Cisco SCOR / CCNP Security Core 350-701 (350-701) — Questions 175

500 questions total · 7 pages · All types, answers revealed

Page 1 of 7

1
Multi-Select · hard

Which THREE of the following are valid considerations when deploying Cisco Advanced Malware Protection (AMP) for Networks on a Firepower system? (Choose three.)

Select 3 answers
A. AMP for Networks should be deployed in inline mode behind the firewall.
B. An AMP subscription must be active on the Firepower Management Center.
C. File inspection must be enabled in the access control policy.
D. The Firepower device must have outbound internet connectivity to the AMP cloud.
E. A dedicated bridge group must be created on the Firepower device.
Answers: B, C, D

Cloud-based file analysis requires a valid license.

Why this answer

Option B is correct because AMP for Networks is licensed separately (the Malware license) and that license must be active on the FMC that manages the device; without it, file rules cannot use the Malware Cloud Lookup or Block Malware actions. Option C is correct because file and malware inspection only happens when a file policy is associated with an access control rule that matches the traffic; a file policy that is defined but never referenced inspects nothing. Option D is correct because the device must reach the AMP cloud to look up SHA-256 dispositions and to submit eligible files for dynamic analysis; without that connectivity, lookups fail, files receive an Unavailable disposition, and nothing is blocked on the basis of cloud intelligence.

Exam trap

Cisco often tests the misconception that AMP for Networks requires inline mode or a specific interface configuration like a bridge group, when in fact it works in multiple deployment modes and only requires a valid subscription, file inspection enabled, and outbound cloud connectivity.

2
MCQ · easy

Which Cisco TrustSec feature uses a classification packet to carry security group information across network devices?

A. Security Group Tag (SGT)
B. Security Group Access Control List (SGACL)
C. MACsec
D. Cisco TrustSec (CTS)
Answer: A

SGTs are inserted into packets to carry group information.

Why this answer

The Security Group Tag (SGT) is the Cisco TrustSec mechanism that embeds security group information directly into a packet's Ethernet frame (typically as a Cisco Meta Data or inline tag). This allows the packet to carry its source group identity across network devices, enabling consistent policy enforcement without requiring per-hop reclassification.

Exam trap

Cisco often tests the distinction between the tag that carries the group information (SGT) and the policy that enforces rules based on that tag (SGACL), so candidates mistakenly choose SGACL because they associate it with security group enforcement.

How to eliminate wrong answers

Option B is wrong because a Security Group Access Control List (SGACL) is a policy rule that defines permitted or denied actions based on SGTs, not a classification packet that carries group information. Option C is wrong because MACsec (802.1AE) provides link-layer encryption and integrity, not a mechanism to carry security group tags across devices. Option D is wrong because Cisco TrustSec (CTS) is the overarching architecture that includes SGT, SGACL, and other components; it is not a specific classification packet that carries group information.

3
Multi-Select · medium

A network engineer is implementing Cisco TrustSec in an enterprise network. Which two components are required for TrustSec to function correctly? (Choose two.)

Select 2 answers
A. ISE
B. AAA server
C. Firepower
D. SXP
E. SGACL
Answers: A, D

ISE is the policy server that defines TrustSec policies and distributes SGTs.

Why this answer

Cisco TrustSec uses the Identity Services Engine (ISE) as the centralized policy server: ISE classifies endpoints, returns the SGT in the RADIUS authorization result, holds the SGACL policy matrix, and pushes IP-to-SGT bindings to devices that cannot learn them otherwise. SXP is the control-plane protocol that carries those bindings across devices or network segments that do not support inline tagging in the data plane. Without ISE there is no mechanism to create, manage, or propagate the SGT-based policies that TrustSec relies on.

Exam trap

Cisco often tests the distinction between required components (ISE and SXP) and optional or derivative elements (AAA server, Firepower, SGACLs) to catch candidates who confuse the policy enforcement mechanism with the foundational infrastructure.

4
Multi-Select · medium

A company is deploying Cisco Secure Endpoint and wants to ensure that endpoints are protected against zero-day exploits. Which two features should be enabled to provide this protection? (Choose two.)

Select 2 answers
A. File Reputation
B. Exploit Prevention
C. Malware Analytics (sandboxing)
D. Application Control
E. Device Control
Answers: B, C

Exploit Prevention protects against exploit techniques used by zero-day attacks.

Why this answer

Exploit Prevention (B) is correct because it uses exploit-specific signatures and behavioral monitoring to block common exploitation techniques (e.g., heap spray, ROP, SEH overwrite) without relying on known malware signatures, making it effective against zero-day exploits. Malware Analytics (C) is correct because it detonates suspicious files in a sandboxed environment to analyze behavior and detect previously unknown threats, providing protection against zero-day malware before signatures are available.

Exam trap

Cisco often tests the distinction between signature-based detection (File Reputation) and behavior-based detection (Exploit Prevention and Malware Analytics), leading candidates to mistakenly choose File Reputation because they assume it covers all unknown threats.

5
MCQ · easy

Refer to the exhibit. The tunnel is established but no traffic is encrypted. What is the most likely issue?

A. The transform set uses wrong encryption
B. The crypto map is not applied to the external interface
C. The access-list is too permissive
D. The peer address is wrong
Answer: B

The crypto map must be attached to an interface to enable encryption.

Why this answer

The most likely issue is that the crypto map is not applied to the external interface. In IPsec VPN configuration, the crypto map must be applied to the interface that sends and receives encrypted traffic (typically the outside/public-facing interface). Without this application, the router does not know which traffic to protect or how to negotiate the IPsec tunnel, even if the tunnel is established (e.g., IKE Phase 1 completes).

The tunnel may show as up due to successful ISAKMP negotiation, but no traffic will be encrypted because the crypto map's policy (including the access-list and transform set) is never enforced on the interface.

Exam trap

Cisco often tests the distinction between tunnel establishment (IKE Phase 1) and traffic encryption (IPsec Phase 2 + crypto map application), trapping candidates who assume a tunnel being 'up' means all components are correctly applied.

How to eliminate wrong answers

Option A is wrong because if the transform set used the wrong encryption algorithm (e.g., AES instead of 3DES), the tunnel would fail to establish entirely during IPsec Phase 2 negotiation due to mismatched proposals; the question states the tunnel is established, so the transform set is compatible. Option C is wrong because an overly permissive access-list (e.g., permitting all IP traffic) would actually cause more traffic to be encrypted, not less; the issue is that no traffic is encrypted, which points to the crypto map not being applied, not the ACL being too broad. Option D is wrong because if the peer address were incorrect, the router would be unable to reach the remote peer for IKE negotiation, and the tunnel would not be established at all; since the tunnel is up, the peer address is correctly configured.
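The check a practitioner would run before staring at `show crypto ipsec sa`, as an added example that is not part of the original page: a small Python audit that parses a constructed IOS running-config excerpt and reports crypto maps that are defined but never bound to an interface, along with dangling ACL or transform-set references. The config text, interface names, and peer addresses are all constructed for the example; the parser only understands the named extended ACL and `crypto map ... ipsec-isakmp` forms shown.

```python
import re
from typing import Dict, List, Set

# Constructed IOS running-config excerpt (not the question's exhibit): ISAKMP,
# transform set, crypto map and ACL are all present, but the crypto map is
# never applied to the outside interface, so nothing is ever encrypted.
SAMPLE_CONFIG = """
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key S3cret address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN_TRAFFIC
!
ip access-list extended VPN_TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
interface GigabitEthernet0/0
 description outside
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 description inside
 ip address 10.1.1.1 255.255.255.0
"""

# The same config with the one missing line added under the outside interface.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " description outside\n", " description outside\n crypto map VPNMAP\n"
)


def parse_sections(config: str) -> List[List[str]]:
    """Split a config into top-level blocks; a block starts at an unindented line."""
    blocks, current = [], []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" ") and current:
            blocks.append(current)
            current = []
        current.append(line.rstrip())
    if current:
        blocks.append(current)
    return blocks


def audit_crypto_maps(config: str) -> Dict[str, List[str]]:
    """Return crypto-map name -> list of findings (an empty list means it looks sane)."""
    maps: Dict[str, Dict[str, str]] = {}
    applied: Set[str] = set()
    acls: Set[str] = set()
    transform_sets: Set[str] = set()
    for block in parse_sections(config):
        head = block[0]
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", head)
        if m:
            entry = maps.setdefault(m.group(1), {})
            for line in block[1:]:
                parts = line.split()
                if parts[:2] == ["set", "peer"]:
                    entry["peer"] = parts[2]
                elif parts[:2] == ["set", "transform-set"]:
                    entry["ts"] = parts[2]
                elif parts[:2] == ["match", "address"]:
                    entry["acl"] = parts[2]
            continue
        m = re.match(r"ip access-list extended (\S+)", head)
        if m:
            acls.add(m.group(1))
            continue
        m = re.match(r"crypto ipsec transform-set (\S+)", head)
        if m:
            transform_sets.add(m.group(1))
            continue
        if head.startswith("interface "):
            for line in block[1:]:
                m = re.match(r"\s*crypto map (\S+)", line)
                if m:
                    applied.add(m.group(1))  # the binding that makes the map take effect
    findings: Dict[str, List[str]] = {}
    for name, entry in maps.items():
        issues = []
        if name not in applied:
            issues.append("not applied to any interface")
        if "acl" not in entry:
            issues.append("no 'match address' (no traffic selected for encryption)")
        elif entry["acl"] not in acls:
            issues.append(f"ACL {entry['acl']} is referenced but not defined")
        if "ts" not in entry:
            issues.append("no transform-set")
        elif entry["ts"] not in transform_sets:
            issues.append(f"transform-set {entry['ts']} is referenced but not defined")
        if "peer" not in entry:
            issues.append("no peer")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_crypto_maps(cfg))
```

On the broken config the audit reports `{'VPNMAP': ['not applied to any interface']}`; on the fixed one it reports no findings. The same shape of check is what `show crypto map` gives you on the box (the `Interfaces using crypto map` line), but running it over an exported config catches the omission before the change window.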

6
Multi-Select · hard

A company is deploying Cisco ISE for network access control. Which three policies must be configured to enforce access based on device posture? (Choose three)

Select 3 answers
A. Authorization policy
B. Posture policy
C. Guest access policy
D. Authentication policy
E. Profiling policy
Answers: A, B, D

Defines access based on posture results.

Why this answer

Options A, B, and D are correct. The authentication policy (D) determines how users and devices are authenticated (e.g., 802.1X, MAB). The posture policy (B) defines the compliance requirements (antivirus state, patches, disk encryption, and so on) and the remediation actions. The authorization policy (A) grants access based on conditions that include the posture status (Unknown, Compliant, NonCompliant); this is what actually enforces the outcome, typically by returning a restricted or redirect authorization profile until the endpoint reports Compliant.

Profiling policy (E) identifies the device type and can feed conditions into authorization, but it is not required for posture enforcement. Guest access policy (C) is a separate flow for sponsored or self-registered visitors and does not enforce posture on corporate endpoints.

7
MCQ · medium

A multinational corporation is implementing ISE for wired network access using 802.1X with EAP-TLS certificate authentication. Their Windows 10 laptops have certificates issued by an internal PKI. During testing, some users report that they are repeatedly prompted to select a certificate after connecting, and eventually authentication fails. ISE logs show 'Authentication failed - No matching certificate found'. The engineer checks the client machine and sees multiple certificates, including the correct one, in the personal store. The ISE endpoint identity store is populated with the user's AD credentials. What is the most likely cause of this failure?

A. The client's certificate is expired
B. The Windows supplicant requires a registry modification to enable auto-selection
C. ISE trusted CA certificate list does not include the issuing CA
D. The client certificates lack the 'Client Authentication' extended key usage (EKU)
Answer: D

EAP-TLS requires a certificate with Client Authentication EKU; if missing, ISE will not accept it.

Why this answer

EAP-TLS requires the client to present a certificate that ISE can validate for client authentication. When the personal store holds several certificates and none of them carries the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), the supplicant has no certificate it is allowed to offer, so it keeps prompting the user and the attempt eventually fails; ISE never receives a usable certificate and logs 'No matching certificate found'. Option D is therefore the most likely cause: the template on the internal PKI issued certificates without the Client Authentication EKU that the ISE certificate authentication profile expects.

Option A would produce an expiry-specific failure for that one user's certificate, not a repeated selection prompt across several users. Option B is wrong because certificate selection on the Windows supplicant is controlled by the wired 802.1X profile (simple certificate selection and issuer or EKU filters), not by a registry change, and a selection prompt by itself does not make authentication fail. Option C would affect every user whose certificate chains to that CA rather than some users, and ISE would log an untrusted-chain error instead.

8
MCQ · medium

A cloud security architect is designing a zero-trust architecture for an enterprise using AWS and Azure. They need to enforce micro-segmentation between application tiers. Which Cisco solution is most appropriate?

A. Cisco Umbrella SIG
B. Cisco Secure Firewall
C. Cisco Secure Workload
D. Cisco Secure Cloud Analytics
Answer: C

Designed for micro-segmentation in zero-trust.

Why this answer

Option C is correct because Cisco Secure Workload (formerly Tetration) discovers application dependencies across on-premises and cloud workloads and enforces the resulting allow-list policy on the workloads themselves, which is how tier-to-tier micro-segmentation is implemented in a zero-trust design that spans AWS and Azure. Option A is wrong because Umbrella SIG is a cloud-delivered secure internet gateway for user-to-internet traffic, not for workload-to-workload traffic. Option B is wrong because Secure Firewall is a network-layer enforcement point; it can segment between zones but does not provide the workload-centric, dependency-driven policy needed between application tiers across two clouds.

Option D is wrong because Secure Cloud Analytics provides behavioral threat detection and visibility for cloud and on-premises traffic; it observes rather than enforces.

9
MCQ · hard

A company is connecting multiple VPCs in AWS to a shared services VPC using AWS Transit Gateway. They want to inspect east-west traffic between VPCs with a common security policy. Which design best achieves this using Cisco solutions?

A. Deploy a Cisco Firepower instance in each VPC
B. Use VPC peering with no inspection
C. Direct Connect to on-premises Cisco ASA
D. Use AWS Transit Gateway with a centralized Cisco Firepower instance for inspection
Answer: D

Centralized inspection simplifies policy management.

Why this answer

Option D is correct because AWS Transit Gateway allows you to route traffic between multiple VPCs through a centralized inspection VPC, where a Cisco Firepower instance can apply a consistent security policy to all east-west traffic. This design avoids deploying separate firewalls in each VPC and ensures that traffic between any two VPCs is inspected by a single, centrally managed policy engine.

Exam trap

Cisco often tests the misconception that deploying a firewall in each VPC (Option A) is the only way to inspect east-west traffic, but the trap here is that a centralized inspection model using Transit Gateway is more scalable and policy-consistent, and candidates may overlook the routing configuration required to force traffic through the inspection VPC.

How to eliminate wrong answers

Option A is wrong because deploying a Cisco Firepower instance in each VPC creates a distributed, per-VPC security model that is difficult to manage and does not enforce a common security policy across all east-west traffic; each VPC would require its own policy configuration and traffic would not be centrally inspected. Option B is wrong because VPC peering with no inspection provides direct connectivity between VPCs without any security appliance, meaning east-west traffic flows unmonitored and violates the requirement to inspect traffic with a common security policy. Option C is wrong because Direct Connect to an on-premises Cisco ASA forces all east-west traffic to hairpin through the on-premises network, which introduces unnecessary latency, bandwidth costs, and dependency on the on-premises link, and is not designed for native AWS VPC-to-VPC traffic inspection.

10
MCQ · medium

An incident responder uses the Cisco AMP for Endpoints console to investigate a potential malware outbreak. The endpoint shows multiple files with high prevalence and cloud verdicts of 'unknown'. The responder wants to quickly identify files that were executed from a malicious parent process. Which console feature best assists this analysis?

A. Device Trajectory to review the event timeline.
B. Group Policy to check applied policies.
C. Dashboard to view overall threat scores.
D. File Search to find files with unknown verdict.
Answer: A

Device Trajectory shows process execution details and parent-child relationships.

Why this answer

Option A is correct because Device Trajectory presents a time-ordered sequence of file and process events on the endpoint, including parent-child process relationships, so the responder can see which process launched each 'unknown' file. Option D is wrong because File Search lists where a file has been seen but does not show what spawned it. Option C is wrong because the Dashboard gives a high-level overview, not per-event detail.

Option B is wrong because Group Policy shows the policy settings applied to the endpoint, not execution events.

11
MCQ · easy

A company wants to prevent users from downloading executable files (.exe) from the internet via the WSA. Which policy type should be configured?

A. URL filtering policy with category blocking
B. Data Security policy
C. Access policy with file type filtering
D. Web Reputation Security policy
Answer: C

File type filtering blocks specific MIME types or extensions.

Why this answer

C is correct because an Access policy in WSA allows granular control over web traffic, including the ability to block specific file types such as .exe via the 'File Type Filtering' action. This directly prevents users from downloading executable files from the internet, as the WSA inspects the MIME type or file extension in the HTTP response and applies the configured block action.

Exam trap

Cisco often tests the distinction between URL filtering (which controls access based on site categories) and file type filtering (which controls downloads based on file type), and the trap here is that candidates confuse 'blocking executable downloads' with 'blocking malicious sites' or 'blocking categories,' leading them to choose URL filtering or Web Reputation policies instead.

How to eliminate wrong answers

Option A is wrong because URL filtering policy with category blocking controls access based on URL categories (e.g., gambling, social media), not on the file type of downloaded content; it cannot block .exe files from allowed categories. Option B is wrong because Data Security policy (DLP) is designed to prevent sensitive data leakage (e.g., credit card numbers, PII) by inspecting content, not to block executable file downloads. Option D is wrong because Web Reputation Security policy uses reputation scores to block malicious or risky sites, but it does not filter by file type; a site with good reputation could still serve .exe files.
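As an added example (not from the page and not Cisco WSA code), the following Python shows why a file-type block cannot rely on the URL extension alone: a PE executable renamed to .png and served with an image Content-Type still begins with the MZ header. The classifier checks the file's leading bytes first, then the Content-Type and Content-Disposition headers, then the extension. The sample requests, hostnames, and bodies are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Leading bytes that identify executables regardless of what the file is called.
MAGIC = {
    b"MZ": "executable/pe",        # Windows PE: .exe, .dll, .scr, .sys
    b"\x7fELF": "executable/elf",  # Linux/Unix ELF binaries
}
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".msi", ".com"}
BLOCKED_MIME = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}


def sniff(body: bytes) -> Optional[str]:
    """Return the executable kind implied by the first bytes, or None."""
    for sig, kind in MAGIC.items():
        if body.startswith(sig):
            return kind
    return None


def filename_from(url: str, headers: Dict[str, str]) -> str:
    """Prefer the server-supplied filename, else the last URL path segment."""
    m = re.search(r'filename="?([^";]+)"?', headers.get("Content-Disposition", ""))
    if m:
        return m.group(1)
    return url.split("?", 1)[0].split("#", 1)[0].rsplit("/", 1)[-1]


def classify_download(url: str, headers: Dict[str, str], body: bytes) -> Dict[str, str]:
    """Decide block/allow for one HTTP response, strongest evidence first."""
    name = filename_from(url, headers).lower()
    ext = name[name.rfind("."):] if "." in name else ""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    kind = sniff(body[:8])
    if kind:
        return {"verdict": "block", "reason": f"content is {kind} (magic bytes)"}
    if ctype in BLOCKED_MIME:
        return {"verdict": "block", "reason": f"Content-Type {ctype}"}
    if ext in BLOCKED_EXTENSIONS:
        return {"verdict": "block", "reason": f"extension {ext}"}
    return {"verdict": "allow", "reason": "no executable indicators"}


# Constructed responses: (url, headers, first bytes of body).
SAMPLES: Dict[str, Tuple[str, Dict[str, str], bytes]] = {
    # A PE renamed to .png and served as an image: only the magic bytes give it away.
    "renamed_pe": (
        "http://files.example.test/cat.png",
        {"Content-Type": "image/png"},
        b"MZ\x90\x00\x03\x00\x00\x00",
    ),
    # An honest executable download.
    "honest_exe": (
        "http://files.example.test/setup.exe",
        {"Content-Type": "application/x-msdownload"},
        b"MZ\x90\x00\x03\x00\x00\x00",
    ),
    # Opaque URL; the filename only appears in Content-Disposition.
    "disposition": (
        "http://files.example.test/download?id=7",
        {"Content-Type": "application/octet-stream",
         "Content-Disposition": 'attachment; filename="tool.exe"'},
        b"\x00\x00\x00\x00\x00\x00\x00\x00",
    ),
    # A genuine PNG should pass.
    "real_png": (
        "http://files.example.test/cat.png",
        {"Content-Type": "image/png"},
        b"\x89PNG\r\n\x1a\n",
    ),
}


def classify_all() -> Dict[str, str]:
    """Verdict for every constructed sample, keyed by sample name."""
    return {name: classify_download(*args)["verdict"] for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print(f"{name:12s} {classify_download(*args)}")
```

Only `real_png` is allowed; the renamed PE is blocked on its MZ header even though both its extension and Content-Type say image. The ordering matters: if the extension check ran first, `renamed_pe` would be allowed, which is exactly the gap an attacker hosting a dropper behind a CDN would use.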

12
MCQ · hard

Based on the exhibit, what is the most likely reason that traffic matching the AMP_block access-list is not being blocked?

A. The remark command is incorrectly formatted
B. The policy-map does not include a pass or block action for the access-list
C. The access-list is not referenced in any policy-map or class-map
D. The access-list is not applied to an interface
Answer: C

The access-list must be referenced in a policy-map (e.g., via a class-map) to be enforced; the exhibit shows no such reference.

Why this answer

Option C is correct. The AMP_block access-list is defined but never referenced by a class-map or policy-map, so no traffic is ever matched against it and nothing is enforced. Option B is wrong because the policy-map in the exhibit uses inspect actions; those apply to the classes the policy-map already contains and do not automatically pull in an unreferenced access-list.

Option A is wrong because remark lines are documentation only and do not affect matching. Option D is wrong because, in the modular policy framework or an FTD global policy, an access-list takes effect by being bound to a class-map that a policy-map applies, not by being attached directly to an interface; the missing piece here is the policy reference, not an interface binding.

13
MCQ · medium

A network engineer is implementing TrustSec on a Cisco switch. The goal is to tag traffic from the engineering VLAN with Security Group Tag (SGT) 10 and enforce policies on upstream switches. Which configuration is required on the access switch to propagate the SGT?

A. cts manual policy static sgt 10
B. switchport voice vlan 10
C. authentication host-mode multi-domain
D. spanning-tree portfast
Answer: A

This enables manual SGT tagging on the interface.

Why this answer

Option A is correct because, under `cts manual`, the `policy static sgt 10` statement applies SGT 10 to traffic entering the port and, on a TrustSec-capable uplink, the switch carries that tag inline in the Cisco Meta Data (CMD) header so the upstream switch can enforce SGACLs against it. Where a hop in the path cannot carry the tag inline, the IP-to-SGT bindings are propagated with SXP instead. Either way, traffic from the engineering VLAN is classified as SGT 10 and upstream devices can enforce policy on it.

Exam trap

The trap here is that candidates confuse VLAN configuration (e.g., voice VLAN) with Security Group Tag assignment, or assume that authentication or STP features are involved in SGT propagation.

How to eliminate wrong answers

Option B is wrong because 'switchport voice vlan 10' configures a voice VLAN for VoIP traffic, not a Security Group Tag; it does not propagate SGTs. Option C is wrong because 'authentication host-mode multi-domain' is used for 802.1X multi-domain authentication (e.g., voice and data devices), not for static SGT assignment or propagation. Option D is wrong because 'spanning-tree portfast' accelerates the port transition to forwarding state to avoid STP delays, but it has no role in SGT tagging or propagation.

14
MCQ · hard

A security engineer is analyzing logs from a Cisco ASA. They notice that a specific internal host is generating a high volume of outbound TCP SYN packets to multiple external IP addresses on port 443, but no SYN-ACK responses are received. What is the most likely explanation?

A. The ASA is configured to block outbound HTTPS traffic
B. The host is downloading a large malware file via HTTPS
C. The host is infected with malware that is performing a SYN flood denial-of-service attack
D. The host is establishing legitimate HTTPS connections
Answer: C

Spoofed or high-volume SYN packets without responses indicate a SYN flood attack.

Why this answer

Option C is correct because the host is sending a high volume of TCP SYN packets to multiple external IPs on port 443 without receiving SYN-ACK responses, which is characteristic of a SYN flood attack. In a SYN flood, the attacker (or infected host) sends many SYN packets to exhaust the target's connection table, but the lack of SYN-ACK responses indicates the targets are not completing the handshake, often because the source IP is spoofed or the targets are unresponsive. The Cisco ASA logs show outbound SYN packets with no corresponding SYN-ACKs, which aligns with the host being used as a source for a denial-of-service attack.

Exam trap

Cisco often tests the distinction between a host being the source of an attack versus being the victim, and the trap here is that candidates may assume the host is simply making legitimate outbound connections (Option D) without recognizing that the absence of SYN-ACK responses is the key anomaly that indicates an attack rather than normal traffic.

How to eliminate wrong answers

Option A is wrong because if the ASA were blocking outbound HTTPS traffic, the SYN packets would be dropped at the ASA and not reach the external IPs, so the logs would not show outbound SYN packets to port 443. Option B is wrong because downloading a large malware file via HTTPS would involve a full TCP three-way handshake (SYN, SYN-ACK, ACK) and subsequent data transfer, not just a flood of SYN packets with no responses. Option D is wrong because legitimate HTTPS connections require a completed three-way handshake, so the ASA logs would show SYN-ACK responses from the external servers, which are absent in this scenario.
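An added example, not part of the page: detection logic in Python that runs over constructed ASA connection-teardown syslog lines (message ID 302014) and flags internal hosts whose outbound TCP/443 connections almost all end in `SYN Timeout` with zero bytes across many distinct destinations, the pattern the question attributes to a compromised host. The thresholds, the hostnames and addresses, and the log lines themselves are assumptions made for the example; the message format follows the ASA teardown syntax.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# ASA 302014 teardown message. For an outbound connection the ASA lists the
# lower-security (outside) endpoint first and the inside client after "to".
# "bytes 0 SYN Timeout" means the handshake never completed: no SYN-ACK came back.
TEARDOWN = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<out_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) to "
    r"(?P<in_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_teardown(line: str) -> Optional[dict]:
    """Parse one 302014 line into a dict, or return None for any other message."""
    m = TEARDOWN.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def find_syn_sources(lines: Iterable[str], port: int = 443,
                     min_targets: int = 5, min_ratio: float = 0.9) -> Dict[str, dict]:
    """Return inside hosts whose teardowns to `port` are overwhelmingly half-open
    and spread over at least `min_targets` distinct destinations."""
    stats = defaultdict(lambda: {"total": 0, "syn_timeouts": 0, "targets": set()})
    for line in lines:
        ev = parse_teardown(line)
        if not ev or ev["dport"] != port:
            continue
        s = stats[ev["src"]]
        s["total"] += 1
        if ev["reason"] == "SYN Timeout" and ev["bytes"] == 0:
            s["syn_timeouts"] += 1
            s["targets"].add(ev["dst"])
    flagged: Dict[str, dict] = {}
    for host, s in stats.items():
        ratio = s["syn_timeouts"] / s["total"]
        if len(s["targets"]) >= min_targets and ratio >= min_ratio:
            flagged[host] = {"total": s["total"], "syn_timeouts": s["syn_timeouts"],
                             "targets": len(s["targets"])}
    return flagged


# Constructed sample log (not a real capture).
SAMPLE_LOGS: List[str] = [
    # 10.1.1.20: six half-open attempts to six different servers, no data ever flowed.
    f"%ASA-6-302014: Teardown TCP connection {1000 + i} for outside:198.51.100.{10 + i}/443 "
    f"to inside:10.1.1.20/{50000 + i} duration 0:00:30 bytes 0 SYN Timeout"
    for i in range(6)
] + [
    # 10.1.1.30: ordinary browsing with one transient timeout.
    "%ASA-6-302014: Teardown TCP connection 2001 for outside:203.0.113.10/443 "
    "to inside:10.1.1.30/50100 duration 0:00:05 bytes 48212 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 2002 for outside:203.0.113.11/443 "
    "to inside:10.1.1.30/50101 duration 0:00:12 bytes 10240 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 2003 for outside:203.0.113.12/443 "
    "to inside:10.1.1.30/50102 duration 0:00:30 bytes 0 SYN Timeout",
    # A 302013 "Built" message is not a teardown and is ignored by the parser.
    "%ASA-6-302013: Built outbound TCP connection 2004 for outside:203.0.113.13/443 "
    "(203.0.113.13/443) to inside:10.1.1.30/50103 (192.0.2.1/50103)",
]

if __name__ == "__main__":
    for host, detail in find_syn_sources(SAMPLE_LOGS).items():
        print(f"{host}: {detail}")
```

Only 10.1.1.20 is flagged: all six of its connections timed out with zero bytes to six different servers, while 10.1.1.30 completed two normal sessions and had one timeout. Counting distinct destinations rather than raw SYNs is what separates a host that cannot reach one broken server from one that is spraying SYNs outward.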

15
MCQ · hard

A network administrator is configuring Cisco ASA with FirePOWER services. The administrator wants to inspect SSL traffic but is concerned about certificate pinning in modern applications. Which action should the administrator take to ensure that SSL inspection does not break applications that use certificate pinning?

A. Configure SSL inspection to bypass all traffic to avoid any issues
B. Install a custom root CA on all clients and configure the ASA to use that CA
C. Create an SSL decryption rule to exclude traffic from applications known to use certificate pinning
D. Use a decryption policy that decrypts the traffic but does not re-encrypt
Answer: C

Excluding pinned applications prevents the ASA from interfering with certificate validation.

Why this answer

Option C is correct because certificate pinning hardcodes the expected certificate or public key within an application. If the ASA decrypts and re-encrypts the traffic using a different certificate (even one signed by a trusted CA), the pinned certificate will not match, causing the application to reject the connection. By creating an SSL decryption rule that excludes traffic from applications known to use certificate pinning, the administrator avoids breaking those applications while still inspecting other SSL traffic.

Exam trap

Cisco often tests the misconception that installing a trusted root CA on clients is sufficient to handle all SSL inspection scenarios, but the trap here is that certificate pinning bypasses CA trust entirely by comparing against a hardcoded certificate or public key.

How to eliminate wrong answers

Option A is wrong because bypassing all SSL traffic defeats the purpose of SSL inspection and leaves all encrypted traffic uninspected, which is not a valid security strategy. Option B is wrong because installing a custom root CA on all clients does not solve certificate pinning; pinned applications compare the server certificate against a hardcoded value, not against a trusted CA chain, so the ASA's re-encrypted certificate will still fail the pinning check. Option D is wrong because decrypting without re-encrypting would send plaintext traffic to the client, which breaks TLS protocol expectations and would be rejected by the client; the ASA must re-encrypt to maintain a valid TLS session.

16
MCQ · hard

A Cisco WSA receives intermittent complaints that legitimate websites are being blocked. The access policy uses reputation scoring and URL filtering. The administrator checks the logs and finds that the blocked requests have a web reputation score of -2.0. What action should be taken to allow these legitimate sites while still blocking malicious ones?

A. Create a custom URL category for the legitimate sites and apply an allow action above the reputation policy.
B. Lower the reputation threshold to -1.0.
C. Set the reputation action to 'Monitor' for suspicious scores.
D. Disable web reputation filtering for that policy.
Answer: A

Allow override bypasses reputation blocking for specific sites.

Why this answer

Option A is correct because creating a custom URL category for the legitimate sites and placing an allow action above the reputation policy ensures that traffic matching that category bypasses the reputation scoring check. This allows the legitimate sites while the reputation policy continues to block malicious sites with scores below the threshold. In Cisco WSA, access policies are evaluated in order, so a higher-priority allow rule for trusted URLs overrides the lower-priority reputation-based block.

Exam trap

Cisco often tests the concept of policy evaluation order in WSA, where candidates mistakenly think adjusting the reputation threshold or disabling filtering is the correct fix, rather than using a higher-priority allow rule for trusted sites.

How to eliminate wrong answers

Option B is wrong because lowering the reputation threshold to -1.0 would allow more sites with poor reputation (scores between -2.0 and -1.0) to pass, increasing the risk of allowing malicious sites. Option C is wrong because setting the reputation action to 'Monitor' for suspicious scores would only log the requests without blocking them, which does not selectively allow the legitimate sites while still blocking malicious ones. Option D is wrong because disabling web reputation filtering entirely removes the reputation-based protection for the whole policy, leaving all sites unguarded against malicious threats.

17
MCQ · hard

Refer to the exhibit. An engineer configured 802.1X on two switch ports. On Gi1/0/1, a VoIP phone and a PC are connected via a hub. On Gi1/0/2, only a single PC is connected. Which port will successfully authenticate both devices, and what is the issue with the other port?

A. Both ports will authenticate all connected devices because 802.1X supports multiple hosts by default.
B. Gi1/0/2 will authenticate the PC; Gi1/0/1 will fail because multi-auth is not supported on access ports.
C. Gi1/0/1 will authenticate both devices; Gi1/0/2 will fail because the tx-period is too long.
D. Gi1/0/1 will authenticate both devices; Gi1/0/2 will only authenticate the PC, and any additional device will be denied.
Answer: D

Multi-auth allows multiple devices; single-host allows only one.

Why this answer

Option D is correct because Gi1/0/1 is configured with the `authentication port-control auto` and `authentication host-mode multi-auth` commands, which allow both the VoIP phone and the PC to authenticate independently. Gi1/0/2 is configured with `authentication host-mode single-host` (the default), which only permits a single authenticated device; any additional device, such as a second PC connected via a hub, will be denied access.

Exam trap

Cisco often tests the distinction between `multi-auth` and `single-host` modes, and the trap here is that candidates assume 802.1X inherently supports multiple devices or that a long tx-period is the cause of failure, rather than recognizing the default single-host restriction on Gi1/0/2.

How to eliminate wrong answers

Option A is wrong because 802.1X does not support multiple hosts by default; the default host mode is single-host, which only allows one authenticated MAC address per port. Option B is wrong because multi-auth is supported on access ports, and the exhibit configures Gi1/0/1 with it, so Gi1/0/1 succeeds rather than fails. Option C is wrong because the tx-period (60 seconds in the exhibit) is only the interval at which the switch retransmits the EAP-Request/Identity while waiting for a supplicant to respond; a longer value delays the start of authentication but does not make it fail. The exhibit shows Gi1/0/2 in single-host mode, which is the actual reason it cannot authenticate more than one device.

18
MCQ · medium

A company uses Cisco ISE for posture assessment. They require that all endpoints meet a certain set of compliance rules before being granted network access. Which service is responsible for performing the posture assessment on the endpoint?

A. ISE Policy Service
B. Cisco AnyConnect ISE Posture Module
C. Cisco ISE pxGrid
D. Network Access Device (switch)
Answer: B

The AnyConnect Posture Module runs on the endpoint and performs the actual posture checks.

Why this answer

Option B is correct because the Cisco AnyConnect ISE Posture Module (now the Secure Client ISE Posture module) runs on the endpoint, performs the checks (antivirus status, patches, registry keys, running processes, and so on), and reports the result to ISE. Option A is incorrect because the ISE Policy Service node evaluates the posture report against the posture policy; it does not run the checks itself. Option D is incorrect because the network access device only relays EAP and RADIUS and applies the resulting authorization (VLAN, dACL, redirect).

Option C is incorrect because pxGrid is the framework for sharing context between ISE and other security products.

19
Multi-Select · medium

A company uses Amazon Web Services (AWS) and wants to integrate with Cisco Defense Orchestrator (CDO) for centralized security management. Which THREE capabilities does CDO provide when managing AWS security services? (Choose three.)

Select 3 answers
A. Monitor AWS CloudTrail logs for security events.
B. Manage AWS Identity and Access Management (IAM) roles.
C. Deploy and manage Cisco virtual firewalls in AWS.
D. Create and modify AWS security group rules.
E. Provision and configure AWS VPC subnets.
Answers: A, C, D

Correct: CDO can ingest CloudTrail logs for analysis.

Why this answer

A is correct because Cisco Defense Orchestrator (CDO) can ingest and monitor AWS CloudTrail logs to detect security events, such as unauthorized API calls or policy violations. This integration allows CDO to correlate cloud-native audit logs with firewall events for centralized visibility and alerting, which is a key capability for cloud security management.

Exam trap

Cisco often tests the distinction between security management (CDO) and infrastructure provisioning (AWS native services), so candidates mistakenly assume CDO can manage IAM roles or VPC subnets, but CDO is strictly a security orchestration tool, not a cloud infrastructure manager.

20
MCQ · medium

An engineer is troubleshooting a user who cannot access the network after successful 802.1X authentication. The user's PC receives an IP address from DHCP, but cannot reach the internet. The switch port is in the correct VLAN (10) after authentication. The ISE posture policy requires the user to install a corporate certificate, but the user skipped that step. What is the most likely cause of the internet access failure?

A. The user is not logged into the domain
B. The switchport is still in the default VLAN
C. The DHCP server does not have a scope for VLAN 10
D. The ISE posture policy returned 'NonCompliant' and ISE applied a Change of Authorization (CoA) to place the port in a remediation VLAN
Answer: D

ISE can use CoA to dynamically move the port to a remediation VLAN with no internet access.

Why this answer

Option D is correct because, after authentication, ISE evaluates posture and, when the endpoint reports NonCompliant (here the required certificate was never installed), sends a RADIUS Change of Authorization to the switch to re-authorize the session with a restricted profile. That profile may move the port to a remediation VLAN or, on a port that stays in VLAN 10, apply a downloadable ACL or redirect ACL that permits only DHCP, ISE, and the remediation servers; either way the PC obtains an address but cannot reach the internet. Option A is wrong because a domain login is not required for internet access. Option B is wrong because the question states the port is already in the correct VLAN.

Option C is wrong because the PC received a DHCP lease, so a scope for VLAN 10 exists.

21
MCQ · easy

A company wants to use Cisco Umbrella to block access to malicious domains. They have deployed the Umbrella roaming client on all endpoints. However, traffic from a specific application is still reaching a known malicious domain. What is the most likely reason?

A. The Umbrella policy is configured to allow that specific application.
B. The domain is not categorized as malicious in Umbrella's database.
C. The Umbrella roaming client is not installed on the server.
D. The application uses a hardcoded IP address or non-DNS protocol.
Answer: D

Umbrella blocks at the DNS layer; if the application does not use DNS, the block does not apply.

Why this answer

The Umbrella roaming client enforces policy at the DNS layer, so it can only act on destinations the endpoint resolves through it. If an application connects to a hardcoded IP literal, or resolves names through a path the roaming client does not intercept, no DNS query for the malicious domain ever reaches Umbrella and the DNS-layer block never applies. That is why the domain is still reachable despite the roaming client being deployed; stopping that application's traffic requires a control that sees the connection itself rather than the name lookup.

Exam trap

Cisco often tests the misconception that Umbrella blocks all traffic regardless of how the destination is resolved, when in fact it only blocks based on DNS queries, not direct IP connections or non-DNS protocols.

How to eliminate wrong answers

Option A is wrong because Umbrella policies apply globally to all traffic passing through the DNS layer; there is no per-application allow/block policy that would override DNS-based blocking for a specific application. Option B is wrong because even if a domain is not categorized as malicious, Umbrella can still block it via custom block lists or security categories; the question states the domain is known malicious, implying it should be blocked. Option C is wrong because the roaming client is deployed on all endpoints, and the traffic originates from an endpoint, not a server; the roaming client on the endpoint handles DNS resolution for all applications on that endpoint.

22
MCQmedium

A network engineer is trying to establish a site-to-site IPsec VPN between two Cisco routers. The IKEv2 proposal uses AES-256 encryption and SHA-256 hash. On the remote router, the configuration shows only AES-128 and SHA-1. What will happen during IKEv2 negotiation?

A.The router with stronger proposal will override the other.
B.The IKEv2 negotiation will fail because no common proposal exists.
C.The routers will automatically fall back to IKEv1.
D.The routers will negotiate and use AES-128 with SHA-256.
AnswerB

Both sides must have at least one matching proposal for IKEv2 to establish.

Why this answer

IKEv2 negotiation requires that both peers have at least one matching proposal (encryption, hash, DH group, etc.) in their configured transform sets. Since the local router offers AES-256/SHA-256 and the remote router only offers AES-128/SHA-1, there is no common proposal. IKEv2 does not perform automatic fallback or mixing of parameters; it simply fails if no match is found.

Exam trap

Cisco often tests the misconception that IKEv2 will automatically negotiate a 'best common' set of parameters or fall back to IKEv1, when in fact it requires an exact match on the entire proposal and has no backward compatibility with IKEv1.

How to eliminate wrong answers

Option A is wrong because IKEv2 does not allow one peer to override the other's proposal; negotiation is a matching process, not a strength-based override. Option C is wrong because IKEv2 and IKEv1 are separate protocols; there is no automatic fallback from IKEv2 to IKEv1 during negotiation—the administrator must explicitly configure IKEv1 if desired. Option D is wrong because IKEv2 does not mix parameters from different proposals; it requires an exact match on the entire proposal set (encryption AND hash), so AES-128 with SHA-256 is not a valid negotiated combination unless explicitly configured on both sides.

23
MCQeasy

Refer to the exhibit. An engineer configured ISE to use both Active Directory and LDAP for authentication. Users from Active Directory are unable to authenticate. What is the most likely reason?

A.Active Directory users are not allowed in the policy
B.The LDAP identity store is unreachable and ISE is attempting LDAP before AD
C.The Active Directory identity store is disconnected
D.The authentication sequence is set to 'AD then LDAP'
AnswerB

If LDAP is configured as the first authentication source, the timeout causes authentication to fail before AD is tried.

Why this answer

Option B is correct because the LDAP server is showing a timeout error, and if LDAP is ranked higher in the identity source sequence, ISE attempts LDAP first and fails before falling back to AD. Option C is wrong because AD shows connected; an authentication failure does not by itself change the AD identity store's connection state. Option D is wrong because the sequence is not shown, but the LDAP error indicates the problem.

24
MCQhard

A multinational company has recently deployed Cisco WSA with explicit proxy for 10,000 users across two data centers. The WSA is configured with multiple identities based on IP subnets and authentication via LDAP. Users in the R&D department (subnet 192.168.10.0/24) are configured with an access policy that blocks all social media, but they can access web-based email like Gmail. The administrator receives complaints that R&D users cannot access a critical partner's HTTPS website (https://portal.partner.com) that is not categorized. The access policy for R&D has a default action of 'Monitor' for uncategorized URLs, but the site is blocked. The web reputation score for the site is +1.5 (low risk). The global web reputation threshold is set to -1.0. The administrator checks the access logs and sees that the request is denied with the reason 'URL is blocked by policy'. The R&D policy has an explicit 'Deny' action for the URL category 'Uncategorized URLs' set to 'Block', but the default action for the policy is 'Monitor'. The identity matching is correct. What is the most likely cause and solution?

A.Change the R&D policy's Uncategorized URLs action from Block to Monitor.
B.Lower the global web reputation threshold to -2.0 to allow more sites.
C.Create a custom URL category for portal.partner.com and configure the R&D policy to allow it.
D.Disable authentication for the R&D identity to bypass policy.
AnswerC

Custom allow rule overrides the category block.

Why this answer

Option C is correct because the R&D access policy has an explicit 'Deny' action for the 'Uncategorized URLs' category, which overrides the default 'Monitor' action. Since portal.partner.com is uncategorized, it is blocked by this explicit deny. Creating a custom URL category for the partner site and configuring an explicit 'Allow' action in the R&D policy will bypass the uncategorized URL block while preserving the rest of the policy.

Exam trap

Cisco often tests the concept that explicit policy actions for a URL category override the default action, leading candidates to incorrectly assume the default 'Monitor' action would allow the traffic when an explicit 'Deny' is present.

How to eliminate wrong answers

Option A is wrong because changing the Uncategorized URLs action from Block to Monitor would allow all uncategorized sites, including potentially malicious ones, which violates the security intent of blocking social media and could expose the R&D department to risks. Option B is wrong because the global web reputation threshold is already set to -1.0, and the site has a reputation score of +1.5 (low risk), so lowering the threshold would not affect this block; the block is due to the explicit policy action on uncategorized URLs, not reputation. Option D is wrong because disabling authentication would bypass identity-based policy matching, potentially applying a different policy that might allow the site, but it would also remove access controls for all R&D users, breaking the intended security posture and is not a recommended practice.

25
MCQmedium

A company deploys a web application firewall (WAF) from Cisco on AWS Marketplace. They want to integrate with AWS CloudTrail for logging. What is the primary benefit?

A.Simplified compliance reporting
B.Elimination of false positives
C.Automatic WAF rule updates
D.Centralized logging of WAF events in CloudTrail
AnswerD

Enables centralized audit and monitoring.

Why this answer

Integrating a Cisco WAF deployed via AWS Marketplace with AWS CloudTrail provides centralized logging of all WAF events, including allowed and blocked requests, directly into CloudTrail. This enables a single, auditable log stream for security monitoring and compliance, as CloudTrail captures API calls and WAF events for analysis in AWS services like CloudWatch Logs or Amazon S3.

Exam trap

The trap here is that candidates may confuse the primary benefit of CloudTrail integration (centralized logging) with secondary benefits like compliance or automation, but Cisco specifically tests the understanding that CloudTrail's core function is logging and monitoring, not rule management or false positive reduction.

How to eliminate wrong answers

Option A is wrong because simplified compliance reporting is a potential benefit of centralized logging, but it is not the primary or direct benefit of CloudTrail integration; CloudTrail provides raw event logs, not pre-built compliance reports. Option B is wrong because false positive reduction is achieved through tuning WAF rules and signatures, not through logging integration with CloudTrail. Option C is wrong because automatic WAF rule updates are managed by Cisco or the WAF service itself, not by CloudTrail, which is solely a logging and monitoring service.

26
MCQhard

After deploying a Cisco Cloudlock policy, a user reports that a sanctioned application (Salesforce) is being blocked for file downloads. What is the most likely cause?

A.The Salesforce API token has expired
B.The file being downloaded contains sensitive data flagged by DLP
C.The user's browser is not configured with the corporate proxy
D.The Cloudlock policy for Salesforce is set to 'Block' due to misconfiguration
AnswerD

A misconfigured policy can block sanctioned applications.

Why this answer

Option D is correct because Cloudlock policies are configured to enforce actions such as 'Allow', 'Block', or 'Monitor' on sanctioned applications like Salesforce. If a policy is misconfigured to 'Block' for file downloads, Cloudlock will intercept the API call and deny the download regardless of the file's content. This is a common administrative error when setting granular controls for cloud app activities.

Exam trap

The trap here is that candidates may assume DLP is the only reason for blocking downloads, but Cisco tests whether you understand that Cloudlock policies have explicit actions (Allow/Block/Monitor) that can be misconfigured independently of DLP rules.

How to eliminate wrong answers

Option A is wrong because an expired Salesforce API token would cause authentication failures across all API interactions, not selectively block file downloads while other operations succeed. Option B is wrong because DLP-triggered blocking would only occur if the policy is set to 'Monitor' or 'Block' for sensitive data; the question states the policy is blocking all downloads, not just those with sensitive content. Option C is wrong because Cloudlock operates at the API level for sanctioned apps, not via browser proxy configuration; browser proxy settings affect web traffic interception, not API-based policy enforcement.

27
MCQmedium

A security administrator notices that several endpoints in the finance department are exhibiting unusual network behavior, including connections to known malicious IP addresses. The administrator has deployed Cisco Secure Endpoint (formerly AMP for Endpoints) with TETRA and has enabled the built-in firewall. What is the best course of action to quickly identify the root cause and contain the threat?

A.Disable the built-in firewall on the endpoints to allow full traffic inspection by the TETRA engine.
B.Use the Cisco Secure Endpoint console to review the TETRA engine's real-time traffic analysis and isolate the affected endpoints.
C.Wait for the weekly threat report from Cisco Talos to identify the malware family and then apply a signature update.
D.Uninstall the Cisco Secure Endpoint connector and reinstall it with a fresh policy.
AnswerB

TETRA provides real-time traffic analysis; the console allows immediate visibility and isolation.

Why this answer

Option B is correct because Cisco Secure Endpoint with TETRA provides real-time traffic analysis and endpoint isolation capabilities directly from the console. The TETRA engine inspects network flows using behavioral analysis and machine learning, and the administrator can immediately isolate affected endpoints to prevent lateral movement while reviewing the root cause.

Exam trap

Cisco often tests the misconception that disabling security controls (like the firewall) will improve detection, when in fact the TETRA engine operates independently and isolation is the correct containment step.

How to eliminate wrong answers

Option A is wrong because disabling the built-in firewall removes a critical layer of defense and does not improve TETRA's inspection; TETRA operates independently of the host firewall. Option C is wrong because waiting for a weekly Talos report is too slow for an active threat, and signature updates are reactive rather than providing immediate containment. Option D is wrong because reinstalling the connector with a fresh policy is disruptive, time-consuming, and does not address the need for rapid root cause analysis and containment.

28
MCQeasy

Which Cisco security product provides network visibility and traffic analytics using NetFlow and IPFIX?

A.Cisco Firepower Management Center
B.Cisco Stealthwatch
C.Cisco Umbrella
D.Cisco ISE
AnswerB

Stealthwatch analyzes network flows for visibility and security.

Why this answer

Option B is correct. Cisco Stealthwatch uses NetFlow/IPFIX for network visibility and threat detection. Option A (FMC) is for firewall management. Option C (Umbrella) is for cloud-delivered security. Option D (ISE) is for identity services.

29
MCQeasy

A network administrator notices that an endpoint running the AMP connector is not sending events to the cloud. The connector status shows 'Connected' in the AMP console. What is the most likely cause?

A.The AMP license has expired.
B.The endpoint is behind a proxy that does not allow HTTPS traffic to the AMP cloud.
C.Inbound firewall rules block incoming connections to the AMP connector.
D.The AMP connector service is stopped on the endpoint.
AnswerB

The connector can establish a TCP connection (appear connected) but event submission over HTTPS fails through the proxy.

Why this answer

The AMP connector status shows 'Connected' in the AMP console, which indicates that the endpoint has successfully established a TCP connection and authenticated with the AMP cloud. However, if the endpoint is behind a proxy that does not allow HTTPS (TCP/443) traffic to the AMP cloud, the connector may appear connected (due to a persistent keep-alive or cached status) but cannot send event data because the proxy is blocking the actual data-plane traffic. This is a common misconfiguration where the proxy allows the initial handshake but filters subsequent HTTPS requests.

Exam trap

Cisco often tests the distinction between a 'Connected' status (which only indicates a control-plane or registration state) and actual data-plane functionality (event uploads), leading candidates to overlook proxy or firewall egress issues that block HTTPS traffic.

How to eliminate wrong answers

Option A is wrong because an expired AMP license would prevent the connector from authenticating or registering, resulting in a 'Disconnected' or 'Unlicensed' status, not 'Connected'. Option C is wrong because inbound firewall rules block incoming connections to the endpoint, but the AMP connector initiates outbound HTTPS connections to the cloud; inbound rules are irrelevant for event uploads. Option D is wrong because if the AMP connector service is stopped on the endpoint, the connector would not be able to maintain a 'Connected' status in the AMP console; the status would show 'Disconnected' or 'Offline'.

30
MCQeasy

A company uses Cisco Umbrella for cloud-delivered security. Users report that some websites are incorrectly blocked. The security team wants to allow a specific website temporarily while investigating. Which action should the administrator take?

A.Disable the Umbrella policy entirely.
B.Configure a Proxy Auto-Config (PAC) file to exclude the domain.
C.Create a custom policy rule to allow the specific domain.
D.Change the internal DNS servers to use a public resolver like 8.8.8.8.
AnswerC

This adds a targeted bypass without affecting other security.

Why this answer

The correct action is to create a custom policy rule to allow the specific domain. Cisco Umbrella uses policy-based rules to control DNS and web traffic; a custom allow rule overrides the default block for that domain without affecting other security settings. This provides a temporary, targeted exception while the investigation continues.

Exam trap

The trap here is that candidates may confuse PAC file configuration (a proxy bypass mechanism) with Umbrella's cloud-based policy enforcement, but PAC files only affect proxy traffic and cannot override DNS-layer filtering in Umbrella.

How to eliminate wrong answers

Option A is wrong because disabling the entire Umbrella policy removes all security controls, exposing the network to threats, which is excessive for a single domain issue. Option B is wrong because a PAC file controls proxy settings on endpoints, not Umbrella's cloud-based DNS or web filtering; it cannot bypass Umbrella's enforcement at the DNS layer. Option D is wrong because changing internal DNS servers to a public resolver like 8.8.8.8 bypasses Umbrella's DNS security entirely, breaking all cloud-delivered protection, not just for the specific domain.

31
Multi-Selecthard

Which THREE of the following are required for a successful 802.1X authentication on a Cisco switch? (Choose THREE)

Select 3 answers
A.Security Group Tag (SGT) must be assigned
B.A downloadable ACL (dACL) must be configured on ISE
C.The switch must be configured as a RADIUS client to ISE
D.The switch port must be configured with 'authentication port-control auto'
E.The endpoint must have a valid credential (certificate or password)
AnswersC, D, E

The switch must communicate with ISE via RADIUS for authentication.

Why this answer

For 802.1X authentication, the switch must act as a RADIUS client (authenticator) forwarding EAP frames to the ISE (authentication server). Without this configuration, the switch cannot communicate with ISE to validate the endpoint's credentials, making it a mandatory requirement.

Exam trap

Cisco often tests the distinction between authentication prerequisites and post-authentication policies, leading candidates to mistakenly select optional features like dACLs or SGTs as mandatory for the 802.1X authentication step.

32
MCQhard

You are troubleshooting a Cisco ISE deployment where some endpoints are stuck in the 'Not Compliant' posture after a posture scan. ISE logs show 'Conditional NAC Agent result: Not Compliant due to missing required application.' The application is installed on the endpoint. What should you check?

A.The NAC Agent is running an outdated version.
B.The posture policy requires a specific version that is not installed.
C.The endpoint's firewall is blocking the ISE posture probe.
D.The antivirus definition file is outdated.
AnswerB

The policy may require a particular version or update, causing the check to fail even if the application exists.

Why this answer

Option B is correct. The log indicates a missing application, but the application is installed. This often occurs when the posture policy requires a specific version or patch level that does not match what is installed. Option A is incorrect because an outdated agent version would cause a different error. Option C is incorrect because firewall blocking would prevent scan results from being returned at all. Option D is incorrect because antivirus definitions are checked separately.

33
MCQhard

Refer to the exhibit, which shows command output from a Cisco Umbrella deployment. An administrator observes that 25 DNS queries were blocked. What does this indicate?

A.Successful DNS resolution for those queries
B.Internal DNS resolution failures
C.Network congestion causing queries to timeout
D.Policy enforcement blocking malicious or unwanted domains
AnswerD

Umbrella's security policy blocks malicious domains, resulting in blocked queries.

Why this answer

The command output from a Cisco Umbrella deployment shows that 25 DNS queries were blocked. In Umbrella, DNS queries are blocked due to policy enforcement, typically when the domain being queried matches a security category (e.g., malware, phishing, command-and-control) or a custom block list. This indicates that Umbrella's cloud-delivered security policy actively prevented resolution of those 25 domains, protecting the network from malicious or unwanted content.

Exam trap

The trap here is that candidates may confuse 'blocked' with 'failed to resolve' due to network issues (like timeouts or internal DNS failures), but Cisco specifically tests that Umbrella's block count is a deliberate policy enforcement action, not a connectivity or resolution error.

How to eliminate wrong answers

Option A is wrong because a blocked DNS query means the resolution was not successful; Umbrella returns a sinkhole IP or NXDOMAIN response, preventing the client from reaching the domain. Option B is wrong because internal DNS resolution failures (e.g., server timeout, misconfiguration) would not be logged as 'blocked' by Umbrella; Umbrella blocks based on policy, not internal infrastructure issues. Option C is wrong because network congestion causing timeouts would result in query failures or retransmissions, not a deliberate block count; Umbrella's block count specifically reflects policy-driven denials, not transport-layer timeouts.

34
MCQmedium

A company is deploying Cisco Web Security Appliance (WSA) to enforce acceptable use policies. Users report that some legitimate websites are being blocked incorrectly. The security team wants to allow these sites while still blocking known malware sites. Which action should the administrator take?

A.Create a custom URL filtering policy to allow the specific URLs.
B.Disable HTTPS decryption to bypass filtering for encrypted sites.
C.Enable Data Loss Prevention (DLP) to allow the sites.
D.Increase the HTTPS decryption depth to inspect more content.
AnswerA

Custom URL filtering policies can whitelist specific URLs while keeping other blocking rules intact.

Why this answer

Option A is correct because the Cisco WSA uses URL filtering policies to control access based on URL categories and individual URLs. By creating a custom URL filtering policy that allows the specific URLs, the administrator can whitelist legitimate sites while the WSA continues to block known malware sites through its reputation-based and category-based filtering. This approach maintains security enforcement without disabling broader protections.

Exam trap

Cisco often tests the distinction between URL filtering policies (which control access based on URL categories) and other security features like DLP or HTTPS decryption, leading candidates to confuse content inspection with access control.

How to eliminate wrong answers

Option B is wrong because disabling HTTPS decryption would prevent the WSA from inspecting encrypted traffic, potentially allowing malware to pass through encrypted connections, and it does not address the issue of incorrectly blocked legitimate sites. Option C is wrong because Data Loss Prevention (DLP) is designed to prevent sensitive data from leaving the network, not to allow or block websites based on URL filtering. Option D is wrong because increasing HTTPS decryption depth allows the WSA to inspect more layers of encrypted content, but it does not resolve false positives in URL categorization; it could even increase inspection overhead without fixing the whitelisting need.

35
MCQhard

A user in the Engineering group reports that they cannot access a banking website (https://www.examplebank.com). The website is categorized as 'Financial' by the WSA. Based on the exhibit, what is the most likely cause?

A.The Malware Scanning action is set to 'Scan' but blocks the site
B.The user identification is not configured correctly
C.The Web Reputation threshold of -6.0 is blocking the site due to a low reputation score
D.The Social Networking category is set to 'Monitor' and is blocking the site
AnswerC

If the site's reputation is below -6.0, it will be blocked regardless of URL filtering.

Why this answer

The exhibit shows a Web Reputation threshold of -6.0, meaning any website with a reputation score lower than -6.0 will be blocked. The banking site 'examplebank.com' likely has a low reputation score (e.g., due to being newly registered or hosting malicious content), causing it to fall below the threshold and be blocked. This is the most direct cause because the WSA applies reputation-based filtering before other policies, and the user's inability to access the site aligns with a reputation block rather than a category or scanning issue.

Exam trap

Cisco often tests the distinction between URL category actions (Allow, Block, Monitor) and Web Reputation thresholds, where candidates mistakenly think a category like 'Financial' being allowed means the site is accessible, ignoring that a low reputation score can override category-based policies.

How to eliminate wrong answers

Option A is wrong because Malware Scanning set to 'Scan' does not block sites; it scans traffic for malware and may block only if malware is detected, but the question does not indicate malware presence. Option B is wrong because user identification misconfiguration would affect policy application based on user/group, but the exhibit shows a global reputation threshold that applies regardless of user identity, and the user is in the Engineering group which is not explicitly blocked by any policy shown. Option D is wrong because the Social Networking category is set to 'Monitor', which logs traffic without blocking it; 'Monitor' actions do not deny access, so it cannot be the cause of the block.

36
Multi-Selecthard

Which TWO of the following are valid action types that can be assigned to a file in an AMP policy rule?

Select 2 answers
A.Scan
B.Monitor
C.Quarantine
D.Block
E.Delete
AnswersC, D

Quarantine moves the file to a secure location and prevents access.

Why this answer

Options C and D are correct. AMP policy rules can set actions such as 'Quarantine' (C) and 'Block' (D). Option E is incorrect because 'Delete' is not a direct action in AMP; quarantine effectively removes the file. Option B is incorrect because 'Monitor' is a logging level, not an action. Option A is incorrect because 'Scan' is not an action; scanning is inherent.

37
MCQeasy

A network engineer is troubleshooting an IPsec VPN tunnel that fails to establish. The configuration includes a crypto map with a matching access list. Which command should be used to verify the security associations and error counters for the IPsec phase?

A.show crypto ipsec sa
B.show crypto engine statistics
C.debug crypto isakmp
D.show crypto isakmp sa
AnswerA

Displays IPsec security associations and packet/error counters.

Why this answer

The 'show crypto ipsec sa' command displays the IPsec security associations (SAs) and their associated packet/byte counters, including error counters such as 'pkts encaps failed' and 'pkts decap failed'. This directly verifies the IPsec Phase 2 SAs and identifies failures in encryption/decryption or integrity checks, which is essential for troubleshooting a tunnel that fails to establish.

Exam trap

Cisco often tests the distinction between IKE Phase 1 (ISAKMP) and IPsec Phase 2 (IPsec SA) commands, so the trap here is that candidates confuse 'show crypto isakmp sa' (Phase 1) with 'show crypto ipsec sa' (Phase 2) when the question specifically asks about IPsec phase verification.

How to eliminate wrong answers

Option B is wrong because 'show crypto engine statistics' shows the overall cryptographic hardware/software engine utilization and throughput, not per-SA IPsec phase details or error counters. Option C is wrong because 'debug crypto isakmp' is a debug command that shows IKEv1/IKEv2 Phase 1 negotiation messages, not the IPsec Phase 2 SA state or error counters; it is disruptive and should not be used for initial verification. Option D is wrong because 'show crypto isakmp sa' displays IKE Phase 1 security associations (ISAKMP SAs), not the IPsec Phase 2 SAs that are established after IKE negotiation completes.

38
MCQmedium

A company uses Cisco ISE for network access control. They want to allow employee-owned devices to access the guest network after a simple registration, while corporate devices get full access. Which ISE configuration best achieves this?

A.Use 802.1X with PEAP and machine certificates for all devices.
B.Use MAB for unknown devices, then perform posture assessment; redirect to registration portal if needed.
C.Use MAB only for corporate devices and deny all others.
D.Configure a single PSK for the guest SSID.
AnswerB

MAB captures MAC, posture checks compliance, registration portal allows onboarding.

Why this answer

Option B is correct because MAB for unknown devices followed by a posture check and redirect to a registration portal is a common BYOD flow. Option A forces 802.1X with machine certificates on all devices, which may not be supported on employee-owned devices. Option D uses a PSK, which is less secure. Option C is for corporate devices only.

39
MCQeasy

A small business uses Cisco AMP for Endpoints with a cloud-based console. The owner receives an email from Cisco that the AMP connector on a specific endpoint has gone offline. The endpoint is a Windows 10 laptop used for remote work. The owner checks the AMP console and sees the endpoint's last check-in was three days ago. The owner contacts the remote user, who says the laptop is running normally and they can access the internet. What should the owner do to resolve the issue?

A.Instruct the user to disable Windows Firewall temporarily.
B.Ask the user to install the latest Windows updates.
C.Ask the user to uninstall and reinstall the AMP connector.
D.Instruct the user to restart the AMP connector service (Cisco AMP for Endpoints Connector).
AnswerD

Restarting the service often resolves check-in issues.

Why this answer

Option D is correct because the most likely issue is that the AMP connector service has stopped or crashed. Restarting the service will re-establish communication with the cloud console. Option C (reinstall the connector) is unnecessary. Option A (Windows Firewall) is less likely since internet access works. Option B (Windows updates) is not directly related.

40
MCQeasy

An organization wants to implement MAC Authentication Bypass (MAB) for devices that do not support 802.1X. Which configuration is required on a Cisco switch to allow MAB fallback?

A.authentication priority dot1x mab
B.authentication port-control auto
C.authentication fallback mab
D.authentication order mab dot1x
AnswerD

This command configures MAB as the primary method with 802.1X as fallback.

Why this answer

Option D is correct. The command 'authentication order mab dot1x' sets the order of authentication methods, trying MAB first and then 802.1X. Option A is incorrect because 'authentication priority' does not exist in IOS. Option B is required for port control but not specifically for MAB fallback. Option C is not a valid command.

41
Multi-Selectmedium

Which TWO configuration steps are required to implement 802.1X authentication on a Cisco switch for wired clients?

Select 2 answers
A.Enable dot1x globally on the switch
B.Set the switchport mode to trunk
C.Define the RADIUS server IP and shared secret
D.Configure AAA authentication using RADIUS
E.Configure the interface as a switchport in access mode
AnswersD, E

AAA authentication is required for 802.1X.

Why this answer

Option D is correct because 802.1X requires AAA authentication to be configured on the switch to forward EAP frames to a RADIUS server for user credential verification. Without the 'aaa authentication dot1x default group radius' command, the switch cannot process authentication requests, making this a mandatory step.

Exam trap

The trap here is that candidates often confuse enabling dot1x globally (Option A) as a required step, but Cisco tests that the two mandatory steps are AAA authentication using RADIUS and configuring the interface as an access switchport, while global enablement is optional if per-interface 'dot1x port-control auto' is used.

42
Multi-Selectmedium

Which TWO actions are best practices when configuring a Cisco WSA to block malicious websites? (Choose two.)

Select 2 answers
A.Configure URL filtering categories to block known malicious categories
B.Set the default action to 'Monitor' for all categories
C.Disable user authentication to simplify policy
D.Allow all HTTPS traffic to improve performance
E.Enable Web Reputation filtering
AnswersA, E

Blocking categories like malware, phishing provides protection.

Why this answer

Option A is correct because Cisco WSA URL filtering categories allow administrators to block entire groups of known malicious sites, such as malware, phishing, or spyware categories, which are pre-classified by Cisco Talos. This provides a broad, proactive defense against threats without needing to maintain individual URL block lists. Option E is correct because Web Reputation filtering uses a scoring system (1–10, with lower scores being more malicious) to dynamically block or warn users about websites with poor reputation, even if they are not in a specific malicious category, adding a layer of behavioral analysis.

Exam trap

Cisco often tests the misconception that 'Monitor' mode is a safe default for security, when in fact it only logs traffic and does not block threats, leading candidates to incorrectly select Option B.

43
MCQ (medium)

Refer to the exhibit. The file invoice.pdf was determined to be malicious by the AMP cloud, yet the endpoint allowed it to execute. What is the most likely reason?

A. The endpoint was not up to date with the latest AMP connector patches.
B. The AMP policy was configured to allow files with a certain confidence level or based on a custom rule.
C. The file was not analyzed locally because local analysis was disabled.
D. The AMP connector lost connectivity after sending the file and fell back to a local allow policy.
Answer: B

The log explicitly states the action was due to a policy rule that allows on low confidence, overriding the malicious determination.

Why this answer

Option B is correct because the policy rule 'Allow on low confidence' overrides the cloud verdict. Option A is wrong because the patch level is not indicated as an issue. Option C is wrong because the file was analyzed locally, and a verdict was returned. Option D is wrong because the action was explicit, not a fallback.

44
Multi-Select (medium)

A company is implementing a cloud security posture management (CSPM) solution. Which TWO of the following are primary functions of CSPM?

Select 2 answers
A. Real-time inspection of network traffic for malicious patterns.
B. Vulnerability scanning of virtual machine operating systems.
C. Managing user identities and access permissions.
D. Detection and remediation of cloud resource misconfigurations (e.g., open S3 buckets).
E. Continuous monitoring of cloud infrastructure against compliance frameworks (e.g., CIS, PCI DSS).
Answers: D, E

CSPM detects misconfigurations such as publicly accessible storage.

Why this answer

CSPM is designed to detect and remediate cloud resource misconfigurations, such as publicly accessible S3 buckets, which are a leading cause of data breaches. It continuously assesses cloud infrastructure against security best practices and compliance frameworks like CIS and PCI DSS. Unlike network-based tools, CSPM focuses on the configuration state of cloud resources rather than inspecting traffic or managing identities.

Exam trap

Cisco often tests the distinction between CSPM (configuration and compliance monitoring) and CWPP (workload protection, including vulnerability scanning and runtime security), leading candidates to incorrectly select vulnerability scanning as a CSPM function.

45
Multi-Select (hard)

Which THREE elements are essential components of a secure network architecture according to Cisco's SAFE model? (Choose three.)

Select 3 answers
A. Encryption for data in transit
B. A single firewall at the internet edge
C. Authentication, authorization, and accounting (AAA)
D. Network segmentation using VLANs or VRF
E. Large broadcast domains to simplify management
Answers: A, C, D

Protects confidentiality of data traversing the network.

Why this answer

Encryption for data in transit is a core component of Cisco's SAFE model because it ensures confidentiality and integrity of traffic traversing the network. SAFE mandates encryption protocols such as IPsec, TLS, or MACsec to protect against eavesdropping and man-in-the-middle attacks. This aligns with the model's principle of maintaining trustworthiness across all communication paths.

Exam trap

Cisco often tests the misconception that a single firewall is sufficient for edge security, but the SAFE model explicitly requires a layered security stack (firewall, IPS, and web/email security) at the internet edge to achieve defense-in-depth.

46
MCQ (hard)

An administrator is troubleshooting an issue where emails sent to a specific external domain are being delayed by up to 30 minutes. The Cisco ESA is configured with multiple mail exchangers (MX) for delivery. The logs show that the ESA is attempting delivery to the primary MX, which is unresponsive, and failing over to the secondary MX after 30 minutes. What change should be made to reduce the delivery delay?

A. Enable SMTP over TLS (ESMTP) for the delivery
B. Reduce the delivery queue retry interval in the ESA settings
C. Increase the number of MX records for that domain
D. Remove the primary MX record from DNS
Answer: B

Lowering retry interval causes faster failover to secondary MX.

Why this answer

Configuring a shorter timeout or retry interval on the delivery queue will cause the ESA to fail over faster. Option C is wrong because increasing the number of MX records doesn't change the timeout. Option D is wrong because removing the primary MX record is not a good practice. Option A is wrong because enabling ESMTP does not affect the timeout.

47
MCQ (hard)

Refer to the exhibit. Based on the exhibit, what is the current state of the client and what action should the network administrator take to allow full network access?

A. The client is in a quarantine state due to posture assessment failure; the administrator should check the ISE posture policy and ensure the client meets compliance.
B. The client's authentication succeeded but authorization is incomplete; the administrator should configure a new dACL on the switch.
C. The client is being redirected to a guest portal; the administrator should disable the URL redirect and assign a new VLAN.
D. The client is fully authenticated and authorized; no action is needed.
Answer: A

The quarantine SGT and dACL, along with guest portal redirect, indicate the client failed posture assessment; fixing the client's compliance will allow full access.

Why this answer

Option A is correct because the output shows "Authz Success", but the presence of a URL redirect to a guest portal and a dACL named "PERMIT_QUARANTINE", along with SGT value 2 (commonly quarantine), indicates the client is in a quarantine state, likely due to posture assessment failure. The administrator should check the ISE posture policy. Option D is wrong because the redirect and quarantine dACL imply limited access, not full authorization.

Option C is wrong because simply disabling the redirect would not resolve the underlying compliance issue. Option B is wrong because the dACL is assigned by ISE based on policy, not manually configured on the switch.

48
MCQ (hard)

A company using Cisco Web Security Appliance (WSA) in explicit proxy mode has enabled HTTPS decryption with a custom CA certificate. A user reports that a specific banking website displays a certificate error message. The administrator verifies that the WSA is generating a certificate for that site. What is the most likely cause of the error?

A. The banking website uses HTTP Public Key Pinning (HPKP) or Certificate Pinning.
B. The WSA's time is not synchronized with the NTP server, causing certificate validity issues.
C. The WSA is not configured to generate certificates for that domain.
D. The user's browser does not trust the WSA's CA certificate.
Answer: A

Pinned certificates are compared to the original, and the WSA's generated certificate does not match, causing an error.

Why this answer

Banking websites often use dynamic certificates with extended validation (EV) and may implement certificate pinning. Because the site pins its certificate, the WSA's generated certificate will not match the original certificate's public key or subject alternative names. Option A is correct because certificate pinning causes this mismatch.

Option D is incorrect because the CA certificate is already trusted. Option C is incorrect because the WSA's certificate is generated on the fly. Option B is possible but less specific to banking sites.

49
MCQ (hard)

A company is deploying Cisco Umbrella to enforce security policies for remote users. They want to ensure that DNS requests from roaming clients are routed through Umbrella's DNS resolvers. However, some users are bypassing Umbrella by using third-party DNS servers like Google (8.8.8.8). Which configuration should be applied to prevent this?

A. Configure Content Filtering to block Google DNS
B. Add a firewall rule on each client to block port 53 to all but Umbrella
C. Enable IP Layer Enforcement in the Umbrella dashboard
D. Enable DNS Policy in the Umbrella roaming client
Answer: D

This forces all DNS requests through Umbrella and blocks alternative DNS servers.

Why this answer

Option D is correct because the Umbrella roaming client's DNS Policy feature forces all DNS traffic from the endpoint to use Umbrella's DNS resolvers, even if the user manually configures a third-party DNS server like Google (8.8.8.8). This is achieved by intercepting DNS requests at the OS level and redirecting them to the Umbrella resolvers, effectively preventing bypass attempts without relying on network-level blocks.

Exam trap

Cisco often tests the distinction between network-level enforcement (like IP Layer Enforcement) and endpoint-level enforcement (like DNS Policy in the roaming client), leading candidates to mistakenly choose IP Layer Enforcement because it sounds like a global solution, but it fails for roaming clients not connected to the corporate network.

How to eliminate wrong answers

Option A is wrong because Content Filtering in Umbrella blocks specific domains or categories, not IP addresses or DNS server endpoints; it cannot prevent a client from using a third-party DNS resolver like 8.8.8.8. Option B is wrong because adding a firewall rule on each client to block port 53 to all but Umbrella is impractical for roaming users, as it requires manual configuration on every device and does not scale; it also fails if the user has administrative rights to disable the rule. Option C is wrong because IP Layer Enforcement in Umbrella applies to network traffic based on IP addresses, but it does not intercept or redirect DNS queries at the endpoint level; it relies on the network gateway to enforce policies, which is ineffective for roaming clients that are not behind a corporate network.

50
Multi-Select (easy)

Which TWO of the following are features of Cisco Umbrella? (Choose two.)

Select 2 answers
A. Secure web gateway
B. Cloud access security broker
C. Next-generation firewall
D. Data loss prevention
E. DNS-layer security
Answers: A, E

Umbrella includes SWG capabilities.

Why this answer

Cisco Umbrella provides DNS-layer security as a core feature, which blocks requests to malicious domains before a connection is established, effectively preventing malware, phishing, and command-and-control callbacks. It also includes a Secure Web Gateway (SWG) that enforces URL filtering, application controls, and HTTPS inspection to protect users from web-based threats. These two capabilities are fundamental to Umbrella's cloud-delivered security architecture.

Exam trap

Cisco often tests the distinction between DNS-layer security and SWG as separate features of Umbrella, while tempting candidates to confuse Umbrella with a full NGFW or CASB, which are separate products in Cisco's security portfolio.

51
MCQ (easy)

A small business uses Cisco Duo for multi-factor authentication. They want to ensure that employees accessing cloud apps from personal devices are compliant with device security policies. Which Duo feature should they use?

A. Duo Mobile
B. Duo Device Health
C. Duo Network Gateway
D. Duo Access Gateway
Answer: B

Checks device compliance.

Why this answer

Option B is correct because Duo Device Health checks device security posture (OS version, encryption, etc.) before allowing access. Option D (Duo Access Gateway) is for SSO. Option C (Duo Network Gateway) is for VPN.

Option A (Duo Mobile) is the authenticator app.

52
Multi-Select (medium)

A company is deploying Cisco Email Security Appliance (ESA) to protect against phishing attacks. The security team wants to implement two security features to detect malicious URLs in emails. Which two features should be enabled? (Choose two.)

Select 2 answers
A. DomainKeys Identified Mail (DKIM) signing
B. Sender Policy Framework (SPF) verification
C. Domain-based Message Authentication, Reporting & Conformance (DMARC)
D. URL reputation filtering
E. Cisco Advanced Phishing Protection
Answers: D, E

Checks URLs against threat intelligence databases.

Why this answer

URL reputation filtering is correct because it uses the Cisco Talos threat intelligence to analyze and block emails containing malicious URLs based on real-time reputation scores. Cisco Advanced Phishing Protection is correct because it uses machine learning and behavioral analysis to detect and block sophisticated phishing URLs that may bypass traditional reputation checks.

Exam trap

Cisco often tests the distinction between email authentication protocols (DKIM, SPF, DMARC) and content-based security features, so candidates mistakenly choose authentication methods when the question explicitly asks for features that detect malicious URLs in emails.

53
MCQ (medium)

A company is implementing a Zero Trust architecture. The security team needs to ensure that all traffic between workloads in a private cloud is encrypted and mutually authenticated. Which solution best meets these requirements?

A. MACsec on the network interfaces
B. IPsec VPN between each pair of workloads
C. SSH tunnels between workloads
D. Mutual TLS (mTLS) between workloads
Answer: D

mTLS provides both encryption and mutual authentication, making it ideal for Zero Trust workload communication.

Why this answer

Mutual TLS (mTLS) provides both encryption and mutual authentication by requiring each workload to present a valid X.509 certificate during the TLS handshake. This ensures that only verified workloads can communicate, and all traffic is encrypted at the application layer, making it the ideal choice for a Zero Trust architecture where every connection is authenticated and authorized regardless of network location.

Exam trap

Cisco often tests the distinction between network-layer encryption (IPsec, MACsec) and application-layer mutual authentication (mTLS), leading candidates to choose IPsec because it is familiar for site-to-site VPNs, but they overlook that Zero Trust requires per-workload identity verification, not just encryption.

How to eliminate wrong answers

Option A is wrong because MACsec operates at Layer 2 and provides encryption and authentication only between directly connected network interfaces (e.g., switch-to-switch or host-to-switch), not between individual workloads across a routed network; it cannot enforce per-workload mutual authentication. Option B is wrong because IPsec VPN between each pair of workloads creates a full-mesh of tunnels that is operationally complex and does not natively support mutual authentication using certificates without additional configuration (e.g., IKE with certificates), and it is not designed for the dynamic, service-to-service communication typical in private clouds. Option C is wrong because SSH tunnels provide encryption and authentication but are typically used for interactive sessions or port forwarding, not for automated, high-volume workload-to-workload traffic; they lack the standardized certificate-based mutual authentication and scalability of mTLS in a service mesh.

54
MCQ (hard)

Refer to the exhibit. An ISE administrator sees this error in the logs. What is the most likely cause?

A. The ISE license does not support SGT.
B. The PassiveID identity source is not configured with the correct SGT mapping.
C. The SGT number is out of range.
D. The pxGrid connection is down.
Answer: B

PassiveID requires mapping between SGTs and identity groups; if missing, it cannot resolve the identity.

Why this answer

Option B is correct. The error indicates that PassiveID received an SGT from a network device but does not have a mapping to convert it to an identity. This typically happens when the PassiveID identity source is not configured with the correct SGT-to-identity mapping.

Option D is incorrect because a pxGrid connection failure would show different errors. Option C is incorrect because the SGT number range is not the issue. Option A is incorrect because license issues would produce different errors.

55
Multi-Select (medium)

Which TWO are valid methods for implementing Network Admission Control (NAC) in a Cisco environment?

Select 2 answers
A. 802.1X authentication
B. Dynamic ARP Inspection (DAI)
C. IP source guard
D. DHCP snooping
E. MAC Authentication Bypass (MAB)
Answers: A, E

802.1X is a standard for network access control.

Why this answer

802.1X authentication is a valid NAC method because it enforces port-based access control by requiring end devices to authenticate via EAP (Extensible Authentication Protocol) before gaining network access. It integrates with a RADIUS server (e.g., Cisco ISE) to validate credentials and dynamically assign VLANs or ACLs based on policy, making it a core NAC technology.

Exam trap

Cisco often tests the distinction between NAC enforcement mechanisms (like 802.1X and MAB) and Layer 2 security features (like DAI, IP source guard, and DHCP snooping), causing candidates to confuse port security or DHCP snooping with actual admission control methods.

56
Drag & Drop (medium)

Drag and drop the steps to configure 802.1X port-based authentication on a Cisco switch in the correct order.

Why this order

AAA and RADIUS must be configured first, then the authentication list, global 802.1X enable, and finally interface-level enable.

57
MCQ (easy)

A company wants to deploy a site-to-site VPN between two branch offices using Cisco IOS routers. The security policy requires that all traffic between the sites must be encrypted and authenticated using strong encryption. The engineer chooses IPsec with IKEv2. Which IPsec transform set configuration provides the strongest encryption and authentication?

A. transform-set ESP-AES128 ESP-SHA-HMAC
B. transform-set ESP-AES256 ESP-SHA256-HMAC
C. transform-set ESP-DES ESP-MD5-HMAC
D. transform-set ESP-3DES ESP-SHA-HMAC
Answer: B

AES-256 and SHA-256 provide strong encryption and authentication.

Why this answer

Option B is correct because it specifies AES-256 encryption, which is the strongest symmetric cipher available in IPsec transform sets, combined with ESP-SHA256-HMAC for integrity and authentication. IKEv2 supports these modern algorithms, and this configuration meets the requirement for strong encryption and authentication.

Exam trap

Cisco often tests the distinction between ESP-SHA-HMAC (which implies SHA-1) and ESP-SHA256-HMAC (which implies SHA-256), leading candidates to mistakenly choose the weaker SHA-1 option when 'strongest' is required.

How to eliminate wrong answers

Option A is wrong because AES-128 provides only 128-bit encryption, which is weaker than AES-256 and does not meet the 'strongest' requirement. Option C is wrong because DES uses a 56-bit key, which is cryptographically weak and easily broken, and MD5 is a deprecated hash algorithm with known collision vulnerabilities. Option D is wrong because 3DES, while stronger than DES, uses only 168-bit effective key strength and is considered legacy, and ESP-SHA-HMAC refers to SHA-1 (160-bit), which is no longer recommended due to collision attacks.

58
MCQ (hard)

A DevOps team is deploying microservices in Azure Kubernetes Service (AKS). They need to enforce inter-container communication policies based on labels. Which Cisco solution provides micro-segmentation for containers in AKS?

A. Cisco Firepower
B. Cisco ACI
C. Cisco ISE
D. Cisco Secure Workload
Answer: D

Secure Workload provides micro-segmentation and visibility for containers.

Why this answer

Cisco Secure Workload (formerly Tetration) is the correct solution because it provides micro-segmentation for containers in Azure Kubernetes Service (AKS) by enforcing inter-container communication policies based on labels. It uses a Kubernetes-native approach, integrating with the Kubernetes API to discover pods and services, and applies label-based policies via eBPF or sidecar proxies to control traffic between containers without modifying the application.

Exam trap

Cisco often tests the distinction between network-level micro-segmentation (ACI) and workload-level micro-segmentation (Secure Workload), so the trap here is assuming ACI can natively enforce Kubernetes label-based policies, when in fact Secure Workload is the only option that directly integrates with Kubernetes labels for container micro-segmentation in AKS.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower is a next-generation firewall (NGFW) designed for perimeter and network-layer security, not for container-level micro-segmentation within Kubernetes clusters; it cannot enforce policies based on Kubernetes labels. Option B is wrong because Cisco ACI (Application Centric Infrastructure) is a data center networking solution that provides micro-segmentation at the network fabric level using endpoint groups (EPGs), but it is not designed for container-native label-based policies in AKS and requires integration with a container networking interface (CNI) plugin, not direct Kubernetes label enforcement. Option C is wrong because Cisco ISE (Identity Services Engine) is a network access control (NAC) and policy management platform for user and device authentication on wired/wireless networks, not for container workload segmentation; it does not understand Kubernetes labels or container runtime contexts.

59
Multi-Select (medium)

Which THREE of the following are benefits of using Cisco ISE for network access control?

Select 3 answers
A. Firewall integration
B. Guest access provisioning
C. Centralized policy management
D. Storage encryption
E. URL filtering
Answers: A, B, C

ISE uses pxGrid to share context with firewalls for dynamic policy updates.

Why this answer

Cisco ISE provides centralized policy management (option C) by allowing administrators to define and enforce access policies from a single console, which simplifies network access control across the entire organization. Guest access provisioning (option B) is a native feature of ISE that enables secure, self-service or sponsored guest onboarding with customizable captive portals and role-based access. Firewall integration (option A) is a benefit because ISE can dynamically communicate with Cisco firewalls (e.g., ASA, Firepower) via pxGrid to enforce context-aware policies, such as quarantining an infected endpoint or granting micro-segmentation based on user identity and device posture.

Exam trap

Cisco often tests the distinction between ISE's core AAA and policy management functions versus features like encryption or URL filtering that belong to other security domains, leading candidates to mistakenly attribute all security capabilities to a single product.

60
MCQ (hard)

A Cisco WSA appliance is configured with explicit proxy mode. Users report that they cannot access external HTTPS websites, but HTTP works fine. The proxy logs show 'SSL handshake failed' errors. What is the most likely reason?

A. The HTTPS proxy port is not configured on the WSA.
B. The WSA's SSL certificate is not trusted by the clients.
C. The WSA is configured to forward HTTPS traffic without decryption.
D. Client certificates are required for authentication.
Answer: B

Clients must trust the WSA's certificate for HTTPS interception.

Why this answer

In explicit proxy mode, the Cisco WSA must intercept HTTPS traffic by performing a man-in-the-middle (MITM) decryption. For this to work, the WSA presents its own SSL certificate to the client. If that certificate is not trusted by the client's browser or operating system (i.e., not installed in the trusted root certificate store), the client will reject the SSL handshake, resulting in 'SSL handshake failed' errors.

HTTP traffic is unaffected because it does not involve certificate validation.

Exam trap

Cisco often tests the distinction between proxy configuration (port settings) and SSL decryption trust (certificate validation), leading candidates to mistakenly focus on port numbers or forwarding modes instead of the certificate trust chain.

How to eliminate wrong answers

Option A is wrong because the HTTPS proxy port (typically 3128 or 8080) is configured separately from the decryption function; the error is about the SSL handshake, not about port misconfiguration. Option C is wrong because forwarding HTTPS traffic without decryption (i.e., using the CONNECT method) would not cause an SSL handshake failure at the proxy level—the proxy would simply tunnel the traffic, and the handshake would occur between the client and the destination server. Option D is wrong because client certificate authentication is an optional feature for mutual TLS; it is not required for basic HTTPS decryption, and its absence would not cause a generic 'SSL handshake failed' error.

61
MCQ (medium)

An engineer applies the ACL shown in the exhibit to the inbound direction of interface GigabitEthernet0/0. The goal is to block all traffic from host 10.1.1.100 to the 192.168.0.0/16 network. However, traffic from 10.1.1.100 to 192.168.1.1 is still being permitted. What is the most likely reason?

A. The deny entry should be placed after the permit entry
B. The ACL should be applied outbound instead of inbound
C. The ACL is applied to the wrong direction; it should be 'out'
D. The traffic from 10.1.1.100 is entering through a different interface
Answer: D

If the traffic does not enter via GigabitEthernet0/0, the ACL will not be applied to it.

Why this answer

Option D is correct because ACLs process traffic only on the interface and direction to which they are applied. If the ACL is applied inbound on GigabitEthernet0/0 but the traffic from host 10.1.1.100 to 192.168.1.1 enters through a different interface (e.g., GigabitEthernet0/1), the ACL will never evaluate that traffic, allowing it to pass. This is a fundamental behavior of interface-based ACL filtering in Cisco IOS.

Exam trap

The trap here is that candidates often assume an ACL applied inbound on one interface will filter all traffic from a source, but Cisco tests the understanding that ACLs are interface- and direction-specific, and traffic can bypass the ACL if it enters through a different interface.

How to eliminate wrong answers

Option A is wrong because the order of entries in an ACL is critical; the deny entry must be placed before any permit entries that could match the same traffic, but here the deny is already first, so moving it after would make the problem worse, not fix it. Option B is wrong because applying the ACL outbound instead of inbound would not help if the traffic is entering through a different interface; the ACL would still only filter traffic exiting that specific interface, not traffic entering elsewhere. Option C is wrong because the direction 'in' vs 'out' is irrelevant if the traffic never traverses the interface where the ACL is applied; the ACL must be placed on the interface where the traffic enters the router.

62
Drag & Drop (medium)

Drag and drop the steps to configure a Cisco ISE as a RADIUS server for network access control into the correct order.

Why this order

First add the NAS, then define identity source, authentication policy, authorization policy, and finally test.

63
MCQ (medium)

A company is deploying a cloud-native application using microservices on AWS. They need to ensure that inter-service communication is encrypted and authenticated. The security team wants to use mutual TLS (mTLS) without managing individual certificates. Which solution should they implement?

A. Use AWS IAM roles for each microservice to authenticate via AWS Signature Version 4.
B. Store certificates in AWS Secrets Manager and configure sidecar proxies to retrieve them.
C. Deploy AWS CloudHSM to generate keys and certificates for each microservice.
D. Use AWS Certificate Manager Private CA with a service mesh (e.g., Istio) to issue and rotate certificates for each service.
Answer: D

ACM Private CA can issue certificates for mTLS, and service mesh can automate certificate distribution.

Why this answer

Option D is correct because AWS Certificate Manager Private CA can integrate with a service mesh like Istio to automatically issue, distribute, and rotate mTLS certificates for each microservice. This eliminates the need for manual certificate management while ensuring encrypted and authenticated inter-service communication via mutual TLS.

Exam trap

Cisco often tests the distinction between authentication mechanisms (IAM SigV4 vs. mTLS) and automation requirements, leading candidates to choose a manual certificate storage solution (like Secrets Manager) instead of an integrated PKI and service mesh approach.

How to eliminate wrong answers

Option A is wrong because AWS IAM roles and Signature Version 4 are used for signing HTTP requests to AWS APIs, not for encrypting or authenticating inter-service communication at the transport layer with mTLS. Option B is wrong because storing certificates in AWS Secrets Manager and having sidecar proxies retrieve them still requires manual certificate generation, renewal, and distribution, which does not meet the requirement of 'without managing individual certificates'. Option C is wrong because AWS CloudHSM provides hardware security module (HSM) capabilities for key generation and storage, but it does not automate certificate issuance, rotation, or distribution for microservices; it also requires significant operational overhead to manage certificates.

64
MCQ (hard)

A financial company has a data center with Cisco FTD firewalls in a high-availability pair. They use Cisco ISE for network access control and Cisco Stealthwatch for network visibility. Recently, they deployed a new web application that is accessed by both internal employees and external customers. The application uses HTTPS on port 443. After deployment, the security team notices that the FTD is dropping some HTTPS sessions that appear legitimate. The drops are inconsistent and seem to occur only during peak hours. The FTD logs show the drop reason as 'TCP state violation'. The team has verified that the web server and clients are configured correctly. The Stealthwatch reports show no anomalies. What is the most likely cause and solution?

A. Enable SSL decryption to inspect the encrypted traffic
B. Increase the TCP timeout values on the FTD to accommodate longer sessions
C. Block all traffic to the web server except from trusted IPs
D. Configure TCP state bypass on the FTD for the web server traffic
Answer: D

Bypassing state tracking allows packets that may be asymmetric to pass without being dropped.

Why this answer

The 'TCP state violation' drops during peak hours indicate that the FTD's stateful inspection engine is seeing TCP segments that do not match the expected state machine, likely due to asymmetric routing or session timeouts under load. Configuring TCP state bypass for the web server traffic disables stateful inspection for those flows, allowing the firewall to forward packets based on ACLs alone without tracking TCP states, which resolves the issue without compromising security for legitimate traffic.

Exam trap

The trap here is that candidates often assume SSL decryption is needed for encrypted traffic issues, but the 'TCP state violation' drop reason directly points to a stateful inspection problem, not an encryption inspection problem.

How to eliminate wrong answers

Option A is wrong because SSL decryption would add processing overhead and is not designed to fix TCP state violations; it addresses content inspection, not stateful firewall drops. Option B is wrong because increasing TCP timeouts might help if sessions are timing out prematurely, but the drops are inconsistent and occur during peak hours, suggesting a state tracking issue under load rather than timeout expiration. Option C is wrong because blocking all traffic except from trusted IPs would deny external customers access, which contradicts the requirement that the application is accessed by both internal employees and external customers, and it does not address the TCP state violation drops.

65
MCQhard

An organization is implementing TrustSec to enforce micro-segmentation. The Security Group Tag (SGT) is assigned to a user via ISE after authentication. However, traffic from this user to a server with SGT 5 is being dropped. The administrator checks the SGACL configuration on the switch and finds the following: 'permit ip source 2 destination 5'. What is the most likely reason for the traffic being dropped?

A.The PAC on the switch has expired
B.SXP is not configured between ISE and the switch
C.The CTRL protocol is not enabled on the switch
D.The SGACL defaults to deny if no explicit permit is found for the source-destination SGT pair
AnswerD

TrustSec applies an implicit deny; the permit entry covers only the source SGT 2 to destination SGT 5 pair, so a user holding any other tag falls through to the deny.

Why this answer

The SGACL on the switch permits traffic only for the exact cell source SGT 2 to destination SGT 5. SGACLs are evaluated per source/destination SGT pair, and anything without a matching permit is dropped by the implicit deny. The question never says the user was assigned SGT 2. If ISE assigned the user any other tag, or the switch has no IP-to-SGT binding for the user's address (untagged traffic is classified as SGT 0, Unknown), the 2-to-5 permit does not apply, no other permit exists for that pair, and the traffic is dropped by the default deny.

Option D correctly identifies this default behavior.

Exam trap

Cisco often tests the implicit deny behavior of SGACLs, where candidates mistakenly assume that a single permit entry allows all traffic between the specified SGTs, overlooking that the SGACL must explicitly match the source-destination pair and that any unmatched traffic is denied by default.

How to eliminate wrong answers

Option A is wrong because an expired PAC (Protected Access Credential) would stop the switch from authenticating to ISE over EAP-FAST to refresh environment data and download policy, but the SGACL is already on the switch, which shows that download succeeded. Option B is wrong because SXP (SGT Exchange Protocol) only carries IP-to-SGT bindings between devices that cannot tag inline; enforcement here happens on the switch that already holds both the SGACL and the user's SGT from ISE, so SXP is not needed for this cell to be enforced. Option C is wrong because there is no 'CTRL protocol' in Cisco TrustSec; environment data and SGACL download use RADIUS between the switch and ISE, and the presence of the SGACL on the switch shows the control plane is working. The problem is the ACL logic and the user's actual tag, not a protocol.
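An added example, not taken from the page, of what the matching policy looks like when defined locally in IOS (ISE would normally push the equivalent cells) and of the commands that show which tag the user actually received; VLAN 10, the interface, the server address 10.10.20.5 and the ACL names are placeholders:

```cisco
! Enforcement must be on, globally and for the VLAN the server lives in.
cts role-based enforcement
cts role-based enforcement vlan-list 10

! Static IP-to-SGT mapping for the server (placeholder address) so its
! traffic is classified as SGT 5 even without a binding learned from ISE.
cts role-based sgt-map 10.10.20.5 sgt 5

! Role-based ACLs carry only the protocol/port part; the source and
! destination tags come from the permissions binding below.
ip access-list role-based WEB_TO_APP
 permit tcp dst eq 443
 deny ip

ip access-list role-based DENY_ALL
 deny ip

! Bind the ACL to the cell source SGT 2 -> destination SGT 5. Any other
! (source, destination) pair has no entry and is handled by the default
! policy, made explicit here so nobody has to guess what it is.
cts role-based permissions from 2 to 5 WEB_TO_APP
cts role-based permissions default DENY_ALL

! Verification: which tag did the user really get on the access port?
show authentication sessions interface GigabitEthernet1/0/7 details
show cts role-based sgt-map all

! Which cells exist, and are the drops landing on the default cell?
show cts role-based permissions
show cts role-based counters
```

If `show cts role-based sgt-map all` shows the user's address under a tag other than 2, or not at all, the 2-to-5 permit was never in play and the counters for the default cell will be the ones incrementing.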

66
MCQmedium

Refer to the exhibit. An IPsec VPN tunnel between two routers is not passing traffic. IKE phase 1 is not complete (MM_NO_STATE). Phase 2 has no SA. Which issue is most likely causing the problem?

A.The remote peer is not reachable due to a routing issue.
B.IKE policy mismatch (e.g., encryption, hash, or pre-shared key) causes phase 1 failure.
C.The ACL defining interesting traffic is misconfigured.
D.Mismatched IPsec transform sets between the peers.
AnswerB

MM_NO_STATE indicates no IKE SA; common cause is policy or PSK mismatch.

Why this answer

The IKE phase 1 state is MM_NO_STATE, which indicates that the Internet Key Exchange (IKE) Main Mode negotiation has not completed. This typically occurs when the peers cannot agree on the IKE policy parameters (encryption, hash, Diffie-Hellman group, authentication method, or pre-shared key). Since phase 2 (IPsec SA) depends on a successful phase 1, the failure cascades, making an IKE policy mismatch the most likely root cause.

Exam trap

Cisco often tests the distinction between IKE phase 1 and phase 2 failures, and the trap here is that candidates confuse a phase 2 issue (like ACL or transform set mismatch) with a phase 1 issue, but MM_NO_STATE specifically indicates phase 1 is incomplete.

How to eliminate wrong answers

Option A is less likely given the scenario, but the state alone does not rule it out: on an IOS router an unreachable peer also leaves the initiator's SA in MM_NO_STATE, because the router keeps retransmitting the first Main Mode message and never gets a reply. The distinguishing evidence comes from 'debug crypto isakmp' (a policy mismatch shows the peer answering and rejecting the proposal, with messages such as 'atts are not acceptable'; an unreachable peer shows only retransmits) and from a plain ping to the peer address. Option C is wrong because the ACL that defines interesting traffic only determines what triggers, and is protected by, the phase 2 (IPsec SA) negotiation; if it never matched, no IKE SA would have been created at all, so an SA sitting in MM_NO_STATE shows that phase 1 was triggered and then stalled. Option D is wrong because mismatched transform sets break phase 2, not phase 1; with a transform-set mismatch 'show crypto isakmp sa' on a router would still show QM_IDLE (the completed phase 1 state on IOS; the ASA reports it as MM_ACTIVE) while 'show crypto ipsec sa' showed no SAs. Note also that a pre-shared key mismatch in Main Mode typically gets past MM_NO_STATE and fails at MM_KEY_EXCH, when the peers try to authenticate each other; the attribute mismatches in option B (encryption, hash, Diffie-Hellman group, authentication method) are what keep the SA at MM_NO_STATE.
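As an added example that is not part of the original question, here is a matching IKEv1/IPsec configuration for two IOS routers and the order in which to read the verification commands when phase 1 stalls; the addresses 203.0.113.1 and 203.0.113.2, the private prefixes, the key string and the object names are placeholders:

```cisco
! ---- R1 (placeholder WAN address 203.0.113.1) ----
! Phase 1 policy. R2 must offer a policy whose encryption, hash, DH group
! and authentication method all match; the priority number (10) need not.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key R1R2-PSK-placeholder address 203.0.113.2

! Phase 2 material: transform set and interesting traffic.
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
ip access-list extended VPN-INTERESTING
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address VPN-INTERESTING
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP

! ---- R2 (placeholder WAN address 203.0.113.2) ----
! Same policy attributes and the same key string, keyed to R1's address.
! Changing any of encryption / hash / group / authentication on only one
! side reproduces the MM_NO_STATE symptom from the question.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key R1R2-PSK-placeholder address 203.0.113.1

! ---- Troubleshooting order on R1 ----
! 1. Is the peer reachable at all? An unreachable peer also shows MM_NO_STATE.
ping 203.0.113.2 source 203.0.113.1
! 2. Phase 1 state: MM_NO_STATE (no agreement), MM_KEY_EXCH (often a PSK
!    mismatch), QM_IDLE (phase 1 complete on IOS).
show crypto isakmp sa
! 3. Why it stalled: "atts are not acceptable" means the peer rejected the policy.
debug crypto isakmp
! 4. Only meaningful once phase 1 shows QM_IDLE: phase 2 SAs and counters.
show crypto ipsec sa
```

The mirror-image ACL on R2 (10.2.0.0/16 to 10.1.0.0/16) and a matching transform set are phase 2 concerns; they will not move the SA out of MM_NO_STATE if the phase 1 policies disagree.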

67
Multi-Selectmedium

Which TWO of the following are valid methods for deploying Cisco Firepower Threat Defense (FTD) in high availability?

Select 2 answers
A.Active/Active failover
B.Clustering
C.Load balancing with external load balancer
D.Active/Standby failover
E.StackWise
AnswersB, D

FTD supports clustering for high availability and scalability.

Why this answer

Cisco FTD supports high availability through Active/Standby failover (option D) and clustering (option B). Active/Standby failover provides stateful redundancy with one unit handling traffic while the other monitors and takes over upon failure. Clustering groups multiple FTD devices into a single logical unit for both high availability and scalability, distributing traffic across members.

Exam trap

Cisco often tests the misconception that FTD supports Active/Active failover as the ASA does (there it depends on multiple-context mode, which FTD does not have). FTD's high-availability choices are Active/Standby failover and, on platforms that support it, clustering.

68
Multi-Selectmedium

A network engineer is implementing Cisco TrustSec. Which two components are required to enforce Security Group Access Control List (SGACL) policies? (Choose two)

Select 2 answers
A.Cisco Wireless LAN Controller
B.Cisco Catalyst switch with CTS
C.Cisco ISE Policy Service Node
D.Cisco ASA Firewall
E.Cisco AnyConnect Secure Mobility Client
AnswersB, C

Enforces SGACL at the switch level.

Why this answer

Options B and C are correct. Cisco ISE (option C), specifically its Policy Service Node, is the policy server: it authenticates the endpoint, assigns the SGT and serves the SGACL matrix that enforcement points download. A Cisco Catalyst switch with CTS (option B) is the enforcement point that classifies traffic by SGT and applies the SGACLs.

Option D (ASA) can also act as a TrustSec enforcement point, using SGT-based rules in its access policy, but it is not required for a basic SGACL deployment. Option A (WLC) can classify and, on supported models, enforce, but it is not a core requirement. Option E (AnyConnect) is an endpoint client; it does not enforce SGACLs.

69
MCQhard

Refer to the exhibit. An analyst reviews the log from a Cisco Secure Endpoint connector. The file 'invoice.pdf.exe' was quarantined. What best describes the detection process that occurred?

A.The file was blocked at execution time by Exploit Prevention.
B.The cloud reputation was unknown, but local analysis detected malicious behavior, triggering quarantine.
C.The cloud reputation determined the file was malicious and instructed the connector to quarantine.
D.The file was executed and then reverted by the retrospective engine.
AnswerB

Log shows cloud result UNKNOWN, then local analysis verdict Malicious.

Why this answer

Option B is correct because the log shows the file 'invoice.pdf.exe' was quarantined based on local analysis after the cloud reputation returned an unknown verdict. Cisco Secure Endpoint uses a multi-layered approach: if the cloud reputation is unknown, the connector performs local analysis (e.g., static analysis, behavioral monitoring) to detect malicious behavior. In this case, the local analysis flagged the file as malicious, triggering the quarantine action.

Exam trap

Cisco often tests the distinction between cloud reputation, local analysis, and retrospective analysis — the trap here is assuming that quarantine always requires a malicious cloud verdict, when in fact local analysis can independently trigger quarantine when the cloud verdict is unknown.

How to eliminate wrong answers

Option A is wrong because Exploit Prevention blocks exploits at execution time by monitoring for specific exploit techniques (e.g., heap spray, ROP), not by analyzing file reputation or behavior after execution; the log indicates quarantine after analysis, not a block at execution. Option C is wrong because the cloud reputation was unknown, not malicious; if the cloud had determined the file was malicious, it would have instructed the connector to block or quarantine immediately without requiring local analysis. Option D is wrong because the retrospective engine reverts files after they have been executed and later found malicious via cloud or local analysis; the log shows quarantine during the initial analysis, not a post-execution revert.

70
MCQeasy

Refer to the exhibit. A security engineer reviews the Cisco Secure Endpoint policy. If an endpoint is offline when a user downloads a file, what will happen?

A.The file will be held until the endpoint comes online and a cloud lookup completes.
B.The file will be quarantined due to the aggressive exploit prevention level.
C.The file will be allowed because local cache will store an unknown disposition.
D.The file will be blocked immediately by scan-on-write.
AnswerC

Local cache stores unknown disposition; file is allowed until cloud lookup can be performed later.

Why this answer

When an endpoint is offline, the connector cannot query the cloud for the file's disposition. It checks its local cache; a file it has never seen has no cached verdict, so the lookup result is unknown and the connector allows the file to run rather than holding it. The cache keeps that unknown entry for the policy's Unknown TTL (one of the Cache Settings values in the Secure Endpoint policy) and the connector retries the lookup once the cloud is reachable again. Two things still apply offline: the local signature engine (TETRA on Windows) can block a file it recognizes, and once the connector reconnects, a later malicious verdict is applied retrospectively to the file it already allowed.

Exam trap

Cisco often tests the misconception that offline endpoints block or quarantine unknown files, when in fact the connector fails open for an unknown disposition: the file runs, the unknown verdict is cached for the policy's TTL, and the cloud lookup is retried later.

How to eliminate wrong answers

Option A is wrong because the connector does not hold files pending a lookup when offline; it allows unknown files and retries the lookup later. Option B is wrong because the exploit prevention level governs the in-memory exploit protections, not the disposition decision for a downloaded file while offline. Option D is wrong because scan-on-write can only block a file that a local signature (TETRA) or a cached verdict identifies as malicious; a file with an unknown disposition and no local match is not blocked.

71
MCQmedium

An organization is deploying Cisco Secure Endpoint (AMP) in a high-security environment where endpoints are air-gapped from the internet. The security team needs to maintain up-to-date threat intelligence without direct cloud access. They have a dedicated local server that can download feeds from the AMP cloud once and distribute to endpoints. The server runs the AMP Private Cloud software. However, after installation, endpoints are not receiving updates. The team verifies that the Private Cloud server can reach the AMP cloud via a managed proxy. The endpoints can communicate with the Private Cloud server on TCP 443. What is the most likely cause of the update failure?

A.The proxy is not properly configured to allow HTTPS from the Private Cloud to the AMP cloud.
B.The Private Cloud appliance has not been registered and licensed in the AMP console.
C.The endpoints are using an incorrect certificate to authenticate to the Private Cloud.
D.The Private Cloud server's disk is full, preventing new update downloads.
AnswerB

Registration is required to sync threat intelligence.

Why this answer

Option B is correct because a Private Cloud appliance must be registered with Cisco and licensed before it can pull threat intelligence and disposition updates from the AMP cloud; until then it has nothing to serve to the connectors. Option A (proxy misconfiguration) is ruled out by the scenario, since the team has already verified that the appliance reaches the AMP cloud through the managed proxy.

Option C is unlikely: the connectors already reach the appliance on TCP 443, and a certificate problem would show up as connector registration or lookup errors on the appliance, not as a missing update feed. Option D would produce explicit disk-space errors in the appliance logs, and a freshly installed appliance is unlikely to be out of space.

72
Multi-Selectmedium

A network administrator is configuring port security on a Cisco switch port connected to a single endpoint. The requirement is that only the first device that connects to the port is allowed, and any subsequent device that attempts to connect must trigger an error-disabled state. Which two features must be configured to meet this requirement?

Select 2 answers
A.switchport port-security aging type inactivity
B.switchport port-security mac-address sticky
C.switchport port-security mac-address 0000.1111.2222
D.switchport port-security violation shutdown
E.switchport port-security maximum 1
AnswersB, E

Sticky learning dynamically learns and remembers the first MAC.

Why this answer

Option B is correct because the 'switchport port-security mac-address sticky' command dynamically learns the MAC address of the first connected device and saves it as a sticky secure MAC address in the running configuration. Option E is correct because setting the maximum number of secure MAC addresses to 1 ensures that only the first device's MAC address is allowed; any additional device will trigger a security violation. Together, these two features enforce that only the first device can connect, and subsequent devices cause the port to enter an error-disabled state when combined with the shutdown violation mode.

Exam trap

Cisco often tests whether candidates know the port-security defaults: shutdown is the default violation mode, so 'switchport port-security violation shutdown' adds nothing the switch is not already doing, and the expected pair is the sticky and maximum commands. (The default maximum is also 1, but the exam expects it stated explicitly; sticky is what makes the learned address survive a reload once the configuration is saved, and both commands need 'switchport port-security' itself enabled on the port.)
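As an added example, not from the original page, the full interface configuration that meets the requirement, plus the optional recovery timer and the commands that show what was learned; the interface name and VLAN are placeholders:

```cisco
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 ! Port security must be enabled before the two settings from the question
 ! take effect.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! Default violation mode; stated here only to make the intent visible.
 switchport port-security violation shutdown

! Optional: recover an err-disabled port after 10 minutes instead of
! requiring a manual shutdown / no shutdown on it.
errdisable recovery cause psecure-violation
errdisable recovery interval 600

! Verification: after the first host connects, and after a second one tries.
show port-security interface GigabitEthernet1/0/10
show port-security address
show interfaces status err-disabled
```

After the first host connects, the running configuration gains a 'switchport port-security mac-address sticky <mac>' line under the interface; save it, or the learned address is lost on reload.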

73
MCQhard

Refer to the exhibit. A network administrator configured IP Source Guard and DHCP Snooping on a switch. A host connected to GigabitEthernet0/2 with MAC address 0050.7966.6801 has been assigned IP 192.168.1.10 via DHCP. The host now tries to use IP 192.168.1.20. What will happen?

A.The switch drops all traffic from the host with source IP 192.168.1.20.
B.The switch sends an ARP probe to verify the IP is unused, then updates the binding.
C.The switch updates the binding table to allow 192.168.1.20.
D.The switch allows the traffic because the host is trusted on that port.
AnswerA

IP Source Guard filters traffic based on the binding table; unmatched source IPs are dropped.

Why this answer

IP Source Guard uses the DHCP snooping binding table to enforce IP-to-port mapping on untrusted ports. The host on GigabitEthernet0/2 with MAC 0050.7966.6801 holds a binding for 192.168.1.10 only. When it sources packets from 192.168.1.20, the switch checks the source address against the bindings for that port; no binding for 192.168.1.20 exists there, so the switch drops all IP traffic from the host that uses source IP 192.168.1.20, which defeats the spoofing attempt, while traffic still sourced from 192.168.1.10 continues to pass. Note that a plain 'ip verify source' checks the source IP (and VLAN) only; the source MAC is checked as well only when the feature is enabled as 'ip verify source port-security' together with port security on the port, or with the MAC-check form some platforms offer ('ip verify source mac-check').

Exam trap

Cisco often tests the misconception that IP Source Guard allows traffic from a trusted host or that it dynamically updates bindings via ARP, when in fact it strictly enforces the DHCP snooping binding table and drops any non-matching traffic.

How to eliminate wrong answers

Option B is wrong because IP Source Guard does not send ARP probes; it simply drops traffic that does not match the DHCP snooping binding, and it does not dynamically update bindings based on ARP. Option C is wrong because the binding table is only updated via DHCP snooping (DHCP ACK messages) or static configuration, not by the host arbitrarily changing its IP address. Option D is wrong because the host is not configured as a trusted port for DHCP snooping; trust is applied to uplink ports (e.g., toward the DHCP server), not to access ports like GigabitEthernet0/2.
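An added example (not from the original page) of the DHCP snooping and IP Source Guard configuration behind this question, using the question's MAC and addresses; VLAN 10, the uplink interface and the rate limit are placeholders:

```cisco
! DHCP snooping builds the binding table that IP Source Guard filters against.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option

! The uplink toward the DHCP server (placeholder) is the only trusted port.
interface GigabitEthernet0/1
 description Uplink toward distribution / DHCP server
 ip dhcp snooping trust

! The access port from the question: untrusted, DHCP rate-limited, and
! source-guarded with the MAC check (needs port security on the port).
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 switchport port-security
 ip verify source port-security

! If the host were statically addressed instead of using DHCP, the same
! binding would be entered by hand so IPSG has something to permit.
ip source binding 0050.7966.6801 vlan 10 192.168.1.10 interface GigabitEthernet0/2

! Verification: the binding the host may use, and what IPSG enforces per port.
show ip dhcp snooping binding
show ip verify source interface GigabitEthernet0/2
```

With this in place, a packet from 192.168.1.20 on GigabitEthernet0/2 matches no binding and is dropped silently; 'show ip verify source' lists the permitted IP/MAC pair for the port so the mismatch is easy to confirm.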

74
MCQeasy

A junior engineer is configuring MAB (MAC Authentication Bypass) on a Cisco switch for legacy printers. After configuration, the printers are still being placed into the default VLAN instead of the authorized VLAN. Which configuration is missing?

A.authentication port-control auto
B.authentication order mab
C.dot1x pae authenticator
D.spanning-tree portfast
AnswerB

This makes MAB the first method tried on the port, so the printer is authorized without waiting through the 802.1X timeouts.

Why this answer

Option B is correct because 'authentication order mab' puts MAB first on the port. A printer has no 802.1X supplicant, so with the default order the switch starts with 802.1X, sends EAP-Identity requests that are never answered, and only after the 802.1X timeouts expire does it fall back to MAB; during that window the port carries the default VLAN, which is what the engineer sees. Putting MAB first removes the wait, and the authorization VLAN returned by the RADIUS server is applied as soon as the MAC is accepted. (The port also needs 'mab' itself on the interface, and 'authentication priority' is usually set alongside 'authentication order' so that a host with a supplicant can still win with 802.1X.) Option A is incorrect because 'authentication port-control auto' only turns authentication on for the port and is presumably already present, since MAB was configured at all.

Option C is incorrect because 'dot1x pae authenticator' enables the 802.1X authenticator role on the port and is not needed for MAB. Option D is incorrect because 'spanning-tree portfast' only speeds up forwarding on an access port; it has nothing to do with which authentication method runs.
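As an added example that is not part of the original question, a complete MAB-first port configuration with the global AAA it depends on; the RADIUS server address and key, the interface, VLAN 10 and the server name are placeholders, and the example also shows the 'authentication priority' line that usually accompanies the ordering:

```cisco
! Global AAA toward the RADIUS server (placeholder address and key).
aaa new-model
radius server ISE-PSN
 address ipv4 10.0.0.15 auth-port 1812 acct-port 1813
 key RadiusKey-placeholder
! MAB uses the dot1x authentication list, so both lines are needed for it.
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control

! Printer port: MAB is tried first so the printer is authorized at once;
! 802.1X keeps the higher priority so a host with a supplicant can still
! use it if it starts EAP.
interface GigabitEthernet1/0/5
 description Legacy printer
 switchport mode access
 switchport access vlan 10
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode single-host
 mab
 dot1x pae authenticator
 spanning-tree portfast

! Verification: the method that authorized the session and the VLAN the
! RADIUS server returned.
show authentication sessions interface GigabitEthernet1/0/5 details
show mab interface GigabitEthernet1/0/5 details
```

In the session details the Method column should read mab and the VLAN should be the one returned by the RADIUS server rather than the port's configured access VLAN; if it still shows dot1x as the method in progress, the ordering did not take effect.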

75
MCQhard

A multinational company plans to deploy Cisco AMP for Endpoints across 10,000 endpoints in geographically diverse offices. The security team is concerned about WAN bandwidth usage when endpoints communicate with the AMP cloud. Which design approach best minimizes cloud communication traffic while maintaining effective protection?

A.Disable real-time file scanning and rely on scheduled scans only.
B.Reduce the frequency of file reputation lookups by setting a longer cache time.
C.Deploy a forward proxy to cache AMP cloud responses.
D.Deploy an AMP Private Cloud appliance on-site to handle local reputation queries.
AnswerD

Private Cloud provides local caching and reduces internet traffic.

Why this answer

Option D is correct because a Private Cloud appliance on site answers the connectors' reputation queries locally, so only the appliance's own synchronization with the AMP cloud crosses the WAN; the lookups from 10,000 endpoints stay on the LAN. Option A is wrong because disabling real-time scanning removes protection at the moment a file is written or executed, which is exactly when it matters. Option B is wrong because a longer cache TTL reduces repeat lookups only for files already seen and delays the point at which a changed verdict reaches the endpoint; it does nothing for first-seen lookups, which dominate at this scale.

Option C is wrong because a generic forward proxy cannot cache the connector's per-file disposition lookups (they are not ordinary cacheable HTTP objects), so it adds latency without reducing the number of cloud queries.
