Cisco SCOR / CCNP Security Core 350-701 (350-701) — Questions 226-300

500 questions total · 7 pages · All types, answers revealed

Page 4 of 7
226 · MCQ · medium

A multinational corporation uses Cisco AMP for Endpoints with cloud-based file reputation. The security team notices that a file that was previously determined to be clean (disposition: clean) is now reported as malicious by a threat intelligence feed. However, AMP has not taken any action on endpoints that already executed the file. The administrator confirms that retrospective security is enabled. What should the administrator check first to ensure that the file is remediated on all affected endpoints?

A. Verify that the file is not excluded from scanning due to an anti-virus exclusion list.
B. Confirm that the endpoints have internet connectivity to the AMP cloud.
C. Check that the policy assigned to the endpoints has the 'Remediate Now' option enabled for files with changed dispositions.
D. Ensure that the file is being analyzed by the local AMP engine for accurate detection.
Answer: C

Automatic remediation after a disposition change requires an explicit policy setting.

Why this answer

Option C is correct because when a file's disposition changes from clean to malicious in the AMP cloud, the 'Remediate Now' policy setting controls whether AMP automatically triggers remediation actions (such as quarantine or deletion) on endpoints that have already executed the file. Even with retrospective security enabled, the administrator must ensure that the policy assigned to the endpoints has this option enabled; otherwise, the cloud will send the updated disposition but the endpoint will not automatically act on it.

Exam trap

Cisco often tests the distinction between 'retrospective security' being enabled (which allows the cloud to send updated dispositions) and the 'Remediate Now' policy setting (which controls whether the endpoint automatically acts on those updates), leading candidates to incorrectly assume that enabling retrospective security alone is sufficient for automatic remediation.

How to eliminate wrong answers

Option A is wrong because antivirus exclusion lists affect real-time or on-access scanning, not the retrospective remediation of a file whose disposition has changed in the cloud; exclusions would prevent initial detection but do not block cloud-triggered remediation. Option B is wrong because endpoints must have internet connectivity to receive the updated disposition from the AMP cloud, but the question states that the administrator confirms retrospective security is enabled, implying connectivity is already present; the issue is the lack of automatic remediation action, not connectivity. Option D is wrong because the local AMP engine handles initial file analysis and detection, but the file was previously determined clean by the cloud; the local engine does not re-analyze files for retrospective disposition changes—that is a cloud-driven function.

227 · Multi-Select · hard

Which THREE features are available in Cisco Umbrella to protect against DNS-based threats? (Choose three.)

Select 3 answers
A. IP-layer enforcement
B. Application control
C. DNS-layer security
D. Data Loss Prevention (DLP)
E. Anti-virus scanning
Answers: A, B, C

Blocks traffic to malicious IP addresses.

Why this answer

Cisco Umbrella provides DNS-layer security (option C) as its core function, intercepting DNS queries to block requests to malicious domains before a connection is established. IP-layer enforcement (option A) extends protection by applying policies based on the destination IP address, blocking traffic to known malicious IPs even if DNS resolution is bypassed. Application control (option B) allows administrators to permit or block specific cloud applications (e.g., Dropbox, Facebook) at the DNS level, preventing data exfiltration or unauthorized usage through DNS-based application identification.

Exam trap

Cisco often tests the distinction between DNS-layer security (which blocks at the query level) and IP-layer enforcement (which blocks at the network layer), and candidates mistakenly think DLP or anti-virus are part of Umbrella because they confuse it with other Cisco security products like WSA or Secure Endpoint.

228 · Multi-Select · hard

Which THREE capabilities are provided by Cisco ISE's visibility services within the Secure Network Access domain? (Choose three.)

Select 3 answers
A. Endpoint profiling and classification (including IoT)
B. 802.1X authentication for wired and wireless
C. Security group access control enforcement
D. Guest user registration and sponsor workflows
E. Passive identity monitoring and contextual data collection
Answers: A, D, E

ISE profiles endpoints based on attributes like MAC OUI, DHCP options.

Why this answer

ISE visibility includes profiling, device registration (BYOD), and anomaly detection. Option A (endpoint profiling and classification, including IoT) is a core profiling feature. Option E (passive identity monitoring and contextual data collection) is part of ISE's network visibility, fed by passive identity sources such as ASA/Firepower.

Option D (guest registration and sponsor workflows) is part of visibility for guests. Option B is basic 802.1X authentication, not visibility. Option C is policy enforcement, not visibility.

229 · MCQ · easy

Which type of firewall is best suited to inspect application-layer traffic and protect against exploits like SQL injection?

A. Stateful firewall
B. Application proxy firewall
C. Packet-filtering firewall
D. Next-generation firewall with IPS and application visibility
Answer: D

Provides application-layer inspection and protection.

Why this answer

A next-generation firewall (NGFW) with IPS and application visibility is best suited to inspect application-layer traffic and protect against exploits like SQL injection because it combines deep packet inspection (DPI), signature-based IPS, and application-level awareness. Unlike simpler firewalls, an NGFW can decode HTTP/HTTPS payloads, match patterns against SQL injection signatures (e.g., ' OR 1=1 --), and block malicious traffic at Layer 7 while maintaining stateful inspection.

Exam trap

Cisco often tests the misconception that a stateful firewall is sufficient for application-layer threats, but the trap here is that stateful firewalls only inspect up to Layer 4 and cannot detect payload-based exploits like SQL injection, which require Layer 7 inspection and IPS capabilities.

How to eliminate wrong answers

Option A is wrong because a stateful firewall only tracks connection state (TCP handshake, sequence numbers) and inspects up to Layer 4, lacking the ability to parse application-layer payloads for SQL injection patterns. Option B is wrong because an application proxy firewall (a dedicated proxy) can inspect application traffic but is often slower, less scalable, and lacks integrated IPS signatures; the question asks for the 'best suited' modern solution, which is an NGFW with IPS and application visibility. Option C is wrong because a packet-filtering firewall operates only at Layers 3 and 4, filtering based on IP addresses, ports, and protocols, with no application-layer inspection to detect SQL injection.

230 · MCQ · hard

A university is using Cisco WSA to filter web traffic for its students and staff. The WSA is configured with transparent proxy mode and uses Active Directory for authentication. Recently, the IT department received complaints that some users cannot access certain educational websites that are correctly categorized as 'Education'. The WSA policy has a default rule that blocks all categories except those explicitly allowed. The 'Education' category is set to 'Allow'. However, affected users are shown a block page with the reason 'Web Reputation: Low Reputation'. The Web Reputation threshold is set to -5.0. The IT team checked the reputation scores of the blocked sites and found they are around -4.5. What is the most likely reason for the block?

A. The Web Reputation action is set to 'Block' for scores below 0, overriding the URL filtering allow
B. The 'Education' category is not included in the allowed list for the specific identification profile
C. The users are not authenticated properly and are assigned a default policy that blocks education
D. The HTTPS decryption is failing for those sites, causing a block
Answer: A

Reputation actions can override URL filtering, blocking sites with low reputation even if the category is allowed.

Why this answer

Option A is correct because the Web Reputation action configured in the WSA policy overrides the URL category-based allow rule. Even though the 'Education' category is set to 'Allow', the Web Reputation threshold is set to -5.0, and the blocked sites have a reputation score of -4.5 (which is below the threshold, meaning worse reputation). The WSA applies the most restrictive action: if Web Reputation is set to 'Block' for scores below 0, it will block traffic regardless of the category allow action, resulting in the block page showing 'Web Reputation: Low Reputation'.

Exam trap

Cisco often tests the concept that Web Reputation actions can override URL category allow rules, leading candidates to mistakenly focus on category misconfiguration or authentication issues when the block page explicitly indicates reputation as the reason.

How to eliminate wrong answers

Option B is wrong because the question states the 'Education' category is set to 'Allow' in the WSA policy, and the block page explicitly cites 'Web Reputation: Low Reputation', not a category mismatch. Option C is wrong because the block page reason is reputation-based, not authentication-related; if users were unauthenticated, they would likely see a different block message or be redirected to a login page, not a reputation block. Option D is wrong because HTTPS decryption failure would typically result in a certificate error or a 'decryption failed' block page, not a 'Web Reputation: Low Reputation' message; reputation scoring is independent of decryption status.

231 · MCQ · medium

A network engineer is designing a multi-cloud architecture with AWS and Azure. The company needs consistent security policies across both cloud providers and on-premises data centers. Which Cisco solution should the engineer recommend?

A. Cisco Umbrella SIG
B. Cisco Firepower NGFW
C. Cisco Tetration
D. Cisco Stealthwatch Enterprise
Answer: C

Correct: Tetration provides micro-segmentation and consistent policies across hybrid/multi-cloud.

Why this answer

Option C is correct because Cisco Tetration provides workload protection and micro-segmentation across multicloud environments. Option D is wrong because Stealthwatch is for network traffic visibility, not policy orchestration. Option B is wrong because Firepower is more focused on on-premises deployments.

Option A is wrong because Umbrella SIG is cloud-delivered security but not a tool for workload segmentation.

232 · MCQ · hard

A hospital is deploying Cisco ISE for network access control. They have a mix of employee laptops, medical devices (e.g., infusion pumps), and guest smartphones. The network uses Cisco Catalyst 9300 switches and Aironet 3700 series access points. For medical devices, the policy must use MAC Authentication Bypass (MAB) since they are 802.1X incapable. The ISE policy authenticates via MAB and then assigns the device to a specific VLAN for medical devices. During a pilot, the network team notices that some infusion pumps (MAC: 00:1A:2B:3C:4D:5E) are failing MAB authentication. The switch logs show 'Authentication failed for MAC 001a.2b3c.4d5e on interface GigabitEthernet1/0/10'. ISE logs show 'Authentication failed - RADIUS server rejected - Reason: Invalid Endpoint ID'. The engineer has verified the MAC address is in the ISE endpoint repository with the correct identity group. What should the engineer check next to resolve this issue?

A. Verify that the switch port is configured with 'authentication port-control auto'
B. Check the MAC address format in the ISE endpoint identity store (such as using lowercase with a hyphen separator)
C. Confirm that the ISE policy for MAB allows the device to authenticate
D. Ensure the RADIUS shared secret is correct on the switch and ISE
Answer: B

The switch sends the MAC address in a form such as '001a.2b3c.4d5e' (dotted) or '00-1a-2b-3c-4d-5e' (hyphenated); ISE expects a specific format, and a mismatch causes 'Invalid Endpoint ID'.

Why this answer

The error 'Invalid Endpoint ID' typically indicates that the username/password used for MAB is not matching. For MAB, the switch sends the MAC address as both username and password. If the ISE repository has the MAC but the authentication profile expects a different format (e.g., lowercase, colon-separated), it can fail.

Option B is correct because the switch might be sending the MAC in a different case (upper vs. lower) or with a different delimiter. Option A would cause a different error. Option C would prevent any authentication at all.

Option D would cause other RADIUS services to fail as well; it is not specific to MAB.

233 · MCQ · medium

An organization is using Cisco ESA to protect against email-borne threats. They notice that some phishing emails are not being caught by the anti-spam engine. The emails contain malicious URLs that are rewritten by the ESA. Which feature should be verified to ensure the rewritten URLs are properly analyzed?

A. Data Loss Prevention (DLP) policies
B. URL filtering and analysis settings
C. Anti-Virus scanning engine
D. Encryption policies
Answer: B

This ensures rewritten URLs are analyzed for malicious content.

Why this answer

B is correct because the URL filtering and analysis settings control how the Cisco ESA rewrites and subsequently analyzes malicious URLs. When a phishing email contains a malicious URL, the ESA can rewrite the URL to point to its own proxy for real-time analysis. If this feature is not properly configured or if the analysis settings (such as reputation scoring or time-of-click verification) are disabled, the rewritten URLs may not be inspected, allowing the threat to bypass detection.

Exam trap

Cisco often tests the distinction between features that inspect content (anti-spam, anti-virus) versus features that analyze URLs at the time of click, leading candidates to mistakenly choose anti-virus or anti-spam options when the question specifically involves rewritten URLs.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies are designed to prevent sensitive data from leaving the organization, not to analyze rewritten URLs for malicious content. Option C is wrong because the Anti-Virus scanning engine focuses on detecting malware in attachments or body content, not on analyzing rewritten URLs or their destinations. Option D is wrong because encryption policies govern the use of TLS or S/MIME for secure email transmission, not the inspection or analysis of rewritten URLs.

234 · MCQ · medium

A security engineer notices that several endpoints in the HR department have been infected with ransomware despite having Cisco AMP for Endpoints deployed. The AMP policy is set to 'Detect' for all file types. What is the most likely reason the ransomware was not blocked?

A. The endpoints had process exclusions that allowed the ransomware process.
B. The AMP policy was set to 'Detect' and not 'Block' or 'Quarantine'.
C. The AMP cloud was unreachable during the infection attempt.
D. The file was too large for cloud analysis and AMP timed out.
Answer: B

The 'Detect' mode only generates alerts without taking preventive action.

Why this answer

Cisco AMP for Endpoints policies have three primary actions: 'Detect', 'Block', and 'Quarantine'. When a policy is set to 'Detect', the endpoint will alert on malicious files but will not prevent execution. Since the ransomware was allowed to run, the most likely cause is that the policy was configured to 'Detect' only, rather than a more restrictive action like 'Block' or 'Quarantine'.

Exam trap

Cisco often tests the distinction between 'Detect' and 'Block' actions in AMP policies, as candidates may assume that any detection capability automatically prevents execution, but 'Detect' is purely alerting without enforcement.

How to eliminate wrong answers

Option A is wrong because process exclusions in AMP are used to bypass scanning for legitimate processes, but the question states the ransomware was not blocked due to the policy setting, not due to an exclusion list. Option C is wrong because while cloud connectivity issues can affect retrospective analysis and file reputation lookups, AMP for Endpoints uses local TETRA (Traps Engine for Threat Recognition and Analysis) and Spero engine to block known malware even without cloud access; the 'Detect' policy would still allow execution regardless of cloud reachability. Option D is wrong because file size limits for cloud analysis (typically 8 MB for full upload) would cause AMP to fall back to local analysis or allow the file if it cannot be analyzed, but the core issue remains the policy action being set to 'Detect' rather than 'Block'.

235 · Multi-Select · hard

An organization is deploying Cisco Cloud Workload Protection (CWP) in AWS. Which THREE of the following components are part of a standard CWP architecture?

Select 3 answers
A. Cloud Security Posture Management (CSPM) scanner
B. Workload sensor (agent or agentless)
C. Policy enforcement point (e.g., network enforcement)
D. Cisco Umbrella DNS connector
E. Centralized aggregation and analysis server
Answers: B, C, E

Sensors collect telemetry from workloads.

Why this answer

The workload sensor (agent or agentless) is a core component of Cisco Cloud Workload Protection (CWP) because it provides visibility into workload activity, including process execution, network connections, and file integrity. This sensor collects telemetry data from workloads running in AWS and forwards it to the centralized analysis engine for threat detection and policy enforcement.

Exam trap

Cisco often tests the distinction between CWP's workload-specific components (sensor, enforcement point, analysis server) and other Cisco cloud security products like CSPM or Umbrella, so candidates mistakenly include CSPM or DNS connectors as part of CWP.

236 · Multi-Select · easy

Which TWO of the following are components of Cisco TrustSec?

Select 2 answers
A. 802.1X
B. Security Group Tag (SGT)
C. Security Group Access Control List (SGACL)
D. MACsec
E. IPsec
Answers: B, C

SGTs carry group membership information in packets.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) to classify traffic based on identity and enforce access control policies. SGTs are 16-bit values assigned to users or devices, and they are carried in the packet header (e.g., via Cisco Metadata or inline tagging) to allow policy enforcement at the network layer.

Exam trap

Cisco often tests the distinction between authentication/encryption protocols (802.1X, MACsec, IPsec) and the actual policy enforcement components (SGT and SGACL) of TrustSec, leading candidates to select 802.1X or MACsec as TrustSec components when they are merely supporting technologies.

237 · MCQ · easy

A company is deploying cloud workload protection for their Azure VMs. They want to ensure that security policies are automatically adjusted based on workload changes. Which technology should they implement?

A. Cisco Firepower NGFW
B. Cisco Secure Workload
C. Cisco Umbrella
D. Cisco Stealthwatch
Answer: B

Provides automatic policy adjustment based on workload changes.

Why this answer

Cisco Secure Workload (formerly Tetration) is the correct choice because it provides workload protection for Azure VMs with automatic policy adjustment based on workload changes. It uses agent-based and agentless sensors to collect telemetry, builds a dependency map, and enforces micro-segmentation policies that dynamically adapt as workloads scale, migrate, or change, meeting the requirement for automated security policy adjustment.

Exam trap

The trap here is that candidates often confuse Cisco Secure Workload with Cisco Stealthwatch, assuming both provide similar workload visibility, but Stealthwatch lacks the automated policy enforcement and micro-segmentation capabilities that Secure Workload offers for dynamic cloud environments.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower NGFW is a network firewall that provides perimeter and east-west traffic inspection but does not natively integrate with Azure VM workload changes to automatically adjust security policies; it requires manual policy updates or external orchestration. Option C is wrong because Cisco Umbrella is a cloud-delivered DNS-layer security and secure web gateway (SWG) that protects against internet threats but does not provide workload-level policy automation or micro-segmentation for Azure VMs. Option D is wrong because Cisco Stealthwatch is a network traffic analysis and visibility tool that uses NetFlow/IPFIX for anomaly detection but does not automatically adjust security policies based on workload changes; it focuses on monitoring rather than enforcement.

238 · Multi-Select · medium

Which TWO of the following are best practices when configuring Cisco Email Security Appliance (ESA) anti-spam filters? (Choose two.)

Select 2 answers
A. Rely solely on IP reputation lists for spam detection.
B. Adjust threshold levels per sender group to reduce false positives.
C. Use a combination of Cisco Anti-Spam and a third-party anti-spam engine.
D. Set the anti-spam action to 'Delete' for high-scoring messages.
E. Enable all available anti-spam engines to ensure maximum detection.
Answers: B, C

Different sender groups may require different sensitivity.

Why this answer

Best practices for ESA anti-spam include enabling multiple anti-spam engines for layered detection and configuring threshold levels per group. Option C is correct because using both Cisco Anti-Spam and a third-party engine improves detection. Option B is correct because tuning thresholds per sender group reduces false positives.

Option E is incorrect because enabling all engines can cause performance issues. Option D is incorrect because deleting without quarantine may cause loss of legitimate mail. Option A is incorrect because relying solely on reputation lists is the least accurate approach.

239 · Multi-Select · medium

Which TWO of the following are benefits of using Cisco Cloudlock for cloud security? (Choose two.)

Select 2 answers
A. Shadow IT discovery
B. DDoS protection
C. Network firewall capabilities
D. Identity and access management
E. Data loss prevention for cloud apps
Answers: A, E

Cloudlock can discover unsanctioned cloud applications.

Why this answer

Cisco Cloudlock is a cloud access security broker (CASB) that provides visibility into cloud application usage. Option A is correct because Cloudlock's Shadow IT discovery feature identifies unauthorized cloud applications being used by employees, allowing administrators to assess risk and enforce policies. This is a core CASB function that discovers and categorizes cloud apps based on user traffic patterns.

Exam trap

Cisco often tests the distinction between CASB functions (Shadow IT, DLP) and traditional network security functions (firewall, DDoS), leading candidates to mistakenly associate Cloudlock with network-layer protections.

240 · MCQ · easy

A company wants to allow employees to access webmail services but block any upload of attachments that contain malware. Which feature of Cisco WSA should be configured?

A. Data Loss Prevention (DLP) policy
B. Application Visibility and Control (AVC)
C. URL filtering policy
D. Malware scanning with DVS engine
Answer: D

DVS engine scans files for malware, including uploads.

Why this answer

Option D is correct because the Dynamic Vectoring and Scoring (DVS) engine in Cisco WSA provides advanced malware detection by analyzing file attachments in real time, including webmail uploads. It uses multiple scanning techniques, such as reputation analysis and file-type identification, to block malware before it reaches the user. This directly addresses the requirement to prevent malware-laden attachments in webmail traffic.

Exam trap

Cisco often tests the distinction between DLP (data loss prevention) and malware scanning, leading candidates to mistakenly choose DLP when the question is about blocking malicious content rather than preventing data leakage.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies are designed to prevent sensitive data from leaving the network (e.g., credit card numbers, PII), not to detect or block malware in attachments. Option B is wrong because Application Visibility and Control (AVC) focuses on identifying and controlling application traffic (e.g., blocking or shaping webmail apps), not on scanning file content for malware. Option C is wrong because URL filtering policies control access based on web categories or reputation, not on the content of uploaded attachments; they cannot inspect or block malware within files.

241 · MCQ · easy

A company is implementing Cisco Umbrella to provide DNS-layer security. They want to block access to known malicious domains while allowing all other traffic. Which policy configuration should be used?

A. Create a block list with known malicious domains
B. Enable selective proxy for all traffic
C. Create an allow list with only safe domains
D. Use a custom policy with both allow and block lists
Answer: A

Block list allows all traffic except specified malicious domains.

Why this answer

Cisco Umbrella's DNS-layer security operates by intercepting DNS queries and comparing them against policy-defined lists. A block list containing known malicious domains is the correct approach because Umbrella will block DNS resolution for those domains while allowing all other traffic to pass through normally. This aligns with the requirement to block only malicious destinations without affecting access to legitimate sites.

Exam trap

Cisco often tests the distinction between DNS-layer security (which uses block lists for domain resolution) and proxy-based security (which inspects full HTTP/HTTPS traffic), leading candidates to mistakenly select proxy options like selective proxy when only DNS-layer blocking is needed.

How to eliminate wrong answers

Option B is wrong because enabling selective proxy for all traffic would route all web traffic through Umbrella's proxy, which is unnecessary for DNS-layer blocking and could introduce latency or break non-HTTP traffic. Option C is wrong because an allow list with only safe domains would block all traffic except those explicitly allowed, which is the opposite of the requirement to allow all other traffic. Option D is wrong because while custom policies can combine allow and block lists, the requirement specifically calls for blocking known malicious domains while allowing everything else, making a simple block list the most direct and correct configuration.

242 · MCQ · hard

In a Cisco TrustSec deployment, you want to dynamically assign SGTs based on user authentication. Which mechanism should you use?

A. CTS SXP
B. CTS RBACL
C. CTS device classification
D. CTS identity-based networking (IBNS) with RADIUS CoA
Answer: D

IBNS with CoA can dynamically assign SGTs via RADIUS attributes.

Why this answer

Option D is correct. Identity-Based Networking Services (IBNS) with RADIUS Change of Authorization (CoA) allows dynamic assignment of SGTs during authentication. Option B (RBACL) is for role-based access control, not SGT assignment.

Option A (SXP) propagates SGTs between devices but does not assign them dynamically. Option C (device classification) is for static assignment.

243 · MCQ · medium

An ASA firewall is configured as shown. A web server is behind the ASA with IP 10.1.1.100. Which additional configuration is required to allow HTTPS traffic from the internet to the web server?

A. Add a route to the web server's subnet
B. Configure static NAT for the web server
C. Increase the security level of the inside interface
D. Apply the access-group to the inside interface
Answer: B

Static NAT is necessary to map the public IP to the internal server.

Why this answer

Option B is correct because the ASA firewall requires static NAT to translate the public IP address (typically the ASA's outside interface IP or a dedicated public IP) to the private IP address of the web server (10.1.1.100). Without static NAT, the ASA will not perform the necessary destination address translation for inbound HTTPS traffic, and the web server's private IP is not routable on the internet.

Exam trap

The trap here is that candidates often assume a route or security level adjustment is sufficient, but Cisco specifically tests that NAT is mandatory for translating private addresses to public addresses in ASA firewall configurations.

How to eliminate wrong answers

Option A is wrong because adding a route to the web server's subnet is unnecessary; the ASA already has a directly connected route to the 10.1.1.0/24 subnet via its inside interface. Option C is wrong because increasing the security level of the inside interface does not affect inbound traffic from a lower-security interface (outside) to a higher-security interface (inside); security levels control default traffic flow direction, not NAT or access control. Option D is wrong because applying the access-group to the inside interface would filter traffic exiting the inside interface, not inbound traffic from the internet; the access-group must be applied to the outside interface to permit HTTPS traffic inbound.

244 · MCQ · easy

A company uses Cisco Umbrella to block malicious domains. An endpoint user reports that they cannot access a legitimate business website. The website resolves to a domain that is not on any block list. What is the most likely cause?

A. The domain is listed in a custom Destination List with 'Block' action.
B. The domain is part of a content category that is blocked in the Umbrella policy.
C. The Umbrella policy has Application Settings enabled for 'Web Browsing' with block action.
D. The Umbrella roaming client is using an invalid API token.
Answer: B

Umbrella's content category filtering can block entire categories of websites, even if the domain is not individually listed.

Why this answer

Option B is correct because 'Content Categories' in Umbrella can inadvertently block categories like 'Business' or 'Information Technology' if misconfigured. Option D is incorrect because an invalid token would block all internet access, not a single site. Option C is incorrect because 'Application Settings' control application-level filtering, not URL access.

Option A is incorrect because 'Destination Lists' contain specific domains, not categories, and the question states that the domain is not on any block list.

245 · MCQ · hard

Refer to the exhibit. The crypto map is applied to an interface. Which additional configuration is necessary for IPsec to function correctly?

A. Define an extended access list for interesting traffic
B. Create a tunnel interface and apply the crypto map to it
C. Create a transform-set with the same parameters as the proposal
D. Configure an ISAKMP policy (IKE phase 1) with pre-shared key or certificate
Answer: D

IKE phase 1 must be configured to establish a secure channel before IPsec can work.

Why this answer

IPsec requires both IKE Phase 1 (ISAKMP) and Phase 2 to be configured. The crypto map references a transform-set and an access list, but without an ISAKMP policy defining authentication (pre-shared key or certificate) and encryption/hash parameters, IKE cannot establish a secure control channel. Option D is correct because the ISAKMP policy is mandatory for IKE Phase 1 negotiation before IPsec SAs can be created.

Exam trap

Cisco often tests the misconception that a crypto map alone is sufficient for IPsec, hiding the fact that IKE Phase 1 (ISAKMP policy) is a prerequisite that must be configured separately, leading candidates to overlook it when other options like transform-sets or access lists are already present.

How to eliminate wrong answers

Option A is wrong because an extended access list for interesting traffic is already referenced in the crypto map (as shown in the exhibit), so it is not missing. Option B is wrong because a tunnel interface is not required for site-to-site IPsec; the crypto map is applied directly to the physical or sub-interface, and creating a tunnel interface would be an unnecessary overlay. Option C is wrong because a transform-set is already defined and referenced in the crypto map; creating another with the same parameters would be redundant and not address the missing IKE Phase 1 configuration.

246
MCQ hard

An administrator configures Cisco Email Security Appliance (ESA) with an outbreak filter to handle a new ransomware variant. The outbreak filter is set to 'Quarantine' for messages with a threat score above 70. After deployment, some legitimate emails with a threat score of 75 are quarantined. The administrator wants to reduce false positives without compromising security. Which configuration change should be made?

A. Disable the outbreak filter temporarily to allow all emails.
B. Increase the threat score threshold to 80 or higher.
C. Create a content filter to bypass outbreak filtering for known good senders.
D. Configure the outbreak filter to 'Analyze' instead of 'Quarantine' for scores between 70 and 80.
Answer: D

Analysis allows the ESA to gather more intelligence and possibly release the email if it's determined safe, reducing false positives.

Why this answer

Option D is correct because it allows the administrator to apply a graduated response: messages with threat scores between 70 and 80 are analyzed (e.g., delivered with a warning or delayed) rather than quarantined, reducing false positives while still providing security. The outbreak filter in Cisco ESA supports multiple actions per score range, enabling a tiered policy that avoids an all-or-nothing approach. This maintains protection against truly high-risk messages (score >80) while sparing borderline legitimate traffic.

Exam trap

Cisco often tests the distinction between outbreak filter actions (Quarantine, Analyze, Deliver) and the misconception that content filters can override outbreak filter verdicts, when in reality outbreak filters are evaluated first and content filters cannot bypass them.

How to eliminate wrong answers

Option A is wrong because disabling the outbreak filter entirely removes all protection against the ransomware variant, which compromises security. Option B is wrong because increasing the threshold to 80 or higher would still quarantine legitimate emails with a score of 75, failing to address the false positive issue; it merely shifts the cutoff without resolving the underlying problem of borderline scores. Option C is wrong because content filters operate independently from outbreak filters and cannot bypass outbreak filtering; outbreak filters evaluate messages based on threat scores from Talos/Sophos, and a content filter cannot override that action unless the message is already allowed through the outbreak filter.

247
MCQ medium

A network security engineer is deploying Cisco Firepower Threat Defense (FTD) in a data center. The requirement is to inspect traffic between two internal VLANs while allowing the firewall to enforce access control policies based on source and destination zones. Which deployment mode should the engineer use?

A. Routed mode
B. Inline mode
C. Transparent mode
D. Hybrid mode
Answer: C

Transparent mode operates at layer 2, allowing inspection between VLANs without IP renumbering.

Why this answer

Transparent mode (Layer 2 mode) is correct because the requirement specifies inspecting traffic between two internal VLANs without routing. In transparent mode, the FTD acts as a bridge, forwarding frames based on MAC addresses while enforcing access control policies based on source and destination zones. This allows the firewall to inspect inter-VLAN traffic without requiring IP address changes or acting as a default gateway.

Exam trap

Cisco often tests the distinction between 'transparent mode' and 'inline mode'—the trap here is that candidates confuse 'inline' (a deployment topology for IPS sensors) with 'transparent' (a Layer 2 firewall mode), leading them to incorrectly select inline mode when the question asks about firewall deployment modes for FTD.

How to eliminate wrong answers

Option A is wrong because routed mode operates at Layer 3, requiring the FTD to be the next-hop gateway for each VLAN, which would change the network topology and introduce routing decisions not needed for internal VLAN-to-VLAN inspection. Option B is wrong because inline mode is a deployment method for IPS/IDS sensors (e.g., passive or inline tap), not a firewall mode; the FTD does not have an 'inline mode' as a standalone deployment mode—it is either routed, transparent, or hybrid. Option D is wrong because hybrid mode is not a standard deployment mode for FTD; the FTD supports routed and transparent modes, and while it can run multiple virtual firewalls in different modes, 'hybrid mode' is not a selectable deployment mode for a single FTD device.

248
Multi-Select easy

A company wants to implement Zero Trust principles in their cloud environment. Which THREE of the following are key Zero Trust tenets?

Select 3 answers
A. Assume breach (minimize blast radius)
B. Implement multifactor authentication (MFA) everywhere
C. Use least privilege access
D. Verify explicitly (authenticate and authorize every request)
E. Assume that the perimeter is secure
Answers: A, C, D

Design with the expectation that breach will occur, and segment accordingly.

Why this answer

Option A is correct because 'Assume breach' is a core Zero Trust tenet that minimizes the blast radius by segmenting access and continuously monitoring for threats, even within the cloud environment. This principle assumes that an attacker may already be present, so it enforces micro-segmentation and real-time analytics to limit lateral movement, aligning with NIST SP 800-207 Zero Trust Architecture guidelines.

Exam trap

Cisco often tests the distinction between 'security controls' (like MFA) and 'core tenets' (like verify explicitly), leading candidates to incorrectly select MFA as a tenet rather than recognizing it as an implementation tool.

249
MCQ hard

Refer to the exhibit. A network administrator is troubleshooting device tracking on a Cisco switch. The output shows two devices in VLAN 100. The switch is configured with IPv6 first-hop security features. The administrator notices that the device with MAC address aaaa.bbbb.cccc is not receiving RA guard protection. What is the most likely reason?

A. The interface Gi0/1/1 is not configured as a trusted interface for RA guard.
B. The device is not in the same VLAN as the RA guard policy.
C. The device tracking entry for aaaa.bbbb.cccc is invalid.
D. The device tracking table has reached its limit.
Answer: A

RA guard only applies to trusted interfaces.

Why this answer

RA Guard protection is applied per interface based on trust configuration. The exhibit shows the device with MAC aaaa.bbbb.cccc is reachable via Gi0/1/1, but if that interface is not explicitly configured as trusted for RA Guard (e.g., using `ipv6 nd raguard trust`), the switch will not apply RA Guard filtering to RAs received on that port. This allows rogue RA messages from that device to bypass protection, making A the correct answer.

Exam trap

Cisco often tests the distinction between device tracking entries being present and the interface trust configuration being applied, leading candidates to incorrectly assume a valid tracking entry implies protection is active.

How to eliminate wrong answers

Option B is wrong because the device is in VLAN 100, and the RA Guard policy is applied to that VLAN (as shown in the exhibit), so the VLAN mismatch is not the issue. Option C is wrong because the device tracking entry for aaaa.bbbb.cccc is listed as valid (state REACHABLE), so it is not invalid. Option D is wrong because the device tracking table shows only two entries, far below typical limits (e.g., 4096 or more), so the table is not full.

250
MCQ medium

A company deploys Cisco ASA with clientless SSL VPN to provide remote access to internal web-based applications. Users connect via a web browser and authenticate using RADIUS. The security policy requires that users re-authenticate after 15 minutes of inactivity. The administrator configures the group-policy with 'vpn-idle-timeout 15' and 'vpn-session-timeout 60'. After testing, the administrator finds that users can still access the internal web applications even after the VPN session has timed out. The administrator checks the ASA logs and confirms that the VPN session is indeed terminated. The web applications are standard HTTP-based and do not have their own session timeout mechanisms. What is the most likely cause of this issue?

A. The web applications use persistent cookies that do not require re-authentication.
B. The clientless SSL VPN portal uses 'application-specific' timeout settings.
C. The RADIUS server is sending the 'Session-Timeout' attribute that overrides the ASA configuration.
D. The ASA is configured with 'webvpn' and 'cache' enabled, which caches the application pages.
Answer: A

Persistent cookies maintain the application session independently of the VPN session.

Why this answer

Option A is correct because clientless SSL VPN uses a web portal that relies on cookies to maintain the user's authenticated state. When the VPN session times out, the ASA terminates the VPN tunnel, but the web browser still holds the authentication cookie for the internal web application. Since the web application itself has no session timeout, the cookie remains valid, allowing the user to continue accessing the application without re-authentication.

The ASA's vpn-idle-timeout and vpn-session-timeout only control the VPN tunnel, not the application-layer cookies.

Exam trap

Cisco often tests the distinction between VPN-layer timeouts and application-layer session persistence, trapping candidates who assume that terminating the VPN tunnel automatically invalidates all application access.

How to eliminate wrong answers

Option B is wrong because 'application-specific' timeout settings in clientless SSL VPN are not a standard feature; the ASA does not have per-application timeout configurations that override the group-policy timeouts. Option C is wrong because the RADIUS 'Session-Timeout' attribute, if sent, would override the ASA's vpn-session-timeout, but the issue is that users can still access applications after the VPN session ends, which is not caused by an override—it's a cookie persistence problem. Option D is wrong because the 'webvpn cache' feature caches static content like images and CSS to improve performance, not authentication tokens or session state; it does not allow continued access after session termination.

251
MCQ medium

A network engineer is troubleshooting an issue where users on VLAN 10 cannot access the internet, but they can reach internal resources. The firewall is configured with a default route pointing to the ISP router. The engineer notices that NAT is configured but traffic is not being translated. Which configuration is most likely missing?

A. An ACL to match the traffic to be translated
B. A NAT pool with available public IP addresses
C. Port Address Translation (PAT) configuration
D. A route map to apply NAT based on destination
Answer: A

The ACL defines interesting traffic for NAT; without it, no packets are matched for translation.

Why this answer

For NAT to translate traffic, the firewall must know which traffic to translate. An ACL is used to match the source IP addresses (or networks) that should be translated. Without an ACL applied to the NAT rule, the firewall has no criteria to identify traffic from VLAN 10 for translation, so packets are forwarded without NAT, causing internet access to fail while internal routing works.

Exam trap

Cisco often tests the misconception that simply enabling NAT or PAT is enough, but the ACL is the critical component that defines the traffic to be translated, and candidates may overlook it because they assume NAT applies to all traffic by default.

How to eliminate wrong answers

Option B is wrong because a NAT pool is only needed for dynamic NAT with a range of public IPs; for typical PAT (overload) to a single interface IP, no pool is required. Option C is wrong because PAT is a type of NAT (often configured with 'overload'), but the core missing piece is the ACL to define which traffic is translated; PAT configuration alone does not specify the traffic. Option D is wrong because a route map for NAT based on destination is an advanced feature (e.g., policy NAT) and is not required for basic source NAT; the standard approach uses an ACL to match source addresses.
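The complete IOS configuration for the scenario, showing where the ACL fits relative to the PAT statement and the interfaces. This is an added example, not from the question; interface names and addresses are constructed placeholders.

```cisco
! Added example (not from the question). Names and addresses are placeholders.

! Step 1: the ACL that identifies which source traffic is translated (option A,
! the missing piece). Without it the NAT statement has nothing to match.
ip access-list standard NAT-INSIDE
 permit 10.10.0.0 0.0.0.255

! Step 2: mark the inside (VLAN 10) and outside (ISP-facing) interfaces
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0
 description Link to ISP router
 ip address 198.51.100.2 255.255.255.252
 ip nat outside

! Step 3: PAT (overload) to the outside interface address; no pool needed (option B),
! and the 'overload' keyword alone does not select traffic (option C)
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload

! Default route to the ISP router, already present in the scenario
ip route 0.0.0.0 0.0.0.0 198.51.100.1

! Verification:
! show ip nat translations  -> entries for 10.10.0.x hosts appear once they send traffic
! show ip nat statistics    -> 'Hits' increments; growing 'Misses' with zero hits
!                              points to an ACL that does not match VLAN 10
```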

252
Multi-Select easy

Which TWO Cisco solutions provide virtual firewall capabilities in public cloud environments? (Choose two.)

Select 2 answers
A. Cisco ASAv
B. Cisco DNA Center
C. Cisco Umbrella
D. Cisco Firepower Threat Defense (FTD) for AWS
E. Cisco ISE
Answers: A, D

ASAv is the virtual ASA firewall, available in AWS, Azure, GCP.

Why this answer

Cisco ASAv (Adaptive Security Virtual Appliance) is a virtualized version of the Cisco ASA firewall that can be deployed in public cloud environments such as AWS, Azure, and GCP. It provides stateful firewall, VPN, and threat defense capabilities natively within the cloud infrastructure. Option A is correct because ASAv is explicitly designed for virtual firewall functions in public clouds.

Exam trap

Cisco often tests the distinction between cloud-delivered security services (like Umbrella) and virtualized network security appliances (like ASAv/FTDv), causing candidates to mistakenly select Umbrella as a virtual firewall when it is actually a cloud-based security service.

253
Multi-Select medium

Which TWO of the following are capabilities of Cisco Orbital?

Select 2 answers
A. Real-time file reputation checking
B. Running live queries across all endpoints
C. Scheduled forensic data collection tasks
D. Pre-execution sandboxing of unknown files
E. Automated endpoint isolation via ISE
Answers: B, C

Orbital allows queries in real-time across managed endpoints.

Why this answer

Cisco Orbital provides advanced endpoint querying and can run scripts on endpoints for investigation.

254
MCQ hard

You are a security engineer for a multinational corporation with 5,000 employees. The company uses Cisco Umbrella for DNS-layer security, Cisco Web Security Appliance (WSA) for proxy services in the data center, and Cisco Email Security Appliance (ESA) for email security. Recently, the security team has received multiple reports of users receiving phishing emails that bypass the ESA. The emails contain links to malicious websites that are also not blocked by Umbrella or WSA. Upon investigation, you find that the phishing emails use newly registered domains (less than 24 hours old) and the malicious websites are hosted on cloud infrastructure with frequently changing IP addresses. The company's current security policies rely on signature-based detection and static blocklists. Which action should you take to most effectively mitigate these threats?

A. Deploy Cisco Threat Response to enable automated threat hunting and blocking across all security products.
B. Configure the WSA to block all domains registered within the last 30 days.
C. Enable Data Loss Prevention (DLP) on the ESA to scan email content for sensitive data.
D. Increase the frequency of signature updates on the ESA and WSA to every hour.
Answer: A

Cisco Threat Response uses real-time intelligence to block emerging threats across the entire security stack.

Why this answer

Option A is correct because Cisco Threat Response (CTR) provides integrated threat hunting and automated blocking across Cisco security products, including Umbrella, WSA, and ESA. This enables the security team to correlate indicators of compromise (IoCs) from phishing emails and newly registered domains, then automatically block them across all layers, addressing the dynamic nature of the threat (fast-flux hosting and newly registered domains) that signature-based and static blocklists cannot handle.

Exam trap

Cisco often tests the misconception that increasing signature update frequency or using broad domain-blocking rules can effectively stop zero-day or rapidly changing threats, when in fact integrated threat intelligence and automated response (like CTR) are required to address dynamic attacks that bypass signature-based and static defenses.

How to eliminate wrong answers

Option B is wrong because blocking all domains registered within the last 30 days is overly aggressive and would cause massive false positives, as many legitimate domains (e.g., for marketing campaigns or new business sites) are registered daily; it also does not leverage the integrated threat intelligence needed to dynamically identify malicious new domains. Option C is wrong because DLP on the ESA focuses on preventing data exfiltration by scanning for sensitive content (e.g., credit card numbers, PII), not on detecting or blocking phishing emails with malicious links; it does not address the core issue of bypassing email and web security. Option D is wrong because increasing signature update frequency on ESA and WSA still relies on signature-based detection, which cannot protect against zero-day or rapidly changing threats like newly registered domains and fast-flux IP addresses; signatures are reactive and require time to be created and distributed.

255
MCQ hard

A global enterprise with over 20,000 endpoints has been using Cisco AMP for Endpoints for two years. They recently migrated to a new SIEM and want to forward AMP events in near real-time. The security operations team notices that the SIEM is receiving duplicate events for the same file execution, causing alert fatigue. The AMP console shows that the 'Send to Syslog' action is enabled on two different policies, and both policies are applied to the same groups of endpoints. The team also uses the AMP APIs to pull data. The network engineer wants to eliminate duplicate events without losing any critical alerts. Which course of action should the engineer take?

A. Disable the AMP API to stop duplicates from multiple data sources.
B. Increase the event detection interval to reduce the number of events generated.
C. Remove the 'Send to Syslog' action from one of the two policies.
D. Review the group hierarchy and ensure each endpoint is assigned to a single policy that includes the syslog action.
Answer: D

Eliminates duplicate policy application.

Why this answer

Option C is correct because duplicate events are caused by multiple policies with the same syslog action. Consolidating policy assignments ensures that each endpoint receives only one policy with syslog forwarding. Option A (disable API) would stop API pulls but not duplicates from syslog.

Option B (disable one policy) might remove the syslog action from one policy but could leave gaps if that policy has other important settings. Option D (increase detection interval) does not affect duplicates.

256
MCQ hard

A financial services company uses a multi-cloud strategy with workloads in AWS and Azure. They must comply with PCI DSS, which requires encryption of cardholder data at rest and in transit. The security team has implemented the following: 1) AWS S3 buckets use server-side encryption with AWS KMS (SSE-KMS). 2) Azure Blob Storage uses Azure Storage Service Encryption (SSE) with Azure Key Vault. 3) All traffic between VPCs and VNets uses IPsec VPN tunnels. During an audit, the assessor notes that data stored in AWS S3 is encrypted with a key that is also used for a development environment. Additionally, logs from Azure Blob Storage are accessible to a group of developers with read-only permissions. Which action should the security team take to address the compliance gaps?

A. Change the encryption method to AWS S3 SSE-C and Azure client-side encryption to maintain separate keys.
B. Implement a cloud DLP solution to monitor access to encrypted data and alert on unauthorized use.
C. Use a third-party VPN appliance to ensure encryption in transit between all cloud environments.
D. Create separate KMS keys for production and development in AWS, and restrict Azure Blob Storage log access to only authorized security auditors.
Answer: D

Separate keys satisfy PCI DSS requirement for key separation; restricting log access meets access control requirements.

Why this answer

Option D is correct because PCI DSS requires strict separation of cryptographic keys between production and non-production environments, and logging access must be restricted to authorized personnel. Using the same KMS key for production S3 data and a development environment violates this requirement, and granting developers read-only access to Azure Blob Storage logs exposes sensitive audit data. Creating separate KMS keys for production and development in AWS ensures key isolation, while restricting Azure Blob Storage log access to only authorized security auditors enforces the principle of least privilege required by PCI DSS.

Exam trap

Cisco often tests the distinction between encryption methods (SSE-S3, SSE-KMS, SSE-C) and key management controls, leading candidates to focus on encryption algorithms rather than the PCI DSS requirement for key separation and access control to audit logs.

How to eliminate wrong answers

Option A is wrong because changing to SSE-C or client-side encryption does not address the key reuse issue (the same key could still be used) and introduces key management complexity without solving the access control problem for logs. Option B is wrong because a cloud DLP solution monitors data patterns but does not enforce cryptographic key separation or restrict log access; it is a detective control, not a corrective one for the specific compliance gaps. Option C is wrong because the existing IPsec VPN tunnels already provide encryption in transit between VPCs and VNets; the audit findings are about key reuse and log access, not about the encryption method for data in transit.

257
Matching medium

Match each Cisco security solution to its primary use case.


Next-generation firewall and IPS

DNS-layer security and web filtering

Endpoint threat detection and response

Network access control and policy enforcement

Network traffic analysis and anomaly detection

Why these pairings

These are primary use cases for Cisco security products.

258
Multi-Select easy

Which TWO of the following are core components of the Cisco Identity Services Engine (ISE) for policy enforcement?

Select 2 answers
A. Active Directory Integration
B. EAP-TLS
C. Policy Service Node (PSN)
D. Firepower Threat Defense
E. Network Access Device (NAD)
Answers: A, C

ISE integrates with Active Directory to retrieve user and group information for policy.

Why this answer

The Policy Service Node (PSN) is responsible for policy decision and enforcement, and Active Directory integration is a key component for identity mapping. NAD (Network Access Device) is an external device that ISE controls, not a component of ISE itself. EAP-TLS is an authentication protocol, and Firepower is a separate security product.

259
Multi-Select hard

Which TWO of the following are true about MACsec?

Select 2 answers
A. It requires a PKI
B. It uses IEEE 802.1AE standard
C. It provides data confidentiality only
D. It is used for WLAN security
E. It operates at Layer 2
Answers: B, E

MACsec is defined by IEEE 802.1AE.

Why this answer

MACsec is defined by the IEEE 802.1AE standard, which specifies a security protocol for providing data confidentiality, integrity, and origin authenticity at Layer 2. It operates directly on Ethernet frames, encrypting the payload while preserving the frame header for transparent forwarding. This makes option B correct because the standard is the foundational reference for MACsec.

Exam trap

Cisco often tests the misconception that MACsec is a Layer 3 or application-layer security protocol, but the trap here is that candidates confuse it with IPsec (Layer 3) or WLAN security (Layer 2 but wireless), when MACsec is strictly a Layer 2 wired Ethernet security standard.

260
MCQ hard

An engineer is implementing Cisco ISE posture assessment for corporate Windows laptops. The requirement: endpoints that are missing critical Microsoft security patches must be quarantined in a remediation VLAN. The ISE posture policy uses an 'Application Condition' to check for the patch. However, some laptops with missing patches are still allowed access. During testing, the engineer notices that the posture agent reports 'NAC Agent: Posture Unknown' for those laptops. What is the most likely cause?

A. The posture agent software is outdated
B. The missing patches are not on the ISE patch list
C. The ISE server is unreachable from the client VLAN
D. The authorization policy does not include a posture profile
Answer: D

Without a posture profile in the authorization result, the client does not receive instructions to perform posture assessment, leading to 'Posture Unknown'.

Why this answer

Posture Unknown typically means the posture assessment timed out or the client did not complete the scan. A common cause is the posture agent not receiving the necessary credentials or probe from ISE due to a missing 'posture' authorization profile. Option B is correct because if the authorization policy does not invoke posture (i.e., the result includes a posture profile), the agent may not perform the scan.

Option A (patch not installed) would result in non-compliance, not unknown. Option C (ISE not reachable) would break all authentication. Option D (agent version) might cause issues but typically not 'unknown'.

So the answer is B.

261
Multi-Select hard

Which THREE are key components of Cisco's Cloud Security architecture? (Choose three.)

Select 3 answers
A. Cisco Duo
B. Cisco Catalyst switches
C. Cisco Secure Firewall (virtual)
D. Cisco Meraki access points
E. Cisco Secure Cloud Analytics (Stealthwatch Cloud)
Answers: A, C, E

Duo provides multi-factor authentication for cloud access.

Why this answer

Cisco Duo is a key component of Cisco's Cloud Security architecture because it provides multi-factor authentication (MFA) as a cloud-delivered service, enforcing zero-trust access policies for users connecting to cloud applications and resources. It integrates with various identity providers and applications via SAML, RADIUS, and OAuth, ensuring that only authenticated and authorized users gain access, which is fundamental to securing cloud environments.

Exam trap

Cisco often tests the distinction between cloud-managed hardware (like Meraki APs) and actual cloud security architecture components, so candidates mistakenly select Meraki access points because they are 'cloud-managed,' but they are not part of the cloud security architecture—they are endpoint connectivity devices.

262
MCQ medium

A company deploys a Cisco ASAv in AWS for VPN termination. They need to enforce multi-factor authentication (MFA) for remote access VPN users. Which Cisco solution integrates with ASAv to provide MFA?

A. Cisco Duo
B. Cisco Umbrella
C. Cisco ISE
D. Cisco Cloudlock
Answer: A

Duo integrates with ASAv for MFA via RADIUS or other methods.

Why this answer

Cisco Duo is the correct solution because it is a cloud-based MFA platform that integrates directly with the Cisco ASAv via the AnyConnect VPN client or the ASA's authentication proxy. Duo acts as a RADIUS or LDAP proxy, intercepting authentication requests and prompting users for a second factor (e.g., push notification, OTP) after primary credentials are validated. This provides the required multi-factor authentication for remote access VPN users without requiring additional on-premises infrastructure.

Exam trap

The trap here is that candidates often confuse Cisco ISE's ability to enforce MFA policies with it being a native MFA provider, when in fact ISE requires an external MFA solution like Duo to actually generate and validate second-factor tokens.

How to eliminate wrong answers

Option B (Cisco Umbrella) is wrong because it is a cloud-delivered DNS security and web filtering solution, not an MFA platform; it does not provide second-factor authentication for VPN logins. Option C (Cisco ISE) is wrong because while ISE can enforce MFA via integration with Duo or other identity providers, it is a policy and access control platform that requires significant on-premises deployment and does not natively provide MFA itself—it relies on external MFA services. Option D (Cisco Cloudlock) is wrong because it is a cloud access security broker (CASB) focused on protecting cloud applications and data, not on authenticating VPN users with multi-factor authentication.

263
MCQ easy

A small business uses Cisco Umbrella to protect its 50 employees. One employee reports that they cannot access a specific website (www.example.com) that is required for their work. The administrator checks the Umbrella dashboard and sees that the domain is categorized as 'Social Networking' and is blocked by the company's policy. However, the employee argues that the website is actually a business tool. The administrator verifies that the website is indeed legitimate. What is the best course of action to restore access while maintaining security?

A. Contact Cisco Umbrella support to re-categorize the domain.
B. Disable the 'Social Networking' category blocking policy.
C. Create a policy override to allow the specific domain while keeping the category blocked.
D. Remove the user from the Umbrella policy entirely.
Answer: C

Targeted exception.

Why this answer

Option C is correct because Cisco Umbrella allows administrators to create per-domain policy overrides that bypass the category-based block for a specific domain while keeping the broader category (e.g., 'Social Networking') blocked for all other domains. This approach restores access to the legitimate business tool without weakening the overall security posture by disabling the entire category or removing the user from policy enforcement.

Exam trap

Cisco often tests the concept that category-based blocking can be fine-tuned with per-domain overrides rather than requiring category reclassification or disabling the entire category, tempting candidates to choose the simpler but less secure options like disabling the category or removing the user from policy.

How to eliminate wrong answers

Option A is wrong because contacting Cisco Umbrella support to re-categorize the domain is unnecessary and time-consuming; the domain is correctly categorized as 'Social Networking' based on its content, and the issue is a false positive for this specific business need, not a categorization error. Option B is wrong because disabling the entire 'Social Networking' category blocking policy would allow access to all social networking sites, significantly increasing the attack surface and violating the company's security policy. Option D is wrong because removing the user from the Umbrella policy entirely would strip all web filtering protection for that employee, exposing them to malicious sites and defeating the purpose of using Umbrella.

264
MCQ easy

A hospital uses Cisco ESA for email security. The compliance team requires that all emails containing protected health information (PHI) be encrypted before leaving the organization. The administrator has configured a content filter that matches emails containing patterns like 'Patient ID: [0-9]{9}' and sends them to the encryption service. However, some encrypted emails are being rejected by the recipient's mail server because the encryption is applied after the email has already been processed. What is the most likely reason for this issue?

A. The encryption action is configured as 'deliver then encrypt' instead of 'encrypt then deliver'.
B. The content filter is only applied to incoming emails, not outgoing.
C. The recipient's mail server does not support the encryption protocol used.
D. The email exceeds the maximum size limit for encryption.
Answer: A

Order of actions matters.

Why this answer

Option A is correct because Cisco ESA processes emails through a series of mail policies and content filters before delivery. If the encryption action is configured as 'deliver then encrypt', the email is first sent to the recipient's mail server, and then encryption is attempted as a separate, asynchronous action. This means the email leaves the organization unencrypted, and the recipient's server may reject it if it expects encryption from the start.

The correct configuration should be 'encrypt then deliver', which ensures the email is encrypted before it is queued for delivery, preventing rejection due to unencrypted content.

Exam trap

Cisco often tests the distinction between 'deliver then encrypt' and 'encrypt then deliver' as a common misconfiguration, where candidates assume encryption is always applied before delivery without checking the order of actions in the content filter or mail policy.

How to eliminate wrong answers

Option B is wrong because content filters in Cisco ESA are applied based on the mail policy (incoming or outgoing), and the scenario explicitly states the requirement is for emails leaving the organization, so the filter would be applied to outgoing emails, not incoming. Option C is wrong because the issue described is that encryption is applied after the email has already been processed, not that the recipient's server lacks support for the encryption protocol; if the protocol were unsupported, the rejection would occur regardless of timing. Option D is wrong because Cisco ESA does not have a maximum size limit for encryption that would cause rejection after processing; size limits typically trigger a different action (e.g., bounce or skip) before delivery, not a post-processing rejection.

265
Multi-Select · medium

Which TWO of the following are valid approaches to mitigate ARP spoofing attacks on a switched network?

Select 2 answers
A. Enable BPDU Guard on all switchports
B. Enable Dynamic ARP Inspection (DAI) on VLANs
C. Enable IP Source Guard on untrusted ports
D. Enable Port Security on all access ports
E. Enable DHCP Snooping globally
Answers: B, C

DAI validates ARP packets and drops invalid ones.

Why this answer

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. It relies on a DHCP snooping binding database to map IP addresses to MAC addresses, and it drops ARP packets that have invalid IP-to-MAC bindings, thereby preventing ARP spoofing attacks on a switched network.

Exam trap

Cisco often tests the dependency chain: candidates may think DHCP Snooping alone mitigates ARP spoofing, but it only provides the database; DAI is the feature that actually enforces ARP validation.

266
MCQ · easy

A company is moving its data to AWS and wants to use Cisco Cloudlock for cloud access security broker (CASB) capabilities. Which deployment mode is required for Cloudlock to inspect traffic for shadow IT discovery?

A. Proxy-based (forward proxy)
B. API-based
C. Log collection
D. Reverse proxy
Answer: B

Cloudlock uses API connections to cloud providers to scan data at rest for shadow IT.

Why this answer

For shadow IT discovery, Cloudlock uses an API-based deployment mode to connect directly to cloud service providers (e.g., AWS, Office 365) via their APIs. This allows Cloudlock to pull metadata, user activity logs, and application usage data without requiring traffic redirection, enabling identification of unsanctioned cloud applications. Proxy-based modes are not used for shadow IT discovery because they require traffic to be routed through the proxy, which is not feasible for cloud-to-cloud traffic.

Exam trap

Cisco often tests the misconception that proxy-based modes are required for all CASB functions, but for shadow IT discovery, the API-based mode is specifically designed to work without traffic interception by querying cloud provider APIs directly.

How to eliminate wrong answers

Option A is wrong because proxy-based (forward proxy) deployment requires traffic to be explicitly routed through the proxy, which is impractical for discovering shadow IT in cloud environments where traffic may not traverse the corporate network. Option C is wrong because log collection relies on ingesting logs from existing infrastructure (e.g., firewalls, web proxies) and does not provide the direct API integration needed for real-time shadow IT discovery across multiple cloud providers. Option D is wrong because reverse proxy is used to protect and inspect traffic to sanctioned applications (e.g., as a web application firewall), not for discovering unsanctioned cloud services.

267
MCQ · easy

A network engineer is troubleshooting an 802.1X deployment where some Windows 10 endpoints fail to authenticate. Logs show that the client sends an EAPoL-Start but never receives an EAP-Request/Identity. The switch port configuration is:

interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator

Which additional command is most likely needed?

A. dot1x reauthentication
B. dot1x system-auth-control
C. spanning-tree portfast
D. dot1x timeout tx-period 3
Answer: B

This global command enables 802.1X authentication on the switch, which is required for the port to process EAPoL messages.

Why this answer

The 'authentication port-control auto' command enables 802.1X on the port, but the switch must also be configured to use the RADIUS server for authentication. 'dot1x timeout tx-period 3' is irrelevant; 'dot1x reauthentication' is optional; 'spanning-tree portfast' is for STP. The correct answer is A: 'aaa new-model' and 'radius-server host...' but the option must be listed.

Actually, the stem asks for an 'additional command', so option C 'dot1x system-auth-control' is necessary globally. On many Cisco switches, 'dot1x system-auth-control' must be enabled globally. Thus the answer is C.

268
Matching · medium

Match each Cisco ASA feature to its description.


Modular Policy Framework for traffic inspection

High availability with active/standby or active/active

Graphical management interface

Command-line interface for configuration

VPN client for remote access

Why these pairings

These are common ASA features and their definitions.

269
Multi-Select · medium

Which TWO of the following are required for successful registration of an AMP for Endpoints connector with the cloud?

Select 2 answers
A. A locally installed SQL database for event storage.
B. A proxy server configured in the connector settings.
C. Outbound HTTPS access to the AMP cloud backend servers.
D. A valid registration token obtained from the AMP console.
E. An inbound firewall rule allowing connections from the AMP cloud.
Answers: C, D

The connector communicates with the cloud over HTTPS (port 443).

Why this answer

Option C is correct because the AMP for Endpoints connector must establish an outbound HTTPS (TCP/443) connection to the AMP cloud backend servers to communicate telemetry, receive policy updates, and perform health checks. Without this outbound access, the connector cannot register or maintain its connection to the cloud.

Exam trap

Cisco often tests the misconception that inbound firewall rules are needed for cloud-based security products, but AMP for Endpoints uses a purely outbound model, so candidates mistakenly select option E thinking the cloud must 'push' data to the endpoint.

270
MCQ · hard

A security analyst is investigating an alert from Cisco Secure Endpoint indicating that an endpoint has been infected with ransomware. The analyst wants to determine the initial infection vector. Which feature of Cisco Secure Endpoint should the analyst use to trace the chain of events leading to the infection?

A. Orbital Advanced Search
B. TETRA traffic analysis
C. Windows Event Viewer integration
D. Device Flow Correlation
Answer: A

Orbital Advanced Search provides retrospective analysis to trace the attack chain.

Why this answer

Orbital Advanced Search is the correct feature because it provides deep forensic visibility into endpoint activity, allowing the analyst to perform advanced queries across files, processes, registry keys, and network connections. This enables tracing the chain of events—such as a malicious email attachment, exploit, or drive-by download—that led to the ransomware infection, by correlating timestamps and process parent-child relationships.

Exam trap

Cisco often tests the distinction between network-level analysis (TETRA, Device Flow Correlation) and endpoint-level forensic investigation (Orbital), leading candidates to confuse traffic analysis with host-based event chain reconstruction.

How to eliminate wrong answers

Option B is wrong because TETRA traffic analysis is a network-based traffic analysis tool used for detecting anomalies in network flows, not for tracing endpoint-level event chains or initial infection vectors. Option C is wrong because Windows Event Viewer integration is a basic log collection method that lacks the advanced querying, cross-system correlation, and forensic depth needed to reconstruct a multi-step attack chain within Cisco Secure Endpoint. Option D is wrong because Device Flow Correlation focuses on correlating network flows between devices to identify lateral movement or C2 communication, not on tracing the initial infection vector on a single endpoint.

271
Multi-Select · medium

Which THREE are recommended best practices for deploying Cisco AMP for Endpoints in a large enterprise?

Select 3 answers
A. Configure the policy to block all files with disposition 'Unknown' to prevent zero-day attacks.
B. Deploy the AMP connector to all endpoints, including servers and desktops.
C. Create separate groups for different operating systems and applications to apply tailored policies.
D. Start with 'Audit' or 'Detect' mode to baseline and adjust before enforcing blocks.
E. Set the default policy action to 'Block' for all file types to maximize security from day one.
Answers: B, C, D

Comprehensive coverage is key for endpoint protection.

Why this answer

Deploying the AMP connector to all endpoints, including servers and desktops, ensures comprehensive visibility and protection across the entire enterprise attack surface. Cisco AMP for Endpoints relies on a connector installed on each device to perform file analysis, retrospective detection, and telemetry collection; leaving any endpoint unmonitored creates a blind spot that attackers can exploit. This is a foundational best practice for large-scale deployments to achieve consistent security coverage.

Exam trap

Cisco often tests the misconception that aggressive blocking (e.g., blocking all 'Unknown' files or setting 'Block' as the default action) is a best practice, when in reality, a phased approach starting with 'Audit' or 'Detect' mode is recommended to avoid breaking production systems and to fine-tune policies based on actual traffic patterns.

272
MCQ · hard

A multinational company has deployed a Cisco Firepower 4100 series device as the perimeter firewall. The network consists of multiple internal segments: a corporate LAN (192.168.1.0/24), a data center (10.10.0.0/16), and a guest wireless network (172.16.0.0/16). The firewall is configured with the following access control policy rules:

1. Allow from any to any (for testing, but currently enabled)
2. Allow from corporate LAN to data center (destination ports TCP/443, TCP/8443)
3. Block from guest wireless to data center
4. Allow from any to internet (destination any)

Recently, the security team discovered that a host in the guest network (172.16.5.50) is communicating with a server in the data center (10.10.10.100) on TCP port 443. The security team wants to immediately block this traffic without affecting other legitimate communications. Which action should be taken first?

A. Move rule 3 (block guest to data center) above rule 1 (allow all)
B. Modify rule 2 to include a deny for the guest subnet
C. Change rule 4 to block all traffic from guest network
D. Add a new rule after rule 4 to block the specific traffic
Answer: A

This ensures the block rule is evaluated before the allow rule, stopping the traffic.

Why this answer

Rule 1 is an 'allow any any' rule placed above rule 3, which is supposed to block guest-to-data-center traffic. Because Cisco Firepower processes access control rules in top-down order, rule 1 matches and permits the traffic before rule 3 can be evaluated. Moving rule 3 above rule 1 ensures the block action is applied first, immediately stopping the unwanted communication without altering other rules.

Exam trap

Cisco often tests the concept that a default 'allow any' rule placed above more specific deny rules will negate those denies, and candidates mistakenly think adding a new rule or modifying an existing rule later in the policy will override the earlier match.

How to eliminate wrong answers

Option B is wrong because modifying rule 2 to deny the guest subnet would break the intended allow rule for corporate LAN to data center, and it would not block the specific traffic unless the deny is placed before the allow, which still requires reordering. Option C is wrong because changing rule 4 to block all traffic from guest network would also block legitimate guest internet access, violating the requirement to not affect other communications. Option D is wrong because adding a new rule after rule 4 would never be evaluated for this traffic, as rule 1 (allow any any) already permits it earlier in the sequence.

273
MCQ · medium

A security engineer is configuring Cisco Umbrella to block malicious domains. They need to ensure that internal DNS queries from remote users using Cisco AnyConnect are protected. Which deployment method should they use?

A. Configure DNS Layer Security in the office firewall
B. Enable Cisco Cloudlock integration
C. Install the Umbrella Roaming Client on all endpoints
D. Deploy the Umbrella virtual appliance at headquarters
Answer: C

The Roaming Client secures DNS queries regardless of user location.

Why this answer

The Umbrella Roaming Client (now part of Cisco Secure Client) is the correct deployment method because it provides DNS-layer security directly on endpoints, including remote users connecting via AnyConnect. It intercepts DNS queries on the local machine and forwards them to Umbrella's cloud-based DNS resolvers, ensuring protection even when the user is off-network or behind a VPN. This is the only option that covers remote users without relying on network-level appliances or firewalls.

Exam trap

Cisco often tests the misconception that VPN-based protection (like AnyConnect) inherently secures DNS traffic, but the trap here is that without a local agent like the Umbrella Roaming Client, DNS queries from remote users may bypass the corporate DNS policy and use the local ISP's DNS resolver.

How to eliminate wrong answers

Option A is wrong because configuring DNS Layer Security in the office firewall only protects DNS queries that traverse that firewall, not those from remote users who are off-network or whose traffic is tunneled via AnyConnect. Option B is wrong because Cisco Cloudlock is a cloud access security broker (CASB) for SaaS applications, not a DNS-layer security solution for blocking malicious domains. Option D is wrong because deploying the Umbrella virtual appliance at headquarters only protects DNS queries originating from within the corporate network, not from remote endpoints.

274
Multi-Select · hard

A security administrator is configuring a Cisco CloudLock policy for a SaaS application. The policy must detect and alert on sharing of files containing personally identifiable information (PII) with external users. Which TWO actions should the administrator take? (Choose two.)

Select 2 answers
A. Configure a policy to automatically block all external sharing of files containing PII.
B. Disable external sharing for the entire SaaS application.
C. Create a data loss prevention (DLP) rule with a PII pattern.
D. Create a policy that triggers an alert when a file with PII is shared externally.
E. Enable transparent proxy to inspect all traffic.
Answers: C, D

Correct: DLP rules identify sensitive content like PII.

Why this answer

Option C is correct because Cisco CloudLock uses DLP rules to scan files for sensitive content like PII patterns. Creating a DLP rule with a PII pattern enables the policy to identify files containing PII, which is the first step in detecting and alerting on such sharing events.

Exam trap

Cisco often tests the distinction between detection/alerting and automated blocking, so candidates may mistakenly choose a blocking action (Option A) when the question explicitly asks for detection and alerting.

275
Multi-Select · easy

A company is deploying a cloud-based web application and wants to protect against OWASP Top 10 attacks. Which THREE security controls should they implement? (Select three.)

Select 3 answers
A. Input validation
B. Rate limiting
C. Data loss prevention (DLP)
D. Network segmentation at the hypervisor level
E. Web application firewall (WAF)
Answers: A, B, E

Prevents injection attacks.

Why this answer

Input validation (A) is correct because it is a fundamental security control that sanitizes and validates user-supplied data before processing, directly mitigating injection attacks (e.g., SQLi, XSS) listed in the OWASP Top 10. By enforcing whitelist-based validation on the cloud-based web application, it prevents malformed or malicious input from reaching the application logic, which is critical for cloud environments where the application is exposed to the internet.

Exam trap

Cisco often tests the distinction between application-layer controls (input validation, WAF, rate limiting) and infrastructure-layer controls (DLP, hypervisor segmentation), leading candidates to mistakenly select DLP or hypervisor segmentation as protections against OWASP Top 10 attacks.

276
MCQ · easy

A security architect is designing network access control for a campus network. The requirement is to authenticate users before granting network access and to enforce policies based on user identity and device posture. Which solution should be deployed?

A. AAA server with TACACS+
B. VPN concentrator with client certificate authentication
C. Next-generation firewall with application control
D. Cisco Identity Services Engine (ISE)
Answer: D

ISE provides centralized policy enforcement for network access with user and device context.

Why this answer

Cisco ISE is the correct solution because it provides centralized policy-based network access control that authenticates users via 802.1X, MAB, or web authentication, and enforces dynamic VLAN assignment, ACLs, or SGTs based on user identity and device posture (e.g., compliance with antivirus, OS patches). Unlike a generic AAA server, ISE integrates with posture assessment (via AnyConnect or NAC Agent) and supports profiling, guest access, and BYOD onboarding, directly meeting the requirement for identity- and posture-based enforcement.

Exam trap

Cisco often tests the distinction between AAA for device administration (TACACS+) and AAA for network access (RADIUS/ISE), leading candidates to mistakenly choose a generic AAA server when the question specifically requires identity- and posture-based enforcement.

How to eliminate wrong answers

Option A is wrong because TACACS+ is a legacy AAA protocol that separates authentication, authorization, and accounting but does not support device posture assessment or dynamic policy enforcement based on endpoint health; it is typically used for device administration (e.g., router/switch CLI access), not for network access control of end-user devices. Option B is wrong because a VPN concentrator with client certificate authentication only secures remote access connections and does not control access to the campus network at the edge (wired/wireless); it lacks the ability to enforce policies based on device posture or integrate with switch/AP port-level control. Option C is wrong because a next-generation firewall with application control inspects traffic at the network perimeter and enforces policies based on application signatures, not user identity or device posture; it cannot authenticate users at the access layer or dynamically assign VLANs/ACLs on switches.

277
Multi-Select · medium

Which TWO actions are recommended best practices for securing web traffic using Cisco Umbrella?

Select 2 answers
A. Configure SSL decryption to always bypass traffic to trusted domains.
B. Configure the network to use the root DNS forwarder for all DNS queries.
C. Enable IP-layer enforcement for all destinations.
D. Configure local security stack bypass for all internal IP ranges.
E. Use Selective Proxy with PAC files to route traffic based on destination category.
Answers: C, E

IP-layer enforcement blocks malicious IPs at the network layer, providing comprehensive protection.

Why this answer

Option C is correct because enabling IP-layer enforcement in Cisco Umbrella ensures that all traffic to destinations that match a blocked category is dropped at the IP layer, even if DNS-based blocking is bypassed (e.g., via direct IP connections). This provides a second layer of protection by inspecting and blocking traffic based on the destination IP address, preventing users from circumventing DNS filtering by using IP addresses directly.

Exam trap

Cisco often tests the misconception that DNS-layer blocking is sufficient for full web security, but the trap here is that IP-layer enforcement is required to catch traffic that bypasses DNS, such as direct IP connections or non-DNS protocols.

278
Multi-Select · hard

Which THREE of the following are key principles of the Cisco Zero Trust security model?

Select 3 answers
A. Never trust, always verify
B. Continuous monitoring and validation
C. Implicit trust for internal traffic
D. Perimeter-based security
E. Least privilege access
Answers: A, B, E

Core principle of zero trust.

Why this answer

Option A is correct because 'Never trust, always verify' is the foundational principle of the Cisco Zero Trust security model, which mandates that no user, device, or network segment is trusted by default, regardless of its location relative to the network perimeter. This principle eliminates implicit trust and requires authentication and authorization for every access request, aligning with the Zero Trust architecture defined in NIST SP 800-207.

Exam trap

Cisco often tests the misconception that Zero Trust still allows implicit trust for internal traffic or relies on a strong perimeter, when in fact the model explicitly removes all location-based trust and requires continuous verification for every access attempt.

279
MCQ · hard

A security engineer reviews the security group rules for an EC2 instance. Based on the exhibit, which security concern should be addressed immediately?

A. SSH is allowed from the entire internet because it uses TCP port 22
B. There is no deny rule to block malicious traffic
C. RDP is allowed from all sources (0.0.0.0/0)
D. SSH access is allowed from two separate IP ranges
Answer: C

Exposing RDP to the internet is a critical security risk.

Why this answer

Option C is correct because allowing RDP (TCP port 3389) from 0.0.0.0/0 exposes the EC2 instance to brute-force attacks and unauthorized remote access from the entire internet. Security groups are stateful and only support allow rules, so this overly permissive ingress rule is a critical security risk that must be removed or restricted to trusted IP ranges.

Exam trap

Cisco often tests the misconception that security groups need explicit deny rules or that allowing SSH from multiple IP ranges is automatically a security issue, when the real immediate concern is an overly permissive RDP rule from all sources.

How to eliminate wrong answers

Option A is wrong because SSH (TCP port 22) is not shown as allowed from the entire internet in the exhibit; the question states SSH is allowed from two separate IP ranges, which is a common practice for administrative access. Option B is wrong because security groups are stateful firewalls that only support allow rules; they do not have explicit deny rules, and the absence of a deny rule is not a security concern—traffic not matching any allow rule is implicitly denied. Option D is wrong because SSH access from two separate IP ranges is not inherently a security concern; it is a typical configuration for redundant or geographically distributed administrative access, and the question asks for the immediate concern, which is the RDP exposure.

280
MCQ · easy

A guest device in VLAN 200 attempts to reach a server at 10.10.1.1. What happens to the traffic?

A. The traffic is permitted
B. The traffic is forwarded without any action
C. The traffic is dropped
D. The traffic is logged and forwarded
Answer: C

Destination 10.10.1.1 matches deny entry.

Why this answer

Option B is correct because the VACL 'BLOCK_MAP' is applied to VLAN 200. The access-list BLOCK_GUEST denies traffic from any source to the 10.10.0.0/16 network. Since the destination 10.10.1.1 falls within this range, the traffic is dropped.

Option A is incorrect because the ACL denies the traffic. Option C is incorrect because the VACL match occurs. Option D is incorrect because logging is not configured in the VACL.

281
MCQ · hard

During a security incident, an investigator wants to identify all endpoints that communicated with a known malicious IP address within the last 24 hours. Which Cisco tool is best suited for this forensic analysis?

A. Cisco Firepower NGFW
B. Cisco Secure Network Analytics (Stealthwatch)
C. Cisco Umbrella
D. Cisco ISE
Answer: B

Provides network visibility and historical flow analysis.

Why this answer

Option D is correct because Cisco Secure Network Analytics (Stealthwatch) provides network visibility, flow records, and can query historical data for such investigations. Option A is incorrect because Umbrella is real-time DNS protection. Option B is incorrect because Firepower is a firewall.

Option C is incorrect because ISE is for access control.

282
MCQ · hard

A network administrator is configuring IKEv2 on a Cisco router and wants to ensure that the router does not initiate connections but only responds to incoming IKEv2 requests. Which configuration command should be applied?

A. crypto ikev2 no initiate
B. crypto ikev2 passive
C. crypto ikev2 limit max-incoming-sa 10
D. crypto ikev2 limit max-negotiations 10
Answer: B

This command disables IKEv2 initiation, making the router respond-only.

Why this answer

The 'crypto ikev2 passive' command configures the router to only respond to incoming IKEv2 requests and never initiate its own IKEv2 connections. This is essential for scenarios where the router must act as a responder only, such as in hub-and-spoke VPN topologies where the hub should not initiate tunnels.

Exam trap

Cisco often tests the distinction between 'passive' mode and other IKEv2 limit commands, where candidates mistakenly choose a limit-based command (like max-incoming-sa or max-negotiations) thinking it prevents initiation, but only 'passive' actually stops the router from sending initial IKEv2 messages.

How to eliminate wrong answers

Option A is wrong because 'crypto ikev2 no initiate' is not a valid Cisco IOS command; the correct syntax uses the 'passive' keyword. Option C is wrong because 'crypto ikev2 limit max-incoming-sa 10' limits the number of incoming security associations, but does not prevent the router from initiating IKEv2 connections. Option D is wrong because 'crypto ikev2 limit max-negotiations 10' limits the number of simultaneous IKEv2 negotiations, but does not prevent the router from acting as an initiator.

283
MCQ · easy

A network security engineer needs to block malicious file downloads on endpoints regardless of the user's location. Which Cisco solution should be integrated with the company's existing endpoint protection platform to achieve cloud-delivered threat intelligence?

A. Cisco Umbrella
B. Cisco Stealthwatch
C. Cisco Firepower Management Center
D. Cisco ISE
Answer: A

Umbrella provides cloud-delivered threat intelligence and can block malicious file downloads from anywhere.

Why this answer

Cisco Umbrella integrates with endpoint protection platforms to provide cloud-delivered security and block malicious domains, IPs, and file downloads anywhere the user goes.

284
MCQ · easy

A network administrator is troubleshooting intermittent authentication failures on a switch port configured for 802.1X with MAB fallback. Users can connect but get dropped after a few minutes. What is the most likely cause?

A. Incorrect VLAN assignment
B. Incorrect RADIUS shared secret
C. Reauthentication timer set too short
D. MAB timeout set too low
Answer: C

Frequent reauth can cause drops if client or server is slow.

Why this answer

Option C is correct because a reauthentication timer that is too short causes frequent reauthentication attempts, which may fail if the RADIUS server is slow or if the client fails to respond in time. Option A is incorrect because an incorrect shared secret would cause all authentications to fail immediately. Option B is incorrect because MAB timeout affects initial authentication, not ongoing sessions.

Option D is incorrect because incorrect VLAN assignment would prevent network access entirely.

285
MCQ · easy

A large enterprise uses Cisco Firepower Threat Defense (FTD) as its next-generation firewall. The network team recently deployed a new application that uses HTTPS for all communications. Users report that the application is slow and sometimes fails to load pages. The security team suspects that SSL inspection might be causing the issue. The FTD is configured with an SSL policy that decrypts all HTTPS traffic using a self-signed certificate. The internal CA is not trusted by the application servers. Which action should the engineer take to resolve the performance and connectivity issues while maintaining security visibility?

A. Increase the SSL decryption resources by adding more FTD modules.
B. Create an SSL decryption bypass rule for the specific application servers' IP addresses.
C. Install the internal CA certificate on all application servers.
D. Disable SSL inspection globally on the FTD.
Answer: B

Allows trusted traffic to pass without inspection, reducing load and avoiding certificate errors.

Why this answer

Option B is correct because the application servers do not trust the FTD's self-signed certificate, causing SSL/TLS handshake failures or performance degradation due to certificate validation errors and renegotiation. By creating an SSL decryption bypass rule for the specific application servers' IP addresses, the engineer exempts that traffic from inspection, resolving connectivity and performance issues while still inspecting other HTTPS traffic for security visibility.

Exam trap

Cisco often tests the misconception that performance issues from SSL inspection are always due to resource exhaustion, leading candidates to choose scaling solutions (Option A) instead of recognizing that certificate trust mismatches cause handshake failures and retransmissions.

How to eliminate wrong answers

Option A is wrong because adding more FTD modules increases processing capacity but does not address the root cause: the application servers reject the self-signed certificate, leading to handshake failures regardless of resources. Option C is wrong because installing the internal CA certificate on application servers would require trust configuration on external or third-party servers, which is often impractical or outside the enterprise's control, and does not fix the immediate performance issue caused by SSL inspection overhead. Option D is wrong because disabling SSL inspection globally removes security visibility for all HTTPS traffic, which is excessive and violates the requirement to maintain security visibility.

286
MCQ · medium

Refer to the exhibit. A user is unable to access Dropbox, which is a high-risk application. The administrator wants to allow Dropbox but still block other high-risk apps. What is the most efficient way to achieve this?

A. Add the user to a group that is exempt from the policy
B. Delete the existing policy and create separate policies for each high-risk app
C. Create a new Cloudlock policy that allows Dropbox for all users, placed with higher priority
D. Modify the existing policy to change risk level to 'Medium'
Answer: C

Higher priority policy overrides the block.

Why this answer

Option C is correct because Cisco Cloudlock uses a policy-based approach where policies are evaluated in order of priority. By creating a new policy with higher priority that explicitly allows Dropbox, the administrator can override the existing block policy for that specific application while maintaining the block on all other high-risk apps. This is the most efficient method as it avoids modifying or deleting the original policy.

Exam trap

The trap here is that candidates may think modifying the risk level or using exemptions is the simplest approach, but Cisco tests the understanding that policy priority allows selective overrides without disrupting the original rule set.

How to eliminate wrong answers

Option A is wrong because adding the user to an exemption group would bypass the entire policy, allowing all high-risk apps, not just Dropbox, which does not meet the requirement to block other high-risk apps. Option B is wrong because deleting the existing policy and creating separate policies for each high-risk app is inefficient and unnecessary; it adds administrative overhead and does not leverage Cloudlock's priority-based policy evaluation. Option D is wrong because changing the risk level to 'Medium' would affect the classification of all high-risk apps, potentially allowing other high-risk apps to be treated as medium risk, which is not the intended outcome.

287
MCQ · medium

Refer to the exhibit. A file with SHA256 hash 'a1b2c3d4e5f6...' is detected on an endpoint. The threat grid returns a score of 90 for this file. What action is taken by AMP?

A. Allow (because threat score 90 is not specifically matched in reputation).
B. Block (because the custom detection rule has action 'block').
C. Quarantine (because score 90 falls between 80 and 100).
D. No action (because the file is in the whitelist).
Answer: B

Custom detections are applied first; the file matches and is blocked.

Why this answer

Option C is correct. The custom detection rule for that exact SHA256 overrides the file reputation rules, so the action is 'block'. Options A and B are incorrect because custom detections take precedence.

Option D is incorrect because the file is matched by the custom detection.

288
MCQ · medium

A company uses Cisco Web Security Appliance (WSA) with transparent proxy mode. Recently, they enabled NTLM authentication. Some users are intermittently prompted for credentials while browsing. What is the most likely cause of this behavior?

A. The WSA is configured to prompt for authentication only for specific categories.
B. The user's browser has cached an incorrect credential.
C. The WSA is set to use Kerberos instead of NTLM.
D. The WSA is not configured to handle NTLM persistent connections, causing the browser to re-authenticate on each request.
Answer: D

Without persistent connections, each HTTP request may trigger a new NTLM challenge, leading to prompts.

Why this answer

In transparent proxy mode with NTLM authentication, the WSA must maintain persistent connections to avoid re-authentication on every HTTP request. If the WSA is not configured to handle NTLM persistent connections (e.g., by enabling connection reuse or adjusting keepalive settings), the browser will be prompted repeatedly for credentials because each new TCP connection triggers a new NTLM challenge-response cycle. This intermittent behavior occurs because some connections may be reused while others are not, depending on browser and proxy settings.

Exam trap

Cisco often tests the distinction between authentication protocol selection (Kerberos vs. NTLM) and the underlying transport behavior (persistent vs. non-persistent connections), leading candidates to incorrectly blame the protocol type rather than connection handling.

How to eliminate wrong answers

Option A is wrong because prompting for authentication only for specific categories would cause consistent prompts for those categories, not intermittent prompts across all browsing. Option B is wrong because a cached incorrect credential would result in consistent authentication failures or repeated prompts, not intermittent behavior that varies per request. Option C is wrong because if the WSA were set to use Kerberos instead of NTLM, the browser would attempt Kerberos authentication (which may fall back to NTLM), but the core issue of intermittent prompts is not caused by the authentication protocol choice itself; it is caused by the lack of persistent connection handling for NTLM.

289
MCQ · medium

A company uses Cisco Umbrella to enforce web security. After deploying a new policy that blocks all social media sites, users report that they cannot access a corporate Salesforce instance that uses a social login feature. Which Umbrella setting should be adjusted to resolve the issue without weakening the policy?

A. Create a bypass code for users to access Salesforce
B. Disable the Social Networking category under Content Categories
C. Configure Intelligent Proxy to inspect Salesforce traffic
D. Add Salesforce to the Application Settings allowed list
Answer: D

This allows the Salesforce application even if the social networking category is blocked.

Why this answer

Option D is correct because the social login feature for Salesforce is being blocked by the Social Networking content category in Cisco Umbrella. By adding Salesforce to the Application Settings allowed list, you permit the specific application traffic while keeping the broader social media policy intact. This granular control ensures that only the required Salesforce instance bypasses the block, without weakening the overall security posture.

Exam trap

Cisco often tests the distinction between content categories and application settings, where candidates mistakenly think disabling a category or using a bypass code is the correct approach, rather than using the granular allowed list for specific applications.

How to eliminate wrong answers

Option A is wrong because creating a bypass code for users would allow them to circumvent the policy entirely, weakening security and not addressing the specific Salesforce application issue. Option B is wrong because disabling the Social Networking category would remove the block on all social media sites, completely undermining the policy's intent. Option C is wrong because Intelligent Proxy is used for inspecting and controlling web traffic, not for allowing specific applications; it would not resolve the blocking of Salesforce's social login feature.

290
Drag & Drop · medium

Drag and drop the steps to configure a Cisco router as a DHCP server in the correct order.

Why this order

First create the DHCP pool, then define the network for that pool, then set options such as default-router and dns-server; the excluded addresses can be configured either before or after the pool.

291
Multi-Select · medium

A network administrator is configuring endpoint protection policies for a large enterprise. The requirement is to allow only approved software to run on endpoints, while blocking all other executables. Which Cisco Secure Endpoint features should be configured? (Choose two.)

Select 2 answers
A. Exploit Prevention
B. Malware Analytics
C. Application Control
D. Lockdown Mode
E. File Reputation
Answers: C, D

Application Control allows whitelisting approved software.

Why this answer

Application Control (C) is correct because it allows administrators to define a whitelist of approved software, blocking all other executables from running on endpoints. Lockdown Mode (D) is correct because it enforces a strict policy where only pre-approved applications can execute, effectively preventing any unapproved software from running. Together, these features provide comprehensive control over executable files in a large enterprise environment.

Exam trap

Cisco often tests the distinction between 'blocking malicious files' (File Reputation) and 'blocking unapproved applications' (Application Control/Lockdown Mode), leading candidates to confuse threat-based blocking with policy-based whitelisting.

292
Multi-Select · hard

Which THREE of the following are valid components of Cisco ISE's visibility and enforcement architecture?

Select 3 answers
A. TrustSec with SGTs
B. Profiling probes (e.g., DHCP, HTTP)
C. pxGrid (Platform Exchange Grid)
D. NetFlow for flow analysis
E. SNMP traps for alerting
Answers: A, B, C

TrustSec provides scalable role-based access control using SGTs.

Why this answer

Cisco ISE's visibility and enforcement architecture relies on TrustSec with Security Group Tags (SGTs) to enforce access policies based on logical groupings rather than IP addresses. SGTs are propagated via SXP or inline tagging, enabling dynamic policy enforcement across the network.

Exam trap

Cisco often tests the distinction between visibility/enforcement components (TrustSec, pxGrid, profiling) and general network monitoring tools (NetFlow, SNMP), leading candidates to incorrectly include the latter as core ISE architecture elements.

293
MCQ · medium

A security team is designing an endpoint protection strategy for a mix of Windows and macOS endpoints. They want to use Cisco AMP for Endpoints with centralized management. Which deployment approach minimizes administrative overhead?

A. Deploy an on-premises AMP Console for each operating system.
B. Install a Windows Server as a management point and deploy connectors via SCCM.
C. Use group policies to define different policies for Windows and macOS.
D. Use the AMP cloud console to manage a single policy that applies to both platforms with OS-specific exclusions.
Answer: D

The cloud console supports multi-platform policy with per-OS rules, minimizing overhead.

Why this answer

Option D is correct because Cisco AMP for Endpoints offers a cloud-based console that provides centralized management for both Windows and macOS endpoints from a single pane of glass. This eliminates the need for on-premises infrastructure or separate management tools, and a single policy can be applied across platforms with OS-specific exclusions to handle differences in file paths and processes, thereby minimizing administrative overhead.

Exam trap

The trap here is that candidates often assume different operating systems require separate management consoles or policies, but Cisco AMP for Endpoints' cloud console supports a single policy with OS-specific exclusions, which is the most efficient approach for minimizing administrative overhead.

How to eliminate wrong answers

Option A is wrong because deploying separate on-premises AMP Consoles for each operating system increases administrative overhead by requiring dedicated hardware, maintenance, and separate management interfaces, contradicting the goal of centralized management. Option B is wrong because installing a Windows Server as a management point and deploying connectors via SCCM adds unnecessary complexity and administrative overhead, as SCCM is not required for AMP for Endpoints deployment and the cloud console already provides centralized management without additional infrastructure. Option C is wrong because using group policies to define different policies for Windows and macOS is not a native AMP for Endpoints deployment method; group policies are a Windows-centric feature and do not apply to macOS, and this approach would require separate policy management, increasing overhead rather than minimizing it.

294
MCQ · easy

An organization wants to enforce that specific sensitive files are never executed on endpoints. Which AMP for Endpoints feature is most appropriate?

A. Outbreak Control (file extension blocking)
B. Simple or advanced custom detections (Application Control)
C. Exclusion lists
D. Behavioral analysis and engine protection
Answer: B

Custom detections allow blocking specific files via SHA-256 hashes or paths.

Why this answer

Option C is correct because Application Control (file blocking) allows blocking specific files by hash, path, or name. Option A is wrong because Exclusions allow files to run. Option B is wrong because Outbreak Control blocks file extensions, not specific files.

Option D is wrong because Behavioral Analysis detects anomalies; it does not enforce static blocks.

295
MCQ · easy

An administrator is configuring a Cisco ASA 5500-X to perform SSL inspection for outbound traffic. The users must be able to access HTTPS websites without certificate errors. Which configuration step is essential for the ASA to perform decryption?

A. Configure the ASA to use a self-signed certificate without distribution.
B. Import the web server's private key onto the ASA.
C. Configure AAA authentication for SSL inspection.
D. Generate a trusted root CA certificate on the ASA and distribute it to all client machines.
Answer: D

Clients need to trust the ASA's certificate to avoid warnings.

Why this answer

Option D is correct because for the ASA to perform SSL inspection (a man-in-the-middle proxy), it must generate a trusted root CA certificate that is installed as a trusted root on all client machines. This allows the ASA to dynamically sign the web server's certificate during the SSL handshake, so clients trust the re-encrypted traffic without certificate errors.

Exam trap

Cisco often tests the misconception that the ASA needs the server's private key (Option B) to decrypt traffic, when in fact the ASA performs a full man-in-the-middle proxy and only needs its own trusted CA certificate distributed to clients.

How to eliminate wrong answers

Option A is wrong because a self-signed certificate without distribution would cause certificate errors on clients, as they do not trust the ASA's self-signed root. Option B is wrong because importing the web server's private key onto the ASA is not required for SSL inspection; the ASA acts as a proxy and generates its own keys for the session, and obtaining the server's private key would be a security violation and impractical for all outbound sites. Option C is wrong because AAA authentication is used for user access control, not for the cryptographic trust needed to avoid certificate errors during SSL decryption.

296
MCQ · medium

A network engineer configures ISE for 802.1X with PEAP-MSCHAPv2. Users report intermittent authentication failures on certain switches. The engineer checks ISE logs and sees 'Authentication failed' with reason 'User not found in identity store'. What is the most likely issue?

A. The switch port is configured with 'authentication periodic'.
B. The user is not in the Active Directory group that ISE is configured to query.
C. The switch is not configured with the correct shared secret.
D. The user's certificate is expired.
Answer: B

ISE cannot find the user in the identity store, likely due to group membership or search base issues.

Why this answer

Option C is correct. The error 'User not found in identity store' indicates that the user's credentials are not present in the configured identity source, such as Active Directory. Option A is incorrect because a shared secret mismatch would result in different errors.

Option B is incorrect because certificate expiration would cause a certificate-related error. Option D is incorrect because periodic reauthentication does not cause this error.

297
MCQ · easy

A company wants to deploy Cisco AMP for Endpoints to protect against advanced malware. Which best practice should be followed when configuring the policy for the first time?

A. Disable file analysis for known good file types to improve performance.
B. Start with 'Audit' or 'Detect' mode to baseline endpoint behavior before enforcing blocks.
C. Set the policy to 'Block' immediately to maximize protection.
D. Disable AMP's network firewall to reduce complexity.
Answer: B

Audit/Detect modes allow identification of false positives and tuning before enforcement.

Why this answer

Option D is correct because starting with 'Audit' mode allows observation without disruption. Option A is wrong because blocking all unknown files may cause false positives. Option B is wrong because disabling the firewall weakens security.

Option C is wrong because disabling file analysis reduces detection capability.

298
MCQ · hard

A company uses Cisco Firepower Threat Defense (FTD) managed by FMC. They want to enable URL filtering based on user identity from an Active Directory (AD) source. Which configuration steps are required on the FMC?

A. Create a URL category and associate it with a user group in the access control policy.
B. Configure an identity source (AD), create realm and user groups, then configure URL filtering rules with user conditions.
C. Create URL filtering rules first, then assign to users via dynamic object.
D. Configure identity source and NAT policy, then apply URL filtering.
Answer: B

Standard workflow for identity-based URL filtering in FMC.

Why this answer

Option B is correct because to enable URL filtering based on user identity from Active Directory, you must first configure an identity source (AD) on the FMC, then create a realm and import user groups. After that, you can configure URL filtering rules within an access control policy that includes user conditions to match traffic against specific AD users or groups. This sequence ensures the FTD can resolve user identity before applying URL category-based actions.

Exam trap

Cisco often tests the misconception that you can directly associate URL categories with user groups in the access control policy without first configuring the identity source and realm, leading candidates to pick Option A.

How to eliminate wrong answers

Option A is wrong because creating a URL category and associating it with a user group in the access control policy is not the first step; the identity source and realm must be configured first to establish user identity mapping. Option C is wrong because creating URL filtering rules first and then assigning them to users via a dynamic object bypasses the necessary identity source configuration and realm setup, and dynamic objects are not used for user identity in URL filtering. Option D is wrong because configuring a NAT policy is unrelated to URL filtering based on user identity; the correct prerequisite is configuring the identity source and realm, not NAT.

299
Multi-Select · medium

Which TWO of the following are best practices for securing Cisco routers against unauthorized access? (Choose two.)

Select 2 answers
A. Enable SNMP read-write community string for monitoring
B. Use the 'service password-enforcement' command to encrypt passwords with type 7
C. Disable unused services like HTTP server and CDP
D. Configure authentication using HTTP with local username/password
E. Use SSH version 2 for remote access
Answers: C, E

Disabling unnecessary services reduces the attack surface.

Why this answer

C is correct because disabling unused services like HTTP server and CDP reduces the attack surface of the router. The HTTP server can be exploited for web-based attacks, and CDP can leak sensitive network topology information. Cisco best practices recommend disabling all unnecessary services to minimize exposure.

Exam trap

Cisco often tests the distinction between 'service password-encryption' (type 7) and the stronger 'enable secret' (MD5 hash), leading candidates to mistakenly think type 7 encryption is secure.

300
Multi-Select · medium

A cloud security engineer is evaluating CSPM (Cloud Security Posture Management) solutions. Which TWO capabilities are essential for a CSPM tool? (Select two.)

Select 2 answers
A. Vulnerability scanning of container images
B. Incident response automation with playbooks
C. Continuous compliance monitoring with industry standards
D. Real-time network traffic analysis
E. Misconfiguration detection based on best practices
Answers: C, E

Core CSPM capability.

Why this answer

Option C is correct because CSPM tools are fundamentally designed to continuously monitor cloud environments against industry standards such as CIS, NIST, and PCI DSS. This ensures that the cloud infrastructure remains compliant with regulatory and security frameworks, which is a core requirement for cloud security posture management.

Exam trap

Cisco often tests the distinction between CSPM (configuration and compliance) and other cloud security tools (container scanning, SOAR, NTA), so the trap here is confusing adjacent security functions with the specific scope of CSPM.
