Cisco SCOR / CCNP Security Core 350-701 (350-701) — Questions 151-225

500 questions total · 7 pages · All types, answers revealed


Page 3 of 7

151
Multi-Select · easy

Which TWO of the following are indicators of compromise (IOCs) that can be detected by Cisco AMP for Endpoints?

Select 2 answers
A. The endpoint's last login time
B. The version of the operating system
C. MD5 hash of a malicious file
D. IP address of a command-and-control server
E. The username of the logged-in user
Answers: C, D

File hashes are common IOCs.

Why this answer

AMP can detect file hashes and IP connections as IOCs; behavioral rules are also used but not listed as typical IOCs.

152
MCQ · easy

A network administrator wants to implement 802.1X authentication on a switch port that connects a printer. The printer does not support 802.1X, so the administrator configures MAC Authentication Bypass (MAB) as a fallback method. Which command must be included in the switch port configuration to ensure MAB is attempted after 802.1X times out?

A. authentication priority dot1x mab
B. authentication order dot1x mab
C. dot1x timeout tx-period 30
D. authentication port-control auto
Answer: B

This configures the switch to attempt 802.1X first, and if it fails, fall back to MAB.

Why this answer

Option B is correct because 'authentication order dot1x mab' sets the order: first 802.1X, then MAB. Option A is wrong because 'authentication priority' is not a valid command. Option D is wrong because 'authentication port-control auto' enables authentication but does not set the order.

Option C is wrong because 'dot1x timeout tx-period' only affects 802.1X timers.

153
MCQ · medium

A company is deploying a new remote access solution for teleworkers. They need to ensure that only company-owned devices can connect, and that the devices meet security posture requirements. Which combination of technologies should be used?

A. Cisco AnyConnect VPN with posture assessment
B. IPsec VPN with pre-shared keys
C. DMVPN
D. SSL VPN without client
Answer: A

AnyConnect integrates with ISE for posture checks to enforce compliance.

Why this answer

Cisco AnyConnect VPN with posture assessment is correct because it provides both device authentication (ensuring only company-owned devices connect) and security posture checks (e.g., OS patch level, antivirus status, firewall enabled) via the Cisco Secure Client (formerly AnyConnect) and ISE (Identity Services Engine). This combination enforces compliance before granting network access, meeting the requirement for teleworker remote access.

Exam trap

Cisco often tests the distinction between user authentication and device posture assessment, where candidates mistakenly assume any VPN technology (like IPsec or SSL VPN) inherently provides device compliance checking, but only a client-based solution with posture assessment (e.g., AnyConnect + ISE) can enforce both device identity and security posture.

How to eliminate wrong answers

Option B is wrong because IPsec VPN with pre-shared keys only authenticates the VPN gateway or user, not the device itself, and lacks any posture assessment capability to verify security compliance. Option C is wrong because DMVPN is a dynamic multipoint VPN technology designed for site-to-site connectivity, not for teleworker remote access with device posture enforcement. Option D is wrong because SSL VPN without a client (clientless VPN) typically uses a web browser and cannot perform deep posture assessment or enforce device ownership policies, as it lacks the endpoint visibility and control that a full VPN client provides.

154
Multi-Select · medium

Which TWO methods can be used to propagate SGT information between devices that do not support SGT inline tagging?

Select 2 answers
A. NetFlow
B. CDP
C. LLDP
D. SXP
E. VRF-lite
Answers: B, D

CDP can advertise SGTs in its TLVs.

Why this answer

Options B and D are correct because SXP (SGT Exchange Protocol) is the primary protocol for SGT propagation, and CDP can also carry SGT information in some implementations. Option C is incorrect because LLDP does not support SGT. Option E is incorrect because VRF-lite is not related to SGT.

Option A is incorrect because NetFlow does not propagate SGTs.

155
MCQ · easy

During a ransomware attack, an endpoint protected by AMP for Endpoints successfully blocked the ransomware file. Which AMP policy action was likely applied?

A. Allow
B. Quarantine
C. Detect
D. Block
Answer: D

Block prevents the file from executing, stopping ransomware.

Why this answer

When AMP for Endpoints successfully blocks a ransomware file, the 'Block' policy action is applied. This action prevents the file from executing on the endpoint by terminating the process and quarantining the file in the local quarantine, ensuring the threat is neutralized immediately. The 'Block' action is the most restrictive and is designed to stop known malware, including ransomware, from causing harm.

Exam trap

Cisco often tests the distinction between 'Detect' and 'Block' actions, where candidates mistakenly think 'Detect' can stop an attack, but it only generates alerts without preventing execution.

How to eliminate wrong answers

Option A is wrong because 'Allow' would permit the file to execute, which contradicts the scenario where the ransomware was successfully blocked. Option B is wrong because 'Quarantine' is not a standalone AMP policy action; it is a consequence of the 'Block' action, where the file is moved to quarantine after being blocked. Option C is wrong because 'Detect' only logs and alerts on the file without preventing its execution, which would not stop a ransomware attack.

156
MCQ · hard

A security engineer deploys Cisco Advanced Malware Protection (AMP) for Endpoints with cloud-based detection. After installation, a sample malware is executed on a test endpoint, but the AMP console shows no detection or trajectory data. The endpoint shows a 'Connected' status. What is the most likely reason for the lack of detection?

A. The AMP cloud subscription has expired, but the console still shows connectivity.
B. The endpoint's network connection to the AMP cloud is intermittent, causing files to be evaluated locally instead of being sent for analysis.
C. The AMP connector version is outdated and does not support the malware family.
D. The malware is packed and requires a signature update that is not yet available.
Answer: B

If the cloud connection is unstable, the connector may use local analysis which might not detect the malware.

Why this answer

Option B is correct because when the AMP for Endpoints connector detects intermittent connectivity to the AMP cloud, it falls back to local file evaluation using only the local signature cache. Since cloud-based detection relies on sending file hashes and behavioral telemetry for advanced analysis, a disrupted connection prevents the cloud from performing deep analysis, resulting in no detection or trajectory data despite the endpoint showing a 'Connected' status.

Exam trap

Cisco often tests the misconception that a 'Connected' status guarantees full cloud functionality, when in reality intermittent connectivity can cause the endpoint to operate in a local-only mode without alerting the administrator.

How to eliminate wrong answers

Option A is wrong because if the AMP cloud subscription had expired, the endpoint would typically show a 'Disconnected' or 'Unregistered' status, not 'Connected', and the console would display a license warning. Option C is wrong because an outdated connector version might miss certain detections, but the core issue here is the lack of cloud communication; the connector would still attempt to send files for analysis and would show some error or queuing status. Option D is wrong because packed malware is handled by AMP's cloud-based machine learning and behavioral analysis, not solely by signature updates; the lack of detection is due to the cloud not receiving the file for analysis, not because of missing signatures.

157
MCQ · easy

A company is deploying Cisco Umbrella for web security. They want to enforce that all DNS requests from remote users using VPN are filtered. Which deployment method should be used?

A. Use a PAC file to redirect web traffic to Umbrella.
B. Configure the corporate DNS servers to forward to Umbrella.
C. Install the Cisco Umbrella Roaming Security client on remote endpoints.
D. Deploy a virtual appliance as a DNS forwarder at the branch office.
Answer: C

The client ensures DNS filtering anywhere.

Why this answer

The Cisco Umbrella Roaming Security client is the correct deployment method for filtering DNS requests from remote VPN users because it installs a local DNS forwarder on the endpoint that intercepts all DNS traffic and sends it directly to Umbrella's cloud resolvers, even when the user is off the corporate network. This ensures that DNS queries are filtered regardless of the VPN tunnel state, as the client operates independently of the VPN connection.

Exam trap

Cisco often tests the distinction between DNS-layer security and proxy-based web security, and the trap here is that candidates may assume a PAC file or corporate DNS forwarding is sufficient for remote users, overlooking that the Roaming client is specifically designed for off-network enforcement.

How to eliminate wrong answers

Option A is wrong because a PAC file redirects HTTP/HTTPS web traffic via a proxy, not DNS requests, and Umbrella filters at the DNS layer, not the HTTP layer. Option B is wrong because configuring corporate DNS servers to forward to Umbrella only filters DNS queries that reach those servers, which does not cover remote users whose DNS requests may bypass the corporate network entirely. Option D is wrong because deploying a virtual appliance as a DNS forwarder at the branch office would only filter DNS traffic from users within that branch, not from remote VPN users who are not connected through that branch.

158
Multi-Select · medium

Which THREE considerations must be taken when deploying SSL decryption on a Cisco WSA in explicit proxy mode?

Select 3 answers
A. Create an HTTPS decryption policy to specify which traffic to decrypt.
B. Install the WSA's CA certificate on all client browsers.
C. Ensure that the WSA can listen on TCP ports below 1024.
D. Configure the WSA to inspect decrypted content for malware and policy violations.
E. Enable DLP scanning on the WSA to inspect decrypted content.
Answers: A, B, D

Policy defines what to decrypt based on URL categories or users.

Why this answer

Option A is correct because an explicit HTTPS decryption policy is required to define which traffic should be intercepted and decrypted. Without this policy, the WSA will not decrypt any HTTPS traffic, even if the CA certificate is installed. The policy specifies criteria such as source IP, destination URL category, or user identity to selectively decrypt traffic.

Exam trap

Cisco often tests the distinction between explicit and transparent proxy modes; the trap here is that candidates mistakenly think the WSA must listen on privileged ports (below 1024) for explicit proxy, when that requirement only applies to transparent proxy deployments.

159
MCQ · hard

During a security audit, a penetration tester discovers that a Cisco ASA firewall is configured with a rule that permits traffic from the inside interface with a source IP address in the RFC 1918 range to the outside interface. The rule uses the 'inspect' command for HTTP and FTP. Which potential vulnerability does this configuration introduce?

A. FTP inspection permits anonymous login commands
B. The configuration allows traffic without network address translation (NAT)
C. The HTTP inspection may allow SQL injection attacks to bypass the firewall
D. The firewall may allow IP spoofing if antispoofing is not enabled
Answer: D

Permitting RFC 1918 addresses from the inside without antispoofing checks can allow an attacker to spoof internal IP addresses.

Why this answer

Option D is correct because the configuration permits traffic from RFC 1918 private IP addresses on the inside interface to the outside interface without any explicit antispoofing or Unicast Reverse Path Forwarding (uRPF) check. This allows an attacker on the inside network to spoof source IP addresses that appear to come from the inside subnet, bypassing the firewall's intended security boundary. Without antispoofing, the ASA will not verify that the source IP actually belongs to the inside network, enabling IP spoofing attacks.

Exam trap

Cisco often tests the misconception that 'inspect' commands automatically provide full security, when in reality they only perform stateful inspection and protocol compliance checks, not antispoofing protections such as uRPF.

How to eliminate wrong answers

Option A is wrong because FTP inspection on a Cisco ASA does not inherently permit anonymous login commands; it only inspects FTP control channel commands and dynamic data ports, but does not allow or block specific authentication methods like anonymous logins. Option B is wrong because the question does not mention any NAT configuration, and the absence of NAT is not a vulnerability—it is a design choice; the vulnerability is the lack of antispoofing, not the lack of NAT. Option C is wrong because HTTP inspection on the ASA is designed to enforce protocol compliance and can filter certain application-layer attacks, but it does not specifically prevent SQL injection; SQL injection is a web application vulnerability that occurs at the application layer, not a firewall inspection bypass.

160
MCQ · hard

A network administrator configures the above policy on a Cisco Firepower Threat Defense (FTD) device. Users report that they cannot access the login page at https://www.example.com/login. What is the most likely cause?

A. The 'match request uri regex ".*evil.*"' in OUTSIDE_INSPECT is blocking the page.
B. The 'match request body regex ".*malware.*"' in OUTSIDE_INSPECT is blocking the page.
C. The 'inspect' action in INSIDE_INSPECT does not permit the traffic; it only inspects.
D. The class-map HTTP_CLASS is incorrectly matching the host header for example.com.
Answer: C

In FTD, the 'inspect' action alone allows traffic, but the issue might be that the policy-map is not applied correctly or the default action is to deny. However, this is the most plausible cause among the options.

Why this answer

Option C is correct because in Cisco Firepower Threat Defense (FTD), the 'inspect' action only monitors traffic for threats without explicitly permitting it. For traffic to be allowed through the device, a separate 'allow' or 'permit' action is required in the access control policy. Since INSIDE_INSPECT uses only 'inspect', the HTTPS traffic to the login page is blocked by default, as FTD implicitly denies traffic that is not explicitly permitted.

Exam trap

Cisco often tests the misconception that the 'inspect' action permits traffic, when in reality it only enables inspection and requires a separate 'allow' action for traffic to pass.

How to eliminate wrong answers

Option A is wrong because the 'match request uri regex ".*evil.*"' in OUTSIDE_INSPECT applies to traffic from the outside zone, not to the inside-to-outside traffic that users are using to reach the login page. Option B is wrong because the 'match request body regex ".*malware.*"' also applies to outside traffic and would not affect inside users accessing example.com. Option D is wrong because the class-map HTTP_CLASS is used to classify traffic for inspection, and matching the host header for example.com would not cause a block; the issue is the lack of a permit action, not the classification.

161
MCQ · medium

Refer to the exhibit. An engineer has configured IP Source Guard and DHCP Snooping. A host with MAC 00:11:22:33:44:55 on Gi0/0 is assigned IP 192.168.1.10 via DHCP. However, the host cannot ping its default gateway 192.168.1.1. What is the most likely cause?

A. The DHCP snooping database is not updated because interface Gi0/1 is not trusted
B. The static IP source binding is configured on the wrong VLAN
C. ARP inspection is not enabled, so the switch drops ARP replies
D. The 'ip verify source' command is missing the 'port-security' keyword
Answer: A

Gi0/1 is not configured as trusted, so DHCP replies from the server are dropped and the host may not hold a valid lease. A static binding exists, but dynamic bindings fail.

Why this answer

The host cannot ping its default gateway because DHCP Snooping marks interface Gi0/1 as untrusted by default. Since the DHCP server is connected to Gi0/1, the switch drops DHCP replies from that interface, preventing the DHCP snooping binding database from being updated with the host's IP address. Without a valid binding, IP Source Guard on Gi0/0 drops all IP traffic from the host, including pings to the gateway.

Exam trap

Cisco often tests the misconception that IP Source Guard works independently of DHCP Snooping, when in fact it relies entirely on the DHCP snooping binding database, and a missing trust configuration on the DHCP server-facing port is a common root cause.

How to eliminate wrong answers

Option B is wrong because the question states the host is assigned IP 192.168.1.10 via DHCP, and there is no mention of static bindings or VLAN mismatch; the issue is with DHCP snooping trust, not static binding configuration. Option C is wrong because Dynamic ARP Inspection (DAI) is not enabled by default and is not required for basic IP Source Guard operation; the problem is that IP Source Guard drops traffic due to missing DHCP snooping bindings, not ARP replies. Option D is wrong because the 'ip verify source' command does not require a 'port-security' keyword; the correct syntax is 'ip verify source' alone or with 'vlan dhcp-snooping', and port-security is a separate feature.

162
MCQ · medium

Refer to the exhibit. This JSON policy is part of a Cisco Cloudlock DLP configuration. What will happen when a user attempts to upload a file containing the word 'secret' to a cloud storage service?

A. An alert is generated but the file is not blocked
B. The file upload is blocked if the content contains the word 'secret'
C. Only files with 'secret' in the title are blocked
D. All files are blocked regardless of content
Answer: B

Condition checks for 'contains' and action is 'block'.

Why this answer

The JSON policy shown in the exhibit is a Cisco Cloudlock DLP policy that uses a data pattern to match the word 'secret' in file content. The action specified is 'block', which means when a user attempts to upload a file containing 'secret' to a cloud storage service, the upload is blocked and an alert is generated. Option B correctly identifies that the file upload is blocked if the content contains the word 'secret', aligning with the policy's enforcement action.

Exam trap

The trap here is that candidates often confuse the 'alert' and 'block' actions in DLP policies, assuming that a content match only generates an alert without enforcement, but the exhibit explicitly shows the action is 'block', which means the upload is prevented.

How to eliminate wrong answers

Option A is wrong because the policy action is 'block', not just 'alert'; an alert is generated but the file is also blocked, not merely flagged. Option C is wrong because the policy matches content (body) for the word 'secret', not the file title or metadata; the pattern is applied to the file's data, not its name. Option D is wrong because the policy is content-specific, targeting files containing 'secret', not all files; only files matching the pattern are blocked, not every upload.

163
MCQ · medium

Refer to the exhibit. An ASA is configured with the above access-list and NAT rule. A web server is reachable from the internet via the public IP 203.0.113.10. However, internal users from the inside network cannot access the web server using its public IP address. What is the most likely cause?

A. The NAT rule is missing a static NAT for the server.
B. The access-list does not permit traffic from inside to outside for that destination.
C. The interface ACL is applied inbound on the inside interface.
D. The default route is missing.
Answer: A

Without a static NAT, internal users cannot access the server via the public IP due to lack of hairpinning.

Why this answer

The correct answer is A because the NAT rule shown is a static NAT for the web server, but it is missing the 'static' keyword or the bidirectional mapping required for internal users to reach the server using its public IP. Without a proper static NAT (e.g., 'nat (inside,outside) static 192.168.1.10 service tcp www www'), the ASA does not translate the source IP of internal traffic destined to 203.0.113.10 back to the server's private IP, causing the traffic to be dropped or misrouted.

Exam trap

The trap here is that candidates assume a single static NAT rule automatically handles all traffic directions, but Cisco tests the nuance that internal-to-internal traffic via the public IP requires explicit NAT configuration (often called 'NAT reflection' or 'hairpinning'), which is not implied by a basic static NAT.

How to eliminate wrong answers

Option B is wrong because the access-list shown permits traffic from inside to outside for the web server's public IP (203.0.113.10) on port 80, so the ACL is not the issue. Option C is wrong because the exhibit does not show an interface ACL applied inbound on the inside interface; the ACL shown is likely a global or NAT-related ACL, and an inbound ACL on the inside would block traffic from inside to outside if it denied the traffic, but no such ACL is indicated. Option D is wrong because a missing default route would affect all outbound traffic, not specifically the ability to reach the web server via its public IP from inside; the server is reachable from the internet, so routing to the public IP is functional.

164
MCQ · hard

A financial institution with a flat Layer 2 network has experienced a ransomware incident where an infected workstation in the accounting department propagated laterally to a server in the finance department. The network spans 10 switches connected in a star topology with a collapsed core. The IT team wants to implement segmentation to contain such threats in the future, without requiring major hardware upgrades and with minimal change to IP addressing. The network currently uses a single VLAN with /16 subnet. Which of the following approaches would BEST achieve the segmentation goal, considering the constraints?

A. Use Spanning Tree Protocol with Private VLANs on all switches
B. Deploy a full-mesh VPN between all departments to encrypt and restrict traffic
C. Implement internal firewall zones using a next-generation firewall (NGFW) with application inspection and user identity
D. Deploy VLANs for each department and apply ACLs on the core router to restrict inter-VLAN traffic
Answer: C

An NGFW provides stateful, application-aware segmentation that can enforce micro-segmentation without IP changes and leverage existing VLAN trunking.

Why this answer

Implementing internal firewall zones with a next-generation firewall provides granular, stateful inspection and application-level segmentation. It can filter traffic between departments without changing IP addressing and leverages the existing switch infrastructure. VLANs with ACLs on the core router are stateless and can be bypassed; they also require reconfiguring IP addressing if each VLAN becomes a separate subnet, and ACLs on a core router do not provide the depth of inspection needed.

Deploying a VPN for all internal traffic is not scalable and adds latency. Using STP and PVLANs on switches can provide some isolation but does not prevent lateral movement at higher layers and is complex to manage across multiple switches without a fabric. Option C is the most effective given the constraints.

165
MCQ · easy

An organization is migrating to AWS and wants to ensure that all internet-bound traffic from VPCs is inspected by a central security appliance. Which AWS service should be used to redirect this traffic?

A. AWS Direct Connect
B. VPC Peering
C. Internet Gateway
D. Transit Gateway
Answer: D

Transit Gateway can route traffic through a security VPC for inspection.

Why this answer

Transit Gateway is correct because it acts as a central hub that can route traffic between VPCs and on-premises networks, and it supports route tables that can direct all internet-bound traffic to a central security appliance (such as a firewall or IDS/IPS) via a VPC attachment or a Network Virtual Appliance. This enables traffic inspection and policy enforcement without requiring individual VPCs to manage their own internet gateways or NAT devices.

Exam trap

Cisco often tests the misconception that VPC Peering can be used for transitive routing or central traffic inspection, but VPC Peering is non-transitive and cannot route traffic through a central hub without additional components like a Transit Gateway.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect is a dedicated network connection from on-premises to AWS, not a service for redirecting internet-bound traffic within VPCs. Option B is wrong because VPC Peering provides direct one-to-one connectivity between two VPCs but does not support transitive routing or central inspection of internet-bound traffic. Option C is wrong because an Internet Gateway is a VPC component that allows outbound internet traffic but does not redirect that traffic to a central security appliance; it simply provides a path to the internet.

166
MCQ · medium

An administrator configures Cisco Email Security Appliance (ESA) to add a disclaimer to all outgoing emails using a content filter. The filter is enabled and matches all outgoing mail. However, some users report that the disclaimer is missing from their sent emails. Which action should the administrator take to troubleshoot?

A. Increase the memory allocated to the content filter engine.
B. Review the message filters in the 'Incoming' or 'Outgoing' mail policies that might be taking precedence.
C. Verify that the mail flow policy for outgoing mail is set to 'Accept'.
D. Check if the content filter is disabled or has an invalid condition.
Answer: B

Message filters are processed before content filters and could be silently discarding or modifying messages before the disclaimer is added.

Why this answer

Option B is correct because content filters on Cisco ESA are evaluated after message filters. If a message filter (e.g., one that strips headers or drops attachments) is applied in the same or a higher-priority mail policy, it can prevent the content filter from processing the message, causing the disclaimer to be missing. The administrator should review the message filters in the 'Incoming' or 'Outgoing' mail policies to identify any that might be taking precedence and interfering with the content filter's action.

Exam trap

Cisco often tests the concept that content filters are not the only filtering mechanism; message filters have higher priority and can preempt content filter execution, leading candidates to overlook the need to check message filter precedence.

How to eliminate wrong answers

Option A is wrong because increasing memory allocated to the content filter engine would not resolve a missing disclaimer issue; memory allocation affects performance under load, not the logical execution order of filters. Option C is wrong because the mail flow policy for outgoing mail must already be set to 'Accept' for the ESA to deliver messages; if it were set to 'Reject' or 'Bounce', the emails would not be sent at all, not just missing a disclaimer. Option D is wrong because the scenario states the filter is enabled and matches all outgoing mail, so checking if it is disabled or has an invalid condition is redundant; the issue lies in filter precedence, not the filter's configuration.

167
MCQ · medium

A university is using Cisco ISE to provide secure wireless access for students and faculty. The wireless network uses WPA2-Enterprise with PEAP-MSCHAPv2. Recently, some faculty members reported that they cannot connect to the wireless network from their personal laptops, while student devices connect without issues. The faculty members are using the same SSID and entering their credentials correctly. The ISE logs show that the authentication attempts from faculty devices are failing with 'RADIUS Access-Reject' due to incorrect credentials. However, the faculty members are certain they are using the correct password. The IT department has verified that the user accounts in Active Directory are active and not locked. What is the most likely cause of the issue?

A. The ISE authentication policy is not configured to query Active Directory for faculty users
B. The faculty laptops do not have a valid client certificate
C. The faculty accounts are locked due to multiple failed attempts
D. The RADIUS shared secret on the wireless controller is incorrect
Answer: A

If the identity store sequence does not include AD, authentication fails.

Why this answer

The most likely cause is that the ISE authentication policy is not configured to query Active Directory for faculty users. Since student devices connect successfully, the policy likely matches students to an AD identity source but fails for faculty because their accounts are in a different AD group or domain not included in the policy. The 'RADIUS Access-Reject' with 'incorrect credentials' error in ISE logs indicates the authentication policy is not finding the user in the configured identity stores, even though the password is correct.

Exam trap

Cisco often tests the misconception that 'incorrect credentials' always means a wrong password, when in fact it can indicate a missing or misconfigured identity source in the authentication policy, especially when some users succeed and others fail.

How to eliminate wrong answers

Option B is wrong because PEAP-MSCHAPv2 does not require client certificates; only the server side presents a certificate for the TLS tunnel, so missing client certificates would not cause authentication failures. Option C is wrong because the IT department has verified that the faculty accounts are active and not locked, so account lockout is not the issue. Option D is wrong because if the RADIUS shared secret were incorrect, the wireless controller would not even forward authentication requests to ISE, and the logs would show a different error (e.g., 'RADIUS Request dropped' or 'Invalid Shared Secret'), not an Access-Reject due to incorrect credentials.

168
MCQ · easy

A company uses Cisco Umbrella to protect its remote users. The security team notices that some users are able to bypass Umbrella by using a different DNS resolver. Which deployment method ensures that all DNS traffic is forced through Umbrella?

A. Deploy the Umbrella virtual appliance in the data center.
B. Use BGP to redirect traffic to Umbrella.
C. Install the Umbrella roaming client on all endpoints.
D. Configure Active Directory integration.
Answer: C

The roaming client enforces DNS policy even if users change DNS settings.

Why this answer

The Cisco Umbrella roaming client (C) is the correct deployment method because it installs a local agent on each endpoint that intercepts all DNS queries at the operating system level, regardless of the DNS resolver configured in the network settings. This ensures that all DNS traffic is forced through Umbrella's cloud-based security platform, preventing users from bypassing protection by manually changing their DNS resolver to a non-Umbrella server.

Exam trap

Cisco often tests the misconception that network-level solutions (like a virtual appliance or BGP) can protect remote users, but the trap here is that remote endpoints require an agent-based approach (the roaming client) to enforce DNS policy locally, because network-level controls cannot intercept traffic that does not traverse the corporate network.

How to eliminate wrong answers

Option A is wrong because deploying the Umbrella virtual appliance in the data center only protects DNS traffic that passes through the corporate network; remote users' DNS queries are not routed through the data center, so they can still bypass Umbrella by using a different DNS resolver. Option B is wrong because BGP (Border Gateway Protocol) is used for routing IP traffic between autonomous systems, not for redirecting individual DNS queries from remote endpoints; it would require complex network-level redirection and does not enforce DNS policy on endpoints outside the corporate network. Option D is wrong because Active Directory integration with Umbrella provides identity-based policy enforcement and logging, but it does not force DNS traffic through Umbrella; users can still change their DNS resolver locally and bypass protection.
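The roaming client closes the bypass by catching queries on the endpoint itself; what a security team usually wants first is a way to see which hosts are already sending DNS elsewhere. The following added example (not part of the original question set, and not Cisco code) scans constructed flow records for DNS and DNS-over-TLS sessions aimed at resolvers other than the two public Umbrella anycast addresses. The record format and the sample flows are assumptions made for the example; DNS-over-HTTPS is deliberately out of scope because it cannot be distinguished from ordinary HTTPS by port.

```python
import ipaddress
from collections import defaultdict

# Umbrella anycast resolver addresses (publicly documented by Cisco).
UMBRELLA_RESOLVERS = {
    ipaddress.ip_address("208.67.222.222"),
    ipaddress.ip_address("208.67.220.220"),
}
# Classic DNS (53) and DNS-over-TLS (853). DNS-over-HTTPS rides on 443 and
# cannot be told apart from other HTTPS by port, so it is outside this check.
DNS_PORTS = {53, 853}

# Constructed sample flow records for this example (not real telemetry):
# src,dst,proto,dport
SAMPLE_FLOWS = """\
10.20.1.15,208.67.222.222,udp,53
10.20.1.15,8.8.8.8,udp,53
10.20.1.23,1.1.1.1,tcp,853
10.20.1.23,208.67.220.220,udp,53
10.20.1.40,93.184.216.34,tcp,443
10.20.1.15,9.9.9.9,udp,53
"""


def parse_flows(text):
    """Parse comma-separated flow records into (src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split(",")
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      proto.lower(), int(dport)))
    return flows


def find_dns_bypass(flows, allowed=UMBRELLA_RESOLVERS):
    """Return {source host: [resolver, ...]} for DNS flows sent to resolvers
    other than Umbrella. Any host listed here has a resolver configured
    somewhere Umbrella policy is not being applied."""
    offenders = defaultdict(list)
    for src, dst, proto, dport in flows:
        if dport in DNS_PORTS and dst not in allowed:
            offenders[str(src)].append(str(dst))
    return dict(offenders)


if __name__ == "__main__":
    for host, resolvers in find_dns_bypass(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: DNS sent outside Umbrella to {', '.join(resolvers)}")
```

Run against real flow or firewall export, the hosts it lists are the ones where the roaming client is missing, disabled, or being circumvented; the list should be empty once the client is enforcing on every endpoint.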

169
MCQhard

Refer to the exhibit. A switch port is configured for 802.1X with MAB. The switch has reached its maximum number of authentication sessions (platform limit). When a new device attempts to connect, what happens?

A.The new device is not authenticated and remains unauthorized
B.The new device is allowed to pass traffic due to fallback
C.The switch sends a CoA to ISE to free up a session
D.The port is automatically shut down
AnswerA

If the platform limit is reached, the switch cannot create new sessions, so the port remains unauthorized for the new device.

Why this answer

Option A is correct because once the platform's session limit is reached the switch cannot allocate an authentication session for the new device, so the device stays in the unauthorized state: it is neither authenticated nor permitted to pass traffic. Option B is wrong because MAB is a fallback authentication method, not a fail-open path; with no session available the device is not authenticated by either method. Option C is wrong because the switch does not send a CoA to ISE to free sessions; CoA is initiated by ISE to change or terminate an existing session. Option D is wrong because the port is not shut down or err-disabled when the session limit is reached.

170
Multi-Selecteasy

Which TWO benefits does the Cisco ESA provide for email security? (Choose two.)

Select 2 answers
A.Email encryption and data loss prevention
B.DNS-layer security
C.Network firewall functionality
D.Advanced threat protection against malware and phishing
E.Web content filtering
AnswersA, D

ESA offers encryption and DLP.

Why this answer

Option A is correct because the Cisco Email Security Appliance (ESA) includes integrated email encryption via Cisco Registered Envelope Service (CRES) or S/MIME, and it provides Data Loss Prevention (DLP) through pre-defined or custom DLP policies that scan outbound email for sensitive data patterns such as credit card numbers or PII. These features are core to the ESA's content security functionality. Option D is correct because the ESA's anti-malware, anti-phishing and URL analysis features are its advanced threat protection layer.

Exam trap

Cisco often tests the distinction between the ESA's email-specific security features (encryption, DLP, anti-malware) and features belonging to other Cisco security products like Umbrella (DNS-layer security) or WSA (web filtering), so candidates mistakenly attribute cross-product capabilities to the ESA.

171
Multi-Selectmedium

Which TWO are best practices for securing Cisco ASA remote access VPN? (Choose two.)

Select 2 answers
A.Disable clientless SSL VPN to force full-tunnel client.
B.Use pre-shared keys for user authentication to simplify deployments.
C.Enforce multi-factor authentication (MFA) for VPN users.
D.Use L2TP/IPsec for legacy compatibility.
E.Implement split-tunneling only for trusted networks and applications.
AnswersC, E

MFA adds security layer beyond passwords.

Why this answer

Option C is correct because enforcing multi-factor authentication (MFA) for VPN users adds an additional layer of security beyond just a password, significantly reducing the risk of credential theft and unauthorized access. Cisco ASA supports MFA integration with RADIUS servers (e.g., Cisco ISE, Duo Security) that can require a one-time password (OTP) or push notification, aligning with the principle of defense-in-depth for remote access VPNs.

Exam trap

Cisco often tests the misconception that disabling clientless SSL VPN or using pre-shared keys simplifies security, when in fact these options either do not enforce full-tunnel behavior or introduce significant authentication weaknesses.

172
MCQhard

A financial institution uses Cisco Firepower Threat Defense (FTD) for intrusion prevention and SSL decryption. The security team recently enabled SSL decryption on the FTD to inspect encrypted traffic. After the change, some internal applications that use client certificates for authentication stopped working. The FMC shows that SSL decryption is configured to inspect traffic to specific destination IPs. The applications are using a custom port (TCP 8443) for HTTPS. The administrator has already added the custom port to the SSL decryption policy. What is the most likely reason the applications are failing?

A.The applications are using client certificates, and the FTD is unable to re-encrypt with the original client certificate.
B.The applications are using IPsec, not SSL.
C.The internal CA certificate is not trusted by the FTD.
D.The FTD is not configured to inspect traffic on port 8443.
AnswerA

SSL decryption terminates the original SSL session, so client certificates are lost and cannot be passed to the server.

Why this answer

When FTD performs SSL decryption, it acts as a man-in-the-middle: it terminates the client's SSL connection, inspects the plaintext, and then initiates a new SSL connection to the server. If the client application presents a client certificate for authentication, the FTD cannot re-encrypt the new connection with that same client certificate because it does not have access to the client's private key. The server then rejects the re-encrypted connection, causing the application to fail.

Exam trap

Cisco often tests the misconception that adding the custom port to the SSL decryption policy is sufficient, when the real issue is the FTD's inability to re-encrypt with the original client certificate during mutual TLS authentication.

How to eliminate wrong answers

Option B is wrong because IPsec operates at Layer 3 and is not touched by SSL decryption policies; the question explicitly states the applications use HTTPS on TCP 8443, which is TLS-based. Option C is wrong because if the FTD did not trust the internal CA, the symptom would be server certificate validation failures for every inspected application, not a failure confined to client-certificate authentication; trusting the CA does not give the FTD the clients' private keys, which is the actual obstacle. Option D is wrong because the administrator has already added the custom port (TCP 8443) to the SSL decryption policy, so the FTD is configured to inspect traffic on that port.

173
MCQeasy

A network administrator is configuring Cisco ISE to enforce access control based on user authentication. The company requires that only users who authenticate via Active Directory are allowed access to the corporate wireless network. Which policy should be configured in ISE to accomplish this?

A.Profiling policy
B.Authentication policy
C.Authorization policy
D.Policy set
AnswerC

Authorization policy defines what access is granted after authentication.

Why this answer

Option C is correct because authorization policies in Cisco ISE define the access permissions granted to authenticated users, such as allowing or denying network access. In this scenario, after a user authenticates via Active Directory (handled by the authentication policy), the authorization policy evaluates conditions (e.g., AD group membership) to enforce the required access control for the corporate wireless network.

Exam trap

The trap here is confusing authentication (verifying identity) with authorization (granting permissions), leading candidates to select authentication policy when the question explicitly asks about enforcing access control after authentication.

How to eliminate wrong answers

Option A is wrong because profiling policies identify and classify endpoints based on attributes like MAC address or DHCP fingerprints; they do not enforce access control based on user authentication. Option B is wrong because authentication policies only verify user credentials (e.g., against Active Directory) and select the identity store to use; they do not grant or deny network access, which is the role of authorization. Option D is wrong because a policy set is a container that groups an authentication policy and an authorization policy under a matching condition (for example, wireless 802.1X requests); it is not itself the policy that grants or denies access.

174
MCQeasy

An organization uses ISE for wireless LAN authentication via 802.1X with PEAP-MSCHAPv2. Users authenticate against Active Directory. Recently, some users report that after changing their domain password, they cannot connect to the wireless network for about 30 minutes. What is the most likely cause?

A.DNS records for the domain controller have not updated
B.ISE has cached the previous password and is still using it for authentication
C.The wireless controller has a local password cache
D.The RADIUS server on the wireless controller is caching credentials
AnswerB

ISE can cache AD credentials; the cache may take up to 30 minutes to refresh after a password change.

Why this answer

Option B is correct because ISE can cache Active Directory authentication results for a period; after a password change the cached entry may still be consulted until it expires, so the user fails authentication until the cache refreshes (about 30 minutes in this scenario). Option A is wrong because a DNS problem with the domain controller records would affect every user, not only those who just changed their password. Option C is wrong because the wireless controller keeps no local password cache; it relays the EAP exchange to ISE. Option D is wrong because the wireless controller is a RADIUS client (NAS), not a RADIUS server, and does not cache user credentials.

175
Multi-Selecthard

Which THREE of the following are valid methods to deploy Cisco AMP for Endpoints Connector on Windows endpoints?

Select 3 answers
A.Cisco Prime Infrastructure
B.Cisco DNA Center
C.Group Policy Software Installation (MSI)
D.SCCM/Configuration Manager
E.Manual installation using the installer executable
AnswersC, D, E

Valid method via AD GPO.

Why this answer

AMP can be deployed via MSI using Group Policy, SCCM, or manual installation; third-party RMM tools may also be used.

176
MCQeasy

A company uses Cisco Web Security Appliance (WSA) to filter web traffic. The security team wants to block access to a specific category of websites (e.g., 'Social Networking') for all users except the HR department. Which WSA feature should be used to achieve this policy?

A.Routing policy
B.Decryption policy
C.Identity-based policy
D.Global access policy
AnswerC

Identity-based policies can apply different rules to different user groups based on authentication.

Why this answer

Identity-based policies in Cisco WSA allow you to apply different access rules based on the user or group identity, typically authenticated via Active Directory or LDAP. By creating an identity-based policy that exempts the HR department (e.g., via an AD group) and blocks the 'Social Networking' category for all other users, you achieve the required granular control without affecting the entire organization.

Exam trap

Cisco often tests the distinction between identity-based policies and global access policies, trapping candidates who think a global policy can be applied with exceptions, when in fact identity-based policies are required for user-specific exemptions.

How to eliminate wrong answers

Option A is wrong because routing policy controls how traffic is forwarded (e.g., next-hop or proxy chaining), not the per-user or per-group web access rules. Option B is wrong because decryption policy manages SSL/TLS interception and certificate handling, not category-based blocking based on user identity. Option D is wrong because global access policy applies uniformly to all traffic without user or group differentiation, so it cannot selectively exempt the HR department.

177
MCQmedium

An organization is using Cisco ESA and wants to ensure that outgoing emails containing credit card numbers are blocked before leaving the network. Which feature should be configured?

A.Anti-Spam policies
B.Data Loss Prevention (DLP) policies
C.Encryption policies
D.Anti-Virus scanning
AnswerB

DLP inspects content for sensitive data patterns.

Why this answer

Cisco ESA uses Data Loss Prevention (DLP) policies to inspect outgoing email content for sensitive data such as credit card numbers. DLP can identify patterns (e.g., 16-digit card numbers) using predefined or custom dictionaries and enforce actions like blocking, quarantining, or encrypting the message before it leaves the network. Anti-Spam, Encryption, and Anti-Virus policies do not perform content-based pattern matching for sensitive data.

Exam trap

Cisco often tests the distinction between DLP (content inspection for sensitive data) and encryption (protecting data in transit), leading candidates to mistakenly choose Encryption policies when the goal is to block or prevent data exfiltration, not just secure the channel.

How to eliminate wrong answers

Option A is wrong because Anti-Spam policies are designed to filter inbound unwanted bulk email using reputation filters and content analysis, not to detect sensitive data patterns in outbound messages. Option C is wrong because Encryption policies control whether a message is encrypted during transit (e.g., via TLS or S/MIME), but they do not inspect the message body for credit card numbers or enforce blocking based on content. Option D is wrong because Anti-Virus scanning detects malware attachments and malicious code, not structured data like credit card numbers.
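The explanation above says DLP matches card-number patterns; in practice a bare 16-digit regex also fires on order numbers and tracking IDs, which is why card-number classifiers combine the pattern with a Luhn checksum. The following added example (written for this page, not ESA code or Cisco's DLP implementation) shows that two-stage check over a constructed message and returns the verdict a 'Drop' policy would apply. The message text, the masking format and the one-hit threshold are assumptions made for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally grouped with spaces or dashes,
# and not embedded inside a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample outbound message (not a real email). 4111... and 5500...
# are standard Luhn-valid test numbers; the order reference is not Luhn-valid.
SAMPLE_MESSAGE = """Hi, please charge card 4111 1111 1111 1111 for the invoice.
Order ref 1234567890123456, call 555-123-4567 with questions.
Backup card: 5500-0000-0000-0004."""


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return the digit strings of every candidate that also passes Luhn.
    The regex supplies recall; the checksum removes most non-card digit runs."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep BIN and last four for the incident record; never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def dlp_verdict(message: str, threshold: int = 1):
    """Return ('DROP' | 'DELIVER', [masked hits]) for an outbound message."""
    hits = find_card_numbers(message)
    action = "DROP" if len(hits) >= threshold else "DELIVER"
    return action, [mask(h) for h in hits]


if __name__ == "__main__":
    print(dlp_verdict(SAMPLE_MESSAGE))
```

The checksum is what keeps the policy usable: the 16-digit order reference in the sample fails Luhn and is ignored, while both real-format card numbers are caught despite different separators. A digit run longer than 19 is rejected outright by the boundary assertions, which is a deliberate choice so that long numeric identifiers do not produce partial matches.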

178
MCQeasy

A network administrator needs to configure Cisco WSA to decrypt HTTPS traffic for inspection. What is the first step that must be completed?

A.Create a bypass list for internal sites
B.Configure an Access Control List (ACL) to allow decryption
C.Install a Certificate Authority (CA) certificate on the WSA and distribute it to clients
D.Configure user authentication
AnswerC

This allows the WSA to act as a trusted man-in-the-middle.

Why this answer

The first step in configuring Cisco WSA for HTTPS decryption is to install a Certificate Authority (CA) certificate on the WSA and distribute it to client devices. This establishes trust because the WSA acts as a man-in-the-middle, generating a new certificate for each HTTPS session signed by this CA; without the CA certificate in the clients' trusted root store, browsers will display certificate warnings and block the connection.

Exam trap

Cisco often tests the misconception that you first need to configure an ACL or bypass list before installing the CA certificate, but the fundamental prerequisite is establishing trust through certificate installation, otherwise decryption cannot function at all.

How to eliminate wrong answers

Option A is wrong because creating a bypass list for internal sites is an optional step to exclude certain traffic from decryption, not the prerequisite for enabling HTTPS decryption itself. Option B is wrong because an Access Control List (ACL) is used for traffic filtering or redirection, not for authorizing decryption; decryption is controlled by policies on the WSA, not by ACLs. Option D is wrong because user authentication is a separate feature for identity-based policies and is not required to perform HTTPS decryption; decryption can function without any authentication configured.

179
MCQhard

A company uses FMC to manage FTD devices. After deploying a new intrusion policy, the analyst sees that no events are generated for a known vulnerability, even though the policy includes a rule for it. The analyst checks and the rule is enabled and the policy is applied. What is the most likely cause?

A.The rule is configured to 'Drop and Generate Events' but the device is in inline tap mode.
B.The device has not been rebooted after policy deployment.
C.The access control policy before the intrusion policy is blocking traffic.
D.The intrusion policy rule has a false-positive suppression.
AnswerC

If an access control rule denies or fast-paths traffic, it never reaches the intrusion policy for inspection.

Why this answer

Option C is correct because in a Cisco Firepower deployment, the access control policy (ACP) is evaluated before the intrusion policy. If the ACP is configured to block traffic matching the vulnerability's characteristics, the traffic never reaches the intrusion policy for inspection, so no intrusion events are generated even if the intrusion rule is enabled and applied.

Exam trap

The trap here is that candidates assume an enabled intrusion rule guarantees event generation, forgetting that the access control policy acts as a gatekeeper that can block traffic before it reaches the intrusion engine.

How to eliminate wrong answers

Option A is wrong because inline tap mode allows traffic to pass through without being dropped, but it still generates events; 'Drop and Generate Events' in inline tap mode would still generate events, not suppress them. Option B is wrong because FTD devices do not require a reboot after policy deployment; changes are applied via the Snort process restart or policy reload, not a full device reboot. Option D is wrong because false-positive suppression would suppress events for a rule that is generating alerts, but the scenario states no events are generated at all, indicating the traffic never reaches the intrusion rule, not that events are suppressed after generation.

180
MCQmedium

An administrator notices that some users receive spam messages even though the ESA policy is set to 'Quarantine' for suspected spam. The messages are not found in the user's spam quarantine. What is the most likely cause?

A.The sender's IP is in the allow list.
B.The spam threshold is set too low.
C.The anti-spam engine signatures are outdated.
D.Incoming mail is received on a listener that does not apply the anti-spam engine.
AnswerD

A listener with anti-spam disabled will deliver without scanning.

Why this answer

Option D is correct because anti-spam scanning on the ESA is applied only where it is enabled in the receiving path: the listener's mail flow policy (HAT) can turn spam detection off for a sender group, and the incoming mail policy must have the engine enabled. Mail arriving through a listener or mail flow policy with anti-spam disabled is never scanned, so the 'Quarantine' action in the mail policy is never evaluated; the message is delivered straight to the inbox and never appears in the spam quarantine.

Exam trap

Cisco often tests the distinction between global policy settings and per-listener service enablement, trapping candidates who assume that configuring a quarantine action in the mail policy automatically applies to all incoming mail paths.

How to eliminate wrong answers

Option A is wrong because an allow list (safelist) entry skips anti-spam scanning only for the listed sender; it would explain delivery of that sender's mail, and the administrator would see the entry in the HAT sender groups or end-user safelist, but it does not describe a gap in the scanning path itself. Option B is wrong because setting the spam threshold too low (a lower score required to classify as spam) would cause more messages to be flagged and quarantined, not fewer. Option C is wrong because outdated anti-spam rules would produce false negatives, but those messages are still processed by the engine and either quarantined or delivered according to policy; they do not bypass the quarantine path entirely.

181
Multi-Selectmedium

Which THREE are valid components of an IKEv2 exchange? (Choose three.)

Select 3 answers
A.Aggressive Mode exchange
B.Main Mode exchange
C.IKE_SA_INIT exchange
D.IKE_AUTH exchange
E.INFORMATIONAL exchange
AnswersC, D, E

First pair of messages to negotiate cryptographic parameters and exchange nonces.

Why this answer

IKEv2 simplifies the Internet Key Exchange process by using only two exchanges to establish an IPsec security association: the IKE_SA_INIT exchange (negotiating cryptographic parameters and exchanging nonces and Diffie-Hellman public values) and the IKE_AUTH exchange (authenticating the peers and establishing the first child SA). These are the mandatory exchanges defined in RFC 7296, making options C and D correct. The INFORMATIONAL exchange is also a valid IKEv2 exchange type, used for notifications, error reporting and deleting SAs, which is why option E is correct. The fourth IKEv2 exchange type, CREATE_CHILD_SA (used for rekeying and additional child SAs), is not offered as an option.

Exam trap

Cisco often tests the distinction between IKEv1 and IKEv2 phases, and the trap here is that candidates familiar with IKEv1 mistakenly select Main Mode or Aggressive Mode as valid IKEv2 components, not realizing IKEv2 uses entirely different exchange names.
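The exchange names above are carried in one byte of the fixed IKE header, and the Message ID and flags in the same header are what tie a response to its request. The following added example (not from the original page or any Cisco product) packs and parses that 28-byte header as laid out in RFC 7296 section 3.1, rejects IKEv1 (ISAKMP) headers such as Main Mode, and checks a constructed IKE_SA_INIT / IKE_AUTH / INFORMATIONAL sequence for correct request/response pairing. The SPI values and the message sequence are constructed for the example; payload bodies are omitted because the header alone is what identifies the exchange.

```python
import struct

# Exchange type values: IKEv2 from RFC 7296 section 3.1, IKEv1 from RFC 2408/2409.
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKEV1_EXCHANGES = {2: "Main Mode (Identity Protection)", 4: "Aggressive Mode",
                   5: "Informational", 32: "Quick Mode"}
FLAG_INITIATOR, FLAG_VERSION, FLAG_RESPONSE = 0x08, 0x10, 0x20
# SPI_i, SPI_r, Next Payload, Version, Exchange Type, Flags, Message ID, Length
HEADER = struct.Struct("!8s8sBBBBII")  # fixed 28-byte IKE header


def build_header(spi_i, spi_r, exchange, flags, msg_id, length,
                 next_payload=33, version=0x20):
    """Pack an IKE header. version 0x20 = IKEv2 (major 2, minor 0)."""
    return HEADER.pack(spi_i, spi_r, next_payload, version, exchange, flags,
                       msg_id, length)


def parse_header(data):
    """Decode an IKEv2 header; raise ValueError for IKEv1 or unknown exchanges."""
    if len(data) < HEADER.size:
        raise ValueError("short IKE header")
    spi_i, spi_r, _np, version, exchange, flags, msg_id, length = HEADER.unpack_from(data)
    major = version >> 4
    if major != 2:
        name = IKEV1_EXCHANGES.get(exchange, "unknown")
        raise ValueError(f"not IKEv2: major version {major}, exchange {exchange} ({name})")
    if exchange not in IKEV2_EXCHANGES:
        raise ValueError(f"reserved or unknown IKEv2 exchange type {exchange}")
    return {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
        "exchange": IKEV2_EXCHANGES[exchange],
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "msg_id": msg_id, "length": length,
    }


def check_sequence(packets):
    """Validate an IKEv2 message sequence: it starts with an IKE_SA_INIT request
    carrying a zero responder SPI, every response matches the outstanding
    request's exchange type and Message ID, and nothing is left unanswered.
    Returns the completed exchanges in order."""
    completed, pending = [], None
    for i, pkt in enumerate(packets):
        h = parse_header(pkt)
        if i == 0 and (h["exchange"] != "IKE_SA_INIT" or h["response"]
                       or h["spi_r"] != "00" * 8):
            raise ValueError("must start with an IKE_SA_INIT request, SPI_r = 0")
        if not h["response"]:
            if pending is not None:
                raise ValueError("new request while another is outstanding")
            pending = h
        else:
            if (pending is None or pending["msg_id"] != h["msg_id"]
                    or pending["exchange"] != h["exchange"]):
                raise ValueError("response does not match the outstanding request")
            completed.append(h["exchange"])
            pending = None
    if pending is not None:
        raise ValueError("unanswered request at end of sequence")
    return completed


# Constructed sample values for this example (not a captured session).
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")
SK = 46  # Next Payload = Encrypted and Authenticated (SK) after IKE_SA_INIT
SAMPLE_EXCHANGE = [
    build_header(SPI_I, bytes(8), 34, FLAG_INITIATOR, 0, 28),       # IKE_SA_INIT request
    build_header(SPI_I, SPI_R, 34, FLAG_RESPONSE, 0, 28),           # IKE_SA_INIT response
    build_header(SPI_I, SPI_R, 35, FLAG_INITIATOR, 1, 28, SK),      # IKE_AUTH request
    build_header(SPI_I, SPI_R, 35, FLAG_RESPONSE, 1, 28, SK),       # IKE_AUTH response
    build_header(SPI_I, SPI_R, 37, FLAG_INITIATOR, 2, 28, SK),      # INFORMATIONAL request
    build_header(SPI_I, SPI_R, 37, FLAG_RESPONSE, 2, 28, SK),       # INFORMATIONAL response
]
# An IKEv1 Main Mode header (version 0x10, exchange 2) for contrast.
MAIN_MODE_V1 = build_header(SPI_I, bytes(8), 2, 0, 0, 28, next_payload=1, version=0x10)

if __name__ == "__main__":
    print(check_sequence(SAMPLE_EXCHANGE))
```

The version byte is what settles the exam trap: a Main Mode or Aggressive Mode header carries major version 1 and an exchange type that has no meaning in IKEv2, so a parser that accepts only version 2 rejects it before ever looking at the exchange name.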

182
MCQhard

A company uses Cisco Secure Workload to enforce microsegmentation across multiple AWS accounts. After enabling enforcement, they find that the policies are only applied to workloads in the primary account. What is the most likely reason?

A.The policy labels are not propagated
B.The agents in secondary accounts are not registered
C.The enforcement scope is limited to a single VPC
D.The cloud connector is not configured for the secondary accounts
AnswerD

Without a cloud connector for each account, Secure Workload cannot discover or enforce policies on those workloads.

Why this answer

Cisco Secure Workload (formerly Tetration) uses cloud connectors to integrate with AWS accounts and discover workloads. When enforcement is enabled, the policies are applied only to workloads in the primary account because the cloud connector has not been configured for the secondary AWS accounts. Without the connector, the platform cannot manage or enforce policies on workloads outside the primary account.

Exam trap

Cisco often tests the misconception that agent registration alone is sufficient for enforcement across accounts, but the cloud connector is the critical component for multi-account discovery and policy application.

How to eliminate wrong answers

Option A is wrong because policy labels are propagated automatically once the cloud connector is configured and agents are registered; labels not propagating would affect policy matching, not enforcement scope. Option B is wrong because agents in secondary accounts can be registered independently, but without a cloud connector, the platform cannot discover or manage those accounts to enforce policies. Option C is wrong because the enforcement scope is not limited to a single VPC; Cisco Secure Workload can enforce across multiple VPCs and accounts if the cloud connector is properly configured.

183
MCQmedium

An engineer is configuring Cisco ISE for guest access. The requirement is that guests must accept an acceptable use policy (AUP) before being granted network access. Which portal type should be used?

A.Sponsored guest portal
B.Hotspot guest portal
C.BYOD portal
D.Self-registration guest portal
AnswerD

Allows guests to register and accept AUP.

Why this answer

The self-registration guest portal is the correct choice because it allows guests to create their own credentials and, crucially, includes a configurable step where the user must accept an Acceptable Use Policy (AUP) before being granted network access. This portal type is specifically designed for scenarios where guests self-onboard and must acknowledge a policy, which is a core requirement for compliance in many guest access deployments.

Exam trap

The trap here is that candidates often confuse the hotspot guest portal (which can also present a click-through AUP) with the self-registration portal; the hotspot portal grants anonymous access without creating a guest account, whereas the self-registration portal ties AUP acceptance to an identity the guest creates during registration.

How to eliminate wrong answers

Option A is wrong because a sponsored guest portal requires an existing employee (sponsor) to create the guest account, and while it can include an AUP, the mechanism for guest self-service with mandatory AUP acceptance is the self-registration portal, not the sponsored flow. Option B is wrong because a hotspot guest portal provides open access without credentials; it can show an AUP click-through, but there is no registration step or guest account, so acceptance is not tied to an identifiable guest. Option C is wrong because a BYOD portal is used for onboarding personal devices into the corporate network with certificate provisioning or posture assessment, not for guest access scenarios where an AUP must be accepted before network access is granted.

184
MCQeasy

Refer to the exhibit. What is the effect of this NAT rule on the Cisco FTD device deployed in the cloud?

A.Performs identity NAT between the two networks without port translation
B.Translates source IP when traffic goes from outside to inside
C.Enables Port Address Translation (PAT)
D.Translates destination IP from 192.168.1.0 to a public IP
AnswerA

The 'static' keyword with same IP on both sides indicates identity NAT.

Why this answer

The NAT rule shown in the exhibit is a static identity NAT (also known as NAT exempt or no-translation NAT) that translates the source IP address of traffic from the 192.168.1.0/24 network to the same IP address when going to the 10.0.0.0/24 network. This is achieved by specifying the source address as both the original and translated address, effectively bypassing any address translation while still being processed by the NAT engine. Since no port translation is configured, it performs identity NAT without PAT, which is why option A is correct.

Exam trap

Cisco often tests the distinction between identity NAT and dynamic PAT, where candidates mistakenly assume that any NAT rule must involve address translation or PAT, but identity NAT explicitly preserves the original IP without port translation.

How to eliminate wrong answers

Option B is wrong because identity NAT translates the source IP when traffic goes from inside to outside (not outside to inside), and the rule specifically applies to traffic originating from the 192.168.1.0/24 network. Option C is wrong because identity NAT explicitly disables Port Address Translation (PAT) by mapping the source address to itself, so no port translation occurs. Option D is wrong because the rule translates the source IP (not destination IP) from 192.168.1.0 to itself, and the destination network 10.0.0.0/24 remains untranslated.

185
MCQhard

A security engineer is configuring Cisco Web Security Appliance (WSA) to block access to social media sites during business hours. The company wants to allow access to LinkedIn for the HR department. Which policy configuration approach should the engineer use?

A.Create a time-based access policy to block social media during business hours, and an identity-based policy to allow LinkedIn for HR.
B.Enable HTTPS decryption and block social media based on content.
C.Create a global URL filtering policy to block social media and add an exception for LinkedIn.
D.Configure Data Loss Prevention (DLP) to block social media posts.
AnswerA

Time-based policies restrict access during specific hours, and identity policies can exempt HR.

Why this answer

Option A is correct because Cisco WSA uses a hierarchical policy model where time-based access policies control when traffic is allowed or blocked, and identity-based policies (using authentication or IP ranges) provide granular exceptions for specific user groups like HR. By combining a time-based policy to block social media during business hours and an identity-based policy to allow LinkedIn for HR, the engineer achieves the requirement without over-permitting access. This approach leverages WSA's ability to evaluate multiple policy types in order, ensuring the HR exception takes precedence for LinkedIn traffic.

Exam trap

Cisco often tests the distinction between global exceptions (which apply to all users) and identity-based exceptions (which apply to specific groups), leading candidates to incorrectly choose a global exception when a group-specific exception is required.

How to eliminate wrong answers

Option B is wrong because HTTPS decryption is not required to block social media based on URL categories; WSA can block social media using URL filtering without decrypting traffic, and enabling decryption unnecessarily adds complexity and privacy concerns. Option C is wrong because creating a global URL filtering policy to block social media and adding an exception for LinkedIn would allow LinkedIn for all users, not just HR, violating the requirement for HR-only access. Option D is wrong because Data Loss Prevention (DLP) is designed to prevent sensitive data exfiltration, not to block access to entire websites or categories like social media; DLP policies inspect content within allowed traffic, not enforce URL-based access controls.

186
MCQmedium

A DevOps team is deploying containers in Kubernetes and needs to enforce network security policies between pods. Which Cisco solution is designed for this?

A.Cisco Cloudlock
B.Cisco Umbrella
C.Cisco Secure Workload (Tetration)
D.Cisco Firepower NGFW
AnswerC

Tetration provides micro-segmentation and policy enforcement for containers.

Why this answer

Cisco Secure Workload (formerly Tetration) is the correct answer because it provides micro-segmentation and network policy enforcement for containerized environments like Kubernetes. It uses agent-based and agentless sensors to map inter-pod traffic flows and enforces allow-list policies through the host's own packet filter (for example iptables/ipset on Linux), giving zero-trust segmentation between pods without changes to the underlying network fabric.

Exam trap

Cisco often tests the distinction between cloud-native workload security (Secure Workload) and perimeter or DNS-layer security (Firepower, Umbrella) — the trap here is assuming a traditional firewall or DNS filter can enforce pod-level micro-segmentation in Kubernetes.

How to eliminate wrong answers

Option A is wrong because Cisco Cloudlock is a cloud access security broker (CASB) focused on securing SaaS applications and user access, not on enforcing network policies between Kubernetes pods. Option B is wrong because Cisco Umbrella is a DNS-layer cloud security solution that provides internet threat protection and web filtering, not micro-segmentation or pod-to-pod policy enforcement. Option D is wrong because Cisco Firepower NGFW is a physical or virtual firewall designed for perimeter and data center network segmentation, not for granular, workload-level policy enforcement within a Kubernetes cluster's overlay network.

187
MCQmedium

A company has deployed Cisco AMP for Endpoints and wants to receive immediate notification when a file is detected as malicious by the cloud sandbox analysis. Which policy setting should be enabled?

A.Enable 'Send alerts for malicious files' in the AMP policy
B.Configure Syslog forwarding for all events
C.Enable 'Exploit Prevention' in block mode
D.Set the connector to 'Analyze' mode
AnswerA

This setting triggers alerts when a file is determined malicious by cloud sandbox.

Why this answer

Option A is correct because the AMP policy setting 'Send alerts for malicious files' generates an alert when a file is determined to be malicious, including verdicts returned by cloud sandbox (file analysis) after submission. Option B is wrong because syslog forwarding only exports events that have already been generated; it is not the policy setting that creates the alert. Option C is wrong because Exploit Prevention blocks memory-based exploits on the endpoint and is unrelated to sandbox verdicts. Option D is wrong because submitting files for analysis produces the sandbox verdict but does not by itself generate a notification.

188
MCQhard

During a security incident, it is observed that a server behind a Cisco ASA is being accessed repeatedly with different source IPs in a short time. The firewall logs show many dropped packets to the server's IP on port 443. What is the most effective mitigation to reduce the impact while maintaining legitimate access?

A.Increase the connection timeout
B.Implement an access-list to allow only known source IPs
C.Configure a static route to null0 for the server's IP
D.Enable TCP Intercept with a low threshold
AnswerD

TCP Intercept mitigates SYN floods by intercepting and verifying connections.

Why this answer

TCP Intercept with a low threshold is the most effective mitigation because it protects the server from a SYN flood attack by intercepting TCP SYN packets and completing the three-way handshake on behalf of the server. This allows legitimate traffic to proceed while dropping excessive SYN requests from rapidly changing source IPs, which is exactly the behavior described in the scenario. Unlike other options, TCP Intercept dynamically manages connection attempts without blocking all unknown sources or disrupting legitimate access.

Exam trap

Cisco often tests the distinction between reactive mitigation (TCP Intercept) and static or blocking measures, leading candidates to choose access-lists or null routes that completely deny access instead of dynamically protecting the server.

How to eliminate wrong answers

Option A is wrong because increasing the connection timeout would only keep stale connections open longer, potentially exhausting resources and worsening the impact of the attack. Option B is wrong because implementing an access-list to allow only known source IPs is impractical for a public-facing server on port 443 (HTTPS), as it would block legitimate clients with unknown IPs and break normal web access. Option C is wrong because configuring a static route to null0 for the server's IP would drop all traffic to that server, including legitimate traffic, effectively taking the server offline rather than mitigating the attack while maintaining access.

189
MCQ · medium

An administrator is configuring DLP on the Cisco ESA to block social security numbers (SSNs) in outgoing email. The policy is set to 'Drop' for SSN matches, but some emails containing SSNs are still being delivered. What step should the administrator take to troubleshoot?

A. Increase the message size limit in the mail flow policy.
B. Verify that the DLP policy is enabled and assigned to the outgoing mail policy.
C. Ensure that TLS is enabled for outgoing mail.
D. Add additional SSN patterns to the DLP dictionary.
Answer: B

If not assigned, DLP rules won't apply.

Why this answer

The most likely reason SSNs are still being delivered is that the DLP policy is not actually applied to the outgoing mail policy. Even if the DLP policy is configured to 'Drop' for SSN matches, it will have no effect unless it is enabled and explicitly assigned to the mail policy that governs outbound messages. Without this assignment, the ESA will not inspect messages against the DLP dictionary, allowing SSNs to pass through.

Exam trap

Cisco often tests the distinction between configuring a feature (e.g., creating a DLP policy) and actually applying it to a mail policy, leading candidates to overlook the assignment step and focus on unrelated settings like message size or encryption.

How to eliminate wrong answers

Option A is wrong because increasing the message size limit in the mail flow policy would not prevent DLP from scanning or dropping messages; it only affects whether large messages are accepted or rejected before DLP processing. Option C is wrong because TLS is a transport encryption protocol and has no bearing on DLP content inspection or the enforcement of a 'Drop' action. Option D is wrong because the default SSN patterns in the DLP dictionary are already comprehensive; adding more patterns would not resolve the issue if the policy itself is not enabled or assigned to the outgoing mail policy.

190
MCQ · easy

A DevOps team is deploying containerized applications on Kubernetes and needs to ensure that only authorized images are run. Which solution should they integrate with Kubernetes to enforce image trust and scanning?

A. Cisco Stealthwatch Cloud
B. Cisco Cloud Workload Protection (CWP)
C. Cisco Firepower Next-Generation Firewall
D. Cisco Umbrella
Answer: B

CWP provides image scanning and admission control for containers.

Why this answer

Cisco Cloud Workload Protection (CWP) is the correct solution because it provides integrated image scanning, vulnerability assessment, and trust enforcement for containerized workloads in Kubernetes. CWP uses a policy-based admission controller to block deployments of unauthorized or vulnerable images before they run, directly addressing the requirement to ensure only authorized images are executed.

Exam trap

Cisco often tests the distinction between network security tools (Stealthwatch, Firepower, Umbrella) and workload-specific security solutions (CWP), leading candidates to pick a familiar name like Firepower or Umbrella instead of the correct container-focused product.

How to eliminate wrong answers

Option A is wrong because Cisco Stealthwatch Cloud is a network traffic analysis and anomaly detection tool for cloud environments, not an image trust or scanning solution for Kubernetes. Option C is wrong because Cisco Firepower Next-Generation Firewall is a network security appliance focused on perimeter traffic inspection and intrusion prevention, not container image authorization. Option D is wrong because Cisco Umbrella is a cloud-delivered DNS-layer security and web gateway service, not a container image trust enforcement mechanism.

191
MCQ · hard

During an email security audit, it is discovered that encrypted emails sent between two partners are being silently dropped by the Cisco ESA. The ESA uses a policy that decrypts incoming S/MIME messages for scanning. What is the most likely cause of the dropped messages?

A. The ESA is configured to re-encrypt outbound messages that were decrypted.
B. The ESA cannot decrypt the messages because the sender's certificate is not trusted by the ESA.
C. The messages contain encrypted attachments that exceed size limits.
D. The ESA is using TLS to receive the messages and the partner's certificate is untrusted.
Answer: B

S/MIME decryption requires trusting the sender's certificate; otherwise, it may drop.

Why this answer

The Cisco ESA decrypts incoming S/MIME messages to perform content scanning. If the sender's certificate is not trusted by the ESA (i.e., not in the ESA's trusted certificate store or the certificate chain cannot be validated), the ESA cannot decrypt the message. This causes the message to be silently dropped because the policy requires decryption for scanning, and failure to decrypt results in the message being discarded rather than delivered.

Exam trap

The trap here is confusing transport-layer encryption (TLS) with message-level encryption (S/MIME), leading candidates to incorrectly select Option D, when the core issue is the ESA's inability to decrypt the S/MIME message due to an untrusted sender certificate.

How to eliminate wrong answers

Option A is wrong because re-encryption of outbound messages occurs after scanning and does not cause inbound messages to be dropped; it is a separate policy action. Option C is wrong because encrypted attachments exceeding size limits would trigger a different policy action (e.g., bounce or quarantine), not silent dropping, and the question states the entire email is dropped, not just the attachment. Option D is wrong because TLS is used for transport encryption between MTAs, not for S/MIME message decryption; an untrusted TLS certificate would cause a connection failure, not silent dropping of already-received S/MIME messages.

192
MCQ · medium

A security analyst sees multiple AMP events for 'Trojan.Generic.37283212' on several endpoints. After updating the AMP signatures, the detection still occurs. What is the best next step to reduce false positives?

A. Wait for the next signature update that might remove the detection.
B. Add the file SHA256 hash to the Custom Whitelist in the AMP policy.
C. Disable the signature for Trojan.Generic in the AMP policy.
D. Reinstall the AMP connector on the affected endpoints.
Answer: B

Whitelisting the specific file hash prevents future false positives while retaining protection.

Why this answer

Option B is correct because adding the file hash to the 'Custom Whitelist' in the AMP policy will prevent future detection of that specific variant. Option A is incorrect because waiting for another signature update does not address the false positive: the detection persists even though signatures have already been updated. Option C is incorrect because disabling the signature entirely would remove protection. Option D is incorrect because reinstalling the connector is not a targeted fix for a single misclassified file.

193
Multi-Select · hard

Which THREE of the following are features of Cisco Identity Services Engine (ISE) that can be used to enforce network access control?

Select 3 answers
A. Profiling
B. Posture assessment
C. Guest access management
D. Application visibility
E. NetFlow analysis
Answers: A, B, C

ISE can profile endpoints to identify device type and OS.

Why this answer

Profiling is a core ISE feature that uses passive and active fingerprinting techniques (e.g., DHCP, HTTP, SNMP, NetFlow) to identify endpoint attributes such as operating system, device type, and MAC vendor. This identity context allows ISE to enforce granular access policies based on the device class, such as blocking IoT sensors from reaching critical servers.

Exam trap

Cisco often tests the distinction between ISE's identity-based enforcement features (profiling, posture, guest) and network-layer monitoring tools (NetFlow, application visibility) that belong to other products like Stealthwatch or Firepower.

194
MCQ · easy

A security engineer is configuring a cloud access security broker (CASB) to protect a SaaS application used by employees. The primary concern is to prevent sensitive data from being uploaded to the application. Which deployment mode should the engineer choose?

A. Forward proxy mode, which intercepts user traffic and inspects it before it reaches the SaaS application.
B. API-based mode, which connects directly to the SaaS application's APIs to scan and block sensitive data.
C. Reverse proxy mode, which sits in front of the SaaS application and inspects incoming traffic.
D. Web application firewall (WAF) mode, which filters HTTP traffic to the application.
Answer: B

API mode allows data inspection at rest and can block uploads via API calls.

Why this answer

Option B is correct because API-based mode connects directly to the SaaS application's APIs, allowing the CASB to scan data at rest and in transit using the application's native APIs (e.g., REST or Graph APIs). This mode can block uploads by enforcing data loss prevention (DLP) policies directly within the SaaS application, without requiring traffic redirection or proxy configuration. It is the most effective deployment mode for preventing sensitive data from being uploaded, as it can inspect and block data at the point of storage.

Exam trap

Cisco often tests the misconception that forward proxy mode is the best for all data protection scenarios, but the trap here is that API-based mode is specifically designed for deep integration with SaaS applications to prevent data uploads, while forward proxy mode is limited to inline traffic inspection and cannot block data already submitted via API calls.

How to eliminate wrong answers

Option A is wrong because forward proxy mode intercepts user traffic before it reaches the SaaS application, but it requires client-side configuration (e.g., PAC files or browser proxy settings) and cannot inspect data already encrypted by the SaaS application's API calls; it is better suited for shadow IT discovery and inline traffic inspection, not for blocking uploads via API-level controls. Option C is wrong because reverse proxy mode sits in front of the SaaS application and inspects incoming traffic from users, but it does not have direct access to the SaaS application's internal APIs and cannot block data uploads at the storage layer; it is typically used for access control and threat protection. Option D is wrong because Web application firewall (WAF) mode filters HTTP traffic to the application at the network layer, focusing on web-based attacks (e.g., SQL injection, XSS) rather than data loss prevention; it cannot inspect or block sensitive data within API payloads or file uploads.

195
MCQ · easy

A company with 500 employees uses Cisco Web Security Appliance (WSA) as a proxy. They have a policy to block access to social media sites during working hours (9 AM - 5 PM) for all users except the marketing team. The marketing team must have unrestricted access at all times. The WSA is configured with a time-based access policy that blocks the 'Social Networking' category from 9 AM to 5 PM, and an identity policy that identifies the marketing team by Active Directory group. However, marketing users report that they are blocked from social media during working hours. What is the most likely cause?

A. The time-based policy is set to block social media from 9 AM to 5 PM, but the marketing team's identity policy is not explicitly set to 'Monitor' or 'Allow' for that category.
B. The WSA requires authentication for all users, but marketing users are not prompted to authenticate.
C. The identity policy for the marketing team has a 'Use Global Policy' action for social networking, which then applies the time-based block.
D. The marketing team's Active Directory group is not being recognized by the WSA due to a synchronization issue.
Answer: C

If the identity policy uses 'Use Global Policy', the time-based block from the global policy applies, blocking marketing users.

Why this answer

Option C is correct because when an identity policy is set to 'Use Global Policy' for a specific category, it defers to the global access policy, which in this case includes the time-based block for social networking. Since the marketing team's identity policy does not explicitly override the global policy with an 'Allow' or 'Monitor' action for the 'Social Networking' category, the time-based block applies to them as well.

Exam trap

The trap here is that candidates often confuse identity policies with access policies, thinking that identifying a user group automatically grants them different access, when in fact the identity policy must be paired with a separate access policy that explicitly overrides the global policy.

How to eliminate wrong answers

Option A is wrong because the issue is not that the identity policy lacks an explicit 'Monitor' or 'Allow' action; rather, the identity policy is set to 'Use Global Policy', which causes the global time-based block to apply. Option B is wrong because the WSA does require authentication for identity-based policies, but the marketing users are likely authenticating successfully (otherwise they would not be identified as marketing users at all); the problem is the policy action, not authentication failure. Option D is wrong because if the Active Directory group were not recognized, the marketing users would not be identified by the identity policy at all, and they would likely fall into a default policy that also blocks social media; however, the question states they are identified as marketing users but still blocked, indicating the group is recognized.

196
MCQ · medium

A network engineer is troubleshooting an issue where users on a specific VLAN cannot access the internet through a Cisco ASA firewall. The ASA has a default route pointing to the ISP router. The security policy includes an ACL that permits all traffic from the inside interface to the outside interface. What is the most likely cause of the problem?

A. The default route is misconfigured
B. DNS is not resolving domain names
C. NAT (Network Address Translation) is not configured
D. The ACL is blocking the traffic
Answer: C

Without NAT, private IP addresses cannot reach the internet because they are not routable.

Why this answer

The most likely cause is that NAT is not configured. Even though the ACL permits all traffic from inside to outside, the Cisco ASA requires NAT (or a NAT exemption rule) to translate private IP addresses to a routable public IP address when traffic traverses from a higher-security interface (inside) to a lower-security interface (outside). Without NAT, the ASA will drop the packets because it cannot determine how to route the private source addresses on the public internet, and the return traffic would have no way to reach the internal hosts.

Exam trap

Cisco often tests the misconception that an ACL permitting all traffic is sufficient for internet access, but the trap here is that the ASA requires NAT (or a NAT exemption) for traffic to traverse security levels, even when the ACL is permissive.

How to eliminate wrong answers

Option A is wrong because the default route is correctly pointing to the ISP router, and the issue is not about routing to the next hop but about address translation. Option B is wrong because DNS resolution is a separate function; even if DNS fails, users could still access the internet via IP addresses, and the problem states they cannot access the internet at all. Option D is wrong because the ACL explicitly permits all traffic from inside to outside, so it is not blocking the traffic.

197
MCQ · hard

A large enterprise with over 2,000 employees recently experienced a security breach. An attacker gained initial access through a phishing email and then moved laterally across the network to reach a critical database server. The network currently has a flat Layer 2 topology with all devices in a single large VLAN. The company wants to prevent lateral movement in the future while maintaining operational simplicity. They have a Cisco ISE deployment already but it is only used for wireless guest access. The security team is evaluating options.
Option A: Deploy 802.1X with dynamic VLAN assignment across all wired ports. This would authenticate users and assign them to different VLANs based on identity.
Option B: Implement micro-segmentation using Cisco TrustSec with Security Group Tags (SGTs) on the existing switches and enforce SGT-based policies on the firewalls. This would allow traffic control between groups regardless of IP.
Option C: Install a next-generation firewall at the internet edge and enable IPS to block known attack signatures.
Option D: Upgrade all access switches to support Private VLANs (PVLANs) and configure promiscuous ports for servers.
Which solution BEST addresses the lateral movement problem while leveraging existing infrastructure?

A. Install a next-generation firewall at the internet edge and enable IPS.
B. Upgrade all access switches to support Private VLANs (PVLANs).
C. Deploy 802.1X with dynamic VLAN assignment across all wired ports.
D. Implement micro-segmentation using Cisco TrustSec with SGTs and enforce policies on firewalls.
Answer: D

SGTs allow traffic control based on group identity, preventing lateral movement even within the same subnet, and leverage the existing ISE deployment.

Why this answer

Option D is correct because Cisco TrustSec with Security Group Tags (SGTs) enables micro-segmentation at Layer 2, allowing traffic control between user groups and servers based on identity rather than IP address. This directly prevents lateral movement by enforcing policies that restrict which endpoints can communicate, even within the same VLAN, and it leverages the existing Cisco ISE deployment for policy management without requiring major topology changes.

Exam trap

Cisco often tests the distinction between network segmentation (VLANs/802.1X) and micro-segmentation (TrustSec/SGTs), where the trap is that candidates assume VLAN-based isolation is sufficient to prevent lateral movement, but it fails when an attacker compromises a device within the same VLAN or when VLAN hopping is possible.

How to eliminate wrong answers

Option A is wrong because installing a next-generation firewall at the internet edge with IPS only inspects traffic entering or leaving the network; it does not control lateral movement within the internal flat Layer 2 network, so an attacker who has already gained access can still move freely between devices. Option B is wrong because Private VLANs (PVLANs) isolate ports within a VLAN but require promiscuous ports for servers, which creates a single point of compromise; they also do not provide identity-based policy enforcement and would require significant reconfiguration of all access switches, increasing complexity. Option C is wrong because 802.1X with dynamic VLAN assignment authenticates users and places them into different VLANs, but within a single VLAN, lateral movement is still possible; it does not provide granular per-flow or per-group segmentation like SGTs, and it relies on VLAN boundaries that can be bypassed by an attacker who compromises a device in a trusted VLAN.

198
MCQ · easy

A network engineer is troubleshooting an issue where an endpoint is failing to authenticate via 802.1X on a Cisco switch. The switch port is in unauthorized state. Which step should the engineer take first to identify the root cause?

A. Check the switch's RADIUS server reachability.
B. Check the ISE authentication logs for failure reasons.
C. Check the endpoint's supplicant configuration.
D. Check the CA server for certificate issues.
Answer: B

ISE logs provide detailed failure reasons, often indicating the exact step where authentication fails. This is the best first step.

Why this answer

The correct first step is to check the ISE authentication logs for failure reasons because the switch port is already in an unauthorized state, meaning the 802.1X authentication process has failed. ISE (the RADIUS server) logs provide the most granular failure reason, such as invalid credentials, unknown client, or EAP method mismatch, which directly pinpoints the root cause. Checking the switch's RADIUS reachability or endpoint configuration would be premature without first understanding why authentication was denied.

Exam trap

Cisco often tests the principle of 'start at the most specific source of truth'—the trap here is that candidates jump to checking network connectivity (Option A) or client configuration (Option C) without first consulting the authentication server logs, which contain the definitive failure reason.

How to eliminate wrong answers

Option A is wrong because checking RADIUS server reachability from the switch is a lower-layer connectivity check that would not explain why authentication failed if the server is reachable; the switch port being unauthorized indicates the RADIUS server likely received and rejected the request. Option C is wrong because checking the endpoint's supplicant configuration is a valid step but should come after reviewing the authentication logs to confirm whether the failure is client-side or server-side. Option D is wrong because checking the CA server for certificate issues is only relevant if EAP-TLS or a certificate-based method is used, and it is not the first step without knowing the failure reason from ISE logs.

199
MCQ · medium

An organization wants to provide guest wireless access with a captive portal. Which Cisco ISE portal type should be used?

A. Sponsored Guest Portal
B. Central Web Authentication (CWA) Portal
C. Hotspot Guest Portal
D. Self-Registered Guest Portal
Answer: D

This portal allows guests to register themselves and create credentials.

Why this answer

The Self-Registered Guest Portal is correct because it allows guests to create their own credentials via a captive portal. The Sponsored Guest Portal is for guests whose accounts are created by a sponsor. The Hotspot Guest Portal is for simple hotspot access without registration. The CWA portal is used for central web authentication, but typically for BYOD, not guest self-registration.

200
Multi-Select · hard

Which THREE components are part of a Cisco Cloud Web Security (CWS) deployment with on-premises connectors? (Choose three.)

Select 3 answers
A. Cisco ASA firewall as the forward proxy
B. On-premises Connector appliance
C. Cloud-based policy management portal
D. Cisco Web Security Appliance (WSA)
E. Cisco Cloud Scanning Center
Answers: B, C, E

The Connector sends traffic to the cloud scanning center.

Why this answer

The On-premises Connector appliance (option B) is a core component of a Cisco CWS deployment with on-premises connectors. It acts as a local proxy that forwards web traffic from users to the Cisco Cloud Scanning Center for threat inspection, while also caching content locally to reduce latency. This appliance integrates with existing network infrastructure to enable cloud-based web security without requiring full traffic redirection to the cloud.

Exam trap

Cisco often tests the distinction between the On-premises Connector appliance and the Cisco Web Security Appliance (WSA), as candidates may confuse the cloud-based CWS connector with the fully on-premises WSA solution.

201
MCQ · easy

An organization wants to restrict administrative access to Cisco network devices based on the time of day and source IP address. Which technology should be used?

A. TACACS+ with per-command authorization
B. SNMPv3 with ACLs
C. 802.1X with EAP-TLS
D. IPsec VPN with extended authentication
Answer: A

TACACS+ allows granular control over administrative access, including time and source IP.

Why this answer

TACACS+ is the correct choice because it supports per-command authorization, which allows an administrator to define granular access policies based on attributes such as time of day and source IP address. This is achieved through the TACACS+ authorization process, where the AAA server evaluates the user's request against configured authorization rules before granting access to specific commands or sessions.

Exam trap

Cisco often tests the distinction between TACACS+ and RADIUS, where candidates mistakenly choose RADIUS-based options (like 802.1X) for device administration, not realizing that TACACS+ is the only protocol that supports per-command authorization and time-based access control for CLI access.

How to eliminate wrong answers

Option B is wrong because SNMPv3 with ACLs provides authentication and encryption for network management traffic but does not support per-command authorization or time-based access control for administrative CLI access. Option C is wrong because 802.1X with EAP-TLS is a port-based network access control method used for endpoint authentication at Layer 2, not for authorizing administrative commands on network devices. Option D is wrong because IPsec VPN with extended authentication secures remote connectivity and authenticates users, but it does not provide per-command authorization or time-of-day restrictions for device administration.

202
MCQ · easy

A security analyst wants to detect misconfigurations in cloud storage buckets using Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud). What must be configured first?

A. Enable flow log export to the analytics platform
B. Install a sensor in the cloud VPC
C. Deploy a syslog collector
D. Connect to the cloud provider's API
Answer: D

API integration retrieves metadata and configuration for misconfiguration detection.

Why this answer

Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud) relies on API integration with the cloud provider (AWS, Azure, GCP) to pull metadata about cloud resources, including storage bucket configurations. By connecting to the cloud provider's API, the platform can continuously monitor for misconfigurations such as public read/write access, unencrypted buckets, or improper logging settings. Without this API connection, the platform cannot access the cloud provider's resource inventory or configuration state, making bucket misconfiguration detection impossible.

Exam trap

Cisco often tests the distinction between telemetry collection (flow logs, sensors) and cloud control plane integration (API), leading candidates to mistakenly choose a network-based option when the question specifically asks about configuration detection.

How to eliminate wrong answers

Option A is wrong because flow log export (e.g., VPC Flow Logs to S3) provides network traffic metadata, not storage bucket configuration data; Cisco Secure Cloud Analytics uses flow logs for traffic analysis, not for detecting bucket misconfigurations. Option B is wrong because installing a sensor in the cloud VPC captures network flows and host telemetry, but it does not have visibility into cloud control plane APIs or storage bucket settings; sensors are for traffic monitoring, not configuration auditing. Option C is wrong because a syslog collector ingests log messages from network devices or servers, but it does not interface with cloud provider APIs to retrieve bucket configurations; syslog is for event logging, not cloud resource metadata.

203
Multi-Select · easy

Which THREE of the following are true regarding HTTPS decryption on Cisco Web Security Appliance (WSA)? (Choose three.)

Select 3 answers
A. Decryption can be selectively applied based on URL category.
B. The WSA must generate a unique CA certificate that is distributed to clients.
C. Decryption is transparent to the user and does not require any client configuration.
D. HTTPS decryption is enabled by default for all traffic.
E. Decryption can impact WSA performance due to the cryptographic overhead.
Answers: A, B, E

Administrators can choose categories to decrypt or bypass.

Why this answer

Option A is correct because Cisco WSA allows administrators to define decryption policies that selectively decrypt HTTPS traffic based on URL categories (e.g., Social Networking, Finance, Health). This granular control enables organizations to balance security inspection with privacy compliance, decrypting only high-risk categories while bypassing sensitive ones like banking or healthcare.

Exam trap

Cisco often tests the misconception that HTTPS decryption is transparent or automatic, but the trap is that it always requires client-side trust configuration (e.g., installing the WSA's CA certificate) and is never enabled by default.

204
MCQ · easy

A company uses Cisco Web Security Appliance (WSA) in explicit proxy mode. Users report that some HTTPS websites fail to load. The administrator checks the logs and sees that the WSA is not generating any certificate for those sites. What is the most likely cause?

A. HTTPS decryption is disabled globally or for the specific category.
B. The website uses certificate pinning, which prevents interception.
C. The WSA CA certificate is not installed in the user's browser trust store.
D. The WSA is configured to bypass decryption for the user's subnet.
Answer: A

If decryption is disabled, the WSA does not generate certificates; it tunnels the HTTPS traffic without inspection, which should still work unless proxy settings are misconfigured.

Why this answer

When HTTPS decryption is disabled globally or for a specific category, the WSA cannot generate a certificate to intercept and inspect the traffic. In explicit proxy mode, the WSA must decrypt HTTPS traffic to apply security policies; without decryption enabled, the proxy simply forwards the traffic without generating a certificate, causing the browser to fail to establish a secure connection for sites that require inspection.

Exam trap

Cisco often tests the distinction between 'no certificate generated' (indicating decryption is disabled) versus 'certificate error' (indicating trust issues or pinning), so candidates mistakenly choose options related to certificate trust or pinning when the core issue is that decryption is simply not enabled.

How to eliminate wrong answers

Option B is wrong because certificate pinning is a client-side security mechanism that does not prevent the WSA from generating a certificate; the WSA would still generate its own certificate, but the browser would reject it due to pinning mismatch, which would appear as a certificate error, not a failure to generate a certificate. Option C is wrong because if the WSA CA certificate is not installed in the user's browser trust store, the browser would display a certificate warning or error, but the WSA would still generate a certificate for the site; the logs would show certificate generation, not a lack of it. Option D is wrong because bypassing decryption for a subnet means the WSA would not attempt to generate a certificate for those users, but the logs would show that traffic is being bypassed, not that no certificate is generated; the question states the WSA is not generating certificates for those sites, which implies decryption is disabled globally or per category, not per subnet.

205
MCQhard

During a cloud migration, an organization notices increased latency in AWS workloads when using Cisco Firepower for traffic inspection. What is the most likely cause?

A.The Firepower instance is undersized for the traffic volume
B.The VPC routing table is misconfigured, causing traffic to hairpin
C.AWS WAF is conflicting with Firepower rules
D.Firepower is inspecting encrypted traffic without SSL decryption
AnswerA

An undersized instance leads to high CPU utilization and latency.

Why this answer

When using Cisco Firepower for traffic inspection in AWS, the Firepower instance must process all traffic traversing the virtual appliance. If the instance type (e.g., m5.large) is undersized relative to the throughput demands (e.g., exceeding 1 Gbps), packet processing will queue, causing increased latency. This is a common scaling issue in cloud migrations where on-premises traffic patterns are replicated without adjusting instance sizing.

Exam trap

Cisco often tests the misconception that latency in cloud inspection is always due to routing misconfigurations (Option B), but the real trap is that undersized virtual appliances are the primary cause when traffic volume exceeds instance capacity, not network topology errors.

How to eliminate wrong answers

Option B is wrong because a misconfigured VPC routing table causing hairpinning would result in asymmetric routing or packet loss, not simply increased latency, and the symptom would be connectivity failures rather than gradual latency increase. Option C is wrong because AWS WAF operates at Layer 7 (HTTP/HTTPS) and does not conflict with Firepower's network-layer inspection; they can coexist without causing latency unless explicitly chained. Option D is wrong because inspecting encrypted traffic without SSL decryption means Firepower cannot inspect payloads, which reduces CPU load and would not increase latency; latency from encryption inspection only occurs when decryption is enabled.

206
Multi-Selecteasy

Which TWO of the following are authentication methods used for wired network access in Cisco ISE?

Select 2 answers
A.TACACS+
B.NetFlow
C.RADIUS
D.802.1X
E.MAC Authentication Bypass (MAB)
AnswersD, E

802.1X is a standard authentication method for wired and wireless.

Why this answer

Options D and E are correct because 802.1X and MAC Authentication Bypass (MAB) are the primary authentication methods for wired ports. Option C is incorrect because RADIUS is a protocol, not an authentication method. Option A is incorrect because TACACS+ is for device administration, not network access.

Option B is incorrect because NetFlow is a monitoring tool.

207
MCQhard

An organization discovers that a man-in-the-middle attack was successfully performed using a forged certificate issued by a trusted CA. The legitimate CA’s private key was compromised. Which PKI component was breached?

A.Certification Authority (CA) private key
B.Online Certificate Status Protocol (OCSP) responder
C.Registration Authority (RA)
D.Certificate Revocation List (CRL)
AnswerA

The CA private key is used to sign certificates; its compromise allows forging.

Why this answer

The correct answer is A because the man-in-the-middle attack succeeded due to a forged certificate issued by a trusted CA, which directly implies that the CA's private key was compromised. The CA's private key is the root of trust in a PKI; if it is stolen, an attacker can sign fraudulent certificates that will be trusted by all clients that trust the CA. Without the private key, the attacker could not have created a valid forged certificate.

Exam trap

Cisco often tests the distinction between components that issue certificates (CA) versus those that verify or manage status (OCSP, RA, CRL), and the trap here is confusing the CA's signing role with the RA's identity-verification role or the OCSP/CRL's status-checking role.

How to eliminate wrong answers

Option B is wrong because the OCSP responder provides real-time certificate status (valid, revoked, unknown) but does not issue certificates or hold the CA's signing key; compromising it would not allow forging certificates. Option C is wrong because the Registration Authority (RA) is responsible for verifying identity and forwarding certificate requests to the CA, but it does not hold the CA's private key and cannot sign certificates. Option D is wrong because the Certificate Revocation List (CRL) is a published list of revoked certificates; compromising it would not enable an attacker to forge new certificates, only to hide revocations.

208
MCQhard

An analyst reviews an AMP for Endpoints event where a file was detected as malware but later determined to be a false positive. The analyst wants to prevent this file from being flagged in the future. What is the recommended action?

A.Submit the file to Cisco TALOS for reanalysis.
B.Add the file hash to the custom detection list with action 'Allow' or 'Uncategorized'.
C.Disable AMP detection for that file type globally.
D.Change the AMP policy from 'Detect' to 'Audit' for the endpoint.
AnswerB

Custom exceptions override global dispositions, preventing future false positives without affecting other protections.

Why this answer

Option B is correct because adding the file hash to the custom detection list as an exception prevents future alerts. Option C is wrong because disabling detection for that file type is too broad. Option D is wrong because changing the policy to 'Audit' reduces protection.

Option A is wrong because only the cloud can update dispositions, but custom exceptions are the mechanism intended for false positives.

209
Multi-Selecthard

Which TWO are valid options for configuring a switch port to handle authentication failures in an 802.1X environment? (Select two.)

Select 2 answers
A.authentication event no-response action authorize vlan 100
B.dot1x critical profile
C.authentication event server dead action reinitialize
D.authentication port-control force-authorized
E.authentication event fail action authorize vlan 999
AnswersA, E

This is used when the endpoint does not respond to 802.1X (e.g., non-802.1X device).

Why this answer

Options A and E are correct. E: 'authentication event fail action authorize vlan 999' allows placing the port in a guest VLAN on failure. C: 'authentication event server dead action reinitialize' is for RADIUS server failure, not authentication failure.

A: 'authentication event no-response action authorize vlan 100' is for when the endpoint does not respond to EAPOL. D: 'authentication port-control force-authorized' forces the port to the authorized state, bypassing authentication entirely. B: 'dot1x critical' is for the critical voice VLAN, not failure handling.

210
MCQmedium

An organization uses AWS and Azure. They deploy Cisco Secure Workload to enforce microsegmentation. They discover that after deploying agents on EC2 instances, some traffic is misclassified due to overlapping IPs across multiple VPCs. Which configuration change best resolves this?

A.Reassign unique labels for each workload
B.Enable VRF-like segmentation within Secure Workload
C.Use Cloud Connector to map instance metadata
D.Configure separate enforcement scopes for each VPC
AnswerC

Cloud Connector enriches workload identity with cloud metadata, disambiguating overlapping IPs.

Why this answer

C is correct because Cloud Connector in Cisco Secure Workload (formerly Tetration) integrates with AWS and Azure APIs to retrieve instance metadata, such as VPC ID, subnet, and instance ID. This metadata allows Secure Workload to uniquely identify workloads even when they have overlapping IP addresses across different VPCs, enabling accurate traffic classification and policy enforcement.

Exam trap

Cisco often tests the misconception that labels or enforcement scopes alone can solve IP overlap issues, but the correct answer requires understanding that cloud-native metadata integration (Cloud Connector) is the designed solution for disambiguating overlapping IPs in multi-cloud environments.

How to eliminate wrong answers

Option A is wrong because reassigning unique labels for each workload does not resolve the underlying issue of overlapping IPs; labels are user-defined tags for grouping, not a mechanism to disambiguate IP address conflicts across VPCs. Option B is wrong because VRF-like segmentation within Secure Workload is not a native feature; Secure Workload uses software-defined segmentation based on labels and metadata, not VRF instances, and enabling such a feature would not directly map overlapping IPs to their correct VPC context. Option D is wrong because configuring separate enforcement scopes for each VPC does not automatically resolve IP overlap; enforcement scopes define policy boundaries but still rely on unique workload identification, which requires metadata mapping to distinguish workloads with identical IPs in different VPCs.

211
MCQmedium

A laptop fails to authenticate via 802.1X on a Cisco switch. The switch logs show: 'Authentication failed for user 'jdoe' on interface GigabitEthernet1/0/24: EAP session timeout.' What is the most likely cause?

A.The supplicant is using an incorrect EAP method.
B.The wired authentication timeout on the switch is too low.
C.The RADIUS server is unreachable.
D.The switch is not configured with a RADIUS server.
AnswerB

Low timeout setting can cause the session to time out before authentication completes.

Why this answer

Option B is correct. The specific 'EAP session timeout' error indicates the authentication process took longer than the configured timeout. Option C is incorrect because an unreachable RADIUS server would cause a different error.

Option A is incorrect because an incorrect EAP method usually results in a different error. Option D is incorrect because a missing RADIUS server would prevent any authentication attempt at all.

212
MCQhard

A security engineer is configuring Cisco ISE to enforce SGT-based access control. The engineer creates an SGACL on the switch that permits traffic from SGT 10 to SGT 20. However, traffic from SGT 10 to SGT 20 is still being dropped. The engineer verifies that the SGTs are correctly assigned. What is a possible reason for the drop?

A.SXP is not configured
B.The CTRL protocol is not enabled
C.The PAC on the switch is expired
D.There is a deny SGACL with a higher priority that matches the traffic
AnswerD

SGACLs are evaluated in order; a deny rule earlier in the list would override the permit rule.

Why this answer

Option D is correct because Cisco ISE enforces SGT-based access control using Security Group ACLs (SGACLs) that are evaluated in priority order. Even if a permit SGACL exists for SGT 10 to SGT 20, a deny SGACL with a higher priority (lower sequence number) that matches the same traffic will take precedence and cause the traffic to be dropped. The engineer must check the full SGACL list and their sequence numbers on the switch to identify conflicting rules.

Exam trap

Cisco often tests the concept that SGACLs are processed in priority order (lowest sequence number first) and that a higher-priority deny rule can silently override a lower-priority permit rule, leading candidates to incorrectly assume the issue is with SGT assignment or protocol configuration.

How to eliminate wrong answers

Option A is wrong because SXP (SGT Exchange Protocol) is used to propagate SGT bindings between network devices, not to enforce SGACL policies; if SGTs are already correctly assigned, SXP is not required for the switch to apply the SGACL. Option B is wrong because the CTRL protocol (Cisco TrustSec Control Protocol) is used for dynamic SGT assignment and environment data download, but the switch can still enforce locally configured SGACLs without it. Option C is wrong because an expired PAC (Protected Access Credential) would prevent the switch from authenticating to ISE or downloading policies, but the engineer has already verified that SGTs are correctly assigned, indicating the switch is already authenticated and has the necessary policies.

213
MCQeasy

An administrator wants to block the download of executable files (.exe) via HTTP using Cisco WSA. Which approach is most effective?

A.Enable Anti-Malware scanning for executables
B.Configure a Web Reputation policy to block low-reputation sites
C.Create a URL filtering policy with action 'Block' for the category 'Executable Files'
D.Use a PAC file to bypass the proxy for executable downloads
AnswerC

WSA's URL filtering can block based on MIME type of file downloads.

Why this answer

Option C is correct because Cisco WSA's URL filtering policies include a predefined content category called 'Executable Files' that specifically targets file extensions like .exe, .dll, and .msi. By setting the action to 'Block' for this category, the administrator can prevent HTTP downloads of executable files without affecting other traffic. This is the most direct and effective method as it operates at the application layer, inspecting the URL path for file extensions.

Exam trap

Cisco often tests the distinction between content filtering (blocking by file type) and security scanning (detecting threats), leading candidates to mistakenly choose Anti-Malware scanning when the goal is to block all executable downloads regardless of maliciousness.

How to eliminate wrong answers

Option A is wrong because Anti-Malware scanning only detects and blocks malicious executables after the download is initiated, not preventing the download itself; it also requires a license and may allow benign executables through. Option B is wrong because Web Reputation policies score websites based on risk, not file types; a low-reputation site might still host legitimate executables, and a high-reputation site could serve malicious .exe files. Option D is wrong because a PAC file only controls proxy routing (bypassing the proxy for certain destinations) and does not block content; it would allow executable downloads to go directly to the internet without inspection.

214
MCQeasy

An administrator is troubleshooting authentication failures for VPN users. The RADIUS server is reachable via ping, but users receive 'AAA authentication failed'. Which command should be used to test communication with the RADIUS server?

A.aaa new-model
B.show radius server statistics
C.test aaa group radius user password
D.debug radius authentication
AnswerC

This command simulates RADIUS authentication to verify server reachability and credentials.

Why this answer

Option C is correct because the 'test aaa group radius user password' command is specifically designed to simulate an authentication attempt against a RADIUS server, allowing the administrator to verify whether the RADIUS server is properly processing credentials. Since the RADIUS server is reachable via ping but users still fail, this command isolates whether the issue lies in the AAA authentication process itself, such as incorrect shared secret, user credentials, or RADIUS attribute mismatches.

Exam trap

The trap here is that candidates often confuse reachability (ping) with successful AAA authentication, or they select 'debug radius authentication' thinking it will test the server, when in fact debug commands only observe traffic and do not initiate a test transaction.

How to eliminate wrong answers

Option A is wrong because 'aaa new-model' enables AAA on the device but does not test existing communication with a RADIUS server; it is a configuration command, not a diagnostic one. Option B is wrong because 'show radius server statistics' displays historical counters for RADIUS transactions (e.g., timeouts, retransmissions) but does not perform a live authentication test to validate credentials or shared secret. Option D is wrong because 'debug radius authentication' enables real-time logging of RADIUS exchanges, which can help observe failures but does not actively test authentication; it requires a live user attempt and can be disruptive in production due to high CPU usage.

215
Multi-Selecteasy

Which TWO of the following are common security objectives of the Cisco TrustSec solution? (Choose two.)

Select 2 answers
A.Microsegmentation of network traffic
B.VPN termination for remote users
C.End-to-end data encryption
D.Network topology discovery
E.Role-based access control using security group tags (SGTs)
AnswersA, E

TrustSec allows granular segmentation based on security groups.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) to enforce microsegmentation by classifying traffic based on user, device, or role rather than IP addresses. This allows granular policy enforcement at the access layer, reducing lateral movement within the network. Microsegmentation is a core security objective of TrustSec, enabling dynamic, identity-based access control.

Exam trap

Cisco often tests the distinction between TrustSec's microsegmentation (using SGTs) and encryption (e.g., IPsec or MACsec), so the trap here is assuming that TrustSec provides end-to-end encryption when it actually focuses on access control and segmentation, not data confidentiality.

216
Multi-Selectmedium

Which THREE of the following are recommended best practices for configuring Cisco AMP for Endpoints to minimize false positives while maintaining strong detection?

Select 3 answers
A.Set scan level to maximum for all file types
B.Enable file reputation scanning with cloud lookups
C.Use application blocking with a whitelist of approved software
D.Disable exploit prevention to reduce false positives
E.Configure exclusions for directories where trusted software is installed
AnswersB, C, E

File reputation scanning leverages cloud intelligence to classify files, reducing false positives from known good files.

Why this answer

Options B, C, and E are correct. Option B (file reputation scanning) validates files against cloud intelligence, reducing false positives by allowing known good files. Option C (application blocking with a whitelist) ensures only approved applications run, minimizing false alerts.

Option E (exclusions for trusted applications) prevents scanning of benign software, lowering false positives while maintaining detection for unknowns. Option D is wrong because disabling exploit prevention weakens security. Option A is wrong because a maximum scan level increases false positives without significant detection gain.

217
Multi-Selecthard

Which TWO are common causes for CoA (Change of Authorization) failures in a Cisco ISE deployment? (Choose two.)

Select 2 answers
A.The switch does not support the CoA protocol.
B.The ISE node serving the CoA is not in the same subnet as the switch.
C.The RADIUS shared secret between ISE and switch is mismatched.
D.The switch port is configured with 'authentication periodic'.
E.The endpoint is connected through a wireless controller that proxies RADIUS.
AnswersA, C

The switch must implement RFC 3576 for CoA to work.

Why this answer

Options A and C are correct. The switch must support CoA (RFC 3576), and the RADIUS shared secret must match for CoA packets to be accepted. Option D is not a cause (periodic reauthentication is a feature).

Option E is not inherently a cause (a proxy can still forward CoA). Option B is incorrect because ISE and the switch can be in different subnets as long as network connectivity exists.

218
MCQhard

Refer to the exhibit. An administrator sees that the file invoice_2024.exe was blocked by both Cisco AMP and ESA. However, a user claims the attachment was delivered. What is the most likely cause?

A.The ESA was not configured to use AMP for file reputation.
B.The ESA was configured to 'Deliver then alert' for malware detected by AMP.
C.The AMP file reputation check was not performed due to an ACL misconfiguration.
D.The file was whitelisted in the AMP policy.
AnswerB

In 'Deliver then alert' mode, the email is delivered and an alert is sent, explaining why the user received it.

Why this answer

Option B is correct because when Cisco ESA is configured with 'Deliver then alert' for malware detected by AMP, the email is delivered to the user before the AMP file reputation analysis completes. The ESA sends the file to AMP for analysis, but if the policy is set to deliver first and alert later, the user receives the attachment even if AMP later determines it is malicious. This explains why the administrator sees the block in both AMP and ESA logs, yet the user claims delivery.

Exam trap

Cisco often tests the distinction between 'Deliver then alert' and 'Block' or 'Deliver and alert' modes in ESA AMP integration, where candidates mistakenly assume that a block in AMP logs means the file was never delivered, but the 'Deliver then alert' policy allows delivery before the block verdict is received.

How to eliminate wrong answers

Option A is wrong because if the ESA were not configured to use AMP for file reputation, the file would not have been blocked by AMP at all, but the exhibit shows it was blocked by both AMP and ESA, indicating AMP integration is active. Option C is wrong because an ACL misconfiguration would prevent the file from being sent to AMP for reputation check, resulting in no AMP block event, but the exhibit shows AMP did block the file, so the check was performed. Option D is wrong because if the file were whitelisted in the AMP policy, AMP would not have blocked it, contradicting the exhibit showing a block by AMP.

219
Drag & Dropmedium

Drag and drop the steps to configure a site-to-site IPsec VPN on a Cisco ASA into the correct order.


Why this order

IKE policy defines Phase 1 parameters, then pre-shared key is set, interesting traffic is defined via ACL, crypto map binds Phase 2 parameters, and it is applied to the interface.

220
MCQeasy

An engineer is troubleshooting a Cisco ASA firewall and notices that traffic from a specific subnet is being dropped. The engineer wants to verify if the drop is due to an access control list (ACL) or an inspection policy. Which command should be used to see the reason for packet drops?

A.show access-list
B.show asp drop
C.show conn
D.show service-policy
AnswerB

Displays packet drop counters with reasons, including ACL and inspection drops.

Why this answer

The 'show asp drop' command displays packet drop statistics from the Accelerated Security Path (ASP) on a Cisco ASA. It provides a detailed breakdown of why packets are dropped, including drops due to ACLs, inspection policies, or other security checks. This makes it the correct tool to differentiate between ACL and inspection policy drops.

Exam trap

Cisco often tests the distinction between commands that show configuration or active connections versus commands that show drop reasons, leading candidates to mistakenly choose 'show access-list' or 'show service-policy' because they think hit counts or policy statistics will reveal the drop cause.

How to eliminate wrong answers

Option A is wrong because 'show access-list' only displays the configured ACL entries and their hit counts, but does not show the specific reason for packet drops or differentiate between ACL and inspection policy drops. Option C is wrong because 'show conn' shows active connections in the connection table, not dropped packets or the reason for drops. Option D is wrong because 'show service-policy' displays the configuration and statistics of service policies (e.g., inspection policies), but does not show the specific reason for packet drops or provide drop counters.

221
Multi-Selectmedium

Which TWO of the following are valid methods for authenticating VPN users in a Cisco AnyConnect deployment?

Select 2 answers
A.TACACS+
B.OSPF
C.RADIUS
D.LDAP
E.SNMP
AnswersC, D

RADIUS is commonly used for VPN authentication.

Why this answer

Cisco AnyConnect VPN authentication can be performed using RADIUS, which is a widely supported AAA protocol. RADIUS enables centralized authentication, authorization, and accounting for VPN users, and it is natively integrated with Cisco ASA and Firepower Threat Defense (FTD) appliances for remote access VPNs.

Exam trap

Cisco often tests the distinction between AAA protocols for device administration (TACACS+) versus user authentication (RADIUS/LDAP), and the trap here is that TACACS+ is a valid AAA protocol but is not used for VPN user authentication in AnyConnect.

222
MCQmedium

An enterprise uses multiple IaaS providers (AWS, Azure, GCP). They need a single solution to enforce consistent security policies across all cloud environments. Which Cisco product provides multi-cloud security posture management?

A.Cisco Defense Orchestrator
B.Cisco Secure Cloud Analytics
C.Cisco ISE
D.Cisco Firepower NGFW
AnswerB

Provides multi-cloud monitoring and policy enforcement.

Why this answer

Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud) is the correct answer because it provides multi-cloud security posture management by ingesting flow logs, API telemetry, and configuration data from AWS, Azure, and GCP to detect misconfigurations, anomalous behavior, and compliance violations. It uses machine learning to establish baselines and alert on deviations, enabling consistent policy enforcement across heterogeneous cloud environments without requiring agents or changes to existing infrastructure.

Exam trap

Cisco often tests the distinction between 'policy orchestration' (Defense Orchestrator) and 'posture management' (Secure Cloud Analytics), so the trap here is assuming that a firewall management tool can also perform multi-cloud security posture assessment without native cloud API integrations.

How to eliminate wrong answers

Option A is wrong because Cisco Defense Orchestrator is a centralized policy management tool for on-premises and cloud firewalls (e.g., FTD, ASA, Meraki), but it does not provide multi-cloud security posture management or analyze cloud-native telemetry from AWS, Azure, and GCP. Option C is wrong because Cisco ISE is a network access control (NAC) and identity management platform for on-premises wired/wireless networks, not designed to ingest cloud API logs or assess cloud security posture. Option D is wrong because Cisco Firepower NGFW is a next-generation firewall appliance for perimeter and data center traffic inspection, lacking the cloud-native API integrations and multi-cloud visibility required for posture management across IaaS providers.

223
MCQmedium

A network engineer is deploying TrustSec using SGT over VXLAN in a data center fabric. The fabric switches are configured as VXLAN Tunnel Endpoints (VTEPs). The engineer must ensure that SGT information is propagated from the border leaves to the spine. Which mechanism should be used?

A.LISP (Locator/ID Separation Protocol)
B.VXLAN Group Policy Option (GPO) in the VXLAN header
C.SXP (SGT Exchange Protocol) between VTEPs
D.IS-IS protocol extensions for SGT
AnswerB

The VXLAN header includes a Group Policy ID field that carries the SGT.

Why this answer

Option B is correct because SGT over VXLAN uses the Group Policy Option (GPO) bits in the VXLAN header. Option C is wrong because SXP is for non-VXLAN environments. Option D is wrong because IS-IS carries routing, not SGT.

Option A is wrong because LISP carries endpoint IDs, not SGT.

224
MCQeasy

Which security concept involves creating multiple layers of defense so that if one layer is breached, subsequent layers still provide protection?

A.Zero Trust
B.Defense in depth
C.Separation of duties
D.Least privilege
AnswerB

Layered security approach.

Why this answer

Defense in depth is a security architecture strategy that layers independent defensive mechanisms (e.g., firewalls, IDS/IPS, endpoint protection, encryption) so that if one layer is compromised, subsequent layers continue to protect the asset. This concept is fundamental to the 350-701 exam as it underpins Cisco's SecureX and integrated security fabric approach, where multiple controls (like ASA, Firepower, and Umbrella) work together to provide resilience against breaches.

Exam trap

Cisco often tests the distinction between Defense in depth and Zero Trust by presenting a scenario where multiple security controls are used, and candidates mistakenly choose Zero Trust because they associate 'multiple layers' with 'never trust, always verify,' but Zero Trust is about identity verification and micro-segmentation, not the layered stacking of independent defenses.

How to eliminate wrong answers

Option A is wrong because Zero Trust is a security model that assumes no implicit trust and requires continuous verification of every access request, but it does not inherently describe the layered stacking of defenses; it focuses on identity and context-based access control rather than multiple independent layers. Option C is wrong because Separation of duties is an administrative control that prevents a single individual from having excessive privileges or performing conflicting tasks (e.g., one person approves changes, another implements them); it does not create multiple technical defense layers. Option D is wrong because Least privilege is a principle that grants users only the minimum permissions needed to perform their job functions; it reduces the attack surface but does not involve stacking multiple defensive technologies to protect against successive breaches.

225
MCQmedium

A company is deploying Cisco TrustSec to enforce micro-segmentation between data center servers. The security team wants to use Security Group Tags (SGTs) assigned dynamically via ISE. Which method should the engineer use to propagate SGTs to the access switches that connect the servers, assuming the network uses Cisco Nexus 9000 switches and ISE as the policy server?

A.Deploy SXP (SGT Exchange Protocol) between ISE and the Nexus switches
B.Configure ISE as a RADIUS server to send CoA with SGT
C.Enable SGT inline tagging on all interswitch links
D.Use a dedicated VLAN per security group
AnswerA

SXP is designed to exchange IP-to-SGT mappings between ISE (policy server) and network devices like Nexus switches.

Why this answer

For dynamic SGT propagation, the best method is SXP (SGT Exchange Protocol) because it can carry SGT bindings from ISE to network devices without needing inline tagging on every link. Option C (SGT inline tagging) requires hardware support on every link; Option B (RADIUS change of authorization) is for reauthentication and is not a mechanism for propagating SGTs. So the answer is A.
