350-701 Dec-2022
Question 1
Which two protocols must be configured to authenticate end users to the Web Security Appliance? (Choose
two)
A. NTLMSSP
B. Kerberos
C. CHAP
D. TACACS+
E. RADIUS
Answer: A B
Question 2
An engineer is configuring Dropbox integration with Cisco Cloudlock. Which action must be taken before
granting API access in the Dropbox admin console?
A. Authorize Dropbox within the Platform settings in the Cisco Cloudlock portal.
B. Add Dropbox to the Cisco Cloudlock Authentication and API section in the Cisco Cloudlock portal.
C. Send an API request to Cisco Cloudlock from Dropbox admin portal.
D. Add Cisco Cloudlock to the Dropbox admin portal.
Answer: A
Question 3
Answer: B
Question 3
Drag and drop the cryptographic algorithms for IPsec from the left onto the cryptographic processes on
the right.
Answer:
Authentication
+ esp-md5-hmac
+ esp-sha-hmac
Encryption
+ esp-3des
+ esp-aes-256
Explanation
Question 4
Which security solution is used for posture assessment of the endpoints in a BYOD solution?
A. Cisco FTD
B. Cisco ASA
C. Cisco Umbrella
D. Cisco ISE
Answer: D
Question 5
Answer: A
Question 6
Answer: A E
Question 7
What are two benefits of using Cisco Duo as an MFA solution? (Choose two)
Answer: B C
Question 8
What is a benefit of using GET VPN over FlexVPN within a VPN deployment?
Answer: B
Question 9
Which solution allows an administrator to provision, monitor, and secure mobile devices on Windows and
Mac computers from a centralized dashboard?
A. Cisco Umbrella
B. Cisco AMP for Endpoints
C. Cisco ISE
D. Cisco Stealthwatch
Answer: C
Question 10
Which type of data does the Cisco Stealthwatch system collect and analyze from routers, switches, and
firewalls?
A. NTP
B. syslog
C. SNMP
D. NetFlow
Answer: D
Question 11
What is the term for the concept of limiting communication between applications or containers on the
same node?
A. container orchestration
B. software-defined access
C. microservicing
D. microsegmentation
Answer: D
Explanation
Microservices are about dissecting applications into smaller units and running those units independently
instead of running them in a monolithic application. But this question asks about communication between
applications, so “microservicing” is not correct.
Micro-segmentation is a network security technique that isolates different workloads from one another
within a data center. A workload can be broadly defined as the resources and processes needed to run an
application. Hosts, virtual machines and containers are a few examples of workloads.
Question 12
Answer: B
Question 13
Drag and drop the security solutions from the left onto the benefits they provide on the right.
Answer:
+ detection, blocking, tracking, analysis, and remediation to protect the enterprise against
targeted and persistent malware attacks: Cisco AMP for Endpoints
+ policy enforcement based on complete visibility of users, mobile devices, client-side
applications, communication between virtual machines, vulnerabilities, threats, and URLs: Full
contextual awareness
+ unmatched security and web reputation intelligence provides real-time threat intelligence
and security protection: Collective Security Intelligence
+ superior threat prevention and mitigation for known and unknown threats: NGIPS
Question 14
Based on the NIST 800-145 guide, which cloud architecture may be owned, managed, and operated by
one or more of the organizations in the community, a third party, or some combination of them, and it
may exist on or off premises?
A. hybrid cloud
B. private cloud
C. public cloud
D. community cloud
Answer: D
Question 15
Answer: B
Question 16
A company has 5000 Windows users on its campus. Which two precautions should IT take to prevent
WannaCry ransomware from spreading to all clients? (Choose two)
A. Segment different departments to different IP blocks and enable Dynamic ARP inspection on all VLANs
B. Ensure that noncompliant endpoints are segmented off to contain any potential damage.
C. Ensure that a user cannot enter the network of another department.
D. Perform a posture check to allow only network access to those Windows devices that are already
patched.
E. Put all company users in the trusted segment of NGFW and put all servers to the DMZ segment of the
Cisco NGFW.
Answer: B D
Question 17
What are two characteristics of the RESTful architecture used within Cisco DNA Center? (Choose two)
Answer: A E
Question 18
What is the process in DevSecOps where all changes in the central code repository are merged and
synchronized?
A. CD
B. EP
C. CI
D. QA
Answer: C
Question 19
Which Cisco platform onboards the endpoint and can issue a CA signed certificate while also automatically
configuring endpoint network settings to use the signed endpoint certificate, allowing the endpoint to gain
network access?
A. Cisco ISE
B. Cisco NAC
C. Cisco TACACS+
D. Cisco WSA
Answer: A
Question 20
Which cloud service offering allows customers to access a web application that is being hosted, managed,
and maintained by a cloud service provider?
A. IaC
B. SaaS
C. IaaS
D. PaaS
Answer: B
Question 21
How does Cisco Workload Optimization portion of the network do EPP solutions solely performance issues?
Answer: B
Question 22
Email security has become a high priority task for a security engineer at a large multinational
organization due to ongoing phishing campaigns. To help control this, the engineer has deployed an
Incoming Content Filter with a URL reputation of (-10.00 to -6.00) on the Cisco ESA. Which action will the
system perform to disable any links in messages that match the filter?
A. Defang
B. Quarantine
C. FilterAction
D. ScreenAction
Answer: A
Question 23
A. SaaS
B. IaaS
C. on-premises
D. off-premises
E. PaaS
Answer: C D
Question 24
Which API method and required attribute are used to add a device into DNAC with the native API?
Answer: B
Question 25
What provides total management for mobile and PC including managing inventory and device tracking,
remote view, and live troubleshooting using the included native remote desktop support?
Answer: A
Question 26
What is the most common type of data exfiltration that organizations currently experience?
Answer: A
Question 27
An administrator is configuring NTP on Cisco ASA via ASDM and needs to ensure that rogue NTP servers
cannot insert themselves as the authoritative time source. Which two steps must be taken to accomplish
this task? (Choose two)
Answer: C D
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/general/asdm-78-general-config/basic-hostname-pw.html
Question 28
Which two criteria must a certificate meet before the WSA uses it to decrypt application traffic? (Choose
two)
Answer: A B
Question 29
A. phishing attacks
B. flood attacks
C. virus attacks
D. trojan attacks
Answer: B
Question 30
Which Cisco solution integrates Encrypted Traffic Analytics to perform enhanced visibility, promote
compliance, shorten response times, and provide administrators with the information needed to provide
educated and automated decisions to secure the environment?
A. Cisco SDN
B. Cisco ISE
C. Cisco Security Compliance Solution
D. Cisco DNA Center
Answer: D
Explanation
Recently announced at the June 2017 Cisco Live Event, Encrypted Traffic Analytics will be built into the
Cisco DNA Center (the single window UI for Cisco Apic-Em) and will provide the ability to detect Encrypted
Malware throughout your enterprise network.
Reference: https://www.linkedin.com/pulse/understanding-ciscos-new-anti-malware-tech-eta-austin-emuang-stubbs
Question 31
A. Cisco CTA
B. Cisco AnyConnect
C. Cisco FTD
D. Cisco ASA
Answer: A
Explanation
Attackers often try to exfiltrate sensitive data, including credentials, using HTTP and HTTPS requests
themselves. Cognitive Threat Analytics uses multiple indications of compromise (IOCs), including global
statistics and local anomaly scores, to reliably distinguish malicious tunneling from benign use of the
technique.
Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/cognitive-threat-analytics/at-a-glance-c45-736555.pdf
Question 32
What is a functional difference between Cisco AMP for Endpoints and Cisco Umbrella Roaming Client?
A. The Umbrella Roaming client stops and tracks malicious activity on hosts, and AMP for Endpoints tracks
only URL-based threats.
B. The Umbrella Roaming Client authenticates users and provides segmentation, and AMP for Endpoints
allows only for VPN connectivity
C. AMP for Endpoints authenticates users and provides segmentation, and the Umbrella Roaming Client
allows only for VPN connectivity.
D. AMP for Endpoints stops and tracks malicious activity on hosts, and the Umbrella Roaming Client tracks
only URL-based threats.
Answer: D
Explanation
Cisco Advanced Malware Protection (AMP) for Endpoints is a malware and virus protection platform that
you can use to protect your environment from intrusion, infected files, and malicious behavior.
Question 33
Answer: A
Explanation
Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/flexible-netflow/product_data_sheet0900aecd804b590b.html
Question 34
An engineer recently completed the system setup on a Cisco WSA. Which URL information does the system
send to SensorBase Network servers?
Answer: D
Explanation
Note: Standard SensorBase Network Participation is enabled by default during system setup -> Answer D
is not correct.
Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-5/user_guide/b_WSA_UserGuide_11_5_1/b_WSA_UserGuide_11_5_1_chapter_00.pdf
The “Standard” SensorBase Network Participation is enabled by default during system setup so this
question implies we are using standard level, not Limited level -> Answer D is correct while answer A is
not correct.
Question 35
Answer: A
Explanation
The Endpoint Indication of Compromise (IOC) feature is a powerful incident response tool for scanning of
post-compromise indicators across multiple computers.
Reference: https://docs.amp.cisco.com/Cisco%20Endpoint%20IOC%20Attributes.pdf
Question 36
Which Cisco DNA Center RESTful PNP API adds and claims a device into a workflow?
A. api/v1/fie/config
B. api/v1/onboarding/workflow
C. api/v1/onboarding/pnp-device
D. api/v1/onboarding/pnp-device/import
Answer: D
Explanation
The Device Onboarding API supports the PnP process, giving the developer the option to create a workflow
that detects when a device joins the network and communicates with Cisco DNA Center, and then sending
the onboarding configuration to the device.
This API is composed of 28 endpoints that can be used to manage workflows, include devices in the PnP
process, and claim devices, among other things.
PYTHON script:
ONBOARDING_PNP_IMPORT_URL = '/dna/intent/api/v1/onboarding/pnp-device/import'
Reference: https://developer.cisco.com/docs/dna-center/#!device-onboarding/onboarding-pnp-api
Question 37
What does endpoint isolation in Cisco AMP for Endpoints security protect from?
Answer: A
Question 38
An engineer is deploying Cisco Advanced Malware Protection (AMP) for Endpoints and wants to create a
policy that prevents users from executing file named abc424952615.exe without quarantining that file.
What type of Outbreak Control list must the SHA-256 hash value for the file be added to in order to
accomplish this?
Answer: B
Explanation
A Simple Custom Detection list is similar to a blacklist. These are files that you want to detect and
quarantine. Not only will an entry in a Simple Custom Detection list quarantine future files, but through
Retrospective it will quarantine instances of the file on any endpoints in your organization that the service
has already seen it on -> Answer C is not correct.
A blocked applications list is composed of files that you do not want to allow users to execute but do not
want to quarantine. You may want to use this for files you are not sure are malware, unauthorized
applications, or you may want to use this to stop applications with vulnerabilities from executing until a
patch has been released.
Reference: https://docs.amp.cisco.com/en/SecureEndpoint/Secure%20Endpoint%20User%20Guide.pdf
Question 39
Answer: C
Explanation
In the infrastructure-as-a-service (IaaS) model, the subscriber leases just the hardware infrastructure
(networking, data center space, storage, servers, and virtualization services), but establishes and
maintains all other components of the technology stack (applications, data, runtime, middleware,
operating systems, etc.).
Question 40
Which VMware platform does Cisco ACI integrate with to provide enhanced visibility, provide policy
integration and deployment, and implement security policies with access lists?
A. VMware APIC
B. VMware vRealize
C. VMware fusion
D. VMware horizons
Answer: B
Question 41
Answer: B C
Question 42
What are two recommended approaches to stop DNS tunneling for data exfiltration and command and
control call backs? (Choose two)
Answer: C E
Question 43
In which two ways does the Cisco Advanced Phishing Protection solution protect users? (Choose two)
Answer: B C
Question 44
A. reputation filtering
B. data obfuscation
C. data encryption
D. deep packet inspection
Answer: D
Question 45
An organization is implementing AAA for their users. They need to ensure that authorization is verified for
every command that is being entered by the network administrator. Which protocol must be configured in
order to provide this capability?
A. EAPOL
B. SSH
C. RADIUS
D. TACACS+
Answer: D
Question 46
Drag and drop the deployment models from the left onto the explanations on the right.
Answer:
Explanation
Monitoring (passive) mode is the mode where the Cisco NGFW or NGIPS device does not usually prevent
attacks. The device uses one interface to silently inspect traffic and identify malicious activity without
interrupting traffic flow.
Passive with ERSPAN Mode: You can configure one physical interface operating as a sniffer – very
similar to a traditional remote intrusion detection system (IDS). A Generic Routing Encapsulation (GRE)
tunnel between the capture point and the Cisco FTD carries the packets to be inspected.
Reference: CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide
Question 47
When network telemetry is implemented, what is important to be enabled across all network infrastructure
devices to correlate different sources?
A. CDP
B. NTP
C. syslog
D. DNS
Answer: B
Question 48
A. EPP focuses primarily on threats that have evaded front-line defenses that entered the environment.
B. Having an EPP solution allows an engineer to detect, investigate, and remediate modern threats.
C. EDR focuses solely on prevention at the perimeter.
D. Having an EDR solution gives an engineer the capability to flag offending files at the first sign of
malicious behavior.
Answer: D
Explanation
EPP (Endpoint Protection Platform) covers traditional anti-malware scanning, whereas EDR (Endpoint
Detection and Response) covers some more advanced capabilities like detecting and investigating security
incidents, and ability to remediate endpoints to pre-infection state.
Reference: https://www.sans.org/webcasts/epp-edr-both-choose-generation-endpoint-security-109470/
EDR focuses primarily on threats that have evaded front-line defenses and entered into your environment.
An endpoint protection platform, however, focuses solely on prevention -> Answer A and answer C are not
correct.
An EPP can often be described as a traditional anti-virus solution. While deploying an anti-virus solution
will improve your front-line security, it does not protect your endpoints from more sophisticated threats
that may find a way into your network. Endpoint security solutions should have endpoint protection
platform capabilities, but they must also have the capabilities of an endpoint detection and response
solution -> Answer B is not correct.
Reference: https://www.cisco.com/c/en/us/products/security/what-is-endpoint-protection-platform.html
Question 49
An engineer is adding a Cisco router to an existing environment. NTP authentication is configured on all
devices in the environment with the command ntp authentication-key 1 md5 Clsc427128380. There
are two routers on the network that are configured as NTP servers for redundancy, 192.168.1.110 and
192.168.1.111. 192.168.1.110 is configured as the authoritative time source. What command must be
configured on the new router to use 192.168.1.110 as its primary time source without the new router
attempting to offer time to existing devices?
Answer: A
Explanation
A router can be configured to prefer an NTP source over another. A preferred server’s responses are
discarded only if they vary dramatically from the other time sources. Otherwise, the preferred server is
used for synchronization without consideration of the other time sources. Preferred servers are usually
specified when they are known to be extremely accurate. To specify a preferred server, use
the prefer keyword appended to the ntp server command.
Question 50
A. HMAC
B. SHA-1
C. MD5
D. SHA-2
Answer: D
Question 51
A university policy must allow open access to resources on the Internet for research, but internal
workstations are exposed to malware. Which Cisco AMP feature allows the engineering team to determine
whether a file is installed on a selected few workstations?
A. file prevalence
B. file discovery
C. file conviction
D. file manager
Answer: A
Explanation
Prevalence: AMP displays all files that are running across your organization, ordered by prevalence (from
lowest to highest number of instances), to help you surface previously undetected threats seen by a small
number of users. Files opened by only a few users may be malicious.
Reference: https://cstor.com/wp-content/uploads/2016/10/Cisco_Advanced-Malware-Protection-for-Endpoints_Data-Sheet.pdf
Question 52
During a recent security audit, a Cisco IOS router with a working IPSEC configuration using IKEv1 was
flagged for using a wildcard mask with the crypto isakmp key command. The VPN peer is a SOHO router
with a dynamically assigned IP address. Dynamic DNS has been configured on the SOHO router to map
the dynamic IP address to the host name of vpn.sohoroutercompany.com. In addition to the
command crypto isakmp key Cisc123456789 hostname vpn.sohoroutercompany.com, what other
two commands are now required on the Cisco IOS router for the VPN to continue to function after the
wildcard command is removed? (Choose two)
Answer: A B
Explanation
The command “crypto isakmp identity hostname” configures the identity of the ISAKMP peer to the host
name concatenated with the domain name (fully qualified domain name for example,
myhost.domain.com).
If you use the host name identity method, you may need to specify the host name for the remote peer if a
DNS server is not available for name resolution. An example of this follows:
RouterA(config)# ip host RouterB.domain.com 172.30.2.2
Reference: https://www.ccexpert.us/bcran/step-3configure-isakmp-identity.html
Question 53
Answer: A
Explanation
Question 54
A company identified a phishing vulnerability during a pentest. What are two ways the company can
protect employees from the attack? (Choose two)
Answer: D E
Explanation
The following are the benefits of deploying Cisco Advanced Phishing Protection on the Cisco Email
Security Gateway (ESA):
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5/user_guide/b_ESA_Admin_Guide_13-5/m_advanced_phishing_protection.html
Cisco Umbrella protects users from accessing malicious domains by proactively analyzing and blocking
unsafe destinations – before a connection is ever made. Thus it can protect from phishing attacks by
blocking suspicious domains when users click on the given links that an attacker sent.
Question 55
Which feature is used in a push model to allow for session identification, host reauthentication, and session
termination?
A. CoA request
B. AAA attributes
C. carrier-grade NAT
D. AV pair
Answer: A
Explanation
The Cisco software supports the RADIUS CoA request defined in RFC 5176 that is used in a pushed model,
in which the request originates from the external server to the device attached to the network, and
enables the dynamic reconfiguring of sessions from external authentication, authorization, and accounting
(AAA) or policy servers.
– Session reauthentication
– Session termination
– Session termination with port shutdown
– Session termination with port bounce
– Security and Password Accounting
Question 56
What are the components of endpoint protection against social engineering attacks?
A. firewall
B. IDS
C. IPsec
D. ESA
Answer: D
Question 57
A company recently discovered an attack propagating throughout their Windows network via a file named
abc4350G8l99xyz.exe. The malicious file was uploaded to a Simple Custom Detection list in the AMP for
Endpoints Portal and the currently applied policy for the Windows clients was updated to reference the
detection list. Verification testing scans on known infected systems shows that AMP for Endpoints is not
detecting the presence of this file as an indicator of compromise. What must be performed to ensure
detection of the malicious file?
Answer: D
Explanation
We can upload the SHA-256 hash of this file to the Simple Custom Detection list so that AMP for
Endpoints can block it.
Reference: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215176-configure-a-simple-custom-detection-list.pdf
Question 1
A. CRL publishing
B. verifying user identity
C. certificate re-enrollment
D. accepts enrollment requests
Answer: A
Explanation
A Registration Authority (RA) is an authority in a network that verifies user requests for a digital certificate
and tells the Certificate Authority (CA) to issue it. RAs are part of a public key infrastructure (PKI), a
networked system that enables companies and users to exchange information and money safely and
securely.
Certificate revocation list (CRL): This is a list of certificates, based on their serial numbers, that had
initially been issued by a CA but have since been revoked and as a result should not be trusted.
Question 2
A. DES
B. 3DES
C. AES 256
D. AES 128
Answer: C
Question 3
A hacker initiated a social engineering attack and stole username and passwords of some users within a
company. Which product should be used as a solution to this problem?
A. Cisco NGFW
B. Cisco AMP for Endpoints
C. Cisco Duo
D. Cisco AnyConnect
Answer: C
Question 4
A. If an ICMP ping fails three consecutive times between a router and the WSA, traffic is no longer
transmitted to the router.
B. If an ICMP ping fails three consecutive times between a router and the WSA, traffic is no longer
transmitted to the WSA.
C. The router sends a Here-I-Am message every 10 seconds, and the WSA acknowledges with an I-See-
You message.
D. The WSA sends a Here-I-Am message every 10 seconds, and the router acknowledges with an I-See-
You message.
Answer: D
Explanation
If WCCP proxy health checking is enabled, the WSA’s WCCP daemon sends a proxy health check message
(xmlrpc client request) to the xmlrpc server running on the Web proxy every 10 seconds. If the proxy is
up and running, the WCCP service receives a response from the proxy and the WSA sends a WCCP “here I
am” (HIA) message to the specified WCCP-enabled routers every 10 seconds. If the WCCP service doesn’t
receive a reply from the proxy, then HIA messages are not sent to the WCCP routers.
After a WCCP router misses three consecutive HIA messages, the router removes the WSA from its service
group and traffic is no longer forwarded to the WSA.
Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_0111.html
Question 5
Answer: A
Explanation
The ASA and ASASM implementations of NSEL provide a stateful, IP flow tracking method that exports
only those records that indicate significant events in a flow -> Answer A is correct.
The ASA and ASASM implementations of NSEL provide the following major functions:
…
+ Tracks configured NSEL collectors and delivers templates and data records to these configured NSEL
collectors through NetFlow over UDP only -> Answer D is not correct.
+ Filters NSEL events based on the traffic and event type through Modular Policy Framework, then sends
records to different collectors -> Answer C is not correct.
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/general/asdm_71_general_config/monitor_nsel.pdf
Question 6
An administrator needs to configure the Cisco ASA via ASDM such that the network management system
can actively monitor the host using SNMPv3. Which two tasks must be performed for this configuration?
(Choose two)
Answer: A D
Explanation
Next, click on the Add button above and the window below appears:
Question 7
Which technology enables integration between Cisco ISE and other platforms to gather and share network
and vulnerability data and SIEM and location information?
A. pxGrid
B. SNMP
C. NetFlow
D. Cisco Talos
Answer: A
Explanation
Cisco ISE uses Cisco Platform Exchange Grid (pxGrid) technology to share contextual data with leading
SIEM and TD partner solutions.
Reference: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/at-a-glance-c45-732858.html
Question 8
A large organization wants to deploy a security appliance in the public cloud to form a site-to-site VPN and
link the public cloud environment to the private cloud in the headquarters data center. Which Cisco
security appliance meets these requirements?
Answer: C
Question 9
Answer: C
Explanation
Cisco Secure Workload (formerly Tetration) collects packet header metadata, process details and installed
software package information. This is collected via the software sensors deployed on the workloads and
made available as part of the solution. More detailed information is available in the Cisco Secure Workload
product documentation. Below are the high-level details regarding the telemetry data that is collected by
Cisco Secure Workload:
+ Flow information: Contains details about flow endpoints, protocols, and ports, when the flow started,
how long the flow was active, etc.
+ Inter-packet variation: Captures any inter-packet variations seen within the flow, including variations in
the packet’s Time to Live (TTL), IP/TCP flags, packet length, etc.
+ Process details: Captures processes executed on the server, including information about process
parameters, start and stop time, process binary hash, etc.
+ Software packages: Inventory of all software packages installed on the server along with the version
and publisher information
+ Cisco Secure Workload forensics capability: If a customer turns on the Cisco Secure Workload forensics
capability, additional Personally Identifiable Information may be collected.
Reference: https://trustportal.cisco.com/c/dam/r/ctp/docs/privacydatasheet/security/cisco-tetration-privacy-data-sheet.pdf
Question 10
A. IoC
B. TAXII
C. MITRE
D. STIX
Answer: B
Explanation
Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence
Information (TAXII) are standards developed in an effort to improve the prevention and mitigation of
cyber-attacks. STIX states the “what” of threat intelligence, while TAXII defines “how” that information is
relayed. Unlike previous methods of sharing, STIX and TAXII are machine-readable and therefore easily
automated.
TAXII should be the best answer here because it is Trusted Automated Exchange of Intelligence
Information.
Question 11
Which security solution uses NetFlow to provide visibility across the network, data center, branch offices,
and cloud?
Answer: D
Question 12
An email administrator is setting up a new Cisco ESA. The administrator wants to enable the blocking of
greymail for the end user. Which feature must the administrator enable first?
A. IP Reputation Filtering
B. Anti-Virus Filtering
C. File Analysis
D. Intelligent Multi-Scan
Answer: D
Explanation
For graymail detection, anti-spam scanning must be enabled globally. This can be either the IronPort Anti-Spam,
the Intelligent Multi-Scan feature, or Outbreak Filters.
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_01101.html
Question 13
Drag and drop the exploits from the left onto the type of security vulnerability on the right.
Answer:
Explanation
The directory traversal/path traversal attack (also known as dot dot slash attack) is an HTTP exploit that
allows an attacker to access restricted files, directories and commands that reside outside the web server’s
root directory.
Question 14
Which technology provides the benefit of Layer 3 through Layer 7 innovative deep packet inspection,
enabling the platform to identify and output various applications within the network traffic flows?
A. Cisco ASAv
B. Cisco Prime Infrastructure
C. Cisco NBAR2
D. Account on Resolution
Answer: C
Explanation
Operating on Cisco IOS and Cisco IOS XE, NBAR2 utilizes innovative deep packet inspection (DPI)
technology to identify a wide variety of applications within the network traffic flow, using L3 to L7 data.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/avc/guide/avc-user-guide/avc_tech_overview.pdf
Question 15
An organization must add new firewalls to its infrastructure and wants to use Cisco ASA or Cisco FTD. The
chosen firewalls must provide methods of blocking traffic that include offering the user the option to
bypass the block for certain sites after displaying a warning page and to reset the connection. Which
solution should the organization choose?
A. Cisco ASA because it has an additional module that can be installed to provide multiple blocking
capabilities, whereas Cisco FTD does not.
B. Cisco FTD because it enables interactive blocking and blocking with reset natively, whereas Cisco ASA
does not.
C. Cisco FTD because it supports system rate level traffic blocking, whereas Cisco ASA does not.
D. Cisco ASA because it allows for interactive blocking and blocking with reset to be configured via the
GUI, whereas Cisco FTD does not.
Answer: B
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/http_response_pages_and_interactive_blocking.html
Question 16
An engineer is configuring web filtering for a network using Cisco Umbrella Secure Internet Gateway. The
requirement is that all traffic needs to be filtered. Using the SSL decryption feature, which type of
certificate should be presented to the end-user to accomplish this goal?
A. third-party
B. SubCA
C. self-signed
D. organization owned root
Answer: D
Explanation
The SSL Decryption feature does require the root certificate to be installed on the end-user device.
Reference: https://community.cisco.com/t5/security-blogs/cisco-umbrella-intelligent-proxy-and-ssl-decryption/ba-p/4453056
Question 17
Which two parameters are used to prevent a data breach in the cloud? (Choose two)
A. encryption
B. complex cloud-based web proxies
C. strong user authentication
D. antispoofing programs
E. DLP solutions
Answer: A C
Explanation
A data breach is a security violation or incident that leads to the theft of sensitive or critical data or its
exposure to an unauthorized party. These incidents can be intentional, such as a database hack, or
accidental, such as an employee emailing confidential files to the wrong recipient.
Two-factor authentication and secure access solutions for cloud apps make it more difficult for
malicious hackers or insiders to compromise users, including those who work remotely or on a contract
basis -> Answer C is correct.
Reference: https://www.cisco.com/c/en/us/products/security/what-is-data-breach.html#~how-to-prevent-a-breach
In the Data Breaches in Cloud Computing article, encryption is one of the top five methods to prevent data
breach in the cloud -> Answer A is correct.
Question 18
What is the term for when an endpoint is associated to a provisioning WLAN that is shared with guest
access, and the same guest portal is used as the BYOD portal?
A. streamlined access
B. multichannel GUI
C. single-SSID BYOD
D. dual-SSID BYOD
Answer: D
Explanation
If guest access uses one of the named guest accounts, then the same guest portal can be used as the
employee BYOD portal. This flow is called Dual-SSID BYOD, where the endpoint is associated to a
provisioning WLAN that is typically shared with guest access.
Reference: https://community.cisco.com/t5/security-documents/ise-byod-dual-vs-single-ssid-onboarding/ta-p/3641422
Question 19
What is the function of the crypto isakmp key cisc414685095 address 192.168.50.1 255.255.255.255 command when establishing an IPsec VPN tunnel?
Answer: C
Explanation
Note:
+ “address 192.168.50.1 255.255.255.255” means the remote peer is the single host 192.168.50.1
+ The Phase 1 pre-shared key (password) is “cisc414685095”.
Question 20
Which CLI command is used to enable URL filtering support for shortened URLs on the Cisco ESA?
A. outbreakconfig
B. websecurityadvancedconfig
C. webadvancedconfig
D. websecurityconfig
Answer: B
Explanation
URL filtering support for shortened URLs can be enabled only from the CLI, using the
websecurityadvancedconfig command.
Reference: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-00.html
Question 21
Which Cisco ASA deployment model is used to filter traffic between hosts in the same IP subnet using
higher-level protocols without readdressing the network?
Answer: C
Explanation
An ASA firewall operates at Layer 2 when running in transparent mode. In this mode it can filter traffic
between hosts in the same subnet using higher-level protocols (e.g. IP addresses and ports) without
readdressing the network.
Reference: https://grumpy-networkers-journal.readthedocs.io/en/latest/VENDOR/CISCO/FIREWALL/ASA/TRANSPARENTFW.html
Question 22
Which open source tool does Cisco use to create graphical visualizations of network telemetry on Cisco IOS
XE devices?
A. SNMP
B. Splunk
C. Grafana
D. InfluxDB
Answer: C
Explanation
Reference: https://blogs.cisco.com/developer/getting-started-with-model-driven-telemetry
Question 23
Which Cisco DNA Center Intent API action is used to retrieve the number of devices known to a DNA
Center?
A. GET https://fqdnOrIPofDnaCenterPlatform/dna/intent/api/v1/network-device/count
B. GET https://fqdnOrIPofDnaCenterPlatform/dna/intent/api/v1/network-device/startIndex/recordsToReturn
C. GET https://fqdnOrIPofDnaCenterPlatform/dna/intent/api/v1/network-device
D. GET https://fqdnOrIPofDnaCenterPlatform/dna/intent/api/v1/network-device?parameter1=value&parameter2=value&…
Answer: A
Explanation
Once the developer has the token, it is possible to get the network devices count:
import requests
BASE_URL = 'https://<dnac-fqdn-or-ip>'    # placeholder: the DNA Center address
headers = {'X-Auth-Token': token}        # token obtained in the earlier authentication step
DEVICES_COUNT_URL = '/dna/intent/api/v1/network-device/count'
response = requests.get(BASE_URL + DEVICES_COUNT_URL, headers=headers, verify=False)
print(response.json())    # the JSON body carries the device count in its "response" field
Reference: https://developer.cisco.com/docs/dna-center/#!devices/devices-api
Question 24
When NetFlow is applied to an interface, which component creates the flow monitor cache that is used to
collect traffic based on the key and nonkey fields in the configured record?
A. flow sampler
B. flow exporter
C. records
D. flow monitor
Answer: D
Explanation
The NetFlow flow monitor component provides the actual traffic monitoring on a configured
interface. When a flow monitor is applied to an interface, a flow monitor cache is created that is used to
collect the traffic based on the key and nonkey fields in the configured record.
Reference: https://www.ciscopress.com/articles/article.asp?p=1730890
Question 25
Global policy:
Service-policy: global_policy
Class-map: SFR
SFR: card status Up, mode fail-open monitor-only
packet input 0, packet output 44715478687, drop 0, reset-drop 0
What are two indications of the Cisco Firepower Services Module configuration? (Choose two)
Answer: D E
Explanation
In a passive deployment, a copy of the traffic is sent to the SFR service module, but it is not returned to
the ASA. Passive mode allows you to view the actions that the SFR module would have completed in
regards to the traffic. It also allows you to evaluate the content of the traffic, without an impact to the
network.
If you want to configure the SFR module in passive mode, use the monitor-only keyword. If you do not
include the keyword, the traffic is sent in inline mode.
Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html
-> This SFR module is configured in passive mode (monitor-only) -> Answer E is correct.
In monitor-only mode, the input counters remain at zero (packet input 0 in the output above). -> Answer B is not correct.
The Cisco ASA 5500 security appliance is not just a plain firewall. With an add-on security module (AIP-
SSM), you can transform the ASA 5500 into an IDS/IPS sensor as well.
The Sensor operates in either “Promiscuous Mode” (IDS functionality) or “Inline Mode” (IPS functionality).
In Promiscuous Mode, the sensor does not intervene in traffic flow, but just “sniffs” the traffic that passes
through the firewall and takes appropriate actions in the event of an attack -> This module is operating in
IDS mode.
Reference: https://www.networkstraining.com/cisco-ids-ips-module-for-cisco-asa-firewalls-aip-ssm/
Question 26
Answer: A
Question 27
On which system are InfluxDB and Grafana used to pull the data and display the visualization
information?
A. Docker containers
B. Windows Server 2019
C. specialized Cisco Linux system
D. Windows Server 2016
Answer: C
Question 28
Which Cisco ASA Platform mode disables the threat detection features except for Advanced Threat
Statistics?
A. routed
B. multiple context
C. cluster
D. transparent
Answer: B
Explanation
Cisco ASA Threat Detection does not support multiple context mode.
Reference: https://grumpy-networkers-journal.readthedocs.io/en/latest/VENDOR/CISCO/FIREWALL/ASA/THREATDETECT.html
Question 29
Which two parameters are used for device compliance checks? (Choose two)
Answer: A D
Question 30
A network engineer entered the snmp-server user asmith myv7 auth sha cisco priv aes 256 cisc0414685095 command and needs to send SNMP information to a host at 10.255.255.1. Which
command achieves this goal?
Answer: A
Explanation
The command snmp-server user asmith myv7 auth sha cisco priv aes 256 cisc0414685095 creates the
user “asmith” in the group “myv7”. The authentication password (SHA) for this user is “cisco” and
“cisc0414685095” is the privacy (AES-256 encryption) password.
In order to send SNMP information to a remote host, we have to configure the username (not the password) in
the “snmp-server host …” command. So the command must include “asmith” as the username. And we
configure SNMPv3 by using the keyword “version 3”, not “snmpv3”.
Question 31
An engineer is configuring Cisco WSA and needs to enable a separated email transfer flow from the
Internet and from the LAN. Which deployment mode must be used to accomplish this goal?
A. two-interface
B. single interface
C. multi-context
D. transparent
Answer: A
Explanation
The Cisco ESA can be deployed in different ways. Similar to the Cisco WSA, the Cisco ESA can be deployed
with a single physical interface to filter email to and from your mail servers or in a two-interface
configuration. When you configure the Cisco ESA with two interfaces, one interface is used for email
transfers to and from the Internet and the other interface is used for email transfers to and from the
internal servers.
Reference: CCNP And CCIE Security Core SCOR 350-701 Official Cert Guide
Question 32
A small organization needs to reduce the VPN bandwidth load on their headend Cisco ASA in order to
ensure that bandwidth is available for VPN users needing access to corporate resources on the 10.0.0.0/24
local HQ network. How is this accomplished without adding additional devices to the network?
A. Configure VPN load balancing to send non-corporate traffic straight to the internet.
B. Use split tunneling to tunnel traffic for the 10.0.0.0/24 network only.
C. Configure VPN load balancing to distribute traffic for the 10.0.0.0/24 network.
D. Use split tunneling to tunnel all traffic except for the 10.0.0.0/24 network.
Answer: B
Question 33
A. DMVPN can be used over the public Internet, and GETVPN requires a private network
B. DMVPN is a tunnel-less VPN, and GETVPN is tunnel-based.
C. DMVPN supports QoS, multicast, and routing, and GETVPN supports only QoS.
D. DMVPN supports non-IP protocols, and GETVPN supports only IP protocols.
Answer: A
Explanation
Question 34
Which system facilitates deploying microsegmentation and multi-tenancy services with a policy-based
container?
A. Docker
B. SDLC
C. Lambda
D. Contiv
Answer: D
Explanation
Contiv is an open source project that delivers policy-based container networking. The idea behind Contiv
is to make it easier for end users to deploy microservices in their environments.
Contiv provides a higher level of networking abstraction for microservices and secures your application
using a rich policy framework. It provides built-in service discovery and service routing for scale-out
services.
Reference: http://contiv.ciscolive.com/pod5/Intro/contiv_intro
Question 35
An engineer needs to configure an access control policy rule to always send traffic for inspection without
using the default action. Which action should be configured for this rule?
A. monitor
B. allow
C. trust
D. block
Answer: B
Explanation
Monitor evaluates traffic first. Monitor rules track and log network traffic. The system continues to match
traffic against additional rules to determine whether to permit or deny it. -> Therefore a Monitor rule still
falls through to the rules below it, including the default action.
For an Allow rule, matching traffic is allowed; however, prohibited files, malware, intrusions, and exploits
within that traffic are detected and blocked. Remaining non-prohibited, non-malicious traffic is allowed to
its destination, though it is still subject to identity requirements and rate limiting. You can configure Allow
rules that perform only file inspection, or only intrusion inspection, or neither.
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/access_control_rules.html
Question 36
Which two functions does the Cisco Advanced Phishing Protection solution perform in trying to protect from
phishing attacks? (Choose two)
Answer: B E
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5/user_guide/b_ESA_Admin_Guide_13-5/m_advanced_phishing_protection.html
Question 37
What are two things to consider when using PAC files with the Cisco WSA? (Choose two)
A. If the WSA host port is changed, the default port redirects web traffic to the correct port automatically
B. The WSA hosts PAC files on port 6001 by default.
C. PAC files use if-else statements to determine whether to use a proxy or a direct connection for traffic
between the PC and the host.
D. By default, they direct traffic through a proxy when the PC and the host are on the same subnet
E. The WSA hosts PAC files on port 9001 by default.
Answer: C E
Explanation
By default, the proxy PAC file is hosted on port 9001. When using the WSA to host PAC files, by
default, we need to point the browser to the following location: http://WSA_IP:9001/pacfile.pac -> Answer
B is not correct while answer E is correct.
The PAC file checks the local IP subnet address of the PC and then makes a decision based on IF / ELSE
statements -> Answer C is correct.
If the default port is changed in the PAC file hosting settings, then we would need to change the port
accordingly in the above URL; it is not redirected automatically -> Answer A is not correct.
Reference: https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118082-qanda-wsa-00.html
Question 38
When implementing transparent user identification for single sign-on with Internet Explorer, how is the
redirect hostname configured?
A. as an IP address
B. as a FQDN
C. as a distinguished name
D. as a short host name
Answer: D
Explanation
Configuring Single-Sign-on
Obtaining credentials transparently facilitates a single-sign-on environment. Transparent user identification
is an authentication realm setting.
For Internet Explorer, be sure the Redirect Hostname is the short host name (containing no dots) or the
NetBIOS name rather than a fully qualified domain name.
Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html
Question 39
What kind of service lets a user access a web application that is managed, updated, and maintained by the
service provider?
A. IaC
B. IaaS
C. PaaS
D. SaaS
Answer: D
Question 40
What are two ways a network administrator transparently identifies users using Active Directory on the
Cisco WSA? (Choose two)
A. Create NTLM or Kerberos authentication realm and enable transparent user identification
B. The eDirectory client must be installed on each client workstation
C. Deploy a separate eDirectory server; the client IP address is recorded in this server
D. Create an LDAP authentication realm and disable transparent user identification
E. Deploy a separate Active Directory agent such as Cisco Context Directory Agent
Answer: A E
Explanation
Transparently identify users with authentication realms – This option is available when one or more
authentication realms are configured to support transparent identification using one of the following
authentication servers:
Active Directory – Create an NTLM or Kerberos authentication realm and enable transparent user
identification. In addition, you must deploy a separate Active Directory agent such as Cisco’s Context
Directory Agent.
LDAP – Create an LDAP authentication realm configured as an eDirectory, and enable transparent user
identification.
Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html
Question 41
Which technology limits communication between nodes on the same network segment to individual
applications?
A. serverless infrastructure
B. machine-to-machine firewalling
C. SaaS deployment
D. microsegmentation
Answer: D
Explanation
Micro-segmentation creates secure zones across cloud and data center environments to isolate application
workloads from one another and secure them individually.
Question 42
Answer: C
Explanation
Reference: https://www.cloudwifiworks.com/Solutions-Mobile-Device-Management.asp
Question 43
Drag and drop the concepts from the left onto the correct descriptions on the right.
Answer: x
Explanation
Posture assessment includes a set of rules in a security policy that define a series of checks before an
endpoint is granted access to the network. Posture assessment checks include the installation of operating
system patches, host-based firewalls, antivirus and antimalware software, disk encryption, and more.
Cisco Identity Services Engine (Cisco ISE) guest services enable you to provide secure network access to
guests such as visitors, contractors, consultants, and customers.
Sponsor Accounts: Use the Sponsor portal to create temporary accounts for authorized visitors to securely
access your corporate network or the Internet. After creating the guest accounts, you can also use the
Sponsor portal to manage these accounts and provide account details to the guests.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_guest.html
Question 44
An engineer is configuring device-hardening on a router in order to prevent credentials from being seen if
the router configuration was compromised. Which command should be used?
Answer: D
Question 45
Answer: B C
Question 46
The DHCP snooping database resides on router R1, and dynamic ARP inspection is configured only on
switch SW2. Which ports must be configured as untrusted so that dynamic ARP inspection operates
normally?
A. P2 and P3 only
B. P5, P6, and P7 only
C. P1, P2, P3, and P4 only
D. P2, P3, and P6 only
Answer: B
Explanation
In a typical network configuration for DAI, all ports connected to host ports are configured as untrusted,
while all ports connected to switches are configured as trusted. With this configuration, all ARP packets
entering the network from a given switch will have passed the security check.
Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity.
Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the
network.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html
Question 47
Which Cisco platform provides an agentless solution to provide visibility across the network including
encrypted traffic analytics to detect malware in encrypted traffic without the need for decryption?
Answer: B
Question 48
A network engineer is tasked with configuring a Cisco ISE server to implement external authentication
against Active Directory. What must be considered about the authentication requirements? (Choose two)
A. RADIUS communication must be permitted between the ISE server and the domain controller
B. The ISE account must be a domain administrator in Active Directory to perform JOIN operations
C. Active Directory only supports user authentication by using MSCHAPv2
D. LDAP communication must be permitted between the ISE server and the domain controller
E. Active Directory supports user and machine authentication by using MSCHAPv2
Answer: D E
Explanation
Cisco ISE supports user and machine authentication and change password against Active Directory using
EAP-FAST and PEAP with an inner method of Microsoft Challenge Handshake Authentication Protocol
version 2 (MS-CHAPv2) and Extensible Authentication Protocol-Generic Token Card (EAP-GTC) -> Answer
C is not correct while answer E is correct.
The Active Directory username that you provide while joining to an Active Directory domain should be
predefined in Active Directory and should have any one of the following permissions:
–Add the workstation to the domain to which you are trying to connect.
–On the computer where the Cisco ISE account was created, establish permissions for creating computer
objects or deleting computer objects before you join Cisco ISE to the domain.
–Permissions for searching users and groups that are required for authentication.
-> Therefore the ISE account does not need to be a domain administrator in Active Directory -> Answer B is not
correct.
Reference: https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html
ISE uses LDAP, KRB (Kerberos), and MSRPC to communicate with AD during the join/leave and authentication
process -> Answer D is correct.
Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215233-identity-service-engine-ise-and-active.html
Question 49
Which CoA response code is sent if an authorization state is changed successfully on a Cisco IOS device?
A. CoA-ACK
B. CoA-NAK
C. CoA-MAB
D. CoA-NCL
Answer: A
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html
Question 50
A. ability to deploy Amazon ECS clusters by using the Cisco Container Platform data plane
B. ability to deploy Kubernetes clusters in air-gapped sites
C. ability to deploy Amazon EKS clusters by using the Cisco Container Platform data plane
D. automated daily updates
Answer: B
Explanation
Reference: https://www.cisco.com/c/en/us/products/cloud-systems-management/container-platform/index.html#~stickynav=3
Question 51
Which metric is used by the monitoring agent to collect and output packet loss and jitter information?
A. WSAv performance
B. AVC performance
C. RTP performance
D. OTCP performance
Answer: C
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/avc/ios15-4-3T-ios-xe3-13/avc-user-guide-ios15-4-3T-ios-xe3-13.pdf
Question 52
Which solution for remote workers enables protection, detection, and response on the endpoint against
known and unknown threats?
Answer: A
Question 53
Which two components do southbound APIs use to communicate with downstream devices? (Choose two)
Answer: C E
Question 54
Which solution detects threats across a private network, public clouds, and encrypted traffic?
A. Cisco Stealthwatch
B. Cisco CTA
C. Cisco Encrypted Traffic Analytics
D. Cisco Umbrella
Answer: A
Explanation
Stealthwatch provides a consistent experience for detecting threats across private networks and multiple
public clouds such as Microsoft Azure, Amazon Web Services, and Google Public Cloud. Stealthwatch
closely monitors the activity of every device on the network and is able to create a baseline of normal
behavior. Stealthwatch automatically normalizes traffic events gathered natively from your network
telemetry and from flow logs generated by your cloud infrastructure, presenting you with a single
view of the threats across your entire environment.
Reference: https://blogs.cisco.com/security/cisco-stealthwatch-becomes-the-only-security-analytics-product-to-detect-threats-across-private-networks-public-clouds-and-encrypted-traffic
Question 55
A. microservicing
B. container orchestration
C. microsegmentation
D. Software-Defined Access
Answer: C
Explanation
Microservices are about breaking applications into smaller units and running those units independently
instead of running them as a monolithic application. But this question asks about communication between
applications, so “microservicing” is not correct.
Micro-segmentation is a network security technique that isolates different workloads from one another
within a data center. A workload can be broadly defined as the resources and processes needed to run an
application. Hosts, virtual machines and containers are a few examples of workloads.
Question 56
Which Cisco security solution integrates with cloud applications like Dropbox and Office 365 while
protecting data from being exfiltrated?
A. Cisco Talos
B. Cisco Stealthwatch Cloud
C. Cisco Cloudlock
D. Cisco Umbrella Investigate
Answer: C
Question 57
What do tools like Jenkins, Octopus Deploy, and Azure DevOps provide in terms of application and
infrastructure automation?
A. container orchestration
B. cloud application security broker
C. compile-time instrumentation
D. continuous integration and continuous deployment
Answer: D
Question 58
A. ping of death
B. phishing
C. teardrop
D. syn flood
Answer: B
Explanation
Reference: https://www.onelogin.com/learn/mfa-types-of-cyber-attacks
Question 59
An engineer enabled SSL decryption for Cisco Umbrella intelligent proxy and needs to ensure that traffic is
inspected without alerting end-users. Which action accomplishes this goal?
Answer: A
Explanation
Other features are dependent on SSL Decryption functionality, which requires the Cisco Umbrella root
certificate. Having the SSL Decryption feature improves:
Custom URL Blocking—Required to block the HTTPS version of a URL.
Umbrella’s Block Page and Block Page Bypass features present an SSL certificate to browsers that make
connections to HTTPS sites. This SSL certificate matches the requested site but will be signed by the Cisco
Umbrella certificate authority (CA). If the CA is not trusted by your browser, an error page may be
displayed. Typical errors include “The security certificate presented by this website was not issued by a
trusted certificate authority” (Internet Explorer), “The site’s security certificate is not trusted!” (Google
Chrome) or “This Connection is Untrusted” (Mozilla Firefox). Although the error page is expected, the
message displayed can be confusing and you may wish to prevent it from appearing.
To avoid these error pages, install the Cisco Umbrella root certificate into your browser or the
browsers of your users—if you’re a network admin.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/rebrand-cisco-certificate-import-information
Question 60
A network engineer has configured a NTP server on a Cisco ASA. The Cisco ASA has IP reachability to the
NTP server and is not filtering any traffic. The show ntp association detail command indicates that the
configured NTP server is unsynchronized and has a stratum of 16. What is the cause of this issue?
Answer: B
Question 61
Which direction do attackers encode data in DNS requests during exfiltration using DNS tunneling?
A. inbound
B. north-south
C. east-west
D. outbound
Answer: D
Question 62
A. SSL WebVPN
B. remote access client
C. Duo Network Gateway
D. Cisco FTD network gateway
Answer: C
Explanation
Continuous integration/continuous delivery, known as CI/CD, is a set of processes that help software
development teams deliver code changes more frequently and reliably. CI/CD is part of DevOps, which
helps shorten the software development lifecycle.
Using Cisco Secure Access by Duo will establish user-device trust and highly secure access to applications
to help you identify corporate versus personal devices with easy certificate deployment, block untrusted
endpoints, and give users secure access to internal applications without using VPNs. Furthermore, Duo
Network Gateway provides granular user and endpoint access control to CI/CD applications and
infrastructure over HTTPS, SSH and RDP.
Reference: https://blogs.cisco.com/developer/cloudnativesecurity01
Question 63
Which type of data exfiltration technique encodes data in outbound DNS requests to specific servers and
can be stopped by Cisco Umbrella?
A. DNS tunneling
B. DNS flood attack
C. cache poisoning
D. DNS hijacking
Answer: A
Question 64
A. OTP
B. MDM
C. AMP
D. ISE
Answer: B
Explanation
The MDM service usually offers a “corporate wipe”, which only deletes the vendor’s configuration from the
device (not the whole device). The user can also remove the files themselves. For example, on an iOS device, the user
can go to the Settings > General > Device Management window and tap Remove Management. Or the
user can go to the My Devices portal in Cisco ISE and click Corporate Wipe.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_interoperability_mdm.html
Question 65
Answer: A
Question 66
What are two facts about WSA HTTP proxy configuration with a PAC file? (Choose two)
Answer: C D
Explanation
A Proxy Auto-Configuration (PAC) file is a JavaScript function that instructs a browser to forward traffic to
a proxy server, instead of directly to the destination server.
PAC files are used to support explicit proxy deployments (-> Answer A and answer E are not correct while
answer D is correct) in which client browsers are explicitly configured to send traffic to the web proxy. The
big advantage of PAC files is that they are usually relatively easy to create and maintain.
When a user initiates a browser session, a request is sent to a Proxy server to download the Proxy Auto-
Configuration (PAC) file to the client PC -> Answer C is correct.
Question 67
How does Cisco Umbrella protect clients when they operate outside of the corporate network?
Answer: D
Explanation
Umbrella Roaming is a cloud-delivered security service for Cisco’s next-generation firewall. It protects your
employees even when they are off the VPN.
Question 68
Answer: B
Explanation
File Sandboxing provides you with the ability to analyze unknown files that are traversing the Cisco Web
Security gateway.
Reference: https://www.cisco.com/c/dam/global/th_th/assets/docs/seminar/AMP_WSA.pdf
Question 69
When a next-generation endpoint security solution is selected for a company, what are two key
deliverables that help justify the implementation? (Choose two)
Answer: A E
Question 70
Which two actions does the Cisco Identity Services Engine posture module provide that ensures endpoint
security? (Choose two)
Answer: A C
Explanation
You can create a patch management remediation, which updates clients with up-to-date file definitions for
compliance after remediation.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_client_posture_policies.html
Question 71
Answer: A
Question 72
Answer: D
Question 73
Which Cisco solution extends network visibility, threat detection, and analytics to public cloud
environments?
A. Cisco Umbrella
B. Cisco Stealthwatch Cloud
C. Cisco Appdynamics
D. Cisco CloudLock
Answer: B
Question 74
Which two Cisco ISE components must be configured for BYOD? (Choose two)
A. central WebAuth
B. local WebAuth
C. null WebAuth
D. guest
E. dual
Answer: A D
Question 75
Which configuration method provides the options to prevent physical and virtual endpoint devices that are
in the same base EPG or uSeg from being able to communicate with each other with Vmware VDS or
Microsoft vSwitch?
A. inter-EPG isolation
B. intra-EPG isolation
C. inter-VLAN security
D. placement in separate EPGs
Answer: B
Explanation
Intra-EPG Isolation is an option to prevent physical or virtual endpoint devices that are in the same base
EPG or uSeg EPG from communicating with each other. By default, endpoint devices included in the same
EPG are allowed to communicate with one another. However, conditions exist in which total isolation of the
endpoint devices from one another within an EPG is desirable. For example, you may want to enforce intra-
EPG isolation if the endpoint VMs in the same EPG belong to multiple tenants, or to prevent the possible
spread of a virus.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/3-x/virtualization/b_ACI_Virtualization_Guide_3_1_1/b_ACI_Virtualization_Guide_3_1_1_chapter_0101.html
Question 76
Answer: D
Question 77
What are two ways that Cisco Container Platform provides value to customers who utilize cloud service
providers? (Choose two)
Answer: A D
Question 78
What is the recommendation in a zero-trust model before granting access to corporate applications and
resources?
Answer: A
Question 79
An organization must add new firewalls to its infrastructure and wants to use Cisco ASA or Cisco FTD. The
chosen firewalls must provide methods of blocking traffic that include offering the user the option to
bypass the block for certain sites after displaying a warning page and to reset the connection. Which
solution should the organization choose?
A. Cisco FTD because it supports system rate level traffic blocking, whereas Cisco ASA does not
B. Cisco ASA because it allows for interactive blocking and blocking with reset to be configured via the
GUI, whereas Cisco FTD does not.
C. Cisco FTD because it enables interactive blocking and blocking with reset natively, whereas Cisco ASA
does not
D. Cisco ASA because it has an additional module that can be installed to provide multiple blocking
capabilities, whereas Cisco FTD does not.
Answer: C
Question 80
A. 81 Message-Authenticator
B. 30 Calling-Station-ID
C. 42 Acct-Session-ID
D. 24 State
Answer: D
Explanation
The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes for a user or user group in AAA, administrators can send RADIUS CoA packets from the AAA server, such as a Cisco Secure Access Control Server (ACS), to reinitialize authentication and apply the new policy.
The following table shows the IETF attributes that are supported for the RADIUS Change of Authorization (CoA) feature.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-16-10/sec-usr-aaa-xe-16-10-book/sec-rad-coa.pdf
Question 81
Which Cisco cloud security software centrally manages policies on multiple platforms such as Cisco ASA,
Cisco Firepower, Cisco Meraki, and AWS?
A. Cisco Secureworks
B. Cisco Configuration Professional
C. Cisco Defense Orchestrator
D. Cisco DNAC
Answer: C
Explanation
Cisco Defense Orchestrator is a cloud-based management solution that allows you to manage security
policies and device configurations with ease across multiple Cisco and cloud-native security platforms.
Reference: https://www.cisco.com/c/en/us/products/collateral/security/defense-orchestrator/datasheet-c78-736847.html
Question 82
Which Cisco DNA Center Intent API action is used to retrieve the number of devices known to a DNA
Center?
A. GET https://fqdnOrIPofDnaCenterPlatform/dna/intent/api/v1/network-device/count
B. GET https://fqdnOrIPofDnaCenterPlatform/dna/intent/api/v1/network-device
C. GET https://fqdnOrIPofDnaCenterPlatform/dna/intent/api/v1/networkdevice?parameter1=value&parameter2=value&….
D. GET https://fqdnOrIPofDnaCenterPlatform/dna/intent/api/v1/networkdevice/startIndex/recordsToReturn
Answer: A
Explanation
“/dna/intent/api/v1/network-device/count”
Description: Returns the count of network devices based on the filter criteria by management IP address,
mac address, hostname and location name.
Reference: https://developer.cisco.com/docs/dna-center/#!get-device-count-1
Question 83
Answer: D
Explanation
A vulnerability is a weakness in a software system, and an exploit is an attack that leverages that vulnerability.
Question 84
An administrator needs to configure the Cisco ASA via ASDM such that the network management system
can actively monitor the host using SNMPv3. Which two tasks must be performed for this configuration?
(Choose two)
Answer: A E
Explanation
Next, click on the Add button above and the window below appears:
Question 85
Which Cisco security solution determines if an endpoint has the latest OS updates and patches installed on
the system?
Answer: D
Question 86
When a transparent authentication fails on the Web Security Appliance, which type of access does the end
user get?
A. guest
B. limited Internet
C. blocked
D. full Internet
Answer: C
Question 87
Using Cisco Cognitive Threat Analytics, which platform automatically blocks risky sites and tests unknown sites for hidden advanced threats before allowing users to click them?
Answer: C
Question 88
Which technology provides a combination of endpoint protection, endpoint detection, and response?
A. Cisco AMP
B. Cisco Talos
C. Cisco Threat Grid
D. Cisco Umbrella
Answer: A
Question 89
When a Cisco WSA checks a web request, what occurs if it is unable to match a user-defined policy?
Answer: B
Question 90
Which solution supports high availability in routed or transparent mode as well as in northbound and
southbound deployments?
Answer: B
Question 91
Which endpoint protection and detection feature performs correlation of telemetry, files, and intrusion
events that are flagged as possible active breaches?
A. retrospective detection
B. elastic search
C. file trajectory
D. indication of compromise
Answer: D
Explanation
Indications of compromise (IoCs): File and telemetry events are correlated and prioritized as potential
active breaches. AMP automatically correlates multisource security event data, such as intrusion and
malware events, to help security teams connect events to larger, coordinated attacks and also prioritize
high-risk events.
Reference: https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/advanced-malware-protection/solution-overview-c22-734228.html
Question 92
Which RADIUS feature provides a mechanism to change the AAA attributes of a session after it is
authenticated?
A. Authorization
B. Accounting
C. Authentication
D. CoA
Answer: D
Question 93
Which two authentication protocols are supported by the Cisco WSA? (Choose two)
A. WCCP
B. NTLM
C. TLS
D. SSL
E. LDAP
Answer: B E
Question 94
Which technology should be used to help prevent an attacker from stealing usernames and passwords of
users within an organization?
A. RADIUS-based REAP
B. fingerprinting
C. Dynamic ARP Inspection
D. multifactor authentication
Answer: D
Explanation
Credential stuffing is a type of cyberattack in which a cybercriminal uses stolen usernames and passwords
from one organization (obtained in a breach or purchased off of the dark web) to access user accounts at
another organization.
Multi-factor authentication (MFA) is a highly effective way to prevent credential stuffing because it requires
users to log in with another form of authentication in addition to a username-password combination. For
example, this could mean biometric authentication such as a fingerprint, a one-time code sent to a device
associated with the user, or an email sent to a secured account — none of which a cybercriminal will have
access to.
Reference: https://auth0.com/blog/what-is-credential-stuffing/
Question 95
A. SDNS
B. NetFlow
C. passive taps
D. SNMP
Answer: D
Question 96
Consider that any feature of DNS requests, such as the length of the domain name and the number of subdomains, can be used to construct models of expected behavior to which observed values can be compared. Which type of malicious attack are these values associated with?
A. Spectre Worm
B. Eternal Blue Windows
C. Heartbleed SSL Bug
D. W32/AutoRun worm
Answer: D
Question 97
Drag and drop the posture assessment flow actions from the left into a sequence on the right.
Answer:
Question 98
Which Cisco WSA feature supports access control using URL categories?
Answer: A
Question 99
Answer: B
Explanation
The Umbrella roaming client enables security at the DNS and IP layers, in the cloud, no matter where the
endpoint is located. The client simply forwards DNS requests or tunnels suspect IP connections to the
Umbrella global network.
Reference: https://learn-umbrella.cisco.com/feature-briefs/lightweight-transparent-roaming-client
Question 100
An organization has DHCP servers set up to allocate IP addresses to clients on the LAN. What must be
done to ensure the LAN switches prevent malicious DHCP traffic while also distributing IP addresses to the
correct endpoints?
A. Configure Dynamic ARP Inspection and add entries in the DHCP snooping database
B. Configure DHCP snooping and set an untrusted interface for all clients
C. Configure Dynamic ARP Inspection and antispoofing ACLs in the DHCP snooping database
D. Configure DHCP snooping and set a trusted interface for the DHCP server
Answer: D
Explanation
Dynamic ARP inspection is a security feature that validates ARP packets in a network. Dynamic ARP inspection determines the validity of packets by performing an IP-to-MAC address binding inspection against a trusted database (the DHCP snooping binding database) before forwarding the packet to the appropriate destination.
But this question asks about “prevent malicious DHCP traffic” so DHCP snooping is a better choice.
DHCP snooping is a feature which allows a Cisco switch to inspect DHCP traffic traversing a layer two
segment and track which IP addresses have been assigned to hosts on which switch ports.
We need to set a trusted interface (which is connected to the real DHCP server) because all the interfaces
are untrusted by default.
Question 101
A. It uses the POST HTTP method to obtain a username and password to be used for authentication
B. It uses the POST HTTP method to obtain a token to be used for authentication
C. It uses the GET HTTP method to obtain a token to be used for authentication
D. It uses the GET HTTP method to obtain a username and password to be used for authentication
Answer: B
Question 102
Which solution stops unauthorized access to the system if a user’s password is compromised?
A. VPN
B. MFA
C. AMP
D. SSL
Answer: B
Question 103
Which feature enables a Cisco ISR to use the default bypass list automatically for web filtering?
A. filters
B. group key
C. company key
D. connector
Answer: D
Question 104
Which industry standard is used to integrate Cisco ISE and pxGrid to each other and with other
interoperable security platforms?
A. IEEE
B. IETF
C. NIST
D. ANSI
Answer: B
Question 105
A. blocks traffic from URL categories that are known to contain malicious content
B. decrypts SSL traffic to monitor for malicious content
C. monitors suspicious traffic across all the TCP/UDP ports
D. prevents data exfiltration by searching all the network traffic for specified sensitive information
Answer: C
Explanation
The Web Security appliance has an integrated Layer-4 Traffic Monitor that detects rogue traffic across all
network ports and stops malware attempts to bypass port 80.
Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_010110.html
Question 106
Which solution is made from a collection of secure development practices and guidelines that developers
must follow to build secure applications?
A. OWASP
B. Fuzzing Framework
C. Radamsa
D. AFL
Answer: A
Explanation
OWASP secure coding is a set of secure coding best practices and guidelines put out by the Open Source
Foundation for Application Security. It outlines both general software security principles and secure coding
requirements.
Reference: https://snyk.io/learn/secure-coding-practices/
Question 107
What is the process of performing automated static and dynamic analysis of files against preloaded
behavioral indicators for threat analysis?
Answer: C
Question 108
Which Cisco ISE service checks the compliance of endpoints before allowing the endpoints to connect to
the network?
A. posture
B. profiler
C. Cisco TrustSec
D. Threat Centric NAC
Answer: A
Explanation
Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the compliance,
also known as posture, of endpoints, before allowing them to connect to your network.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010111.html
Question 109
import requests
client_id = 'a1b2c3d4e5f6g7h8i9j0'
api_key = 'a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6'
A. displays client ID
B. HTTP authorization
C. Imports requests
D. HTTP authentication
Answer: D
Explanation
Use API keys for APIs and data extraction. API keys authenticate your client application with Cisco GMM and include an access key ID and a secret access key in place of a username and password. API keys are used by partners who do not have access to the Cisco GMM Cloud Application.
Reference: https://developer.cisco.com/docs/GMM/#!generate-api-keys/generate-api-keys
Question 110
How does the Cisco WSA enforce bandwidth restrictions for web applications?
Answer: D
Explanation
Defining bandwidth limits only throttles the data going to users. It does not block data based on reaching
a quota. The Web Proxy introduces latency into each application transaction to mimic a slower link to the
server.
Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-8/user_guide/b_WSA_UserGuide_11_8/b_WSA_UserGuide_11_7_chapter_01111.html
Question 111
Which feature within Cisco ISE verifies the compliance of an endpoint before providing access to the
network?
A. Posture
B. Profiling
C. pxGrid
D. MAB
Answer: A
Question 112
Which Cisco AMP feature allows an engineer to look back to trace past activities, such as file and process
activity on an endpoint?
A. endpoint isolation
B. advanced search
C. advanced investigation
D. retrospective security
Answer: D
Explanation
Retrospective security lets administrators look at their systems as if they had a time machine. They can
view any point in the past with tools such as retrospection, attack chain correlation, behavioral indications
of compromise (IOCs), trajectory and breach hunting. Plus, they can see how their security environments
have changed, rather than just viewing network aspects at a single point.
Reference: https://imaginenext.ingrammicro.com/security/comparison-point-in-time-vs-retrospective-security
Question 1
What is a functional difference between a Cisco ASA and a Cisco IOS router with Zone-based policy
firewall?
A. The Cisco ASA denies all traffic by default whereas the Cisco IOS router with Zone-Based Policy Firewall
starts out by allowing all traffic, even on untrusted interfaces.
B. The Cisco IOS router with Zone-Based Policy Firewall can be configured for high availability, whereas
the Cisco ASA cannot
C. The Cisco IOS router with Zone-Based Policy Firewall denies all traffic by default, whereas the Cisco
ASA starts out by allowing all traffic until rules are added
D. The Cisco ASA can be configured for high availability whereas the Cisco IOS router with Zone-Based
Policy Firewall cannot
Answer: A
Explanation
Both the Cisco ASA and a Cisco IOS router with Zone-Based Policy Firewall support High Availability (HA).
Zone-Based Policy Firewall drops traffic between different zones by default, so we cannot simply say that a Cisco IOS router with Zone-Based Policy Firewall allows or denies all traffic by default.
Cisco ASA drops all traffic by default.
“The ASA denies all traffic by default, while the IOS router starts out by allowing all traffic, even on your untrusted interfaces.”
Reference: https://www.plixer.com/blog/cisco-zone-based-firewall-reporting/
So maybe this question wanted to say that a Cisco IOS router allows all traffic by default (before implementing Zone-Based Policy Firewall).
Question 2
Answer: A
Question 3
Which cloud model is a collaborative effort where infrastructure is shared and jointly accessed by several
organizations from a specific group?
A. hybrid
B. community
C. private
D. public
Answer: B
Explanation
Community Cloud allows systems and services to be accessible by a group of organizations. It shares the infrastructure between several organizations from a specific community. It may be managed internally by the organizations or by a third party.
Question 4
Which cryptographic process provides origin confidentiality, integrity, and origin authentication for
packets?
A. IKEv1
B. AH
C. ESP
D. IKEv2
Answer: C
Question 5
An organization wants to secure users, data, and applications in the cloud. The solution must be API-based
and operate as a cloud-native CASB. Which solution must be used for this implementation?
A. Cisco Cloudlock
B. Cisco Cloud Email Security
C. Cisco Firepower Next-Generation Firewall
D. Cisco Umbrella
Answer: A
Explanation
Cisco Cloudlock: Secure your cloud users, data, and applications with the cloud-native Cloud Access
Security Broker (CASB) and cloud cybersecurity platform.
Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-web-security/at-a-glance-c45-738565.pdf
Question 6
A. frontdoor
B. rootkit
C. smurf
D. backdoor
E. sync
Answer: B D
Question 7
Answer: B
Explanation
Umbrella Roaming is a cloud-delivered security service for Cisco’s next-generation firewall. It protects your
employees even when they are off the VPN.
Question 8
Answer: A
Question 9
A. Anycast IP
B. AMP Threat grid
C. Cisco Talos
D. BGP route reflector
Answer: A
Explanation
Cisco Umbrella uses Anycast IP routing in order to provide reliability of the recursive DNS service.
Question 10
Answer: A
Explanation
Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. A typical MDM product consists of a policy server, a mobile device client and an optional inline enforcement point that controls the use of some applications on a mobile device (like email) in the deployed environment. However, the network is the only entity that can provide granular access to endpoints (based on ACLs, TrustSec SGTs, etc.). It is envisaged that Cisco Identity Services Engine (ISE) would be an additional network-based enforcement point while the MDM policy server would serve as the policy decision point. ISE expects specific data from MDM servers to provide a complete solution.
The following are the high-level use cases in this solution.
+ Device registration: non-registered endpoints accessing the network on-premises will be redirected to the registration page on the MDM server for registration based on user role, device type, etc.
+ Remediation: non-compliant endpoints will be given restricted access based on compliance state.
+ Periodic compliance check: periodically check with the MDM server for compliance.
+ Ability for ISE administrators to issue remote actions on the device through the MDM server (e.g. remote wiping of the managed device).
+ Ability for end users to leverage the ISE My Devices Portal to manage personal devices, e.g. Full Wipe, Corporate Wipe and PIN Lock.
Reference: https://community.cisco.com/t5/security-documents/cisco-ise-integration-with-mobile-device-management-mdm/ta-p/3784691
If the user device is not compliant with the posture (compliance) policies configured on the MDM, the user will be notified that the device is out of compliance, the reason for non-compliance, and the need to be in compliance to access network resources.
Question 11
An administrator configures a new destination list in Cisco Umbrella so that the organization can block
specific domains for its devices. What should be done to ensure that all subdomains of domain.com are
blocked?
Answer: D
Explanation
It is not possible to use an asterisk to wildcard a different part of the domain. The following will not work:
*.domain.com
subdomain.*.com
sub*.com
domain.*
Reference: https://docs.umbrella.com/deployment-umbrella/docs/wild-cards
By adding domain.com to the block list, *.domain.com/* is implicitly blocked as well (all subdomains are blocked too).
Question 12
An organization wants to provide visibility and to identify active threats in its network using a VM. The
organization wants to extract metadata from network packet flow while ensuring that payloads are not
retained or transferred outside the network. Which solution meets these requirements?
Answer: B
Explanation
Private Network Monitoring (PNM) provides visibility and threat detection for the on-premises network, delivered from the cloud as a SaaS solution. It is the perfect solution for organizations that prefer SaaS products and desire better awareness and security in their on-premises environments while reducing capital expenditure and operational overhead. It works by deploying lightweight software in a virtual machine or server that can consume a variety of native sources of telemetry or extract metadata from network packet flow. It encrypts this metadata and sends it to the Stealthwatch Cloud analytics platform for analysis. Stealthwatch Cloud consumes metadata only. The packet payloads are never retained or transferred outside the network.
This lab focuses on how to configure a Stealthwatch Cloud Private Network Monitoring (PNM) Sensor, in order to provide visibility, effectively identify active threats, and monitor user and device behavior within on-premises networks.
The Stealthwatch Cloud PNM Sensor is an extremely flexible piece of technology, capable of being utilized in a number of different deployment scenarios. It can be deployed as a complete Ubuntu-based virtual appliance on different hypervisors (e.g. VMware, VirtualBox). It can also be deployed on hardware running a number of different Linux-based operating systems.
Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/5eU6DfQV/LTRSEC-2240-LG2.pdf
Question 13
An organization deploys multiple Cisco FTD appliances and wants to manage them using one centralized
solution. The organization does not have a local VM but does have existing Cisco ASAs that must migrate
over to Cisco FTDs. Which solution meets the needs of the organization?
A. Cisco FMC
B. CSM
C. Cisco FDM
D. CDO
Answer: A
Question 14
An organization wants to secure data in a cloud environment. Its security model requires that all users be
authenticated and authorized. Security configuration and posture must be continuously validated before
access is granted or maintained to applications and data. There is also a need to allow certain application
traffic and deny all other traffic by default. Which technology must be used to implement these
requirements?
Answer: B
Explanation
Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to
be authenticated, authorized, and continuously validated for security configuration and posture before
being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional
network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as
well as workers in any location.
The Zero Trust model uses microsegmentation — a security technique that involves dividing perimeters
into small zones to maintain separate access to every part of the network — to contain attacks.
Question 15
A Cisco FTD engineer is creating a new IKEv2 policy called s2s00123456789 for their organization to allow
for additional protocols to terminate network devices with. They currently only have one policy established
and need the new policy to be a backup in case some devices cannot support the stronger algorithms
listed in the primary policy. What should be done in order to support this?
A. Change the integrity algorithms to SHA* to support all SHA algorithms in the primary policy
B. Make the priority for the new policy 5 and the primary policy 1.
C. Change the encryption to AES* to support all AES algorithms in the primary policy
D. Make the priority for the primary policy 10 and the new policy 1
Answer: B
Explanation
All IKE policies on the device are sent to the remote peer regardless of what is in the selected policy
section. The first IKE Policy matched by the remote peer will be selected for the VPN connection. Choose
which policy is sent first using the priority field. Priority 1 will be sent first.
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215470-site-to-site-vpn-configuration-on-ftd-ma.html
Question 16
A. asymmetric
B. symmetric
C. linear
D. nonlinear
Answer: A
Question 17
Answer: A E
Explanation
Reference: https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/consolidated_guide/b_consolidated_3850_3se_cg_chapter_011010.html
+ Except in PFC3A mode, NetFlow supports bridged IP traffic. PFC3A mode does not support NetFlow bridged IP traffic.
+ NetFlow supports multicast IP traffic.
Reference: https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/netflow.html
The Flexible NetFlow – MPLS Egress NetFlow feature allows you to capture IP flow information for packets that arrive on a router as Multiprotocol Label Switching (MPLS) packets and are transmitted as IP packets. This feature allows you to capture the MPLS VPN IP flows that are traveling through the service provider backbone from one site of a VPN to another site of the same VPN.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/cfg-mpls-netflow.html
Question 18
A customer has various external HTTP resources available, including Intranet, Extranet and Internet, with a proxy configuration running in explicit mode. Which method allows the client desktop browsers to be configured to select when to connect directly and when to use the proxy?
A. Transport mode
B. Forward file
C. PAC file
D. Bridge mode
Answer: C
Explanation
A Proxy Auto-Configuration (PAC) file is a JavaScript function definition that determines whether web
browser requests (HTTP, HTTPS, and FTP) go direct to the destination or are forwarded to a web proxy
server.
PAC files are used to support explicit proxy deployments in which client browsers are explicitly configured
to send traffic to the web proxy. The big advantage of PAC files is that they are usually relatively easy to
create and maintain.
Question 19
Which Talos reputation center allows for tracking the reputation of IP addresses for email and web traffic?
Answer: A
Question 20
An engineer is configuring IPsec VPN and needs an authentication protocol that is reliable and supports
ACK and sequence. Which protocol accomplishes this goal?
A. AES-192
B. IKEv1
C. AES-256
D. ESP
Answer: D
Question 21
An administrator is establishing a new site-to-site VPN connection on a Cisco IOS router. The organization
needs to ensure that the ISAKMP key on the hub is used only for terminating traffic from the IP address of
172.19.20.24. Which command on the hub will allow the administrator to accomplish this?
Answer: B
Explanation
The command “crypto isakmp identity address 172.19.20.24” is not valid. We can only use “crypto isakmp identity {address | hostname}”. The following example uses preshared keys at two peers and sets both their ISAKMP identities to the IP address.
At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified:
crypto isakmp identity address
crypto isakmp key sharedkeystring address 192.168.1.33
At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified:
crypto isakmp identity address
crypto isakmp key sharedkeystring address 10.0.0.1
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-c4.html#wp3880782430
The command “crypto ca identity …” is only used to declare a trusted CA for the router and puts you in the
ca-identity configuration mode. Also it should be followed by a name, not an IP address. For example:
“crypto ca identity CA-Server” -> Answer A is not correct.
Question 22
A. SQL injection is a hacking method used to attack SQL databases, whereas XSS attacks can exist in
many different types of applications
B. XSS is a hacking method used to attack SQL databases, whereas SQL injection attacks can exist in
many different types of applications
C. SQL injection attacks are used to steal information from databases whereas XSS attacks are used to
redirect users to websites where attackers can steal data from them
D. XSS attacks are used to steal information from databases whereas SQL injection attacks are used to
redirect users to websites where attackers can steal data from them
Answer: C
Explanation
In XSS, an attacker will try to inject his malicious code (usually malicious links) into a database. When
other users follow his links, their web browsers are redirected to websites where attackers can steal data
from them. In a SQL Injection, an attacker will try to inject SQL code (via his browser) into forms, cookies,
or HTTP headers that do not use data sanitizing or validation methods of GET/POST parameters.
Question 23
An engineer has been tasked with configuring a Cisco FTD to analyze protocol fields and detect anomalies
in the traffic from industrial systems. What must be done to meet these requirements?
Answer: A
Explanation
The Modbus, DNP3, and CIP SCADA preprocessors detect traffic anomalies and provide data to intrusion rules. Therefore, in this question only answer A or answer C can be correct.
The DNP3 preprocessor detects anomalies in DNP3 traffic and decodes the DNP3 protocol for processing by the rules engine, which uses DNP3 keywords to access certain protocol fields.
The Common Industrial Protocol (CIP) is a widely used application protocol that supports industrial automation applications. EtherNet/IP is an implementation of CIP that is used on Ethernet-based networks. The CIP preprocessor detects CIP and ENIP traffic running on TCP or UDP and sends it to the intrusion rules engine. You can use CIP and ENIP keywords in custom intrusion rules to detect attacks in CIP and ENIP traffic.
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/scada_preprocessors.html
Both DNP3 and CIP preprocessors can be used to detect traffic anomalies but we choose CIP as it is widely
used in industrial applications.
Note:
+ An intrusion rule is a specified set of keywords and arguments that the system uses to detect attempts
to exploit vulnerabilities in your network. As the system analyzes network traffic, it compares packets
against the conditions specified in each rule, and triggers the rule if the data packet meets all the
conditions specified in the rule.
+ Preprocessor rules, which are rules associated with preprocessors and packet decoder detection options
in the network analysis policy. Most preprocessor rules are disabled by default.
Question 24
Which posture assessment requirement provides options to the client for remediation and requires the
remediation within a certain timeframe?
A. Audit
B. Mandatory
C. Optional
D. Visibility
Answer: B
Explanation
A posture requirement is a set of compound conditions with an associated remediation action that can be
linked with a role and an operating system. All the clients connecting to your network must meet
mandatory requirements during posture evaluation to become compliant on the network.
Posture-policy requirements can be set to mandatory, optional, or audit types in posture policies. If
requirements are optional and clients fail these requirements, then the clients have an option to continue
during posture evaluation of endpoints.
Mandatory Requirements
During policy evaluation, the agent provides remediation options to clients who fail to meet the mandatory
requirements defined in the posture policy. End users must remediate to meet the requirements within the
time specified in the remediation timer settings.
For example, you have specified a mandatory requirement with a user-defined condition to check the
existence of C:\temp\text.file in the absolute path. If the file does not exist, the mandatory requirement
fails and the user will be moved to Non-Compliant state.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_010111.html
Question 25
Which attribute has the ability to change during the RADIUS CoA?
A. NTP
B. authorization
C. accessibility
D. membership
Answer: B
Explanation
The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an
authentication, authorization, and accounting (AAA) session after it is authenticated.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html
Question 26
With Cisco AMP for Endpoints, which option shows a list of all files that have been executed in your
environment?
A. prevalence
B. file analysis
C. detections
D. vulnerable software
E. threat root cause
Answer: A
Explanation
Prevalence allows you to view files that have been executed in your deployment.
Note: Threat Root Cause shows how malware is getting onto your computers.
Reference: https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20User%20Guide.pdf
Question 27
A company discovered an attack propagating through their network via a file. A custom file policy was
created in order to track this in the future and ensure no other endpoints execute the infected file. In
addition, it was discovered during testing that the scans are not detecting the file as an indicator of
compromise. What must be done in order to ensure that the created policy is functioning as it should?
A. Create an IP block list for the website from which the file was downloaded
B. Block the application that the file was using to open
C. Upload the hash for the file into the policy
D. Send the file to Cisco Threat Grid for dynamic analysis
Answer: C
Question 28
A network engineer is trying to figure out whether FlexVPN or DMVPN would fit better in their
environment. They have a requirement for more stringent security, multiple security associations for the
connections, more efficient VPN establishment, and lower bandwidth consumption. Which solution would be
best for this and why?
Answer: C
Explanation
Question 29
How does Cisco Workload Optimization Manager help mitigate application performance issues?
Answer: B
Explanation
Cisco Workload Optimization Manager provides specific real-time actions that ensure workloads get the
resources they need when they need them, enabling continuous placement, resizing, and capacity
decisions that can be automated, driving continuous health in the environment. You can automate the
software’s decisions according to your level of comfort: recommend (view only), manual (select and
apply), or automated (executed in real time by software).
Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/one-
enterprise-suite/solution-overview-c22-739078.pdf
Question 30
An organization configures Cisco Umbrella to be used for its DNS services. The organization must be able
to block traffic based on the subnet that the endpoint is on but it sees only the requests from its public IP
address instead of each internal IP address. What must be done to resolve this issue?
A. Set up a Cisco Umbrella virtual appliance to internally field the requests and see the traffic of each IP
address
B. Use the tenant control features to identify each subnet being used and track the connections within the
Cisco Umbrella dashboard
C. Install the Microsoft Active Directory Connector to give IP address information stitched to the requests
in the Cisco Umbrella dashboard
D. Configure an internal domain within Cisco Umbrella to help identify each address and create policy from
the domains
Answer: A
Explanation
Umbrella virtual appliances (VAs) are lightweight virtual machines that are compatible with VMware
ESX/ESXi, Windows Hyper-V, and KVM hypervisors and the Microsoft Azure, Google Cloud Platform, and
Amazon Web Services cloud platforms. When utilized as conditional DNS forwarders on your network,
Umbrella VAs record the internal IP address information of DNS requests for usage in reports, security
enforcement, and category filtering policies.
VAs act as conditional DNS forwarders in your network, intelligently forwarding public DNS queries to Cisco
Umbrella’s global network, and local DNS queries to your existing local DNS servers and forwarders. Every
public DNS query sent to Umbrella is encrypted, authenticated, and includes the client’s internal IP
address.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/1-introduction
If you’re already pointing DNS to Umbrella, or plan to, all the DNS traffic visible in your Umbrella reports
comes from a single Network identity. The VAs provide internal IP visibility, allowing you to track down
malicious or inappropriate traffic within your network to a specific IP address.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/1-introduction
Question 31
A. A DoS attack is where a computer is used to flood a server with TCP and UDP packets whereas a DDoS
attack is where multiple systems target a single system with a DoS attack.
B. A DoS attack is where a computer is used to flood a server with TCP and UDP packets whereas a DDoS
attack is where a computer is used to flood multiple servers that are distributed over a LAN
C. A DoS attack is where a computer is used to flood a server with UDP packets whereas a DDoS attack is
where a computer is used to flood a server with TCP packets
D. A DoS attack is where a computer is used to flood a server with TCP packets whereas a DDoS attack is
where a computer is used to flood a server with UDP packets
Answer: A
Question 32
Which two capabilities of Integration APIs are utilized with Cisco DNA center? (Choose two)
Answer: C D
Explanation
Reference: https://developer.cisco.com/docs/dna-center/#!cisco-dna-center-platform-overview/events-
and-notifications-eastbound
Westbound—Integration APIs
Cisco DNA Center platform can power end-to-end IT processes across the value chain by integrating
various domains such as ITSM, IPAM, and reporting. By leveraging the REST-based Integration Adapter
APIs, bi-directional interfaces can be built to allow the exchange of contextual information between Cisco
DNA Center and the external, third-party IT systems. The westbound APIs provide the capability to publish
the network data, events and notifications to the external systems and consume information in Cisco DNA
Center from the connected systems.
Reference: https://blogs.cisco.com/networking/with-apis-cisco-dna-center-can-improve-your-competitive-
advantage
Therefore the most suitable choice is Integration APIs can monitor for power utilization of devices and IoT
sensors -> Answer C is correct.
Question 33
Which kind of API that is used with Cisco DNA Center provisions SSIDs, QoS policies, and update software
versions on switches?
A. integration
B. intent
C. event
D. multivendor
Answer: B
Explanation
Northbound-Intent APIs
Intent APIs enable developers to access Cisco DNA Center Automation and Assurance workflows. Through
this access, you can simplify the process of creating workflows that consolidate multiple network actions.
Say, for instance, you’re configuring an SSID on a wireless network. Using Cisco DNA Center and the
intent APIs, you can offload the process of setting WLAN and security settings. This saves time and
provides greater consistency. You can do the same for QoS policies, software images running on the
network devices, and application health.
Reference: https://www.publicnow.com/view/3057F243685FA76A88EFC1651CAAFD66B5B849FE?1603802
892
Question 34
Answer: A
Explanation
A trusted CA is the only entity that can issue trusted digital certificates. This is extremely important
because while PKI manages more of the encryption side of these certificates, authentication is vital to
understanding which entities own what keys. Without a trusted CA, anyone can issue their own keys,
authentication goes out the window and chaos ensues.
Reference: https://cheapsslsecurity.com/blog/understanding-the-role-of-certificate-authorities-in-pki/
Question 35
Which DevSecOps implementation process gives a weekly or daily update instead of monthly or quarterly
in the applications?
A. orchestration
B. CI/CD pipeline
C. container
D. security
Answer: B
Explanation
Unlike the traditional software life cycle, the CI/CD implementation process gives a weekly or daily update
instead of monthly or quarterly. The fun part is customers won’t even realize the update is in their
applications, as they happen on the fly.
Reference: https://devops.com/how-to-implement-an-effective-ci-cd-pipeline/
Question 36
A. DSCP value
B. source interface
C. exporter name
D. exporter description
Answer: C
Explanation
Question 37
A. virus attacks
B. trojan attacks
C. flood attacks
D. phishing attacks
Answer: C
Question 38
What are two advantages of using Cisco AnyConnect over DMVPN? (Choose two)
Answer: C E
Question 39
When choosing an algorithm to use, what should be considered about Diffie-Hellman and RSA for key
establishment?
Answer: D
Explanation
Diffie-Hellman (DH) uses a private/public key pair on each side to establish a shared secret, which is
typically used as, or to derive, a symmetric key. DH is not a symmetric algorithm; it is an asymmetric
algorithm used to establish a shared secret for a symmetric-key algorithm.
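The exchange described above, as an added example that is not part of the original page: both parties pick a private exponent, publish only g^x mod p, and each derives the same symmetric key from the other's public value. The prime and generator are demonstration-size assumptions chosen for this example (not a group to deploy), and the SHA-256 step stands in for a real KDF.

```python
import hashlib
import secrets

# Demonstration-only parameters (an assumption made for this example, not a group
# to deploy): p is the 127-bit Mersenne prime 2^127 - 1 with generator 3. Real
# deployments use a standardised group (RFC 7919 ffdhe2048 or larger) or ECDH.
P = (1 << 127) - 1
G = 3


def is_valid_public(value, p=P):
    """Reject 0, 1, p-1 and out-of-range values: they force the secret into a trivial subgroup."""
    return 1 < value < p - 1


def dh_keypair(p=P, g=G):
    """Pick a random private exponent and return (private, public = g^private mod p)."""
    private = secrets.randbelow(p - 3) + 2          # 2 <= private <= p-2
    return private, pow(g, private, p)


def dh_shared_secret(private, peer_public, p=P):
    """Combine our private exponent with the peer's public value: peer_public^private mod p."""
    if not is_valid_public(peer_public, p):
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def derive_key(shared_secret, p=P):
    """Turn the shared secret into a 256-bit symmetric key (minimal KDF: SHA-256 of the fixed-width secret)."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(width, "big")).digest()


def dh_exchange(p=P, g=G):
    """Run both sides of an exchange; return (alice_key, bob_key, wire_transcript)."""
    a_priv, a_pub = dh_keypair(p, g)
    b_priv, b_pub = dh_keypair(p, g)
    # Only the public values cross the network. An eavesdropper records p, g,
    # a_pub and b_pub but holds neither private exponent.
    transcript = {"p": p, "g": g, "alice_public": a_pub, "bob_public": b_pub}
    alice_key = derive_key(dh_shared_secret(a_priv, b_pub, p), p)
    bob_key = derive_key(dh_shared_secret(b_priv, a_pub, p), p)
    return alice_key, bob_key, transcript


if __name__ == "__main__":
    k_a, k_b, t = dh_exchange()
    print("keys match:", k_a == k_b, "key:", k_a.hex())
```

With RSA key transport, by contrast, one side chooses the session key and encrypts it to the peer's long-term RSA public key, so anyone who later obtains that private key can decrypt recorded sessions. Ephemeral DH, with fresh exponents for every session as in dh_keypair above, leaves no long-term secret that unlocks past traffic; that forward secrecy is why IKEv2 and TLS 1.3 establish keys with (EC)DH and use RSA, if at all, only for authentication.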
Question 40
Which type of DNS abuse exchanges data between two computers even when there is no direct
connection?
A. malware installation
B. command-and-control communication
C. network footprinting
D. data exfiltration
Answer: D
Explanation
Malware installation: This may be done by hijacking DNS queries and responding with malicious IP
addresses.
Command & Control communication: As part of lateral movement, after an initial compromise, DNS
communications is abused to communicate with a C2 server. This typically involves making periodic DNS
queries from a computer in the target network for a domain controlled by the adversary. The responses
contain encoded messages that may be used to perform unauthorized actions in the target network.
Network footprinting: Adversaries use DNS queries to build a map of the network. Attackers live off the
terrain so developing a map is important to them.
Data theft (exfiltration): Abuse of DNS to transfer data; this may be performed by tunneling other
protocols like FTP, SSH through DNS queries and responses. Attackers make multiple DNS queries from a
compromised computer to a domain owned by the adversary. DNS tunneling can also be used for
executing commands and transferring malware into the target network.
Reference: https://www.netsurion.com/articles/5-types-of-dns-attacks-and-how-to-detect-them
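The exfiltration and tunneling pattern described above (one host sending many queries to one domain, each carrying a fresh encoded chunk in the leftmost label) is visible in resolver logs. The following detector is an added example, not part of the original page, run over constructed sample log entries. The thresholds, the TXT/NULL record-type heuristic and the "last two labels" approximation of the registered domain are assumptions for the example; production code would use the Public Suffix List and tune thresholds to local traffic.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs as (client IP, record type, queried name).
# These entries are made up for the example, not captured traffic.
SAMPLE_LOG = [
    ("10.1.2.5", "A", "www.example.com"),
    ("10.1.2.5", "A", "mail.example.com"),
    ("10.1.2.5", "AAAA", "cdn.example.com"),
    ("10.1.2.5", "A", "login.example.com"),
    ("10.1.2.5", "A", "api.example.com"),
    # Legitimate long-but-repeated name: a cache-busting CDN host queried over and over.
    ("10.1.2.7", "A", "d1a2b3c4e5f6a7b8c9d0e1f2.static.example-cdn.com"),
    ("10.1.2.7", "A", "d1a2b3c4e5f6a7b8c9d0e1f2.static.example-cdn.com"),
    ("10.1.2.7", "A", "d1a2b3c4e5f6a7b8c9d0e1f2.static.example-cdn.com"),
    ("10.1.2.7", "A", "d1a2b3c4e5f6a7b8c9d0e1f2.static.example-cdn.com"),
    ("10.1.2.7", "A", "d1a2b3c4e5f6a7b8c9d0e1f2.static.example-cdn.com"),
    # Tunnel-like pattern: every query carries a new hex-encoded chunk in the leftmost label.
    ("10.1.2.9", "TXT", "5468697320697320636f6e666964656e7469616c.t.bad-actor.net"),
    ("10.1.2.9", "TXT", "2064617461206265696e672065786669c92a7b31.t.bad-actor.net"),
    ("10.1.2.9", "TXT", "6c7472617465642076696120444e532071756572.t.bad-actor.net"),
    ("10.1.2.9", "TXT", "72696573206f6e65206c6162656c206174206120.t.bad-actor.net"),
    ("10.1.2.9", "TXT", "74696d652e2074686520656e642e00a1b2c3d4e5.t.bad-actor.net"),
]


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol strings)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (prefix, registered_domain). Assumption: registered domain = last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def summarize(log):
    """Per (client, registered domain): query count, unique-name ratio, mean prefix
    length, mean entropy of the leftmost label and share of TXT/NULL queries."""
    groups = defaultdict(lambda: {"queries": 0, "names": set(), "prefix_len": 0,
                                  "entropy": 0.0, "txt_null": 0})
    for client, qtype, qname in log:
        prefix, domain = split_name(qname)
        g = groups[(client, domain)]
        g["queries"] += 1
        g["names"].add(qname.lower())
        g["prefix_len"] += len(prefix)
        g["entropy"] += shannon_entropy(prefix.split(".")[0])
        g["txt_null"] += int(qtype.upper() in ("TXT", "NULL"))
    stats = {}
    for key, g in groups.items():
        n = g["queries"]
        stats[key] = {
            "queries": n,
            "unique_ratio": len(g["names"]) / n,
            "avg_prefix_len": g["prefix_len"] / n,
            "avg_entropy": g["entropy"] / n,
            "txt_null_ratio": g["txt_null"] / n,
        }
    return stats


def flag_tunnels(log, min_queries=5, min_prefix_len=30, min_unique_ratio=0.8, min_entropy=3.5):
    """Return (client, domain) pairs whose query pattern looks like DNS tunnelling.
    Uniqueness is checked first so a long but cached CDN name is not flagged."""
    flagged = []
    for key, s in summarize(log).items():
        if s["queries"] < min_queries or s["unique_ratio"] < min_unique_ratio:
            continue
        if s["avg_prefix_len"] >= min_prefix_len or s["avg_entropy"] >= min_entropy:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for client, domain in flag_tunnels(SAMPLE_LOG):
        print(f"possible DNS tunnel: {client} -> {domain}", summarize(SAMPLE_LOG)[(client, domain)])
```

The unique-name ratio is what separates the tunnel from the CDN host: both have long prefixes, and the CDN label even has high entropy, but a tunnel cannot reuse names without losing data. Query volume per domain and a high share of TXT or NULL records are supporting signals, not proof, so the output is a triage list rather than a verdict.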
Question 41
A. GETVPN reduces latency and provides encryption over MPLS without the use of a central hub
B. GETVPN provides key management and security association management
C. GETVPN is based on IKEv2 and does not support IKEv1
D. GETVPN is used to build a VPN network with multiple sites without having to statically configure all
devices
Answer: A
Explanation
By using GETVPN together with DMVPN, the delay caused by IPsec tunnel negotiation is eliminated
because connections are static.
Reference: Network Security Technologies and Solutions (CCIE Professional Development) Book
Question 42
What is a benefit of using telemetry over SNMP to configure new routers for monitoring purposes?
A. Telemetry uses a pull method, which makes it more reliable than SNMP
B. Telemetry uses push and pull, which makes it more scalable than SNMP
C. Telemetry uses push and pull which makes it more secure than SNMP
D. Telemetry uses a push method which makes it faster than SNMP
Answer: D
Explanation
SNMP polling can often be in the order of 5-10 minutes, CLIs are unstructured and prone to change which
can often break scripts.
The traditional use of the pull model, where the client requests data from the network, does not scale when
what you want is near real-time data.
Moreover, in some use cases, there is the need to be notified only when some data changes, like
interfaces status, protocol neighbors change etc.
Model-Driven Telemetry is a new approach for network monitoring in which data is streamed from network
devices continuously using a push model and provides near real-time access to operational statistics.
Reference: https://developer.cisco.com/docs/ios-xe/#!streaming-telemetry-quick-start-guide/streaming-
telemetry
Question 43
An organization wants to use Cisco FTD or Cisco ASA devices. Specific URLs must be blocked from being
accessed via the firewall which requires that the administrator input the bad URL categories that the
organization wants blocked into the access policy. Which solution should be used to meet this
requirement?
A. Cisco ASA because it enables URL filtering and blocks malicious URLs by default, whereas Cisco FTD
does not
B. Cisco ASA because it includes URL filtering in the access control policy capabilities, whereas Cisco FTD
does not
C. Cisco FTD because it includes URL filtering in the access control policy capabilities, whereas Cisco ASA
does not
D. Cisco FTD because it enables URL filtering and blocks malicious URLs by default, whereas Cisco ASA
does not
Answer: C
Question 44
An administrator configures a Cisco WSA to receive redirected traffic over ports 80 and 443. The
organization requires that a network device with specific WSA integration capabilities be configured to
send the traffic to the WSA to proxy the requests and increase visibility, while making this invisible to the
users. What must be done on the Cisco WSA to support these requirements?
A. Configure transparent traffic redirection using WCCP in the Cisco WSA and on the network device
B. Configure active traffic redirection using WPAD in the Cisco WSA and on the network device
C. Use the Layer 4 setting in the Cisco WSA to receive explicit forward requests from the network device
D. Use PAC keys to allow only the required network devices to send the traffic to the Cisco WSA
Answer: A
Question 45
An administrator configures new authorization policies within Cisco ISE and has difficulty profiling the
devices. Attributes for the new Cisco IP phones that are profiled based on the RADIUS authentication are
seen however the attributes for CDP or DHCP are not. What should the administrator do to address this
issue?
A. Configure the ip dhcp snooping trust command on the DHCP interfaces to get the information to
Cisco ISE
B. Configure the authentication port-control auto feature within Cisco ISE to identify the devices that are
trying to connect
C. Configure a service template within the switch to standardize the port configurations so that the correct
information is sent to Cisco ISE
D. Configure the device sensor feature within the switch to send the appropriate protocol information
Answer: D
Explanation
Device sensor is a feature of access devices. It allows the collection of information about connected endpoints.
Mostly, information collected by Device Sensor can come from the following protocols:
+ Cisco Discovery Protocol (CDP)
+ Link Layer Discovery Protocol (LLDP)
+ Dynamic Host Configuration Protocol (DHCP)
Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200292-
Configure-Device-Sensor-for-ISE-Profilin.html
Question 46
A network engineer must monitor user and device behavior within the on-premises network. This data
must be sent to the Cisco Stealthwatch Cloud analytics platform for analysis. What must be done to meet
this requirement using the Ubuntu-based VM appliance deployed in a VMware-based hypervisor?
Answer: B
Explanation
The Stealthwatch Cloud Private Network Monitoring (PNM) Sensor is an extremely flexible piece of
technology, capable of being utilized in a number of different deployment scenarios. It can be deployed as
a complete Ubuntu based virtual appliance on different hypervisors (e.g. –VMware, VirtualBox). It can be
deployed on hardware running a number of different Linux-based operating systems.
Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/5eU6DfQV/LTRSEC-2240-
LG2.pdf
Question 47
An organization uses Cisco FMC to centrally manage multiple Cisco FTD devices. The default management
port conflicts with other communications on the network and must be changed. What must be done to
ensure that all devices can communicate together?
A. Manually change the management port on Cisco FMC and all managed Cisco FTD devices
B. Set the tunnel to go through the Cisco FTD
C. Change the management port on Cisco FMC so that it pushes the change to all managed Cisco FTD
devices
D. Set the tunnel port to 8305
Answer: A
Explanation
The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel,
which by default is on port 8305.
Cisco strongly recommends that you keep the default settings for the remote management port, but if the
management port conflicts with other communications on your network, you can choose a different port. If
you change the management port, you must change it for all devices in your deployment that need to
communicate with each other.
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/misc/fmc-ftd-mgmt-nw/fmc-ftd-
mgmt-nw.html
Question 48
Which service allows a user to export application usage and performance statistics with Cisco Application
Visibility and Control?
A. SNORT
B. NetFlow
C. SNMP
D. 802.1X
Answer: B
Explanation
Application Visibility and Control (AVC) supports NetFlow to export application usage and performance
statistics. This data can be used for analytics, billing, and security policies.
Question 49
An engineer adds a custom detection policy to a Cisco AMP deployment and encounters issues with the
configuration. The simple detection mechanism is configured, but the dashboard indicates that the hash is
not 64 characters and is non-zero. What is the issue?
A. The engineer is attempting to upload a hash created using MD5 instead of SHA-256
B. The file being uploaded is incompatible with simple detections and must use advanced detections
C. The hash being uploaded is part of a set in an incorrect format
D. The engineer is attempting to upload a file instead of a hash
Answer: A
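Simple Custom Detections in AMP for Endpoints take SHA-256 digests, which are 64 hexadecimal characters; an MD5 digest is 32 and a SHA-1 digest is 40. The following check is an added example, not taken from the page or from Cisco's tooling: it computes the correct digest over constructed file content and rejects entries in the wrong format before they are uploaded. The sample bytes and the message strings are constructed for the example.

```python
import hashlib
import re

# Hex-digest lengths for the algorithms an engineer is likely to paste by mistake.
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"[0-9a-fA-F]+")


def classify_digest(value):
    """Name the algorithm a hex digest looks like ('md5', 'sha1', 'sha256'), or None."""
    value = value.strip()
    if not _HEX_RE.fullmatch(value):
        return None
    return HEX_DIGEST_LENGTHS.get(len(value))


def sha256_hex(data):
    """SHA-256 hex digest of a file's content, the value a Simple Custom Detection takes."""
    return hashlib.sha256(data).hexdigest()


def validate_detection_entries(entries):
    """Split candidate entries into accepted SHA-256 digests and (entry, reason) rejects."""
    accepted, rejected = [], []
    for entry in entries:
        algo = classify_digest(entry)
        if algo == "sha256":
            accepted.append(entry.strip().lower())
        elif algo is not None:
            rejected.append((entry, f"{algo} digest is {len(entry.strip())} hex characters; "
                                    f"a 64-character SHA-256 digest is required"))
        else:
            rejected.append((entry, "not a hexadecimal digest"))
    return accepted, rejected


# Constructed stand-in for the infected file's content (not a real sample).
SAMPLE_FILE = b"constructed sample: not real malware, just bytes to hash\n"


def demo():
    """Validate a mixed list: an MD5 of the file, its correct SHA-256, and a pasted path."""
    candidates = [
        hashlib.md5(SAMPLE_FILE).hexdigest(),   # 32 chars: the mistake the dashboard reports
        sha256_hex(SAMPLE_FILE),                # 64 chars: accepted
        r"C:\temp\infected.exe",                # a path, not a digest at all
    ]
    return validate_detection_entries(candidates)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("upload:", accepted)
    for entry, reason in rejected:
        print("reject:", entry, "->", reason)
```

Running the check locally before pasting into the console avoids the round trip through the dashboard error, and the normalisation to lower case matches how the console displays SHA-256 values.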
Question 50
Drag and drop the cloud security assessment components from the left onto the definitions on the right.
Answer:
cloud data protection assessment: understand the security posture of the data or activity taking place
in public cloud deployments
cloud security strategy workshop: develop a cloud security strategy and roadmap aligned to business
priorities
cloud security architecture assessment: identify strengths and areas for improvement in the current
security architecture during onboarding
user entity behavior assessment: detect potential anomalies in user behavior that suggest malicious
behavior in a Software-as-a-Service application
Explanation
Cloud Data Protection Assessment: We review the security posture of documents stored in one Software-
as-a-Service (SaaS) instance, or review the activity taking place in an Infrastructure-as-a-Service (IaaS)
deployment over a period of time.
Cloud Data Architecture Assessment: We conduct whiteboarding sessions, interviews, and documentation
reviews to assess the security architecture of your cloud environment
Cloud User Entity Behavior Assessment: We examine how the users provisioned in a SaaS instance
behave, establish a baseline for each individual user, and monitor user activity
Cloud Security Strategy: Our experts educate your team on cloud security as related to current and future
states, as well as business priorities
Reference: https://www.cisco.com/c/dam/en/us/products/security/security-strategy-advisory-aag.pdf
Question 51
A. It lists the LDAP users from the external identity store configured on Cisco ISE
B. It authenticates to a Cisco ISE server using the username of ersad
C. It allows authentication with TLSv1 SSL protocol
D. It authenticates to a Cisco ISE with an SSH connection
Answer: A
Explanation
In this question the username “ersad” is just an example and it appears in a comment (which starts with a #),
so it has no effect on the script. In fact the username is taken from the second argument of the command.
For example, suppose the file name of the above script is “Internal_user.py”; then if we call the script with
the command:
Also from the line above, we are using HTTPS to make a request. This is different from an SSH connection,
so answer D is not correct.
Note: The purpose of this Python script is used to get the guest users through ISE External RESTful
Services (ERS) API. ERS is designed to allow external clients to perform CRUD (Create, Read, Update,
Delete) operations on Cisco ISE resources.
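The script the question refers to is not reproduced on the page. The following is an added example, not the page's script and not Cisco code, of the same kind of ERS call: an HTTPS GET with HTTP Basic credentials against the guest-user collection. The ERS port (9060), the /ers/config/guestuser path and the SearchResult response shape follow the ISE ERS API documentation; the sample response is constructed, and the password is read from an environment variable rather than a positional argument so it does not appear in the process list.

```python
import base64
import json
import os
import sys
import urllib.request

# ERS listens on TCP 9060 of the Policy Administration Node and must be enabled
# under Administration > System > Settings > ERS Settings before any call succeeds.
ERS_PORT = 9060


def basic_auth_header(username, password):
    """HTTP Basic credentials as ERS expects them: base64("user:password")."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_ers_request(host, username, password, resource="guestuser"):
    """Build, without sending, an HTTPS GET for an ERS collection (guestuser, internaluser, ...)."""
    url = f"https://{host}:{ERS_PORT}/ers/config/{resource}"
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": basic_auth_header(username, password),
    }
    return urllib.request.Request(url, headers=headers, method="GET")


def parse_ers_collection(body):
    """Return [(id, name), ...] from an ERS collection response body."""
    result = json.loads(body)["SearchResult"]
    return [(item["id"], item["name"]) for item in result["resources"]]


def fetch_ers_collection(host, username, password, resource="guestuser", timeout=15):
    """Perform the GET over HTTPS. TLS verification stays on: trust the ISE admin
    certificate in the local store instead of disabling verification."""
    req = build_ers_request(host, username, password, resource)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_ers_collection(resp.read().decode("utf-8"))


# Constructed sample response in the ERS SearchResult shape (not captured from a live ISE).
SAMPLE_RESPONSE = json.dumps({
    "SearchResult": {
        "total": 2,
        "resources": [
            {"id": "1b2c3d4e-0000-4000-8000-000000000001", "name": "guest-visitor01"},
            {"id": "1b2c3d4e-0000-4000-8000-000000000002", "name": "guest-visitor02"},
        ],
    }
})

if __name__ == "__main__":
    # Usage: python ise_ers_guests.py <ise-host> <ers-admin-user>
    # The password comes from ISE_ERS_PASSWORD so it never shows up in `ps` output
    # or shell history, as a third positional argument would.
    host, user = sys.argv[1], sys.argv[2]
    password = os.environ["ISE_ERS_PASSWORD"]
    for rid, name in fetch_ers_collection(host, user, password):
        print(rid, name)
```

The account used needs the ERS Admin or ERS Operator role in ISE; a normal GUI admin account is rejected even with the right password, which is a common cause of 401 responses when first testing ERS.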
Question 52
A network engineer is testing NTP authentication and realizes that any device synchronizes time with this
router and that NTP authentication is not enforced. What is the cause of this issue?
A. The hashing algorithm that was used was MD5 which is unsupported.
B. The key was configured in plain text.
C. NTP authentication is not enabled.
D. The router was not rebooted after the NTP configuration updated
Answer: C
Explanation
On Cisco IOS, the ntp authentication-key and ntp trusted-key commands only provision the keys; nothing
is enforced until the global ntp authenticate command is also configured. Without it the router keeps
exchanging unauthenticated NTP packets, which matches the symptom described.
Question 53
How does Cisco Umbrella manage traffic that is directed toward risky domains?
Answer: C
Explanation
The ‘greylist’ of risky domains is composed of domains that host both malicious and safe content—we
consider these “risky” domains. These sites often allow users to upload and share content—making them
difficult to police, even for the admins of the site.
Reference: https://docs.umbrella.com/deployment-msp/docs/what-is-the-intelligent-proxy
But in this question the “Advanced Settings” (located at the bottom of the figure) was not used -> Answer
D is not correct.
Application Settings organize applications into categories based on the type of processes or services
provided; for example, shopping, education, or human resources -> It can only manage applications and it
cannot filter domains -> Answer A is not correct.
In the “Security Settings” there is a category named “Potentially Harmful Domains”, which we can consider
“risky domains”. This category is disabled by default. The exhibit in this question is not clear, so if we do
not see this category enabled under Security Settings, we can deduce that traffic to “Potentially Harmful
Domains” is allowed.
Note:
+ The security settings categories are, at a minimum, the ones listed below:
+ “Potentially Harmful Domains” are domains that exhibit suspicious behavior and may be part of an
attack. This category has a higher risk of unwanted detections.
Question 54
An administrator is adding a new Cisco ISE node to an existing deployment. What must be done to ensure
that the addition of the node will be successful when inputting the FQDN?
A. Change the IP address of the new Cisco ISE node to the same network as the others
B. Make the new Cisco ISE node a secondary PAN before registering it with the primary
C. Open port 8905 on the firewall between the Cisco ISE nodes
D. Add the DNS entry for the new Cisco ISE node into the DNS server
Answer: D
Explanation
The primary PAN registers the new node by its FQDN, so that name must resolve in DNS before registration is
attempted. A node becomes a secondary PAN as a result of registration, not before it, so answer B is not
correct.
Question 55
An engineer is implementing a certificate based VPN. What is the result of the existing configuration?
A. The OU of the IKEv2 peer certificate is used as the identity when matching an IKEv2 authorization
policy
B. Only an IKEv2 peer that has an OU certificate attribute set to MANGLER establishes an IKEv2 SA
successfully
C. The OU of the IKEv2 peer certificate is encrypted when the OU is set to MANGLER
D. The OU of the IKEv2 peer certificate is set to MANGLER
Answer: A
Question 56
An organization wants to implement a cloud-delivered and SaaS-based solution to provide visibility and
threat detection across the AWS network. The solution must be deployed without software agents and rely
on AWS VPC flow logs instead. Which solution meets these requirements?
Answer: A
Question 57
How is data sent out to the attacker during a DNS tunneling attack?
Answer: B
Question 58
A network engineer must configure a Cisco ESA to prompt users to enter two forms of information before
gaining access. The Cisco ESA must also join a cluster machine using preshared keys. What must be
configured to meet these requirements?
A. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco
ESA CLI
B. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco
ESA GUI
C. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the Cisco
ESA GUI
D. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the
Cisco ESA CLI
Answer: A
Explanation
You cannot create or join a cluster from the Graphical User Interface (GUI). You must use the Command
Line Interface (CLI) to create, join, or configure clusters of machines. Once you have created a cluster,
you can change configuration settings from either the GUI or the CLI.
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-
0/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_0100111.html
Question 59
What is the term for having information about threats and threat actors that helps mitigate harmful events
that would otherwise compromise networks or systems?
Answer: D
Explanation
Threat intelligence is referred to as the knowledge about an existing or emerging threat to assets,
including networks and systems. Threat intelligence includes context, mechanisms, indicators of
compromise (IoCs), implications, and actionable advice. Threat intelligence is referred to as the
information about the observables, IoCs intent, and capabilities of internal and external threat actors and
their attacks.
Reference: CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide.
Question 60
Which Cisco platform processes behavior baselines, monitors for deviations, and reviews for malicious
processes in data center traffic and servers while performing software vulnerability detection?
A. Cisco Tetration
B. Cisco ISE
C. Cisco AMP for Network
D. Cisco AnyConnect
Answer: A
Explanation
What use cases are supported by the Cisco Secure Workload platform (formerly Tetration)?
A. The platform supports the following use cases:
…
+ Process behavior baseline and deviation: Collect the complete process inventory along with the process
hash information, baseline the behavior, and identify deviations.
+ Software inventory and vulnerability detection: Identify all the software packages and versions installed
on the servers. Using the Common Vulnerabilities and Exposures (CVE) database and additional data
feeds, detect if there are any associated vulnerabilities or exposures and take action to protect against
active exploit.
Reference: https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/q-
and-a-c67-737402.html
Question 61
Which portion of the network do EPP solutions solely focus on and EDR solutions do not?
A. server farm
B. perimeter
C. core
D. East-West gateways
Answer: B
Question 62
A. Cisco CWS eliminates the need to backhaul traffic through headquarters for remote workers whereas
Cisco WSA does not
B. Cisco CWS minimizes the load on the internal network and security infrastructure as compared to Cisco
WSA.
C. URL categories are updated more frequently on Cisco CWS than they are on Cisco WSA
D. Content scanning for SAAS cloud applications is available through Cisco CWS and not available through
Cisco WSA
Answer: A
Explanation
Malware can enter the Cisco network when an infected user PC connects over a direct link in the office or a
VPN link from a remote location. For these connections, Cisco IT uses the Cisco Web Security Appliance
(WSA) to protect the network from malware intrusion. However, WSA protection is not available when a
user connects to the Internet directly, without connecting via the Cisco network, such as when using a
public Wi-Fi service in a coffee shop. In this case, the user’s PC can become infected with malware, which
may disrupt the user’s activity, spread to other networks and devices, and present the risk of a data
security or privacy breach. Cisco IT uses the Cisco Cloud Web Security (CWS) solution to help protect user
PCs from these malware infections.
The Cisco CWS solution, previously known as Cisco ScanSafe, enforces secure communication to and from
the Internet. It uses the Cisco AnyConnect Secure Mobility Client 3.0 to provide remote workers the same
level of security as onsite employees when using a laptop issued by Cisco.
Reference: https://www.cisco.com/c/dam/en_us/about/ciscoitatwork/borderless_networks/docs/Cloud_We
b_Security_IT_Methods.pdf
…
Eliminates the need to backhaul Internet traffic from branch offices, so offices can access the
web directly, without losing control of or visibility into web usage.
Reference: https://www.cisco.com/c/en/us/products/collateral/security/router-security/data_sheet_c78-
655324.pdf
Question 63
An organization wants to improve its cybersecurity processes and to add intelligence to its data. The
organization wants to utilize the most current intelligence data for URL filtering, reputations, and
vulnerability information that can be integrated with the Cisco FTD and Cisco WSA. What must be done to
accomplish these objectives?
A. Create a Cisco pxGrid connection to NIST to import this information into the security products for policy
use
B. Create an automated download of the Internet Storm Center intelligence feed into the Cisco FTD and
Cisco WSA databases to tie to the dynamic access control policies.
C. Download the threat intelligence feed from the IETF and import it into the Cisco FTD and Cisco WSA
databases
D. Configure the integrations with Talos Intelligence to take advantage of the threat intelligence that it
provides
Answer: D
Explanation
We need an automated solution to deal with the rapid change of cybersecurity, so answers A and C are not
correct.
According to the following facts about Talos, we believe answer D is the best choice:
Cisco WSA detects and correlates threats in real time by tapping into the largest threat-detection network
in the world, Cisco Talos. To discover where threats are hiding, Cisco Talos pulls massive quantities of
information across multiple vectors – firewall, IPS, web, email, and VPN. Cisco Talos constantly refreshes
information every 3 to 5 minutes – adding intelligence to and receiving intelligence from Cisco WSA and
other network security devices. This enables Cisco WSA to deliver industry-leading defense hours and even
days ahead of competitors.
Reference: https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/solution-
overview-c22-732948.html
Talos’ threat intelligence supports a two-way flow of telemetry and protection across market-leading
security solutions including Next-Generation Intrusion Prevention System (NGIPS), Next-Generation
Firewall (NGFW), Advanced Malware Protection (AMP), Email Security Appliance (ESA), Cloud Email
Security (CES), Cloud Web Security (CWS), Web Security Appliance (WSA), Umbrella, and ThreatGrid, as
well as numerous open-source and commercial threat protection systems.
Reference: https://www.talosintelligence.com/docs/Talos_WhitePaper.pdf
Question 64
Cisco SensorBase gathers threat information from a variety of Cisco products and services and performs
analytics to find patterns on threats. Which term describes this process?
A. deployment
B. consumption
C. authoring
D. sharing
Answer: A
Question 65
An organization has a requirement to collect full metadata information about the traffic going through their
AWS cloud services. They want to use this information for behavior analytics and statistics. Which two
actions must be taken to implement this requirement? (Choose two)
Answer: D E
Question 66
What will occur when this device tries to connect to the port?
A. 802.1X will not work, but MAB will start and allow the device on the network
B. 802.1X will not work and the device will not be allowed network access
C. 802.1X will work and the device will be allowed on the network
D. 802.1X and MAB will both be used and ISE can use policy to determine the access level
Answer: C
Explanation
In this question we don’t see the “mab” command, so MAC Authentication Bypass (MAB) is not enabled on the
interface -> Answer A and answer D are not correct.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html
+ authentication host-mode multi-auth: allows voice and multiple endpoints on the same physical access
port
+ dot1x timeout tx-period 10: sets the retransmit period to 10 seconds
+ device-tracking attach-policy {policy-name}: applies the IP device tracking (IPDT) policy to the switchport.
The main task is to keep track of connected hosts (the association of MAC and IP address)
These commands enable the SNMP trap for added and removed MACs on the interface:
+ snmp trap mac-notification change added
+ snmp trap mac-notification change removed
Question 67
An engineer is configuring their router to send NetFlow data to Stealthwatch which has an IP address of
1.1.1.1 using the flow record Steathwatch406397954 command. Which additional command is
required to complete the flow record?
Answer: B
Explanation
The “transport udp …” command can only be used under flow exporter. The “cache timeout active …”
command can only be used under flow monitor.
Under flow record, we cannot type “destination 1.1.1.1”. This command can only be used under flow
exporter. We can only use the “match ipv4 ttl” command under flow record in this question.
Question 68
An engineer needs to add protection for data in transit and have headers in the email message. Which
configuration is needed to accomplish this goal?
Answer: B
Question 69
An administrator is adding a new switch onto the network and has configured AAA for network access
control. When testing the configuration, the RADIUS authenticates to Cisco ISE but is being rejected. Why
is the ip radius source-interface command needed for this configuration?
A. Only requests that originate from a configured NAS IP are accepted by a RADIUS server
B. The RADIUS authentication key is transmitted only from the defined RADIUS source interface
C. RADIUS requests are generated only by a router if a RADIUS source interface is defined
D. Encrypted RADIUS authentication requires the RADIUS source interface be defined
Answer: A
Explanation
The source IP address of the RADIUS packets must match the NAS IP address configured on the RADIUS
server. A mismatch leads to RADIUS packet timeout and the server gets marked “DEAD”.
Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html
Question 70
interface GigabitEthernet1/0/18
switchport access vlan 41
switchport mode access
switchport voice vlan 44
device-tracking attach-policy IPDT_MAX_10
authentication periodic
A Cisco ISE administrator adds a new switch to an 802.1X deployment and has difficulty with some
endpoints gaining access. Most PCs and IP phones can connect and authenticate using their machine
certificate credentials. However, printers and video cameras cannot, based on the interface configuration
provided. What must be done to get these devices onto the network using Cisco ISE for authentication and
authorization while maintaining security controls?
A. Change the default policy in Cisco ISE to allow all devices not using machine authentication
B. Enable insecure protocols within Cisco ISE in the allowed protocols configuration
C. Configure authentication event fail retry 2 action authorize vlan 41 on the interface
D. Add mab to the interface configuration
Answer: A
Question 71
What is the function of the crypto isakmp key cisc406397954 address 0.0.0.0 0.0.0.0 command
when establishing an IPsec VPN tunnel?
Answer: B
Explanation
Note:
+ “address 0.0.0.0 0.0.0.0” means the remote peer is any -> any peer address can try to negotiate with this
router.
+ The Phase 1 pre-shared key (password) is “cisc406397954”.
Question 72
An engineer is adding a Cisco DUO solution to the current TACACS+ deployment using Cisco ISE. The
engineer wants to authenticate users using their account when they log into network devices. Which action
accomplishes this task?
A. Configure Cisco DUO with the external Active Directory connector and tie it to the policy set within Cisco
ISE
B. Install and configure the Cisco DUO Authentication Proxy and configure the identity source sequence
within Cisco ISE
C. Create an identity policy within Cisco ISE to send all authentication requests to Cisco DUO
D. Modify the current policy with the condition MFASourceSequence DUO=true in the authorization
conditions within Cisco ISE
Answer: B
Explanation
Duo MFA Integration with ISE for TACACS+ Device Administration with Local/Internal (ISE) Users
In this setup, ISE will forward the TACACS+ authentication requests to the Duo Authentication Proxy. The
proxy will then punt the requests back to ISE for local user authentication. This can be a little bit confusing,
but it is necessary for organizations that want to utilize the local user database on ISE and not rely on
external identity sources such as Active Directory, LDAP, etc. If the authentication is successful, the end
user/admin will be sent a “Duo Push.” If the local ISE authentication fails, then the process will stop and
no “Duo Push” will occur.
1. Admin user initiates a shell connection to a network device where he/she uses Active Directory based
credentials
2. Network device forwards the request to the TACACS+ server (ISE)
3. ISE sends the authentication request to Duo’s Authentication Proxy
4. The proxy forwards the request back to ISE for the 1st factor authentication
5. ISE informs the Authentication Proxy if the local authentication was successful
6. Upon successful ISE authentication, the Authentication Proxy sends an authentication request to Duo
cloud for 2nd factor authentication
7. Duo cloud sends a “push” to the admin user
8. Admin user “approves” the “push”
9. Duo informs the Authentication Proxy of the successful push
10. Authentication proxy informs ISE of a successful Authentication
11. ISE Authorizes the admin user
Also, according to this Cisco link, we need to configure an “Identity Source Sequence” in Cisco ISE:
Question 73
An organization is selecting a cloud architecture and does not want to be responsible for patch
management of the operating systems. Why should the organization select either Platform as a Service or
Infrastructure as a Service for this environment?
Answer: C
Explanation
We don’t want to manage the OS so we should choose PaaS or SaaS. But this question only wants to
compare between PaaS and IaaS so we must choose PaaS.
Question 74
A. It is an authentication broker to enable single sign-on and multi-factor authentication for a cloud
solution
B. It integrates with other cloud solutions via APIs and monitors and creates incidents based on events
from the cloud solution
C. It acts as a security information and event management solution and receives syslog from other cloud
solutions
D. It scans other cloud solutions being used within the network and identifies vulnerabilities
Answer: B
Question 75
A Cisco AMP for Endpoints administrator configures a custom detection policy to add specific MD5
signatures. The configuration is created in the simple detection policy section, but it does not work. What
is the reason for this failure?
A. The administrator must upload the file instead of the hash for Cisco AMP to use
B. The MD5 hash uploaded to the simple detection policy is in the incorrect format
C. The APK must be uploaded for the application that the detection is intended
D. Detections for MD5 signatures must be configured in the advanced custom detection policies
Answer: D
Question 76
Answer: B
Explanation
A vulnerability is a weakness in a software system. And an exploit is an attack that leverages that
vulnerability.
Question 77
A. big data
B. storm centers
C. sandboxing
D. blocklisting
Answer: C
Question 78
Which system facilitates deploying microsegmentation and multi-tenancy services with a policy-based
container?
A. SDLC
B. Docker
C. Lambda
D. Contiv
Answer: D
Explanation
Contiv is an open source project that allows you to deploy micro-segmentation policy-based services in
container environments. It offers a higher level of networking abstraction for microservices by providing a
policy framework. Contiv has built-in service discovery and service routing functions to allow you to scale
out services.
Reference: https://www.ciscopress.com/articles/article.asp?p=3004581&seqNum=2
Question 79
An engineer integrates Cisco FMC and Cisco ISE using pxGrid. Which role is assigned for Cisco FMC?
A. client
B. server
C. publisher
D. controller
Answer: C
Explanation
pxGrid stands for Platform Exchange Grid, and it is a technology that allows integrating multiple vendors’
security products together and grouping them in an ecosystem domain. The main purpose of using pxGrid
is to share contextual data between the integrated partners.
pxGrid uses a built-in API in ISE and is comprised of three main components: the controller, the
publisher and the subscriber. The controller is the core component that makes everything work and, as said,
is ISE. The publisher is the partner that has some contextual data to be shared with
the other partners. And finally the subscriber is the partner that is interested in consuming some contextual
data from the other partners.
Reference: https://bluenetsec.com/fmc-pxgrid-integration-with-ise/
FMC is a subscriber but we have no such option so the best answer here is “publisher”.
Question 80
A network security engineer must export packet captures from the Cisco FMC web browser while
troubleshooting an issue. When navigating to the address https://<FMC IP>/capure/CAPI/pcap/test.pcap,
an error 403: Forbidden is given instead of the PCAP file. Which action must the engineer take to resolve
this issue?
Answer: D
Explanation
When you see this HTTP RESPONSE in a packet capture (PCAP), it’s likely that proxy is denying the
request.
To verify this, get a policy trace, and look for the exact HTTP REQUEST sent by the client, and match it
with the policy rules. You will find either a DENY or Denied by Exception result.
You can then modify the rule to allow this HTTP REQUEST, if appropriate.
Reference: https://knowledge.broadcom.com/external/article/167567/why-do-my-pcaps-show-an-http-response-fr.html
Question 81
A. Cisco Umbrella
B. Cisco ISE
C. Cisco ASA
D. Cisco FTD
Answer: A
Question 82
A. After four unsuccessful log in attempts, the line is blocked for 100 seconds and only permit IP addresses
A are permitted in ACL 60
B. After four unsuccessful log in attempts, the line is blocked for 60 seconds and only permit IP addresses
C are permitted in ACL 100
C. If four log in attempts fail in 100 seconds, wait for 60 seconds to next log in prompt
D. If four failures occur in 60 seconds, the router goes to quiet mode for 100 seconds
Answer: D
Explanation
The following example shows how to configure your router to enter a 100-second quiet period if 15 failed
login attempts are exceeded within 100 seconds; all login requests will be denied during the quiet period
except hosts from the ACL “myacl.”
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16/sec-usr-cfg-xe-16-book/sec-login-enhance.html
Question 83
A. scalability
B. security
C. encapsulation
D. accuracy
Answer: A
Explanation
SNMP uses the pull model when retrieving data from a switch. This model cannot scale for today’s high-
density platforms, and offers very limited extensibility. The pull model is based on a client sending a
request to the switch, then the switch responds to that request. On average, network operators using
SNMP poll data every five to thirty minutes. But with today’s speeds and scale that’s not enough to
capture important network events.
These traditional models also impose limits like scale and efficiency -> So we can deduce network
telemetry is more scalable than SNMP pulls.
Reference: https://blogs.cisco.com/developer/its-time-to-move-away-from-snmp-and-cli-and-use-model-driven-telemetry
Question 84
Answer: C
Explanation
Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or
more verification factors to gain access to a resource. MFA requires means of verification that
unauthorized users won’t have.
Note: Single sign-on (SSO) is a property of identity and access management that enables users to
securely authenticate with multiple applications and websites by logging in only once with just one set of
credentials (username and password). With SSO, the application or website that the user is trying to
access relies on a trusted third party to verify that users are who they say they are.
Question 85
An engineer is trying to decide between using L2TP or GRE over IPsec for their site-to-site VPN
implementation. What must be understood before choosing a solution?
A. L2TP uses TCP port 47 and GRE over IPsec uses UDP port 1701.
B. GRE over IPsec cannot be used as a standalone protocol, and L2TP can.
C. GRE over IPsec adds its own header, and L2TP does not
D. L2TP is an IP packet encapsulation protocol, and GRE over IPsec is a tunneling protocol.
Answer: C
Explanation
L2TP uses UDP port 1701 while GRE uses IP protocol 47 -> Answer A is not correct.
L2TP stands for Layer 2 Tunneling Protocol while GRE is a simple IP packet encapsulation protocol ->
Answer D is not correct.
This O’Reilly link says: “It is unlikely that you will set up L2TP as a standalone protocol, as it has no
authentication and encryption on its own. The more likely scenario is setting up an L2TP/IPsec tunnel”. So
we understand that L2TP can be set up as a standalone protocol, but should not be -> Answer B is not
correct.
The CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide book says “the GRE protocol adds its
own header (4 bytes plus options) between the payload (data) and the delivery header” while the entire
L2TP packet, including payload and L2TP header, is sent within a User Datagram Protocol (UDP) datagram
-> Answer C is correct.
Question 86
What are two functionalities of northbound and southbound APIs within Cisco SDN architecture? (Choose
two.)
A. Southbound APIs are used to define how SDN controllers integrate with applications.
B. Northbound interfaces utilize OpenFlow and OpFlex to integrate with network devices.
C. Northbound APIs utilize RESTful API methods such as GET, POST, and DELETE.
D. Southbound interfaces utilize device configurations such as VLANs and IP addresses.
E. Southbound APIs utilize CLI, SNMP, and RESTCONF.
Answer: C E
Explanation
Northbound APIs are used to define how SDN controllers integrate with applications -> Answer A is not
correct.
OpenFlow and OpFlex are Southbound APIs -> Answer B is not correct.
Southbound APIs utilize NETCONF, RESTCONF, SNMP, Telnet, SSH… -> Answer D is not correct while
answer E is correct.
Question 87
Which two solutions help combat social engineering and phishing at the endpoint level? (Choose two)
A. Cisco ISE
B. Cisco Umbrella
C. Cisco DNA Center
D. Cisco TrustSec
E. Cisco Duo Security
Answer: B E
Question 88
A network engineer must migrate a Cisco WSA virtual appliance from one physical host to another physical
host by using VMware vMotion. What is a requirement for both physical hosts?
Answer: C
Explanation
Requirements:
+ Both physical hosts must have the same network configuration.
+ Both physical hosts must have access to the same defined network(s) to which the interfaces on the
virtual appliance are mapped.
+ Both physical hosts must have access to the datastore that the virtual appliance uses. This datastore
can be a storage area network (SAN) or Network-attached storage (NAS).
+ The Cisco Secure Email Virtual Gateway must have no mail in its queue.
Reference: https://www.cisco.com/c/dam/en/us/td/docs/security/content_security/virtual_appliances/Cisco_Content_Security_Virtual_Appliance_Install_Guide.pdf
Question 89
An engineer is implementing Cisco CES in an existing Microsoft Office 365 environment and must route
inbound email to Cisco CES addresses. Which DNS record must be modified to accomplish this task?
A. CNAME
B. MX
C. DKIM
D. SPF
Answer: B
Explanation
In order to route inbound email to Cisco CES addresses we must change the MX record.
Reference: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3433.pdf
At this point, you are ready to cut over the domain through a Mail Exchange (MX) record change. Work
with your DNS administrator to resolve your MX records to the IP addresses for your Cisco Secure Email
Cloud instance as provided in your Cisco Secure Email welcome letter.
Reference: https://www.cisco.com/c/en/us/support/docs/security/cloud-email-security/214812-configuring-office-365-microsoft-with.html
Question 90
Which method of attack is used by a hacker to send malicious code through a web application to an
unsuspecting user so that the victim’s web browser executes the code?
A. buffer overflow
B. SQL injection
C. browser WGET
D. cross-site scripting
Answer: D
Question 91
What are two ways a network administrator transparently identifies users using Active Directory on the
Cisco WSA? (Choose two)
Answer: C E
Explanation
Consider the following when you identify users transparently using Active Directory:
+ Transparent user identification with Active Directory works with an NTLM or Kerberos authentication
scheme only. You cannot use it with an LDAP authentication realm that corresponds to an Active Directory
instance.
+ Transparent user identification works with the versions of Active Directory supported by an Active
Directory agent.
Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html
Question 92
Answer: A
Explanation
Umbrella Roaming is a cloud-delivered security service for Cisco’s next-generation firewall. It protects your
employees even when they are off the VPN. No additional agents are required. Simply enable the Umbrella
functionality in the Cisco AnyConnect client. You’ll get seamless protection against malware, phishing, and
command-and-control callbacks wherever your users go.
Reference: https://www.cisco.com/c/en/us/products/security/umbrella/umbrella-roaming.html
Question 93
An engineer is configuring Cisco Umbrella and has an identity that references two different policies. Which
action ensures that the policy that the identity must use takes precedence over the second one?
A. Configure only the policy with the most recently changed timestamp.
B. Make the correct policy first in the policy order.
C. Configure the default policy to redirect the requests to the correct policy.
D. Place the policy with the most-specific configuration last in the policy order.
Answer: B
Question 94
Which configuration item makes it possible to have the AAA session on the network?
Answer: A
Explanation
+ The exhibit in this question shows a successful MAB authorization for the MAC address (from the line
“Status: Authorized” and the last line “mab Authc Success”), so we need the keyword “authorization” in our
AAA command.
+ The authorized device is a Microsoft workstation, so we need the keyword “network” in our AAA
command.
-> The command “aaa authorization network default group ise” is the correct answer. This command
configures network authorization via ISE.
Question 95
What is the function of the Python script code snippet for the Cisco ASA REST API?
Answer: D
Explanation
Reference: https://github.com/timwukp/Cisco-ASA-REST-API/blob/master/POST__api_access_global_rules_input_loop.py
Question 96
When creating an access rule for URL filtering, a network engineer adds certain categories and individual
URLs to block. What is the result of the configuration?
A. Only URLs for botnets with a reputation score of 3 will be allowed while the rest will be blocked
B. Only URLs for botnets with reputation scores of 1-3 will be blocked
C. Only URLs for botnets with reputation scores of 3-5 will be blocked
D. Only URLs for botnets with a reputation score of 3 will be blocked
Answer: B
Explanation
When you create a rule to Block traffic based on a reputation level, selection of a reputation level also
selects all of the reputation levels more severe than the level you originally selected. For example, if you
configure a rule to block Benign Sites with security risks (level 3), it also automatically blocks Suspicious
sites (level 2) and High risk (level 1) sites.
Reference: https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118852-technote-firesight-00.html
Question 97
A. Northbound APIs provide a programmable interface for applications to dynamically configure the
network.
B. Northbound APIs form the interface between the SDN controller and business applications.
C. Northbound APIs use the NETCONF protocol to communicate with applications.
D. Northbound APIs form the interface between the SDN controller and the network switches or routers.
E. OpenFlow is a standardized northbound API protocol.
Answer: A B
Explanation
Northbound APIs present an abstraction of network functions with a programmable interface for
applications to consume the network services and configure the network dynamically -> Answer A is
correct.
Northbound APIs usually use RESTful APIs to communicate with applications -> Answer C is not correct.
Southbound APIs form the interface between the SDN controller and the network switches or routers ->
Answer D is not correct.
OpenFlow and NETCONF are Southbound APIs used for most SDN implementations -> Answer E is not
correct.
Question 98
A. two-factor authentication
B. end-to-end encryption
C. application security gateway
D. modular policy framework
Answer: A
Explanation
According to this link, we can use the following to secure SaaS-based applications:
+ Set up single sign-on (SSO) integrations
+ Use multi-factor authentication (MFA) -> Answer A is correct.
+ Install and integrate an identity governance solution
+ Stay up to date
Question 99
A Cisco ISE engineer configures Central Web Authentication (CWA) for wireless guest access and must
have the guest endpoints redirect to the guest portal for authentication and authorization. While testing
the policy, the engineer notices that the device is not redirected and instead gets full guest access. What
must be done for the redirect to work?
Answer: C
Explanation
built-in profile called Cisco_WebAuth that references a built-in self-registered Guest portal. The WLC and
switch require a preconfigured redirect ACL.
AireOS does not support downloadable ACLs. Therefore, ACLs must be configured locally on the wireless
controller (or access points in FlexConnect mode). The ACL names must match in both ISE and in AireOS.
The figure below indicates for a wireless guest:
Reference: https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475
Question 100
What is a difference between Cisco AMP for Endpoints and Cisco Umbrella?
A. Cisco AMP for Endpoints prevents, detects, and responds to attacks before damage can be done, and
Cisco Umbrella provides the first line of defense against Internet threats.
B. Cisco AMP for Endpoints prevents connections to malicious destinations, and Cisco Umbrella works at
the file level to prevent the initial execution of malware.
C. Cisco AMP for Endpoints automatically researches indicators of compromise and confirms threats, and
Cisco Umbrella does not
D. Cisco AMP for Endpoints is a cloud-based service, and Cisco Umbrella is not
Answer: A
Question 101
Answer: C
Explanation
A SYN flood (half-open attack) is a type of denial-of-service (DDoS) attack which aims to make a server
unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending initial
connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted
server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.
Question 102
Which open standard creates a framework for sharing threat intelligence in a machine-digestible format?
A. OpenC2
B. OpenIoC
C. STIX
D. Cybox
Answer: B
Explanation
OpenIOC is an open framework, meant for sharing threat intelligence information in a machine-readable
format. It was developed by the American cybersecurity firm MANDIANT in November 2011. It is written in
eXtensible Markup Language (XML) and can be easily customized for additional intelligence so that incident
responders can translate their knowledge into a standard format. Organizations can leverage this format
to share threat-related latest Indicators of Compromise (IoCs) with other organizations, enabling real-time
protection against the latest threats.
Question 103
Which two methods must be used to add switches into the fabric so that administrators can control how
switches are added into DCNM for private cloud management? (Choose two)
Answer: A C
Explanation
Cisco Data Center Network Manager (DCNM) offers network management system (NMS) support for
traditional or multiple-tenant LAN and SAN fabrics. Cisco DCNM uses PowerOn Auto Provisioning (POAP) to
automate the process of upgrading software images and installing configuration files on Cisco Nexus
switches that are being deployed in the network.
Reference: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/prime-data-center-network-manager/guide-c07-740626.html
Question 104
A. Full-Time
B. Contractor
C. Yearly
D. Monthly
Answer: B
Explanation
Each guest account must be associated with a guest type. Guest types allow a sponsor to assign different
levels of access and different network connection times to a guest account. These guest types are
associated with particular network access policies. Cisco ISE includes these default guest types:
Contractor – Users who need access to the network for an extended amount of time, up to a year.
Daily – Guests who need access to the resources on the network for just 1 to 5 days.
Weekly – Users who need access to the network for a couple of weeks.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01111.html
Question 105
An engineer configures new features within the Cisco Umbrella dashboard and wants to identify and proxy
traffic that is categorized as risky domains and may contain safe and malicious content. Which action
accomplishes these objectives?
A. Configure intelligent proxy within Cisco Umbrella to intercept and proxy the requests for only those
categories
B. Upload the threat intelligence database to Cisco Umbrella for the most current information on
reputations and to have the destination lists block them.
C. Create a new site within Cisco Umbrella to block requests from those categories so they can be sent to
the proxy device.
D. Configure URL filtering within Cisco Umbrella to track the URLs and proxy the requests for those
categories and below.
Answer: A
Explanation
The ‘greylist’ of risky domains is comprised of domains that host both malicious and safe content—we
consider these “risky” domains. These sites often allow users to upload and share content—making them
difficult to police, even for the admins of the site.
Reference: https://docs.umbrella.com/deployment-msp/docs/what-is-the-intelligent-proxy
Question 106
An administrator enables Cisco Threat Intelligence Director on a Cisco FMC. Which process uses STIX and
allows uploads and downloads of block lists?
A. consumption
B. editing
C. sharing
D. authoring
Answer: A
Question 107
Answer: B
Question 108
A. Environments deploy a container orchestration platform, such as Kubernetes, to manage the application
delivery
B. Environments apply a zero-trust model and specify how applications on different servers or containers
can communicate
C. Environments implement private VLAN segmentation to group servers with similar applications
D. Environments deploy centrally managed host-based firewall rules on each server or container
Answer: B
Explanation
Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to
be authenticated, authorized, and continuously validated for security configuration and posture before
being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional
network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as
well as workers in any location.
The Zero Trust model uses microsegmentation — a security technique that involves dividing perimeters
into small zones to maintain separate access to every part of the network — to contain attacks.
Question 109
Which security product enables administrators to deploy Kubernetes clusters in air-gapped sites without
needing Internet access?
Answer: B
Explanation
Reference: https://www.cisco.com/c/en/us/products/cloud-systems-management/container-platform/index.html#~stickynav=3
Question 110
What are two functions of TAXII in threat intelligence sharing? (Choose two)
Answer: A B
Explanation
In short, TAXII is about how parties communicate to exchange threat intelligence and STIX is about
describing that threat intelligence in a structured way.
Reference: https://logsentinel.com/blog/the-importance-of-threat-intelligence-sharing-through-taxii-and-stix/?cookie-state-change=1639912854054
STIX states the “what” of threat intelligence, while TAXII defines “how” that information is relayed.
Reference: https://www.anomali.com/resources/what-are-stix-taxii
Question 111
An engineer must modify a policy to block specific addresses using Cisco Umbrella. The policy is created
already and is actively used by devices, using many of the default policy elements. What else must be
done to accomplish this task?
Answer: A
Explanation
Content Categories – Allows you to block access to categories of websites – groupings of sites with
similarly themed content. For example, sports, gambling, or astrology…, not specific addresses -> Answer
B is not correct.
Application Settings – Allows you to block access to specific applications (not specific addresses). For
example, Netflix, Facebook, or Amazon -> Answer D is not correct.
Destination Lists allows you to create a unique list of destinations (for example, domain name or URL) to
which you can block or allow access -> Answer A is correct.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/customize-your-policies-1
An identity list cannot be an address, as Umbrella uses the following identities: Network, Network Device,
Roaming Computers, Mobile Devices, Chromebook, Network Tunnel and Web Users and Groups.
Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/umbrella-design-guide.pdf
Question 112
Drag and drop the descriptions from the right onto the correct positions on the left.
Answer:
+ threat prevention and mitigation for known and unknown threats: NGIPS
+ real-time threat intelligence and security protection: Collective Security Intelligence
+ detection, blocking and remediation to protect the enterprise against targeted malware attacks: AMP
+ policy enforcement based on complete visibility of users and communication between virtual machines:
Full Context Awareness
Question 113
All servers are in the same VLAN/Subnet. DNS Server-1 and DNS Server-2 must communicate with each
other, and all servers must communicate with default gateway multilayer switch. Which type of private
VLAN ports should be configured to prevent communication between DNS servers and the file server?
Answer: A
Explanation
* Isolated: can only communicate with promiscuous ports. Notice that it cannot even communicate with
another isolated port. Also, there can be only 1 isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this
port so that all devices in PVLAN can go outside.
* Community: can communicate with other members of that community and promiscuous ports but
cannot communicate with other communities. There can be multiple community VLANs per PVLAN.
Question 1
A Cisco ESA network administrator has been tasked to use a newly installed service to help create policy
based on the reputation verdict. During testing, it is discovered that the Cisco ESA is not dropping files
that have an undetermined verdict. What is causing this issue?
Answer: C
Explanation
If the file is known to the reputation service but there is insufficient information for a definitive verdict, the
reputation service returns a reputation score based on characteristics of the file such as threat fingerprint
and behavioral analysis. If this score meets or exceeds the configured reputation threshold, the appliance
applies the action that you have configured in the mail policy for files that contain malware.
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-
1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_010000.html
From the reference we can deduce that the file reputation score is below the threshold so ESA is not
dropping it.
Question 2
An administrator is trying to determine which applications are being used in the network but does not want
the network devices to send metadata to Cisco Firepower. Which feature should be used to accomplish
this?
A. NetFlow
B. Packet Tracer
C. Network Discovery
D. Access Control
Answer: C
Explanation
NetFlow is a network protocol developed by Cisco for the collection and monitoring of network traffic flow
data generated by NetFlow-enabled routers and switches. The flows do not contain actual packet data, but
rather the metadata for communications. It is a standard form of session data that details who, what,
when, and where of network traffic -> Answer A is not correct.
Reference: https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/enterprise-network-
security/white-paper-c11-736595.html
Question 3
Which attack is preventable by Cisco ESA but not by the Cisco WSA?
A. buffer overflow
B. DoS
C. SQL injection
D. phishing
Answer: D
Explanation
The following are the benefits of deploying Cisco Advanced Phishing Protection on the Cisco Email Security
Gateway:
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-
5/user_guide/b_ESA_Admin_Guide_13-5/m_advanced_phishing_protection.html
Question 4
A Cisco ESA administrator has been tasked with configuring the Cisco ESA to ensure there are no viruses
before quarantined emails are delivered. In addition, delivery of mail from known bad mail servers must
be prevented. Which two actions must be taken in order to meet these requirements? (Choose two)
Answer: A E
Explanation
We should scan emails using AntiVirus signatures to make sure there are no viruses attached in emails.
Note: A virus signature is the fingerprint of a virus. It is a set of unique data, or bits of code, that allows it
to be identified. Antivirus software uses a virus signature to find a virus in a computer file system, allowing
it to detect, quarantine, and remove the virus.
SenderBase is an email reputation service designed to help email administrators research senders, identify
legitimate sources of email, and block spammers. When the Cisco ESA receives messages from known or
highly reputable senders, it delivers them directly to the end user without any content scanning. However,
when the Cisco ESA receives email messages from unknown or less reputable senders, it performs
antispam and antivirus scanning.
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-
0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_0100100.html
-> Therefore Outbreak filters can be used to block emails from bad mail servers.
Web servers and email gateways are generally located in the DMZ so
Note: The recipient access table (RAT), not to be confused with remote-access Trojan (also RAT), is a
Cisco ESA term that defines which recipients are accepted by a public listener.
Question 5
Which type of dashboard does Cisco DNA Center provide for complete control of the network?
A. service management
B. centralized management
C. application management
D. distributed management
Answer: B
Explanation
Cisco’s DNA Center is the only centralized network management system to bring all of this functionality
into a single pane of glass.
Reference: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-
center/nb-06-dna-center-faq-cte-en.html
Question 6
In an IaaS cloud services model, which security function is the provider responsible for managing?
A. Internet proxy
B. firewalling virtual machines
C. CASB
D. hypervisor OS hardening
Answer: B
Explanation
In this IaaS model, cloud providers offer resources to users/machines that include computers as virtual
machines, raw (block) storage, firewalls, load balancers, and network devices.
Reference: https://ieeexplore.ieee.org/document/8777457
This is a controversial question but according to the above reference, IaaS is responsible for both virtual
machines and firewall so we believe the answer “firewalling virtual machines” is better than “hypervisor OS
hardening”.
Note: Cloud access security broker (CASB) provides visibility and compliance checks, protects data against
misuse and exfiltration, and provides threat protections against malware such as ransomware.
Question 7
A network engineer has been tasked with adding a new medical device to the network. Cisco ISE is being
used as the NAC server, and the new device does not have a supplicant available. What must be done in
order to securely connect this device to the network?
Answer: A
Explanation
As the new device does not have a supplicant, we cannot use 802.1X.
MAC Authentication Bypass (MAB) is a fallback option for devices that don’t support 802.1X. It is virtually
always used in deployments in some way, shape or form. MAB works by having the authenticator take the
connecting device’s MAC address and send it to the authentication server as its username and password.
The authentication server will check its policies and send back an Access-Accept or Access-Reject, just like
it would with 802.1X.
Cisco ISE Profiling Services provides dynamic detection and classification of endpoints connected to the
network. Using MAC addresses as the unique identifier, ISE collects various attributes for each network
endpoint to build an internal endpoint database. The classification process matches the collected attributes
to prebuilt or user-defined conditions, which are then correlated to an extensive library of profiles. These
profiles include a wide range of device types, including mobile clients (iPads, Android tablets,
Chromebooks, and so on), desktop operating systems (for example, Windows, Mac OS X, Linux, and
others), and numerous non-user systems such as printers, phones, cameras, and game consoles.
Once classified, endpoints can be authorized to the network and granted access based on their profile. For
example, endpoints that match the IP phone profile can be placed into a voice VLAN using MAC
Authentication Bypass (MAB) as the authentication method. Another example is to provide differentiated
network access to users based on the device used. For example, employees can get full access when
accessing the network from their corporate workstation but be granted limited network access when
accessing the network from their personal iPhone.
Reference: https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
Question 8
An engineer is implementing NTP authentication within their network and has configured both the client
and server devices with the command ntp authentication-key 1 md5 Cisc392368270. The server at 1.1.1.1
is attempting to authenticate to the client at 1.1.1.2, however it is unable to do so. Which command is
required to enable the client to accept the server’s authentication key?
Answer: B
Explanation
To configure an NTP-enabled router to require authentication when other devices connect to it, use the
following commands:
Then you must configure the same authentication-key on the client router:
Note: To configure a Cisco device as a NTP client, use the command ntp server <IP address>. For
example: Router(config)#ntp server 10.10.10.1. This command will instruct the router to query
10.10.10.1 for the time.
Question 9
Answer: C
Question 10
Drag and drop the NetFlow export formats from the left onto the descriptions on the right.
Answer:
Explanation
The Version 1 format was the initially released version. Do not use the Version 1 format unless you are
using a legacy collection system that requires it. Use Version 9 or Version 5 export format.
Version 5 export format is suitable only for the main cache; it cannot be expanded to support new
features.
Version 8 export format is available only for aggregation caches; it cannot be expanded to support new
features.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-
book/cfg-nflow-data-expt.html
Question 11
An organization has noticed an increase in malicious content downloads and wants to use Cisco Umbrella
to prevent this activity for suspicious domains while allowing normal web traffic. Which action will
accomplish this task?
Answer: B
Explanation
Obviously, if you allow all traffic to these risky domains, users might access malicious content, resulting in
an infection or data leak. But if you block traffic, you can expect false positives, an increase in support
inquiries, and thus, more headaches. By only proxying risky domains, the intelligent proxy delivers more
granular visibility and control.
The intelligent proxy bridges the gap by allowing access to most known good sites without being proxied
and only proxying those that pose a potential risk. The proxy then filters and blocks against specific URLs
hosting malware while allowing access to everything else.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/what-is-the-intelligent-proxy
Question 12
With which components does a southbound API within a software-defined network architecture
communicate?
Answer: D
Explanation
The Southbound API is used to communicate between Controllers and network devices.
Question 13
A network administrator needs to find out what assets currently exist on the network. Third-party systems
need to be able to feed host data into Cisco Firepower. What must be configured to accomplish this?
Answer: A
Explanation
You can configure discovery rules to tailor the discovery of host and application data to your needs.
The Firepower System can use data from NetFlow exporters to generate connection and discovery events,
and to add host and application data to the network map.
A network analysis policy governs how traffic is decoded and preprocessed so it can be further
evaluated, especially for anomalous traffic that might signal an intrusion attempt -> Answer D is not
correct.
Question 14
When configuring ISAKMP for IKEv1 Phase 1 on a Cisco IOS router, an administrator needs to input the
command crypto isakmp key cisco address 0.0.0.0. The administrator is not sure what the IP
address in this command is used for. What would be the effect of changing the IP address from 0.0.0.0
to 1.2.3.4?
A. The key server that is managing the keys for the connection will be at 1.2.3.4
B. The remote connection will only be allowed from 1.2.3.4
C. The address that will be used as the crypto validation authority
D. All IP addresses other than 1.2.3.4 will be allowed
Answer: B
Explanation
The command crypto isakmp key cisco address 1.2.3.4 authenticates the IP address of the 1.2.3.4
peer by using the key cisco. The address of “0.0.0.0” will authenticate any address with this key.
Question 15
Which suspicious pattern enables the Cisco Tetration platform to learn the normal behavior of users?
Answer: A
Explanation
The various suspicious patterns for which the Cisco Tetration platform looks in the current release are:
+ Shell code execution: Looks for the patterns used by shell code.
+ Privilege escalation: Watches for privilege changes from a lower privilege to a higher privilege in the
process lineage tree.
+ Side channel attacks: Cisco Tetration platform watches for cache-timing attacks and page table fault
bursts. Using these, it can detect Meltdown, Spectre, and other cache-timing attacks.
+ Raw socket creation: Creation of a raw socket by a nonstandard process (for example, ping).
+ User login suspicious behavior: Cisco Tetration platform watches user login failures and user login
methods.
+ Interesting file access: Cisco Tetration platform can be armed to look at sensitive files.
+ File access from a different user: Cisco Tetration platform learns the normal behavior of which file is
accessed by which user.
+ Unseen command: Cisco Tetration platform learns the behavior and set of commands as well as the
lineage of each command over time. Any new command or command with a different lineage triggers the
interest of the Tetration Analytics platform.
Reference: https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-
analytics/white-paper-c11-740380.html
Question 16
Due to a traffic storm on the network, two interfaces were error-disabled, and both interfaces sent SNMP
traps. Which two actions must be taken to ensure that interfaces are put back into service? (Choose two)
A. Have Cisco Prime Infrastructure issue an SNMP set command to re-enable the ports after the
preconfigured interval.
B. Use EEM to have the ports return to service automatically in less than 300 seconds.
C. Enter the shutdown and no shutdown commands on the interfaces.
D. Enable the snmp-server enable traps command and wait 300 seconds.
E. Ensure that interfaces are configured with the error-disable detection and recovery feature
Answer: C E
Explanation
Question 17
What is the difference between Cross-site Scripting and SQL Injection attacks?
A. Cross-site Scripting is an attack where code is injected into a database, whereas SQL Injection is an
attack where code is injected into a browser.
B. Cross-site Scripting is a brute force attack targeting remote sites, whereas SQL Injection is a social
engineering attack.
C. Cross-site Scripting is when executives in a corporation are attacked, whereas SQL Injection is when a
database is manipulated.
D. Cross-site Scripting is an attack where code is executed from the server side, whereas SQL Injection is
an attack where code is executed from the client side.
Answer: A
Explanation
Answer B is not correct because Cross-site Scripting (XSS) is not a brute force attack.
Answer C is not correct because the statement “Cross-site Scripting is when executives in a corporation
are attacked” is not true. XSS is a client-side vulnerability that targets other application users.
Answer D is not correct because the statement “Cross-site Scripting is an attack where code is executed
from the server side” is not true. In fact, XSS is a method that exploits a website vulnerability by injecting
scripts that will run on the client’s side.
Therefore only answer A is left. In XSS, an attacker will try to inject his malicious code (usually malicious
links) into a database. When other users follow his links, their web browsers are redirected to websites
where attackers can steal data from them. In a SQL Injection, an attacker will try to inject SQL code (via
his browser) into forms, cookies, or HTTP headers that do not use data sanitizing or validation methods for
GET/POST parameters.
Note: The main difference between a SQL and XSS injection attack is that SQL injection attacks are used
to steal information from databases whereas XSS attacks are used to redirect users to websites where
attackers can steal data from them.
Question 18
A network administrator is configuring a switch to use Cisco ISE for 802.1X. An endpoint is failing
authentication and is unable to access the network. Where should the administrator begin troubleshooting
to verify the authentication details?
Answer: D
Explanation
Reference: https://community.cisco.com/t5/security-documents/how-to-troubleshoot-ise-failed-
authentications-amp/ta-p/3630960
Question 19
A. Place the Cisco ISE server and the AD server in the same subnet
B. Configure a common administrator account
C. Configure a common DNS server
D. Synchronize the clocks of the Cisco ISE server and the AD server
Answer: D
Explanation
The following are the prerequisites to integrate Active Directory with Cisco ISE.
+ Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco ISE
server and Active Directory. You can configure NTP settings from Cisco ISE CLI.
+ If your Active Directory structure has multidomain forest or is divided into multiple forests, ensure that
trust relationships exist between the domain to which Cisco ISE is connected and the other domains that
have user and machine information to which you need access. For more information on establishing trust
relationships, refer to Microsoft Active Directory documentation.
+ You must have at least one global catalog server operational and accessible by Cisco ISE, in the domain
to which you are joining Cisco ISE.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-
0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_8DC463597A644A5C9CF5D5
82B77BB24F
Question 20
An organization recently installed a Cisco WSA and would like to take advantage of the AVC engine to
allow the organization to create a policy to control application specific activity. After enabling the AVC
engine, what must be done to implement this?
Answer: C
Explanation
The Application Visibility and Control (AVC) engine lets you create policies to control application activity on
the network without having to fully understand the underlying technology of each application. You can
configure application control settings in Access Policy groups. You can block or allow applications
individually or according to application type. You can also apply controls to particular application types.
Question 21
Which method is used to deploy certificates and configure the supplicant on mobile devices to gain access
to network resources?
A. BYOD on boarding
B. Simple Certificate Enrollment Protocol
C. Client provisioning
D. MAC authentication bypass
Answer: A
Explanation
When supporting personal devices on a corporate network, you must protect network services and
enterprise data by authenticating and authorizing users (employees, contractors, and guests) and their
devices. Cisco ISE provides the tools you need to allow employees to securely use personal devices on a
corporate network.
Guests can add their personal devices to the network by running the native supplicant provisioning
(Network Setup Assistant), or by adding their devices to the My Devices portal.
Because native supplicant profiles are not available for all devices, users can use the My Devices portal to
add these devices manually; or you can configure Bring Your Own Device (BYOD) rules to register these
devices.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-
4/admin_guide/b_ISE_admin_guide_24/m_ise_devices_byod.html
Question 22
import requests

# Cisco AMP for Endpoints API endpoint that lists the computers with connectors installed
url = "https://api.amp.cisco.com/v1/computers"
headers = {
    'accept': "application/json",
    'content-type': "application/json",
    # placeholder: replace with the base64-encoded "client_id:api_key" credentials
    'authorization': "Basic API Credentials",
    'cache-control': "no-cache"
}
response = requests.request("GET", url, headers=headers)
# response.text holds the JSON body returned by the API
print(response.text)
A. The compromised computers and malware trajectories will be received from Cisco AMP
B. The list of computers and their current vulnerabilities will be received from Cisco AMP
C. The compromised computers and what compromised them will be received from Cisco AMP
D. The list of computers, policies, and connector statuses will be received from Cisco AMP
Answer: D
Explanation
Reference: https://api-
docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fcomputers&api_host=api.apjc.amp.ci
sco.com&api_resource=Computer&api_version=v1
It also lists policies and connector statuses as well. The figure below shows partial output of this script:
Question 23
An organization is trying to implement micro-segmentation on the network and wants to be able to gain
visibility on the applications within the network. The solution must be able to maintain and force
compliance. Which product should be used to meet these requirements?
A. Cisco Umbrella
B. Cisco AMP
C. Cisco Stealthwatch
D. Cisco Tetration
Answer: D
Explanation
Micro-segmentation secures applications by expressly allowing particular application traffic and, by default,
denying all other traffic. Micro-segmentation is the foundation for implementing a zero-trust security
model for application workloads in the data center and cloud.
Cisco Tetration is an application workload security platform designed to secure your compute instances
across any infrastructure and any cloud. To achieve this, it uses behavior and attribute-driven
microsegmentation policy generation and enforcement. It enables trusted access through automated,
exhaustive context from various systems to automatically adapt security policies.
To generate accurate microsegmentation policy, Cisco Tetration performs application dependency mapping
to discover the relationships between different application tiers and infrastructure services. In addition, the
platform supports “what-if” policy analysis using real-time data or historical data to assist in the validation
and risk assessment of policy application pre-enforcement to ensure ongoing application availability. The
normalized microsegmentation policy can be enforced through the application workload itself for a
consistent approach to workload microsegmentation across any environment, including virtualized, bare-
metal, and container workloads running in any public cloud or any data center. Once the
microsegmentation policy is enforced, Cisco Tetration continues to monitor for compliance deviations,
ensuring the segmentation policy is kept up to date as the application behavior changes.
Reference: https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-
analytics/solution-overview-c22-739268.pdf
Question 24
Which factor must be considered when choosing the on-premise solution over the cloud-based one?
A. With an on-premise solution, the provider is responsible for the installation and maintenance of the
product, whereas with a cloud-based solution, the customer is responsible for it
B. With a cloud-based solution, the provider is responsible for the installation, but the customer is
responsible for the maintenance of the product.
C. With an on-premise solution, the provider is responsible for the installation, but the customer is
responsible for the maintenance of the product.
D. With an on-premise solution, the customer is responsible for the installation and maintenance of the
product, whereas with a cloud-based solution, the provider is responsible for it.
Answer: D
Question 25
Which term describes when the Cisco Firepower downloads threat intelligence updates from Cisco Talos?
A. consumption
B. sharing
C. analysis
D. authoring
Answer: A
Explanation
… we will showcase Cisco Threat Intelligence Director (CTID) an exciting feature on Cisco’s Firepower
Management Center (FMC) product offering that automates the operationalization of threat intelligence.
TID has the ability to consume threat intelligence via STIX over TAXII and allows uploads/downloads of
STIX and simple blacklists.
Reference: https://blogs.cisco.com/developer/automate-threat-intelligence-using-cisco-threat-intelligence-
director
Question 26
An organization has a Cisco Stealthwatch Cloud deployment in their environment. Cloud logging is working
as expected, but logs are not being received from the on-premise network. What action will resolve this
issue?
Answer: D
Explanation
You can also monitor on-premises networks in your organizations using Cisco Stealthwatch Cloud. In order
to do so, you need to deploy at least one Cisco Stealthwatch Cloud Sensor appliance (virtual or physical
appliance).
Reference: CCNP And CCIE Security Core SCOR 350-701 Official Cert Guide
Question 27
What does Cisco AMP for Endpoints use to help an organization detect different families of malware?
Answer: A
Explanation
ETHOS is the Cisco file grouping engine. It allows us to group families of files together so if we see
variants of a malware, we mark the ETHOS hash as malicious and whole families of malware are instantly
detected.
Reference: https://docs.amp.cisco.com/AMP%20for%20Endpoints%20User%20Guide.pdf
Reference: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/BRKSEC-2139.pdf
Question 28
What are two characteristics of Cisco DNA Center APIs? (Choose two)
Answer: D E
Question 29
Answer: B
Question 30
In which two ways does Easy Connect help control network access when used with Cisco TrustSec?
(Choose two)
A. It allows multiple security products to share information and work together to enhance security posture
in the network.
B. It creates a dashboard in Cisco ISE that provides full visibility of all connected endpoints.
C. It allows for the assignment of Security Group Tags and does not require 802.1x to be configured on
the switch or the endpoint.
D. It integrates with third-party products to provide better visibility throughout the network.
E. It allows for managed endpoints that authenticate to AD to be mapped to Security Groups (PassiveID).
Answer: C E
Explanation
Easy Connect simplifies network access control and segmentation by allowing the assignment of Security
Group Tags to endpoints without requiring 802.1X on those endpoints, whether using wired or wireless
connectivity.
Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-
networks/trustsec/trustsec-with-easy-connect-configuration-guide.pdf
Question 31
Answer: D
Question 32
An administrator is configuring a DHCP server to better secure their environment. They need to be able to
rate-limit the traffic and ensure that legitimate requests are not dropped. How would this be
accomplished?
Answer: A
Explanation
To understand DHCP snooping we need to learn about DHCP spoofing attack first.
DHCP spoofing is a type of attack in which the attacker listens for DHCP Requests from clients and answers
them with a fake DHCP Response before the authorized DHCP Response reaches the clients. The fake DHCP
Response often gives the attacker’s IP address as the client’s default gateway -> all the traffic sent from the
client will go through the attacker’s computer, and the attacker becomes a “man-in-the-middle”.
The attacker has several ways to make sure the fake DHCP Response arrives first. In fact, if the
attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP
Server so that it can’t send the DHCP Response.
DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that
determines which switch ports can respond to DHCP requests. Ports are identified as trusted and
untrusted.
Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP
messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP
response is seen on an untrusted port, the port is shut down.
Question 33
import requests

# placeholders: replace with the API credentials generated in the AMP for Endpoints console
client_id = '<Client id>'
api_key = '<API Key>'
url = 'https://api.amp.cisco.com/v1/computers'
# the client ID and API key are sent as HTTP Basic authentication credentials
response = requests.get(url, auth=(client_id, api_key))
response_json = response.json()
# each entry under "data" describes one computer with a connector installed
for computer in response_json['data']:
    hostname = computer['hostname']
    print(hostname)
Answer: C
Question 34
When configuring a remote access VPN solution terminating on the Cisco ASA, an administrator would like
to utilize an external token authentication mechanism in conjunction with AAA authentication using
machine certificates. Which configuration item must be modified to allow this?
A. Group Policy
B. Method
C. SAML Server
D. DHCP Servers
Answer: B
Explanation
In order to use AAA along with an external token authentication mechanism, set the “Method” as “Both” in
the Authentication.
Question 35
An engineer has been tasked with implementing a solution that can be leveraged for securing the cloud
users, data, and applications. There is a requirement to use the Cisco cloud native CASB and cloud
cybersecurity platform. What should be used to meet these requirements?
A. Cisco Umbrella
B. Cisco Cloud Email Security
C. Cisco NGFW
D. Cisco Cloudlock
Answer: D
Explanation
Cisco Cloudlock: Secure your cloud users, data, and applications with the cloud-native Cloud Access
Security Broker (CASB) and cloud cybersecurity platform.
Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-web-security/at-a-
glance-c45-738565.pdf
Question 36
An engineer needs a cloud solution that will monitor traffic, create incidents based on events, and
integrate with other cloud solutions via an API. Which solution should be used to accomplish this goal?
A. SIEM
B. CASB
C. Adaptive MFA
D. Cisco Cloudlock
Answer: D
Explanation
+ Cisco Cloudlock continuously monitors cloud environments with a cloud Data Loss Prevention (DLP)
engine to identify sensitive information stored in cloud environments in violation of policy.
+ Cloudlock is API-based.
+ Incidents are a key resource in the Cisco Cloudlock application. They are triggered by the Cloudlock
policy engine when a policy’s detection criteria result in a match in an object (document, field, folder, post,
or file).
Reference: https://docs.umbrella.com/cloudlock-documentation/docs/endpoints
Note:
+ Security information and event management (SIEM) platforms collect log and event data from security
systems, networks and computers, and turn it into actionable security insights.
+ An incident is a record of the triggering of an alerting policy. Cloud Monitoring opens an incident when a
condition of an alerting policy has been met.
Question 37
Answer: C
Question 38
Drag and drop the solutions from the left onto the solution’s benefits on the right.
Answer:
+ software-defined segmentation that uses SGTs and allows administrators to quickly scale and enforce
policies across the network: Cisco TrustSec
+ rapidly collects and analyzes NetFlow and telemetry data to deliver in-depth visibility and understanding
of network traffic: Cisco Stealthwatch
+ secure Internet gateway in the cloud that provides a security solution that protects endpoints on and off
the network against threats on the Internet by using DNS: Cisco Umbrella
+ obtains contextual identity and profiles for all the users and devices connected on a network: Cisco ISE
Question 39
A network administrator is configuring SNMPv3 on a new router. The users have already been created;
however, an additional configuration is needed to facilitate access to the SNMP views. What must the
administrator do to accomplish this?
Answer: B
Question 40
An organization is using Cisco Firepower and Cisco Meraki MX for network security and needs to centrally
manage cloud policies across these platforms. Which software should be used to accomplish this goal?
Answer: A
Explanation
Cisco Defense Orchestrator is a cloud-based management solution that allows you to manage security
policies and device configurations with ease across multiple Cisco and cloud-native security platforms.
Reference: https://www.cisco.com/c/en/us/products/collateral/security/defense-orchestrator/datasheet-c78-736847.html
Question 41
A. It hashes files.
B. It creates one-time use passwords.
C. It encrypts traffic.
D. It generates private keys.
Answer: C
Question 42
Which risk is created when using an Internet browser to access cloud-based service?
Answer: C
Question 43
An organization has a Cisco ESA set up with policies and would like to customize the action assigned for
violations. The organization wants a copy of the message to be delivered with a message added to flag it
as a DLP violation. Which actions must be performed in order to provide this capability?
Answer: D
Explanation
You specify primary and secondary actions that the appliance will take when it detects a possible DLP
violation in an outgoing message. Different actions can be assigned for different violation types and
severities.
Primary actions include:
– Deliver
– Drop
– Quarantine
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010001.html
Question 44
Drag and drop the common security threats from left onto the definitions on the right.
Answer:
+ group of computers connected to the Internet that have been compromised by a hacker using a virus or
Trojan horse: botnet
+ a software program that copies itself from one computer to another, without human interaction: worm
+ fraudulent attempts by cyber criminals to obtain private information: phishing
+ unwanted messages in an email inbox: spam
Question 45
An administrator is adding a new Cisco FTD device to their network and wants to manage it with Cisco
FMC. The Cisco FTD is not behind a NAT device. Which command is needed to enable this on the Cisco
FTD?
Answer: D
Explanation
The “Add device” dialog above is from the FMC when we want to add a new FTD. To let the FMC manage the FTD,
we first need to add the manager from the FTD and assign a registration key of our choice with the
command configure manager add 1.1.1.1 the_registration_key_you_want (suppose 1.1.1.1 is the IP
address of the FMC). You need to use the same registration key in the FMC when adding this FTD as a
managed device.
Reference: https://cyruslab.net/2019/09/03/ciscocisco-firepower-lab-setup/
Note:
– If the FMC is behind a NAT device, enter a unique NAT ID along with the registration key, and specify
DONTRESOLVE instead of the hostname, for example:
> configure manager add DONTRESOLVE regk3y78 natid90
– If the FTD is behind a NAT device, enter a unique NAT ID along with the FMC IP address or hostname,
for example:
> configure manager add 10.70.45.5 regk3y78 natid56
Now return to our question. In the exhibit we see a value of 16 in the “Unique NAT ID” field, and the question
states that the “FTD is not behind a NAT device”, so we can only suppose the FMC is behind a NAT device. The
correct solution would then be “configure manager add DONTRESOLVE <registration key> 16”, but there is no
such answer. Therefore we have to suppose there is no NAT device between the FMC and the FTD.
Question 46
A switch with Dynamic ARP Inspection enabled has received a spoofed ARP response on a trusted
interface. How does the switch behave in this situation?
A. It forwards the packet after validation by using the MAC Binding Table.
B. It drops the packet after validation by using the IP & MAC Binding Table.
C. It forwards the packet without validation.
D. It drops the packet without validation.
Answer: C