Cisco SCOR / CCNP Security Core 350-701 (350-701) — Questions 751–825

988 questions total · 14 pages · All types, answers revealed


Page 11 of 14

751 · Multi-Select · easy

Cisco AMP for Endpoints provides endpoint protection. Which two are core capabilities of AMP? (Choose two.)

Select 2 answers
A. Privileged access management
B. Exploit prevention
C. Continuous monitoring
D. Multi-factor authentication
E. Retrospective security
Answers: C, E

AMP continuously monitors file activity and network connections.

Why this answer

C is correct because Cisco AMP for Endpoints provides continuous monitoring of file activity and telemetry across endpoints, analyzing behavior in real time to detect threats. This capability ensures that even if a file is initially deemed safe, any subsequent malicious activity is identified and blocked, leveraging cloud-based threat intelligence and analytics.

Exam trap

Cisco often tests the distinction between 'continuous monitoring' and 'retrospective security' as unique AMP capabilities versus generic security features like exploit prevention or MFA, which are associated with other Cisco products (e.g., Firepower, Duo).

752 · MCQ · medium

An organization uses Cisco Umbrella for DNS-layer security. They want to block access to a newly discovered malicious domain (malware.example.com) immediately. Which action should the administrator take in the Umbrella dashboard?

A. Add the domain to the 'Global Block List' under 'Managed Networks'.
B. Add the domain to the 'Temporary Block List' under 'Security Settings'.
C. Add the domain to the 'Block List' under the policy's 'Destination Lists'.
D. Add the domain to the 'IP Layer Enforcement' list.
Answer: C

Policy block list immediately blocks DNS queries to the domain for users under that policy.

Why this answer

Option C is correct because in Cisco Umbrella, the most immediate way to block a specific malicious domain is to add it to the 'Block List' under the policy's 'Destination Lists'. This list is evaluated in real-time for DNS queries, allowing the administrator to enforce the block without waiting for threat intelligence updates or affecting other policies.

Exam trap

The trap here is that candidates confuse the 'Global Block List' (which applies to IP addresses at the network layer) with the policy-specific 'Block List' (which applies to domains at the DNS layer), leading them to select Option A instead of C.

How to eliminate wrong answers

Option A is wrong because the 'Global Block List' under 'Managed Networks' is used for blocking IP addresses or networks at the network layer, not for domain-level DNS blocking. Option B is wrong because there is no 'Temporary Block List' under 'Security Settings' in Cisco Umbrella; temporary blocks are typically handled via the 'Block List' within a policy or via the 'Temporary Block' feature in the Investigate console, not under Security Settings. Option D is wrong because 'IP Layer Enforcement' is used for blocking traffic based on IP addresses, not domain names, and it applies after DNS resolution, not at the DNS layer.

753 · MCQ · easy

A company wants to ensure that only authorized applications can run on endpoints. Which feature of Cisco AMP for Endpoints should be used to create a whitelist of allowed applications?

A. Application Control
B. Exploit Prevention
C. Orbital Advanced Search
D. File Reputation
Answer: A

Application Control allows whitelisting of approved applications and blocks unauthorized ones.

Why this answer

Application Control in Cisco AMP for Endpoints allows administrators to define a whitelist of approved applications by specifying SHA-256 hashes, file paths, or publisher certificates. This feature enforces a 'deny-by-default' policy, blocking any executable not explicitly allowed, which directly meets the requirement to ensure only authorized applications can run on endpoints.

Exam trap

Cisco often tests the distinction between 'Application Control' (whitelisting/blacklisting based on static criteria) and 'File Reputation' (cloud-based dynamic analysis), leading candidates to mistakenly choose File Reputation because they associate 'reputation' with trust, but it does not enforce a strict allowlist.

How to eliminate wrong answers

Option B (Exploit Prevention) is wrong because it focuses on detecting and blocking exploit techniques (e.g., buffer overflows, privilege escalation) rather than controlling which applications are allowed to execute. Option C (Orbital Advanced Search) is wrong because it is a remote investigation and threat-hunting tool that queries endpoint data for forensic analysis, not a mechanism to enforce application whitelisting. Option D (File Reputation) is wrong because it uses cloud-based reputation scores (e.g., known good, known bad, unknown) to assess files, but it does not create a static whitelist; it relies on dynamic analysis and can allow unknown files if not explicitly blocked.

754 · MCQ · medium

An organization is migrating from on-premises Cisco ESA to Cisco Cloud Email Security (CES). They need to ensure that email encryption policies remain consistent after migration. What is the best approach to migrate the encryption policies?

A. Export the configuration from on-premises ESA and import into CES
B. Use the Cisco ESA API to migrate policies automatically
C. Recreate the policies manually in CES based on existing documentation
D. Synchronize the two appliances using Cisco Security Management Suite
Answer: A

Export/import preserves exact policy settings and is the recommended migration approach.

Why this answer

Option A is correct because Cisco Cloud Email Security (CES) supports importing configuration files exported from on-premises Cisco ESA, including encryption policies. This ensures consistency by directly transferring the policy definitions without manual re-creation, leveraging the same underlying policy engine and encryption protocols (e.g., TLS, S/MIME, or PGP) used on-premises.

Exam trap

Cisco often tests the misconception that API-based migration or centralized management tools like SMS can handle cloud migrations, when in fact the export/import feature is the only supported method for transferring ESA policies to CES.

How to eliminate wrong answers

Option B is wrong because the Cisco ESA API is designed for programmatic management of the on-premises appliance, not for migrating policies to CES; it lacks endpoints to push configurations to the cloud service. Option C is wrong because manually recreating policies in CES based on documentation introduces risk of human error and inconsistency, especially with complex encryption settings like key management or cipher suites. Option D is wrong because Cisco Security Management Suite (SMS) is a centralized management tool for on-premises security appliances, not a migration tool for cloud services, and it does not synchronize policies to CES.

755 · MCQ · hard

An engineer observes that the Cisco ASA connection table shows a consistent number of entries for UDP traffic, but the xlate table shows no entries. What is the most likely reason?

A. The traffic is being dropped by ACLs
B. NAT is not configured for this traffic
C. The ASA is in transparent mode
D. UDP traffic does not create connections
Answer: B

Without NAT, the xlate table is empty.

Why this answer

The xlate table holds NAT translations; if no NAT is configured, traffic passes without xlate entries, but connections are still tracked.

756 · MCQ · medium

A company uses Cisco ISE for network access control. Users connecting via wired 802.1X are successfully authenticated but cannot reach the internet. The administrator checks the authorization policy and notices that the correct dACL is being applied. What is the most likely cause of the issue?

A. The switchport is configured as dynamic desirable
B. The RADIUS server is not sending the dACL attribute in the Access-Accept
C. The switch port MTU is set to 1500 bytes
D. ISE is out of licenses for endpoint devices
Answer: B

If the dACL is not included in the RADIUS response, the switch will not apply it.

Why this answer

The most likely cause is that the RADIUS server (ISE) is not sending the dACL attribute in the Access-Accept packet. Even though the authorization policy applies a dACL, if the RADIUS message does not include the dACL name (e.g., Cisco-AV-Pair = "ip:inacl#100=...") or the switch does not receive it, the switch cannot enforce the filter, leaving the user authenticated but with no internet access due to default deny-all behavior.

Exam trap

Cisco often tests the misconception that a correctly configured authorization policy in ISE guarantees the dACL is sent; the trap is that the policy must be linked to an authorization profile that explicitly includes the dACL, and the RADIUS message must carry it—otherwise the switch never receives the filter.

How to eliminate wrong answers

Option A is wrong because switchport mode dynamic desirable is a DTP setting for trunk negotiation and does not affect 802.1X authentication or dACL enforcement. Option C is wrong because an MTU of 1500 bytes is standard and would not prevent internet access after successful authentication; it might cause fragmentation issues but not a complete lack of connectivity. Option D is wrong because ISE license depletion affects the ability to authenticate new endpoints, not the enforcement of already-applied dACLs for authenticated users.

757 · MCQ · hard

A multinational corporation is migrating its on-premises data center to a public cloud provider. The security policy requires that all traffic between cloud VPCs and the on-premises network must be inspected by a next-generation firewall (NGFW) deployed in the cloud. The on-premises network uses BGP for dynamic routing. Which design meets the requirement while minimizing latency and administrative overhead?

A. Deploy a transit VPC with an NGFW instance and configure BGP dynamic routing between the transit VPC, other VPCs, and the on-premises network.
B. Use AWS Transit Gateway with static routes pointing to the NGFW instance for inspection.
C. Create a site-to-site VPN between each VPC and the on-premises network, and configure the NGFW on-premises.
D. Use AWS Direct Connect to connect all VPCs to the on-premises network and place the NGFW on-premises.
Answer: A

Transit VPC with NGFW and BGP allows traffic inspection and dynamic route exchange.

Why this answer

Option A is correct because a transit VPC with an NGFW instance allows centralized traffic inspection while using BGP dynamic routing to exchange routes between the transit VPC, other VPCs, and the on-premises network. This design minimizes administrative overhead by avoiding static route management and reduces latency by keeping inspection within the cloud, rather than hair-pinning traffic on-premises. BGP enables automatic failover and route propagation, meeting the dynamic routing requirement.

Exam trap

Cisco often tests the misconception that a cloud-native service like AWS Transit Gateway inherently supports dynamic routing with NGFW inspection, but the trap is that Transit Gateway uses static routes for traffic steering unless integrated with a transit VPC and BGP, leading candidates to choose Option B incorrectly.

How to eliminate wrong answers

Option B is wrong because AWS Transit Gateway with static routes pointing to the NGFW instance introduces administrative overhead from manual route updates and does not leverage BGP dynamic routing as required, leading to potential misconfigurations and higher latency due to forced traffic paths. Option C is wrong because creating a site-to-site VPN between each VPC and the on-premises network with the NGFW on-premises forces all traffic to hair-pin through the on-premises network, increasing latency and failing to inspect traffic within the cloud; it also does not centralize inspection in the cloud as required. Option D is wrong because using AWS Direct Connect to connect all VPCs to the on-premises network and placing the NGFW on-premises violates the requirement that inspection must occur in the cloud, and it introduces significant latency by routing all cloud traffic back to the on-premises NGFW.

758 · MCQ · medium

An organization uses Cisco Umbrella to block malicious domains. The security team notices that some malware traffic bypasses DNS-layer blocking because the malware uses hardcoded IP addresses. Which Umbrella feature should be enabled to additionally inspect traffic at the IP layer?

A. Intelligent Proxy
B. Secure Internet Gateway (SIG)
C. DNS-layer security
D. Umbrella Roaming Client
Answer: B

SIG includes a cloud-delivered firewall that can block traffic based on IP addresses.

Why this answer

Cisco Umbrella's Secure Internet Gateway (SIG) provides cloud-delivered firewall and web proxy that can inspect IP-based traffic, not just DNS.

759 · MCQ · medium

Which protocol does Cisco ISE use to communicate with network devices for 802.1X authentication?

A. RADIUS
B. LDAP
C. SNMP
D. TACACS+
Answer: A

RADIUS is the protocol used for network access control.

Why this answer

Cisco ISE uses RADIUS for authentication, authorization, and accounting. 802.1X leverages EAP over RADIUS.

760 · MCQ · hard

During a security incident, an engineer needs to quickly quarantine an endpoint that is connected to a switch via 802.1X. The engineer wants to use ISE to send a Change of Authorization (CoA) to move the port to a restrictive VLAN. What must be configured on the switch to allow ISE to send CoA?

A. The switch must listen on UDP port 1700 for CoA packets
B. The switch must have 'aaa server radius dynamic-author' configured with a client entry for ISE
C. The switch must have a VTY line configured with 'transport input ssh'
D. RADIUS accounting must be enabled on the switch
E. The switch must have 'authentication event server dead action authorize' configured
Answer: B

This command enables the switch to accept CoA requests from ISE.

Why this answer

Option B is correct because the `aaa server radius dynamic-author` command defines a local RADIUS dynamic-author server on the switch, which listens for Change of Authorization (CoA) and Disconnect messages from ISE. The client entry specifies the ISE server's IP address and shared secret, allowing the switch to accept and process the CoA request to dynamically change the VLAN assignment for the 802.1X-authenticated endpoint.

Exam trap

Cisco often tests the misconception that CoA uses UDP port 1700 (the standard RADIUS authentication port) rather than the correct port 3799 defined in RFC 5176 for dynamic authorization changes.

How to eliminate wrong answers

Option A is wrong because CoA packets are sent to UDP port 3799 (as per RFC 5176), not UDP port 1700 (which is used for RADIUS accounting). Option C is wrong because VTY line configuration with 'transport input ssh' is for remote management access to the switch CLI, not for receiving CoA messages from ISE. Option D is wrong because while RADIUS accounting is often used in conjunction with CoA for session identification, it is not a mandatory prerequisite for the switch to accept CoA packets; the dynamic-author server configuration alone enables CoA processing.

Option E is wrong because 'authentication event server dead action authorize' is a fallback mechanism for when the RADIUS server is unreachable, not a configuration that allows the switch to receive CoA messages.

761 · MCQ · medium

An organization wants to ensure that digital certificates issued by its internal CA are validated for revocation in real-time. Which protocol should be implemented to allow clients to check certificate status without downloading a full CRL?

A. SCEP
B. EST
C. OCSP
D. CRL
Answer: C

OCSP provides real-time revocation status for individual certificates.

Why this answer

OCSP (Online Certificate Status Protocol) enables real-time checking of a certificate's revocation status by querying the CA's responder, avoiding the need to download the entire CRL.

762 · Multi-Select · hard

A company wants to deploy a DMZ segment accessible from the internet. Which THREE considerations are critical for firewall zone design and security?

Select 3 answers
A. Use separate firewall interfaces for inside, outside, and DMZ
B. DMZ servers should not initiate connections to the inside network
C. DMZ interface should have a security level of 100
D. Restrict inbound traffic from outside to DMZ to only required services
E. Allow all traffic from inside to DMZ without inspection
Answers: A, B, D

Segmentation requires separate interfaces/zones.

Why this answer

DMZ should have its own interface with a security level between inside and outside. Traffic from outside to DMZ should be restricted to necessary services. Inside to DMZ traffic should be permitted for management but initiated from inside.

763 · MCQ · hard

A company has deployed Cisco ISE for network access control. After a recent upgrade, the operations team notices that some users are being assigned incorrect authorization profiles. The ISE logs show that the users are being matched to the correct identity group, but the authorization result is different from expected. What is the most likely cause?

A. The passive identity feature is overriding the user's group assignment.
B. The authorization policy rules are not in the correct order, causing a different rule to match first.
C. The network device group assignment has changed, causing the device to be in a different group.
D. The authentication policy is misconfigured, causing users to be placed in the wrong identity group.
Answer: B

ISE uses first-match logic for authorization policies.

Why this answer

In Cisco ISE, authorization policies are evaluated in top-down order, and the first matching rule is applied. Even if users are correctly assigned to an identity group, a higher-priority authorization policy rule that matches on other conditions (e.g., endpoint profile, device type, or time condition) can override the expected result. This is the most likely cause when authentication and group assignment are correct but the authorization result is unexpected.

Exam trap

Cisco often tests the concept that authorization policies are evaluated in order of precedence, and candidates mistakenly focus on authentication or group assignment when the real issue is rule ordering in the authorization policy.

How to eliminate wrong answers

Option A is wrong because the passive identity feature (e.g., Active Directory passive identity) is used for identity mapping and does not override group assignments; it only provides identity context for authentication. Option C is wrong because if the network device group assignment had changed, the device would likely fail authentication or be matched to a different policy set, not cause incorrect authorization profiles while still matching the correct identity group. Option D is wrong because the question states that users are being matched to the correct identity group, which means the authentication policy is working correctly; a misconfigured authentication policy would place users in the wrong group, not result in correct group matching with wrong authorization.

764 · MCQ · medium

An organization is adopting a zero-trust model for cloud access. Which component enforces conditional access policies based on user, device, location, and risk level in Azure AD?

A. Azure AD Identity Protection
B. Azure AD Conditional Access
C. Azure Security Center
D. Privileged Identity Management (PIM)
Answer: B

Conditional Access enforces policies based on conditions.

Why this answer

Azure AD Conditional Access evaluates signals (user, device, location, risk) and enforces policies like requiring MFA or blocking access.

765 · MCQ · medium

A company deploys a solution that uses a root certificate authority (CA) and intermediate CAs to issue certificates. What is the term for the hierarchical structure of certificates from the root CA to the end entity?

A. Certificate signing request
B. Certificate revocation list
C. Certificate chaining
D. Public key infrastructure
Answer: C

The chain of trust from root to leaf.

Why this answer

Certificate chaining refers to the path from the root CA through intermediates to the end-entity certificate.

766 · MCQ · hard

A security engineer is configuring a Cisco Firepower NGFW to detect a buffer overflow attack. Which attack vector is this?

A. Malware delivery
B. Exploitation
C. Reconnaissance
D. Denial of Service
Answer: B

Correct answer. Buffer overflow is a classic exploitation technique.

Why this answer

Buffer overflow is an exploitation technique where an attacker writes beyond the allocated buffer to execute arbitrary code.

767 · MCQ · easy

A small business uses Cisco Umbrella for DNS-layer security. They recently enabled multi-factor authentication (MFA) for all administration accounts. The IT manager is unable to log into the Umbrella dashboard; the login page accepts his password but then asks for an MFA code. However, he never set up MFA. He checks his email and finds no registration email. He is the only administrator. How should he regain access to the Umbrella dashboard?

A. Create a new Umbrella account and transfer the organization.
B. Use the Umbrella API to programmatically disable MFA.
C. Have another administrator in the organization disable MFA for his account.
D. Contact Cisco TAC and prove ownership of the account to have MFA reset.
Answer: D

Correct: TAC can verify identity and reset MFA.

Why this answer

When an administrator is locked out of Cisco Umbrella due to MFA that was never configured, and there is no other administrator to assist, the only recovery path is to contact Cisco TAC. TAC can verify account ownership through a proof-of-ownership process and then reset the MFA enrollment, allowing the administrator to set it up fresh. This is the standard escalation procedure for Umbrella when self-service recovery options are unavailable.

Exam trap

Cisco often tests the misconception that API or self-service options can bypass MFA recovery, but in reality, MFA is a security boundary that requires administrative or TAC-level intervention to reset.

How to eliminate wrong answers

Option A is wrong because creating a new Umbrella account and transferring the organization is not a supported feature; Umbrella organizations are tied to a single primary account and cannot be transferred without TAC involvement. Option B is wrong because the Umbrella API does not expose an endpoint to disable MFA for an administrator account; MFA settings are managed through the dashboard or by TAC only. Option C is wrong because the scenario states the IT manager is the only administrator, so there is no other administrator to perform the disable action.

768 · MCQ · hard

An administrator is migrating an ASA firewall to a cloud environment and wants to use FlexConfig to push additional configuration. After applying the FlexConfig, the ASA does not show the expected commands. Which of the following is a likely reason?

A. The ASA model does not support FlexConfig.
B. The ASA must be rebooted for FlexConfig to take effect.
C. The FlexConfig is not associated with the device in ASDM.
D. The FlexConfig contains syntax errors that are silently ignored.
Answer: C

FlexConfig must be associated with the device in ASDM or CLI; otherwise, it will not be applied.

Why this answer

FlexConfig is a feature of Cisco ASDM that allows administrators to push additional CLI commands to an ASA that are not natively supported by the ASDM GUI. For FlexConfig to work, the configuration template must be explicitly associated with the target device within ASDM. If this association is missing, the ASA will not receive or apply the FlexConfig commands, even if the template is correctly written and the device supports the feature.

Exam trap

Cisco often tests the distinction between creating a FlexConfig template and actually associating it with a device, because candidates mistakenly believe that simply uploading a template is sufficient for it to be applied.

How to eliminate wrong answers

Option A is wrong because FlexConfig is supported on all ASA models that run ASA software version 8.4(2) or later, including virtual ASAv instances used in cloud environments. Option B is wrong because FlexConfig changes take effect immediately after the ASA reloads its configuration; no system reboot is required. Option D is wrong because FlexConfig templates with syntax errors are not silently ignored; the ASA will reject the invalid commands and generate error messages in the syslog or CLI output, alerting the administrator to the problem.

769 · MCQ · hard

A network administrator needs to provide network access to a legacy printer that does not support 802.1X. Which Cisco ISE feature should be used to authenticate this device?

A. Posture assessment
B. Guest access with self-registration
C. Profiling using DHCP probe
D. MAC Authentication Bypass
Answer: D

MAB uses the device's MAC address for authentication, suitable for non-802.1X devices.

Why this answer

MAC Authentication Bypass (MAB) allows devices that cannot run 802.1X supplicant software to authenticate based on their MAC address. ISE can be configured to accept the MAC address as the credential.

770 · Multi-Select · medium

An organization is deploying Cisco Duo for multi-factor authentication. Which TWO authentication methods can be used with Duo? (Choose two.)

Select 2 answers
A. Kerberos ticket
B. Smart card
C. Time-based one-time password (TOTP)
D. Biometric authentication
E. Push notification
Answers: C, E

Duo Mobile can generate TOTP codes for offline authentication.

Why this answer

Duo provides push notifications to a mobile app and time-based one-time passwords (TOTP) as authenticator methods. Biometric authentication is not a Duo method; SMS passcodes are available but legacy; hardware tokens are supported, but the question asks for TWO methods, and push and TOTP are the most common. A hardware token would, however, also be a valid Duo method.

The exam expects push and TOTP as primary.

771 · MCQ · medium

A security administrator is reviewing firewall logs and notices that an internal user is generating excessive outbound DNS queries to a known malicious domain. The company uses Cisco Umbrella for DNS-layer security. How should the administrator investigate and block this traffic?

A. Check the Cisco Umbrella dashboard for the domain, identify the internal IP, and block the domain via policy.
B. Create a firewall ACL to block the IP address of the DNS server from the internal user.
C. Disable the user's network access temporarily and inform the IT department.
D. Enable full packet capture on the internal network and wait for the next occurrence.
Answer: A

Umbrella provides visibility and enforcement at the DNS layer, stopping malicious queries before connection.

Why this answer

Option A is correct because Cisco Umbrella is a DNS-layer security solution that can log and block DNS queries to malicious domains. The administrator should first check the Umbrella dashboard to identify the internal IP generating the excessive queries, then create a policy to block the domain, which will prevent all subsequent DNS resolutions to that domain without affecting other traffic.

Exam trap

Cisco often tests the candidate's understanding that DNS-layer security (like Umbrella) is the appropriate tool for blocking malicious domains at the DNS level, rather than using traditional firewall ACLs or reactive measures that do not leverage the solution's policy-based blocking capabilities.

How to eliminate wrong answers

Option B is wrong because blocking the DNS server IP address would prevent the user from resolving any domains, not just the malicious one, and does not leverage the DNS-layer security capabilities of Umbrella. Option C is wrong because disabling the user's network access is a reactive, disruptive measure that does not address the root cause or allow for forensic analysis; it also bypasses the proper use of Umbrella's policy controls. Option D is wrong because enabling full packet capture is a passive monitoring technique that does not block the traffic and delays remediation; it is inefficient compared to using the existing Umbrella dashboard and policy enforcement.

772 · Multi-Select · easy

Which TWO benefits does centralized RADIUS authentication provide over local authentication on network devices? (Choose two.)

Select 2 answers
A. Centralized accounting and logging of all authentication attempts
B. Ability to change passwords or permissions in one place
C. Faster authentication because of local caching
D. Support for multiple authentication protocols like PAP, CHAP, EAP
E. No need for a backup authentication method
Answers: A, B

A RADIUS server provides unified logs.

Why this answer

Centralized RADIUS authentication aggregates all authentication, authorization, and accounting (AAA) data on a single server. This provides a unified audit trail for all login attempts across network devices, enabling comprehensive logging and accounting that local authentication cannot offer. Local authentication logs are device-specific and lack centralized aggregation, making forensic analysis and compliance reporting more difficult.

Exam trap

Cisco often tests the misconception that centralized authentication is faster or eliminates the need for a backup method, when in reality it introduces dependency on network reachability and requires a fallback like local authentication for resilience.

773 · MCQ · medium

A security analyst needs to investigate a potential breach on an endpoint running Cisco AMP. The analyst wants to remotely execute commands to gather forensic data and potentially isolate the endpoint from the network. Which Cisco AMP EDR capability should the analyst use?

A. Process isolation
B. Device Trajectory
C. File quarantine
D. Remote shell investigation
Answer: D

Remote shell provides command-line access to the endpoint for investigation and response.

Why this answer

Remote shell investigation allows security analysts to execute commands on an endpoint remotely for live forensics, and process isolation can be used to contain threats.

774 · Multi-Select · hard

Which THREE are characteristics of Cisco Stealthwatch?

Select 3 answers
A. Can integrate with Cisco ISE for automated threat response
B. Provides behavioral analysis to detect threats
C. Acts as a next-generation firewall
D. Uses NetFlow and IPFIX for network traffic visibility
E. Functions as an intrusion prevention system (IPS)
Answers: A, B, D

Integration allows ISE to enforce policies based on Stealthwatch alerts.

Why this answer

Option A is correct because Cisco Stealthwatch can integrate with Cisco ISE (Identity Services Engine) via pxGrid or REST API to enable automated threat response. When Stealthwatch detects anomalous behavior, it can trigger ISE to enforce policy changes such as quarantining an endpoint or dynamically applying a security group access control list (SGACL), closing the loop between detection and remediation.

Exam trap

Cisco often tests the distinction between detection/visibility tools (Stealthwatch) and inline enforcement devices (NGFW/IPS), so the trap here is that candidates confuse Stealthwatch's behavioral analysis and flow-based monitoring with the packet-inspecting, blocking capabilities of a next-generation firewall or intrusion prevention system.

775 · Multi-Select · medium

A network engineer is troubleshooting 802.1X authentication failures. Which two components are required for a successful 802.1X authentication? (Choose two.)

Select 2 answers
A. DHCP server
B. Authentication server (ISE)
C. Supplicant (client software)
D. DNS server
E. RADIUS proxy
Answers: B, C

ISE validates credentials and grants access.

Why this answer

In 802.1X authentication, the supplicant (client software) initiates the authentication process by sending an EAPOL-Start message, and the authentication server (ISE) validates the client's credentials via RADIUS. Without both, the authentication cannot complete. The supplicant provides identity, while the authentication server makes the final permit/deny decision.

Exam trap

Cisco often tests whether candidates mistakenly include supporting infrastructure (DHCP, DNS) as required components; 802.1X authentication is purely Layer 2 and does not depend on IP-based services until after successful authentication.

776
MCQ (easy)

Which Cisco security product provides DNS-layer security to block malicious domains and cloud-based threats?

A. Cisco Stealthwatch
B. Cisco Umbrella
C. Cisco ISE
D. Cisco AMP
Answer: B

Correct answer. Umbrella offers DNS-layer security.

Why this answer

Cisco Umbrella is a cloud-delivered security service that provides DNS-layer filtering to block malicious destinations.

777
MCQ (medium)

A company uses Cisco Umbrella to provide DNS-layer security. An employee tries to visit a website that is hosting malware, but the domain is not yet categorized. How does Umbrella handle this request?

A. The request is redirected to a captive portal for user awareness
B. The request is allowed because the domain is not categorized
C. The request is blocked if the domain is identified as malicious by Umbrella's threat intelligence
D. The request is proxied through the intelligent proxy for inspection
Answer: C

Umbrella uses threat intelligence to block malicious domains regardless of category.

Why this answer

Umbrella's DNS-layer security can block domains based on intelligence feeds, including newly observed malicious domains. It does not need categorization; it uses real-time threat intelligence. The intelligent proxy is separate.

778
Multi-Select (hard)

A security team is investigating a breach where the attacker gained access to a server using stolen credentials. Later, the attacker moved laterally and exfiltrated data. Which three security controls would best help detect and prevent lateral movement? (Choose three.)

Select 3 answers
A. Microsegmentation
B. Stateful firewall at perimeter
C. SSL inspection
D. Network behavioral analytics (e.g., Stealthwatch)
E. Endpoint detection and response (EDR)
Answers: A, D, E

Microsegmentation divides the network into small zones, limiting lateral movement.

Why this answer

Microsegmentation, network behavioral analytics, and endpoint detection help limit and detect lateral movement.

779
Multi-Select (medium)

A Cisco TrustSec deployment is being implemented to enforce micro-segmentation. The security team needs to ensure that Security Group Tags (SGTs) are propagated across the network. Which THREE methods can be used to distribute SGT information in a TrustSec environment? (Choose three.)

Select 3 answers
A. SGT over SXP (SGT Exchange Protocol)
B. SGT over Cisco Discovery Protocol (CDP)
C. SGT over VXLAN
D. SGT inline tagging (in the Ethernet header)
E. SGT over MPLS
Answers: A, C, D

SXP is a standard protocol to propagate SGTs between network devices without inline tagging.

Why this answer

The correct methods are SGT over SXP (SGT Exchange Protocol), SGT over VXLAN, and SGT inline tagging in the Ethernet header. SGT over MPLS is not a standard TrustSec propagation method. SGT over CDP is not supported; CDP is used for device discovery, not SGT propagation.

780
MCQ (medium)

An email administrator sees the above log entry in the Cisco ESA. What will happen to the email?

A. The email will be quarantined and an administrator will review it
B. The email will be dropped and not delivered
C. The email will be encrypted before delivery
D. The email will be delivered with a warning
Answer: A

Quarantine action holds the email for review.

Why this answer

The log entry indicates that the email triggered a content filter action set to 'quarantine' in the Cisco ESA. When an email is quarantined, it is held in a designated quarantine mailbox for administrative review, allowing the administrator to release, delete, or further analyze the message. This is the default behavior for policies that require human intervention before delivery.

Exam trap

Cisco often tests the distinction between 'quarantine' (administrative review required) and 'drop' (silent discard) to see if candidates understand that quarantine preserves the message for later action, while drop permanently removes it.

How to eliminate wrong answers

Option B is wrong because 'drop' means the email is silently discarded without any notification or quarantine, which is not indicated by the log entry. Option C is wrong because encryption is a separate action applied during delivery, not a quarantine action, and the log does not reference any encryption policy. Option D is wrong because delivering with a warning would add a header or subject tag but still deliver the email, whereas the log shows the email was not delivered and was instead held for review.

781
MCQ (easy)

Refer to the exhibit. A user attempts to SSH to the router. The RADIUS server is unreachable. What will happen?

A. The user will be denied access because RADIUS is unreachable
B. The router will try TACACS+ as a fallback
C. The user will be authenticated using the local database
D. The user will be authenticated using RADIUS after a timeout
Answer: C

When RADIUS is unreachable, the router uses local authentication.

Why this answer

When RADIUS is unreachable and the router is configured for AAA authentication, the default behavior is to fall back to the local database if the 'local' keyword is included in the authentication method list. In this scenario, the user will be authenticated using the local database because the RADIUS server is unreachable, and the router has a local user account configured. This is a standard AAA fallback mechanism to ensure administrative access is not completely lost.

Exam trap

Cisco often tests the misconception that a RADIUS timeout will eventually allow authentication, but the trap here is that the router immediately falls back to the next method in the list (local) when the server is unreachable, not after a timeout.

How to eliminate wrong answers

Option A is wrong because the router does not immediately deny access; it falls back to the local database if configured. Option B is wrong because TACACS+ is only tried as a fallback if it is explicitly listed in the authentication method list; the exhibit does not show TACACS+ in the method list. Option D is wrong because RADIUS authentication will not proceed after a timeout; the router will move to the next method in the list (local) immediately upon RADIUS being unreachable.

782
MCQ (medium)

A network engineer is configuring a site-to-site VPN between two Cisco ASAs using IKEv2. Which component defines the encryption and hash algorithms for Phase 2?

A. IKEv2 proposal
B. Crypto map
C. ISAKMP policy
D. Transform set
Answer: D

Transform set defines Phase 2 proposals.

Why this answer

Transform sets define the Phase 2 parameters such as encryption and integrity algorithms.

783
Multi-Select (medium)

A security administrator is configuring URL filtering on Cisco FTD. Which three categories are commonly used in URL filtering policies? (Choose three.)

Select 3 answers
A. Social Networking
B. Encrypted Traffic
C. Malware
D. Adult Content
E. Phishing
Answers: A, C, D

Correct; common category.

Why this answer

Common URL categories include Social Networking, Malware, and Adult Content. Phishing is a subcategory of Malware, but Malware is a top-level category. Streaming Media is also a standard category.

784
MCQ (easy)

A network engineer is configuring Cisco Umbrella to secure remote users connecting to a SaaS application. The users are not assigned a static public IP and often connect from various locations. Which deployment method best protects these users?

A. Roaming Client
B. Virtual Appliances
C. DNS forwarding with Network Device binding
D. IP layer enforcement with Anycast
Answer: A

Installs a lightweight client that routes traffic through Umbrella regardless of network.

Why this answer

The Roaming Client (Cisco Umbrella Roaming Security Module) is the correct deployment method because it provides DNS-layer security directly on the endpoint, regardless of the user's location or IP address. This ensures that remote users without a static public IP are protected by Umbrella's DNS filtering and threat intelligence, even when connecting from various networks (e.g., home, coffee shop, hotel). The client automatically selects the closest Umbrella data center via Anycast and encrypts DNS queries over HTTPS (DoH) to prevent tampering.

Exam trap

Cisco often tests the misconception that DNS forwarding or IP-based enforcement can protect roaming users, but the trap here is that those methods require a stable, known source IP or a managed network device, which fails when users connect from arbitrary locations without a static public IP.

How to eliminate wrong answers

Option B (Virtual Appliances) is wrong because virtual appliances are deployed on-premises within a corporate network and cannot protect remote users who are not connected to the corporate VPN or network. Option C (DNS forwarding with Network Device binding) is wrong because DNS forwarding relies on a specific network device (e.g., router, firewall) with a static public IP or a configured IP binding, which fails when users roam and their source IP changes. Option D (IP layer enforcement with Anycast) is wrong because IP layer enforcement (e.g., using policy based on source IP) is ineffective for roaming users whose IP addresses are dynamic and unpredictable; Anycast alone does not provide per-user identity or enforcement without a client.

785
MCQ (medium)

During a security audit, it is discovered that some users are bypassing the proxy by using HTTPS tunnels over port 443. The WSA is configured with an explicit proxy mode. What additional configuration is needed to prevent such bypass?

A. Implement a firewall rule to block outbound HTTP/HTTPS traffic except from the WSA
B. Enable SSL decryption on the WSA
C. Configure identity-based authentication for all users
D. Create a custom URL category for tunneling websites and block them
Answer: A

This forces all web traffic through the proxy, preventing bypass.

Why this answer

In explicit proxy mode, the WSA only intercepts traffic that is explicitly configured to use it as a proxy. Users can bypass the proxy by configuring their browser or application to use a direct HTTPS connection (e.g., using CONNECT tunnels over port 443). To prevent this, a firewall rule must block all outbound HTTP/HTTPS traffic except traffic originating from the WSA's IP address, forcing all web traffic through the proxy.

Exam trap

Cisco often tests the distinction between proxy enforcement (network-layer control) and proxy features (SSL decryption, authentication, URL filtering), leading candidates to mistakenly choose SSL decryption as the solution to a bypass problem.

How to eliminate wrong answers

Option B is wrong because SSL decryption alone does not prevent bypass; it only allows inspection of encrypted traffic that already passes through the proxy. Option C is wrong because identity-based authentication controls user access but does not force traffic through the proxy; users can still bypass by not using the proxy settings. Option D is wrong because custom URL categories can block specific tunneling websites, but they cannot prevent users from using arbitrary HTTPS tunnels (e.g., SSH over port 443) that do not match a predefined URL.

786
MCQ (medium)

A network engineer is troubleshooting an endpoint that failed to receive policy updates from the Cisco AMP cloud. The endpoint shows 'Out-of-Date' in the AMP console. The engineer verifies that the endpoint has outbound HTTPS access to the AMP cloud. What additional step should the engineer take to resolve the issue?

A. Configure the AMP connector to use a static IP address for the cloud.
B. Reboot the endpoint to force a policy download.
C. Verify that SNMP is enabled on the endpoint.
D. Verify that the endpoint can resolve the AMP cloud hostname using DNS.
Answer: D

The connector must resolve the cloud hostname for HTTPS connections.

Why this answer

Option D is correct because the AMP connector must resolve the AMP cloud hostname (e.g., `amp.cisco.com`) via DNS to establish the HTTPS connection. Even if outbound HTTPS is allowed, a DNS resolution failure would prevent the endpoint from reaching the cloud, causing the 'Out-of-Date' status. Verifying DNS ensures the endpoint can translate the hostname to an IP address, which is a prerequisite for policy updates.

Exam trap

Cisco often tests the misconception that outbound HTTPS access alone guarantees connectivity, when in fact DNS resolution is a separate prerequisite that must be verified, especially in environments with internal DNS servers or strict DNS filtering policies.

How to eliminate wrong answers

Option A is wrong because the AMP connector does not require a static IP address for the cloud; it uses dynamic DNS resolution and the cloud's IP addresses can change. Option B is wrong because rebooting the endpoint may temporarily force a connection attempt but does not address the underlying cause (e.g., DNS failure or connectivity issues) and is not a recommended troubleshooting step for policy updates. Option C is wrong because SNMP is used for network monitoring and management, not for AMP policy updates or cloud communication; the AMP connector uses HTTPS (TCP/443) and does not rely on SNMP.

787
MCQ (medium)

A company deploys Cisco ISE for network access control. They want to enforce that only employees with a valid certificate and a compliant posture can access the corporate Wi-Fi. Which policy combination should be used?

A. Authorization profile with dACL and a Posture Enforcement Policy (PEP)
B. Authentication using PEAP-MSCHAPv2 and a Posture Enforcement Policy (PEP)
C. Authentication using EAP-TLS and a Posture Enforcement Policy (PEP)
D. Guest portal with self-registration and a Posture Enforcement Policy (PEP)
Answer: C

EAP-TLS uses certificates for authentication, and PEP enforces posture compliance.

Why this answer

Option C is correct because EAP-TLS provides certificate-based mutual authentication, ensuring only employees with a valid certificate can authenticate. The Posture Enforcement Policy (PEP) then checks the endpoint's compliance (e.g., antivirus, patch level) before granting network access. This combination meets the requirement for both certificate validation and posture compliance enforcement on corporate Wi-Fi.

Exam trap

Cisco often tests the distinction between authentication protocols (EAP-TLS vs. PEAP-MSCHAPv2) and their ability to enforce certificate-based access, leading candidates to mistakenly choose PEAP-MSCHAPv2 (Option B) because it is commonly used with machine certificates, but it does not require a client certificate for user authentication.

How to eliminate wrong answers

Option A is wrong because an authorization profile with a downloadable ACL (dACL) controls post-authentication permissions but does not enforce certificate-based authentication; it assumes the user is already authenticated. Option B is wrong because PEAP-MSCHAPv2 uses a username/password (or machine credentials) for authentication, not a certificate, so it cannot enforce that only employees with a valid certificate gain access. Option D is wrong because a guest portal with self-registration is designed for unauthenticated guests, not for employees with certificates, and it does not enforce certificate-based authentication.

788
MCQ (medium)

A SOC analyst notices that after deploying Cisco AMP for Endpoints, some legitimate business software is being blocked by the Exploit Prevention engine. What is the recommended action to allow this software while maintaining maximum security?

A. Disable Exploit Prevention entirely on affected endpoints
B. Create an application exception in Exploit Prevention policy
C. Add the software's executable hash to the file exclusion list
D. Set Exploit Prevention to 'Audit' mode
Answer: B

Allows the specific application while maintaining protection for others.

Why this answer

Option B is correct because Cisco AMP for Endpoints' Exploit Prevention engine uses behavioral analysis to block suspicious activities, and legitimate software may trigger these heuristics. Creating an application exception in the Exploit Prevention policy allows the specific software to run without disabling the entire engine, preserving protection against other exploits. This targeted exception maintains maximum security by only exempting the known legitimate application from exploit detection rules.

Exam trap

Cisco often tests the distinction between file exclusions (for malware detection) and application exceptions (for Exploit Prevention), leading candidates to mistakenly choose the file exclusion list option.

How to eliminate wrong answers

Option A is wrong because disabling Exploit Prevention entirely removes protection against all exploit-based attacks on affected endpoints, significantly reducing security posture. Option C is wrong because file exclusion lists are used for file reputation and malware detection, not for Exploit Prevention behavioral rules; adding the executable hash does not bypass exploit heuristics. Option D is wrong because setting Exploit Prevention to 'Audit' mode only logs detections without blocking, which reduces security by allowing the exploit-like behavior to proceed unblocked on all applications, not just the legitimate one.

789
MCQ (medium)

A security analyst notices traffic from an internal host to an external IP address on port 4444, and the host's CPU is high. The host has been running unknown processes. Which type of malware is most likely involved?

A. Ransomware
B. Keylogger
C. Remote Access Trojan (RAT)
D. Botnet C2 client
Answer: C

A RAT provides remote control and often uses ports like 4444 for C2 communication.

Why this answer

Port 4444 is commonly associated with Blaster worm and remote access tools. A Remote Access Trojan (RAT) allows remote control and often communicates on such ports.

790
Multi-Select (hard)

A security analyst detects a DDoS attack targeting the company's web server. Which three attack types are classified as application layer attacks? (Choose three.)

Select 3 answers
A. DNS query flood
B. Slowloris
C. DNS amplification
D. SYN flood
E. HTTP flood
Answers: A, B, E

Correct. DNS query flood targets the DNS application.

Why this answer

Application layer DDoS attacks target specific applications, such as HTTP floods, Slowloris, and DNS query floods.

791
MCQ (easy)

A company is moving its on-premises applications to AWS EC2 instances. According to the shared responsibility model, which of the following is the customer's responsibility?

A. Hypervisor security
B. Network infrastructure hardening
C. Patching the guest operating system
D. Physical security of the data center
Answer: C

The customer controls the guest OS and must apply patches.

Why this answer

In IaaS, the cloud provider manages the physical infrastructure (hosts, network, hypervisor), while the customer is responsible for securing the guest OS, applications, and data. Patching the OS is a customer responsibility.

792
MCQ (easy)

A network engineer is configuring a new firewall to enforce security policies between two internal VLANs. The goal is to allow only HTTP traffic from the finance VLAN to the HR VLAN, while blocking all other traffic. Which type of firewall rule should be applied to achieve this requirement with minimal administrative overhead?

A. Explicit deny rule
B. Implicit deny rule
C. Stateful rule
D. Default-permit rule
Answer: A

An explicit deny at the end of the rule base ensures that only explicitly permitted traffic (HTTP) is allowed, following best practice.

Why this answer

Option A is correct because an explicit deny rule is required to block all traffic except HTTP from finance to HR. While firewalls have an implicit deny at the end of the rulebase, the requirement to 'block all other traffic' with minimal administrative overhead is best met by creating an explicit deny rule that matches the specific traffic flows to be blocked, ensuring clarity and preventing unintended implicit allow behavior. This approach avoids relying on the implicit deny, which could be overridden by a later default-permit rule or misconfiguration.

Exam trap

Cisco often tests the distinction between explicit deny and implicit deny, trapping candidates who think the implicit deny alone is sufficient to block traffic, when in fact an explicit deny rule is needed to enforce a specific block with minimal administrative overhead and to avoid reliance on default behaviors that can be overridden.

How to eliminate wrong answers

Option B is wrong because an implicit deny rule is automatically applied at the end of the firewall rulebase, but it does not block traffic before it; it only denies traffic that does not match any explicit rule. Relying solely on implicit deny would require an explicit permit rule for HTTP, but the question asks for blocking 'all other traffic' with minimal overhead, and implicit deny is not a rule you configure—it is a default behavior. Option C is wrong because a stateful rule refers to the firewall's ability to track connection states (e.g., allowing return traffic for established sessions), but it does not inherently block traffic; it is a property of how rules are processed, not a rule type that denies traffic.

Option D is wrong because a default-permit rule would allow all traffic by default, which directly contradicts the requirement to block all other traffic; this is the opposite of what is needed.

793
MCQ (medium)

A security engineer is configuring Duo for VPN authentication with AnyConnect. Which authentication factor does Duo provide in addition to the user's primary credentials?

A. RADIUS accounting
B. SAML assertion
C. Machine certificate validation
D. Second-factor authentication (push, TOTP, etc.)
Answer: D

Correct. Duo provides a second factor after primary authentication.

Why this answer

Duo provides second-factor authentication, typically via push notification, TOTP, or hardware token, which is used after the user enters their primary credentials (e.g., LDAP password).

794
Multi-Select (medium)

A company is implementing zero trust architecture in the cloud. Which TWO principles are fundamental to zero trust? (Choose two.)

Select 2 answers
A. Assume breach
B. Implicit trust for internal traffic
C. Use static passwords
D. Use perimeter firewalls only
E. Verify explicitly
Answers: A, E

Design systems assuming an attacker is present.

Why this answer

Option A is correct because zero trust architecture operates on the principle of 'never trust, always verify,' which includes assuming that a breach has already occurred or is inevitable. This assumption drives continuous validation of every access request, regardless of source, and enforces least-privilege access to limit lateral movement. In cloud environments, this means treating every API call, workload, and user session as potentially compromised until proven otherwise.

Exam trap

Cisco often tests the misconception that zero trust still allows implicit trust for internal traffic or that traditional perimeter defenses are sufficient, leading candidates to select 'Implicit trust for internal traffic' or 'Use perimeter firewalls only' instead of recognizing that zero trust requires explicit verification for all traffic.

795
MCQ (hard)

An organization is deploying Cisco ISE with passive identity mapping from Active Directory. They notice that users are not being correctly identified on the network, and some workstations are appearing with multiple IP addresses. What is the most likely cause?

A. ISE is configured with incorrect Active Directory domain join credentials.
B. The DHCP server is not configured to forward DHCP packets to ISE.
C. The ISE node is not configured for passive identity service.
D. The network switches are not configured with SNMP traps for MAC notification.
Answer: B

Without DHCP forwarding, ISE cannot correlate IP addresses to MAC addresses, leading to identification issues.

Why this answer

Option B is correct because passive identity mapping via DHCP requires the DHCP server to forward DHCP packets to ISE. Without this, IP-to-MAC mappings are incomplete. Option A is incorrect because domain join credentials affect ISE-AD communication, not DHCP mapping.

Option C is incorrect because, although the passive identity service must be enabled, the symptom points to missing DHCP data. Option D is incorrect because SNMP traps are used for endpoint classification, not passive identity.

796
MCQ (medium)

A company uses multiple cloud providers (AWS and Azure) and wants to unify security monitoring and policy enforcement. They have on-premises data centers as well. Which Cisco solution is best suited for this?

A. Cisco Secure Cloud Analytics
B. Cisco Secure Firewall Cloud Native
C. Cisco Secure Workload
D. Cisco Secure Network Analytics
Answer: A

Unified monitoring and policy enforcement for multi-cloud and on-prem.

Why this answer

Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud) is designed to provide unified visibility and security monitoring across multi-cloud environments (AWS, Azure, GCP) and on-premises data centers. It uses NetFlow/IPFIX data and cloud-native API integrations to detect anomalies and enforce consistent security policies, making it the best fit for the company's requirement to unify security monitoring and policy enforcement across hybrid and multi-cloud deployments.

Exam trap

Cisco often tests the distinction between 'monitoring and policy enforcement across multiple clouds' (Secure Cloud Analytics) versus 'micro-segmentation for workloads' (Secure Workload) or 'on-premises network analytics' (Secure Network Analytics), leading candidates to confuse the scope of each solution.

How to eliminate wrong answers

Option B (Cisco Secure Firewall Cloud Native) is wrong because it is a virtual firewall appliance specifically for public cloud environments, focusing on network segmentation and threat inspection, but it does not provide unified monitoring or policy enforcement across multiple cloud providers and on-premises. Option C (Cisco Secure Workload) is wrong because it is a micro-segmentation and workload protection solution that focuses on application-level visibility and policy enforcement within data centers and clouds, but it is not designed for unified security monitoring across disparate cloud providers and on-premises. Option D (Cisco Secure Network Analytics) is wrong because it is an on-premises network traffic analysis tool that relies on NetFlow/IPFIX from physical network devices, lacking native multi-cloud API integrations and the ability to monitor cloud-native workloads without additional agents.

797
MCQ (medium)

An organization uses Cisco Umbrella to block malicious domains. Which layer does Umbrella primarily operate at to prevent connections before they are established?

A. Network layer (IP filtering)
B. Application layer
C. Transport layer
D. DNS layer
Answer: D

Correct. Umbrella blocks DNS requests to malicious domains.

Why this answer

Cisco Umbrella operates at the DNS layer to block requests to malicious domains before any connection is made.

798
MCQ (medium)

A company uses Cisco WSA in transparent mode. They want to bypass proxy processing for all traffic to a specific internal server (10.0.0.5) to reduce latency. They create an access policy with a custom URL category and add the server's IP to the 'Proxy Bypass' list. However, traffic to that server is still being proxied. What is the most likely cause?

A. The IP address is incorrectly formatted in the bypass list
B. The access policy is placed after a deny rule
C. The proxy bypass list does not apply in transparent mode; instead use network ACLs to bypass WSA
D. The client is required to authenticate
Answer: C

In transparent mode, bypass must be done at the network level (WCCP redirect ACL or PBR) to avoid sending traffic to WSA.

Why this answer

In transparent mode, the Cisco WSA intercepts traffic at the network layer without explicit client configuration. The 'Proxy Bypass' list is designed for explicit proxy deployments where clients are configured to send traffic to the WSA; it does not function in transparent mode because the WSA cannot distinguish bypass requests from intercepted traffic. To bypass proxy processing in transparent mode, you must use network ACLs on upstream routers or switches to redirect traffic away from the WSA, or configure WCCP exclusion rules.

Exam trap

Cisco often tests the misconception that the 'Proxy Bypass' list is a universal bypass mechanism across all deployment modes, when in fact it only applies to explicit proxy configurations, not transparent mode.

How to eliminate wrong answers

Option A is wrong because IP address formatting errors (e.g., typos or subnet mismatches) would cause a different failure, but the bypass list itself is not applicable in transparent mode, so formatting is irrelevant. Option B is wrong because access policy ordering (e.g., a deny rule before the bypass policy) could affect traffic matching, but the core issue is that the bypass list mechanism is non-functional in transparent mode, not a policy sequence problem. Option D is wrong because client authentication requirements do not prevent bypass list functionality; authentication is a separate policy action and does not override the fundamental limitation of the bypass list in transparent mode.

799
Multi-Select (medium)

A company uses Cisco AnyConnect for remote access VPN. Which two components are used to enforce policies based on endpoint posture? (Choose two.)

Select 2 answers
A. Transform set
B. Dynamic Access Policy (DAP)
C. ISAKMP policy
D. Crypto map
E. Group policy
Answers: B, E

DAP uses endpoint attributes to dynamically apply access policies.

Why this answer

Dynamic Access Policies (DAP) and Group Policies are used with AnyConnect. DAP evaluates endpoint attributes (like antivirus status) to assign access policies, while Group Policies define VPN parameters.

800
Multi-Select (medium)

A security analyst notices that emails from a trusted partner's domain are being quarantined by the Cisco ESA. The analyst wants to verify the email authentication status. Which TWO authentication mechanisms should be checked?

Select 2 answers
A. SenderBase
B. DKIM
C. SPF
D. DMARC
E. TALOS
Answers: B, C

DKIM provides a digital signature.

Why this answer

SPF and DKIM are used to authenticate email senders and verify domain ownership.

801
Multi-Select (medium)

Cisco ISE can profile endpoints using various probes. Which three probes are used for device profiling? (Choose three.)

Select 3 answers
A. HTTP probe
B. DNS probe
C. DHCP probe
D. SNMP probe
E. RADIUS probe
Answers: A, C, D

HTTP probe analyzes HTTP traffic to identify device type.

Why this answer

The HTTP probe (A) is correct because Cisco ISE uses it to profile endpoints by inspecting HTTP user-agent strings and other HTTP header fields, which reveal the operating system or browser type. This passive fingerprinting helps classify devices like smartphones, tablets, or PCs without requiring credentials.

Exam trap

Cisco often tests the distinction between authentication/authorization protocols (RADIUS) and profiling probes, leading candidates to mistakenly select RADIUS because it is commonly associated with endpoint identity in ISE.

802
MCQ (easy)

Refer to the exhibit. A security administrator implements this S3 bucket policy to restrict access to the bucket 'my-bucket'. What type of condition is being used?

A. String condition
B. IpAddress condition
C. Bool condition
D. Numeric condition
Answer: B

Condition key is IpAddress.

Why this answer

The condition in the S3 bucket policy uses the `IpAddress` condition key to restrict access based on the requester's IP address. This is explicitly an IP address condition, which evaluates the source IP of the request against the specified CIDR range. Option B is correct because the `aws:SourceIp` key is only valid with the `IpAddress` (or `NotIpAddress`) condition operator.

Exam trap

Cisco often tests the distinction between the condition key (`aws:SourceIp`) and the condition operator (`IpAddress`), leading candidates to confuse it with a String condition because the IP address is a string value.

How to eliminate wrong answers

Option A is wrong because a String condition uses operators like `StringEquals` or `StringLike` to compare string values, not IP addresses. Option C is wrong because a Bool condition uses the `Bool` operator to check boolean values like `aws:SecureTransport` true/false, not IP ranges. Option D is wrong because a Numeric condition uses operators like `NumericEquals` or `NumericLessThan` to compare numbers, not IP addresses.
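The distinction the question draws, condition key versus condition operator, is easiest to see by evaluating a statement. The block below is an added example (not code from the page or from AWS): a small evaluator for the operators the answer choices name, run over a constructed request context. `aws:SourceIp`, `aws:SecureTransport` and the operator names are the real IAM ones; the policy, the bucket name and the 203.0.113.0/24 range are sample values, and Action/Resource matching is left out to keep the focus on the Condition block.

```python
"""Evaluate the Condition block of an S3 bucket policy statement.

Added example, not code from the page or from AWS. Implements the
condition operators the question contrasts (IpAddress/NotIpAddress,
String*, Bool, Numeric*) over a constructed request context.
"""
import fnmatch
import ipaddress

# Constructed sample statement: allow GetObject on my-bucket only from
# 203.0.113.0/24 and only over TLS.
SAMPLE_STATEMENT = {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {
        "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        "Bool": {"aws:SecureTransport": "true"},
    },
}


def _ip_match(value, patterns):
    """IpAddress semantics: the request IP lies inside any listed CIDR."""
    addr = ipaddress.ip_address(value)
    for p in patterns:
        net = ipaddress.ip_network(p, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


# operator name -> predicate(request value, [policy values])
OPERATORS = {
    "IpAddress": _ip_match,
    "NotIpAddress": lambda v, ps: not _ip_match(v, ps),
    "StringEquals": lambda v, ps: v in ps,          # exact text compare, no CIDR logic
    "StringNotEquals": lambda v, ps: v not in ps,
    "StringLike": lambda v, ps: any(fnmatch.fnmatchcase(v, p) for p in ps),
    "Bool": lambda v, ps: str(v).lower() == str(ps[0]).lower(),
    "NumericEquals": lambda v, ps: float(v) == float(ps[0]),
    "NumericLessThan": lambda v, ps: float(v) < float(ps[0]),
}
# Negated operators match when the key is absent from the request (IAM rule).
NEGATED = {"NotIpAddress", "StringNotEquals"}


def condition_matches(condition, context):
    """Every operator block, and every key inside it, must match."""
    for operator, keys in condition.items():
        if operator not in OPERATORS:
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, policy_values in keys.items():
            values = policy_values if isinstance(policy_values, list) else [policy_values]
            if key not in context:
                if operator in NEGATED:
                    continue
                return False
            if not OPERATORS[operator](context[key], values):
                return False
    return True


def evaluate(statement, context):
    """'Allow' or 'Deny' when the statement applies, 'NoMatch' otherwise."""
    if not condition_matches(statement.get("Condition", {}), context):
        return "NoMatch"
    return statement["Effect"]


if __name__ == "__main__":
    for ctx in ({"aws:SourceIp": "203.0.113.45", "aws:SecureTransport": "true"},
                {"aws:SourceIp": "198.51.100.7", "aws:SecureTransport": "true"}):
        print(ctx["aws:SourceIp"], "->", evaluate(SAMPLE_STATEMENT, ctx))
```

The `StringEquals` row is the exam trap in code: comparing the request IP as text against the CIDR string never matches, because only the `IpAddress` operator understands ranges.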

803
MCQeasy

Which cloud security control is specifically designed to protect workloads such as VMs and containers from threats?

A.CSPM
B.CASB
C.CWPP
D.SIG
AnswerC

Correct. CWPP protects workloads.

Why this answer

CWPP (Cloud Workload Protection Platform) provides security for workloads across clouds.

804
MCQeasy

An organization wants to prevent outbound email containing credit card numbers from leaving the network. Which Cisco ESA feature should be configured?

A.AMP for Email
B.DLP Policies
C.Anti-spam (SenderBase)
D.Outbreak Filters
AnswerB

DLP policies inspect outbound email for regulated content.

Why this answer

The Cisco ESA DLP feature scans outbound email for sensitive data like credit card numbers and can block or quarantine such messages.

805
MCQmedium

A company uses multiple SaaS applications and wants to enforce data loss prevention (DLP) policies to prevent sensitive data from being shared externally. Which technology provides the ability to scan data in transit and at rest within these SaaS applications?

A.Cisco Umbrella
B.CASB
C.CSPM
D.CWPP
AnswerB

CASB provides DLP capabilities for SaaS applications.

Why this answer

CASB solutions can inspect data in transit and at rest within SaaS applications to enforce DLP policies.

806
MCQeasy

A network administrator wants to deploy Cisco AMP for Endpoints to protect endpoints. Which feature allows the detection of a file that was initially deemed benign but later discovered to be malicious?

A.File Reputation
B.IOC Scanning
C.Exploit Prevention
D.Retrospective Security
AnswerD

Correct. Retrospective security re-evaluates files after they were allowed, using the recorded file trajectory.

Why this answer

Retrospective security in Cisco AMP for Endpoints records where each file was seen and executed (its trajectory). When the cloud disposition of a file changes to malicious after it was initially allowed, AMP raises a retrospective alert and can quarantine the file on every endpoint that saw it, rather than only blocking new copies at the point of entry.

807
MCQeasy

In the shared responsibility model for PaaS, which of the following is the customer responsible for?

A.Operating system patching
B.Runtime environment
C.Applications and data
D.Physical infrastructure
AnswerC

Correct. The customer is responsible for their apps and data.

Why this answer

In PaaS, the provider manages the runtime, middleware, and OS; the customer manages applications and data.

808
MCQhard

An organization uses Cisco ISE with TrustSec to assign Security Group Tags (SGTs) to endpoints based on their role. An endpoint initially receives an SGT for 'Employees' but after a posture check reveals missing antivirus updates, ISE changes the SGT to 'Quarantine'. Which ISE feature dynamically updates the SGT?

A.Change of Authorization (CoA)
B.Posture assessment
C.Guest access
D.Profiling
AnswerA

CoA allows ISE to update session attributes, including SGT, without reauthentication.

Why this answer

Change of Authorization (CoA) is the correct answer because it is the RADIUS-based mechanism (RFC 5176) that allows Cisco ISE to dynamically update an endpoint's Security Group Tag (SGT) after a posture check. When the posture assessment detects missing antivirus updates, ISE sends a CoA request to the network access device (e.g., switch or wireless LAN controller) to reauthenticate the session or push a new SGT, effectively moving the endpoint from 'Employees' to 'Quarantine' without requiring the user to manually reconnect.

Exam trap

Cisco often tests the distinction between the feature that triggers the change (posture assessment) and the protocol that enforces the change (CoA), leading candidates to mistakenly select 'Posture assessment' as the answer.

How to eliminate wrong answers

Option B (Posture assessment) is wrong because posture assessment is the process that evaluates the endpoint's compliance (e.g., antivirus status), but it does not directly update the SGT; it triggers the CoA to enforce the change. Option C (Guest access) is wrong because guest access is a separate ISE feature for managing temporary network access for visitors, not for dynamically updating SGTs based on posture results. Option D (Profiling) is wrong because profiling identifies endpoint attributes (e.g., OS, device type) to assign initial SGTs, but it does not dynamically change SGTs in response to real-time posture compliance changes.

809
MCQhard

A company uses Cisco WSA with multiple authentication realms (LDAP, RADIUS, and local). They want to require multi-factor authentication (MFA) for external users but allow single sign-on (SSO) for internal corporate users. Which configuration approach should be used?

A.Use a single authentication realm with both LDAP and RADIUS configured, and rely on the client IP to choose method
B.Configure a SSL VPN on WSA to differentiate user groups
C.Configure two authentication realms: one for internal (LDAP with Kerberos SSO) and one for external (RADIUS with MFA), then assign each realm to appropriate access policies
D.Use SAML authentication with an Identity Provider that supports MFA
AnswerC

Multiple realms allow different authentication methods per policy.

Why this answer

Option C is correct because Cisco WSA supports multiple authentication realms, allowing you to assign different realms to different access policies. By configuring an internal realm with LDAP and Kerberos SSO for seamless authentication, and a separate external realm with RADIUS and MFA for stronger security, you can enforce MFA only for external users while maintaining SSO for internal users. This approach directly maps authentication methods to user groups based on policy, not on client IP or a single realm.

Exam trap

Cisco often tests the misconception that a single authentication realm can handle multiple authentication methods simultaneously, or that features like SSL VPN or SAML alone can solve policy-based MFA differentiation without realm-level configuration.

How to eliminate wrong answers

Option A is wrong because a single authentication realm cannot simultaneously support both LDAP and RADIUS as separate methods; WSA realms are configured with one primary authentication protocol, and relying on client IP to choose the method is not a supported feature for differentiating MFA vs. SSO. Option B is wrong because SSL VPN is not a feature of Cisco WSA; WSA is a web proxy and does not terminate VPN connections, so this configuration is irrelevant and would not differentiate user groups for authentication.

Option D is wrong because while SAML with an IdP can support MFA, it does not inherently allow you to enforce MFA only for external users while using SSO for internal users within the same WSA configuration; you would still need separate realms or policies to differentiate the authentication flow, and SAML alone does not provide the granular policy-based realm assignment that option C does.

810
MCQhard

Refer to the exhibit. An administrator notices that DNS responses larger than 512 bytes are being dropped. Which configuration change should be made to allow larger DNS responses?

A.Remove the DNS inspection policy
B.Add an access-list to permit the traffic
C.Disable the set connection advanced-options command
D.Increase the message-length maximum under the DNS map
AnswerD

Raising the limit (e.g., to 4096) allows larger DNS responses.

Why this answer

The correct answer is D because DNS inspection on Cisco ASA/Firepower devices uses a DNS map whose default maximum message length is 512 bytes, the limit of the original DNS-over-UDP specification (RFC 1035). Responses that use EDNS0 (for example DNSSEC-signed answers) routinely exceed 512 bytes, so they must be allowed by raising the limit in the DNS inspection map (under `policy-map type inspect dns`, `parameters`, `message-length maximum 4096`). The inspection engine then forwards DNS messages up to the new size instead of dropping them.

Exam trap

Cisco often tests the misconception that ACLs or removing inspection policies are the solution for application-layer drops, when in fact the issue is a specific inspection parameter (DNS message-length) that must be tuned via a DNS map.

How to eliminate wrong answers

Option A is wrong because removing the DNS inspection policy entirely would disable all DNS inspection, including security checks like DNS query/response validation, which is an overly broad and insecure solution. Option B is wrong because an access-list permits traffic at the network layer based on IP addresses and ports, but it does not affect the application-layer inspection of DNS message length; the drop occurs due to the inspection engine, not a firewall ACL. Option C is wrong because the 'set connection advanced-options' command is used for advanced TCP connection settings (e.g., timeout, sequence number randomization) and has no bearing on DNS message-length limits.

811
Multi-Selectmedium

A company is using Azure and wants to enforce security compliance across their cloud resources. Which TWO services are part of CSPM (Cloud Security Posture Management) in Azure? (Choose two.)

Select 2 answers
A.Azure Security Center (Defender for Cloud)
B.Azure Policy
C.Azure Active Directory
D.Azure Monitor
E.Azure WAF
AnswersA, B

Provides security posture management and recommendations.

Why this answer

Azure Security Center (now Microsoft Defender for Cloud) provides the CSPM capabilities: continuous assessment, Secure Score and hardening recommendations. Azure Policy defines and enforces the compliance rules (auditing or denying non-compliant resources) that those assessments are built on. Azure AD is identity, WAF is application-layer protection, and Monitor is telemetry; none of them manages security posture.

812
MCQeasy

A small business uses Cisco ISE to authenticate employees via Active Directory. The company has a single ISE node and two Catalyst 2960-X switches. Employees connect to the network and are successfully authenticated using 802.1X with PEAP. The business wants to provide guest wireless access using a separate SSID with a captive portal. The engineer configures a new WLAN on the WLC (Cisco 2504) pointing to the same ISE node. Guest users can associate to the WLAN and get an IP address, but when they open a browser, they do not see the captive portal page; instead, they get a 'Connection refused' error. The engineer verifies that the guest portal is enabled on ISE and the WLC is configured to use ISE for RADIUS. What is the most likely cause?

A.The ISE guest portal service is not running
B.The guest user's device does not have a valid DNS server
C.The WLC is not configured with the ISE portal IP address for redirection
D.The guest WLAN does not have a pre-authentication ACL
AnswerC

The WLC needs to know where to redirect HTTP traffic; without that, the captive portal cannot appear.

Why this answer

The captive portal only appears if the guest's first HTTP request is redirected to the ISE portal. Whether the redirect target is configured on the WLC or delivered by ISE in the RADIUS authorization (a url-redirect cisco-av-pair with a redirect ACL), the WLC must end up with a valid portal address; if it does not, the browser's request goes to the original destination and the connection is refused. If the client cannot resolve the portal name, the redirect also fails.

Option C is correct for that reason. Option A would break authentication for all users, not just the portal. Option B can prevent a redirect from completing but does not explain a WLAN that was never given a redirect target.

Option D does not explain the symptom: a pre-authentication ACL limits what the unauthenticated client may reach, not where its HTTP traffic is redirected.

813
MCQmedium

A company wants to provide both corporate and guest wireless access using the same access points. They require that guest users be placed into a separate VLAN and have internet-only access. Which Cisco solution should be used?

A.Cisco Identity Services Engine (ISE) with dACL and VLAN assignment
B.Cisco Prime Infrastructure
C.Cisco Flexible NetFlow
D.Cisco TrustSec with SGT
AnswerA

ISE can assign VLANs and downloadable ACLs based on user or device identity.

Why this answer

Cisco ISE with downloadable ACLs (dACL) and VLAN assignment is the correct solution because it enables dynamic per-user policy enforcement. When a guest user authenticates, ISE can place them into a dedicated guest VLAN and apply a dACL that restricts traffic to internet-only access, while corporate users remain in their native VLAN with full internal access. ISE returns both in the RADIUS Access-Accept (the VLAN as Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, the dACL as a cisco-av-pair) and can change them mid-session with a RADIUS Change of Authorization (CoA), so the same access points serve both populations.

Exam trap

The trap here is that candidates often confuse Cisco Prime Infrastructure or TrustSec as policy enforcement tools, but Prime is only for management and TrustSec uses SGTs for role-based access, not direct VLAN assignment for guest isolation.

How to eliminate wrong answers

Option B is wrong because Cisco Prime Infrastructure is a management and monitoring platform, not a policy enforcement engine; it cannot dynamically assign VLANs or apply per-user access control lists. Option C is wrong because Cisco Flexible NetFlow is a traffic monitoring and analysis tool that provides visibility into network flows, but it does not enforce access control or VLAN assignment. Option D is wrong because Cisco TrustSec with SGT (Security Group Tags) provides role-based access control using tag propagation, but it does not natively support VLAN assignment for guest segmentation; it relies on SGT-to-VLAN mapping which is not the direct mechanism for placing guest users into a separate VLAN with internet-only access.

814
MCQeasy

An administrator wants to prevent confidential data (e.g., credit card numbers) from being sent via email using Cisco ESA. Which feature should be enabled and configured with the appropriate dictionary?

A.Outbreak Filters with file reputation
B.Anti-Spam with URL reputation
C.Message Filters with regex pattern matching
D.Data Loss Prevention (DLP) with a predefined credit card dictionary
AnswerD

DLP is designed for sensitive data detection using predefined dictionaries.

Why this answer

Cisco ESA's Data Loss Prevention (DLP) feature is specifically designed to inspect outbound messages for sensitive data patterns, such as credit card numbers, using predefined dictionaries. By enabling DLP and selecting the appropriate credit card dictionary, the administrator can enforce policies to block or quarantine emails containing confidential information, directly addressing the requirement.

Exam trap

Cisco often tests the distinction between content inspection features (DLP) and threat-focused features (Outbreak Filters, Anti-Spam), leading candidates to confuse message filters or outbreak filters with DLP's specialized data classification capabilities.

How to eliminate wrong answers

Option A is wrong because Outbreak Filters with file reputation are designed to block malicious attachments based on file reputation and outbreak rules, not to inspect message content for sensitive data patterns like credit card numbers. Option B is wrong because Anti-Spam with URL reputation focuses on identifying and blocking spam emails based on sender reputation and malicious URLs, not on detecting confidential data within the email body or attachments. Option C is wrong because Message Filters with regex pattern matching can be used for custom content inspection, but they lack the predefined, comprehensive dictionaries and compliance-focused policies that DLP provides for sensitive data like credit card numbers, making DLP the correct and more efficient solution.

815
MCQeasy

The ISE logs show 'Authentication failed - RADIUS attribute Calling-Station-ID is missing' for a wired client. What is the most likely cause?

A.The switch is not configured to include the calling-station-id in RADIUS requests.
B.The switch is configured with 'authentication mac-move deny'.
C.The switch port is configured as a trunk port.
D.The client's MAC address is not registered in ISE.
AnswerA

The switch must send the MAC address via the Calling-Station-ID attribute; if not configured, it is missing.

Why this answer

Option A is correct because the switch must send the client's MAC address in the RADIUS Calling-Station-ID attribute; if the switch is not configured to include it (for example, `radius-server attribute 31 send nas-port-detail` style settings or a RADIUS server group that strips it), ISE logs the attribute as missing. Option D is incorrect because an unregistered MAC address produces a different failure: ISE receives the address but cannot find the endpoint, which is logged as an unknown endpoint rather than a missing attribute. Option B is incorrect because 'authentication mac-move deny' controls whether a MAC may move between ports, not which attributes are sent. Option C is incorrect because port mode does not produce a missing-attribute error; 802.1X runs on access ports, and a trunk port would simply not run the authentication.

816
MCQhard

Refer to the exhibit. A security analyst notices this CloudTrail log entry. Which security best practice is being violated?

A.SSH access is allowed from a single IP
B.Port 22 is open to the internet
C.The user identity is an admin account
D.RDP access is allowed from any IP address (0.0.0.0/0)
AnswerD

0.0.0.0/0 means all IPs, a major security risk.

Why this answer

The CloudTrail log shows an `AuthorizeSecurityGroupIngress` API call that adds a rule allowing RDP (port 3389) from `0.0.0.0/0`, which means any IP on the internet. This violates the security best practice of restricting administrative access to trusted IP addresses only. Allowing RDP from all sources exposes the instance to brute-force attacks and unauthorized access attempts.

Exam trap

Cisco often tests the distinction between the port being open (which is not inherently a violation) versus the source being `0.0.0.0/0` (which is the violation), causing candidates to incorrectly focus on the protocol (RDP vs SSH) rather than the overly permissive source.

How to eliminate wrong answers

Option A is wrong because the log entry does not show any SSH (port 22) rule being modified; the rule added is for RDP (port 3389), and the issue is about overly permissive access, not a single IP. Option B is wrong because the log entry does not mention port 22 or SSH; the open port is 3389 (RDP), and the violation is about the source being 0.0.0.0/0, not the port itself. Option C is wrong because while the user identity is an admin account, the core violation is the overly permissive security group rule, not the use of an admin account; using an admin account for routine tasks is a separate best practice concern, but the direct violation in the log is the 0.0.0.0/0 rule.
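Detecting this condition in the log rather than in the exhibit is what a SOC would actually do. The block below is an added example (not code from the page or from AWS) that runs over a constructed CloudTrail event laid out like a real `AuthorizeSecurityGroupIngress` record; the account details, user name and security group ID are placeholders. It flags rules that open administrative ports to 0.0.0.0/0 or ::/0 and also covers the all-traffic case (protocol -1, no port range), which is worse than the RDP rule in the question.

```python
"""Flag AuthorizeSecurityGroupIngress events that open admin ports to the world.

Added example, not code from the page or from AWS. The event below is a
constructed sample in the real CloudTrail field layout.
"""
import ipaddress
import json

ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}

# Constructed sample event: an admin adds an RDP rule from 0.0.0.0/0.
SAMPLE_EVENT = json.dumps({
    "eventVersion": "1.08",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "userIdentity": {"type": "IAMUser", "userName": "admin"},
    "requestParameters": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": {"items": [{
            "ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
            "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
            "ipv6Ranges": {"items": []},
        }]},
    },
})


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def admin_ports_hit(from_port, to_port):
    """Admin ports covered by a rule. No port range (protocol -1) means all ports."""
    if from_port is None or from_port == -1:
        return dict(ADMIN_PORTS)
    return {p: n for p, n in ADMIN_PORTS.items() if from_port <= p <= to_port}


def findings_for_event(raw):
    """Return one finding per (world-open source, admin port) pair in the event."""
    ev = json.loads(raw)
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = ev.get("requestParameters", {})
    findings = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        sources = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        sources += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in sources:
            if not is_world_open(cidr):
                continue
            for port, service in admin_ports_hit(perm.get("fromPort"), perm.get("toPort")).items():
                findings.append({
                    "groupId": params.get("groupId"),
                    "port": port,
                    "service": service,
                    "source": cidr,
                    "principal": ev.get("userIdentity", {}).get("userName"),
                })
    return findings


if __name__ == "__main__":
    for f in findings_for_event(SAMPLE_EVENT):
        print(f"{f['principal']} opened {f['service']}/{f['port']} on {f['groupId']} to {f['source']}")
```

The principal is carried in the finding because, as the elimination text notes, an admin account making the change is a separate concern worth correlating, but the rule itself is the violation.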

817
MCQhard

A security engineer is implementing Cisco Identity Services Engine (ISE) for 802.1X authentication. The requirement is to allow full network access for corporate devices that pass posture assessment, while providing limited access for guest devices. The engineer configures an authorization policy with conditions based on identity group and posture status. However, guest devices are still getting full access. What is the most likely cause?

A.The guest devices are not passing the certificate validation
B.The authorization rule for corporate devices is placed above the guest rule, and guest devices are matching the corporate rule first
C.MAC Authentication Bypass (MAB) is not enabled for the guest devices
D.The RADIUS attributes for dACL are not being sent correctly
AnswerB

ISE uses first-match; if guest devices match an earlier rule, they get the associated permissions.

Why this answer

Cisco ISE authorization policies are evaluated in top-down order, and the first matching rule is applied. If the corporate device rule is placed above the guest rule, guest devices that do not meet the posture condition may still match the corporate rule if the condition is not restrictive enough (e.g., if the identity group condition is broad or the posture check is not enforced as a required match). This results in guest devices receiving full access instead of the intended limited access.

Exam trap

Cisco often tests the concept that authorization rules are processed top-down and that a less specific rule placed above a more specific rule can cause unintended matches, leading candidates to overlook the importance of rule ordering and condition specificity.

How to eliminate wrong answers

Option A is wrong because certificate validation is part of the authentication phase (EAP-TLS or PEAP), not the authorization policy; failing certificate validation would prevent authentication entirely, not cause guest devices to get full access. Option C is wrong because MAB is a fallback authentication method for devices that do not support 802.1X, not a factor in authorization policy ordering; enabling MAB would not change which authorization rule matches first. Option D is wrong because RADIUS attributes for dACL are sent as part of the authorization result, not the cause of a misordered policy; if the wrong rule matches, the dACL attributes would be applied correctly for that rule, but the rule itself is incorrect.
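Rule ordering is easiest to reason about by running it. The block below is an added example, not ISE code: a minimal top-down, first-match authorization engine that models the policy in this question (corporate versus guest, gated on posture) and returns the attributes ISE would place in the RADIUS Access-Accept for the matched authorization profile, the VLAN via Tunnel-Private-Group-ID and the dACL via cisco-av-pair, as in the guest VLAN question earlier on this page. Rule names, identity group names, VLAN IDs and dACL names are assumed for illustration; the CoA helper at the end re-runs authorization after a posture change, which is what the earlier TrustSec/CoA question describes.

```python
"""Top-down, first-match authorization, the way ISE evaluates its policy.

Added example, not ISE code. Profiles, rule names, group names, VLAN IDs
and dACL names are assumed for illustration.
"""

# Authorization profiles -> RADIUS attributes returned to the switch or WLC.
PROFILES = {
    "PermitAccess": {
        "Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": "100",   # corporate VLAN (assumed)
        "cisco-av-pair": "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL",
    },
    "GuestInternetOnly": {
        "Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": "200",   # guest VLAN (assumed)
        "cisco-av-pair": "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-GUEST_INTERNET_ONLY",
    },
    "Quarantine": {
        "Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": "999",   # remediation VLAN (assumed)
        "cisco-av-pair": "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-REMEDIATION_ONLY",
    },
    "DenyAccess": {},                       # empty -> Access-Reject
}

# A policy is an ordered list of (rule name, condition, profile name).
# Conditions see the session attributes ISE collected (identity group, posture).

# The policy from the question: the corporate rule only excludes devices
# that FAILED posture, so a guest device whose posture is Unknown (no
# agent ever ran) satisfies it and is matched before the guest rule.
BROKEN_POLICY = [
    ("Corporate", lambda s: s["posture"] != "NonCompliant", "PermitAccess"),
    ("Guest", lambda s: s["identity_group"] == "GuestEndpoints", "GuestInternetOnly"),
    ("Default", lambda s: True, "DenyAccess"),
]

# Corrected: corporate rules require the identity group AND an explicit
# posture result, so they can no longer shadow the guest rule.
FIXED_POLICY = [
    ("Corporate", lambda s: s["identity_group"] == "Employees" and s["posture"] == "Compliant", "PermitAccess"),
    ("Corporate_Quarantine", lambda s: s["identity_group"] == "Employees" and s["posture"] == "NonCompliant", "Quarantine"),
    ("Corporate_PostureUnknown", lambda s: s["identity_group"] == "Employees" and s["posture"] == "Unknown", "Quarantine"),
    ("Guest", lambda s: s["identity_group"] == "GuestEndpoints", "GuestInternetOnly"),
    ("Default", lambda s: True, "DenyAccess"),
]


def authorize(policy, session):
    """Return (rule name, profile name) of the first rule whose condition holds."""
    for name, condition, profile in policy:
        if condition(session):
            return name, profile
    raise RuntimeError("policy has no default rule")


def access_accept(policy, session):
    """RADIUS attributes the NAD receives; None stands for Access-Reject."""
    _, profile = authorize(policy, session)
    return PROFILES[profile] or None


def coa_reauthorize(policy, session, **changes):
    """Re-run authorization after session attributes change (e.g. a posture
    result arrives), as a RADIUS Change of Authorization would trigger."""
    return access_accept(policy, {**session, **changes})


if __name__ == "__main__":
    guest = {"identity_group": "GuestEndpoints", "posture": "Unknown"}
    print("broken:", authorize(BROKEN_POLICY, guest))
    print("fixed: ", authorize(FIXED_POLICY, guest))
```

The broken policy is not wrong because of a typo in a condition; it is wrong because a negative posture check ("not NonCompliant") is satisfied by every device that never ran posture at all, and it sits above the guest rule. Both the order and the condition need fixing.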

818
MCQmedium

Which cloud workload protection platform (CWPP) capability is essential for protecting containerized applications?

A.Web application firewall
B.Container image vulnerability scanning
C.Network micro-segmentation
D.Identity and access management
AnswerB

Image scanning is a core CWPP capability for containers.

Why this answer

CWPP for containers combines image vulnerability scanning before deployment with runtime protection of the running container; of the options listed, image scanning is the capability specific to the container workload itself. WAF, micro-segmentation and IAM protect the application edge, the network and identities respectively, not the workload image.

819
MCQmedium

A Cisco Firepower administrator configures an access control policy with a rule that trusts traffic from a specific source network. What is the effect of the trust action on the traffic?

A.The traffic is blocked and logged.
B.The traffic is allowed without further inspection.
C.The traffic is allowed and inspected by the intrusion policy.
D.The traffic is allowed but subject to file policy.
AnswerB

Trust action permits traffic and skips additional inspection.

Why this answer

The trust action in Firepower permits matching traffic and skips deep inspection for it: no intrusion policy, file policy or URL filtering is applied, and the flow is simply forwarded (Security Intelligence checks that run before the access control rule still apply). Use it sparingly, for trusted high-volume flows such as backups, because trusted traffic is invisible to the IPS.

820
MCQeasy

On a Cisco ASA, which NAT type allows multiple internal hosts to share a single public IP address by using different source ports?

A.PAT (overload)
B.Identity NAT
C.Static NAT
D.Dynamic NAT
AnswerA

Correct. PAT uses port numbers to multiplex multiple internal hosts to a single public IP.

Why this answer

PAT (Port Address Translation) or overload uses unique source ports to distinguish sessions from multiple internal hosts sharing one public IP.

821
MCQeasy

What is the correct order of email authentication checks recommended by Cisco?

A.SPF, DKIM, DMARC
B.SPF, DMARC, DKIM
C.DMARC, SPF, DKIM
D.DKIM, SPF, DMARC
AnswerA

SPF and DKIM are evaluated first; DMARC then uses their results.

Why this answer

SPF (sending IP authorized by the MAIL FROM domain) and DKIM (signature verified against the signing domain's DNS key) are independent checks that run first. DMARC is evaluated last because it depends on them: it passes if at least one of SPF or DKIM passed with a domain aligned to the header From, and otherwise applies the domain owner's published policy (none, quarantine or reject).

822
MCQeasy

Which Cisco product provides DNS-layer security to block malicious domains and prevent connections to malware command-and-control servers?

A.Cisco Stealthwatch
B.Cisco Umbrella
C.Cisco Firepower
D.Cisco ASA
AnswerB

Umbrella provides DNS-layer security for threat protection.

Why this answer

Cisco Umbrella is a cloud-based DNS security solution that blocks requests to malicious destinations.

823
MCQmedium

To enforce zero trust principles in a cloud environment, an administrator requires all access to cloud resources to be authenticated and authorized based on user identity and device health. Which Azure AD feature enables policies that consider conditions such as location, device compliance, and risk level?

A.Multi-Factor Authentication (MFA)
B.Azure AD Identity Protection
C.Privileged Identity Management (PIM)
D.Azure AD Conditional Access
AnswerD

Conditional Access policies evaluate multiple conditions to enforce access controls.

Why this answer

Azure AD Conditional Access allows administrators to create policies that enforce access controls based on conditions like user location, device compliance, and sign-in risk.

824
MCQmedium

A user connected to port Gi1/0/1 cannot access the network. Based on the output, what is the most likely cause?

A.The RADIUS server is unreachable
B.The client does not support 802.1X
C.The switch has a misconfigured AAA command
D.The port is in errdisable state
AnswerB

EAP-timeout indicates client not responding to EAP.

Why this answer

Option B is correct because 'Reason: EAP-timeout' means the switch sent EAP-Request/Identity frames and the client never answered, which is what happens when the endpoint has no 802.1X supplicant or the supplicant is disabled; such clients need MAB or a guest VLAN as a fallback. Option A is incorrect because an unreachable RADIUS server is reported as a server or AAA failure (and, if configured, puts the port into the critical-auth VLAN), not as a timeout on the client side. Option C is incorrect because a misconfigured AAA command would produce different errors. Option D is incorrect because an errdisabled port would show that state in the output instead of an authentication failure reason.

825
MCQeasy

An organization wants to protect against Business Email Compromise (BEC) attacks where attackers spoof the CEO's email address to request wire transfers. Which email authentication method is specifically designed to help prevent domain spoofing by allowing senders to specify how email that fails authentication should be handled?

A.SPF
B.DKIM
C.SenderBase
D.DMARC
AnswerD

DMARC uses SPF and DKIM results and tells receivers how to handle unauthenticated email (e.g., quarantine or reject).

Why this answer

DMARC builds on SPF and DKIM to provide a policy telling receiving mail servers how to handle email that fails authentication, helping prevent spoofing.
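Three questions on this page turn on the same mechanism: the partner mail quarantined by the ESA (check SPF and DKIM), the evaluation order (SPF, DKIM, then DMARC), and this BEC question (DMARC supplies the policy). The block below is an added example, not Cisco code, that shows how a receiver combines them. DNS lookups and signature verification are out of scope and are replaced by constructed SPF/DKIM results; the function applies the DMARC alignment and policy rules (RFC 7489) on top of them. Domains, selectors and the sample record are placeholders, and the organizational-domain logic is simplified (real receivers use the Public Suffix List).

```python
"""SPF, then DKIM, then DMARC: how a receiver such as the ESA reaches a verdict.

Added example, not Cisco code. SPF and DKIM results are constructed inputs;
only the DMARC alignment and policy logic is implemented here.
"""


def parse_dmarc_record(txt):
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def organizational_domain(domain):
    """Simplified: last two labels. Real receivers consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from_domain, mode):
    """DMARC identifier alignment: strict ('s') is exact, relaxed ('r') is same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = header_from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def dmarc_verdict(header_from_domain, spf, dkim_signatures, record):
    """Return (dmarc_result, disposition).

    spf:             {"result": "pass"|"fail"|..., "domain": MAIL FROM domain}
    dkim_signatures: list of {"result": ..., "d": signing domain (the d= tag)}
    record:          parsed DMARC record, or None if the From domain publishes none
    """
    if record is None:
        return "none", "none"   # no policy to apply; SPF/DKIM still feed spam scoring
    spf_ok = (spf["result"] == "pass"
              and aligned(spf["domain"], header_from_domain, record.get("aspf", "r")))
    dkim_ok = any(sig["result"] == "pass"
                  and aligned(sig["d"], header_from_domain, record.get("adkim", "r"))
                  for sig in dkim_signatures)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", record["p"]


if __name__ == "__main__":
    # Constructed scenarios. The record is what example.com would publish.
    rec = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com")
    # BEC attempt: attacker's own domain passes SPF but is not aligned, no DKIM.
    print("spoofed CEO:", dmarc_verdict("example.com",
                                        {"result": "pass", "domain": "attacker.example"}, [], rec))
    # Partner mail relayed by a forwarder: SPF fails, aligned DKIM still passes.
    print("forwarded  :", dmarc_verdict("example.com",
                                        {"result": "fail", "domain": "example.com"},
                                        [{"result": "pass", "d": "example.com"}], rec))
```

The second scenario is the one behind the partner-quarantine question: when mail is forwarded or sent through a new provider, SPF fails at the receiver while DKIM survives, so an analyst checking only SPF would misdiagnose it. The first scenario shows why DMARC rather than SPF alone stops the CEO spoof: SPF passes for the attacker's envelope domain, but it is not aligned with the header From that the victim sees.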
