted corporate network.
B. When the client is connected to a VPN service that bypass proxies.
C. When the client is connected to a WPA2 Enterprise network.
D. When the client is connected to a wired network.
Answer: A
*Q544 Which option is the logical container used to maintain information about the connections going
through a Cisco ASA firewall?
A. State table
B. NAT table
C. Routing table
D. Cisco Express Forwarding table
Answer: A
*Q545 On which operating system does the Cisco Email Security Appliance run?
A. Cisco ESA-OS
B. Cisco AsyncOS
C. Cisco IOS XE
D. Cisco IOS XR
E. Cisco NX-OS
Answer: B
*Q548 Which two statements about an IPS in tap mode are true? (Choose two.)
A. It requires an synchronous routing configuration for full traffic analysis.
B. The device forwards all traffic, regardless of its source or destination.
C. It directly analyses the actual packets as they pass through the system.
D. It can analyse events without impacting network efficiency.
E. It is unable to drop packets in the main flow.
Answer: D, E
*Q549 How will a stateful firewall handle an inbound packet that it receives and cannot match in its
state table?
A. Passes the traffic.
B. Drops the traffic.
C. Broadcasts the traffic.
D. Looks for an ACL, and acts based upon the ACL.
Answer: D
*Q551 Drag and drop each port-security violation mode from the left onto the corresponding action on
the right.
Answer:
Other Drag&Drop Questions
Q1 Drag functions on the left to the corresponding fields on the right (HIPS – Host base IPS; NIPS –
Network based IPS)
Answer: