Cisco SCOR / CCNP Security Core 350-701 (350-701) — Questions 826–900

988 questions total · 14 pages · All types, answers revealed


Page 12 of 14

826
MCQ · medium

An organization wants to deploy Cisco Firepower in a high-availability pair with active/standby failover. Which management solution allows this configuration?

A. CLI only
B. FDM (on-box management)
C. FMC
D. ASDM

Answer: C

FMC supports HA configuration for FTD.

Why this answer

FMC (Firepower Management Center) supports high-availability configurations for FTD devices.

827
MCQ · hard

Refer to the exhibit. A network engineer applies a zone-based firewall policy to a router. Users in the INSIDE zone report they can access HTTP servers on the OUTSIDE zone but cannot resolve DNS names or access MS-SQL servers. What does the policy do to DNS and MS-SQL traffic?

A. They are allowed because no 'inspect' action is applied to the class.
B. They are dropped because the BAD_TRAFFIC class explicitly drops them.
C. They are inspected and allowed through the firewall.
D. They are dropped because they do not match the GOOD_TRAFFIC class.

Answer: B

The class BAD_TRAFFIC includes DNS and MS-SQL and applies the drop action.

Why this answer

The correct answer is B because the zone-based firewall policy explicitly defines a class map (BAD_TRAFFIC) that matches DNS (UDP/53) and MS-SQL (TCP/1433) traffic and applies the 'drop' action. Since the policy-map uses a 'class-default' action of 'inspect' for GOOD_TRAFFIC, any traffic not matching GOOD_TRAFFIC but matching BAD_TRAFFIC is dropped before inspection can occur. The users' symptoms confirm that DNS and MS-SQL are being dropped, while HTTP (matched by GOOD_TRAFFIC) is inspected and allowed.

Exam trap

Cisco often tests the misconception that 'inspect' in class-default automatically allows all traffic, but the trap here is that explicit 'drop' actions in higher-priority class maps (like BAD_TRAFFIC) override any default inspection, causing candidates to overlook the sequential processing order of class maps in a policy-map.

How to eliminate wrong answers

Option A is wrong because the 'inspect' action is applied to the GOOD_TRAFFIC class, not to DNS or MS-SQL; the BAD_TRAFFIC class explicitly drops them, so they are not allowed by default. Option C is wrong because DNS and MS-SQL are not inspected or allowed; they are matched by the BAD_TRAFFIC class, which applies a 'drop' action, overriding any default inspection behavior. Option D is wrong because the traffic is not dropped due to a lack of match with GOOD_TRAFFIC; it is dropped because it explicitly matches the BAD_TRAFFIC class, which has a 'drop' action, and the policy processes class matches in order (BAD_TRAFFIC before class-default).

828
MCQ · hard

In a DevSecOps pipeline, a team wants to prevent secrets (e.g., API keys) from being stored in source code. Which approach is most effective?

A. Store secrets in environment variables
B. Use container image scanning
C. Encrypt secrets in code
D. Use a secrets management tool like Vault

Answer: D

Correct. Vault securely stores and manages access to secrets.

Why this answer

Using a secrets management tool like HashiCorp Vault ensures secrets are stored securely and not in code.

829
MCQ · easy

An administrator needs to ensure that only authorized hosts can connect to a switch port. The port is connected to a single PC. Which 802.1X host mode should be configured?

A. Single-Host
B. Multi-Domain
C. Multi-Auth
D. Multi-Host

Answer: A

Allows only one authenticated device.

Why this answer

The Single-Host mode (option A) is correct because it allows only one authenticated host per port, which matches the requirement of a single PC connected to the switch port. In this mode, the port is authorized only after a single supplicant successfully completes 802.1X authentication, and no other devices can gain network access through that port, ensuring strict access control.

Exam trap

Cisco often tests the distinction between Single-Host and Multi-Host modes, where the trap is that candidates confuse 'single PC' with allowing multiple hosts after one authentication (Multi-Host), forgetting that Multi-Host does not enforce per-host authentication.

How to eliminate wrong answers

Option B (Multi-Domain) is wrong because it allows two hosts (one voice domain and one data domain) to authenticate on the same port, which is unnecessary for a single PC and could permit unauthorized devices. Option C (Multi-Auth) is wrong because it allows multiple hosts to authenticate individually on the same port, but the requirement specifies only one PC, so this mode would permit more than one device. Option D (Multi-Host) is wrong because it allows any number of hosts after a single successful authentication, which would bypass per-host authorization and could let unauthorized devices connect without authentication.

830
MCQ · easy

A financial company uses Cisco AMP for Endpoints to protect 500 Windows workstations. The security administrator notices that several endpoints in the accounting department are showing 'Out-of-Date' status for over a week. The administrator checks the AMP console and sees that the group policy for accounting has been modified to disable certain scanning features. The endpoints have Internet connectivity but are not updating their policy or receiving new definitions. The administrator suspects a misconfiguration. What should the administrator do first to resolve this issue?

A. Restart the AMP services on a few affected endpoints to force a policy update.
B. Verify that the endpoints can communicate with the AMP cloud by checking the connector's connectivity status.
C. Increase the policy polling interval from 60 minutes to 30 minutes.
D. Reinstall the AMP connector on all affected endpoints.

Answer: B

This identifies whether the issue is network-related.

Why this answer

Option B is correct because the most common cause of 'Out-of-Date' endpoints is a communication issue. Checking the AMP connector's connection status (e.g., via the connector GUI) reveals whether the endpoint can reach the cloud. Option A (restart services) might fix the symptom temporarily but would not identify the root cause.

Option D (reinstall connector) is drastic and should be a last resort. Option C (change the polling interval) does not help if there is a connectivity obstacle.

831
MCQ · easy

Which encryption algorithm is classified as symmetric?

A. RSA
B. Diffie-Hellman
C. AES
D. ECDSA

Answer: C

AES is symmetric.

Why this answer

AES is a symmetric encryption algorithm, using the same key for encryption and decryption.

832
Multi-Select · hard

Which THREE actions should a security engineer take when configuring a Cisco AMP for Endpoints policy to minimize false positives while maintaining strong protection?

Select 3 answers
A. Configure custom whitelist exclusions for trusted applications
B. Use group-based policies to apply different rules to different endpoint populations
C. Enable all exploit prevention rules regardless of environment
D. Set file reputation to block only files with 'Malicious' disposition
E. Disable file reputation to reduce cloud queries

Answers: A, B, D

Whitelisting reduces false positives.

Why this answer

Option A is correct because configuring custom whitelist exclusions for trusted applications prevents Cisco AMP for Endpoints from flagging legitimate software as malicious, which directly reduces false positives. This is done by adding file hashes, paths, or certificate signers to the exclusion list, ensuring that known safe executables are not subjected to further analysis or blocked.

Exam trap

Cisco often tests the misconception that enabling all exploit prevention rules maximizes security, but the trap here is that doing so ignores environmental context and leads to false positives, while disabling file reputation is a dangerous overreaction that sacrifices protection for performance.

833
MCQ · easy

An organization wants to implement endpoint protection that uses behavioral analysis to detect ransomware. The solution must be able to roll back changes made by the ransomware after detection. Which Cisco endpoint security feature provides this capability?

A. Exploit prevention with ransomware rollback
B. File reputation scanning
C. Device flow telemetry
D. Application blocking via policy

Answer: A

Exploit prevention uses behavioral analysis to detect ransomware and can roll back file changes automatically.

Why this answer

Option A is correct because Cisco's endpoint protection includes a behavioral analysis engine that monitors for ransomware-like activities (e.g., mass file encryption, rapid file modifications). Upon detection, the feature automatically triggers a rollback, restoring affected files to their pre-encryption state using Volume Shadow Copy Service (VSS) snapshots or similar mechanisms, effectively reversing the ransomware's changes.

Exam trap

Cisco often tests the distinction between prevention (blocking before execution) and remediation (rolling back after execution), so candidates may confuse file reputation or application blocking with the rollback capability, missing that only behavioral analysis with rollback addresses post-infection recovery.

How to eliminate wrong answers

Option B is wrong because file reputation scanning relies on static or cloud-based hash lookups (e.g., Talos intelligence) to block known malware, but it does not perform behavioral analysis or rollback changes. Option C is wrong because device flow telemetry (e.g., NetFlow or IPFIX) provides network traffic visibility and anomaly detection, but it is not an endpoint security feature and cannot reverse file modifications. Option D is wrong because application blocking via policy uses allow/deny lists or path-based rules to prevent execution, but it lacks behavioral detection and the ability to undo changes after an attack.

834
MCQ · hard

An organization deploys AMP for Endpoints with the Orbital module to perform advanced endpoint telemetry. The team wants to create a query that retrieves all running processes with a network connection to an external IP address. Which Orbital query language syntax is correct?

A. SELECT * FROM all_processes WHERE ip = 'external'
B. SELECT * FROM all_processes WHERE listening = 'true'
C. SELECT * FROM processes WHERE network_connection = 'true'
D. SELECT * FROM all_processes WHERE remote_ip IN (SELECT ip FROM connections WHERE direction = 'OUT')

Answer: D

This correctly uses the 'all_processes' table with a subquery on 'connections' to filter processes with outgoing remote connections.

Why this answer

Option D is correct because the Orbital query language uses SQL-like syntax, and the correct way to retrieve all running processes with a network connection to an external IP address is to join the `all_processes` table with the `connections` table, filtering for outbound connections (`direction = 'OUT'`) and checking that the `remote_ip` is not a private IP (though the query as written uses a subquery to get IPs from outbound connections). This directly matches the requirement of processes with external network connections.

Exam trap

Cisco often tests the distinction between listening (inbound) and outbound connections, and candidates mistakenly choose options that filter for listening processes or use non-existent columns/table names, assuming a simpler boolean flag exists instead of understanding the relational join required.

How to eliminate wrong answers

Option A is wrong because `ip = 'external'` is not valid Orbital syntax; there is no literal string 'external' for IP addresses, and the `all_processes` table does not have an `ip` column—it uses `remote_ip` and `local_ip`. Option B is wrong because `listening = 'true'` retrieves processes that are listening for inbound connections, not processes with outbound network connections to external IPs. Option C is wrong because `processes` is not a valid table name in Orbital (the correct table is `all_processes`), and `network_connection = 'true'` is not a valid column or filter; Orbital does not have a boolean column indicating whether a process has a network connection.

835
MCQ · easy

Which Cisco ESA feature uses SHA-256 cloud lookups to detect malware in email attachments?

A. AMP for Email
B. Outbreak Filters
C. DLP Policies
D. Anti-spam (SenderBase)

Answer: A

AMP for Email performs SHA-256 lookup and sandboxing.

Why this answer

Cisco ESA's AMP for Email (Advanced Malware Protection) leverages SHA-256 cloud lookups to compare file hashes of email attachments against Talos threat intelligence. When an attachment is processed, its SHA-256 hash is computed and sent to the AMP cloud for real-time verdict (malicious, clean, or unknown). This is distinct from signature-based detection, as it relies on cloud-based file reputation analysis.

Exam trap

Cisco often tests the distinction between cloud-based file reputation (AMP) and heuristic/rule-based outbreak detection (Outbreak Filters), leading candidates to confuse Outbreak Filters as the answer because both deal with malware outbreaks.

How to eliminate wrong answers

Option B (Outbreak Filters) is wrong because it uses URL reputation and heuristic rules to detect fast-spreading malware outbreaks, not SHA-256 cloud lookups on attachments. Option C (DLP Policies) is wrong because Data Loss Prevention focuses on content inspection (e.g., regex, keywords, data patterns) to prevent sensitive data leakage, not malware detection via file hashing. Option D (Anti-spam / SenderBase) is wrong because it relies on sender reputation, IP blacklists, and email header analysis to filter spam, not SHA-256 cloud lookups for attachment malware.

836
MCQ · hard

A security team suspects that malware is exfiltrating data by encoding it in DNS queries. Which Cisco security solution is specifically designed to analyze DNS traffic for malicious activity?

A. Cisco Firepower NGFW
B. Cisco Stealthwatch
C. Cisco Email Security Appliance
D. Cisco Umbrella

Answer: D

Umbrella provides DNS security and can detect tunneling.

Why this answer

Cisco Umbrella is a cloud-delivered security solution that provides DNS-layer security by intercepting and analyzing DNS queries. It can detect and block DNS-based data exfiltration techniques, such as DNS tunneling, by inspecting DNS request patterns and comparing them against threat intelligence feeds. This makes it the correct choice for analyzing DNS traffic for malicious activity.

Exam trap

Cisco often tests the distinction between network security appliances that inspect traffic (like Firepower) versus cloud-based DNS security (Umbrella), leading candidates to mistakenly choose Firepower because they think 'DNS traffic analysis' implies a firewall feature.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower NGFW is a next-generation firewall that inspects network traffic at layers 3-7 but does not have native, dedicated DNS traffic analysis for detecting data exfiltration via DNS tunneling; it relies on Snort rules or external integrations. Option B is wrong because Cisco Stealthwatch focuses on network visibility and behavioral analytics using NetFlow/IPFIX data, not deep DNS query inspection, and is not specifically designed to analyze DNS traffic for malicious activity. Option C is wrong because Cisco Email Security Appliance (ESA) is designed to protect against email-based threats such as spam, phishing, and malware, and does not analyze DNS traffic.

837
MCQ · medium

A security analyst notices a high number of false positives from an intrusion detection system (IDS) using signature-based detection. Which action would best reduce false positives while maintaining detection of real threats?

A. Increase the sensor sensitivity level
B. Switch to anomaly-based detection
C. Disable all signatures with a high false positive rate
D. Decrease the severity threshold for alerts

Answer: C

Correct. Disabling specific problematic signatures reduces false positives while keeping others active.

Why this answer

False positives can be reduced by tuning signatures, such as adjusting thresholds or disabling specific signatures that are known to trigger incorrectly, rather than reducing sensor sensitivity broadly.

838
MCQ · hard

Refer to the exhibit. An engineer is analyzing an intrusion policy on Cisco Firepower Management Center (FMC). The network uses Windows servers and clients. A flood of HTTP traffic is being detected as a potential attack, but it is legitimate. Which preprocessor configuration change would most likely reduce false positives without losing detection of real attacks?

A. Disable the http_inspect preprocessor
B. Change global_sensitivity to medium
C. Change frag3 policy to bsd
D. Change stream5_tcp policy to linux

Answer: B

Lowering sensitivity reduces false positives for benign traffic while still detecting true attacks.

Why this answer

The http_inspect preprocessor's global_sensitivity setting controls how aggressively it normalizes HTTP traffic before analysis. Setting it to 'medium' reduces false positives from legitimate HTTP floods by relaxing the threshold for anomalous HTTP behavior, while still allowing the preprocessor to detect real attacks that exhibit more extreme deviations. This is the most targeted change because it directly addresses the flood of HTTP traffic without disabling the preprocessor entirely.

Exam trap

Cisco often tests the misconception that disabling a preprocessor or changing unrelated protocol policies (like TCP or IP fragmentation) is the solution, when the correct answer is a targeted tuning parameter within the relevant preprocessor.

How to eliminate wrong answers

Option A is wrong because disabling the http_inspect preprocessor would remove all HTTP normalization and inspection, likely causing the intrusion policy to miss real HTTP-based attacks (e.g., SQL injection, cross-site scripting) and potentially increasing false negatives. Option C is wrong because changing the frag3 policy to 'bsd' alters IP fragment reassembly behavior (e.g., handling overlapping fragments), which is unrelated to HTTP traffic floods and would not reduce false positives for HTTP-based events. Option D is wrong because changing the stream5_tcp policy to 'linux' modifies TCP stream reassembly parameters (e.g., handling of TCP retransmissions or window scaling), which does not address the HTTP flood issue and could disrupt legitimate TCP connections without affecting HTTP-level false positives.

839
MCQ · easy

In a DevSecOps pipeline, a security engineer wants to automatically scan Infrastructure as Code (IaC) templates for security misconfigurations before deployment. Which tool is commonly used for static analysis of Terraform templates?

A. SAST scanner
B. Checkov
C. DAST scanner
D. Container image scanner

Answer: B

Checkov scans IaC templates for security issues.

Why this answer

Checkov is a static analysis tool specifically designed for scanning IaC files like Terraform to find security misconfigurations.

840
MCQ · easy

A network administrator is troubleshooting an issue where users in the Sales VLAN cannot access the internet through the Cisco Firepower Threat Defense (FTD) device. The FTD is configured with a security policy that allows traffic from the Sales subnet to any destination. However, the traffic is being blocked. Which feature should the administrator check first to resolve the issue?

A. Identity policy
B. SSL decryption policy
C. Intrusion prevention policy
D. URL filtering policy

Answer: D

URL filtering can block traffic even if the security policy allows it.

Why this answer

The correct answer is D, URL filtering policy. Even though the security policy allows traffic from the Sales subnet to any destination, a URL filtering policy can block internet access by categorizing or matching the destination URLs. If the policy is set to block all URLs or a specific category (e.g., 'Uncategorized URLs'), traffic will be dropped before it reaches the internet, regardless of the allow rule in the access control policy.

Exam trap

The trap here is that candidates assume an 'Allow' rule in the access control policy guarantees traffic flow, but Cisco tests the understanding that subordinate policies (like URL filtering) can override the parent rule's action, causing traffic to be blocked despite a seemingly permissive policy.

How to eliminate wrong answers

Option A is wrong because Identity policy is used to map users to groups for authentication and authorization, not to block or allow internet traffic based on URL or destination; it does not directly block traffic that is already allowed by the security policy. Option B is wrong because SSL decryption policy controls whether encrypted traffic is decrypted for inspection, but it does not block traffic by itself; traffic can still flow even if decryption is disabled or bypassed. Option C is wrong because Intrusion prevention policy (IPS) inspects traffic for malicious patterns and can drop malicious packets, but it would not block all internet traffic from a subnet unless a specific signature triggered; it is not a blanket block for internet access.

841
MCQ · hard

During a threat hunt, you need to retrieve forensic data from a remote endpoint that is currently not communicating with the AMP cloud. Which Cisco tool enables you to perform an on-demand scan and collect telemetry from that endpoint even when it is offline?

A. Cisco Threat Response
B. Cisco Stealthwatch
C. Cisco Orbital
D. Cisco AMP Console

Answer: C

Orbital provides advanced endpoint querying and can execute on-demand or scheduled tasks even if the endpoint is offline.

Why this answer

Cisco Orbital is the correct answer because it is a remote endpoint investigation and response tool that can execute live queries, on-demand scans, and collect forensic telemetry from endpoints even when they are not currently communicating with the AMP cloud. It uses a lightweight agent that caches queries locally and returns results once connectivity is restored, enabling offline data collection.

Exam trap

Cisco often tests the distinction between cloud-dependent tools (like AMP Console) and those with offline capabilities (like Orbital), so the trap here is assuming that the AMP Console can perform on-demand scans on non-communicating endpoints when it actually requires active cloud connectivity for any interactive action.

How to eliminate wrong answers

Option A is wrong because Cisco Threat Response (CTR) is a threat intelligence and orchestration platform that aggregates alerts from multiple sources but does not directly perform on-demand scans or collect telemetry from offline endpoints. Option B is wrong because Cisco Stealthwatch is a network traffic analysis tool that monitors NetFlow/IPFIX data for behavioral anomalies, not endpoint-level forensic collection. Option D is wrong because the AMP Console is the management interface for Cisco AMP that provides historical and real-time endpoint data, but it cannot initiate on-demand scans or retrieve telemetry from endpoints that are currently offline and not communicating with the cloud.

842
Multi-Select · easy

A security architect is evaluating the Cisco Cloud Security portfolio for SaaS access protection. Which two solutions provide inline traffic inspection for cloud applications? (Choose two.)

Select 2 answers
A. Cisco Secure Firewall
B. Cisco Umbrella SIG
C. Cisco Cloudlock
D. Cisco DUO
E. Cisco Secure Workload

Answers: A, B

Secure Firewall can be deployed as a virtual appliance in the cloud for inline traffic inspection.

Why this answer

Cisco Secure Firewall (A) provides inline traffic inspection for cloud applications through its Next-Generation Firewall (NGFW) capabilities, including Application Visibility and Control (AVC) and SSL/TLS decryption, allowing it to inspect and enforce policies on traffic to and from SaaS applications. Cisco Umbrella SIG (B) is a cloud-delivered Secure Internet Gateway (SIG) that performs inline proxy-based inspection of all web traffic, including SaaS applications, by intercepting DNS and HTTP/HTTPS requests to enforce security policies such as URL filtering, malware detection, and data loss prevention.

Exam trap

Cisco often tests the distinction between API-based CASB (like Cloudlock) and inline proxy-based SIG (like Umbrella), where candidates mistakenly assume all cloud security solutions perform inline inspection, but Cloudlock only provides out-of-band API access for compliance and data protection, not real-time traffic inspection.

843
MCQ · easy

Refer to the exhibit. A network administrator is troubleshooting a wired client that has successfully authenticated using MAB. However, the client is unable to access resources beyond the local subnet. What is the most likely cause?

A. The client's IP address is from a DHCP scope that does not include a default gateway.
B. The VLAN policy is incorrect; the client should be in VLAN 20.
C. The switch is not configured for inter-VLAN routing.
D. The authorization policy is missing a downloadable ACL (dACL) to allow traffic.

Answer: D

Without a dACL, the switch may default to denying all traffic beyond the local subnet.

Why this answer

Option D is correct because the authorization policy 'Permit_Access' likely does not include a downloadable ACL (dACL), so no traffic filtering is applied on the switch to allow inter-subnet traffic. Option B is incorrect because VLAN 10 is assigned; subnet routing is separate. Option C is incorrect because routing is not configured per port.

Option A is incorrect because the DHCP scope is not directly related to the issue.

844
MCQ · hard

A security architect is designing a zero-trust architecture for a remote workforce using Cisco SD-WAN. The company requires that all traffic between branch sites and the data center is encrypted and authenticated, and that no device can access resources unless it has a valid certificate. Which technology should be used to enforce device identity?

A. 802.1X with EAP-TLS
B. Network Access Control (NAC)
C. Cisco TrustSec
D. IPsec VPN

Answer: C

TrustSec uses SGTs to enforce access based on device identity and is a key component of zero trust.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) and device identity based on certificates to enforce access control in a zero-trust architecture. It integrates with SD-WAN to ensure that only devices with valid certificates can communicate, meeting the requirement for encrypted and authenticated traffic between branch sites and the data center.

Exam trap

The trap here is that candidates often confuse IPsec VPN's encryption and authentication of the tunnel with device identity enforcement, but IPsec authenticates the peer (router or firewall), not the individual device, which is a critical distinction in zero-trust architectures.

How to eliminate wrong answers

Option A is wrong because 802.1X with EAP-TLS is a port-based authentication mechanism for network access control at the edge, not a technology for enforcing device identity across SD-WAN tunnels between branches and data centers. Option B is wrong because Network Access Control (NAC) is a broader framework for admission control, but it does not natively provide the certificate-based device identity enforcement and SGT-based segmentation that TrustSec offers in a zero-trust SD-WAN context. Option D is wrong because IPsec VPN provides encryption and authentication for traffic, but it does not enforce device identity via certificates; it authenticates the VPN gateway or peer, not the individual device accessing resources.

845
Multi-Select · medium

A security analyst is investigating a potential ARP spoofing attack. Which two symptoms would indicate this type of attack?

Select 2 answers
A. High CPU usage on the switch
B. Duplicate IP addresses in the ARP table
C. Increased broadcast traffic
D. Intermittent connectivity to a server
E. Unusual outbound DNS queries

Answers: B, D

ARP spoofing can cause multiple MACs for one IP.

Why this answer

ARP spoofing involves sending fake ARP messages to associate the attacker's MAC with the IP of another host, causing traffic to be misdirected.

846
Multi-Select · medium

Which three cryptographic algorithms are considered secure for use in modern systems? (Choose three.)

Select 3 answers
A. ECDSA
B. MD5
C. RSA
D. 3DES
E. AES

Answers: A, C, E

Correct. ECDSA is a secure elliptic curve signature algorithm.

Why this answer

AES (symmetric), RSA (asymmetric), and ECDSA (asymmetric) are widely accepted secure algorithms.

847
Multi-Select · medium

An organization is implementing Cisco Secure Cloud Insights (formerly CloudCenter). Which three capabilities does this tool provide? (Choose three.)

Select 3 answers
A. Cloud security posture management
B. Workload migration planning
C. User behavior analytics
D. Network traffic analysis
E. Cloud cost optimization

Answers: A, B, E

Identifies misconfigurations and compliance violations.

Why this answer

Cisco Secure Cloud Insights (formerly CloudCenter) provides cloud security posture management (CSPM) by continuously monitoring cloud environments for misconfigurations, compliance violations, and security risks. It helps organizations enforce security policies across multi-cloud deployments, ensuring alignment with frameworks like CIS and NIST.

Exam trap

Cisco often tests the distinction between cloud security posture management (CSPM) and cloud workload protection platform (CWPP) capabilities, leading candidates to confuse CloudCenter's CSPM and cost optimization features with unrelated tools like user behavior analytics or network traffic analysis.

848
MCQ · medium

A security analyst notices unusual outbound traffic from an internal host to a known malicious IP address on TCP port 4444. The host is also exhibiting high CPU usage and running an unknown process. Which type of malware is most likely present?

A. Ransomware
B. Botnet C2 client
C. Remote Access Trojan (RAT)
D. Keylogger

Answer: C

RATs commonly use ports like 4444 for C2 communication, allowing remote control and data exfiltration.

Why this answer

A RAT (Remote Access Trojan) often uses a command-and-control (C2) channel on high-numbered ports like 4444, allowing attackers to control the host remotely.

849
MCQ · medium

A network architect is designing a DMZ for a web server that must be accessible from the internet. The server should not initiate connections to the internal network. Which firewall rule best achieves this?

A. Permit HTTP from DMZ to outside; deny all from inside to DMZ.
B. Permit HTTP from outside to DMZ; deny all from DMZ to inside.
C. Permit any from outside to DMZ; permit any from DMZ to inside.
D. Permit any from outside to DMZ; deny any from DMZ to outside.

Answer: B

Correct; allows external access but blocks DMZ from reaching inside.

Why this answer

To allow inbound traffic to the DMZ server but block outbound from DMZ to inside, an ACL on the DMZ interface should permit inbound traffic from outside and deny outbound to inside.

850
MCQ · hard

A security administrator discovers that users are evading the corporate firewall by using SSH to tunnel HTTP traffic to external servers. Which action can be taken on a Cisco ASA firewall to detect and prevent this?

A. Configure a dynamic PAT rule to limit the number of SSH sessions
B. Enable SSH inspection using the 'inspect ssh' command in the global policy
C. Create an access-list to block port 22 entirely
D. Implement SSL decryption to inspect the encrypted SSH payload

Answer: B

SSH inspection allows the firewall to apply deep inspection and enforce policies on SSH traffic.

Why this answer

Option B is correct because enabling SSH inspection with the 'inspect ssh' command on a Cisco ASA allows the firewall to monitor SSH control channel negotiations and detect when SSH is being used to tunnel other protocols (like HTTP). The ASA can then enforce policies to block such tunneling, preventing users from bypassing the corporate firewall.

Exam trap

Cisco often tests the misconception that blocking port 22 is a valid solution, but the trap is that this would also block legitimate SSH access, whereas SSH inspection provides granular control without disrupting normal operations.

How to eliminate wrong answers

Option A is wrong because dynamic PAT (Port Address Translation) limits the number of simultaneous translations, not the number of SSH sessions, and does not inspect or prevent SSH tunneling. Option C is wrong because blocking port 22 entirely would also block legitimate SSH administrative access, which is an overly restrictive and impractical solution. Option D is wrong because SSL decryption is designed to inspect HTTPS traffic, not SSH; SSH uses its own encryption protocol (not SSL/TLS), and the ASA cannot decrypt SSH payloads without breaking the SSH protocol.

851
Multi-Selectmedium

Which TWO of the following are capabilities of Cisco Umbrella SIG? (Choose TWO.)

Select 2 answers
A.DLP for outbound email
B.File sandboxing for attachments
C.On-premises email filtering
D.Cloud-based proxy for web traffic
E.DNS-layer security to block malicious domains
AnswersD, E

Umbrella includes a cloud proxy to enforce web security policies.

Why this answer

Cisco Umbrella SIG provides DNS-layer security (blocking malicious domains) and a cloud-based proxy for web traffic filtering.

852
MCQmedium

A company has 500 users who work remotely and connect to cloud-based SaaS applications. The security team is concerned about malware downloads from these applications. They have deployed Cisco Umbrella with the SIG feature. However, after deployment, a test shows that downloading a file from Dropbox is not being inspected by the cloud security stack. The Umbrella dashboard indicates that the policy is active and the SIG feature is enabled. The network team confirms that the users are using the Umbrella roaming client and that the traffic is correctly forwarding to Umbrella. What is the most likely issue?

A.The SIG inspection only applies to HTTP traffic, not HTTPS
B.The Dropbox application uses non-standard ports
C.The users' devices are not configured with the Umbrella roaming client
D.The traffic is bypassed because of an explicit bypass rule for Dropbox
AnswerD

Explicit bypass rules exempt matching destinations from the cloud security stack even while the policy is active, so the roaming client still forwards the traffic but Umbrella neither proxies nor scans it.

Why this answer

Option D is correct because Cisco Umbrella's SIG (Secure Internet Gateway) can be configured with explicit bypass rules for specific applications or domains. Even when SIG is enabled and traffic is forwarding correctly, an administrator may have inadvertently created a bypass for Dropbox, causing its traffic to skip cloud security inspection. This explains why the policy is active yet downloads from Dropbox are not inspected. The check is simple: look for Dropbox domains in the bypass and destination lists before suspecting the client.

Exam trap

Cisco often tests the concept that a feature being 'enabled' does not guarantee all traffic is inspected, as explicit bypass rules or policy misconfigurations can override the inspection, leading candidates to incorrectly assume the issue is with client configuration or protocol support.

How to eliminate wrong answers

Option A is wrong because Cisco Umbrella SIG supports HTTPS inspection via TLS/SSL decryption, so it can inspect HTTPS traffic, not just HTTP. Option B is wrong because Dropbox uses standard HTTPS ports (443) and Umbrella SIG inspects traffic based on domain and application, not just port numbers; non-standard ports would not cause a bypass unless explicitly configured. Option C is wrong because the question states the network team confirmed users are using the Umbrella roaming client and traffic is correctly forwarding to Umbrella, so the client is properly configured.

853
MCQhard

A network administrator is troubleshooting an issue where users cannot send emails with attachments larger than 10 MB through the Cisco Email Security Appliance (ESA). The ESA is configured with a mail flow policy that has a maximum message size of 20 MB. What is the most likely cause of the issue?

A.The mail flow policy maximum message size is set too low.
B.The HAT (Host Access Table) maximum message size is set to 10 MB.
C.The outgoing mail policy has a smaller attachment size limit.
D.The ESA default maximum attachment size is 10 MB.
AnswerD

The default maximum attachment size in ESA is 10 MB, which restricts attachments even if the overall message size is larger.

Why this answer

The Cisco ESA has a built-in default maximum attachment size of 10 MB, which is separate from the mail flow policy's maximum message size. Even though the mail flow policy allows messages up to 20 MB, the attachment size limit is enforced by the ESA's default configuration, which caps individual attachments at 10 MB. This default can be overridden in the mail flow policy or system settings, but if not explicitly changed, it remains the limiting factor.

Exam trap

The trap here is that candidates confuse the mail flow policy's maximum message size with the attachment size limit, assuming that increasing the message size automatically allows larger attachments, when in fact they are independently configured.

How to eliminate wrong answers

Option A is wrong because the mail flow policy maximum message size is set to 20 MB, which is already larger than the 10 MB attachment limit, so it is not the cause. Option B is wrong because the mail flow policy is itself a component of the HAT (Host Access Table), so the HAT limit in this scenario is the 20 MB figure already stated; the remaining HAT settings control sender-based access and rate limiting, not attachment size. Option C is wrong because outgoing mail policies do not carry a separate attachment size limit; attachment size is controlled by the same mail flow policy or global default settings.

854
MCQhard

An organization is deploying containerized applications in a Kubernetes cluster on AWS EKS. They need to ensure that container images are scanned for vulnerabilities before deployment. Which approach aligns with DevSecOps best practices?

A.Scan container images after deployment using a runtime scanner
B.Integrate image scanning into the CI/CD pipeline before pushing to registry
C.Manually review images before deployment
D.Only scan base images, not application layers
AnswerB

Early detection in the pipeline prevents vulnerable images from being deployed.

Why this answer

Integrating image scanning into the CI/CD pipeline (e.g., using tools like Trivy or Amazon ECR scanning) ensures vulnerabilities are caught before deployment. Scanning after deployment or manually is less effective, and only scanning base images ignores application layer vulnerabilities.

855
MCQmedium

A network engineer notices that some Windows 10 clients fail to authenticate via 802.1X after a recent OS update. The supplicant shows 'EAPOL-Start' but never receives an EAP-Request/Identity. The switch port is configured with 'authentication port-control auto' and 'dot1x pae authenticator'. What is the most likely cause?

A.The switch port is configured as a trunk port
B.The switch has 'aaa authentication dot1x default none' globally
C.The switch port is configured with 'authentication order mab dot1x'
D.The switch is configured with 'snmp-server community' which disables 802.1X
AnswerA

802.1X is not supported on trunk ports by default. The switch will not respond to EAPOL-Start on trunk ports.

Why this answer

The most likely cause is that the switch port is configured as a trunk port. 802.1X authentication is designed for access ports, not trunk ports. On a trunk port, the switch does not process EAPOL frames correctly because the port is expected to carry multiple VLANs and the switch's 802.1X state machine does not initiate the authentication process. As a result, the supplicant sends EAPOL-Start but the switch never responds with an EAP-Request/Identity, leading to authentication failure.

Exam trap

Cisco often tests the misconception that 802.1X can work on any port type, but the trap here is that 802.1X is only supported on access ports, and trunk ports will silently ignore EAPOL-Start frames.

How to eliminate wrong answers

Option B is wrong because 'aaa authentication dot1x default none' globally disables 802.1X authentication, which would prevent any EAPOL exchange entirely, but the supplicant is still sending EAPOL-Start, indicating that 802.1X is not globally disabled. Option C is wrong because 'authentication order mab dot1x' only changes the fallback order (MAB before 802.1X), but it does not prevent the switch from sending an EAP-Request/Identity; the switch would still attempt 802.1X first unless MAB succeeds. Option D is wrong because 'snmp-server community' does not disable 802.1X; SNMP configuration is unrelated to the EAPOL authentication process.
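The port configuration the scenario implies, as an added example that is not part of the original item. The RADIUS server address, shared-secret placeholder, VLAN and interface names are assumed; the MAB fallback and timers are a common production choice, not something the question requires. The commented trunk line is the misconfiguration the item describes.

```cisco
! Added example, not from the page. Assumed: ISE at 10.0.0.10, VLAN 20, Gi1/0/5.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <shared-secret>
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 description user port
 ! "switchport mode trunk" here is the failure in the item: the 802.1X
 ! state machine never starts, so EAPOL-Start is never answered.
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
!
! Verification: confirm the port is access mode, then watch the session state.
show interfaces GigabitEthernet1/0/5 switchport | include Mode
show dot1x interface GigabitEthernet1/0/5 details
show authentication sessions interface GigabitEthernet1/0/5 details
```

The first show command is the one to run when a supplicant reports EAPOL-Start with no reply: if the administrative mode is trunk, nothing in the dot1x configuration will make the port respond.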

856
MCQeasy

A security analyst is reviewing logs and sees multiple failed login attempts from a single IP address, followed by a successful login. Which type of attack does this represent?

A.SQL injection
B.Man-in-the-middle attack
C.Brute-force attack
D.Phishing
AnswerC

Multiple failed logins followed by success indicates password guessing.

Why this answer

A brute-force attack involves repeated attempts to guess credentials, often automated, until successful.

857
MCQeasy

A network administrator is configuring 802.1X authentication on Cisco switches for wired endpoints. Which protocol is used between the client (supplicant) and the switch (authenticator)?

A.RADIUS
B.EAP over UDP
C.EAP over LAN (EAPoL)
D.TACACS+
AnswerC

EAPoL is the standard protocol for 802.1X between client and switch.

Why this answer

In 802.1X authentication, the client (supplicant) communicates with the switch (authenticator) using EAP over LAN (EAPoL), which is defined in IEEE 802.1X-2004. EAPoL encapsulates EAP frames in Ethernet frames, allowing the supplicant to send authentication credentials to the authenticator before granting network access. The authenticator then relays these EAP messages to the authentication server (typically a RADIUS server) using RADIUS, but the direct protocol between client and switch is EAPoL.

Exam trap

Cisco often tests the distinction between the protocol used on the client-to-switch link (EAPoL) versus the protocol used on the switch-to-server link (RADIUS), causing candidates to mistakenly select RADIUS or TACACS+ because they are more familiar with AAA protocols.

How to eliminate wrong answers

Option A is wrong because RADIUS is used between the authenticator (switch) and the authentication server, not between the client and the switch; the client never sends RADIUS packets directly to the switch. Option B is wrong because EAP over UDP is not the 802.1X transport; EAPoL uses Ethernet frames (Layer 2), not UDP (Layer 4). EAP over UDP (EAPoUDP) was the Layer 3 transport of the legacy Cisco NAC Framework for posture checks on non-802.1X segments, and it has nothing to do with EAP-FAST, which is an EAP method and can be carried inside EAPoL like any other. Option D is wrong because TACACS+ is a Cisco-originated protocol used for device administration (AAA for CLI access), not for network access control via 802.1X; it separates authentication, authorization, and accounting but is not part of the 802.1X framework.

858
Matchingmedium

Match each encryption algorithm to its type.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Symmetric block cipher

Asymmetric public-key algorithm

Hash function

Symmetric block cipher (legacy)

Key exchange algorithm

Why these pairings

These are common encryption algorithms and their categories.

859
Multi-Selectmedium

An engineer is configuring a Cisco AnyConnect SSL VPN for remote access. Which TWO features are commonly used to control access based on endpoint security posture?

Select 2 answers
A.IPsec transform set
B.Posture assessment (e.g., AnyConnect Posture module)
C.Group policy
D.Crypto map
E.Dynamic Access Policy (DAP)
AnswersB, E

Posture assessment checks endpoint compliance.

Why this answer

Dynamic Access Policy (DAP) selects access rights at connection time from endpoint attributes, and the posture assessment module is what collects those attributes (antivirus state, registry keys, OS and patch level). Group policies carry the general VPN parameters (split tunnelling, DNS, timeouts) but are assigned statically and do not react to posture. Transform sets and crypto maps belong to IPsec and play no part in an SSL VPN.

860
MCQmedium

A company is designing a secure segmentation strategy for a three-tier web application. They want to isolate the web, application, and database tiers while allowing only necessary traffic. Which design best achieves defense-in-depth while minimizing complexity?

A.Place each tier in a separate VLAN and rely on ACLs on the distribution switch.
B.Deploy a dedicated firewall for each tier and connect them in series.
C.Use VRF-Lite with SGTs and enforce policies via Cisco ISE.
D.Place a single stateful firewall between each tier with separate interfaces.
AnswerC

Allows granular, policy-based segmentation without per-tier firewalls.

Why this answer

Option C is correct because VRF-Lite with Security Group Tags (SGTs) and Cisco ISE provides scalable, policy-based segmentation that follows the defense-in-depth principle. VRF-Lite creates separate routing tables for each tier, while SGTs enforce granular, identity-based access control at the network layer, reducing complexity compared to multiple firewalls or ACLs. This design allows necessary traffic between tiers without relying on IP addresses alone, aligning with zero-trust architecture.

Exam trap

Cisco often tests the misconception that stateful firewalls alone (Option D) or VLANs with ACLs (Option A) provide sufficient segmentation, but the trap is that defense-in-depth requires policy-based, identity-aware controls like SGTs to prevent lateral movement and reduce complexity in multi-tier applications.

How to eliminate wrong answers

Option A is wrong because relying solely on ACLs on a distribution switch lacks stateful inspection and cannot enforce application-layer policies, making it vulnerable to IP spoofing and insufficient for defense-in-depth. Option B is wrong because deploying a dedicated firewall for each tier in series introduces unnecessary complexity, latency, and single points of failure, violating the principle of minimizing complexity. Option D is wrong because placing a single stateful firewall between each tier with separate interfaces still creates a bottleneck and does not provide the granular, identity-based segmentation that SGTs offer, nor does it scale well for multi-tier environments.

861
MCQeasy

Which Cisco ISE probe is used to identify the operating system and open ports of an endpoint by actively scanning it?

A.DNS probe
B.DHCP probe
C.HTTP probe
D.SNMP probe
AnswerC

None of the listed probes actively scans; of the four, HTTP is the one that yields the operating system (from the User-Agent header), which is why it is the key.

Why this answer

The item's wording does not match its options, so be precise about what each probe does. Active scanning of an endpoint for OS fingerprint and open ports is the NMAP scan probe of the ISE profiler, and it is not offered here. The four probes listed are passive collectors: the DHCP probe reads vendor class and option fingerprints from DHCP requests, the SNMP probe polls the access device for its MAC and ARP tables and system descriptions, the DNS probe performs a reverse lookup of the endpoint address, and the HTTP probe captures the User-Agent header from redirected web traffic, which identifies the OS and browser.

Among the choices given, HTTP is therefore the only one that identifies the operating system, and that is the expected answer. If an 'actively scans' question ever lists NMAP, choose NMAP.

862
MCQeasy

An organization is deploying Cisco Secure Endpoint (AMP) for the first time in a Windows environment. The security team wants to ensure that any file executed from a USB drive is automatically scanned and blocked if malicious. Which policy feature should be enabled to achieve this?

A.Enable File Reputation to check files against the cloud.
B.Enable Exploit Prevention to block malicious code execution.
C.Configure Quarantine actions for all file events.
D.Enable Removable Media Scan in the policy.
AnswerD

This feature automatically scans files on removable media when accessed.

Why this answer

Option D is correct because Cisco Secure Endpoint (AMP) includes a dedicated 'Removable Media Scan' policy feature that automatically scans files executed from USB drives and other removable media. When enabled, this feature triggers a scan of any file launched from a removable device, and if the file is determined to be malicious based on local or cloud reputation, it can be blocked or quarantined before execution completes.

Exam trap

Cisco often tests the distinction between a general security feature (like File Reputation or Exploit Prevention) and a policy-specific trigger (like Removable Media Scan) that activates scanning on a particular event, leading candidates to select a feature that sounds relevant but does not specifically address the USB execution scenario.

How to eliminate wrong answers

Option A is wrong because File Reputation checks files against the cloud for known good or bad hashes, but it is a general scanning mechanism that does not specifically target removable media; it must be combined with a policy trigger like Removable Media Scan to enforce scanning on USB execution. Option B is wrong because Exploit Prevention is designed to block exploit techniques (e.g., buffer overflows, code injection) at runtime, not to scan or block files based on their content or reputation when executed from a USB drive. Option C is wrong because configuring Quarantine actions for all file events would quarantine files based on detection events, but without enabling Removable Media Scan, the policy does not automatically trigger scanning of files executed from USB drives; quarantine is an action, not a trigger.

863
MCQeasy

Which of the following is a benefit of using Dynamic Access Policy (DAP) for AnyConnect SSL VPN?

A.It eliminates the need for group policies.
B.It enables split tunneling automatically.
C.It provides load balancing across multiple VPN peers.
D.It enforces access based on endpoint security posture.
AnswerD

Correct. DAP uses endpoint attributes to determine access rights.

Why this answer

DAP allows granular access based on endpoint attributes such as antivirus status, registry keys, and location.

864
MCQmedium

An engineer is configuring a Cisco ASA to allow inbound HTTPS traffic from the outside to a web server on the DMZ. The outside interface has security level 0, the DMZ interface has security level 50, and the inside has security level 100. Which set of commands correctly allows the traffic considering stateful inspection?

A.static (outside,dmz) tcp 10.1.1.10 443 192.168.1.10 443 netmask 255.255.255.255; access-list OUTSIDE_IN permit tcp any host 10.1.1.10 eq 443; access-group OUTSIDE_IN in interface outside
B.nat (dmz,outside) static 192.168.1.10; access-list OUTSIDE_IN permit tcp any host 10.1.1.10 eq 443; access-group OUTSIDE_IN in interface dmz
C.static (dmz,outside) tcp 192.168.1.10 443 10.1.1.10 443 netmask 255.255.255.255; access-list OUTSIDE_IN permit tcp any host 192.168.1.10 eq 443; access-group OUTSIDE_IN in interface outside
D.access-list OUTSIDE_IN permit tcp any host 10.1.1.10 eq 443; access-group OUTSIDE_IN in interface outside; static (inside,outside) tcp 10.1.1.10 443 10.1.1.10 443 netmask 255.255.255.255
AnswerC

Correct: static NAT from DMZ to outside, ACL permits traffic to mapped IP, and ACL is applied inbound on outside.

Why this answer

Traffic from a higher security level to a lower one passes without an ACL; outside (0) to DMZ (50) is the opposite direction, so it needs both a translation and an explicit permit. Option C uses the pre-8.3 static syntax, static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port, and on pre-8.3 code the interface ACL must reference the mapped address, which is exactly what C's ACL does; the ACL is then bound inbound on the outside interface, where the traffic enters. Option B mixes 8.3+ object-NAT syntax (incomplete, since it is not inside a network object) with the ACL bound on the wrong interface. On 8.3 and later, NAT is configured under a network object and the ACL references the real (DMZ) address, because the untranslation now happens before the ACL is evaluated.
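The same deployment in current (8.3 and later) ASA syntax, as an added example that is not part of the original item and that also covers the DMZ design question 849 above. Addresses are assumed: the web server's real address is 192.168.1.10 on dmz, its public address 10.1.1.10, the inside network 10.10.0.0/16, and the server is assumed to need DNS and outbound HTTPS for updates.

```cisco
! Added example, not from the page. Interfaces: outside 0, dmz 50, inside 100.
object network WEB_SERVER
 host 192.168.1.10
 nat (dmz,outside) static 10.1.1.10
!
object network INSIDE_NET
 subnet 10.10.0.0 255.255.0.0
!
! Lower -> higher needs a permit. In 8.3+ the ACL matches the REAL address
! because NAT untranslation happens before the ACL lookup.
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq 443
access-group OUTSIDE_IN in interface outside
!
! dmz (50) -> inside (100) is already denied by security levels, but the server
! can still reach the internet. Binding an ACL to dmz removes the interface's
! implicit permit-to-lower, so every outbound need must now be listed.
access-list DMZ_IN extended deny ip any object INSIDE_NET
access-list DMZ_IN extended permit udp object WEB_SERVER any eq 53
access-list DMZ_IN extended permit tcp object WEB_SERVER any eq 443
access-group DMZ_IN in interface dmz
!
! Verification. The second packet-tracer should end in a drop by DMZ_IN.
show nat detail
show access-list OUTSIDE_IN
packet-tracer input outside tcp 203.0.113.5 40000 10.1.1.10 443
packet-tracer input dmz tcp 192.168.1.10 40000 10.10.1.5 445
```

Note that packet-tracer from outside is given the public (mapped) address, since that is what arrives on the wire; the trace output shows the UN-NAT phase resolving it to 192.168.1.10 before the ACL phase.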

865
MCQmedium

Which Cisco Firepower feature uses SHA-256 hashes to determine the disposition of files and block malware?

A.Intrusion policy
B.File policy
C.SSL policy
D.Network discovery
AnswerB

File policy with AMP uses SHA-256 for disposition.

Why this answer

File policy with AMP cloud lookup uses SHA-256 to check file reputation.

866
Multi-Selectmedium

A security administrator is implementing a zero-trust architecture. Which two principles are core to the zero-trust model? (Choose two.)

Select 2 answers
A.Single perimeter defense
B.Implicit trust for internal networks
C.Never trust, always verify
D.Trust but verify
E.Least privilege access
AnswersC, E

This is a foundational principle of zero trust.

Why this answer

Zero trust is based on 'never trust, always verify' and least privilege access.

867
MCQhard

You are a security engineer for a multinational corporation that uses a hybrid cloud environment with AWS and Azure. The company has deployed Cisco Cloudlock for SaaS security and Cisco Umbrella for DNS-layer security. Recently, the incident response team detected that an employee's credentials were compromised, and the attacker used them to access the company's Office 365 tenant. The attacker exfiltrated sensitive data by sending emails with attachments to external addresses. Cloudlock logs show that the data exfiltration occurred because the policy for 'Outbound Email with Attachments' was set to 'Allow' for all users. The attacker also used a personal Google Drive account to store stolen data, which was not detected by Cloudlock because Google Drive is not sanctioned. You need to recommend a course of action to prevent similar incidents. Which action should you take first?

A.Reset the compromised user's password and revoke all active sessions
B.Implement multi-factor authentication for all Office 365 users
C.Modify the Cloudlock policy to block outbound emails with attachments containing sensitive data for all users
D.Sanction Google Drive and create a Cloudlock policy to monitor it
AnswerC

Directly addresses the exfiltration method used.

Why this answer

Option C is correct because the incident occurred due to a permissive Cloudlock policy that allowed outbound emails with attachments. By modifying the policy to block outbound emails containing sensitive data, you directly address the exfiltration vector used by the attacker, which is the control that prevents recurrence of the same attack method. Keep the framing in mind: the question asks what prevents a repeat, not what to do first in a live response, where containing the compromised account (option A) would come before any policy change.

Exam trap

Cisco often tests the distinction between immediate remediation (blocking the exfiltration vector) versus long-term security improvements (MFA, password resets), and the trap here is that candidates may choose MFA or password reset because they focus on the credential compromise rather than the policy misconfiguration that allowed the data loss.

How to eliminate wrong answers

Option A is wrong because while resetting the compromised password and revoking sessions is a necessary remediation step, it does not prevent future incidents if the same policy misconfiguration remains. Option B is wrong because multi-factor authentication (MFA) would have helped prevent the initial compromise, but the question asks for the first action to prevent similar incidents, and the immediate vulnerability is the permissive Cloudlock policy that allowed the exfiltration. Option D is wrong because sanctioning Google Drive and creating a monitoring policy does not address the fact that the attacker already used an unsanctioned service; the primary exfiltration method was via Office 365 email, which was allowed by the existing policy.

868
Multi-Selecteasy

A network administrator is configuring PKI for secure communications. Which TWO components are essential for a public key infrastructure? (Choose two.)

Select 2 answers
A.Certificate Authority (CA)
B.Private key of the end user
C.Certificate revocation list (CRL) or OCSP responder
D.Hashing function
E.Symmetric encryption algorithm
AnswersA, C

CA is the trusted entity that issues digital certificates.

Why this answer

PKI relies on a Certificate Authority (CA) to issue certificates and on a CRL or OCSP responder so that relying parties can check revocation. The end user's private key belongs to the subscriber and is never part of the infrastructure; hash functions and symmetric ciphers are used by PKI (for signatures and for the session keys it protects) but are algorithms, not PKI components.

869
MCQmedium

A network administrator is configuring management access on a Cisco router. The requirement is to provide encrypted remote access with AAA authentication and fallback to local credentials if the AAA server is unavailable. Which configuration best meets these requirements?

A.Enable Telnet with a local username and password.
B.Enable SSHv2 with AAA authentication and 'aaa authentication login default group radius local' configured.
C.Enable HTTP with AAA authentication.
D.Use SNMPv3 with read-write community strings.
AnswerB

SSH provides encryption, AAA with local fallback meets availability.

Why this answer

Option B is correct because SSHv2 provides encrypted remote access, and the command 'aaa authentication login default group radius local' configures AAA authentication with RADIUS as the primary method and local credentials as a fallback if the RADIUS server is unreachable. This meets the requirement for both encrypted access and AAA fallback to local authentication.

Exam trap

Cisco often tests the distinction between encrypted (SSH) and unencrypted (Telnet, HTTP) protocols, and the specific behavior of AAA fallback (local only on server non-response, not on authentication denial).

How to eliminate wrong answers

Option A is wrong because Telnet transmits all data, including credentials, in cleartext, failing the requirement for encrypted remote access. Option C is wrong because HTTP does not encrypt traffic; HTTPS would be required for encryption, and the question specifies 'HTTP'. Option D is wrong on two counts: SNMP is a management-polling protocol, not an interactive remote shell, and SNMPv3 does not use community strings at all (it authenticates users and groups with authentication and privacy keys); community strings belong to SNMPv1/v2c and are not a secure authentication method.
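The configuration option B describes, as an added example that is not part of the original item. Hostname, domain, the RADIUS server address, the shared-secret and password placeholders, and the server group name are assumed. It also shows the fallback behaviour the exam trap refers to: the local method is consulted only when no RADIUS server answers.

```cisco
! Added example, not from the page. Assumed: R1, example.com, ISE at 10.0.0.10.
hostname R1
ip domain name example.com
crypto key generate rsa modulus 4096
ip ssh version 2
ip ssh authentication-retries 3
!
! Local account used only when RADIUS is unreachable.
username admin privilege 15 secret <local-fallback-password>
!
aaa new-model
radius server ISE
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
aaa group server radius ISE-GROUP
 server name ISE
!
! Methods are tried left to right. 'local' is reached only if every server in
! ISE-GROUP times out; an Access-Reject from RADIUS ends the attempt and does
! NOT fall through to the local database.
aaa authentication login default group ISE-GROUP local
aaa authorization exec default group ISE-GROUP local if-authenticated
!
line vty 0 4
 transport input ssh
 login authentication default
 exec-timeout 10 0
!
! Verification: SSH version, server reachability, and a live AAA test.
show ip ssh
show aaa servers
test aaa group ISE-GROUP admin <password> new-code
```

The test aaa command is the quickest way to prove which method answered: a reply from the server means RADIUS is reachable and the fallback will not be used, whereas a timeout is the condition under which the local account becomes usable.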

870
Multi-Selectmedium

An organization is implementing a zero trust architecture. Which two principles are foundational to this model? (Choose two.)

Select 2 answers
A.Single factor authentication
B.Never trust, always verify
C.Implicit trust for internal networks
D.Trust but verify
E.Least privilege access
AnswersB, E

Correct. This is a core tenet of zero trust.

Why this answer

Zero trust is built on 'never trust, always verify' and 'least privilege' to minimize access.

871
MCQmedium

A security analyst needs to enforce that all endpoints have antivirus software running and are up-to-date with patches before granting full network access. Which Cisco ISE feature should be used to enforce this policy?

A.Change of Authorization (CoA)
B.Profiling
C.Posture assessment
D.TrustSec SGT assignment
AnswerC

Posture assessment evaluates endpoint security posture and can restrict access until compliance is met.

Why this answer

Posture assessment checks endpoints for compliance with security policies (e.g., antivirus status, patch level) before granting access.

872
MCQmedium

A company uses Cisco Umbrella SIG to secure internet access for remote users. The security team wants to block access to social media websites but allow access to business-related websites that may share the same IP addresses. Which Umbrella feature should be used to enforce this granular control?

A.DNS security layer
B.ThousandEyes agents
C.Cloud proxy with URL filtering
D.AMP file scanning
AnswerC

The cloud proxy inspects HTTP/HTTPS requests and can apply URL category policies to block social media while allowing business sites.

Why this answer

Option C is correct because Cisco Umbrella's cloud proxy with URL filtering operates at the application layer (HTTP/HTTPS), inspecting full URLs rather than just domain names. This allows the security team to block social media websites while permitting business-related websites that may resolve to the same IP addresses, as the proxy can differentiate based on the URL path and content category.

Exam trap

Cisco often tests the distinction between DNS-layer security (domain-based) and proxy-based URL filtering (full URL inspection), leading candidates to mistakenly choose the DNS security layer when granular control over websites sharing IP addresses is required.

How to eliminate wrong answers

Option A is wrong because the DNS security layer only filters based on domain name resolution (DNS queries), which cannot distinguish between different websites hosted on the same IP address; it would block or allow all traffic to that IP. Option B is wrong because ThousandEyes agents are used for network performance monitoring and visibility, not for enforcing URL-level access control policies. Option D is wrong because AMP file scanning focuses on detecting and blocking malicious files (malware) at the file level, not on controlling access to specific websites or URL categories.

873
MCQeasy

A network administrator is configuring Cisco Email Security Appliance (ESA) to prevent outgoing spam. The company wants to ensure that all outgoing emails contain a legal disclaimer and that any email with more than 20 recipients is delayed. Which two features should be combined?

A.Outgoing mail policy with Disclaimer action and Destination Controls
B.Data Loss Prevention (DLP) and Outbreak Filters
C.Antivirus scanning
D.Message Filters with content scanning
AnswerA

The Disclaimer action adds the legal text, and Destination Controls can set recipient rate limits.

Why this answer

Option A is correct because the requirement to add a legal disclaimer is met by the Disclaimer action within an Outgoing Mail Policy, and the requirement to delay emails with more than 20 recipients is met by Destination Controls, which allow rate-limiting based on recipient count per message. These two features are specifically designed for outgoing email control and can be combined in a single mail policy.

Exam trap

Cisco often tests the distinction between Mail Policies (which include Disclaimer and Destination Controls) and Message Filters (which are more granular but lack Destination Controls), leading candidates to incorrectly choose Message Filters for both requirements.

How to eliminate wrong answers

Option B is wrong because Data Loss Prevention (DLP) focuses on detecting and blocking sensitive data in emails, not adding disclaimers or delaying messages based on recipient count; Outbreak Filters are designed to detect and block new malware outbreaks, not for disclaimer insertion or recipient-based delays. Option C is wrong because Antivirus scanning only detects and removes malware in email attachments, it does not add disclaimers or enforce recipient count limits. Option D is wrong because Message Filters with content scanning can add disclaimers but cannot enforce recipient-based delays; Destination Controls are a separate feature not available within Message Filters.

874
MCQmedium

An organization is using Microsoft 365 and wants to prevent sensitive data from being shared externally via email and OneDrive. Which Cisco cloud security product should they deploy?

A.Cisco Cloudlock
B.Cisco Umbrella
C.Cisco Stealthwatch
D.Cisco Duo
AnswerA

Cloudlock offers DLP for cloud applications like M365.

Why this answer

Cisco Cloudlock is the correct choice because it is a cloud-native CASB (Cloud Access Security Broker) that integrates with Microsoft 365 to enforce data loss prevention (DLP) policies. It can inspect email attachments and OneDrive files for sensitive data patterns (e.g., credit card numbers, PII) and block or revoke external sharing based on policy. Cloudlock is API-based (out-of-band): it scans content at rest in the tenant and reacts to sharing and mail events through the platform's APIs rather than sitting inline in the traffic path.

Exam trap

Cisco often tests the distinction between CASB (Cloudlock) and other security products by listing multiple cloud-related tools, and the trap here is that candidates confuse Umbrella's broad web security capabilities with the specific DLP and data-sharing controls that only a CASB like Cloudlock provides.

How to eliminate wrong answers

Option B (Cisco Umbrella) is wrong because it secures traffic on its way to the internet (DNS-layer security, secure web gateway, threat intelligence and malicious-domain blocking); it does not connect to the Microsoft 365 tenant through its APIs to inspect mail and OneDrive content at rest, which is the CASB function the question asks for. Option C (Cisco Stealthwatch) is wrong because it is a network traffic analysis tool that uses NetFlow and behavioral analytics to detect anomalies and threats within the network, not to control data sharing in cloud applications. Option D (Cisco Duo) is wrong because it is a multi-factor authentication (MFA) and zero-trust access solution that verifies user identity and device health at login but does not inspect or prevent data leakage in email or OneDrive.

875
MCQ · hard

Refer to the exhibit. A network engineer configures a site-to-site VPN between a Cisco router and an Azure VPN gateway. After configuration, the tunnel is not coming up. Which issue is most likely causing the problem?

A. The access list is not permitting the correct source/destination traffic
B. The tunnel mode is not set to transport
C. Missing IKEv2 proposal match on the Azure side
D. The crypto map does not specify the local identity
Answer: C

Azure VPN gateway requires matching IKE proposals; mismatch prevents tunnel establishment.

Why this answer

The most likely issue is a mismatch in IKEv2 proposals between the Cisco router and the Azure VPN gateway. Azure requires specific IKEv2 encryption (e.g., AES256), integrity (e.g., SHA256), and DH group (e.g., DH Group 14) parameters. If the Cisco router's crypto ikev2 proposal does not exactly match the Azure-side settings, the IKEv2 SA negotiation fails, preventing the tunnel from coming up.

Exam trap

Cisco often tests the concept that IKEv2 proposal mismatches are a frequent cause of tunnel failures when connecting to cloud providers like Azure, AWS, or GCP, and candidates mistakenly blame ACLs or crypto map issues instead of verifying the transform sets.

How to eliminate wrong answers

Option A is wrong because the access list in a site-to-site VPN configuration is used to define interesting traffic (traffic to be encrypted), not to permit the tunnel itself; a misconfigured ACL would cause traffic to be sent in clear text or dropped, but would not prevent the IKE/IPsec tunnel from establishing. Option B is wrong because tunnel mode (transport vs. tunnel) is not relevant to IKEv2 proposal mismatches; for site-to-site VPNs, tunnel mode is the default and correct setting, and transport mode is used for host-to-host or L2L with special requirements. Option D is wrong because the crypto map does not need to specify a local identity; the local identity is derived from the IP address of the interface or the configured identity (e.g., FQDN) in the IKEv2 profile, and its absence would not cause a proposal mismatch.

876
MCQ · hard

A DevSecOps team is implementing secrets management for a cloud-native application. They want to avoid storing secrets in environment variables or code. Which solution should they use?

A. Embed secrets in the container image
B. Pass secrets via command-line arguments
C. Use HashiCorp Vault to dynamically generate and manage secrets
D. Store secrets in a configuration file in the repository
Answer: C

Vault provides secure secrets storage and rotation.

Why this answer

A dedicated secrets management tool like HashiCorp Vault securely stores and provides access to secrets (API keys, passwords) without embedding them in code or environment variables. Azure Key Vault and AWS Secrets Manager are also valid, but Vault is a common cross-platform solution. The other options are insecure.

877
Multi-Select · medium

Which THREE are characteristics of Cisco ISE profiler service?

Select 3 answers
A. It can determine the endpoint operating system based on MAC OUI and DHCP fingerprints
B. It uses a combination of active and passive probes to identify endpoint attributes
C. It can provide attributes used in authorization policy conditions
D. It performs posture compliance checking on endpoints
E. It requires the installation of an ISE agent on all endpoints
Answers: A, B, C

Profiling uses these attributes to identify OS.

Why this answer

Option A is correct because Cisco ISE's profiler service uses the MAC OUI (Organizationally Unique Identifier) to identify the hardware vendor, and DHCP fingerprints (specific option ordering in DHCP requests) to determine the exact operating system or device type. This passive profiling technique allows ISE to classify endpoints without requiring any agent installation.

Exam trap

Cisco often tests the distinction between the profiler service (attribute discovery) and the posture service (compliance checking), so candidates mistakenly attribute posture functions to the profiler.

878
MCQ · easy

An engineer is troubleshooting a site-to-site IPsec VPN between two Cisco routers. The tunnel is not establishing. Which command would verify that IKE phase 1 negotiations have completed successfully?

A. show crypto ipsec sa
B. show crypto isakmp sa
C. show crypto map
D. debug crypto isakmp
Answer: B

This command displays IKE phase 1 security associations.

Why this answer

The 'show crypto isakmp sa' command displays the state of IKE (Internet Key Exchange) Phase 1 security associations (SAs). A successful Phase 1 negotiation is indicated by a state of 'MM_ACTIVE' (Main Mode) or 'QM_IDLE' (Aggressive Mode), confirming that the peers have mutually authenticated and established a secure ISAKMP tunnel. This is the direct verification command for Phase 1 completion.

Exam trap

Cisco often tests the distinction between Phase 1 (ISAKMP) and Phase 2 (IPsec) commands, trapping candidates who confuse 'show crypto ipsec sa' (Phase 2) with 'show crypto isakmp sa' (Phase 1) for verifying IKE negotiations.

How to eliminate wrong answers

Option A is wrong because 'show crypto ipsec sa' displays IPsec Phase 2 SAs, which are only created after IKE Phase 1 has completed; it cannot verify Phase 1 status. Option C is wrong because 'show crypto map' displays the crypto map configuration and its applied interfaces, but it does not show the dynamic state or negotiation progress of IKE Phase 1 SAs. Option D is wrong because 'debug crypto isakmp' is a real-time troubleshooting tool that shows IKE events as they occur, but it is not a verification command for completed negotiations and can be resource-intensive on a production router.

879
MCQ · hard

Refer to the exhibit. An administrator in us-west-2 tries to launch an instance. The policy allows only us-east-1. What should the administrator do to successfully launch the instance?

A. Launch the instance in us-east-1
B. Modify the resource ARN to include us-west-2
C. Change the policy to allow all regions
D. Remove the condition from the policy
Answer: A

Complies with the policy condition.

Why this answer

Option A is correct because the IAM policy explicitly restricts the ec2:RunInstances action to the us-east-1 region using a Condition block with ec2:Region set to 'us-east-1'. Since the administrator is attempting to launch the instance in us-west-2, the only way to comply with the policy is to launch in us-east-1. AWS IAM policies are evaluated based on the principal, action, resource, and condition; if any condition is not met, the request is denied by default.

Exam trap

Cisco often tests the misconception that modifying the resource ARN or removing the condition is the solution, when in fact the condition key is the binding constraint that must be satisfied by choosing the correct region.

How to eliminate wrong answers

Option B is wrong because modifying the resource ARN to include us-west-2 would not override the Condition block that explicitly restricts the region; the condition must also be satisfied. Option C is wrong because changing the policy to allow all regions would violate the principle of least privilege and is not necessary; the administrator should work within the existing policy constraints. Option D is wrong because removing the condition from the policy would require modifying the policy itself, which the administrator may not have permissions to do, and it would also weaken security by removing the regional restriction.

880
MCQ · medium

A company is deploying Cisco Umbrella to protect against DNS-based threats. Which deployment method provides the most comprehensive coverage for all devices on the network without requiring per-device configuration?

A. Install the Umbrella roaming client on every endpoint.
B. Configure each device's DNS settings to use Umbrella's resolvers.
C. Deploy a PAC file that routes all traffic through a proxy with DNS filtering.
D. Configure the network's DNS forwarders to point to Umbrella's DNS resolvers.
Answer: D

Covers all devices using the network's DNS.

Why this answer

Option D is correct because configuring the network's DNS forwarders to point to Umbrella's DNS resolvers (typically on the organization's DHCP server or router) ensures that all DNS queries from any device on the network are automatically forwarded to Umbrella for filtering, without requiring any per-device configuration. This method provides comprehensive coverage for all devices, including those that cannot run agents (e.g., IoT devices, printers, guest devices), by intercepting DNS traffic at the network level.

Exam trap

Cisco often tests the distinction between endpoint-based and network-based deployment methods, and the trap here is that candidates assume the roaming client (Option A) provides the most comprehensive coverage, when in fact network-level DNS forwarding covers all devices without per-device configuration.

How to eliminate wrong answers

Option A is wrong because installing the Umbrella roaming client on every endpoint requires per-device configuration and ongoing management, and it cannot cover non-managed or legacy devices that cannot run the client. Option B is wrong because configuring each device's DNS settings individually is impractical for large networks, does not scale, and fails to cover devices with hardcoded DNS or those that ignore manual DNS settings. Option C is wrong because deploying a PAC file only affects web traffic routed through a proxy; it does not intercept all DNS queries (e.g., non-HTTP traffic, direct DNS lookups) and still requires per-browser or per-system configuration, leaving gaps in coverage.

881
MCQ · hard

A security engineer is evaluating a web application firewall (WAF) rule set. The application uses a custom REST API that accepts JSON payloads. Which WAF rule is most effective at preventing SQL injection attacks while minimizing false positives?

A. Apply a generic SQL injection signature set from the WAF vendor
B. Block requests containing 'SELECT' or 'UNION' in the URL
C. Set the maximum request size to 10 MB
D. Use a rule that parses JSON and checks for abnormal structures that indicate injection
Answer: D

JSON-specific validation reduces false positives while catching injection attempts.

Why this answer

Option D is correct because JSON-based APIs require context-aware parsing to detect SQL injection within structured payloads. A rule that parses JSON and checks for abnormal structures can identify injection attempts (e.g., nested objects or unexpected keys) without relying on simple keyword matching, which reduces false positives. This approach aligns with the WAF's ability to decode and inspect JSON fields for malicious SQL patterns while ignoring benign data.

Exam trap

Cisco often tests the misconception that generic signature sets are universally effective, but the trap here is that custom APIs with JSON payloads require context-aware parsing to avoid false positives and catch injection in non-keyword forms.

How to eliminate wrong answers

Option A is wrong because generic SQL injection signature sets often produce high false positives in custom REST APIs, as they match common SQL keywords (e.g., 'SELECT') that may appear legitimately in JSON values (e.g., a field named 'select'). Option B is wrong because blocking requests containing 'SELECT' or 'UNION' in the URL is ineffective for JSON payloads sent via POST or PUT methods, where injection occurs in the request body, not the URL; it also causes false positives for legitimate API calls. Option C is wrong because setting the maximum request size to 10 MB does not prevent SQL injection; it only limits the payload size, which is unrelated to injection detection and may block legitimate large JSON payloads.

882
MCQ · hard

An organization has deployed Cisco WSA in explicit proxy mode. Users are required to authenticate using their Active Directory credentials. Which WSA feature enables transparent user identification without requiring users to manually log in?

A. URL Filtering
B. WCCP redirection
C. Transparent user identification via Kerberos
D. SSL/TLS Decryption
Answer: C

Kerberos enables automatic user identification without manual login.

Why this answer

Transparent user identification on Cisco WSA can be achieved using Kerberos authentication or NTLM, allowing automatic authentication with AD credentials without manual login.

883
MCQ · hard

An organization is deploying Cisco ESA and wants to ensure that outbound emails containing credit card numbers are blocked. The administrator configures a DLP policy to scan for credit card patterns. However, some legitimate emails with credit card numbers are being incorrectly blocked. What is the best approach to reduce false positives while still preventing data leakage?

A. Disable the DLP policy for outbound email
B. Change the DLP action from 'Block' to 'Confirm with Sender'
C. Increase the DLP sensitivity threshold
D. Add all senders to a DLP exemption list
Answer: B

This allows the sender to confirm the email is legitimate, reducing false positives while maintaining oversight.

Why this answer

Option B is correct because changing the DLP action from 'Block' to 'Confirm with Sender' allows the Cisco ESA to send a notification to the sender when a credit card pattern is detected, asking them to confirm whether the email should be sent. This reduces false positives by giving legitimate senders a chance to override the block, while still preventing accidental data leakage by requiring explicit confirmation. The DLP policy remains active, so unauthorized or unconfirmed outbound emails containing credit card numbers are still stopped.

Exam trap

Cisco often tests the misconception that increasing sensitivity reduces false positives, when in fact it increases them by matching more patterns, and that exemption lists are a safe way to handle false positives, when they actually bypass all DLP scanning for those senders.

How to eliminate wrong answers

Option A is wrong because disabling the DLP policy for outbound email would completely remove protection against data leakage, which contradicts the organization's goal of preventing credit card numbers from being sent out. Option C is wrong because increasing the DLP sensitivity threshold would make the scanner more strict, likely increasing false positives rather than reducing them; the threshold controls how closely a pattern must match, and raising it would flag more borderline matches. Option D is wrong because adding all senders to a DLP exemption list would bypass the DLP policy entirely for those senders, allowing any credit card numbers to be sent without scanning, which defeats the purpose of preventing data leakage.

884
MCQ · hard

A Cisco FTD device is deployed in inline mode and configured with an SSL policy to decrypt traffic. The policy uses 'Decrypt - Known Key' for traffic to an internal server. What is required for this decryption to work?

A. The FTD must generate a new certificate for each session.
B. The server's certificate must be signed by a public CA.
C. The FTD must have the server's private key imported.
D. The client must trust the FTD's CA certificate.
Answer: C

Correct; the FTD needs the private key to decrypt traffic encrypted with the server's public key.

Why this answer

'Decrypt - Known Key' requires the server's private key to be imported into the FTD so it can decrypt the traffic by impersonating the server.

885
MCQ · medium

A company uses Cisco WSA to proxy web traffic. After configuring a decryption policy to inspect HTTPS traffic to a specific external site, users report they can still access the site without any warning or interruption. Which action should the administrator take to ensure HTTPS inspection is applied?

A. Add the site to the 'HTTPS Bypass' list
B. Import the WSA root CA certificate into client browsers
C. Change the policy action from 'Passthrough' to 'Decrypt'
D. Move the decryption policy to the top of the list
Answer: C

The decryption policy must have the action set to 'Decrypt' to inspect HTTPS traffic.

Why this answer

Option C is correct because the decryption policy must have an action of 'Decrypt' to actually perform HTTPS inspection. If the policy action is set to 'Passthrough', the WSA forwards the traffic without decrypting it, so users experience no warning or interruption. Changing the action to 'Decrypt' forces the WSA to intercept the TLS handshake, decrypt the traffic, and apply security policies.

Exam trap

Cisco often tests the distinction between policy configuration (action) and trust infrastructure (CA certificate), leading candidates to mistakenly choose importing the root CA when the real issue is the policy action not being set to 'Decrypt'.

How to eliminate wrong answers

Option A is wrong because adding the site to the 'HTTPS Bypass' list would explicitly exclude it from decryption, which is the opposite of what is needed. Option B is wrong because importing the WSA root CA certificate into client browsers is necessary for users to trust the decrypted connection, but it does not enable the decryption itself; the policy action must first be set to 'Decrypt'. Option D is wrong because moving the policy to the top of the list only affects rule precedence; if the policy action is still 'Passthrough', it will still bypass decryption regardless of its position.

886
MCQ · easy

An enterprise wants to prevent data exfiltration from its SaaS applications to unauthorized personal cloud storage. Which Cisco solution should be deployed?

A. Cisco Umbrella
B. Cisco Cloudlock
C. Cisco Duo
D. Cisco Firepower NGFW
Answer: B

Cloudlock as a CASB can prevent data exfiltration to unauthorized cloud storage.

Why this answer

Cisco Cloudlock is the correct solution because it is a cloud-native CASB (Cloud Access Security Broker) specifically designed to protect SaaS applications like Office 365 and Salesforce. It provides data loss prevention (DLP) policies that can detect and block the exfiltration of sensitive data to unauthorized personal cloud storage services by inspecting API traffic and user activities in real time.

Exam trap

Cisco often tests the distinction between network-layer security tools (Umbrella, Firepower) and cloud-native API-based CASB solutions (Cloudlock), leading candidates to mistakenly choose a DNS or firewall product for SaaS DLP scenarios.

How to eliminate wrong answers

Option A (Cisco Umbrella) is wrong because it is a DNS-layer security solution focused on blocking malicious domains and enforcing web usage policies, not on inspecting SaaS application data flows or preventing data exfiltration to personal cloud storage. Option C (Cisco Duo) is wrong because it is a multi-factor authentication (MFA) and zero-trust access solution that secures user authentication but does not provide DLP or content inspection for SaaS data. Option D (Cisco Firepower NGFW) is wrong because it is a network firewall that inspects traffic at the network and application layers but lacks the native API integration with SaaS applications required to enforce granular DLP policies on data stored or shared within those apps.

887
MCQ · medium

A company has a site-to-site VPN between two ASA firewalls using IKEv2. The tunnel was working but after an upgrade, it fails. The engineer verifies that the pre-shared keys match, IKE proposals are compatible, and the crypto ACL is correctly defined. What is the next likely cause to investigate?

A. The firewall rules on the intermediate devices are blocking ISAKMP traffic.
B. The ACL for interesting traffic is missing.
C. The crypto map is not applied to the correct interface.
D. The MTU is too high.
Answer: A

Intermediate firewall changes during upgrade can block UDP ports 500 and 4500, preventing IKE negotiation. This is a common cause.

Why this answer

The correct answer is A because the tunnel was working before the upgrade and the engineer has already verified that the pre-shared keys, IKE proposals, and crypto ACL are correct. After an ASA upgrade, intermediate firewall rules or ACLs may be reset or changed, potentially blocking ISAKMP (UDP 500/4500) traffic. Since the tunnel fails to establish, the next logical step is to check if ISAKMP traffic is being permitted through all intermediate devices, as this is a common post-upgrade issue.

Exam trap

Cisco often tests the misconception that post-upgrade failures are always due to configuration mismatches, but the trap here is that intermediate firewall rules or ACL changes are frequently overlooked after an upgrade, even when all other parameters are verified as correct.

How to eliminate wrong answers

Option B is wrong because the engineer has already verified that the crypto ACL is correctly defined, so a missing interesting-traffic ACL is not the issue. Option C is wrong because if the crypto map were not applied to the correct interface, the tunnel would never have worked before the upgrade, and the engineer would have seen the misconfiguration during verification. Option D is wrong because an MTU that is too high typically causes fragmentation or performance issues, not a complete failure of IKEv2 tunnel establishment, and the tunnel was working before the upgrade with the same MTU.

888
MCQ · hard

An engineer notices that the 'show authentication sessions' command on a switch shows a session in 'CRITICAL' state. What does this indicate?

A. The host is being authenticated via MAB
B. The authentication server is unreachable and the port is using the critical VLAN
C. The port is administratively down
D. The authentication attempt was rejected by the RADIUS server
Answer: B

CRITICAL state indicates critical fallback.

Why this answer

The 'CRITICAL' state in 'show authentication sessions' indicates that the switch port has lost connectivity to the authentication server (RADIUS) and has fallen back to the configured critical VLAN. This is a failover mechanism defined in IEEE 802.1X and Cisco's critical-auth feature, where the port is placed into a pre-configured VLAN to maintain network access for the host despite the server being unreachable.

Exam trap

Cisco often tests the distinction between 'CRITICAL' (server unreachable) and 'AUTH_FAILED' (server reachable but rejects the host), so candidates mistakenly choose the rejected authentication option when they see 'CRITICAL'.

How to eliminate wrong answers

Option A is wrong because MAB (MAC Authentication Bypass) is an authentication method, not a state; a session in CRITICAL state means the authentication server is unreachable, not that MAB is being used. Option C is wrong because an administratively down port would show a state like 'DOWN' or 'NOT RUNNING', not 'CRITICAL', which specifically relates to authentication server reachability. Option D is wrong because a rejected authentication attempt by the RADIUS server would result in a state like 'AUTH_FAILED' or 'UNAUTHORIZED', not 'CRITICAL', which is reserved for server unreachability scenarios.

889
Multi-Select · medium

A security analyst observes a sustained increase in traffic from many different IP addresses to a single web application, causing CPU spikes. The traffic consists of legitimate-looking HTTP GET requests for the same resource. Which TWO types of attack could this be? (Choose two.)

Select 2 answers
A. Volumetric DDoS
B. DNS amplification attack
C. Distributed denial-of-service (DDoS) attack
D. Man-in-the-middle attack
E. Application layer DDoS (Layer 7) attack
Answers: C, E

Multiple sources indicate a distributed attack.

Why this answer

Application layer DDoS (Layer 7) uses legitimate-looking requests. A DDoS attack involves many sources. Volumetric DDoS is about bandwidth, not CPU. DNS amplification uses UDP reflection.

890
MCQ · hard

An enterprise is migrating a critical application to AWS. The architecture includes an Application Load Balancer (ALB) in front of EC2 instances across multiple Availability Zones. The application must be protected against common web exploits such as SQL injection and cross-site scripting. The security team decides to use AWS WAF. They also need to ensure that only traffic from the company's corporate IP range (203.0.113.0/24) is allowed to reach the application, except for a partner integration that requires access from a specific IP (198.51.100.5). Additionally, all traffic must be inspected by a third-party NGFW for advanced threat detection. The NGFW is deployed in a separate VPC connected via VPC Peering. The current configuration: ALB is internet-facing, WAF is associated with the ALB, and the NGFW is not in the traffic path. After deployment, traffic from corporate users is not being inspected by the NGFW, and partner traffic is being blocked. What is the most efficient solution to meet all requirements?

A. Configure AWS WAF rate-based rules to block non-corporate IPs and enable managed rules for SQL injection.
B. Change the ALB scheme to internal, update DNS to point to the NGFW's public IP, and configure the NGFW to forward traffic to the ALB after inspection. Create WAF rules to block non-corporate traffic except partner IP.
C. Deploy an additional ALB as a reverse proxy in front of the NGFW, and configure the WAF on the front ALB.
D. Set up a site-to-site VPN between the corporate network and the VPC, and route partner traffic through the VPN.
Answer: B

This ensures all traffic is inspected by the NGFW and only allowed IPs reach the ALB.

Why this answer

Option B is correct because it restructures the traffic flow so that all traffic first hits the NGFW (via its public IP) for advanced threat inspection, then the NGFW forwards clean traffic to the internal ALB. By changing the ALB to internal, it no longer accepts direct internet traffic, ensuring the NGFW is in the path. WAF rules on the ALB then enforce the IP allowlist (corporate range plus partner IP) and protect against SQL injection and XSS, meeting all requirements efficiently.

Exam trap

Cisco often tests the misconception that WAF alone can enforce IP allowlisting and that the NGFW can be placed after the ALB without changing the ALB scheme, but in reality, an internet-facing ALB receives traffic directly from the internet, bypassing any inline NGFW unless the ALB is made internal and traffic is routed through the NGFW first.

How to eliminate wrong answers

Option A is wrong because rate-based rules limit request rates rather than enforcing IP allowlisting; they would not block non-corporate IPs while exempting the partner IP, and they do not address the NGFW inspection requirement. Option C is wrong because deploying an additional ALB as a reverse proxy in front of the NGFW adds unnecessary complexity and cost; the NGFW itself can receive traffic directly, and the WAF should be on the ALB that serves the application, not on a front-end ALB that would still bypass NGFW inspection if not properly routed. Option D is wrong because a site-to-site VPN only secures traffic between the corporate network and the VPC; it does not solve the partner traffic access issue (the partner IP is external, not over the VPN) and does not place the NGFW in the traffic path for inspection.

891
MCQ · easy

Which of the following is a characteristic of a stateful firewall like Cisco ASA?

A. It filters traffic based solely on packet headers.
B. It maintains a state table of active connections.
C. It can only filter based on source IP address.
D. It requires a separate proxy for each application.
Answer: B

Correct. Stateful firewalls keep track of connections.

Why this answer

Stateful firewalls track the state of active connections and make decisions based on the state of the session.

892
MCQ · medium

A company uses Cisco Firepower Management Center (FMC) to manage multiple FTD devices. They want to create an access control policy that allows traffic from a specific user group (Active Directory) to access a web server on the internet, but blocks all other traffic from that group to the internet. Which identity source should be configured in FMC?

A. LDAP
B. Local user database
C. RADIUS
D. Active Directory realm
Answer: D

Correct. FMC integrates with AD via realm to retrieve user and group information.

Why this answer

To map users to traffic, FMC integrates with Active Directory via the Identity Policy. The identity source can be configured using AD realm, and then user identities can be used in access control rules.

893
MCQ · hard

An engineer is troubleshooting a Cisco WSA that is failing to block malware downloads from a specific cloud storage website. The URL filtering policy is set to block the 'Cloud Storage' category, and the Web Reputation score is set to block scores below -5.0. Users can still download files. What is the most likely cause?

A. The file type is not configured for malware inspection
B. HTTPS proxy decryption is not configured
C. The L4 Traffic Monitor is not enabled
D. The users are not authenticated
Answer: A

Malware inspection only applies to specified file types; if not included, downloads pass through.

Why this answer

The Cisco WSA can block malware downloads only if it inspects the file content. If the file type is not configured for malware inspection, the WSA will allow the download even if the URL category and reputation score are set to block. This is because malware inspection requires explicit configuration of file types (e.g., .exe, .zip) to scan for threats, and without it, the WSA bypasses deep content analysis.

Exam trap

Cisco often tests the misconception that URL filtering and reputation scores alone are sufficient to block malware, but the trap here is that malware inspection must be explicitly configured for specific file types to actually scan and block malicious content.

How to eliminate wrong answers

Option B is wrong because HTTPS proxy decryption is required to inspect encrypted traffic, but the question does not specify that the cloud storage website uses HTTPS; even if it does, the core issue is that the file type is not inspected, not the lack of decryption. Option C is wrong because the L4 Traffic Monitor is used for monitoring traffic flows and does not affect malware inspection or URL filtering decisions. Option D is wrong because user authentication is not required for URL filtering or malware inspection to apply; the WSA can enforce policies based on source IP or other criteria without authentication.

894
MCQ · hard

A network engineer is deploying a Cisco FTD in active/standby high availability. Which statement is true about the configuration synchronization?

A. Configuration changes on the active unit are automatically replicated to the standby unit.
B. Standby unit must be configured separately with identical settings.
C. Both units can be managed independently via FMC.
D. Failover is configured on the FTD directly without FMC.
Answer: A

FMC pushes configuration to both units; active changes are synced to standby.

Why this answer

In FTD HA, configuration is synchronized from active to standby via FMC. The standby unit does not accept configuration changes directly.

895
MCQ · hard

Based on the exhibit, what is the root cause of the AMP connector's inability to connect to the cloud?

A. The AMP cloud servers are blocking the connector's IP address.
B. The proxy server address is incorrect in the connector configuration.
C. The proxy requires authentication, and the AMP connector has no credentials configured.
D. The connector has no network connectivity to the internet.
Answer: C

The 407 error explicitly indicates proxy authentication failure.

Why this answer

The AMP connector is configured to use a proxy server, but the proxy requires authentication. Without credentials configured in the connector, the proxy will reject the HTTP CONNECT request (RFC 7231), preventing the connector from establishing the TLS tunnel to the AMP cloud. This is a common scenario when an organization uses an authenticated forward proxy, and the connector's proxy settings lack the username/password fields.

Exam trap

Cisco often tests the distinction between proxy reachability and proxy authentication; candidates see that the connector can reach the proxy and incorrectly assume the proxy address is correct, overlooking the missing credentials that cause the 407 error.

How to eliminate wrong answers

Option A is wrong because AMP cloud servers do not block specific connector IP addresses; they authenticate via API keys or certificates, not source IP. Option B is wrong because if the proxy server address were incorrect, the connector would fail to reach any proxy at all, but the exhibit shows the connector is reaching the proxy (as indicated by the proxy error response). Option D is wrong because the connector clearly has network connectivity to the internet—it successfully communicates with the proxy server, which is an internet-facing device.

896
MCQmedium

A large enterprise is migrating legacy applications to AWS. The security team requires that all data in transit between the applications and the on-premises data center be encrypted and inspected for threats. They have deployed a Cisco Firepower NGFW on-premises and are using Amazon VPC with a VPN connection. The team is concerned about east-west traffic within the VPC also being inspected. They consider deploying Cisco Secure Firewall in the cloud (cFMC). However, budget constraints limit the number of virtual firewalls. Which design best meets the requirements while optimizing cost?

A.Inspect all traffic at the on-premises Firepower by routing all cloud traffic through a VPN.
B.Deploy a Cisco Secure Firewall virtual instance in each VPC.
C.Use AWS Network Firewall for east-west inspection and keep Firepower on-premises for north-south.
D.Deploy a single Cisco Secure Firewall virtual instance in a transit VPC and route all inter-VPC traffic through it.
AnswerD

Correct: Central inspection reduces cost while covering east-west.

Why this answer

Option D is correct because deploying a single Cisco Secure Firewall virtual instance in a transit VPC allows centralized inspection of all inter-VPC (east-west) traffic while minimizing costs. By routing traffic through the transit VPC, you avoid the expense of deploying a firewall in every VPC, and the on-premises Firepower NGFW handles north-south traffic (VPN and internet-bound). This design meets the encryption and threat inspection requirements for both east-west and north-south traffic within the budget constraint.

Exam trap

Cisco often tests the concept that a single virtual firewall in a transit VPC can inspect east-west traffic cost-effectively, and the trap here is that candidates mistakenly think AWS Network Firewall (Option C) can replace Cisco Secure Firewall for unified threat inspection across hybrid environments, but it lacks the deep integration with on-premises Firepower and advanced threat detection features required by the scenario.

How to eliminate wrong answers

Option A is wrong because routing all cloud traffic through an on-premises VPN for inspection introduces significant latency, bandwidth bottlenecks, and single points of failure, and it does not efficiently inspect east-west traffic within the VPC (traffic between VPCs would hairpin through the VPN, violating AWS best practices). Option B is wrong because deploying a Cisco Secure Firewall virtual instance in each VPC would exceed the budget constraint and is overkill for east-west inspection; it also creates management complexity without centralizing policy. Option C is wrong because AWS Network Firewall is a managed service that can inspect east-west traffic, but it does not integrate with the on-premises Cisco Firepower NGFW for unified threat intelligence or policy management, and it cannot inspect traffic that is already encrypted end-to-end between applications (it lacks the same deep packet inspection capabilities as Cisco Secure Firewall).

897
MCQmedium

A large enterprise uses Cisco ISE with pxGrid to share context with Firepower for threat containment. When a Firepower detects an infected endpoint, it triggers a pxGrid quarantine action that changes the endpoint's authorization profile. The engineer observes that the quarantine is applied, but after the Firepower clears the threat, the endpoint does not regain its original access. What is the most likely reason?

A.Firepower failed to send the clearance message to ISE
B.The ISE session is not forced to reauthenticate after quarantine release
C.The network access device does not support CoA
D.ISE authorization policy is not ordered correctly
AnswerB

After quarantine release, ISE must send a CoA to reauthenticate the endpoint; otherwise the NAD maintains the original quarantine session.

Why this answer

pxGrid quarantine actions typically override the existing session and require a cleanup. If the endpoint is not forced to reauthenticate after quarantine release, it remains in the quarantine state. Option B is correct because the session on the NAD is not updated unless a CoA is sent.

Option A: Firepower sends the clearance message, but that alone does not trigger reauthentication. Option D: the ISE authorization policy is presumably ordered correctly. Option C: the NAD evidently supports CoA, since it accepted the quarantine.

So the answer is B.

898
Multi-Selectmedium

Which TWO conditions must be met for a Cisco switch to initiate 802.1X authentication? (Choose two.)

Select 2 answers
A.The switch port is configured with 'authentication port-control auto'.
B.The switch port is configured with 'switchport mode access'.
C.The endpoint has an 802.1X supplicant enabled.
D.The switch has a VLAN configured for guest access.
E.The switch has a reachable RADIUS server configured.
AnswersA, E

The 'authentication port-control auto' command enables 802.1X on the port.

Why this answer

Option A is correct because the 'authentication port-control auto' command places the switch port in 802.1X authentication mode, allowing it to initiate the authentication process when a new endpoint connects. Without this configuration, the port remains in a force-authorized state and will not trigger 802.1X exchanges.

Exam trap

Cisco often tests the misconception that the endpoint must have a supplicant enabled for the switch to initiate 802.1X, but in reality the switch initiates authentication regardless, and the supplicant is only needed for the endpoint to respond.
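As an added illustration (not part of the original question bank), a minimal Cisco IOS configuration that satisfies both conditions from the answer: a reachable RADIUS server and an access port set to 'authentication port-control auto'. The server name, IP address, shared secret, interface and VLAN are constructed placeholders.

```cisco
! Added example, not from the question bank. Server name, address,
! shared secret, interface and VLAN are constructed placeholders.
!
! Condition E: a reachable RADIUS server, and AAA told to use it for 802.1X
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
!
! Globally enable the 802.1X authenticator on the switch
dot1x system-auth-control
!
! Condition A: the port must be in 'auto' mode. The default is
! force-authorized, which never starts an EAPOL exchange.
! 'switchport mode access' is shown for a realistic port but is not
! what triggers 802.1X on its own.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
! Verification once an endpoint connects:
! show dot1x interface GigabitEthernet1/0/5
! show authentication sessions interface GigabitEthernet1/0/5
```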

899
MCQmedium

An organization uses Cisco ESA to filter inbound email. The security team notices that some phishing emails are reaching users despite having an anti-spam policy. Further analysis reveals that the emails are sent from a domain that is gray-listed but not blocked. What should the administrator do to prevent these emails without impacting legitimate emails?

A.Disable the Gray Mail feature in the anti-spam policy.
B.Create a content filter to quarantine the emails based on malicious URLs or attachment type.
C.Enable Retrospective Scanning to detect the phishing emails after delivery.
D.Add the sender IP address to the SenderBase block list.
AnswerB

Targets specific threat content.

Why this answer

Option B is correct because creating a content filter to quarantine emails based on malicious URLs or attachment type directly addresses the phishing threat without affecting legitimate emails. Since the domain is gray-listed (not blocked), the anti-spam policy considers the sender as suspicious but not malicious; a content filter can inspect the email content for specific indicators of compromise (e.g., known malicious URLs or dangerous attachment types like .exe or .js) and quarantine those emails, bypassing the gray-mail classification.

Exam trap

Cisco often tests the distinction between anti-spam policies (which classify based on sender reputation and content patterns) and content filters (which allow rule-based actions on specific email attributes), leading candidates to mistakenly choose options that modify the anti-spam policy or rely on post-delivery detection instead of pre-delivery prevention.

How to eliminate wrong answers

Option A is wrong because disabling the Gray Mail feature would remove the gray-listing classification entirely, potentially allowing more spam or phishing emails to reach users, and it does not specifically block the phishing emails. Option C is wrong because Retrospective Scanning (using Cisco Advanced Phishing Protection) detects threats after delivery and can recall messages, but it does not prevent the initial delivery; the question asks to 'prevent these emails' from reaching users. Option D is wrong because adding the sender IP address to the SenderBase block list would block all emails from that IP, which could impact legitimate emails if the IP is shared or if the sender uses a legitimate mail server that is temporarily compromised.

900
MCQmedium

An organization implements multi-factor authentication requiring a password and a fingerprint scan. Which two authentication factors are being used?

A.Knowledge and possession
B.Knowledge and inherence
C.Inherence and location
D.Possession and inherence
AnswerB

Correct answer. Password (knowledge) and fingerprint (inherence).

Why this answer

Password is a knowledge factor, fingerprint is an inherence (biometric) factor.

Cisco SCOR / CCNP Security Core 350-701 350-701 Questions 826–900 | Page 12/14 | Courseiva