Cisco SCOR / CCNP Security Core 350-701 — Questions 676-750

988 questions total · 14 pages · All types, answers revealed


Page 10 of 14

676
MCQ · hard

An engineer is configuring a Modular Policy Framework (MPF) on a Cisco ASA to inspect HTTP traffic and apply QoS. The engineer creates a class-map to match HTTP traffic using the 'match port tcp 80' command. However, the policy is not being applied correctly. What is the most likely reason?

A.The class-map should use 'match any' instead of 'match port tcp 80'.
B.The ASA does not support HTTP inspection via MPF.
C.The service-policy must be applied globally, not to an interface.
D.The default global inspection policy already inspects HTTP traffic, and the new policy may be overridden.
Answer: D

The ASA already has a global service policy (global_policy) whose inspection_default class matches the default inspection traffic, which includes TCP/80; a second global policy is not accepted, so the new HTTP class has to be added to global_policy or the new policy map must be attached to an interface.

Why this answer

An ASA accepts exactly one global service policy and at most one service policy per interface. The default configuration already attaches global_policy globally, so a second 'service-policy <name> global' is rejected, and a policy map that is never attached does nothing. Inside a policy map a packet is matched against the classes in order and handled by at most one class per feature type (one inspection class, one QoS class), and when both an interface policy and the global policy match a flow, the interface policy wins for that interface. 'match port tcp 80' is a valid class definition; the mistake is where the policy is attached.

The practical fixes are to add the new class, with its inspection and QoS actions, to global_policy itself, or to attach the new policy map to the specific interface. Before assuming which policy handles port 80, run 'show service-policy' and check which inspections are actually enabled in global_policy: on a default configuration the inspection_default class matches TCP/80, but HTTP inspection itself is not turned on there unless an administrator added it.

677
MCQ · hard

A company uses Azure AD Conditional Access policies to enforce security for cloud applications. They need to require MFA for all external users accessing a sensitive SaaS app, but only when the access is from an untrusted network. Which condition should be configured in the policy?

A.Use device compliance condition
B.Use risk-based conditional access
C.Configure the policy for 'All locations'
D.Configure the policy for 'Any location' and exclude 'All trusted locations'
Answer: D

This ensures MFA is required only when not from a trusted location.

Why this answer

Conditional Access evaluates a named-location condition alongside the user and application assignments. Targeting 'Any location' and excluding 'All trusted locations' makes the policy apply only when the sign-in originates outside the IP ranges marked as trusted, which is exactly the requested behaviour. 'All locations' with no exclusion would prompt for MFA on trusted networks as well, and device compliance and sign-in risk are separate conditions that say nothing about where the request came from. Scope the external users with the 'Guest or external users' assignment, and define the trusted named locations first, because the exclusion has no effect until they exist.

678
Multi-Select · medium

A network administrator is deploying Cisco ISE for network access control. The administrator needs to profile devices that connect to the network. Which TWO probes can be used to gather information for device profiling? (Choose two.)

Select 2 answers
A.SNMP probe
B.DNS probe
C.DHCP probe
D.HTTP probe
E.Device Sensor
Answers: C, D

The DHCP probe learns the hostname, vendor class and other DHCP options from the endpoint's requests; the HTTP probe captures the browser User-Agent string.

Why this answer

Both are standard ISE profiling probes: DHCP attributes (option 12 hostname, option 60 vendor class, option 55 parameter request list) are strong device identifiers, and the HTTP User-Agent reveals operating system and browser. The question is weaker than it looks, though: ISE also ships SNMP Query, SNMP Trap, DNS, NetFlow, RADIUS, NMAP, Active Directory and pxGrid probes, so SNMP and DNS are valid probes too, and the key's pair is simply the two whose collected attributes are described here. Device Sensor is not an ISE probe at all; it is a switch feature that gathers CDP, LLDP and DHCP attributes locally and forwards them in RADIUS accounting, where the ISE RADIUS probe consumes them.

679
MCQ · easy

Which Cisco WSA feature allows administrators to control bandwidth usage per user or group by limiting the amount of bandwidth consumed for specific applications?

A.URL filtering
B.AVC (Application Visibility and Control)
C.Bandwidth controls
D.Decryption policies
Answer: C

Bandwidth controls enforce traffic shaping and limits per policy.

Why this answer

The WSA includes bandwidth controls that can be applied per user/group and per application category, allowing traffic shaping and rate limiting.

680
MCQ · easy

An organization wants to implement zero trust principles for cloud access. Which of the following is a key component of a zero trust architecture in the cloud?

A.Site-to-site VPN to cloud
B.Strong perimeter firewall
C.Multi-factor authentication (MFA) for all access
D.Single sign-on with one password
Answer: C

MFA verifies identity regardless of location, aligning with zero trust.

Why this answer

Zero trust assumes no implicit trust and requires continuous verification. Identity is the new perimeter, and MFA is a core enforcement mechanism. VPNs create a trusted network model, which is contrary to zero trust.

Perimeter firewalls are less relevant. Single password only is inadequate.

681
Multi-Select · medium

A security analyst is investigating a potential insider threat. Which TWO indicators are most commonly associated with malicious insider activity? (Choose two.)

Select 2 answers
A.Frequent password changes as required by policy
B.Receiving a promotion to a higher security clearance
C.Using a company-approved VPN for remote access
D.Accessing files outside normal working hours without justification
E.Attempting to disable security logging on a workstation
Answers: D, E

This is a common indicator of anomalous behavior.

Why this answer

Insider threats often involve unusual access patterns (e.g., accessing sensitive data not needed for the role) and attempts to bypass security controls (e.g., disabling logging).

682
MCQ · hard

A company using Cisco ESA receives an email that appears to be from the CEO requesting an urgent wire transfer. The email fails SPF and DKIM checks but passes DMARC. What is the most likely explanation?

A.The email passed SPF alignment
B.DMARC policy is set to 'p=none'
C.DKIM signature was valid but not aligned
D.The sender IP is in the SPF whitelist
Answer: B

With p=none the domain owner has asked receivers to monitor only: the ESA records the DMARC failure, takes no enforcement action, and delivers the message.

Why this answer

DMARC produces a pass only when SPF or DKIM passes and the passing identifier aligns with the RFC5322.From domain (relaxed alignment: same organizational domain; strict: exact match). A message that fails both SPF and DKIM therefore cannot pass DMARC verification; what reads as 'passing' in this scenario is the disposition, not the verification result. When the CEO's domain publishes p=none, the ESA's DMARC verification profile applies no quarantine or reject action, so the spoofed message is delivered as if it had passed and the failure only surfaces in the aggregate (rua) reports. p=quarantine or p=reject would have quarantined or rejected the same message.

Option A is impossible because SPF failed; option C describes a DKIM pass, which contradicts the scenario; option D would have produced an SPF pass, not a failure.
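The alignment and policy logic described above, as an added example that is not part of the original page and not the ESA's implementation: the function treats the organizational domain as the last two labels (an assumption; real verifiers consult the Public Suffix List) and returns both the DMARC verification result and the action the published policy requests. Running it on the CEO scenario shows that a message failing SPF and DKIM fails DMARC under every policy; p=none only changes the requested action to 'none'. The domains used are constructed.

```python
"""DMARC evaluation (added illustration, not Cisco ESA code)."""
from __future__ import annotations


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption: last two labels; real verifiers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str,
                   spf_result: str, spf_domain: str,      # SPF result and the MAIL FROM domain it was checked against
                   dkim_result: str, dkim_domain: str,    # DKIM result and the d= tag of the validated signature
                   policy: str,                           # p= tag of the From domain: none | quarantine | reject
                   aspf: str = "r", adkim: str = "r") -> tuple[str, str]:
    """Return (dmarc_result, requested_action).

    DMARC passes only if SPF or DKIM passed AND that passing identifier aligns with the From: domain.
    The policy never turns a failure into a pass; it only states what the receiver should do with the failure.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy)


def ceo_scenario(policy: str) -> tuple[str, str]:
    """The question's message: From: ceo@example.com (constructed), SPF fail, DKIM fail."""
    return evaluate_dmarc("example.com",
                          "fail", "attacker.invalid",
                          "fail", "attacker.invalid",
                          policy)


if __name__ == "__main__":
    for p in ("none", "quarantine", "reject"):
        print(p, ceo_scenario(p))
```

The strict-alignment cases in the test show why a bounce subdomain in MAIL FROM passes relaxed SPF alignment but not strict alignment, which is a common reason legitimate mail fails DMARC after a domain owner tightens aspf.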

683
Multi-Select · hard

Which THREE symptoms indicate that a Cisco ESA is experiencing a mail loop?

Select 3 answers
A.A high number of messages in the 'Bounced' queue.
B.Messages fail DKIM signature verification.
C.Multiple 'Received:' headers from the same ESA in the same message.
D.A rapid increase in the 'Spam Quarantine' count.
E.The same Message-ID appears multiple times in the mail logs with different mid values.
Answers: A, C, E

A mail loop fills the Bounced queue, stacks duplicate 'Received:' headers from the same ESA, and re-injects the same Message-ID under new MIDs.

Why this answer

When two mail hosts keep handing a message back to each other, every pass adds another 'Received:' header, so the same ESA hostname appears repeatedly in one message (C). The ESA assigns a new MID each time the message is injected, so the mail logs show one Message-ID attached to many MIDs (E). Each pass eventually exceeds the hop count or the delivery retries, and the resulting permanent failures accumulate in the Bounced queue (A). DKIM failures (B) are an authentication problem and a rising spam quarantine count (D) reflects content verdicts; neither is caused by looping.

Exam trap

Cisco often tests the distinction between symptoms of a mail loop (bounced queue, duplicate Received headers, repeated Message-IDs) and symptoms of other issues such as spam or authentication failures, because candidates mistakenly associate DKIM failures or quarantine increases with loops.
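A way to check symptom C from a message's own headers, as an added example that is not ESA code: count how many 'Received:' headers name the same relaying host in their 'by' clause. A host that appears three or more times in a single trace is the signature of a loop, and this is the same hop-counting idea MTAs use to break one. Both sample messages below are constructed.

```python
"""Mail-loop symptom check from Received: headers (added illustration, not Cisco ESA code)."""
from __future__ import annotations

import email
import re
from collections import Counter

# RFC 5322 trace headers read "from <sender> by <this relay> ..."; the 'by' clause names the host that added the line.
BY_CLAUSE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample: an ESA and an internal mail server bouncing one message between each other.
LOOPED_MESSAGE = """\
Received: from exch.example.com ([10.0.0.9]) by esa1.example.com with ESMTP id 1006
Received: from esa1.example.com ([10.0.0.5]) by exch.example.com with ESMTP id 1005
Received: from exch.example.com ([10.0.0.9]) by esa1.example.com with ESMTP id 1004
Received: from esa1.example.com ([10.0.0.5]) by exch.example.com with ESMTP id 1003
Received: from exch.example.com ([10.0.0.9]) by esa1.example.com with ESMTP id 1002
Received: from mail.partner.invalid ([203.0.113.8]) by esa1.example.com with ESMTP id 1001
Message-ID: <loop-test-1@example.com>
From: user@example.com
To: user@example.com
Subject: loop test

body
"""

# Constructed sample: a normal two-hop delivery.
NORMAL_MESSAGE = """\
Received: from mail.partner.invalid ([203.0.113.8]) by esa1.example.com with ESMTP id 2001
Received: from workstation.partner.invalid ([192.0.2.10]) by mail.partner.invalid with ESMTP id 2000
Message-ID: <normal-1@partner.invalid>
From: someone@partner.invalid
To: user@example.com
Subject: hello

body
"""


def received_hops(raw_message: str) -> list[str]:
    """Return the relaying hosts named in the 'by' clause of each Received: header, newest first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        match = BY_CLAUSE.search(header)
        if match:
            hops.append(match.group(1).lower())
    return hops


def loop_suspects(raw_message: str, threshold: int = 3) -> dict[str, int]:
    """Hosts that appear in the trace at least `threshold` times; a healthy path names each relay once."""
    counts = Counter(received_hops(raw_message))
    return {host: n for host, n in counts.items() if n >= threshold}


def is_mail_loop(raw_message: str, threshold: int = 3) -> bool:
    return bool(loop_suspects(raw_message, threshold))


if __name__ == "__main__":
    print("looped:", loop_suspects(LOOPED_MESSAGE))
    print("normal:", loop_suspects(NORMAL_MESSAGE))
```

The threshold is deliberately above two, because a legitimate path through a listener and then a second interface of the same appliance can name one host twice; a loop keeps climbing.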

684
MCQ · medium

A security team is implementing AWS WAF to protect a web application. They want to block requests that contain SQL injection patterns in the query string. Which AWS WAF component should be used?

A.Security group allowing only HTTPS
B.Network ACL with deny rule for port 80
C.Managed rule group for SQL injection
D.Custom rule matching on source IP
Answer: C

AWS WAF managed rules detect SQL injection in requests.

Why this answer

AWS WAF managed rule groups, such as the AWS-managed SQL database rule group (AWSManagedRulesSQLiRuleSet), match common injection patterns in the query string, body and headers; a custom rule with an SQL injection match statement can do the same for a narrower scope, but the managed group is the quickest correct answer. Network ACLs and security groups filter at layers 3 and 4 and never see request content, so allowing only HTTPS or denying port 80 does nothing against injection carried inside a legitimate request.

685
MCQ · easy

In a DevSecOps pipeline, which tool would be used to scan Infrastructure as Code (IaC) templates for security misconfigurations?

A.SAST tool
B.Container image scanner
C.DAST tool
D.Checkov
Answer: D

Checkov scans IaC for misconfigurations.

Why this answer

Checkov is an open-source tool that scans Terraform, CloudFormation, and other IaC templates for security issues.

686
MCQ · easy

A company wants to use Cisco DUO for MFA to protect access to its Azure AD applications. Which authentication method should be configured for cloud applications?

A.Secondary authentication via DUO after Azure AD
B.DUO for RADIUS authentication
C.DUO as a SAML identity provider
D.Primary authentication via DUO
Answer: A

DUO provides MFA as a second factor after Azure AD validates the user identity.

Why this answer

When integrating Cisco DUO with Azure AD for MFA, the recommended approach is to configure DUO as a secondary authentication provider after Azure AD handles primary authentication. This is achieved by using DUO's Azure AD integration, which acts as a custom control or a conditional access policy that triggers DUO MFA after the user has already authenticated against Azure AD. This ensures that Azure AD remains the identity provider (IdP) for primary authentication, while DUO provides an additional layer of security via a secondary push, phone call, or passcode.

Exam trap

Cisco often tests the misconception that DUO must replace the identity provider to protect cloud applications. DUO does offer a SAML IdP (Duo Single Sign-On), but this scenario requires Azure AD to remain the IdP for its own applications, so DUO is layered after primary authentication as the second factor rather than placed in front of it.

How to eliminate wrong answers

Option B is wrong because DUO for RADIUS authentication is used for on-premises VPNs, network devices, or legacy applications that support RADIUS, not for cloud-native Azure AD applications that use modern authentication protocols like SAML or OpenID Connect. Option C is wrong because configuring DUO as a SAML identity provider would replace Azure AD as the primary IdP, which is not the goal; the requirement is to protect access to Azure AD applications, meaning Azure AD must remain the IdP. Option D is wrong because primary authentication via DUO would bypass Azure AD entirely, which contradicts the requirement to protect access to Azure AD applications; DUO is designed for secondary MFA, not as a primary authentication source.

687
MCQ · easy

Which EAP method used with 802.1X requires a client-side certificate for authentication?

A.LEAP
B.PEAP-MSCHAPv2
C.EAP-TLS
D.EAP-MD5
Answer: C

EAP-TLS requires certificates on both client and server.

Why this answer

EAP-TLS uses certificates on both the client and server sides for mutual authentication. PEAP-MSCHAPv2 uses server certificate and client credentials (password).

688
MCQ · medium

Which security model mandates that access decisions should be based on context, device posture, and user identity, and never trust any entity by default?

A.Defense in depth
B.CIA triad
C.Least privilege
D.Zero Trust
Answer: D

Zero Trust is based on 'never trust, always verify' and least privilege.

Why this answer

Zero Trust architecture requires continuous verification and least privilege access, never trusting any user or device automatically.

689
MCQ · medium

A company uses Azure NSGs to filter network traffic to VMs. They want to allow RDP access (port 3389) only from the company's public IP range. Which type of NSG rule should be created?

A.Outbound security rule allowing traffic from any source to port 3389
B.Azure Load Balancer rule
C.Inbound security rule with source set to the company's IP range and destination port 3389
D.Inbound security rule with destination set to the company's IP range and source port 3389
Answer: C

This allows inbound RDP only from the specified IP range.

Why this answer

An inbound rule on the NSG applied to the subnet or VM NIC can allow traffic from the company's IP range to port 3389. Outbound rules control traffic leaving the resource. Load balancer rules are different.
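A simulation of the NSG decision for options C and D, as an added example that is not Azure's code: rules are walked in priority order and the first match decides, which is how the platform evaluates them, with the built-in DenyAllInBound rule at priority 65500 closing the list (the default AllowVnetInBound and AllowAzureLoadBalancerInBound rules are left out for brevity). The company range, VM address and rule names are constructed. Option D never matches a real client because RDP clients connect from an ephemeral source port, not from 3389.

```python
"""Azure NSG rule evaluation (added illustration, not Azure's code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int            # 100-4096 for custom rules; the lowest number is evaluated first
    direction: str           # "Inbound" or "Outbound"
    access: str              # "Allow" or "Deny"
    protocol: str            # "Tcp", "Udp" or "*"
    source: str              # CIDR prefix or "*"
    source_port: str         # single port, "lo-hi" range, or "*"
    destination: str
    destination_port: str


def _prefix_match(spec: str, ip: str) -> bool:
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, direction, protocol, src_ip, src_port, dst_ip, dst_port) -> str:
    """First match in priority order decides; rules after the match are not consulted."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if (_prefix_match(rule.source, src_ip) and _port_match(rule.source_port, src_port)
                and _prefix_match(rule.destination, dst_ip) and _port_match(rule.destination_port, dst_port)):
            return f"{rule.access}:{rule.name}"
    return "Deny:implicit"


COMPANY_RANGE = "198.51.100.0/24"   # constructed stand-in for the company's public range
VM_IP = "10.0.1.4"                  # constructed private address of the target VM

# Azure's built-in DenyAllInBound (priority 65500); the other default inbound rules are omitted here.
DENY_ALL = NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*")

# Option C: inbound, source = company range, destination port 3389.
RULES_OPTION_C = [
    NsgRule("Allow-RDP-Corp", 300, "Inbound", "Allow", "Tcp", COMPANY_RANGE, "*", "*", "3389"),
    DENY_ALL,
]

# Option D: source PORT 3389 and destination = company range; no RDP client looks like this.
RULES_OPTION_D = [
    NsgRule("Allow-RDP-Wrong", 300, "Inbound", "Allow", "Tcp", "*", "3389", COMPANY_RANGE, "*"),
    DENY_ALL,
]


def rdp_from(rules, client_ip: str, client_port: int = 51234) -> str:
    """Decision for an RDP attempt from client_ip (ephemeral source port) to the VM on 3389."""
    return evaluate(rules, "Inbound", "Tcp", client_ip, client_port, VM_IP, 3389)


if __name__ == "__main__":
    print("C, corporate client:", rdp_from(RULES_OPTION_C, "198.51.100.25"))
    print("C, internet client: ", rdp_from(RULES_OPTION_C, "203.0.113.9"))
    print("D, corporate client:", rdp_from(RULES_OPTION_D, "198.51.100.25"))
```

The same walk explains a frequent production mistake: a broad allow rule at a lower priority number than a narrower deny wins for every packet it covers, so ordering, not just rule content, has to be reviewed.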

690
Matching · medium

Match each Cisco security command to its function.


Concepts
Matches

Display IKE security associations

Display configured access control lists

Display firewall configuration and statistics

Enable IP packet debugging

Save running configuration to startup

Why these pairings

These are common Cisco IOS security commands.

691
MCQ · easy

A Cisco ASA firewall is configured with multiple contexts. The administrator needs to allow traffic from a context to pass through the management context for management purposes. Which type of interface should be used for this inter-context communication?

A.Use a shared interface that is allowed in multiple contexts.
B.Configure a virtual interface in each context and bridge them.
C.Use a dedicated physical interface for each context and route through the backplane.
D.Configure a subinterface on the management interface for each context.
Answer: A

A shared interface is allocated to more than one context, so those contexts can exchange traffic through it without an external cable.

Why this answer

In multiple-context mode each context has its own configuration, interfaces and forwarding state. When the same physical interface or subinterface is allocated to several contexts (a shared interface), the ASA classifier steers each ingress packet to the right context by destination MAC address, which is why shared interfaces need a unique MAC address per context ('mac-address auto' in the system execution space, or manually assigned addresses). With the management context and a user context sharing an interface, the user context can reach the management context's address on that segment while the two keep separate routing tables and policies.

Exam trap

Cisco often tests the misconception that inter-context communication requires a physical connection or a dedicated management path, when in fact the shared interface feature is the supported method for passing traffic between contexts on the same ASA.

How to eliminate wrong answers

Option B is wrong because contexts do not bridge to one another; each context forwards only on its own allocated interfaces, and there is no supported way to bridge virtual interfaces across contexts. Option C is wrong because the ASA backplane is not an interface that contexts can address; a dedicated physical interface per context would still need an external cable or switch between those interfaces to carry traffic. Option D is wrong because a management-only interface accepts only traffic destined to the ASA itself and cannot pass through-traffic, so per-context subinterfaces on it would give each context its own management path rather than a segment the contexts share.

692
MCQ · medium

A Cisco WSA administrator wants to block access to social media sites for all users during work hours. The proxy is deployed in explicit mode. Which policy type should the administrator use to enforce this restriction?

A.Access policy
B.Identity policy
C.Routing policy
D.Decryption policy
Answer: A

Access policies enforce rules on URL filtering, application control, and time-based restrictions.

Why this answer

In explicit proxy mode, the WSA uses access policies to control web traffic based on URL categories. The administrator should create an access policy that identifies social media traffic and sets the action to 'Block'.

693
MCQ · medium

An organization wants to provide network access to guest users through Cisco ISE. Guests must register themselves and accept an acceptable use policy before gaining internet-only access. Which guest access method should be configured?

A.802.1X with PEAP-MSCHAPv2
B.Self-registration
C.MAB
D.Sponsor portal
Answer: B

Self-registration lets guests create their own accounts and accept the AUP before access is granted.

Why this answer

Self-registration is the correct guest access method because it allows guest users to create their own credentials and accept an acceptable use policy (AUP) before being granted internet-only access. Cisco ISE's self-registration portal handles the entire workflow: user provides details, accepts the AUP, and ISE provisions a temporary account with restricted access, typically via a sponsored or direct access policy.

Exam trap

The trap here is that candidates often confuse the sponsor portal (which requires an internal user to create accounts) with self-registration (where guests create their own accounts), leading them to select sponsor portal when the question explicitly states 'guests must register themselves'.

How to eliminate wrong answers

Option A is wrong because 802.1X with PEAP-MSCHAPv2 is an enterprise authentication method requiring pre-provisioned credentials and certificates, not a guest self-service registration flow. Option C is wrong because MAB (MAC Authentication Bypass) authenticates devices based on their MAC address without any user interaction, so it cannot enforce user registration or AUP acceptance. Option D is wrong because a sponsor portal requires an existing employee or sponsor to create guest accounts, whereas the question specifies that guests must register themselves without sponsor involvement.

694
Multi-Select · medium

A Cisco FTD is deployed in a data center and needs to provide intrusion prevention and application control. Which two actions are available in an access control rule? (Choose two.)

Select 2 answers
A.Monitor
B.Encrypt
C.Redirect
D.Trust
E.Allow
Answers: D, E

Trust passes matching traffic without further inspection; Allow permits it subject to the rule's intrusion and file policies.

Why this answer

Access control rule actions in FTD are Allow, Trust, Monitor, Block, Block with reset, Interactive Block and Interactive Block with reset. Allow is the only action that hands traffic to intrusion and file inspection, which is what the data-center requirement calls for; Trust skips deep inspection entirely and is used for known-good, latency-sensitive flows. Encrypt and Redirect are not rule actions. Be aware that Monitor is also a real action (it logs the match and continues evaluating the remaining rules), so three of the five options exist in the product; the key pairs the two that forward traffic.

695
MCQ · medium

A security team wants to inspect SSL-encrypted traffic from users accessing SaaS applications through Cisco Umbrella. Which feature should they enable?

A.Roaming client
B.DNS-layer blocking
C.Intelligent Proxy
D.SIG cloud firewall
Answer: C

Intelligent Proxy selectively proxies and inspects traffic to risky domains, including HTTPS once SSL decryption is enabled.

Why this answer

Umbrella's DNS layer sees only domain names. Intelligent Proxy redirects requests for domains that are neither known-good nor known-bad to a cloud proxy, where URL and file inspection is applied; enabling the SSL decryption option extends this to HTTPS, which requires the Umbrella root certificate to be trusted on the clients. DNS-layer blocking and the roaming client cannot look inside TLS, and the SIG cloud firewall enforces IP, port and application rules rather than inspecting web content.

696
MCQ · hard

A PKI administrator needs to check the revocation status of a certificate without causing a heavy load on the CA. Which protocol should be used?

A.EST
B.SCEP
C.CRL
D.OCSP
Answer: D

OCSP asks a responder about one certificate's serial number instead of downloading the CA's entire revocation list.

Why this answer

OCSP (Online Certificate Status Protocol) returns a signed good, revoked or unknown answer for a single certificate, so clients do not have to fetch and parse a full CRL that grows with every revocation. The responder is usually a delegated OCSP signer rather than the issuing CA's own signing key, and every client query still costs the responder a lookup, so large deployments pair OCSP with OCSP stapling, where the server fetches the response once and presents it in the TLS handshake. EST and SCEP are certificate enrollment protocols and say nothing about revocation.

697
Multi-Select · hard

An organization wants to deploy endpoint hardening measures. Which three capabilities are provided by Cisco AMP for Endpoints as part of EDR (Endpoint Detection and Response)? (Choose three.)

Select 3 answers
A.TrustSec SGT assignment
B.Device Sensor profiling
C.Remote shell investigation
D.File quarantine
E.Process isolation
Answers: C, D, E

Remote shell allows analysts to run commands on endpoints.

Why this answer

EDR capabilities include file quarantine, process isolation, and remote shell investigation for incident response.

698
Multi-Select · medium

Cisco TrustSec uses Security Group Tags (SGTs) for policy enforcement. Which two components are required for TrustSec to function? (Choose two.)

Select 2 answers
A.SGT assignment via ISE
B.SGT enforcement on switches/firewalls
C.802.1X with EAP-TLS
D.MAC Authentication Bypass
E.Device profiling
Answers: A, B

ISE assigns SGTs to endpoints based on identity.

Why this answer

TrustSec requires SGT assignment and SGT-based policies on network devices. Profiling is used to assign SGTs but is not a core component; MAB and 802.1X are authentication methods.

699
MCQ · medium

An organization wants to grant temporary administrative access to a server for a specific task and automatically revoke the access after the task is completed. Which Cisco solution should be used?

A.Cisco Duo
B.Cisco SecureX with CyberArk
C.Cisco ISE
D.Cisco AMP for Endpoints
Answer: B

SecureX integrates with CyberArk to provide JIT access and session management for privileged accounts.

Why this answer

Cisco SecureX integrates with CyberArk to provide just-in-time (JIT) privileged access management.

700
MCQ · hard

An engineer is deploying a Cisco FTD in inline mode and wants to inspect SSL/TLS traffic using the 'decrypt-resign' action. What must be configured on the client devices to avoid certificate errors?

A.Disable certificate validation on all client browsers.
B.Install the organization's CA certificate in the client's trusted root store.
C.Install the FTD's self-signed certificate on each client.
D.Use 'decrypt-known-key' instead, which does not require client configuration.
Answer: B

This ensures the re-signed certificates are trusted.

Why this answer

When using 'decrypt-resign', the FTD generates a new certificate signed by a CA that the organization controls. Clients must trust the organization's CA certificate (root CA) that is used to sign the re-encrypted certificates. Without that, clients will see certificate errors.

701
MCQ · hard

A Cisco FTD is configured with a file policy to detect malware. The policy includes a rule to block files with a SHA-256 hash that is known to be malicious. Which component provides the SHA-256 disposition?

A.Network discovery database
B.Local malware cache
C.Cisco AMP cloud
D.Snort rules
Answer: C

The AMP cloud returns the SHA-256 disposition for files the FTD looks up.

Why this answer

Cisco AMP (Advanced Malware Protection) cloud provides threat intelligence including SHA-256 dispositions (clean, malicious, unknown). The FTD queries the AMP cloud for file disposition.

702
MCQ · hard

During a cloud migration, an administrator notices that a workload in Azure is generating outbound traffic that is being blocked by the cloud security group. The workload requires connectivity to a specific SaaS application (Office 365) using TLS. The security group denies all outbound traffic except to specific IP ranges. Which action should the administrator take?

A.Implement a proxy server
B.Use Azure Private Link
C.Add the Office 365 IP ranges and FQDNs to the allowed list
D.Disable the security group temporarily
Answer: C

Opens only the required destinations while keeping the default-deny posture.

Why this answer

Option C is correct because the administrator needs to allow outbound TLS (TCP/443) to Office 365, and the least-privilege change is to add Microsoft's published Office 365 endpoints to the existing allow list rather than weaken or bypass the control. One practical caveat: Azure NSG rules match on IP prefixes, service tags and ports, not on FQDNs, so the published IP ranges go into the NSG, and FQDN-based allow rules require Azure Firewall (application rules or its Office 365 FQDN tag) or a proxy in front of the workload.

Exam trap

The trap here is that candidates often confuse Azure Private Link (which is for private connectivity to Azure services) with general SaaS connectivity, or they incorrectly assume a proxy server is always required for outbound traffic control, when in fact the simplest solution is to update the security group rules with the correct IP ranges and FQDNs.

How to eliminate wrong answers

Option A is wrong because implementing a proxy server would add an unnecessary intermediary, increasing complexity and latency, and does not address the root cause of the security group blocking traffic; the proxy itself would still need its outbound traffic allowed. Option B is wrong because Azure Private Link is used to privately connect to Azure PaaS services (e.g., Azure SQL, Storage) over the Microsoft backbone, not to external SaaS applications like Office 365, which are not hosted in Azure and cannot be accessed via Private Link. Option D is wrong because disabling the security group temporarily removes all outbound restrictions, exposing the workload to potential security risks and violating the principle of least privilege; it is a poor operational practice that should never be recommended.

703
MCQ · medium

Cisco ISE posture assessment requires that endpoints meet certain security requirements before being granted network access. Which of the following is a typical posture requirement?

A.SGT assignment
B.Device type identification via profiling
C.Antivirus definition file version
D.MAC address registration
Answer: C

Posture can verify that antivirus definitions are current.

Why this answer

Posture assessment checks for compliance with security policies, such as having antivirus software installed and up-to-date, patch levels, and disk encryption enabled.

704
MCQ · hard

An attacker intercepts traffic between a client and server using ARP spoofing. Which type of attack is this?

A.Session hijacking
B.DNS poisoning
C.Man-in-the-middle
D.Denial of Service
Answer: C

ARP spoofing is a common man-in-the-middle technique.

Why this answer

ARP spoofing allows an attacker to intercept traffic, enabling man-in-the-middle (MITM) attacks.

705
MCQ · medium

A security architect is designing a hybrid cloud with AWS and on-premises data center. They need to enforce consistent security policies across both environments. Which approach is most effective?

A.Deploy separate Cisco Firepower instances in AWS and on-prem, each with independent policies
B.Use Cisco Secure Cloud Analytics (Stealthwatch) with AWS Cloud integration
C.Use AWS CloudTrail and AWS Config for on-premises resources
D.Establish a site-to-site VPN and use AWS Security Groups for both environments
Answer: B

Gives a single analytics view across the on-premises network and the AWS VPCs.

Why this answer

Option B is correct because Cisco Secure Cloud Analytics (Stealthwatch Cloud) ingests AWS VPC Flow Logs and CloudTrail through its AWS integration and NetFlow from on-premises sensors, so both environments are modelled and alerted on with the same detection logic. It is a visibility and detection layer: it does not push firewall rules itself, so 'consistent policy' here means one set of detections and alerts across both environments, with enforcement still carried out by the firewalls or cloud controls it integrates with.

Exam trap

Cisco often tests the misconception that VPN connectivity alone (Option D) or separate firewalls (Option A) give consistent security across a hybrid estate; connectivity is not policy, and independently managed policies drift apart without a centralized view such as Stealthwatch.

How to eliminate wrong answers

Option A is wrong because deploying separate Cisco Firepower instances with independent policies creates policy silos, leading to inconsistent security enforcement and increased administrative overhead, which defeats the goal of consistent policies. Option C is wrong because AWS CloudTrail and AWS Config are designed for auditing and compliance of AWS resources, not for managing or enforcing security policies on on-premises resources; they lack the capability to apply policies to non-AWS environments. Option D is wrong because a site-to-site VPN provides encrypted connectivity but does not enforce security policies; AWS Security Groups are stateful firewalls that only apply to AWS VPC resources and cannot extend to on-premises hosts or networks.

706
MCQ · medium

An incident responder notices that an AMP connector on a critical server has stopped sending 'IP to Application' mapping events after a software update. Which step should be taken to restore this telemetry?

A.Enable the 'Network' component in the AMP connector settings and restart the service.
B.Uninstall and reinstall the AMP connector with default settings.
C.Update the AMP policy on the connector to force a configuration reload.
D.Restart the AMP connector service on the server.
Answer: A

The 'IP to Application' mapping is part of the 'Network' component, which can be disabled during update.

Why this answer

The AMP connector's 'IP to Application' mapping telemetry is provided by the Network component, which is separate from the File and Malware components. After a software update, this component may be disabled by default or reset. Enabling the Network component in the AMP connector settings and restarting the service restores the telemetry stream without requiring a full reinstall or policy reload.

Exam trap

Cisco often tests the misconception that restarting a service or reinstalling the connector will restore all functionality, when in fact specific components like Network must be explicitly re-enabled after an update.

How to eliminate wrong answers

Option B is wrong because uninstalling and reinstalling with default settings would not guarantee the Network component is enabled, and it introduces unnecessary risk and downtime. Option C is wrong because updating the AMP policy on the connector forces a configuration reload but does not specifically enable the Network component; the policy may not control per-component settings at the connector level. Option D is wrong because restarting the AMP connector service alone does not enable the disabled Network component; it only restarts the existing configuration, which still lacks the Network telemetry.

707
MCQ · medium

A security team wants to gain visibility into Shadow IT usage of SaaS applications and enforce data loss prevention policies. Which cloud security solution should they deploy?

A.CSPM
B.CASB
C.Cisco Umbrella
D.CWPP
Answer: B

CASB provides visibility, DLP and threat detection for cloud apps.

Why this answer

CASB provides visibility, DLP, and threat detection for sanctioned and unsanctioned SaaS apps.

708
MCQ · easy

In the shared responsibility model for cloud computing, which responsibility is managed by the customer in all service models (IaaS, PaaS, SaaS)?

A.Data and access management
B.Network infrastructure maintenance
C.Physical security of data centers
D.Hypervisor patching
Answer: A

Data and access management are customer responsibilities across IaaS, PaaS, and SaaS.

Why this answer

In all cloud service models, the customer is always responsible for their own data and access management, including who has access to the data and how it is protected.

709
Multi-Select · hard

Which THREE of the following are capabilities of Cisco Threat Response (CTR) that integrate with endpoint telemetry for accelerated detection and response?

Select 3 answers
A.Real-time blocking of malicious processes at the endpoint
B.Device Trajectory to visualize the timeline of events on an endpoint
C.Centralized search across endpoint, network, and email telemetry
D.Automatic deployment of software patches to endpoints
E.Casebook creation to document investigation steps and share with team
Answers: B, C, E

Device Trajectory is a key feature in AMP/CTR for reconstructing events.

Why this answer

Device Trajectory is a core capability of Cisco Threat Response (CTR) that ingests endpoint telemetry from Cisco Secure Endpoint (formerly AMP for Endpoints). It visualizes a timeline of events—such as process executions, file modifications, and network connections—on a specific endpoint, enabling security analysts to quickly reconstruct the sequence of an attack and accelerate detection and response.

Exam trap

The trap here is that candidates confuse the capabilities of the endpoint protection agent (e.g., real-time blocking or patching) with the investigative and orchestration functions of Cisco Threat Response, which is a separate cloud service that aggregates telemetry but does not perform active prevention or remediation actions.

710
MCQ · hard

A security analyst discovers that a user downloaded a CSV file containing social security numbers from a sanctioned cloud storage app, but no alert was generated. The DLP policy shown in the exhibit was applied. What is the most likely reason the policy failed to trigger?

A.The user bypassed the DLP policy using an API call.
B.The policy was not applied to the cloud storage app used by the user.
C.The policy only notifies the admin and does not block the download.
D.The social security numbers in the file did not contain dashes, so the regex did not match.
Answer: D

The regex specifically requires dashes; numbers without dashes would not match.

Why this answer

The DLP policy uses a regex pattern that expects dashes in the social security numbers (e.g., \d{3}-\d{2}-\d{4}). If the CSV file contained SSNs without dashes (e.g., 123456789), the regex would not match, and no alert would be generated. This is the most likely reason the policy failed to trigger, as the data format did not meet the policy's detection criteria.

Exam trap

Cisco often tests the nuance that DLP regex patterns are literal and do not automatically account for formatting variations (like missing dashes), leading candidates to overlook the mismatch and incorrectly assume a policy misapplication or bypass.

How to eliminate wrong answers

Option A is wrong because bypassing DLP via an API call would require the user to have direct API access and the policy to lack API inspection, but the scenario describes a download from a sanctioned cloud storage app, which typically uses HTTPS and is subject to DLP inspection; there is no evidence of API bypass. Option B is wrong because the policy is explicitly applied to the cloud storage app (as shown in the exhibit), and the app is sanctioned, so the policy should cover it. Option C is wrong because the policy's action (notify admin vs. block) does not affect whether an alert is generated; the policy would still trigger an alert if the content matched, but it failed to match due to the regex issue.
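The regex mismatch described above, shown as an added example (not part of the original question bank): the strict dashed pattern from the explanation is run beside a tolerant pattern that accepts dashed, space-separated, or undelimited SSNs and filters out values that can never be issued. The sample CSV rows and the `find_ssns` helper are constructed for this illustration.

```python
import re

# Pattern as described in the question: dashes are mandatory, so "123456789" is never matched.
STRICT_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Tolerant pattern (assumption for this example): separator may be '-', ' ' or absent,
# but must be the same between both groups; the backreference \2 enforces that.
TOLERANT_SSN = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values that are never issued as SSNs to reduce false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str, strict: bool = False) -> list:
    """Return normalised 9-digit SSN candidates found in text.

    strict=True reproduces the dash-only policy from the question;
    strict=False applies the tolerant pattern plus the plausibility filter.
    """
    if strict:
        return [m.group(0).replace("-", "") for m in STRICT_SSN.finditer(text)]
    hits = []
    for m in TOLERANT_SSN.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(area + group + serial)
    return hits


# Constructed sample rows (not real data): dashed, undelimited, space-separated,
# and an impossible area number 000 that the plausibility filter should drop.
SAMPLE_CSV = """name,ssn,phone
Alice Example,123-45-6789,555-0100
Bob Example,219099999,555-0101
Carol Example,123 45 6789,555-0102
Dan Example,000-12-3456,555-0103
"""

if __name__ == "__main__":
    print("strict  :", find_ssns(SAMPLE_CSV, strict=True))
    print("tolerant:", find_ssns(SAMPLE_CSV))
```

The strict scan misses Bob's and Carol's rows entirely, which is exactly the silent failure the question describes; the tolerant scan catches them while dropping the impossible 000 value.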

711
Multi-Select (medium)

A security engineer is configuring Cisco TrustSec on a network. Which TWO actions are required to enable TrustSec on a Cisco switch?

Select 2 answers
A. Enable MACsec encryption on all trunk links.
B. Define Security Group Tags (SGTs) on the switch using the 'cts role-based sgt' command or via RADIUS.
C. Deploy Cisco ISE as the only policy server.
D. Apply IP access-lists on interfaces to filter traffic based on source IP.
E. Configure 802.1X or MAC Authentication Bypass (MAB) on the switch ports.
Answers: B, E

SGTs must be defined to tag traffic.

Why this answer

B is correct because Security Group Tags (SGTs) are the fundamental building blocks of Cisco TrustSec, used to classify traffic and enforce role-based access control. SGTs can be defined locally on the switch using the 'cts role-based sgt' command or dynamically assigned via a RADIUS server (such as Cisco ISE) during authentication. Without SGTs, the switch cannot perform the source-based or destination-based policy enforcement that TrustSec relies on.

Exam trap

Cisco often tests the misconception that MACsec encryption is a prerequisite for TrustSec, when in fact it is an optional enhancement; the real requirement is the definition and assignment of SGTs, along with port-based authentication (802.1X or MAB) to dynamically bind SGTs to endpoints.

712
MCQ (medium)

An engineer is configuring Cisco ISE for 802.1X authentication. The organization has a mix of devices, including some that do not support 802.1X supplicants. Which method should the engineer use to allow these non-supplicant devices to authenticate?

A. Enable MAC Authentication Bypass on the authenticator
B. Deploy Cisco AMP connectors on all endpoints
C. Configure a guest portal for self-registration
D. Use EAP-TLS with device certificates
Answer: A

Correct. MAB allows devices to authenticate using their MAC address when they cannot run an 802.1X supplicant.

Why this answer

MAC Authentication Bypass (MAB) allows devices that cannot run an 802.1X supplicant to authenticate based on their MAC address, which is sent as the username and password.

713
Multi-Select (hard)

A Cisco FTD is configured with an access control policy that includes an intrusion policy. Which three actions can be set in an access control rule regarding intrusion inspection? (Choose three.)

Select 3 answers
A. Block with intrusion inspection
B. Interactive Block with intrusion inspection
C. Allow with intrusion inspection
D. Trust
E. Allow without intrusion inspection
Answers: C, D, E

Correct; traffic allowed and inspected.

Why this answer

Access control rules can be set to 'Allow' with intrusion inspection, 'Allow' without inspection, 'Trust' (bypass inspection), 'Block', or 'Interactive Block'. The question asks for actions regarding intrusion inspection; 'Allow' with inspection, 'Allow' without, and 'Trust' are three possible actions.

714
MCQ (easy)

A company's Cisco WSA is configured with explicit proxy mode. Users report that they can browse the internet but cannot access internal websites hosted on the company's intranet. What is the most likely cause?

A. The WSA is in transparent proxy mode.
B. Users are not authenticated to the WSA.
C. The internal websites are not in the proxy bypass list.
D. SSL decryption is blocking the internal sites.
Answer: C

Proxy bypass list needed for internal traffic.

Why this answer

In explicit proxy mode, the WSA requires clients to be configured to send traffic to it. If internal websites are not added to the proxy bypass list (or the WSA's PAC file does not direct internal traffic directly), the WSA will attempt to proxy requests for internal sites, which may fail because the WSA cannot route to internal IPs or the internal DNS resolution fails. This is the most likely cause because users can browse the internet (proxied traffic works) but cannot reach internal sites (which should bypass the proxy).

Exam trap

Cisco often tests the distinction between explicit and transparent proxy modes, and the trap here is that candidates assume authentication or SSL decryption is the cause, when the real issue is the proxy bypass list not covering internal destinations.

How to eliminate wrong answers

Option A is wrong because the scenario explicitly states the WSA is configured with explicit proxy mode, so transparent mode is not in use. Option B is wrong because authentication is not required for basic HTTP/HTTPS access in explicit proxy mode; unauthenticated users can still browse the internet and internal sites if the proxy bypass list is correct. Option D is wrong because SSL decryption, if enabled, would affect both internal and external HTTPS sites equally, not selectively block only internal sites; moreover, internal sites often use self-signed certificates that would cause decryption failures, but the question states users can browse the internet (which includes HTTPS sites), so SSL decryption is not the issue.

715
Multi-Select (medium)

A company is adopting a zero-trust security model for its cloud environment. Which THREE practices align with zero-trust principles? (Choose three.)

Select 3 answers
A. Use privileged identity management (PIM) for just-in-time access
B. Trust all traffic from within the corporate network
C. Grant permanent administrative privileges for convenience
D. Require multi-factor authentication (MFA) for all cloud access
E. Implement conditional access policies based on user and device posture
Answers: A, D, E

PIM provides time-bound access to privileged roles.

Why this answer

Zero trust assumes no implicit trust; verify every request. MFA, conditional access, and privileged identity management are key components.

716
MCQ (medium)

An organization using Cisco Firepower NGFW wants to block all social media traffic while allowing other web traffic. Which feature should be configured?

A. Intrusion prevention
B. URL filtering
C. TLS server identity discovery
D. Application control
Answer: B

URL filtering blocks entire categories of websites.

Why this answer

Firepower URL filtering can block categories such as 'Social Networking' to prevent access to social media sites.

717
MCQ (medium)

In Cisco ISE, profiling is used to identify device types. Which probe must be enabled for ISE to determine the operating system of a device by analyzing DHCP options?

A. Device Sensor
B. DHCP Probe
C. HTTP Probe
D. SNMP Probe
Answer: B

Correct. DHCP Probe extracts device information from DHCP packets for profiling.

Why this answer

DHCP Probe analyzes DHCP packet options (e.g., option 55) to identify the device's OS or vendor class, enabling ISE to profile the device type.

718
MCQ (easy)

Which statement accurately describes the difference between signature-based and anomaly-based intrusion detection?

A. Signature-based detection generates fewer false positives than anomaly-based detection.
B. Anomaly-based detection compares traffic against a baseline of normal behavior.
C. Anomaly-based detection is more effective against known attacks than signature-based.
D. Signature-based detection uses machine learning to identify unknown attacks.
Answer: B

Correct. Anomaly-based detection establishes a baseline and flags deviations.

Why this answer

Signature-based detection matches known attack patterns; anomaly-based detects deviations from a baseline of normal traffic.

719
MCQ (hard)

In a PKI hierarchy, which component is responsible for issuing and revoking certificates for end entities, and is directly subordinate to the root CA?

A. Intermediate CA
B. Registration Authority (RA)
C. Root CA
D. Certificate Revocation List (CRL)
Answer: A

Intermediate CAs are subordinate to the root and issue certificates to end entities or other CAs.

Why this answer

An intermediate CA (subordinate CA) is a CA that is signed by the root CA and issues certificates to end entities, forming a chain of trust.

720
MCQ (easy)

A company is planning to use Cisco Umbrella to secure internet access for branch offices. They already have Cisco Meraki MX appliances at each branch. What is the best way to send DNS traffic from the branches to Umbrella?

A. Enable the Umbrella integration in Meraki dashboard
B. Deploy the Umbrella virtual appliance at each branch
C. Install the Umbrella Roaming Client on each user device
D. Configure IPSec tunnels between branches and Umbrella data centers
Answer: A

Meraki MX has built-in connector to Umbrella for DNS forwarding.

Why this answer

Option A is correct because Cisco Meraki MX appliances have a native, built-in integration with Cisco Umbrella that can be enabled directly from the Meraki dashboard. This integration automatically redirects all DNS traffic from the branch to Umbrella's DNS resolvers (208.67.222.222 and 208.67.220.220) without requiring additional hardware, software, or complex tunnel configurations. It is the simplest and most efficient method for securing DNS traffic when Meraki MX devices are already deployed.

Exam trap

The trap here is that candidates often assume a separate security appliance or client software is required for cloud-based DNS security, but Cisco tests the understanding that Meraki MX devices have a direct, dashboard-enabled integration with Umbrella that eliminates the need for additional components.

How to eliminate wrong answers

Option B is wrong because deploying the Umbrella virtual appliance at each branch is unnecessary and adds complexity; the Meraki MX already has native Umbrella integration, making a separate virtual appliance redundant. Option C is wrong because the Umbrella Roaming Client is designed for endpoint devices (laptops, smartphones) to enforce security when users are off-network, not for branch-level DNS redirection where the MX appliance can handle all traffic centrally. Option D is wrong because IPSec tunnels between branches and Umbrella data centers are not required for DNS forwarding; Umbrella operates as a cloud-based DNS security service that works over standard DNS (port 53) or DNS-over-TLS (port 853), and the Meraki MX integration handles this without tunnels.

721
MCQ (hard)

In Cisco ESA, which feature uses TALOS intelligence to provide real-time protection against newly identified email threats before signature updates are available?

A. Outbreak Filters
B. DLP Policies
C. Anti-Spam
D. AMP for Email
Answer: A

Outbreak Filters use TALOS to catch zero-hour threats.

Why this answer

Outbreak Filters leverage TALOS to detect emerging threats in near real-time.

722
MCQ (hard)

A large enterprise uses Cisco WSA with integrated Cisco Advanced Malware Protection (AMP) to inspect web traffic. The security policy dictates that all downloaded files should be scanned by AMP. Recently, a user downloaded a PDF file from a trusted vendor site, but the download was blocked by the WSA. The administrator checks the WSA logs and sees that the file was blocked due to AMP's 'File Reputation' score of 10 (high risk). However, the vendor confirms the file is legitimate. The administrator notes that the file is digitally signed by the vendor. What is the most appropriate next step to allow the file while maintaining security?

A. Add the vendor's domain to the WSA's global URL whitelist.
B. Lower the AMP file reputation threshold from 10 to 7 to allow files with lower risk scores.
C. Add the file's SHA-256 hash to the AMP custom allow list to override the reputation.
D. Disable AMP scanning for the vendor's domain in the WSA policy.
Answer: C

Permits only this specific file.

Why this answer

Option C is correct because Cisco AMP allows administrators to create custom allow lists using file hashes (SHA-256) to override the file reputation score. Since the file is digitally signed and confirmed legitimate, adding its SHA-256 hash to the AMP custom allow list will permit the download while still scanning other files from that domain, preserving security. This approach directly addresses the false positive without broadly reducing security controls.

Exam trap

The trap here is that candidates may think whitelisting the domain or disabling AMP for that domain is sufficient, but Cisco tests the understanding that AMP's custom allow list is the precise mechanism to handle false positives without compromising security for other files from the same source.

How to eliminate wrong answers

Option A is wrong because adding the vendor's domain to the WSA's global URL whitelist would bypass all security scanning for that domain, including URL filtering, DLP, and AMP, which is overly permissive and violates the policy that all downloaded files should be scanned. Option B is wrong because lowering the AMP file reputation threshold from 10 to 7 would allow all files with a score of 7 or higher, potentially permitting malicious files that have not yet been analyzed, weakening overall security posture. Option D is wrong because disabling AMP scanning for the vendor's domain would completely remove file reputation analysis for all files from that domain, contradicting the security policy that mandates scanning all downloads.

723
MCQ (medium)

A security engineer is deploying Cisco AMP for Endpoints in an organization. To ensure that any malicious file that was initially allowed but later determined to be malicious can be traced, which feature should be used?

A. SHA-256 file disposition
B. Exploit Prevention
C. Device Trajectory
D. Endpoint IOC scanning
Answer: C

Device Trajectory provides a timeline of file activity, enabling retrospective analysis and visibility into file propagation.

Why this answer

Cisco AMP uses retrospective security to continuously analyze file behavior. If a file is later deemed malicious, the Device Trajectory shows its propagation path and actions, allowing for containment and remediation.

724
MCQ (hard)

A large enterprise has deployed Cisco ISE for network access control with 802.1X and MAB across its wired and wireless networks. The network consists of Cisco Catalyst switches, Cisco Wireless LAN Controllers (WLCs), and ISE in a distributed deployment with three Policy Service Nodes (PSNs) and an Admin Node. Recently, the company implemented a new security policy requiring all endpoints to pass posture assessment before gaining full network access. The posture assessment uses AnyConnect ISE Posture Module. Shortly after the change, users report that some wired clients are unable to connect to the network. The ISE logs show that the authentication is successful, but the session is terminated immediately with a 'Session-Timeout' attribute set to 0. The network team notices that the affected clients are all connected to switches running older Cisco IOS versions. The ISE administrator confirms that the authorization profiles for the affected clients include a session-timeout of 1 hour. Which course of action should the network engineer take to resolve the issue?

A. Upgrade the switch IOS to a version that supports the new ISE posture attributes.
B. Disable posture assessment for the affected switch ports using a different authorization policy.
C. Configure the switches to ignore the Session-Timeout attribute sent by ISE.
D. Increase the session-timeout value in the ISE authorization profile to a larger value.
Answer: A

Upgrading resolves the incompatibility and allows proper handling of posture attributes.

Why this answer

Option A is correct because older IOS versions may not properly interpret the new RADIUS attributes sent by ISE during posture assessment, causing session termination. Upgrading to a supported IOS version resolves the compatibility issue. Option C is incorrect because ignoring the Session-Timeout attribute is not a recommended practice and may cause security issues.

Option B is incorrect because disabling posture for these ports is a workaround, not a solution. Option D is incorrect because increasing the timeout does not address the root cause, which is the switch's inability to handle the attribute.

725
MCQ (hard)

A network administrator is configuring Cisco ISE for device profiling. The goal is to identify the type of device (e.g., Windows PC, iPhone, printer) connecting to the network. Which probe should be used to gather the DHCP option 60 (vendor class identifier) and option 12 (hostname) information?

A. DHCP probe
B. Cisco Device Sensor
C. SNMP probe
D. HTTP probe
Answer: A

The DHCP probe captures DHCP packets and extracts options like vendor class and hostname.

Why this answer

The DHCP probe in ISE collects information from DHCP packets, including option 60 (vendor class identifier) and option 12 (hostname), which are used for device profiling.

726
MCQ (hard)

A security engineer is configuring Cisco WSA for HTTPS inspection but notices that some encrypted traffic is being bypassed. The WSA is configured with a decryption policy that excludes traffic to financial websites. What is the most likely reason for the bypass?

A. The WSA's certificate is not trusted by clients
B. The WSA is in explicit proxy mode
C. TLS version is incompatible
D. The decryption policy has an exception for financial services
Answer: D

Explicit exceptions in decryption policies prevent inspection.

Why this answer

If the decryption policy excludes certain categories (e.g., Financial), those sites will not be decrypted and will bypass inspection.

727
Matching (medium)

Match each Cisco security product to its category.


Concepts

Next-Generation Firewall

Cloud-Delivered Security

Advanced Malware Protection

Identity Services Engine

Network Visibility and Detection

Why these pairings

These are key Cisco security solutions and their categories.

728
MCQ (medium)

A company with 500 endpoints uses Cisco AMP for Endpoints with a private cloud and a single Threat Grid appliance for file analysis. The security team notices that some endpoints are not receiving updates to the local malware signatures for over 24 hours. The AMP console shows these endpoints as 'Out of Date'. The network team confirms that the endpoints can reach the private cloud server on TCP port 443. The endpoints are running Windows 10 with the latest AMP connector version. The private cloud server has sufficient disk space and is running normally. The AMP console shows that the 'Update Policy' is enabled and set to download signatures every 4 hours. Which action should the administrator take to resolve the issue?

A. Restart the Cisco AMP for Endpoints connector service on the affected endpoints.
B. Clear the update cache on the affected endpoints by running 'c:\Program Files\Cisco\AMP\xxxxx\amp_update.exe --clear-cache' from an elevated command prompt.
C. Change the update policy interval from 4 hours to 1 hour to force more frequent checks.
D. Check if the firewall is blocking the signature update port 443 for those specific endpoints.
Answer: B

Clearing the update cache forces a fresh download of signature updates, resolving stuck updates.

Why this answer

The correct action is to clear the update cache on the affected endpoints. When endpoints show as 'Out of Date' despite being able to reach the private cloud on TCP 443 and having the correct update policy, the local signature cache is often corrupted or stale. Running `amp_update.exe --clear-cache` forces the connector to discard its cached signature data and download a fresh copy from the private cloud, resolving the update failure without requiring a service restart or policy change.

Exam trap

The trap here is that candidates assume connectivity issues (firewall) or service restarts are the fix, but Cisco specifically tests the knowledge that a corrupted local signature cache requires clearing the cache, not restarting the service or changing the update interval.

How to eliminate wrong answers

Option A is wrong because restarting the AMP connector service only restarts the process; it does not address a corrupted or stale local signature cache, which is the root cause of the 'Out of Date' status. Option C is wrong because changing the update interval from 4 hours to 1 hour does not fix the underlying issue—if the cache is corrupted, more frequent checks will still fail to download valid signatures. Option D is wrong because the network team already confirmed that endpoints can reach the private cloud on TCP port 443, so a firewall block is not the problem.

729
MCQ (easy)

An engineer needs to allow inbound HTTP traffic from the internet to a web server in the DMZ on a Cisco ASA. The DMZ interface security level is 50, and the outside interface is 0. Which interface direction should the access control entry be applied?

A. Inbound on the outside interface
B. Outbound on the DMZ interface
C. Outbound on the outside interface
D. Inbound on the DMZ interface
Answer: A

Correct. Traffic from lower to higher security level requires an ACL inbound on the lower security interface.

Why this answer

Traffic from outside (level 0) to DMZ (level 50) enters the ASA on the outside interface and exits on the DMZ interface, so the ACL could be applied inbound on the outside interface or outbound on the DMZ interface; the standard approach is inbound on the lower-security interface.

730
MCQ (easy)

Which interface security level is assigned to the inside interface on a Cisco ASA by default?

A. 100
B. 255
C. 0
D. 50
Answer: A

Default security level for inside is 100.

Why this answer

The Cisco ASA assigns security level 100 to the inside interface, 0 to the outside, and intermediate values for DMZ interfaces.

731
MCQ (hard)

Refer to the exhibit. An engineer has configured the ACL on the GigabitEthernet0/0 interface. Which of the following is true about the effect of this ACL?

A. It blocks all IP traffic from entering G0/0 because of the deny statement.
B. It blocks traffic sourced from 10.0.0.0/8 entering G0/0, but allows other traffic.
C. It permits all traffic because the ACL is misconfigured.
D. It blocks traffic destined to 10.0.0.0/8 entering G0/0, but allows other traffic.
Answer: B

The deny statement blocks source 10.0.0.0/8, and the permit any any allows all else.

Why this answer

The ACL is applied inbound on GigabitEthernet0/0 with a deny statement for source IP 10.0.0.0/8 followed by a permit any any. Traffic from the 10.0.0.0/8 range matches the deny and is blocked, while all other IP traffic falls through to the permit any any and is allowed; without that trailing permit, the implicit deny at the end of the ACL would drop everything. This makes option B correct.

Exam trap

Cisco often tests the misconception that a single deny statement in an ACL blocks all traffic, when in fact the explicit permit any any that follows it allows all other traffic; only if that permit were omitted would the implicit deny at the end of the ACL drop the remaining traffic.

How to eliminate wrong answers

Option A is wrong because the ACL does not block all IP traffic; it only blocks traffic sourced from 10.0.0.0/8, and the permit any any allows other traffic. Option C is wrong because the ACL is not misconfigured; it correctly denies traffic from the specified source network and permits all other traffic through the explicit permit. Option D is wrong because the ACL filters based on source IP address, not destination IP address; the deny statement matches source 10.0.0.0/8, not destination.

732
MCQ (easy)

A network administrator wants to implement 802.1X on a Cisco switch port for a device that does not support 802.1X. Which feature should be configured to allow the device to connect?

A. 802.1X with EAP-MSCHAPv2
B. Downloadable ACL (dACL)
C. Web Authentication (WA)
D. MAC Authentication Bypass (MAB)
Answer: D

MAB allows non-802.1X devices to authenticate using their MAC address.

Why this answer

MAC Authentication Bypass (MAB) is the correct feature because it allows a device that does not support 802.1X supplicant software to authenticate by using its MAC address as the identity. The switch acts as a proxy, sending the MAC address as the username and password to the RADIUS server, which can then grant or deny access based on the MAC address in its database.

Exam trap

The trap here is that candidates confuse MAB with a bypass that skips all security, when in fact MAB still enforces authentication via the RADIUS server using the MAC address as credentials.

How to eliminate wrong answers

Option A is wrong because 802.1X with EAP-MSCHAPv2 requires the endpoint to run an 802.1X supplicant that can respond to EAP challenges, which the non-802.1X device cannot do. Option B is wrong because a downloadable ACL (dACL) is a policy enforcement mechanism applied after authentication, not an authentication method; it does not allow an unsupported device to connect. Option C is wrong because Web Authentication (WA) requires the user to open a web browser to authenticate, which is not suitable for a headless device (e.g., printer, IP phone) that cannot perform interactive web login.

733
Multi-Select (hard)

An organization is adopting zero trust principles for cloud access. Which THREE measures are essential for implementing identity-centric security? (Choose three.)

Select 3 answers
A. Site-to-site VPN for connectivity
B. Conditional access policies based on user, device, and location
C. Network segmentation using VLANs
D. Privileged Identity Management (PIM) with just-in-time access
E. Multi-factor authentication for all users
Answers: B, D, E

Conditional access enforces policies dynamically based on identity context.

Why this answer

Zero trust relies on strong identity verification: MFA, privileged identity management (PIM) for just-in-time access, and conditional access policies that enforce context-based controls. VPN and network segmentation are network-centric, not identity-centric.

734
MCQ (medium)

A network engineer is troubleshooting an issue where a user's device is successfully authenticated via 802.1X, but the user cannot access the corporate network. ISE logs show that the user was granted access with a downloadable ACL (dACL). What could be the cause of no network access?

A. The switch does not support downloadable ACLs.
B. The user's device is in a different subnet.
C. The RADIUS server is not reachable after authentication.
D. The switch port is configured with 'access-session port-control auto'.
Answer: A

Switches that do not support dACLs will ignore the attribute, resulting in no access.

Why this answer

Option A is correct because if the switch does not support downloadable ACLs, it ignores the dACL attribute, so the intended authorization is never applied and the user ends up without network access. Option B is incorrect because subnet placement does not affect dACL application. Option C is incorrect because the RADIUS server is not involved after authentication.

Option D is incorrect because 'access-session port-control auto' is the correct configuration.

735
MCQ (medium)

A company is deploying Cisco Cloud Web Security (CWS) using an on-premises connector. They want to authenticate users via Active Directory and apply granular policies based on user identity. Which authentication method should be configured on the connector?

A. Local user database on the connector
B. Transparent proxy with explicit authentication via PAC file
C. LDAP authentication with transparent user identification
D. SAML-based authentication
Answer: C

LDAP allows AD integration, and transparent identification via protocols like NTLM is seamless.

Why this answer

Option C is correct because Cisco Cloud Web Security (CWS) with an on-premises connector can integrate with Active Directory via LDAP to perform transparent user identification. This allows the connector to map IP addresses to authenticated user identities without requiring explicit proxy authentication, enabling granular policy enforcement based on AD user or group membership.

Exam trap

The trap here is that candidates often confuse 'transparent proxy' with 'transparent user identification' and assume explicit authentication (Option B) is required, when in fact LDAP-based transparent identification (Option C) is the correct method for integrating with AD without user intervention.

How to eliminate wrong answers

Option A is wrong because a local user database on the connector would require manual user creation and maintenance, which does not scale for enterprise AD integration and cannot provide transparent user identification. Option B is wrong because transparent proxy with explicit authentication via PAC file still requires users to manually authenticate (e.g., via browser pop-up), which defeats the goal of transparent user identification and adds user friction. Option D is wrong because SAML-based authentication is typically used for cloud-based identity federation (e.g., with Cisco Umbrella or web portal access), not for on-premises connector-to-AD integration where LDAP is the standard protocol for transparent user identification.

736
Multi-Select (hard)

An organization is adopting Cisco's security portfolio. Which THREE products are correctly paired with their primary function? (Choose three.)

Select 3 answers
A. Cisco Stealthwatch - Endpoint detection and response
B. Cisco Umbrella - Cloud-delivered DNS security and secure web gateway
C. Cisco Firepower - Next-generation firewall and intrusion prevention
D. Cisco ASA - Next-generation firewall with advanced malware protection
E. Cisco ISE - Identity services engine for network access control
Answers: B, C, E

Umbrella provides DNS-layer security and cloud-based protection.

Why this answer

Cisco Firepower is an NGFW/IPS, ISE provides identity and access control, and Umbrella is a DNS/cloud security solution. ASA is a stateful firewall, not NGFW; Stealthwatch is for network detection, not endpoint protection.

737
MCQ (medium)

A company's server is infected with malware that encrypts files and demands payment for decryption. Which type of malware is this?

A. Remote Access Trojan (RAT)
B. Botnet C2
C. Ransomware
D. Keylogger
Answer: C

Ransomware specifically encrypts files and demands payment.

Why this answer

Ransomware encrypts files and demands a ransom for the decryption key.

738
MCQ (medium)

Refer to the exhibit. A network analyst reviews a Stealthwatch flow analysis output. What is the most likely interpretation?

A. This is likely a data exfiltration attempt using a non-standard port.
B. This is a typical video streaming session.
C. This is normal database replication traffic.
D. This is a misconfigured backup job.
Answer: A

Large data transfer on an unusual port with high score suggests malicious activity.

Why this answer

Option A is correct. The high volume of data (1.2GB) over a short period (5 minutes) on a non-standard TCP port (4444) with a high threat score (85) is indicative of data exfiltration. Option C is incorrect because database replication typically uses standard ports like 1433 or 1521.

Option B is incorrect because video streaming uses different ports and patterns. Option D is incorrect because backup jobs often use standard ports and have regular patterns.

739
MCQ (medium)

A company wants to establish private connectivity between its on-premises data center and a VPC in AWS, avoiding the public internet. Which AWS service should be used?

A.AWS VPN
B.AWS Transit Gateway
C.AWS Direct Connect
D.AWS PrivateLink
Answer: D

PrivateLink enables private connectivity to services across VPCs and on-premises.

Why this answer

AWS PrivateLink allows private connectivity between VPCs and on-premises via interface endpoints, without traversing the internet.

740
MCQ (medium)

Refer to the exhibit. A network administrator applies the ACL to the interface. What is the effect on traffic inbound to the interface?

A.All TCP traffic is permitted; other IP traffic is denied
B.Only TCP traffic destined to 192.168.1.100 on port 80 is permitted; all other IP traffic is denied
C.All IP traffic is permitted
D.The ACL is applied outbound, so it has no effect on inbound traffic
Answer: B

The ACL permits only HTTP to that host and denies the rest.

Why this answer

The ACL is applied inbound on the interface and contains a single entry that permits TCP traffic from any source to destination 192.168.1.100 on port 80. Because there is an implicit deny all at the end of every standard and extended ACL, only traffic matching this specific permit statement is allowed; all other IP traffic is denied.

Exam trap

Cisco often tests the implicit deny all at the end of ACLs. The trap here is that candidates may assume a single permit statement leaves all other traffic permitted, overlooking that only the explicitly permitted traffic is allowed.

How to eliminate wrong answers

Option A is wrong because the ACL does not permit all TCP traffic; it only permits TCP traffic destined to 192.168.1.100 on port 80, and other TCP traffic is denied by the implicit deny. Option C is wrong because the ACL explicitly restricts traffic, so not all IP traffic is permitted; only the specified TCP traffic is allowed. Option D is wrong because the ACL is applied inbound (ip access-group ACL_NAME in), not outbound, so it does affect inbound traffic.

741
MCQ (easy)

Which authentication factor does a fingerprint scanner represent?

A.Knowledge factor (something you know)
B.Possession factor (something you have)
C.Location factor (somewhere you are)
D.Inherence factor (something you are)
Answer: D

Biometrics are inherence factors.

Why this answer

Inherence factors are based on biological traits like fingerprints.

742
MCQ (easy)

An organization wants to prevent malware from executing on endpoints by using a file reputation service. Which Cisco technology provides cloud-based file reputation and analysis for endpoint protection?

A.Cisco Stealthwatch
B.Cisco Identity Services Engine (ISE)
C.Cisco Firepower NGFW
D.Cisco Secure Endpoint (AMP for Endpoints)
Answer: D

Cisco Secure Endpoint provides cloud-based file reputation and analysis.

Why this answer

Cisco Secure Endpoint (formerly AMP for Endpoints) is the correct answer because it provides cloud-based file reputation and analysis through its Advanced Malware Protection (AMP) cloud. This service uses global threat intelligence and machine learning to analyze file behavior, assign reputation scores, and block or quarantine malicious files on endpoints in real time.

Exam trap

Cisco often tests the distinction between network-based file inspection (Firepower NGFW with AMP for Networks) and endpoint-based file reputation (Secure Endpoint). Candidates may mistakenly choose Firepower NGFW because they associate 'file reputation' with the firewall's AMP feature, overlooking that the question specifies 'endpoints' and 'cloud-based file reputation and analysis' for endpoint protection.

How to eliminate wrong answers

Option A is wrong because Cisco Stealthwatch is a network visibility and security analytics tool that uses NetFlow/IPFIX data for behavioral analysis and threat detection, not a cloud-based file reputation service for endpoints. Option B is wrong because Cisco Identity Services Engine (ISE) is a policy-based network access control (NAC) and identity management platform that enforces access policies via 802.1X, MAC Authentication Bypass (MAB), and posture assessment, but it does not perform file reputation analysis. Option C is wrong because Cisco Firepower NGFW is a next-generation firewall that provides network-based intrusion prevention (IPS), URL filtering, and AMP for Networks (file reputation on the network perimeter), not endpoint-level file reputation and analysis.

743
MCQ (hard)

During a network audit, an engineer finds that a switch configured for 802.1X is allowing a device to access the network without authentication. The switch logs show 'MAB failed' and 'dot1x failed', but the port is in the forwarding state. The port configuration includes 'authentication fallback final mab' and 'dot1x timeout server-timeout 10'. What is the most likely explanation?

A.The device is using a MAC address that matches a static CAM entry
B.The 'authentication fallback final mab' command allows the port to become authorized even if MAB fails
C.The switch has 'aaa authentication dot1x default local' which allows local fallback
D.The 'dot1x timeout server-timeout' is too short, causing the switch to skip authentication
E.The switch is running an IOS version that treats 'authentication fallback final mab' as a no-op
Answer: B

This command treats 'mab' as the final method; if it fails, the port is still authorized.

Why this answer

The 'authentication fallback final mab' command configures the switch to treat MAB as the final fallback method. When both 802.1X and MAB fail, the 'final' keyword causes the port to be placed in an authorized state (forwarding) regardless of the MAB result. This is why the port is forwarding despite both authentication methods failing.

Exam trap

Cisco often tests the 'final' keyword in 'authentication fallback final mab' as a trap where candidates assume that 'fallback' means only trying MAB after 802.1X fails, but they miss that 'final' forces authorization even if MAB fails.

How to eliminate wrong answers

Option A is wrong because a static CAM entry does not override 802.1X authentication; the port state is controlled by the authentication manager, not by CAM entries. Option C is wrong because 'aaa authentication dot1x default local' would cause fallback to local authentication (e.g., local user database), not bypass authentication entirely; the logs show MAB and dot1x failed, not that local authentication was attempted. Option D is wrong because the 'dot1x timeout server-timeout 10' sets a 10-second timeout for the RADIUS server response; if the server times out, the switch would typically fail authentication, not skip it, and the 'fallback final mab' command is the reason for forwarding, not the timeout.

Option E is wrong because 'authentication fallback final mab' is a valid command in IOS; it is not treated as a no-op, and the observed behavior matches its documented function.

744
MCQ (medium)

A network administrator is configuring a site-to-site VPN between two Cisco ASA firewalls using IKEv2. Which component defines the encryption and authentication algorithms for the IPsec SA?

A.Crypto map
B.Group policy
C.ISAKMP policy
D.Transform set
Answer: D

Correct. Transform set specifies encryption and authentication for IPsec.

Why this answer

In IKEv2, IPsec SA parameters like encryption and authentication are defined in a transform set, which is then associated with a crypto map or VTI.

745
MCQ (medium)

A security engineer is configuring a Cisco FTD high availability pair in active/standby mode. Which statement is true about the failover configuration?

A.Failover is triggered only by manual intervention
B.Configuration changes are made independently on each unit
C.Both units process traffic simultaneously
D.The standby unit must have the same hardware and software version
Answer: D

Correct. For failover to work, both units must be identical in hardware and software.

Why this answer

In active/standby failover for FTD, the standby unit monitors the active unit's health via failover link and takes over if the active fails. Configuration synchronization is automatic from active to standby.

746
MCQ (hard)

A cloud architect is designing a hybrid network between on-premises and AWS. They need to ensure traffic to the internet from the VPC uses the on-premises security stack for inspection. The VPC has an Internet Gateway (IGW). What must be configured to force outbound traffic to the on-premises firewall?

A.Use VPC Endpoints for all services
B.Deploy a NAT Gateway and assign it to the route table
C.Update the VPC route table to point 0.0.0.0/0 to the virtual private gateway or transit gateway attachment
D.Configure security groups to block direct internet access
Answer: C

This routes internet traffic through the VPN to on-premises.

Why this answer

Option C is correct because to force all outbound internet traffic from the VPC through the on-premises firewall, the VPC route table must have a default route (0.0.0.0/0) pointing to the virtual private gateway (VPG) or transit gateway (TGW) attachment. This directs traffic over the VPN or Direct Connect to the on-premises network, where the security stack inspects it before reaching the internet. The Internet Gateway (IGW) remains present but is not used for this traffic because the route table entry overrides it.

Exam trap

Cisco often tests the misconception that a NAT Gateway or VPC Endpoints can redirect traffic to on-premises, but the correct mechanism is a route table entry pointing to the virtual private gateway or transit gateway attachment.

How to eliminate wrong answers

Option A is wrong because VPC Endpoints provide private connectivity to AWS services without traversing the internet, but they do not force general outbound internet traffic through an on-premises firewall; they only handle traffic to specific AWS services. Option B is wrong because a NAT Gateway enables outbound internet access from private subnets but sends traffic directly to the IGW, bypassing the on-premises security stack; it does not route traffic through a VPN or Direct Connect. Option D is wrong because security groups are stateful firewalls that control inbound and outbound traffic at the instance level, but they cannot redirect traffic to an on-premises firewall; they only allow or deny traffic, not route it.

747
Multi-Select (medium)

An organization uses Cisco ISE for network access control. They want to authenticate users with certificates for strong security. Which two EAP methods support certificate-based authentication? (Choose two.)

Select 2 answers
A.PEAP-MSCHAPv2
B.LEAP
C.EAP-MD5
D.EAP-TLS
E.EAP-FAST
Answers: A, D

PEAP-MSCHAPv2 uses server certificate for tunnel establishment, then MSCHAPv2 for client authentication.

Why this answer

EAP-TLS and PEAP-MSCHAPv2 both support certificate-based authentication, though PEAP-MSCHAPv2 uses certificates for server-side only.

748
MCQ (hard)

An organization uses Cisco Umbrella to protect remote users. The security team notices that some malicious domains are not blocked because users are bypassing the DNS layer by using direct IP connections or non-DNS protocols. Which Cisco Umbrella feature should be enabled to inspect all traffic, including non-web traffic, and enforce policies regardless of DNS resolution?

A.Secure Internet Gateway (SIG)
B.Intelligent Proxy
C.Umbrella Roaming Client
D.DNS-layer Security
Answer: A

SIG includes a cloud firewall that can inspect all traffic and enforce policies beyond DNS.

Why this answer

The Cisco Umbrella Secure Internet Gateway (SIG) provides a cloud-delivered firewall that can inspect all traffic (including non-web) and enforce policies without relying solely on DNS blocking.

749
MCQ (hard)

An organization implements a policy where every access request must be authenticated and authorized, even if it originates from within the internal network. Network segments are isolated, and lateral movement is restricted through microsegmentation. Which security model does this align with?

A.CIA triad
B.Zero Trust
C.AAA model
D.Defense in depth
Answer: B

Zero Trust principles: never trust, always verify, least privilege, microsegmentation.

Why this answer

Zero Trust requires verification for every request regardless of network location, and uses microsegmentation to limit movement.

750
MCQ (medium)

An engineer wants to configure high availability on a pair of Cisco Firepower Threat Defense (FTD) devices. Which HA mode supports active/standby failover with stateful replication of connection information?

A.Active/standby with stateful failover
B.Active/standby without stateful failover
C.Active/active with asymmetric routing
D.Clustering
Answer: A

Correct. Active/standby replicates connection tables to the standby unit.

Why this answer

Active/standby HA with stateful failover syncs connection states. Active/active is typically for routed mode with asymmetric routing.
