Cisco SCOR / CCNP Security Core 350-701 (350-701) — Questions 901–975

988 questions total · 14 pages · All types, answers revealed

Page 13 of 14
901
Multi-Select · medium

A security analyst is investigating an alert from Cisco AMP for Endpoints. The analyst wants to perform remote actions on the endpoint. Which TWO actions are available in AMP for Endpoints? (Choose two.)

Select 2 answers
A. Just-in-time access
B. File quarantine
C. Remote shell
D. Password vaulting
E. Process isolation
Answers: B, C

Correct. AMP can quarantine a file on the endpoint.

Why this answer

AMP for Endpoints (now Cisco Secure Endpoint) lets the analyst quarantine a file on the endpoint and open a remote shell session on it for investigation. Process isolation is not one of its remote actions; endpoint isolation, which cuts the host off from the network except for the connector's own traffic, is a separate action. Just-in-time access and password vaulting are privileged-access-management features, not endpoint response actions.

902
MCQ · hard

A company uses AWS and wants to ensure that no EC2 instance has a public IP address attached to a security group that allows inbound SSH from 0.0.0.0/0. Which service can continuously monitor and alert on such misconfigurations?

A. Cisco Umbrella
B. CSPM
C. AWS CloudTrail
D. AWS WAF
Answer: B

Correct. CSPM checks cloud configurations against best practices.

Why this answer

CSPM (cloud security posture management) tools continuously evaluate the configuration of cloud accounts against benchmarks such as the CIS AWS Foundations Benchmark and alert on violations, for example a security group permitting TCP/22 from 0.0.0.0/0 on an instance that also has a public IP. CloudTrail records API calls but does not evaluate configuration state, AWS WAF filters HTTP requests to web applications, and Umbrella enforces DNS-layer policy; none of them assesses security-group posture.

903
MCQ · hard

An engineer is deploying Cisco ISE for guest access. The guest portal uses a self-provisioned username and password. To ensure secure credential transmission, which protocol should be enforced on the portal?

A. DNSSEC
B. RADIUS over TLS
C. HTTPS with a valid certificate
D. HTTP with redirect to captive portal
Answer: C

Encrypts credentials between client and portal.

Why this answer

Option C is correct because HTTPS with a valid certificate ensures that the username and password submitted by the guest are encrypted in transit between the browser and the Cisco ISE portal. This prevents man-in-the-middle attacks and credential sniffing, which is critical for a self-provisioned guest portal where users create their own credentials over an untrusted network.

Exam trap

Cisco often tests the distinction between securing the control plane (RADIUS/TLS) versus securing the user-facing portal (HTTPS), leading candidates to confuse RADIUS over TLS with web encryption.

How to eliminate wrong answers

Option A is wrong because DNSSEC is a protocol for authenticating DNS responses, not for securing HTTP traffic or credential transmission on a web portal. Option B is wrong because RADIUS over TLS (RadSec) secures communication between ISE and network devices (e.g., switches, WLCs), not between the end-user's browser and the guest portal. Option D is wrong because HTTP with redirect to captive portal transmits credentials in cleartext before any redirection occurs, exposing them to interception; the redirect itself does not provide encryption.

904
MCQ · hard

An administrator reviewed the log entry from the Cisco ESA exhibit. The DLP policy is set to 'Continue (with disclaimer)' for credit card matches. How should the policy be changed to prevent this data leakage?

A. Remove the DLP policy assignment for the Finance mail flow.
B. Change the DLP policy action from 'Continue' to 'Drop'.
C. Lower the DLP sensitivity threshold.
D. Enable TLS encryption on the policy.
Answer: B

Drop prevents delivery of messages containing credit card numbers.

Why this answer

Option B is correct because the current DLP policy action 'Continue (with disclaimer)' allows the email to be delivered after appending a disclaimer, which does not prevent data leakage. Changing the action to 'Drop' will block the email entirely, preventing the credit card data from leaving the organization. This directly addresses the requirement to stop the data leakage.

Exam trap

Cisco often tests the misconception that adding a disclaimer or encryption is sufficient to prevent data leakage, when in fact only blocking (Drop) or quarantining the message stops the actual transmission of sensitive content.

How to eliminate wrong answers

Option A is wrong because removing the DLP policy assignment for the Finance mail flow would disable all DLP scanning for that flow, which is an overreaction and does not target the specific issue of credit card matches; it would leave other potential violations unmonitored. Option C is wrong because sensitivity only changes how readily the policy matches (how much corroborating context a number needs before it counts as a credit card match); whatever the match rate, the action on a match is still 'Continue', so a matched message is delivered anyway. Option D is wrong because TLS only protects the hop between mail servers; it does not inspect or block the content of the message, so the credit card numbers still leave the organization, merely over an encrypted channel.

905
MCQ · hard

A Cisco FTD device is deployed in inline mode and is configured with an access control policy that includes an Intrusion Policy set to 'Balanced Security and Connectivity' and a File Policy with Malware & File blocking enabled. Traffic from a host inside to an external server is allowed by an access control rule. The administrator notices that a file download (PDF) is being blocked even though the file has a good reputation. What is the most likely cause?

A. The AMP cloud lookup returned an 'unknown' disposition and the policy blocks unknowns.
B. The access control rule requires a 'trust' action to bypass inspection.
C. The intrusion policy is set to 'Balanced' and the PDF contains a known exploit signature.
D. The file policy is configured to block PDF files regardless of disposition.
Answer: D

Correct. File policy can block file types even if they are not malicious.

Why this answer

A file policy can block on file type alone, independent of malware disposition: a file rule with the 'Block Files' action for the PDF type drops the download even when the AMP cloud returns a clean verdict, which is exactly what the administrator sees. The question says the file's reputation is good, so the disposition is not the trigger (option A), and the Balanced intrusion policy would only act on a matching intrusion rule (option C). A 'trust' action (option B) would bypass all inspection, which is not a diagnosis of the block.

906
MCQ · easy

A network administrator wants to centrally manage and enforce access policies for wired and wireless users. Which Cisco product provides this functionality?

A. Cisco Identity Services Engine (ISE)
B. Cisco Prime Infrastructure
C. Cisco Adaptive Security Appliance (ASA)
D. Cisco Wireless LAN Controller (WLC)
Answer: A

Central policy engine for network access.

Why this answer

Cisco Identity Services Engine (ISE) is the correct answer because it provides centralized policy management for both wired and wireless users through a unified, context-aware platform. ISE uses 802.1X, MAC Authentication Bypass (MAB), and posture assessment to enforce access policies based on user identity, device type, and location, integrating with network devices via RADIUS (RFC 2865) and TACACS+ for authentication, authorization, and accounting (AAA).

Exam trap

Cisco often tests the distinction between management/monitoring tools (Prime Infrastructure) and policy enforcement engines (ISE), leading candidates to confuse Prime's visibility features with ISE's centralized policy control.

How to eliminate wrong answers

Option B (Cisco Prime Infrastructure) is wrong because it is primarily a network management and monitoring tool for wired and wireless infrastructure, not a policy enforcement engine; it lacks the AAA and policy decision point capabilities of ISE. Option C (Cisco Adaptive Security Appliance (ASA)) is wrong because it is a firewall and VPN concentrator focused on perimeter security and traffic inspection, not centralized user access policy management for wired/wireless endpoints. Option D (Cisco Wireless LAN Controller (WLC)) is wrong because it manages wireless access points and client roaming but relies on an external AAA server like ISE for policy enforcement; it cannot centrally manage policies across both wired and wireless domains independently.

907
MCQ · medium

An organization is using Cisco FMC with FTD devices. They want to detect and block malware in HTTP traffic. Which policy component must be configured to inspect files and submit SHA-256 hashes to AMP cloud for disposition?

A. File Policy
B. Access Control Policy
C. Network Discovery Policy
D. Intrusion Policy
Answer: A

File policy inspects files and can perform AMP cloud lookup using SHA-256 to determine malware disposition.

Why this answer

File policy is used to inspect files, and it can be configured to send SHA-256 hashes to AMP cloud for malware detection. Intrusion policy is for signatures, access control policy for traffic flow, and network discovery for host detection.

908
Multi-Select · easy

Which TWO are valid methods for determining the SGT (Security Group Tag) assigned to an endpoint in a TrustSec deployment?

Select 2 answers
A. DNS resolution of the endpoint hostname
B. Static assignment on the network access device (switch) using the 'cts role-based sgt' command
C. The IP address of the endpoint
D. DHCP Option 141
E. Dynamic assignment from ISE based on authentication or authorization policy
Answers: B, E

The switch can hold static bindings: an IP address, subnet, VLAN, or port mapped to an SGT.

Why this answer

Option B is correct because static IP-to-SGT, subnet-to-SGT, VLAN-to-SGT, or port-to-SGT bindings can be configured on the network access device with the 'cts role-based sgt-map' family of commands (or a static SGT under 'cts manual' on a port). Option E is correct because ISE can return an SGT as part of the authorization result, carried in the RADIUS Access-Accept as the Cisco AV pair cts:security-group-tag; the switch then binds that SGT to the authenticated session's IP address.

Exam trap

The trap is assuming the endpoint itself learns or supplies its SGT. It does not: the SGT is a network-side classification held by the switch or ISE and propagated between devices by inline tagging or SXP. DHCP options and DNS play no part in it, and the endpoint's IP address (option C) is only the key of an IP-to-SGT binding, not a method of deciding the tag.

909
MCQ · hard

A cloud security team is investigating a possible data exfiltration incident involving an AWS S3 bucket configured with cross-region replication. Which Cisco Cloudlock feature can detect unusual replication patterns that may indicate data theft?

A. Umbrella threat intelligence
B. Stealthwatch Cloud flow logs
C. Firepower IPS signatures
D. Cloudlock User and Entity Behavior Analytics (UEBA)
Answer: D

UEBA detects behavioral anomalies in cloud services.

Why this answer

Cloudlock UEBA is the correct answer because it establishes behavioral baselines for user and entity activities, such as S3 bucket replication patterns. When cross-region replication deviates from the learned baseline—e.g., unusual volume, frequency, or destination—UEBA generates an anomaly alert, directly detecting potential data exfiltration. This is a core capability of Cisco Cloudlock's cloud access security broker (CASB) functionality.

Exam trap

The trap here is that candidates often confuse UEBA with network-based detection tools (like IPS or flow logs) or general threat intelligence feeds, failing to recognize that UEBA specifically addresses anomalous user and entity behavior in cloud environments like AWS S3.

How to eliminate wrong answers

Option A is wrong because Umbrella threat intelligence provides DNS-layer security and web proxy filtering, not behavioral analysis of cloud storage replication patterns. Option B is wrong because Stealthwatch Cloud flow logs analyze network traffic flows and IP behaviors, not S3 bucket replication events within AWS. Option C is wrong because Firepower IPS signatures detect known network-based attack patterns via deep packet inspection, not anomalous user or entity behavior in cloud APIs.

910
MCQ · easy

Which Cisco security product is primarily designed to provide DNS-layer security by blocking requests to malicious domains?

A. AMP for Endpoints
B. Firepower NGFW
C. Stealthwatch
D. Cisco Umbrella
Answer: D

Umbrella provides DNS-layer security as a key feature.

Why this answer

Cisco Umbrella is a cloud-based security solution that provides DNS-layer protection to block malicious domains before a connection is established.

911
MCQ · medium

An attacker uses ARP spoofing to intercept traffic between two devices on the same subnet. After successfully becoming a man-in-the-middle, the attacker can then perform which further attack to downgrade HTTPS connections to HTTP?

A. SSL stripping
B. Session hijacking
C. DNS cache poisoning
D. Typosquatting
Answer: A

SSL stripping downgrades secure connections to plaintext.

Why this answer

SSL stripping is a MITM attack in which the attacker intercepts the client's first plaintext HTTP request (or the server's redirect to HTTPS), keeps a normal HTTPS session to the real server itself, and serves the client an HTTP copy of the site with https:// links rewritten to http://, so the client never negotiates TLS. HSTS (a Strict-Transport-Security header, strongest when the domain is on the browser preload list) defeats it by making the browser refuse plaintext connections to that site. Session hijacking steals an existing session token; DNS cache poisoning and typosquatting send the user to the wrong host rather than downgrading a connection to the right one.

912
MCQ · hard

An organization is using Cisco Umbrella alongside Cisco AMP for Endpoints. A user reports that they cannot access a legitimate file-sharing website. However, the site is not categorized as malicious by Umbrella. What is the most likely reason for the block?

A. Cisco AMP's Intelligent Proxy detected the file download as potentially malicious and blocked it
B. The website's domain is in a custom block list
C. The endpoint's firewall is blocking the connection
D. The user is behind a proxy that is not configured with Umbrella
Answer: A

Umbrella's Intelligent Proxy can block files based on AMP's file reputation, even if the website is safe.

Why this answer

The Intelligent Proxy is a Cisco Umbrella feature, not part of the AMP for Endpoints connector: for domains Umbrella rates as risky (neither clearly safe nor clearly malicious), the DNS answer steers the client through Umbrella's proxy, which inspects the requested URL and any file download against Cisco AMP file reputation and antivirus engines. That lets Umbrella block a specific download or URL on a domain that is not itself categorized as malicious, which matches the scenario: the domain resolves normally, yet the user's request on it is blocked. Option A is the keyed answer because it is the only option describing that file-reputation block; its attribution of the Intelligent Proxy to AMP rather than Umbrella is loose wording.

Exam trap

Cisco often tests the distinction between Umbrella's DNS-layer policy (which blocks by domain category or destination list) and the Intelligent Proxy's URL- and file-level inspection (which uses AMP file reputation), leading candidates to assume a domain-level block when the block is actually at the file or URL level.

How to eliminate wrong answers

Option B is wrong because a custom destination list blocks the whole domain at the DNS layer and is reported in Umbrella as a block by that list; the scenario's premise is that Umbrella does not treat the domain as bad, so a domain-level block is not the explanation being tested. Option C is wrong because an endpoint firewall block would show up as a failed connection on the host, independent of Umbrella or AMP, and would not be tied to a file reputation verdict. Option D is wrong because if the user's traffic reached the Internet through a proxy that Umbrella knows nothing about, Umbrella could not enforce any policy at all, so no block would occur; the question is about a block that did occur, which requires Umbrella to be in the DNS path.

913
MCQ · easy

In the shared responsibility model for cloud security, which of the following is the customer responsible for in an IaaS deployment?

A. Hypervisor security
B. Operating system and application security
C. Network infrastructure security
D. Physical security of the data center
Answer: B

The customer is responsible for the OS, applications, and data.

Why this answer

In IaaS, the cloud provider manages the physical infrastructure, virtualization, and network, while the customer manages the operating system, applications, and data.

914
MCQ · medium

Refer to the exhibit. What is the most likely reason for the high number of 'No route to host' drops on a Cisco ASA?

A. Firewall is in transparent mode
B. Interface is down
C. Missing static route on the ASA
D. Incorrect NAT rule
Answer: C

Without a route to the destination, the ASA cannot forward the packet.

Why this answer

The 'No route to host' drop on a Cisco ASA indicates that the firewall has no valid route in its routing table to reach the destination IP address of the packet. Option C is correct because a missing static route (or dynamic route) for the destination network prevents the ASA from performing a route lookup, causing it to drop the packet with this specific syslog message. This is a Layer 3 forwarding issue, not a policy or NAT problem.

Exam trap

Cisco often tests the distinction between Layer 3 routing drops ('No route to host') and Layer 2/interface drops, or between routing issues and NAT/policy failures, so candidates must remember that 'No route to host' is exclusively a routing table lookup failure, not a firewall rule or interface problem.

How to eliminate wrong answers

Option A is wrong because a transparent-mode ASA bridges at Layer 2 and does not route; 'No route to host' is produced by the Layer 3 route lookup in routed mode. Option B is wrong because a down interface shows up as interface-down drops (and as the routes for that interface disappearing), not as this counter; the counter here is specifically a failed route lookup. Option D is wrong because NAT problems produce their own ASP drop reasons (for example nat-xlate-failed or nat-no-xlate-to-pat-pool). One caveat a troubleshooter should keep in mind: the route lookup is performed on the post-NAT (real) destination, so a NAT rule that un-translates to an address the ASA cannot route can also surface as no-route; 'packet-tracer' shows which phase actually failed.
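An added ASA CLI walkthrough (not from the page or the exhibit) showing how to confirm that the drops are routing drops and how to correct them. The addresses, interface names and gateway are constructed for illustration.

```cisco
! Constructed example: inside host 10.1.1.5 reaching 198.51.100.10 on TCP/80.
! 1. Confirm the drop reason: "no-route" is the ASP counter behind "No route to host".
ciscoasa# show asp drop frame no-route

! 2. Trace a synthetic packet through the box; the route-lookup phase shows
!    which interface (if any) the ASA would use and whether the packet drops there.
ciscoasa# packet-tracer input inside tcp 10.1.1.5 40000 198.51.100.10 80 detailed

! 3. Check the routing table for the destination.
ciscoasa# show route | include 198.51.100

! 4. Fix: add the missing route (here a default route toward the outside gateway 203.0.113.1).
ciscoasa# configure terminal
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
ciscoasa(config)# end

! 5. Re-run packet-tracer; the route phase should now succeed and the
!    no-route counter should stop incrementing.
ciscoasa# packet-tracer input inside tcp 10.1.1.5 40000 198.51.100.10 80
```

If the route exists but points out the wrong interface, packet-tracer shows the route phase succeeding and the failure moves to a later phase (NAT or ACL), which is how you tell a routing problem from a policy or NAT problem.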

915
MCQ · medium

A university is implementing 802.1X for student wireless networks using Cisco Wireless LAN Controllers (WLCs) and ISE. Students connect with their personal devices using PEAP-MSCHAPv2. During heavy usage, some students report authentication failures and sporadic disconnections. The network team examines the ISE live logs and sees many 'Authentication failed' entries with reason 'Internal error - unable to find a suitable proxy target'. The team has configured two ISE nodes as authentication proxies for the wireless subnets. What is the most likely cause of this issue?

A. The WLC is not configured to use the ISE proxy nodes as RADIUS servers
B. The RADIUS shared secret is mismatched between WLC and ISE
C. ISE node CPU is overloaded due to high authentication load
D. The proxy target rules in ISE do not match the WLC's NAS-IP-Address
Answer: D

Proxy target rules must include the NAS-IP-Address of the WLC to forward requests to the appropriate authentication node.

Why this answer

The reason 'unable to find a suitable proxy target' is raised when a request arrives at an ISE node acting as a RADIUS proxy and no proxy target rule in the RADIUS proxy sequence matches attributes of the incoming request, such as NAS-IP-Address. Option D is correct: with no matching rule, ISE has nowhere to forward the request and logs this internal error.

Option A would produce no ISE log entries at all for those users, because the WLC would never send the request to ISE. Option B would fail with a RADIUS authenticator or shared-secret error, not a proxy-target error. Option C would appear as latency, WLC retransmits and timeouts, not as a proxy target lookup failure.

916
Multi-Select · hard

An organization wants to deploy endpoint hardening measures. Which three of the following are considered endpoint hardening techniques? (Choose three.)

Select 3 answers
A. Application whitelisting
B. RADIUS authentication
C. EDR capabilities (file quarantine, process isolation)
D. Host-based IPS
E. SNMP polling
Answers: A, C, D

Correct. Whitelisting only allows approved applications to run.

Why this answer

Application whitelisting, host-based IPS, and EDR capabilities are all endpoint hardening techniques that protect endpoints by controlling what runs, detecting threats, and enabling response.

917
MCQ · hard

A company with 5,000 endpoints is using Cisco Secure Endpoint. The security team receives an alert that a specific file (SHA256: 8f4a...b2c) has been detected as malware on 10 endpoints. The file has been quarantined on those endpoints. The team wants to ensure that no other endpoints in the organization have this file. Which feature should be used to locate the file across all endpoints?

A. The Policy editor with file blacklist
B. Orbital Advanced Search
C. TETRA traffic analysis
D. The AMP Dashboard with event filters
Answer: B

Orbital can search across all endpoints for a specific file hash.

Why this answer

Orbital Advanced Search is the correct feature because it provides a powerful, query-based search capability across all endpoints managed by Cisco Secure Endpoint. It allows the security team to search for specific file hashes (like SHA256: 8f4a...b2c) across the entire endpoint fleet, identifying any endpoint that has the file present, regardless of whether it has been quarantined or not. This is the only option that enables proactive, organization-wide file discovery beyond simple alert-based or policy-driven actions.

Exam trap

Cisco often tests the distinction between reactive alert-based tools (like the AMP Dashboard) and proactive search capabilities (like Orbital), and the trap here is that candidates assume the dashboard's event filters can locate files across all endpoints, when in fact they only show events that have already been logged.

How to eliminate wrong answers

Option A is wrong because a blocklist (simple custom detection) attached to a policy is a preventive control: it quarantines matching files when they are written or executed on an endpoint, but offers no way to query endpoints for files already sitting on disk. Option C is wrong because TETRA is the offline antivirus engine inside the Secure Endpoint Windows connector, used for signature-based scanning on a single host; it is not a traffic analysis feature and not a fleet-wide search. Option D is wrong because the dashboard's event filters show events the connectors have already reported; an endpoint that holds the file but has not executed or scanned it generates no event, so the dashboard cannot prove the file is absent elsewhere.

918
MCQ · hard

A network engineer is troubleshooting a site-to-site IPsec VPN that fails to establish. The IKE phase 1 completes successfully, but phase 2 fails. The debug output shows 'IPSEC(validate_proposal): transform set proposal mismatch'. Both peers have the same transform set configured. What is the most likely cause?

A. Mismatched IPsec lifetime values
B. Missing route for the remote subnet
C. Mismatched encryption/authentication algorithms in the transform set
D. Incorrect pre-shared key
Answer: C

Even if both sets carry the same name, the expanded algorithms can differ; 'transform set proposal mismatch' means none of the proposals the initiator offered is acceptable to the responder.

Why this answer

The error 'IPSEC(validate_proposal): transform set proposal mismatch' indicates that the IPsec proposals the two peers exchange during IKE phase 2 (quick mode) do not agree. Even if the transform sets look identical in the configuration, a mismatch in the encryption algorithm (e.g., AES-256 vs AES-128) or the authentication algorithm (e.g., SHA-1 vs SHA-256) causes this failure. Since IKE phase 1 completed successfully, the pre-shared key is not the issue; routing is unrelated to the proposal check; and IPsec SA lifetimes do not have to match, because the peers negotiate the shorter of the two values.

Exam trap

Cisco often tests the distinction between IKE phase 1 and phase 2 failures, and the trap here is that candidates assume identical transform set names mean identical algorithms, ignoring that default values (like AES key length) can differ between devices or IOS versions.

How to eliminate wrong answers

Option A is wrong because IPsec SA lifetimes are not required to match; the peers settle on the shorter of the two, so differing values (e.g., 3600 vs 86400 seconds) do not by themselves fail the negotiation and do not produce a transform set mismatch. Option B is wrong because a missing route for the remote subnet would stop interesting traffic from reaching the VPN or cause packets to be dropped, but it would not produce a proposal mismatch during phase 2 negotiation. Option D is wrong because an incorrect pre-shared key fails IKE phase 1 (e.g., an authentication failure), not phase 2, and the question states phase 1 completes successfully. One caveat: a tunnel-mode versus transport-mode mismatch on the transform set produces the same 'proposal mismatch' message, so check the mode as well as the algorithms.
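An added IOS configuration contrast, not from the page, showing how two transform sets with the same name can still mismatch, and how to compare what each peer actually proposes. The transform-set name and the peers are constructed for illustration.

```cisco
! Peer A (constructed): explicit AES-256 encryption and SHA-256 integrity
crypto ipsec transform-set TS-VPN esp-aes 256 esp-sha256-hmac
 mode tunnel

! Peer B (constructed): same name, but "esp-aes" without a key length means AES-128,
! and esp-sha-hmac is SHA-1. Phase 2 fails with
! "IPSEC(validate_proposal): transform set proposal mismatch" although phase 1 is up.
crypto ipsec transform-set TS-VPN esp-aes esp-sha-hmac
 mode tunnel

! Fix on Peer B: make the algorithms (and the mode) identical to Peer A
crypto ipsec transform-set TS-VPN esp-aes 256 esp-sha256-hmac
 mode tunnel

! Verification on both peers: compare the expanded algorithm list, not the name
show crypto ipsec transform-set
! After interesting traffic brings the tunnel up, the SA shows the negotiated transform
show crypto ipsec sa | include transform

! Lifetimes may differ between peers; the shorter value is negotiated, so a
! lifetime difference alone does not produce the mismatch error.
crypto ipsec security-association lifetime seconds 3600
```

The habit this builds is to read 'show crypto ipsec transform-set' on both ends and compare algorithm by algorithm; the name is only a local label and is never sent to the peer.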

919
MCQ · easy

Which Cisco Duo authentication method involves a one-time code generated by a hardware token?

A. Bypass codes
B. TOTP
C. Push notification
D. Hardware token
Answer: D

Hardware token generates OTPs physically.

Why this answer

Hardware token generates a one-time passcode (OTP) that the user enters to authenticate.

920
MCQ · medium

A network engineer is configuring 802.1X on a switch port that connects to a VoIP phone and a PC behind the phone. Which authentication method should be used to authenticate both devices separately?

A. Single-host authentication
B. Multi-domain authentication (MDA)
C. MAC Authentication Bypass (MAB)
D. Guest VLAN
Answer: B
MDA enables separate authentication for voice and data domains on the same port.

Why this answer

Multi-domain authentication (MDA) lets one switch port authenticate two devices separately: one in the voice domain (the phone, on the voice VLAN) and one in the data domain (the PC behind it, on the access VLAN). Single-host mode allows only one MAC address on the port, MAB is an authentication method (not a host mode) and can be used for either device, and the guest VLAN is a fallback for clients that do not speak 802.1X.

921
Multi-Select · hard

An organization is implementing Privileged Access Management (PAM) using CyberArk integrated with Cisco SecureX. Which THREE capabilities are typically provided by such a PAM solution?

Select 3 answers
A. Firewall rule management
B. Session recording of administrative activities
C. Password vaulting for service accounts
D. Antivirus scanning of administrative workstations
E. Just-in-time access to critical systems
Answers: B, C, E

Session recording captures actions for auditing.

Why this answer

Session recording of administrative activities (Option B) is a core capability of CyberArk PAM, as it captures and logs all keystrokes, commands, and screen activity during privileged sessions. This recording is stored securely and can be replayed for audit and compliance purposes, integrating with Cisco SecureX for centralized visibility and threat detection.

Exam trap

The trap here is that candidates often confuse PAM capabilities with general security functions like firewall management or antivirus, forgetting that PAM specifically addresses privileged credential vaulting, session monitoring, and just-in-time access, not network or endpoint protection tasks.

922
MCQ · medium

Refer to the exhibit. An engineer configures this interface for 802.1X. Users report that after successful authentication, they are forced to reauthenticate every hour even though the authentication session is still active. What configuration change should be made to prevent reauthentication unless triggered by a change?

A. Increase 'dot1x timeout tx-period' to 60.
B. Change 'authentication timer reauthenticate' to 0.
C. Remove 'authentication periodic'.
D. Add 'authentication event server dead action authorize'.
Answer: C

Removing this command disables periodic reauthentication.

Why this answer

Option C is correct. The 'authentication periodic' command enables periodic reauthentication; 'authentication timer reauthenticate 3600' only sets its interval. Removing 'authentication periodic' stops the timer-driven reauthentication while leaving the session intact until a real event (link down, a CoA from ISE, or a new authentication on the port) ends it.

Option A is incorrect because tx-period governs how often the switch retransmits EAP-Request/Identity during initial authentication, not reauthentication. Option B is incorrect because 0 is not an accepted value for the reauthentication timer (the valid range starts at 1, and the keyword 'server' hands the interval to the RADIUS Session-Timeout attribute). Option D is incorrect because 'authentication event server dead action authorize' controls what happens when the RADIUS server is unreachable, not reauthentication behavior.
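An added IOS access-port configuration (not taken from the page; the exhibit is not reproduced here) that ties Q920 and Q922 together: multi-domain host mode for the phone-plus-PC case, and the periodic-reauthentication setting that causes the hourly prompts, followed by the fix. VLAN numbers and the interface are constructed.

```cisco
! Constructed example: phone on voice VLAN 20, PC on data VLAN 10, one access port.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control

interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Q920: authenticate the phone (voice domain) and the PC (data domain) separately
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 ! Q922, as in the problem: forces a reauthentication every 3600 s
 authentication periodic
 authentication timer reauthenticate 3600

! Q922 fix: remove periodic reauthentication. The session then lasts until
! link down, a CoA from ISE, or another session-ending event.
interface GigabitEthernet1/0/10
 no authentication periodic

! Alternative if ISE rather than the switch should own the interval: keep
! "authentication periodic" and let the RADIUS Session-Timeout attribute drive it.
! interface GigabitEthernet1/0/10
!  authentication timer reauthenticate server

! Verify host mode, both domains, and that no reauthentication timer is running
show authentication sessions interface GigabitEthernet1/0/10 details
```

With 'timer reauthenticate server', the switch reauthenticates only when ISE returns a Session-Timeout; an authorization profile that sends none gives the same effect as removing 'authentication periodic', while keeping the option to re-enable it centrally.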

923
MCQ · medium

Refer to the exhibit. A user has successfully authenticated via 802.1X. However, the SGT (Security Group Tag) assigned is 0, which is the default untagged value. Which configuration change would most likely allow ISE to assign a non-zero SGT for this user?

A. In ISE authorization profile, add Cisco AV pair 'cts:security-group-tag=15'
B. Enable 'cts manual' globally on the switch
C. Ensure that the switch has a RADIUS server defined with 'radius-server host 10.1.1.1 auth-port 1645'
D. Configure 'aaa authorization network default group radius' on the switch
E. Enable 'sgt caching' on the switch port
Answer: A

ISE must send the SGT as a RADIUS attribute in the Access-Accept. Currently, it is not sending any SGT, so SGT is 0.

Why this answer

Option A is correct because the SGT reaches the switch as a RADIUS attribute in the Access-Accept during 802.1X authorization: the Cisco AV pair cts:security-group-tag. In the product you select a Security Group in the ISE authorization profile and ISE encodes it as the SGT value in hex followed by a generation ID (of the form xxxx-yy, so SGT 15 appears as 000f-00); the option's 'cts:security-group-tag=15' is the exam's shorthand for that. If the Access-Accept carries no SGT, the switch leaves the session untagged, which shows as SGT 0, even though authentication succeeded.

Exam trap

Cisco often tests the misconception that simply enabling 802.1X authentication or configuring RADIUS server details is sufficient to receive a non-zero SGT, when in fact the SGT must be explicitly defined in the ISE authorization profile using the Cisco AV pair 'cts:security-group-tag'.

How to eliminate wrong answers

Option B is wrong because 'cts manual' is an interface-level command for inline SGT tagging on a link to another TrustSec-capable device (with a static SGT for that link configured under it); it does not make ISE return an SGT for an authenticated user. Option C is wrong because defining a RADIUS server with 'radius-server host 10.1.1.1 auth-port 1645' is a basic connectivity requirement for 802.1X, but it does not influence the SGT value ISE assigns; the user already authenticated, so RADIUS server reachability is not the issue. Option D is wrong because 'aaa authorization network default group radius' is a prerequisite (without it the switch would apply no RADIUS authorization result at all), but the user is already authorized, so it is not what is missing; the authorization profile on ISE must include the SGT.

Option E is wrong because 'sgt caching' on the switch port is used to store and reuse SGTs learned from other sources (e.g., from a trusted switch), but it does not cause ISE to assign a non-zero SGT; the SGT must first be assigned via RADIUS.
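An added switch-side configuration, not part of the page, covering both ways an SGT can be bound to an endpoint (Q908) and what the switch needs for the dynamic assignment described in Q923 to take effect. Addresses, VLANs, SGT values and the RADIUS server name are constructed; the ISE side is done in the authorization profile by selecting a Security Group, which makes ISE send cts:security-group-tag in the Access-Accept.

```cisco
! --- Q908, method B: static bindings on the switch, no ISE involvement ---
! IP-, subnet- and VLAN-to-SGT mappings
cts role-based sgt-map 10.1.20.50 sgt 15
cts role-based sgt-map 10.1.30.0/24 sgt 30
cts role-based sgt-map vlan-list 40 sgt 40

! --- Q908 method E / Q923: dynamic SGT from ISE via RADIUS ---
! The switch must request authorization and honor the returned
! cisco-av-pair cts:security-group-tag=<sgt-hex>-<generation> attribute.
aaa new-model
aaa authorization network default group radius
radius server ISE-PSN1
 address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
 key <shared-secret>
 ! PAC provisioning lets the switch download environment data and SGACLs from ISE
 pac key <pac-key>
cts role-based enforcement

! Uplink to another TrustSec device: inline tagging so the SGT travels with the packet.
! "cts manual" is an interface command for this purpose; it does not make ISE assign tags.
interface TenGigabitEthernet1/1/1
 cts manual
  policy static sgt 2 trusted

! --- Verification ---
! Per-session SGT: expect the value ISE returned, not 0, once the profile carries an SGT
show authentication sessions interface GigabitEthernet1/0/10 details
! All IP-to-SGT bindings, static and dynamic, with the source of each
show cts role-based sgt-map all
```

The sgt-map output is the quickest way to tell the two methods apart in a running network: static entries show the configured source, while bindings learned from 802.1X sessions show up as LOCAL bindings tied to the session's IP address.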

924
MCQ · medium

A DevOps team is building a CI/CD pipeline for a cloud-native application. They want to automatically check Terraform scripts for insecure configurations before deployment. Which tool should be integrated into the pipeline?

A. Container image scanner
B. SAST scanner
C. DAST scanner
D. Checkov
Answer: D

Checkov scans Terraform, CloudFormation, etc., for security issues.

Why this answer

Checkov is an open-source static analysis tool for Infrastructure as Code: it scans Terraform, CloudFormation, Kubernetes manifests and similar files against built-in policies for security misconfigurations before anything is deployed. A SAST scanner targets application source code, DAST tests a running application, and a container image scanner checks image layers for vulnerable packages; none of them evaluates Terraform resource definitions.

925
MCQ · easy

In the shared responsibility model for cloud security, which responsibility is the customer's in an IaaS deployment?

A. Physical security of data centers
B. Operating system security patches and updates
C. Network infrastructure including switches and routers
D. Hypervisor vulnerability management
Answer: B

The customer manages the OS, including patches.

Why this answer

In IaaS, the cloud provider manages the physical infrastructure and hypervisor, while the customer manages the operating system, applications, and data.

926
MCQ · medium

An engineer is configuring an ASA to allow inbound HTTP traffic from the outside to a server on the DMZ. The outside interface has security level 0 and the DMZ interface has security level 50. Which set of commands correctly implements the required access and NAT?

A. nat (outside,dmz) static 10.1.1.10; access-list dmz_access_in permit tcp any host 10.1.1.10 eq 80; access-group dmz_access_in in interface dmz
B. nat (inside,outside) static 10.1.1.10; access-list outside_access_in permit tcp any host 10.1.1.10 eq 80; access-group outside_access_in in interface outside
C. nat (dmz,outside) dynamic 10.1.1.10; access-list outside_access_in permit tcp any host 10.1.1.10 eq 80; access-group outside_access_in in interface outside
D. nat (dmz,outside) static 10.1.1.10; access-list outside_access_in permit tcp any host 10.1.1.10 eq 80; access-group outside_access_in in interface outside
Answer: D

Correct static NAT from DMZ to outside and ACL applied inbound on outside.

Why this answer

Traffic from outside (security level 0) to the DMZ (level 50) is denied by default, so two things are needed: a static NAT whose real side is the DMZ host and whose mapped side is the outside, i.e. nat (dmz,outside) static, and an ACL permitting TCP/80 to the server applied inbound on the outside interface. Option A reverses the NAT direction and applies the ACL to the wrong interface; option B names the wrong real interface; option C uses dynamic NAT, which cannot accept inbound connections because no translation exists until the DMZ host initiates one. From ASA 8.3 onward the ACL references the server's real address (10.1.1.10), which is how the options are written.
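The same design written out in ASA 8.3+ object NAT syntax, as an added example that is not from the page. The public address 203.0.113.10, the object name and the physical interfaces are constructed.

```cisco
! Constructed example: DMZ web server 10.1.1.10, published on the outside as 203.0.113.10
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50

! Option D's NAT as an object NAT: static, real side dmz, mapped side outside
object network DMZ-WEB
 host 10.1.1.10
 nat (dmz,outside) static 203.0.113.10

! Traffic from a lower (0) to a higher (50) security level is denied unless an ACL
! permits it. From 8.3 onward the ACL matches the REAL (untranslated) address.
access-list outside_access_in extended permit tcp any object DMZ-WEB eq 80
access-group outside_access_in in interface outside

! Verify: trace an inbound SYN from an Internet host to the public address;
! the NAT phase should un-translate to 10.1.1.10 and the ACL phase should permit.
packet-tracer input outside tcp 198.51.100.7 51000 203.0.113.10 80
```

Writing the ACL against 'object DMZ-WEB' rather than the mapped address is the detail that trips up engineers coming from pre-8.3 code, where the ACL had to name the translated address.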

927
MCQ · easy

Which Cisco Firepower management option is used for on-box management of a single FTD device, without a separate management center?

A. FDM (Firepower Device Manager)
B. Cisco Defense Orchestrator
C. FMC (Firepower Management Center)
D. ASA CLI
Answer: A

Correct. FDM is built into the FTD and manages a single device.

Why this answer

Firepower Device Manager (FDM) is the on-box management interface for a single FTD device. FMC is a centralized management platform for multiple devices.

928
MCQ · medium

A network administrator is configuring site-to-site IPsec VPN between two Cisco ASAs using IKEv2. They want to ensure that only specific subnets are encrypted, using Virtual Tunnel Interface (VTI). Which configuration element is essential for VTI?

A. A crypto map applied to the physical interface.
B. A tunnel interface with an IP address and a crypto map.
C. A transform set with ESP encryption and authentication.
D. An ISAKMP policy with pre-shared key.
Answer: B

Correct. VTI requires a tunnel interface with an assigned IP address and a crypto map applied to it.

Why this answer

VTI uses a tunnel interface that is dedicated to the VPN, and the crypto map is applied to the tunnel interface rather than the physical interface. For IKEv2, the tunnel mode is enabled and the crypto map is applied to the VTI.

929
Multi-Select · hard

An organization is deploying Cisco WSA to enforce acceptable use policies. The administrator wants to block access to social media and streaming video, while also decrypting HTTPS traffic for these categories. Which THREE configuration steps are required?

Select 3 answers
A. Install a trusted root CA certificate on all client devices
B. Enable SSL decryption for those categories
C. Configure URL filtering to block the 'Social Networking' and 'Streaming Media' categories
D. Enable AMP file scanning
E. Configure WCCP on the router
Answers: A, B, C

Clients must trust the WSA's CA to avoid certificate warnings.

Why this answer

To block and decrypt HTTPS traffic for specific categories, you need URL filtering for those categories, a decryption policy that covers them, and client trust of the WSA's root CA so that the decrypted sessions do not raise certificate warnings.

930
MCQ · medium

A network administrator wants to deploy Cisco WSA as a transparent proxy to inspect web traffic without changing browser settings. Which protocol should be used to redirect traffic to the WSA?

A. PAC files
B. WCCP
C. WPAD
D. GRE tunneling
Answer: B

Correct. WCCP is used for transparent redirection.

Why this answer

WCCP (Web Cache Communication Protocol) allows routers to redirect web traffic to the WSA transparently.

931
MCQ · medium

An organization uses Cisco ESA and wants to implement a policy that automatically encrypts emails containing credit card numbers before delivery. What feature should be used?

A. Anti-spam engine
B. Anti-virus engine
C. Email authentication (SPF, DKIM)
D. DLP policy with encryption action
Answer: D

DLP can trigger encryption based on policy.

Why this answer

D is correct because Cisco ESA includes a Data Loss Prevention (DLP) feature that can scan email content for sensitive data patterns, such as credit card numbers (matching Luhn algorithm and known issuer prefixes). When a match is found, the DLP policy can trigger an encryption action, automatically encrypting the email before delivery to protect the sensitive information in transit.

Exam trap

The trap here is that candidates confuse DLP with anti-spam or anti-virus engines, assuming any security feature can handle content-based encryption, but only DLP policies have the specific content inspection and policy-driven encryption action capability in Cisco ESA.

How to eliminate wrong answers

Option A is wrong because the Anti-spam engine is designed to detect and filter unsolicited bulk email (spam) based on reputation and content analysis, not to identify sensitive data like credit card numbers or apply encryption. Option B is wrong because the Anti-virus engine scans for malware signatures and malicious attachments, not for pattern-based sensitive data, and cannot enforce encryption actions. Option C is wrong because Email authentication (SPF, DKIM) validates the sender's domain and message integrity to prevent spoofing and phishing, but it does not inspect message content for credit card numbers nor apply encryption.

932
MCQ · medium

Refer to the exhibit. A host with IP address 10.0.0.5 sends traffic to destination 192.168.2.10. The traffic is not being translated. What is the most likely cause?

A. The security-level of the inside interface is too high to allow NAT.
B. The ACL INSIDE_NAT does not permit traffic to the destination network 192.168.2.0/24.
C. The interface outside does not have a valid IP address assigned.
D. The NAT statement uses source dynamic instead of source static; dynamic cannot translate internal IPs.
Answer: B

The ACL only permits traffic to 192.168.3.0/24, so 192.168.2.0/24 traffic is not matched and hence not translated.

Why this answer

The access-list INSIDE_NAT permits traffic to network 192.168.3.0/24, but the destination is 192.168.2.10, which is not matched. Therefore, NAT is not applied to that traffic. Option B is correct.

Options A, C, and D are not relevant because the security level does not affect NAT, the outside interface has an IP address, and dynamic NAT is allowed.

933
MCQ · medium

An engineer is configuring Cisco ISE for 802.1X authentication. The network has many printers and IP phones that do not support 802.1X supplicant software. Which ISE feature should be used to allow these devices to authenticate?

A. Posture assessment
B. MAC Authentication Bypass (MAB)
C. Guest access with sponsor portal
D. Profiling via DHCP probe
Answer: B

MAB authenticates devices by MAC address when 802.1X supplicant is not available.

Why this answer

MAC Authentication Bypass (MAB) allows non-802.1X-capable devices to authenticate based on their MAC address.

934
MCQ · hard

A large enterprise uses Cisco ISE for network access control with 802.1X authentication (PEAP-MSCHAPv2) on wired ports. Access switches are Cisco Catalyst 3850s running IOS-XE 16.9, and ISE is version 2.7 with all patches. Recently, users in the finance department report intermittent connectivity issues when connecting to the network. The issue is sporadic: a user may connect successfully one day, then fail multiple times the next day. Switch logs show frequent 'EAP timeout' errors for these users. The network team has verified that the RADIUS servers are reachable and have sufficient CPU and memory. The ISE logs show no authentication failures, only that some EAP conversations are dropped mid-exchange. What is the most likely cause of these intermittent failures?

A. The switch is configured with a RADIUS timeout value that is too low.
B. The switch port is configured with a dynamic VLAN assignment that does not exist on the switch.
C. The user's machine certificate has expired.
D. The ISE server is configured with an incorrect shared secret for the switch.
Answer: A

A low timeout can cause the switch to abort EAP exchanges when network latency spikes, leading to intermittent timeouts.

Why this answer

The EAP timeout errors and the intermittent nature of the problem point to the RADIUS timeout being too low on the switch, causing it to drop EAP conversations during periods of high latency. Options B, C, and D would cause consistent failures for affected users, not intermittent issues.

935
Multi-Select · medium

A security analyst is investigating a malware outbreak. Analysis reveals a remote access trojan (RAT) that communicates with a command-and-control (C2) server. Which TWO behaviors are typical of a RAT? (Choose two.)

Select 2 answers
A. Encrypts files and demands ransom
B. Steals sensitive data from the system
C. Logs keystrokes and captures credentials
D. Performs distributed denial-of-service attacks
E. Allows remote control of the infected system
Answers: C, E

Many RATs include keylogging functionality.

Why this answer

RATs provide remote control, often allowing data exfiltration and keystroke logging. Ransomware encrypts files, and botnets perform DDoS; those are not typical RAT behaviors.

936
MCQ · easy

Which cryptographic algorithm is considered deprecated and should be avoided due to known vulnerabilities, especially when used in digital signatures and certificate signing?

A. SHA-256
B. SHA-3
C. AES-256
D. MD5
Answer: D

MD5 is broken and should not be used for cryptographic purposes.

Why this answer

MD5 is a hashing algorithm with known collision vulnerabilities, making it unsuitable for security-sensitive applications like digital signatures.

937
Multi-Select · hard

A security analyst needs to investigate a potential breach on an endpoint. Cisco AMP for Endpoints provides several EDR capabilities. Which three actions can the analyst perform using AMP's EDR features? (Choose three.)

Select 3 answers
A. SGT assignment
B. VLAN reassignment
C. Remote shell investigation
D. Process isolation
E. File quarantine
Answers: C, D, E

Allows interactive command-line investigation of the endpoint.

Why this answer

Cisco AMP's EDR capabilities include file quarantine, process isolation, and remote shell investigation. These allow investigation and containment of threats on endpoints.

938
MCQ · hard

An enterprise is deploying a hybrid email security solution using Cisco Email Security Appliance (ESA) on-premises and Cisco Cloud Email Security (CES). The organization wants to use the cloud for spam filtering while the on-premises ESA handles DLP and encryption for sensitive data. Inbound emails should be processed by the cloud first, then sent to the on-premises ESA. Which architecture correctly implements this requirement?

A. MX record → On-premises ESA → Internal mail server, with a separate smart host via CES
B. MX record → Dual MX pointing to both CES and ESA
C. MX record → On-premises ESA → Cisco CES → Internal mail server
D. MX record → Cisco CES → On-premises ESA (internal mail server)
Answer: D

This flow ensures cloud spam filtering first, then DLP/encryption on-premises.

Why this answer

Option D is correct because it places Cisco CES (cloud) first in the email flow to handle spam filtering, then forwards the cleaned messages to the on-premises ESA for DLP and encryption before delivery to the internal mail server. This matches the requirement that inbound emails be processed by the cloud first, then the on-premises ESA, with CES acting as the initial SMTP gateway via MX record.

Exam trap

Cisco often tests the order of processing in hybrid email architectures, and the trap here is that candidates mistakenly think the on-premises ESA should be the first hop (Option C) or that dual MX records can enforce sequential processing (Option B), when in reality the MX record must point to the cloud service to ensure the correct flow.

How to eliminate wrong answers

Option A is wrong because it sends inbound emails directly to the on-premises ESA first, bypassing the cloud spam filtering, and the separate smart host via CES would only be used for outbound or relay traffic, not for the required inbound flow. Option B is wrong because dual MX records pointing to both CES and ESA would cause load balancing or failover, not sequential processing; inbound emails could arrive at either device first, violating the requirement that cloud processes first. Option C is wrong because it places the on-premises ESA before CES in the flow, meaning inbound emails hit the on-premises ESA first, which contradicts the requirement that cloud handles spam filtering before the on-premises ESA handles DLP and encryption.

939
MCQ · medium

When a certificate is revoked, which protocol allows a client to check the revocation status in real-time without downloading a full CRL?

A. CRL (Certificate Revocation List)
B. PKI certificate chain
C. SSL/TLS handshake
D. OCSP (Online Certificate Status Protocol)
Answer: D

OCSP allows real-time checking.

Why this answer

OCSP (Online Certificate Status Protocol) provides real-time revocation status without the overhead of CRLs.

940
Multi-Select · medium

An administrator is configuring 802.1X on a switch port for both an IP phone and a PC. Which two commands should be configured to support this scenario? (Choose two.)

Select 2 answers
A. authentication host-mode multi-domain
B. dot1x pae authenticator
C. authentication violation restrict
D. authentication port-control auto
E. authentication host-mode multi-auth
Answers: A, D

Allows one voice and one data device.

Why this answer

Option A is correct because the `authentication host-mode multi-domain` command allows one device in the voice domain (IP phone) and one device in the data domain (PC) to authenticate on the same switch port. This is the standard Cisco configuration for a phone-PC daisy-chain topology, where the phone acts as a bridge and the switch must distinguish between the two devices using separate VLANs (voice and data).

Exam trap

Cisco often tests the distinction between `multi-domain` and `multi-auth`; the trap here is that candidates mistakenly choose `multi-auth` thinking it supports multiple devices, but it does not enforce the separate voice and data domains needed for a phone and PC.

941
Multi-Select · hard

Which TWO configuration steps are required to enable Cisco AMP for Endpoints to use the Threat Grid appliance for file analysis?

Select 2 answers
A. Configure the AMP connector policy to submit files to the on-premises Threat Grid appliance.
B. Enable SSL decryption in the AMP connector policy.
C. Register the Threat Grid appliance in the AMP cloud as a private analysis provider.
D. Ensure the firewall allows inbound traffic to the Threat Grid appliance from the internet.
E. Install the Cisco Threat Grid Connector on each endpoint.
Answers: A, C

The connector policy must specify the Threat Grid appliance as the target for file analysis.

Why this answer

Option A is correct because the AMP for Endpoints connector policy must be configured to submit files to the on-premises Threat Grid appliance. This directs the endpoint connector to send suspicious files to the local Threat Grid for dynamic analysis instead of the public cloud. Option C is correct because the Threat Grid appliance must be registered in the AMP cloud as a private analysis provider, which creates a secure tunnel (using TLS) between the AMP cloud and the on-premises appliance, enabling file submission and result retrieval.

Exam trap

Cisco often tests the misconception that inbound firewall rules are needed for on-premises appliances, when in fact the Threat Grid appliance initiates outbound connections to the AMP cloud, making option D a common distractor.

942
MCQ · hard

A large enterprise recently migrated to Cisco Email Security Appliance (ESA) for inbound email filtering. The security team notices an increasing number of phishing emails that bypass the spam filter. Analysis shows that these emails originate from a legitimate but compromised domain (example-bank.com), use valid DKIM signatures, and have low spam scores due to carefully crafted benign text and embedded images. The team already has SenderBase enabled and uses the default spam threshold. The CEO received a convincing phishing email that led to a credential leak. Which course of action should the security team take to best mitigate this threat without causing significant false positives?

A. Increase the spam threshold to catch lower-scoring emails.
B. Enable graymail filtering to categorize these emails as bulk suspicious.
C. Create a content filter that detects the domain 'example-bank.com' in the envelope sender and sets the action to 'drop'.
D. Implement DMARC with a quarantine policy for the domain.
Answer: C

This directly blocks emails from the known malicious domain without affecting other domains, minimizing false positives.

Why this answer

Option C is correct because creating a content filter to detect the specific malicious domain in the envelope sender (MAIL FROM) and applying a 'drop' action directly blocks emails from that domain. This is a targeted approach that does not affect other domains. Option B is incorrect because graymail filtering is for newsletters and bulk mail, not for targeted phishing.

Option A is incorrect because increasing the spam threshold may cause more false positives and may still not catch these low-scoring emails. Option D is incorrect because DMARC with quarantine would only help if the domain were being spoofed, but the emails are actually coming from the legitimate domain, which is compromised.

943
MCQ · easy

A company has deployed Cisco Umbrella with a virtual appliance (VA) for content filtering. Users report that some websites are not loading properly, and the helpdesk suspects that the VA is blocking legitimate traffic. The network administrator checks the VA dashboard and sees that the VA is passing traffic normally. However, the administrator notices that the VA's upstream DNS server is set to a public resolver (208.67.222.222) instead of the company's internal DNS servers. This causes internal hostnames to resolve incorrectly. The company uses Active Directory with domain-joined computers. What should the administrator do to resolve the issue?

A. Add a conditional forwarder in the internal DNS for all .local domains.
B. Configure the clients to use Umbrella's DNS directly instead of the VA.
C. Disable Umbrella content filtering for internal domain names.
D. Change the upstream DNS server in the VA configuration to point to the internal DNS servers.
Answer: D

Correct: This enables proper resolution of internal names.

Why this answer

The virtual appliance (VA) acts as a forwarding proxy; it receives DNS queries from clients, forwards them to its configured upstream DNS server, and applies content filtering policies. When the upstream DNS is set to a public resolver like 208.67.222.222 (OpenDNS), the VA cannot resolve internal Active Directory domain names (e.g., .local or internal FQDNs) because the public resolver has no knowledge of the private DNS zone. Changing the upstream DNS server to the company's internal DNS servers allows the VA to resolve both internal and external names correctly, while still applying Umbrella's content filtering policies to external traffic.

Exam trap

Cisco often tests the misconception that content filtering policies are the root cause of resolution failures, when in fact the underlying DNS forwarding chain is misconfigured, leading candidates to incorrectly focus on filtering rules or client-side changes rather than the upstream DNS server setting.

How to eliminate wrong answers

Option A is wrong because adding a conditional forwarder in the internal DNS for .local domains does not affect the VA's upstream DNS configuration; the VA itself must be pointed to the internal DNS servers to resolve internal hostnames. Option B is wrong because configuring clients to use Umbrella's DNS directly bypasses the VA entirely, removing the content filtering enforcement that the company has deployed. Option C is wrong because disabling Umbrella content filtering for internal domain names is not a configuration option in the VA; the issue is DNS resolution, not filtering policy, and the VA must be able to resolve internal names before any filtering can be applied.

944
MCQ · easy

A network engineer needs to implement a security solution that provides encryption, integrity, and authentication at Layer 2 between two switches. Which technology should be used?

A. SSL/TLS
B. IPsec
C. 802.1X
D. MACsec
Answer: D

MACsec provides Layer 2 encryption, integrity, and authentication.

Why this answer

MACsec (IEEE 802.1AE) provides hop-by-hop encryption, integrity, and authentication at Layer 2 (the data link layer) directly on Ethernet frames. It uses GCM-AES-128 or GCM-AES-256 to encrypt the entire payload and authenticate the frame, ensuring confidentiality and integrity between directly connected switches without requiring IP-layer processing.

Exam trap

Cisco often tests the distinction between Layer 2 encryption (MACsec) and Layer 3 encryption (IPsec), and the trap here is that candidates confuse 'encryption between switches' with IPsec because IPsec is the most commonly known encryption protocol, but it operates at a higher layer and requires IP routing.

How to eliminate wrong answers

Option A is wrong because SSL/TLS operates at Layer 4 (Transport Layer) and is designed for securing application-layer communications like HTTPS, not for encrypting Layer 2 Ethernet frames between switches. Option B is wrong because IPsec operates at Layer 3 (Network Layer) and secures IP packets between hosts or networks, requiring IP routing and not providing Layer 2 frame-level encryption between directly connected switches. Option C is wrong because 802.1X is a port-based network access control (NAC) protocol used for authentication of devices at the access layer, but it does not provide encryption or integrity for data frames; it only controls admission to the network.

945
MCQ · medium

A network administrator is troubleshooting an issue where users in the finance VLAN are unable to access a critical server in the server VLAN. The switch logs show multiple 'Authentication failed' messages for MAC addresses in the finance VLAN. The switchport security feature is enabled on the access ports. What is the most likely cause of the issue?

A. The switch ports are configured as trunks and are not allowing the finance VLAN.
B. 802.1X authentication is failing for the finance users.
C. Spanning Tree Protocol (STP) is blocking the ports in the finance VLAN.
D. Switchport security violation has caused the ports to error-disable or drop traffic.
Answer: D

Switchport security violation can disable the port or drop traffic from unauthorized MAC addresses.

Why this answer

The switch logs show 'Authentication failed' messages for MAC addresses in the finance VLAN, and switchport security is enabled. When a switchport security violation occurs (e.g., due to a MAC address limit or an unauthorized MAC address), the port can be configured to error-disable or drop traffic. This explains why users in the finance VLAN cannot reach the server, as the access ports are effectively blocking traffic due to the security violation.

Exam trap

Cisco often tests the distinction between switchport security MAC authentication and 802.1X authentication; the trap here is assuming 'Authentication failed' always refers to 802.1X, when it can also be generated by switchport security's 'restrict' or 'shutdown' violation modes.

How to eliminate wrong answers

Option A is wrong because the question states switchport security is enabled on access ports, not trunk ports, and the issue is specific to the finance VLAN's access ports, not trunk VLAN filtering. Option B is wrong because 802.1X authentication is a separate IEEE 802.1X-based network access control mechanism; the logs mention 'Authentication failed' in the context of switchport security MAC address authentication, not 802.1X EAPOL exchanges. Option C is wrong because Spanning Tree Protocol (STP) blocking would cause a different log message (e.g., 'topology change' or 'port moved to blocking state') and would not generate 'Authentication failed' messages; STP operates at Layer 2 to prevent loops, not to authenticate MAC addresses.

946
MCQ · hard

While troubleshooting an issue where Cisco ESA occasionally fails to process inbound messages, the administrator checks the listener settings and sees that the 'Pool of listeners' option is configured. The mail logs show 'Connection refused' errors during peak hours. What is the most likely cause?

A. The listener service is stopped
B. Listener pool has too few listeners or the pool is misconfigured
C. The sender's IP is blacklisted
D. DNS resolution failure for the sending MTA
Answer: B

A pool of listeners shares the same IP:port and can become exhausted when too many simultaneous connections arrive.

Why this answer

The 'Connection refused' error during peak hours indicates that the Cisco ESA's listener service is actively rejecting new SMTP connections because the configured listener pool has reached its maximum capacity. The 'Pool of listeners' option defines a set of listener processes that handle inbound mail; if the pool size is too small for the traffic volume, new connections are refused. This is a resource exhaustion issue specific to the listener pool, not a service outage or external blocking.

Exam trap

Cisco often tests the distinction between a stopped service (which causes persistent failures) and a resource-exhausted pool (which causes intermittent failures during high load), leading candidates to mistakenly choose 'listener service is stopped' when the logs show 'Connection refused' only at peak times.

How to eliminate wrong answers

Option A is wrong because if the listener service were stopped, the error would be 'Connection refused' consistently at all times, not only during peak hours, and the mail logs would show a persistent failure rather than intermittent peak-hour issues. Option C is wrong because a blacklisted sender IP would result in a 5xx rejection with a specific anti-spam or reputation-based message in the logs, not a generic 'Connection refused' error. Option D is wrong because DNS resolution failure for the sending MTA would cause a 'Name or service not known' or timeout error during the SMTP handshake, not a 'Connection refused' which occurs at the TCP layer before any DNS lookup is relevant.

947
MCQ · medium

An engineer is configuring Cisco ISE for 802.1X authentication in a corporate network. A printer that does not support 802.1X needs to be granted network access. Which method should the engineer use to authenticate the printer?

A. Guest Portal
B. PEAP-MSCHAPv2
C. EAP-TLS
D. MAB
Answer: D

MAB uses the MAC address of the device for authentication, suitable for non-supplicant devices like printers.

Why this answer

MAC Authentication Bypass (MAB) allows devices that cannot run an 802.1X supplicant to authenticate based on their MAC address. The printer's MAC is used as the credential against the authentication server.

948
MCQ · medium

A company receives a spear-phishing email that appears to come from the CEO requesting an urgent wire transfer. What type of email attack is this?

A. Whaling
B. Phishing
C. Spear Phishing
D. Malspam
Answer: A

Whaling specifically targets high-profile executives.

Why this answer

Whaling targets senior executives with personalized attacks.

949
MCQ · easy

An S3 bucket policy is shown. What does the condition "aws:SecureTransport": "true" enforce?

A. Only requests from specific IP ranges are allowed
B. Only requests using server-side encryption with KMS are allowed
C. All requests must be authenticated using AWS IAM and MFA
D. All requests to the bucket must use HTTPS
Answer: D

SecureTransport ensures the connection is encrypted via SSL/TLS.

Why this answer

The condition `"aws:SecureTransport": "true"` in an S3 bucket policy enforces that all requests to the bucket must be made over HTTPS (TLS). This ensures that data in transit is encrypted, preventing man-in-the-middle attacks or eavesdropping. The condition evaluates the `aws:SecureTransport` key, which is `true` only when the request uses SSL/TLS.

Exam trap

Cisco often tests the distinction between encryption in transit (HTTPS) and encryption at rest (SSE), so candidates mistakenly associate `aws:SecureTransport` with server-side encryption or KMS rather than the transport layer security.

How to eliminate wrong answers

Option A is wrong because restricting requests to specific IP ranges is enforced using the `aws:SourceIp` condition key, not `aws:SecureTransport`. Option B is wrong because server-side encryption with KMS is enforced using the `s3:x-amz-server-side-encryption-aws-kms-key-id` condition key, not `aws:SecureTransport`. Option C is wrong because requiring IAM authentication and MFA is enforced using the `aws:MultiFactorAuthPresent` condition key, not `aws:SecureTransport`.

950
Multi-Select · hard

Which TWO indicators of compromise (IOCs) can Cisco AMP for Endpoints detect and alert on?

Select 2 answers
A. Malicious DNS queries
B. Phishing email headers
C. Fileless attack techniques (e.g., PowerShell injection)
D. File-based malware (via file reputation and analysis)
E. Anomalous network traffic patterns
Answers: C, D

AMP behavioral analysis detects fileless attacks by monitoring process behavior.

Why this answer

Cisco AMP for Endpoints uses advanced endpoint detection capabilities, including behavioral analysis and machine learning, to detect fileless attack techniques such as PowerShell injection. These techniques do not rely on traditional file-based signatures, but AMP monitors process execution, script activity, and memory patterns to identify malicious behavior in real time.

Exam trap

Cisco often tests the distinction between endpoint-based detection (AMP) and network-based detection (e.g., Umbrella, Stealthwatch), leading candidates to incorrectly select network-related IOCs like malicious DNS queries or anomalous traffic patterns.

951
MCQ · hard

A large enterprise uses Cisco TrustSec to enforce segmentation between departments. The network consists of Cisco Catalyst switches running IOS XE with IP ACLs and Security Group Tags (SGTs). The security policy requires that traffic from the Engineering group (SGT=10) to the Finance group (SGT=20) be allowed only to TCP port 443. The administrator configures a Security Group Access Control List (SGACL) on Cisco ISE with a permit statement for TCP 443 and a deny for all other traffic, and pushes it to the switches. After deployment, they notice that Engineering users can access Finance servers not only on TCP 443 but also on other ports. The administrator verifies that the SGACL is correctly configured on ISE and that the switches are receiving the SGTs. Additionally, the switches have IP ACLs on the interfaces. What is the most likely cause of this issue?

A. The SGT classification is not occurring on the access switches.
B. The SGACL is applied only on the inbound direction of the interface.
C. The switches are not running Cisco TrustSec-compatible software.
D. The IP ACLs on the switches are overriding the SGACL.
Answer: D

IP ACLs are evaluated before SGACLs and can permit traffic that SGACLs would deny.

Why this answer

The most likely cause is that IP ACLs on the switch interfaces are overriding the SGACL. In Cisco TrustSec, SGACLs are applied after SGT classification and are evaluated in the forwarding path, but if a traditional IP ACL is configured on the same interface, it is processed first and can permit or deny traffic independently of the SGACL. Since the IP ACLs are present and not configured to match the required policy, they allow traffic on ports other than TCP 443, bypassing the SGACL enforcement.

Exam trap

Cisco often tests the interaction between traditional ACLs and SGACLs, where candidates assume SGACLs always take precedence, but in reality, IP ACLs are evaluated first and can override the SGACL policy.

How to eliminate wrong answers

Option A is wrong because the administrator verified that the switches are receiving the SGTs, indicating SGT classification is occurring correctly. Option B is wrong because SGACLs in Cisco TrustSec are applied in both directions by default (based on the SGT source and destination), not just inbound; the direction of application is not the issue here. Option C is wrong because the switches are running IOS XE with IP ACLs and SGTs, which implies they support TrustSec features; the problem is not software incompatibility but a configuration conflict.

952
MCQ · hard

An organization has a Cisco ASA with two interfaces: inside (security 100) and outside (security 0). They want to allow traffic from inside to outside without NAT for a specific subnet. Which configuration achieves this?

A. nat (inside,outside) dynamic interface
B. nat (inside,outside) source dynamic any interface
C. access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 any
D. nat (inside,outside) source static 192.168.1.0 192.168.1.0 no-proxy-arp route-lookup
Answer: D

This creates an identity NAT (no translation) for the subnet.

Why this answer

A NAT exemption rule with 'nat 0' (on ASA 9.x+) or 'nat (inside,outside) source static' with an identity NAT can be used. In modern ASA, 'nat (inside,outside) source static NET NET no-proxy-arp route-lookup' is typical.

953
MCQ · easy

A network engineer is configuring 802.1X on a Cisco switch for wired clients. After configuration, some clients fail authentication. The engineer notices that the clients are not sending any EAP packets. What is the most likely cause?

A. The switch port is configured with access VLAN instead of voice VLAN.
B. The RADIUS server is unreachable.
C. The clients do not have an 802.1X supplicant enabled.
D. The switch port is configured with 'authentication port-control auto'.
Answer: C

Without a supplicant, clients cannot initiate EAP.

Why this answer

Option C is correct because if no EAP packets are sent, the client most likely does not have an 802.1X supplicant enabled. Option A is incorrect because access VLAN assignment does not affect EAP transmission. Option D is incorrect because 'authentication port-control auto' is the correct command to enable 802.1X on the port.

Option B is incorrect because if the RADIUS server were unreachable, the switch would still see EAP packets from the client.

954
MCQhard

Refer to the exhibit. An engineer notices that a malicious file disguised as 'app.exe' in the FinanceApp folder (SHA-256 unknown to AMP) was blocked. However, another unknown executable in the same folder was also blocked, causing a false positive. What should the engineer change in the policy to allow only the legitimate 'app.exe' while still blocking unknown executables?

A.Remove the file exclusion for the FinanceApp folder entirely.
B.Remove the process exclusion for app.exe.
C.Change the action for unknown files from 'block' to 'detect'.
D.Change the file exclusion path to the exact full path of app.exe instead of a wildcard.
AnswerD

A specific path exclusion for app.exe will allow it while still blocking other unknown executables in the folder.

Why this answer

Option D is correct because the current policy uses a wildcard file exclusion for the entire FinanceApp folder, which causes the AMP engine to skip scanning all files within that folder, including unknown executables. By changing the exclusion to the exact full path of the legitimate 'app.exe', only that specific file is excluded from scanning, while other unknown executables in the folder remain subject to the 'block' action for unknown files. This allows the known good file to execute without being blocked, while still blocking other unknown files that may be malicious.

Exam trap

Cisco often tests the distinction between file exclusions (which bypass scanning) and process exclusions (which bypass behavioral analysis), and the trap here is that candidates confuse the two or assume that removing the folder exclusion entirely is the solution, rather than narrowing the exclusion to a specific file path.

How to eliminate wrong answers

Option A is wrong because removing the file exclusion entirely would cause the legitimate 'app.exe' to be scanned and potentially blocked if its SHA-256 is unknown to AMP, which does not solve the false positive issue. Option B is wrong because removing the process exclusion for app.exe is irrelevant; the issue is with file scanning, not process behavior, and process exclusions control behavior-based detection, not file reputation. Option C is wrong because changing the action for unknown files from 'block' to 'detect' would allow all unknown files, including the malicious one, to execute and only generate an alert, which defeats the security requirement to block the malicious file.

955
MCQmedium

A security engineer is troubleshooting an issue where Cisco AMP for Endpoints is not detecting a known malware sample on a Windows endpoint. The endpoint is running Windows 10 with the latest AMP connector installed and is connected to the corporate network. The malware sample was downloaded from a trusted source for testing. Which configuration is most likely causing the lack of detection?

A.The connector is configured to operate in offline mode.
B.The file reputation scanning is disabled.
C.Custom detections are not configured for the malware.
D.Real-time scanning is disabled for the download directory.
AnswerA

In offline mode, the connector cannot perform cloud lookups for file hashes, so known malware may not be detected.

Why this answer

When Cisco AMP for Endpoints is in offline mode, the connector cannot communicate with the cloud-based threat intelligence and reputation servers. This prevents it from performing file reputation lookups and retrieving the latest malware signatures, so even known malware samples will not be detected. The connector relies on cloud lookups for real-time detection of new or known threats, and offline mode disables this critical function.

Exam trap

Cisco often tests the misconception that disabling real-time scanning or file reputation scanning is the primary cause of missed detections, when in fact the connector's inability to communicate with the cloud (offline mode) is the most direct and common reason for failing to detect known malware.

How to eliminate wrong answers

Option B is wrong because file reputation scanning is a core function that is enabled by default and cannot be disabled; the connector always performs reputation checks when online. Option C is wrong because custom detections are user-defined rules for specific indicators, but the question states the malware is a known sample that should be detected by built-in signatures, not custom rules. Option D is wrong because real-time scanning is a separate feature that monitors file system activity; even if disabled for a specific directory, the connector would still detect the malware via on-access or scheduled scans unless the entire connector is offline.

956
MCQmedium

A company uses Cisco Umbrella SIG to enforce security policies. An employee attempts to visit a website categorized as 'Phishing' but the request is allowed. What is the most likely cause?

A.The employee is using a VPN that bypasses the proxy
B.The policy is set to 'Allow' for the Phishing category
C.DNS security is disabled
D.The website uses HTTPS and Umbrella cannot inspect it
AnswerB

If the policy allows the category, the request will be permitted.

Why this answer

If the security policy does not block the 'Phishing' category, or if the destination is not categorized, the request may be allowed by default.

957
Multi-Selecthard

An engineer is configuring a Cisco ASA to support a DMZ segment. Which three of the following are best practices for DMZ design? (Choose three.)

Select 3 answers
A.Place public-facing servers in the DMZ.
B.Restrict traffic initiated from the DMZ to the inside network.
C.Assign the DMZ interface a security level of 0.
D.Implement strict ACLs between outside and DMZ.
E.Use the same subnet for DMZ and inside networks.
AnswersA, B, D

DMZ hosts services accessible from outside.

Why this answer

DMZ should have a different security level (typically between inside and outside). Traffic from DMZ to inside should be restricted. Services in DMZ should be hardened.

The DMZ interface should be a separate physical or VLAN interface.

958
MCQmedium

A company uses Cisco Stealthwatch Cloud for network visibility in AWS. They notice a spike in encrypted traffic from an EC2 instance to an unknown external IP. Which Stealthwatch Cloud feature can analyze this traffic for threats without decrypting it?

A.NetFlow generation
B.Encrypted Traffic Analytics (ETA)
C.Deep Packet Inspection (DPI)
D.SSL Decryption
AnswerB

ETA uses ML to analyze encrypted traffic patterns for threats.

Why this answer

Encrypted Traffic Analytics (ETA) is the correct feature because it uses machine learning and behavioral analysis to inspect metadata (e.g., flow records, packet lengths, timing) of encrypted traffic without decrypting it. This allows Stealthwatch Cloud to detect anomalies like command-and-control communication or data exfiltration even when the payload is encrypted.

Exam trap

The trap here is that candidates often confuse 'Encrypted Traffic Analytics' with 'SSL Decryption' or 'DPI,' assuming that threat analysis of encrypted traffic always requires decryption, when in fact ETA uses metadata and machine learning to bypass that need.

How to eliminate wrong answers

Option A is wrong because NetFlow generation provides basic flow metadata (IPs, ports, protocols) but lacks the advanced behavioral analysis needed to detect threats in encrypted traffic without decryption. Option C is wrong because Deep Packet Inspection (DPI) requires access to unencrypted payloads, which is not possible with encrypted traffic and would require decryption. Option D is wrong because SSL Decryption explicitly decrypts the traffic, which violates the requirement to analyze without decrypting and introduces privacy and compliance concerns.

959
MCQmedium

A company uses Google Cloud and needs to securely connect their on-premises data center to a VPC without traversing the public internet. Which solution should they use?

A.Cloud NAT
B.Cloud VPN
C.Private Service Connect
D.Dedicated Interconnect
AnswerD

Correct. Dedicated Interconnect provides a private connection from on-premises to GCP.

Why this answer

Private connectivity options like Dedicated Interconnect or Partner Interconnect provide direct, private connections to GCP.

960
Multi-Selecthard

An organization is adopting a cloud-first strategy and wants to ensure least-privilege access for cloud resources. Which THREE measures should be implemented as part of a cloud IAM strategy? (Select three.)

Select 3 answers
A.Use managed identities for access
B.Regularly review and remove unused roles
C.Store secrets in source code repositories for ease of deployment
D.Enable single sign-on with multi-factor authentication
E.Implement role-based access control with scoping
AnswersA, B, E

Avoids long-term credentials and provides temporary permissions.

Why this answer

Managed identities (such as Azure Managed Identities or AWS IAM Roles for EC2) eliminate the need to store credentials in code or configuration files. The cloud provider automatically rotates the credentials and binds the identity to the compute resource, enforcing least-privilege by granting only the permissions required for that resource to function.

Exam trap

Cisco often tests the distinction between authentication mechanisms (like SSO/MFA) and authorization mechanisms (like RBAC with scoping), leading candidates to incorrectly select SSO/MFA as a least-privilege measure when it only addresses identity verification, not permission restriction.

961
MCQmedium

A network engineer is configuring OSPF on a Cisco router and needs to enable authentication between neighbors. The authentication type should be MD5. Which configuration step is required?

A.ospf authentication-key under router ospf
B.ip ospf authentication message-digest under the interface
C.area 0 authentication command in router configuration
D.ip ospf authentication null
AnswerB

This interface command enables MD5 authentication.

Why this answer

Option B is correct because to enable OSPF MD5 authentication on a Cisco router, the 'ip ospf authentication message-digest' command must be applied under the specific interface. This command tells OSPF to use MD5 (message-digest) authentication for that interface, and it must be paired with an 'ip ospf message-digest-key' command to define the actual key. The authentication type is configured at the interface level, not globally under the OSPF routing process.

Exam trap

Cisco often tests the distinction between area-level authentication (which defaults to simple) and interface-level MD5 authentication, causing candidates to mistakenly choose 'area 0 authentication' thinking it covers MD5.

How to eliminate wrong answers

Option A is wrong because 'ospf authentication-key' is a command used under the interface, not under router ospf, and it configures simple (type 1) authentication, not MD5. Option C is wrong because 'area 0 authentication' enables authentication for the entire area but defaults to simple authentication unless 'message-digest' is appended; it does not specify MD5 by itself and still requires interface-level commands. Option D is wrong because 'ip ospf authentication null' explicitly disables authentication on the interface, which is the opposite of what is required.

962
MCQmedium

A security engineer is evaluating authentication methods. Which authentication factor category does a fingerprint scanner fall under?

A.Possession
B.Knowledge
C.Location
D.Inherence
AnswerD

Inherence factors are biometric characteristics.

Why this answer

Fingerprints are inherent characteristics of a person, placing them in the 'inherence' category (something you are).

963
MCQmedium

A company is deploying a multi-tier application in AWS. The web servers must be accessible from the internet, but the database servers should only be reachable from the web servers. Which AWS security controls should be used to enforce this?

A.Use network ACLs to allow inbound traffic to web servers from 0.0.0.0/0 and deny all traffic to database servers
B.Assign a security group to web servers allowing HTTP/S from 0.0.0.0/0, and a separate security group for databases allowing traffic only from the web server security group
C.Place web servers in a public subnet and database servers in a private subnet, and use a network ACL to block all traffic to the private subnet
D.Use AWS WAF to restrict access to database servers based on source IP
AnswerB

Security groups support referencing other security groups, enabling this granular control.

Why this answer

Security groups act as virtual firewalls for EC2 instances, and network ACLs provide subnet-level filtering. Security groups are stateful and can be used to allow traffic from web servers to database servers based on source security group. NACLs are stateless and less granular for this purpose.

964
MCQeasy

A security engineer is configuring a Cisco ASA to block traffic from a specific IP address. Which access control entry (ACE) should be applied to the inbound direction of the outside interface?

A.access-list outside_in extended deny ip any host 10.1.1.1
B.access-list outside_in extended deny ip host 10.1.1.1 any
C.access-list outside_in extended deny tcp any host 10.1.1.1
D.access-list outside_in extended deny tcp host 10.1.1.1 any eq 80
AnswerB

Correctly blocks all IP traffic from the specified host.

Why this answer

Option B is correct because the ACE uses the 'ip' protocol to block all traffic from the specific source host 10.1.1.1 to any destination, which is the most comprehensive way to block all IP traffic from that address. In Cisco ASA ACLs, the order of source and destination is 'source destination', so 'deny ip host 10.1.1.1 any' correctly matches packets with source IP 10.1.1.1 and any destination, applied inbound on the outside interface to block traffic entering the network.

Exam trap

Cisco often tests the source-destination order in ACL syntax, and the trap here is that candidates mistakenly reverse the order (putting the target IP as the destination instead of the source) or unnecessarily restrict the protocol, thinking that blocking TCP alone is sufficient.

How to eliminate wrong answers

Option A is wrong because it specifies 'any' as the source and 'host 10.1.1.1' as the destination, which would block traffic from any source going to 10.1.1.1, not traffic originating from 10.1.1.1. Option C is wrong because it restricts the protocol to TCP only, so non-TCP traffic (e.g., UDP, ICMP) from 10.1.1.1 would not be blocked, leaving a security gap. Option D is wrong because it further narrows the rule to TCP traffic from host 10.1.1.1 to any destination on port 80 only, which fails to block other protocols or ports from that IP address.

965
MCQhard

In Cisco Firepower, a file policy is configured with a rule that detects malware. The action is set to 'Malware Cloud Lookup'. What happens if the SHA-256 hash of a file is unknown to the AMP cloud?

A.The file is blocked immediately.
B.The file is quarantined until the cloud responds.
C.The file is allowed and a retrospective alert is generated if later found malicious.
D.The file is sent for dynamic analysis in a sandbox.
AnswerC

Correct. Unknown files are typically allowed but later may be flagged.

Why this answer

When the SHA-256 hash is unknown to the AMP cloud, the file may be submitted for static or dynamic analysis depending on the disposition. Whether it is allowed or blocked in the meantime depends on additional configuration; typically it is allowed pending analysis.

966
MCQmedium

You are tasked with securing a new cloud deployment on AWS. The environment consists of a web application running on EC2 instances behind an Application Load Balancer (ALB), with data stored in an RDS database. The security requirements include: (1) protect against web application attacks (SQL injection, XSS), (2) ensure only authorized users can access the application, (3) monitor for anomalous behavior. You have decided to use AWS WAF for web application protection, AWS Cognito for user authentication, and Amazon GuardDuty for threat detection. However, the CISO also wants to integrate with Cisco's security portfolio for centralized management and visibility. Which Cisco product would best integrate with these AWS services to provide centralized security management?

A.Cisco Firepower NGFW
B.Cisco Secure Cloud Analytics (Stealthwatch)
C.Cisco Cloudlock
D.Cisco Tetration
AnswerB

Provides centralized visibility and integrates with AWS services.

Why this answer

Cisco Secure Cloud Analytics (Stealthwatch) is the correct choice because it provides centralized visibility and threat detection across hybrid cloud environments, including AWS. It integrates with AWS CloudWatch and VPC Flow Logs to ingest network telemetry, and it can correlate alerts from AWS GuardDuty, WAF, and Cognito into a single pane of glass for security operations. This aligns with the CISO's requirement for centralized management and visibility using Cisco's security portfolio.

Exam trap

Cisco often tests the distinction between products that provide centralized visibility (Stealthwatch) versus those that enforce inline security (Firepower NGFW) or focus on SaaS security (Cloudlock) or micro-segmentation (Tetration), leading candidates to confuse 'integration with AWS services' with 'deployment in AWS'.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower NGFW is a network firewall appliance designed for on-premises or virtual deployments (e.g., AWS Marketplace), but it does not natively aggregate logs or alerts from AWS-native services like WAF, Cognito, or GuardDuty into a centralized management console; it focuses on inline traffic inspection and policy enforcement, not multi-service log correlation. Option C is wrong because Cisco Cloudlock is a cloud access security broker (CASB) focused on SaaS application security (e.g., Office 365, Salesforce) and data loss prevention, not on integrating with AWS infrastructure services like EC2, ALB, or RDS for centralized threat monitoring. Option D is wrong because Cisco Tetration is a workload security and micro-segmentation platform that uses agents and flow data to enforce zero-trust policies, but it does not provide centralized management of AWS-native security services; it is more about application dependency mapping and segmentation, not log aggregation from WAF, Cognito, or GuardDuty.

967
Multi-Selectmedium

Which two Cisco solutions can be used to provide cloud-based content security including DNS-layer protection and cloud proxy? (Choose two.)

Select 2 answers
A.Cisco ThousandEyes
B.Cisco ESA
C.Cisco Umbrella DNS-layer security
D.Cisco WSA
E.Cisco Umbrella SIG
AnswersC, E

Correct. Umbrella DNS-layer blocks malicious domains.

Why this answer

Cisco Umbrella offers both DNS security and cloud proxy (SIG). Cisco ThousandEyes is for performance, not security. WSA and ESA are on-premises.

968
MCQhard

A financial company is deploying Cisco ISE with TrustSec to enforce segmentation between application tiers (web, app, DB). They have a Cisco Catalyst 9500 as the core, and Catalyst 9300s as access switches. The SXP is configured between ISE and core switch, and the core switch propagates SGTs to access switches via SGT inline tagging on trunk ports. The engineer has configured SGTs for web (SGT=2), app (SGT=3), DB (SGT=4). However, when testing from a web server (IP 10.1.1.10, SGT=2) to an app server (IP 10.1.2.20, SGT=3), the app server sees the traffic without SGT in the packet, so the access switch cannot enforce policy. The engineer checks 'show cts role-based sgt-map' on the core and sees the mapping for 10.1.1.10 -> 2. What is the most likely issue?

A.The ISE policy does not allow the traffic from web to app
B.The access switch does not have the security group ACL configured
C.The trunk between core and access is not configured for SGT inline tagging
D.The SXP connection between ISE and core is not established
AnswerC

Without 'cts manual' or 'trust sec' on the trunk, the core switch will not insert the SGT into packets going to the access switch.

Why this answer

If the access switch is not receiving the SGT, the issue is likely that the inline tagging is not correctly configured on the trunk, or that the SXP connection is not sharing mappings to the access switch. Option C is correct because if the trunk between core and access does not have 'cts manual' enabled, the core switch will not insert the tag into packets sent to the access switch. Option A would cause no SGT at all.

Option B (no SGACL on the access switch) would affect enforcement. Option D would affect policy, not packet tagging.

969
MCQhard

An endpoint with MAC 0011.2233.4455 and user 'guest' authenticates but fails. However, the device is not assigned to quarantine. Which policy condition is most likely responsible for the unexpected behavior?

A.The authentication failure overrides authorization
B.The quarantine VLAN is not configured on the switch
C.The device is compliant and the device type is in the allowed list
D.The device is authenticated via MAB, bypassing posture
AnswerC

Condition false, so quarantine not applied.

Why this answer

Option C is correct because the condition requires either 'EndPointCompliant EQUALS No' OR device type not in the list. If the device is compliant (posture passed) and the device type is in the list, the condition is false, so the quarantine rule is not applied, and a default permit rule might apply instead. Option A is incorrect because an authentication failure would show as 'Failed' and would not reach authorization.

Option D is incorrect because MAB is not in use here. Option B is incorrect because if the device had been placed in quarantine, the quarantine VLAN would have been assigned.

970
MCQhard

A security analyst receives an alert that a user clicked a link in an email that led to a malicious website. The email was allowed by the Cisco ESA because it passed SPF, DKIM, and DMARC checks. Later analysis reveals the email was sent from a compromised account within the same domain. Which type of attack best describes this scenario?

A.Account takeover (BEC)
B.Malspam
C.Spear phishing
D.Whaling
AnswerA

Account takeover involves using a compromised legitimate account to send malicious emails, bypassing authentication.

Why this answer

When an attacker compromises a legitimate email account within the organization and uses it to send malicious emails, it is an account takeover attack, which is a form of Business Email Compromise (BEC). Since the email authenticated correctly, it bypassed email authentication checks.

971
MCQhard

A Cisco FTD sensor is deployed in passive mode (IDS) and is receiving traffic via a network tap. The access control policy is configured with an intrusion policy set to 'Security over Connectivity'. However, the administrator notices that the sensor is not generating alerts for some attacks that were identified by a previous inline sensor. What is the most likely reason?

A.The sensor is in passive mode and cannot see return traffic due to asymmetric routing.
B.The access control policy requires an 'allow' action to perform intrusion inspection.
C.The intrusion policy is set to 'Security over Connectivity', which reduces false positives but may miss some attacks.
D.The intrusion policy is not configured to generate alerts.
AnswerA

Correct. Passive sensors rely on seeing both directions of traffic; asymmetric routing can cause missed detections.

Why this answer

In passive mode, the sensor cannot block traffic, but it should still detect and alert. If it's not alerting, perhaps the traffic is not being seen correctly (e.g., due to asymmetric routing or tap issues) or the intrusion policy is not applied correctly. However, given the scenario, a common issue is that passive deployment can miss attacks if traffic is not visible to the sensor.

972
MCQeasy

An organization wants to deploy AMP for Endpoints in an offline environment where endpoints cannot connect to the internet. Which deployment option is appropriate?

A.Deploy the AMP connectors with a local proxy caching all AMP communications.
B.Install a Cisco AMP Private Cloud appliance within the local network and point connectors to it.
C.Configure the AMP connectors in 'Standalone' mode to operate without cloud communication.
D.Use Cisco ESA as an intermediary to proxy AMP requests from endpoints.
AnswerB

Private Cloud provides all cloud functionality locally for offline environments.

Why this answer

Option B is correct because Cisco AMP for Endpoints offers a Private Cloud appliance that can be deployed on-premises in an offline environment. This appliance replicates all cloud-based threat intelligence and analysis locally, allowing endpoints to communicate with it via the AMP connector without requiring internet access. The Private Cloud appliance handles all file disposition, retrospective alerts, and policy updates within the local network.

Exam trap

The trap here is that candidates often assume a local proxy or standalone mode can replace cloud connectivity, but Cisco specifically tests that AMP for Endpoints requires a Private Cloud appliance for offline environments, as the connectors have no offline or standalone capability.

How to eliminate wrong answers

Option A is wrong because a local proxy caching AMP communications does not provide the necessary threat intelligence or analysis engine; AMP requires real-time cloud-based file analysis and dynamic threat updates, which a simple proxy cannot replicate. Option C is wrong because AMP connectors do not have a 'Standalone' mode; they are designed to communicate with a cloud or Private Cloud backend for file reputation, analysis, and policy enforcement, and operating without any cloud communication would leave endpoints unprotected. Option D is wrong because Cisco ESA (Email Security Appliance) is a mail gateway and cannot proxy AMP for Endpoints requests; it uses its own AMP integration for email attachments but does not serve as a general proxy for endpoint AMP communications.

973
MCQhard

An engineer is troubleshooting a Cisco ISE deployment where some endpoints are not being profiled correctly. The administrator notices that the endpoints are not sending DHCP requests. Which profiling probe should be primarily used to identify these endpoints?

A.NetFlow probe
B.DHCP probe
C.HTTP probe
D.DNS probe
AnswerA

NetFlow probe analyzes traffic flows and can profile endpoints based on IP and port information.

Why this answer

The correct answer is A (NetFlow probe) because when endpoints do not send DHCP requests, the DHCP probe cannot collect any data. The NetFlow probe analyzes network traffic flows to identify endpoints based on IP addresses, ports, and protocols, even without DHCP activity. This allows Cisco ISE to profile endpoints by observing their communication patterns, such as HTTP or DNS traffic, which still occur even if DHCP is not used.

Exam trap

Cisco often tests the misconception that DHCP is the only way to profile endpoints, leading candidates to choose the DHCP probe, but the trap here is recognizing that NetFlow provides visibility even when DHCP traffic is absent.

How to eliminate wrong answers

Option B (DHCP probe) is wrong because it relies on DHCP requests and acknowledgments; if endpoints are not sending DHCP requests, this probe will not capture any data to profile them. Option C (HTTP probe) is wrong because it only identifies endpoints that generate HTTP traffic, which may not be present for all devices, and it is not the primary probe for endpoints lacking DHCP activity. Option D (DNS probe) is wrong because it depends on DNS queries, which may not be sent by all endpoints, and it is not the primary method when DHCP is absent.

974
MCQmedium

A network administrator is configuring 802.1X on a Cisco switch for corporate Windows laptops. The organization uses certificates for authentication. Which EAP method should be configured on the supplicant and ISE to provide certificate-based mutual authentication?

A.PEAP-MSCHAPv2
B.EAP-MD5
C.EAP-TLS
D.EAP-FAST
AnswerC

EAP-TLS provides certificate-based mutual authentication.

Why this answer

EAP-TLS (Transport Layer Security) is the correct choice because it provides certificate-based mutual authentication, where both the supplicant (Windows laptop) and the authentication server (ISE) present X.509 certificates to verify each other's identity. This meets the requirement for certificate-based authentication and is the only EAP method listed that inherently requires certificates on both sides for mutual authentication.

Exam trap

Cisco often tests the distinction between EAP methods that use certificates only on the server side (like PEAP) versus those that require certificates on both sides (EAP-TLS), leading candidates to mistakenly choose PEAP-MSCHAPv2 when the question explicitly states 'certificate-based mutual authentication'.

How to eliminate wrong answers

Option A (PEAP-MSCHAPv2) is wrong because while PEAP uses a server-side certificate to create a TLS tunnel, the inner authentication uses MSCHAPv2 (username/password) rather than client certificates, so it does not provide certificate-based mutual authentication. Option B (EAP-MD5) is wrong because it uses only a simple MD5 challenge-response with a shared password, provides no mutual authentication, and is vulnerable to man-in-the-middle attacks; it also does not support certificates at all. Option D (EAP-FAST) is wrong because it relies on a Protected Access Credential (PAC) for authentication, not certificates, and while it can be configured with certificates for server-side authentication, it is not inherently certificate-based for mutual authentication like EAP-TLS.

975
MCQeasy

A company wants to implement network access control for IoT devices that do not support 802.1X. Which Cisco ISE feature can be used to grant these devices network access based on their MAC address?

A.MAB
B.Guest access
C.Profiling
D.Posture assessment
AnswerA

Correct. MAB uses MAC address for authentication.

Why this answer

MAC Authentication Bypass (MAB) is the correct Cisco ISE feature because it allows network access for devices that cannot perform 802.1X, such as IoT devices. MAB works by using the device’s MAC address as the authentication credential; ISE checks the MAC address against an allowed list (e.g., endpoint identity store) and grants or denies access accordingly. This is the standard fallback mechanism for non-802.1X-capable endpoints in a wired or wireless network.

Exam trap

Cisco often tests the misconception that Profiling (Option C) can grant network access, but profiling is a classification tool, not an authentication method; candidates confuse the two because profiling results can influence authorization policies after MAB or 802.1X authentication has occurred.

How to eliminate wrong answers

Option B (Guest access) is wrong because guest access is designed for temporary, unauthenticated users (e.g., visitors) and typically uses a captive portal or sponsor approval, not MAC-based authentication for IoT devices. Option C (Profiling) is wrong because profiling is a passive or active process that identifies device type and attributes (e.g., OS, vendor) but does not itself grant or deny network access; it is often used alongside MAB or 802.1X for policy decisions. Option D (Posture assessment) is wrong because posture assessment checks endpoint compliance (e.g., antivirus, patches) after authentication, and IoT devices usually cannot run posture agents; it is not a method for initial network access based on MAC address.
