Cisco SCOR / CCNP Security Core 350-701 (350-701) — Questions 301–375

500 questions total · 7 pages · All types, answers revealed


Page 5 of 7

301
MCQ · medium

An engineer is configuring ISE for guest access via a sponsor portal. The policy requires that a sponsor must approve each guest. However, guests are being automatically approved without sponsor interaction. What is the most likely misconfiguration?

A.The guest portal's 'Access setting' is set to 'Self-Registration' instead of 'Sponsor Approval'
B.The guest portal is not configured to send email notifications to sponsors
C.The sponsor user account is assigned to the wrong sponsor group
D.The guest endpoint is being profiled as a known device
Answer: A

If the portal is set to self-registration, guests are automatically approved. It must be set to sponsor approval to require manual approval.

Why this answer

Option A is correct because the guest portal's access setting must be set to 'Sponsor Approval' to require sponsor approval; 'Self-Registration' is the opposite and approves guests automatically. Option B is wrong because email notification only controls how sponsors are notified, not whether approval is required. Option C is wrong because the sponsor group affects who can sponsor, not the approval process.

Option D is wrong because endpoint profiling does not change the guest portal's approval workflow.

302
MCQ · hard

A security analyst observes that one endpoint is generating alerts of type 'Trojan' in Cisco AMP, but other identical endpoints on the same software version show no issues. After verifying that the signature versions are consistent, what is the most likely cause of the discrepancy?

A.A legitimate application on that endpoint is exhibiting behavior that matches a Trojan signature
B.The AMP connector is misconfigured and is generating false alerts
C.The endpoint's network traffic is being intercepted by a proxy causing AMP to misidentify it
D.The endpoint has an outdated operating system patch
Answer: A

AMP's behavioral analysis might flag a legitimate application if it behaves like malware. Other endpoints may not have that app.

Why this answer

AMP uses behavioral analysis and machine learning; if one endpoint has a different application behavior or a legitimate application that behaves similarly to malware, it could cause a false positive. Other endpoints may not have that application.

303
MCQ · easy

A company wants to prevent sensitive data such as credit card numbers from being sent via email. Which Cisco ESA feature should be enabled?

A.Anti-Spam
B.Secure/Multipurpose Internet Mail Extensions (S/MIME)
C.Data Loss Prevention (DLP)
D.Anti-Malware
Answer: C

DLP scans email content for sensitive data patterns.

Why this answer

C is correct because Data Loss Prevention (DLP) is the Cisco ESA feature specifically designed to inspect email content and attachments for sensitive data patterns, such as credit card numbers, and enforce policies to prevent their unauthorized transmission. DLP uses predefined or custom dictionaries and message filters to detect and block or quarantine such data, directly addressing the requirement to prevent sensitive data from being sent via email.

Exam trap

Cisco often tests the distinction between security features that protect against external threats (Anti-Spam, Anti-Malware) versus those that control internal data leakage (DLP), leading candidates to confuse content inspection for malicious intent with content inspection for sensitive data.

How to eliminate wrong answers

Option A is wrong because Anti-Spam is designed to filter unsolicited bulk email based on reputation and content analysis, not to inspect for sensitive data patterns like credit card numbers. Option B is wrong because S/MIME is a protocol for encrypting and digitally signing email messages to ensure confidentiality and authentication, but it does not inspect or prevent the sending of sensitive data; it only secures the transport. Option D is wrong because Anti-Malware is focused on detecting and blocking malicious software (viruses, worms, trojans) in email attachments or links, not on identifying or preventing the transmission of sensitive data patterns.

304
MCQ · easy

An administrator is configuring Cisco ISE to profile endpoints. The administrator wants to ensure that endpoints are correctly identified based on MAC address and hostname. Which of the following is a prerequisite for successful profiling?

A.The DHCP server must be configured with option 82.
B.The endpoints must have the ISE agent installed.
C.The network devices must have profiling enabled and be configured with SNMP.
D.The switch must be configured with SNMP v3.
Answer: C

Network devices must be configured with SNMP to allow ISE to poll for MAC addresses and hostnames.

Why this answer

C is correct because Cisco ISE uses SNMP to query network devices (switches, wireless LAN controllers) for endpoint attributes such as MAC addresses and hostnames. Profiling must be enabled on the network devices, and SNMP (typically v2c or v3) must be configured so that ISE can collect the necessary data via MIBs like BRIDGE-MIB or ENTITY-MIB to correlate MAC-to-port mappings and hostname information.

Exam trap

The trap here is that candidates often think an agent or a specific DHCP option is required for profiling, but Cisco tests the understanding that passive network probes like SNMP are the foundational mechanism for MAC and hostname discovery without endpoint software.

How to eliminate wrong answers

Option A is wrong because DHCP option 82 (Relay Agent Information) is used for DHCP snooping and IP address tracking, not for profiling endpoints based on MAC address and hostname; ISE can use DHCP probes, but option 82 is not a prerequisite. Option B is wrong because the ISE agent (AnyConnect or posture agent) is required for advanced endpoint posture assessment, but basic profiling based on MAC address and hostname can be done passively via network probes (SNMP, DHCP, HTTP) without any agent installed. Option D is wrong because while SNMP v3 provides encryption and authentication, it is not a mandatory prerequisite; SNMP v2c is commonly used and sufficient for profiling, and the requirement is simply that SNMP is configured, not specifically v3.

305
MCQ · easy

A multinational company needs to gain centralized visibility into cloud security posture across AWS, Azure, and GCP. Which Cisco product provides multi-cloud security posture management (CSPM) capabilities?

A.Cisco Cloudlock
B.Cisco Firepower Threat Defense
C.Cisco Stealthwatch Cloud
D.Cisco Umbrella
Answer: A

Cloudlock offers CSPM, DLP, and access governance for multi-cloud.

Why this answer

Cisco Cloudlock is the correct answer because it provides Cloud Security Posture Management (CSPM) capabilities across multi-cloud environments, including AWS, Azure, and GCP. It continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks, offering centralized visibility and remediation guidance. This aligns directly with the requirement for multi-cloud CSPM in the question.

Exam trap

Cisco often tests the distinction between CSPM and cloud workload protection (CWP) or network security tools; the trap here is that candidates may confuse Stealthwatch Cloud (network visibility) or Umbrella (DNS security) with cloud security posture management, but only Cloudlock directly addresses multi-cloud configuration and compliance monitoring.

How to eliminate wrong answers

Option B (Cisco Firepower Threat Defense) is wrong because it is a next-generation firewall (NGFW) and intrusion prevention system (IPS) focused on network traffic inspection and threat prevention, not cloud security posture management. Option C (Cisco Stealthwatch Cloud) is wrong because it provides network traffic analysis and visibility for cloud and on-premises environments using NetFlow/IPFIX data, but it does not perform CSPM functions like configuration assessment or compliance monitoring. Option D (Cisco Umbrella) is wrong because it is a cloud-delivered DNS security and secure web gateway (SWG) solution that protects against internet-based threats, not a CSPM tool for multi-cloud posture management.

306
MCQ · easy

A company with 5000 endpoints uses Cisco Secure Endpoint (AMP) and Cisco ISE. Users report that legitimate software installations are being quarantined, causing delays. The security team receives many alerts for file executions. The AMP policy is set to "High Security" with "Block Unknown" enabled. Network traffic is monitored by Cisco Stealthwatch. The team wants to reduce operational overhead while maintaining security. What should they do?

A.Disable "Block Unknown" and rely solely on Stealthwatch for threat detection
B.Create an AMP exclusion for software installation directories and enable "File Reputation" with "Cloud Lookups"
C.Change AMP policy to "Medium Security" and enable "Application Blocking with Allow List"
D.Disable AMP and use only ISE for endpoint posture checks
Answer: B

Exclusions reduce false positives for trusted paths, while file reputation with cloud lookups maintains detection for unknown files, balancing security and overhead.

Why this answer

Option B is correct. Creating an AMP exclusion for software installation directories reduces false positives by preventing scanning of known legitimate installations. Enabling File Reputation with Cloud Lookups maintains detection by checking unknown files against cloud intelligence, so security is not sacrificed.

Option A removes protection against unknown files and relies solely on network detection, which is insufficient. Option C lowers the security level and might miss threats. Option D removes endpoint protection entirely, increasing risk.

307
MCQ · hard

An engineer is designing a FlexVPN deployment with multiple hub routers and spoke routers. The spokes need to establish tunnels to the closest hub based on latency. Which feature should be configured to achieve dynamic hub selection?

A.Configure static priority on each hub and use priority-based selection.
B.Use Multipoint GRE with mGRE and NHRP for dynamic tunnel selection.
C.Use DHCP option 121 to push static routes for hub selection.
D.Implement IKEv2 redirect mechanism to direct spokes to the optimal hub.
Answer: D

IKEv2 redirect allows hubs to redirect spokes to a better hub based on location or latency.

Why this answer

The IKEv2 redirect mechanism allows a hub to inform a spoke of a more optimal hub based on metrics such as latency or load. The spoke then initiates a new IKEv2 connection to the recommended hub, enabling dynamic hub selection without manual configuration. This is the standard Cisco solution for FlexVPN deployments requiring proximity-based tunnel establishment.

Exam trap

Cisco often tests the IKEv2 redirect mechanism as the only standards-based method for dynamic hub selection in FlexVPN, and the trap here is that candidates confuse DMVPN's mGRE/NHRP (which handles spoke-to-spoke tunnels) with the hub-selection problem, leading them to choose Option B.

How to eliminate wrong answers

Option A is wrong because static priority on hubs does not adapt to real-time network conditions like latency; it forces spokes to always prefer a fixed hub regardless of performance. Option B is wrong because mGRE and NHRP are used for dynamic spoke-to-spoke tunnel establishment (DMVPN phase 2/3), not for selecting the best hub based on latency. Option C is wrong because DHCP option 121 pushes static routes for routing purposes, not for dynamic tunnel endpoint selection based on latency.

308
Drag & Drop · medium

Drag and drop the steps to configure NetFlow on a Cisco IOS router for traffic monitoring in the correct order.


Why this order

First enable flow on interface, then configure exporter, create monitor, apply to interface, and verify.

309
MCQ · hard

A security team notices that an AWS Lambda function is allowed to access an S3 bucket containing PII. The Lambda role has an attached policy that grants s3:PutObject and s3:GetObject to the bucket. Which action would be the most effective to ensure least privilege?

A.Enable S3 default encryption using AWS KMS
B.Apply AWS WAF rules to the Lambda function
C.Remove the role and create a new role with full S3 access
D.Add a bucket policy that restricts access to the Lambda execution role and includes conditions
Answer: D

Resource policies with conditions can restrict based on role and source.

Why this answer

Option D is correct because adding a bucket policy that restricts access to the Lambda execution role and includes conditions (such as aws:SourceArn or aws:SourceAccount) enforces least privilege at the resource level. This ensures that only the specific Lambda function can perform s3:PutObject and s3:GetObject on the S3 bucket, preventing any other principal or service from abusing the role's permissions.

Exam trap

The trap here is that candidates often confuse resource-based policies (bucket policies) with identity-based policies (IAM roles) and think that modifying the IAM role alone is sufficient, but Cisco tests that least privilege requires restricting access at both the identity and resource levels, especially for cross-service scenarios.

How to eliminate wrong answers

Option A is wrong because enabling S3 default encryption using AWS KMS protects data at rest but does not restrict which principals or roles can access the bucket; it addresses confidentiality, not authorization. Option B is wrong because AWS WAF is a web application firewall that protects HTTP/HTTPS endpoints (like API Gateway or CloudFront), not Lambda functions or S3 bucket access; it cannot control IAM permissions or S3 API calls. Option C is wrong because creating a new role with full S3 access (s3:*) would grant excessive permissions, violating the principle of least privilege and potentially allowing the Lambda function to list, delete, or modify all objects in the bucket.

310
MCQ · medium

A company's remote employees use Cisco AnyConnect to connect to the corporate network. The VPN is configured with split tunneling so that only traffic to the corporate subnet (10.0.0.0/8) goes through the tunnel, and all other traffic goes directly to the internet. Recently, several employees reported that they cannot access the corporate file server (IP 10.2.3.4) even though they can connect to the VPN. The network team checks the ASA configuration and confirms that the split tunnel ACL includes the corporate subnet. The AnyConnect client shows that it is connected. What is the most likely cause of the issue?

A.The ASA is performing NAT on the VPN traffic.
B.The DNS resolution for the file server is failing due to VPN DNS settings.
C.The file server's firewall is blocking VPN traffic.
D.The split tunnel ACL is not being applied correctly, and traffic is going direct to internet.
Answer: B

Split tunneling often requires DNS to be resolved via the corporate DNS server; misconfiguration can cause resolution failures.

Why this answer

When split tunneling is configured, DNS queries for corporate resources are often sent to the corporate DNS server through the tunnel. If the VPN adapter's DNS settings are not properly configured or the corporate DNS server is unreachable, the client cannot resolve the file server's hostname to its IP address (10.2.3.4), even though the IP itself is reachable via the tunnel. This is a common misconfiguration where the client uses its local DNS server, which does not have records for the internal corporate domain.

Exam trap

Cisco often tests the distinction between network-layer connectivity (IP reachable) and application-layer resolution (DNS), leading candidates to focus on routing or firewall issues when the real problem is DNS misconfiguration in split-tunnel scenarios.

How to eliminate wrong answers

Option A is wrong because NAT on VPN traffic would typically translate the source IP of the client, but it would not prevent access to a specific IP like 10.2.3.4; NAT might cause issues with routing or application protocols, but the symptom here is inability to access a specific server, not a general connectivity failure. Option C is wrong because the file server's firewall blocking VPN traffic would affect all VPN users consistently, not just those reporting issues, and the scenario states that the VPN connection is established and the split tunnel ACL includes the subnet, implying the traffic reaches the server but fails at a higher layer. Option D is wrong because the network team confirmed the split tunnel ACL includes the corporate subnet, and the AnyConnect client shows it is connected, so traffic to 10.0.0.0/8 should be routed through the tunnel; if the ACL were misapplied, the client would likely show no tunnel route or the user would be unable to ping the server IP directly, which is not stated.

311
MCQ · hard

An incident responder is analyzing an endpoint that was compromised despite AMP for Endpoints being deployed. The AMP logs show the malware file had a disposition of 'Unknown' shortly before compromise, but later changed to 'Malicious' after cloud analysis. What is the most likely reason the file was not blocked initially?

A.The cloud analysis result was delayed due to high traffic.
B.The local analysis engine was disabled, so the file was not analyzed locally.
C.The AMP policy was configured to 'Allow' or 'Detect' for files with disposition 'Unknown'.
D.The endpoint did not have connectivity to the AMP cloud at the time of execution.
Answer: C

Unknown files may be allowed until the cloud verdict returns; if the action is not 'Block', execution occurs.

Why this answer

Option C is correct because if the policy action for 'Unknown' is set to 'Audit' or 'Allow', the file runs while cloud analysis completes. Option A is wrong because a delayed cloud verdict does not by itself permit execution; the file would have been blocked once the verdict returned if the policy required blocking. Option B is wrong because local analysis is used for known files, not unknowns.

Option D is wrong because connectivity issues would prevent cloud analysis altogether, yet the disposition did change after cloud analysis.

312
MCQ · hard

An ISE deployment uses TrustSec with SGTs assigned by Active Directory group membership. A group of users in the 'Finance' AD group is correctly receiving SGT 5, but a new user added to that group is getting SGT 0. The ISE policy is unchanged, and other users in the group work fine. What is the most likely cause?

A.The user endpoint has not been profiled by ISE yet
B.ISE has not synchronized the latest AD group membership
C.The user endpoint is running antivirus software that blocks SGT assignment
D.The user does not have a PAC (Protected Access Credential)
E.The switchport is configured with 'authentication violation restrict' which blocks the new user
Answer: B

ISE caches AD groups. If the user was recently added, the cache may be stale, causing ISE to assign a default SGT (0).

Why this answer

Option B is correct because ISE caches AD group membership; a newly added user may not appear in the cache until the next synchronization, so the default SGT (0) is assigned. Option A is wrong because profiling is not involved in AD group-based SGT assignment. Option C is wrong because endpoint antivirus software is separate from SGT assignment.

Option D is wrong because SGT classification can be based on AD groups without a PAC. Option E is wrong because a port violation in restrict mode would block the session entirely rather than assign SGT 0.

313
Multi-Select · easy

Which TWO factors should be considered when designing a Cisco ISE deployment for network access control (NAC) in a multi-site environment? (Choose two.)

Select 2 answers
A.ISE node roles and placement (primary, secondary, monitoring)
B.Endpoint profiling needs
C.Number of endpoints per policy evaluator
D.Type of network access device (switch, WLC, VPN)
E.WAN link latency and reliability between sites
Answers: A, E

Roles define failover and administration; critical for multi-site.

Why this answer

Multi-site NAC design requires reliable connectivity between sites and proper node roles. Option E (WAN link latency and reliability) is critical for authentication timeliness. Option A (ISE node roles, such as Administration vs Monitoring) is important for failover and load balancing.

Option B is about endpoint attributes, not multi-site design. Option C is irrelevant unless performance is the concern. Option D is a detail of individual access devices, not a multi-site design factor.

314
MCQ · hard

A multinational corporation is deploying Cisco ISE to enforce network access for both wired and wireless users. The company has 5,000 employees and 2,000 guest users daily. The ISE deployment consists of two nodes: a primary Administration Node (PAN) and a Monitoring Node (MNT). All policies are configured on the PAN. Recently, the company has experienced intermittent authentication failures during peak hours. The failures affect both wired 802.1X and wireless users. The syslogs show 'RADIUS request dropped' messages on the ISE nodes. The network team has verified that the RADIUS shared secret is correct and that the network devices can reach the ISE nodes. The ISE nodes have sufficient CPU and memory. However, the authentication failures correlate with times when the number of concurrent sessions exceeds 500. What is the most likely cause of the issue?

A.The ISE node is running out of RADIUS session capacity
B.The ISE nodes are not reachable from the network devices
C.The RADIUS shared secret is mistyped on some network devices
D.The CPU and memory are insufficient despite appearing sufficient
Answer: A

ISE has a maximum number of concurrent RADIUS sessions; exceeding that causes drops.

Why this answer

The 'RADIUS request dropped' messages and correlation with concurrent sessions exceeding 500 indicate that the ISE node has reached its RADIUS session capacity. Cisco ISE nodes have a finite number of RADIUS session contexts (typically 500 for a single node in many deployments), and once this limit is exceeded, new authentication requests are dropped. This is a licensing and resource limitation, not a CPU or memory issue, and it explains why failures occur only during peak hours.

Exam trap

Cisco often tests the distinction between resource exhaustion (CPU/memory) and session capacity limits, trapping candidates who assume that sufficient CPU and memory means no capacity issue, when in fact the RADIUS session table is a separate finite resource.

How to eliminate wrong answers

Option B is wrong because the network team verified that the network devices can reach the ISE nodes, so reachability is not the issue. Option C is wrong because the RADIUS shared secret was verified as correct on all devices, and mistyped secrets would cause consistent failures, not intermittent ones correlated with session count. Option D is wrong because the ISE nodes have sufficient CPU and memory, and the problem is a session capacity limit, not a resource exhaustion issue.

315
Multi-Select · easy

Which two conditions must be met for Cisco Firepower Threat Defense (FTD) to perform SSL decryption?

Select 2 answers
A.The FTD must have a decryption certificate (server certificate) installed.
B.The client must be using TLS 1.2 or higher.
C.The FTD must have a URL Filtering license.
D.A valid certificate authority (CA) certificate for the internal CA must be installed on the FTD.
E.The decryption policy must be configured on the FTD device.
Answers: A, D

The decryption certificate is used to establish a new TLS session with the client.

Why this answer

SSL decryption requires both a trusted CA certificate to re-sign the server certificate and a decryption certificate (server certificate) to present to the client. Options B, C, and E are not prerequisites.

316
Multi-Select · easy

Which TWO are required to successfully deploy Cisco AMP for Endpoints in a Windows domain environment with Group Policy?

Select 2 answers
A.Install the AMP connector on each endpoint
B.Configure the firewall to block outbound HTTPS traffic
C.Install the AMP connector on a domain controller
D.Assign an AMP policy to the connector via Group Policy
E.Ensure all endpoints are joined to the domain
Answers: A, D

The connector must be present to enforce policies.

Why this answer

Options A and D are correct. The AMP connector must be installed on each endpoint (A) and a policy must be assigned to the connector (D). Option C (install on a domain controller) is not required; the connector can run on any endpoint.

Option B (configure the firewall to block outbound HTTPS) would break the connector's cloud connectivity. Option E (join all endpoints to the domain) is not strictly necessary; Group Policy can apply to non-domain machines via local policy.

317
MCQ · hard

A company uses Cisco Threat Response (CTR) to investigate a potential breach. The analyst sees an observable (SHA256) with a score of 90 in the threat grid. However, the AMP connector on the endpoint shows 'Allow' for that file. What could cause this discrepancy?

A.The 'File Blocking' setting is set to 'Off' for the policy, ignoring cloud scores.
B.The AMP policy has file reputation disabled, so all files are allowed.
C.The AMP policy uses 'Local Analysis' and the local analysis determined the file was safe.
D.The file was blocked but the AMP console shows 'Allow' due to delayed event ingestion.
Answer: C

Local analysis can override cloud reputation if configured and the file passes local heuristics.

Why this answer

Option C is correct because Cisco AMP for Endpoints uses a layered approach: cloud-based file reputation (Threat Grid) provides a score, but if the policy has Local Analysis enabled, the endpoint's local engine can override the cloud verdict. In this scenario, the local analysis determined the file was safe, so the file was allowed despite the high cloud score of 90. This explains the discrepancy between the Threat Grid score and the AMP connector's 'Allow' action.

Exam trap

Cisco often tests the concept that AMP's Local Analysis can override cloud-based reputation scores, leading to a file being allowed despite a high malicious score in Threat Grid, which candidates mistakenly attribute to misconfigured file blocking or reputation settings.

How to eliminate wrong answers

Option A is wrong because the 'File Blocking' setting, when set to 'Off', disables file blocking entirely, but it does not ignore cloud scores; it simply does not enforce blocking based on any score. Option B is wrong because disabling file reputation in the AMP policy would prevent the endpoint from querying the cloud for reputation, but it would not cause a file with a high cloud score to be allowed; instead, the file would be handled by other mechanisms like local analysis or simple allow/block rules. Option D is wrong because AMP events are near real-time; delayed event ingestion would not cause the console to show 'Allow' for a blocked file—it would either show no event or a delayed 'Blocked' event, not an incorrect 'Allow' status.

318
MCQ · medium

Refer to the exhibit. The engineer configured a file type filter for executables on access policy Policy_A. However, .exe files from trusted_sites are still being allowed. What is the most likely reason for this behavior?

A.The file type filter is applied to the wrong access policy.
B.The URL category for trusted_sites is blocking the file type filter from being evaluated.
C.The file type filter action is set to 'monitor' instead of 'block'.
D.The access policy order is incorrect; a less specific policy is matching before Policy_A.
Answer: C

A 'monitor' action only logs and does not block; to block, the action must be set to 'block'.

Why this answer

Option C is correct because the file type filter action is set to 'monitor' (which only logs) instead of 'block'. The access policy action is 'allow', so without a block action in the file type filter, executables are allowed. Option A is wrong because the file type filter is applied to Policy_A.

Option B is wrong because the filter is on executables category, not URL. Option D is wrong because policy order is not shown to be an issue.

319
MCQ · medium

A network administrator is deploying Cisco AMP for Endpoints to protect against advanced malware. They want to ensure that if a file is initially allowed but later determined to be malicious, the file is automatically blocked and quarantined on all endpoints that have executed it. Which AMP feature should be configured?

A.Retrospective Security (Retrospective)
B.TETRA (Technique Extraction and Retrospective Analysis)
C.File Analysis via the AMP cloud
D.Exclude List for known good files
Answer: A

Updates disposition and remediates.

Why this answer

Retrospective Security (Retrospective) is the correct feature because it allows Cisco AMP for Endpoints to re-evaluate files that were initially allowed based on local or cloud reputation. If a file is later determined to be malicious via updated threat intelligence, Retrospective Security automatically blocks and quarantines that file on all endpoints that have executed it, even after the initial execution. This provides continuous protection against advanced malware that evades initial detection.

Exam trap

The trap here is that candidates confuse TETRA (a network-based exploit detection engine) with endpoint-based retrospective file quarantine, or they assume File Analysis alone provides automatic retroactive remediation without understanding that it requires the Retrospective Security feature to be explicitly enabled.

How to eliminate wrong answers

Option B (TETRA) is wrong because TETRA (Technique Extraction and Retrospective Analysis) is a feature of Cisco Firepower and Snort that extracts and analyzes exploit techniques from network traffic, not a file-level retrospective quarantine capability for endpoints. Option C (File Analysis via the AMP cloud) is wrong because it refers to submitting files to the cloud for static and dynamic analysis to determine maliciousness, but it does not automatically retroactively block and quarantine files already executed on endpoints. Option D (Exclude List for known good files) is wrong because it is a whitelisting mechanism to prevent false positives, not a feature that blocks or quarantines files later found malicious.

320
MCQ · hard

A security architect is designing a solution to detect and block ransomware using Cisco AMP. The requirement is that when a file executes and attempts to encrypt files in a monitored directory, the event must be captured and the process terminated immediately. Which AMP feature set should be used?

A.Exploit Prevention with Behavioral Protection enabled.
B.Application Control with a block list of known ransomware binaries.
C.Vulnerability Assessment with real-time patching.
D.Device Flow Correlation (DFC) with advanced malware analysis.
Answer: A

This feature set detects ransomware behaviors and can automatically terminate the process.

Why this answer

Option A is correct because AMP's 'Exploit Prevention' combined with 'Behavioral Protection' specifically monitors for ransomware-like behavior and can terminate the offending process. Option B is incorrect because 'Application Control' only allows or denies execution and performs no behavioral analysis. Option C is incorrect because 'Vulnerability Assessment' checks for CVEs, not runtime behavior.

Option D is incorrect because 'Device Flow Correlation' is for network traffic analysis.

321
MCQ · easy

Refer to the exhibit. What happened to the file 'crack.exe'?

A.The file was allowed because it was detected as malicious.
B.The file was blocked from executing.
C.The file was detected but no action was taken.
D.The file was quarantined to a secure folder.
Answer: B

The log explicitly states 'Blocked by policy'.

Why this answer

Option B is correct because the log says 'Blocked by policy'. Option A is wrong because the file was not allowed. Option C is wrong because the file was not merely detected; action was taken.

Option D is wrong because the file was not quarantined (the log makes no mention of quarantine).

322
MCQ · hard

A security engineer is troubleshooting an issue where a known malicious file (SHA-256: 3a7c...f9e) is not being detected by Cisco Secure Endpoint on a Windows 10 endpoint. The file was downloaded from the internet. The policy has the 'File Reputation' setting set to 'Use cloud lookup', and the 'Exploit Prevention' module is enabled. The endpoint is connected to the internet and can reach the AMP cloud. What is the most likely reason for the missed detection?

A.The endpoint was offline when the file was first written to disk, so the cloud lookup was skipped.
B.Windows Defender Real-time Protection is interfering with the AMP connector.
C.The Exploit Prevention module is blocking the cloud lookup process.
D.The AMP cloud license has expired for the organization.
AnswerA

If the endpoint was offline during file download, the initial cloud lookup is skipped, and the file is allowed.

Why this answer

Option A is correct because with 'File Reputation' set to 'Use cloud lookup' the connector queries the AMP cloud for the file's SHA-256 disposition at the moment the file is written to disk. If the endpoint was offline during that window, no lookup happens and the file lands on disk without a disposition. Practitioner caveat: the connector also performs a lookup when the file is copied, moved or executed, and a later change in cloud disposition can produce a retrospective detection, so the gap mainly affects a file that sits on disk untouched; such a file can remain undetected until an on-demand scan or one of those file events triggers a new lookup.

Exam trap

Cisco often tests the nuance that 'Use cloud lookup' requires real-time connectivity at the exact moment of file creation, not just general internet access, and candidates mistakenly assume that a later online state will retroactively detect the file.

How to eliminate wrong answers

Option B is wrong because Windows Defender Real-time Protection does not stop the connector from performing cloud lookups; Cisco supports running Secure Endpoint alongside other antivirus products (mutual exclusions are recommended for performance, not for correctness of detection). Option C is wrong because the Exploit Prevention module does not block cloud lookup processes; it monitors for exploit techniques such as code injection or heap spray, not network-based reputation queries. Option D is wrong because if the AMP cloud license had expired, the connector would show a licensing error or fail to communicate entirely, but the scenario states the endpoint can reach the AMP cloud, implying connectivity and licensing are functional.

323
MCQhard

An engineer is troubleshooting why AMP for Endpoints is not detecting a specific malicious file. The file hash is available and other endpoints detected it. What is the most likely cause for the detection failure on this endpoint?

A.The AMP connector is not configured with a proxy when needed.
B.The endpoint's AMP connector has local analysis disabled, preventing hash matching.
C.The AMP signature database on that endpoint is outdated.
D.The AMP policy is set to 'Block' instead of 'Detect'.
AnswerB

Local analysis allows matching known bad hashes without cloud lookup; if disabled, detection may rely solely on cloud.

Why this answer

When AMP for Endpoints fails to detect a file that is known to be malicious (by its hash) while other endpoints have already detected it, the most likely cause among the options is that local analysis is disabled on the failing endpoint. AMP for Endpoints combines cloud-based hash lookups with local analysis: the connector's cache of previously returned dispositions and, when enabled, the TETRA offline engine. If local analysis is disabled, the endpoint cannot match the hash locally and must rely entirely on a timely cloud response.

If the cloud lookup is delayed or the endpoint is offline, detection fails. Option B directly addresses this scenario.

Exam trap

Cisco often tests the misconception that AMP for Endpoints relies on a traditional signature database (like a .dat file) that can become outdated, when in fact the primary detection mechanism is cloud-based with a local cache that is not a full signature database.

How to eliminate wrong answers

Option A is wrong because a proxy misconfiguration would prevent cloud connectivity, but the question states the file hash is available and other endpoints detected it, implying cloud connectivity is not the issue; moreover, local analysis would still work if enabled. Option C is wrong because AMP for Endpoints does not rely on a locally stored signature database like traditional antivirus; it uses a lightweight local cache and cloud lookups, so an 'outdated signature database' is not a relevant concept for hash-based detection. Option D is wrong because setting the policy to 'Block' instead of 'Detect' would still trigger detection (and then block), not cause a failure to detect; the detection engine runs regardless of the action taken.

324
Multi-Selecteasy

Which TWO are valid methods for integrating Cisco Umbrella with an existing network to provide DNS-layer security?

Select 2 answers
A.SNMP monitoring of DNS queries.
B.Roaming Security client installed on endpoints.
C.IPsec VPN tunnel to Umbrella cloud.
D.Active Directory integration to forward DNS requests to Umbrella virtual appliances.
E.BGP peering to route DNS traffic to Umbrella.
AnswersB, D

Client software provides DNS filtering on any network.

Why this answer

Option B is correct because the Cisco Umbrella Roaming Security client (also delivered as the AnyConnect Umbrella Roaming Security module) installs a local DNS listener on the endpoint and forwards every query, encrypted, to the Umbrella resolvers, so Umbrella policy applies even when the device is off the corporate network and without any change to network infrastructure. Option D is correct because on-premises Umbrella virtual appliances act as the internal DNS forwarders: the local DNS servers or DHCP scopes point clients at the VAs, which forward external queries to Umbrella tagged with the internal client address, and the Active Directory connector supplies user and computer identity so that policy and reporting are per-user rather than per-network.

Exam trap

Cisco often tests the distinction between methods that provide DNS-layer security (like the roaming client and DNS forwarding via virtual appliances) versus methods that are used for other layers of security (like IPsec VPNs for full traffic inspection or BGP for routing), leading candidates to mistakenly select options that sound plausible but are not designed for DNS-layer integration.

325
MCQeasy

A company wants to enforce consistent security policies for Office 365, Salesforce, and Box. Which Cisco product provides CASB functionality with policy enforcement for SaaS applications?

A.Cisco Stealthwatch
B.Cisco Firepower Threat Defense
C.Cisco Umbrella
D.Cisco Cloudlock
AnswerD

Cloudlock is a CASB with DLP and policy enforcement.

Why this answer

Cisco Cloudlock is the correct answer because it is Cisco's Cloud Access Security Broker (CASB) solution specifically designed to enforce consistent security policies across SaaS applications like Office 365, Salesforce, and Box. It provides visibility, data loss prevention (DLP), threat protection, and compliance monitoring by acting as a policy enforcement point between users and cloud services, using API-based integration to inspect and control data in transit and at rest.

Exam trap

The trap here is that candidates often confuse Cisco Umbrella's cloud-delivered security (DNS filtering, web proxy) with CASB functionality, but Umbrella lacks the deep API-level integration and policy enforcement for SaaS applications that Cloudlock provides.

How to eliminate wrong answers

Option A is wrong because Cisco Stealthwatch is a network visibility and security analytics tool that focuses on traffic flow analysis using NetFlow/IPFIX, not CASB functionality for SaaS policy enforcement. Option B is wrong because Cisco Firepower Threat Defense (FTD) is a next-generation firewall (NGFW) that provides intrusion prevention and application control at the network perimeter, but it does not offer native CASB capabilities for SaaS applications like Office 365 or Salesforce. Option C is wrong because Cisco Umbrella is a cloud-delivered DNS-layer security solution that provides threat intelligence and web filtering, but it lacks the deep API-based policy enforcement and data-level controls required for CASB functionality in SaaS environments.

326
Multi-Selecthard

Which THREE of the following are best practices for deploying Cisco Web Security Appliance (WSA) in a large enterprise environment? (Select exactly three.)

Select 3 answers
A.Use explicit proxy mode with PAC files for user-specific policy enforcement
B.Configure transparent proxy to avoid client configuration
C.Disable anti-malware scanning to improve performance
D.Deploy multiple WSAs in a cluster for high availability
E.Enable SSL decryption for comprehensive content inspection
AnswersA, D, E

Allows per-user policies.

Why this answer

Option A is correct because explicit proxy mode with PAC files lets the WSA authenticate users (for example via NTLM, Kerberos or LDAP) and apply per-user or per-group policies by destination, while the PAC file distributes the proxy configuration automatically so browsers need no manual settings. Option D is correct because a single appliance is a single point of failure; deploying several WSAs behind WCCP or a load balancer provides high availability (note that a WSA 'cluster' as such is the centralized configuration management feature; traffic distribution and failover come from WCCP or the load balancer). Option E is correct because without HTTPS decryption the WSA sees only the server name from the CONNECT request or SNI, so malware scanning, URL filtering within a site and data loss prevention cannot inspect the content. Option C is wrong because disabling anti-malware scanning removes the core protection the appliance exists to provide; performance problems should be addressed by sizing and by tuning the decryption scope instead.

Exam trap

Cisco often tests the misconception that transparent proxy is always superior for large enterprises, but the trap here is that explicit proxy with PAC files is actually the best practice for user-specific policy enforcement in a large environment, while transparent proxy lacks identity granularity without additional complexity.

327
MCQhard

An administrator reviews the AMP event log shown in the exhibit. The same file hash appears in all events. What is the most likely explanation for the third event showing a 'TETRA Event' with 'Action: Quarantine' and 'Disposition: Unknown'?

A.The AMP connector failed to communicate with the cloud and generated a TETRA event as an error.
B.The file was previously blocked, but the user executed it from a different location, triggering a TETRA event.
C.The file was determined to be malicious by the cloud after the first detection.
D.The file was executed and, because its disposition was unknown, AMP quarantined it and submitted it for cloud analysis.
AnswerD

TETRA is the connector's offline, signature-based engine; when its local signatures match a file whose cloud disposition is still Unknown, the connector quarantines the file and submits it to the cloud for analysis.

Why this answer

The third event is a TETRA event, not a cloud lookup. TETRA is the offline antivirus engine inside the AMP for Endpoints connector; it is signature-based and updated independently of cloud dispositions. When the file was executed, the cloud disposition was still 'Unknown', meaning the cloud had not yet classified the hash, but TETRA's local signatures matched it, so the connector quarantined the file on its own authority and submitted the sample for cloud analysis. 'Disposition: Unknown' therefore describes the cloud's state at the time of the event, and 'Action: Quarantine' is the local engine's precautionary result while that analysis is pending.

Exam trap

Cisco often tests the misconception that every AMP detection comes from the cloud, leading candidates to confuse a TETRA event (a local, offline engine detection) with a cloud communication error or a re-execution trigger; TETRA events appear in the device trajectory like any other event but are generated locally.

How to eliminate wrong answers

Option A is wrong because a TETRA event is a detection by the connector's offline engine, not an error produced by a communication failure; a cloud outage produces connector status messages, not quarantine events. Option B is wrong because the file was not previously blocked (the first event shows 'Action: Allowed'), and executing a file from a different location does not by itself generate a TETRA event. Option C is wrong because if the cloud had determined the file to be malicious after the first detection, the third event would show a 'Malicious' disposition, not 'Unknown'.

328
MCQmedium

An engineer is configuring Cisco Firepower Threat Defense (FTD) with a pre-filter policy to block traffic from known malicious IP addresses before it reaches the access control policy. The pre-filter rules are configured to block traffic from the malicious IPs. However, the engineer notices that some traffic from those IPs is still being allowed. What is the most likely reason?

A.A pre-filter rule with a lower priority (higher number) is matching the traffic first and allowing it
B.The pre-filter rules are configured with the wrong source interface
C.The access control policy is overriding the pre-filter policy
D.The default action for the pre-filter policy is set to 'Allow'
AnswerA

Pre-filter rules are evaluated top-down in the order listed; if a broader rule positioned above the block rule matches the traffic first, it ends evaluation and the block rule is never reached.

Why this answer

Pre-filter rules, like access control rules, are evaluated in the order they appear in the policy (the rule number in the FMC table is simply its position), and the first match ends evaluation. If a Fastpath or Analyze rule whose conditions also cover the malicious sources sits above the Block rule, it matches first and the Block rule is never consulted, which is why some traffic from the listed IPs is still permitted. Option A's 'allow' maps to those two pre-filter actions: Fastpath sends the flow through without further inspection, and Analyze hands it to the access control policy, which may permit it. The fix is to move the Block rule above the broader rule (or narrow the broader rule's conditions) and then confirm from the rule hit counters that the Block rule is actually being hit.

Exam trap

Cisco often tests the misconception that a rule's presence guarantees enforcement: rules are evaluated in the order shown in the GUI, so a Block rule placed below a broader Fastpath or Analyze rule is shadowed and must be moved above it, regardless of how the engineer thinks of its 'priority'.

How to eliminate wrong answers

Option B is wrong because the source interface is a match condition, not an ordering issue; if the wrong interface were configured, the rule would simply not match the traffic, not cause a higher-priority allow rule to override a block. Option C is wrong because pre-filter policies are evaluated before access control policies in the FTD data plane, so the access control policy cannot override a pre-filter block; if a pre-filter rule allows traffic, the access control policy can then block it, but not vice versa. Option D is wrong because the default action for a pre-filter policy is to continue to the access control policy (not 'Allow' or 'Block' by default), and even if set to 'Allow', it would only apply to traffic that does not match any pre-filter rule, not override a matching block rule.

329
MCQeasy

Refer to the exhibit. A security analyst sees this syslog message on a Cisco ASA. What does it indicate?

A.A TCP connection from 10.10.10.10 to 203.0.113.50 was denied.
B.A TCP connection from 203.0.113.50 to 10.10.10.10 was denied by the ACL named OUTSIDE.
C.A TCP connection from 203.0.113.50 to 10.10.10.10 was allowed and logged.
D.The ASA interface OUTSIDE is experiencing high CPU due to Denial of Service.
AnswerB

The syslog clearly indicates a deny by access-group OUTSIDE.

Why this answer

The syslog message shows an ACL deny action on the OUTSIDE interface for a TCP connection from source 203.0.113.50 to destination 10.10.10.10. The format '%ASA-4-106023' indicates a deny, and the interface name 'OUTSIDE' is explicitly stated. The source IP is listed first in the message, confirming the connection attempt originated from 203.0.113.50.

Exam trap

Cisco often tests the order of IP addresses in syslog messages—candidates mistakenly assume the first IP is the destination, but in ASA syslogs, the source IP is listed first, leading to reversed direction errors.

How to eliminate wrong answers

Option A is wrong because the source and destination IPs are reversed; the syslog shows the source as 203.0.113.50 and the destination as 10.10.10.10, not the other way around. Option C is wrong because message 106023 is only ever generated for a deny; an ACE hit logged with the log keyword appears as 106100 and states 'permitted' or 'denied' explicitly, and a permitted TCP connection would also produce a 302013 'Built ... connection' message. Option D is wrong because the message is a specific ACL deny log, not a CPU utilization or DoS alert; resource exhaustion produces separate system messages rather than a per-connection ACL entry.
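To make the direction and verdict explicit when reading these messages at volume, here is an added example (not part of the exam material or of any Cisco tool): a small Python parser for the ASA 106023 and 106100 ACL messages that labels source and destination by interface and tallies denies per source. The log lines it runs on are constructed for the example in the documented ASA format; they are not the page's exhibit.

```python
"""Parse Cisco ASA ACL syslog messages (106023 deny, 106100 ACE hit) and report
the connection direction explicitly, so source and destination are never read backwards."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# %ASA-4-106023: Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group "<acl>" [...]
RE_106023 = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))? "
    r'by access-group "(?P<acl>[^"]+)"'
)
# %ASA-6-106100: access-list <acl> {permitted|denied|est-allowed} <proto> <ifc>/<ip>(<port>) -> <ifc>/<ip>(<port>) hit-cnt ...
RE_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<verdict>permitted|denied|est-allowed) (?P<proto>\w+) "
    r"(?P<src_if>[\w-]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\)\S* -> "
    r"(?P<dst_if>[\w-]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)"
)


@dataclass
class AclEvent:
    msg_id: str
    verdict: str            # "denied" or "permitted"
    proto: str
    acl: str
    src_if: str
    src_ip: str
    src_port: Optional[int]
    dst_if: str
    dst_ip: str
    dst_port: Optional[int]

    def summary(self) -> str:
        # Source is always printed first, mirroring the ASA message order.
        return (f"{self.proto.upper()} {self.src_ip} ({self.src_if}) -> "
                f"{self.dst_ip} ({self.dst_if}) {self.verdict} by ACL {self.acl}")


def parse_asa_acl_event(line: str) -> Optional[AclEvent]:
    """Return an AclEvent for a 106023/106100 line, or None for any other syslog."""
    m = RE_106023.search(line)
    if m:
        d = m.groupdict()
        return AclEvent("106023", "denied", d["proto"], d["acl"],
                        d["src_if"], d["src_ip"], int(d["src_port"]) if d["src_port"] else None,
                        d["dst_if"], d["dst_ip"], int(d["dst_port"]) if d["dst_port"] else None)
    m = RE_106100.search(line)
    if m:
        d = m.groupdict()
        verdict = "permitted" if d["verdict"] in ("permitted", "est-allowed") else "denied"
        return AclEvent("106100", verdict, d["proto"], d["acl"],
                        d["src_if"], d["src_ip"], int(d["src_port"]),
                        d["dst_if"], d["dst_ip"], int(d["dst_port"]))
    return None


# Constructed sample lines (not the page's exhibit), written in the documented ASA format.
SAMPLE_LOG = [
    'Mar  1 10:15:02 asa1 %ASA-4-106023: Deny tcp src OUTSIDE:203.0.113.50/51234 dst INSIDE:10.10.10.10/443 by access-group "OUTSIDE" [0x8a3b1c2d, 0x0]',
    'Mar  1 10:15:03 asa1 %ASA-6-106100: access-list OUTSIDE permitted tcp OUTSIDE/203.0.113.50(51235) -> DMZ/10.10.10.20(443) hit-cnt 1 first hit [0x1e2f3a4b, 0x0]',
    'Mar  1 10:15:04 asa1 %ASA-6-302013: Built inbound TCP connection 12345 for OUTSIDE:203.0.113.50/51235 (203.0.113.50/51235) to DMZ:10.10.10.20/443 (10.10.10.20/443)',
]


def denied_sources(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count ACL denies per (source IP, ACL name); a quick way to spot a scanning source."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        ev = parse_asa_acl_event(line)
        if ev and ev.verdict == "denied":
            key = (ev.src_ip, ev.acl)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_asa_acl_event(line)
        print(ev.summary() if ev else "not an ACL event")
    print(denied_sources(SAMPLE_LOG))
```

The 302013 line is deliberately included to show that connection-build messages are not ACL verdicts and are skipped; extend the parser with a third pattern if you also want to correlate builds with permits.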

330
MCQmedium

An organization has deployed Cisco AMP for Endpoints and wants to automatically isolate a host from the network when a high-severity malware detection occurs. Which integration must be configured to enable this automated response?

A.Cisco Stealthwatch with NetFlow
B.Cisco Web Security Appliance
C.Cisco Firepower Next-Gen Firewall
D.Cisco ISE with pxGrid
AnswerD

pxGrid enables AMP to send isolation commands to ISE, which then changes the endpoint's network access.

Why this answer

AMP for Endpoints integrates with ISE over pxGrid: ISE publishes session context, and a detection in AMP (directly, or orchestrated through Cisco SecureX / Threat Response) can invoke an ISE Adaptive Network Control (ANC) policy such as Quarantine. ISE then issues a RADIUS Change of Authorization to the switch or wireless controller, which reassigns the endpoint to a restricted VLAN, downloadable ACL or SGT without any manual intervention.

331
MCQmedium

A company has a Cisco ASA firewall configured with multiple access-lists applied to the outside interface. The security team is investigating reports that legitimate HTTPS traffic to a public web server located on a DMZ is intermittently being blocked. The firewall configuration includes an ACL that permits traffic to the web server's IP address on TCP 443, but also includes a general deny rule for all other traffic. The engineer notices that the permit rule is placed after a deny rule that blocks traffic from a specific source subnet that is used by internal users for testing. The internal users report that they can access the web server, but external users sometimes experience timeouts. What is the most likely cause of the intermittent blocking?

A.The permit rule for HTTPS is not hitting because traffic is being matched by a preceding deny rule.
B.The external users are hitting the firewall's connection limit.
C.The ASA is performing NAT incorrectly for the web server traffic.
D.The ASA is experiencing high CPU utilization causing packet drops.
AnswerA

If a deny rule earlier in the ACL matches the traffic, the permit rule is never evaluated, causing blocking.

Why this answer

The most likely cause is that the permit rule for HTTPS (TCP 443) is placed after a deny rule that blocks traffic from a specific source subnet. Since ACLs on a Cisco ASA are processed sequentially from top to bottom, if a packet matches the earlier deny rule, it will be dropped before reaching the permit rule. This explains why external users (who may be sourced from the blocked subnet or whose traffic is inadvertently matched by the deny rule due to overlapping or misconfigured source conditions) experience intermittent timeouts, while internal users from a different subnet are not affected.

Exam trap

Cisco often tests the concept of ACL sequential processing and the importance of rule order, where candidates mistakenly assume that a permit rule later in the list will override an earlier deny rule, or that the ASA uses a 'best-match' approach like a routing table.

How to eliminate wrong answers

Option B is wrong because the firewall's connection limit would affect all new connections uniformly, not just external users intermittently, and the scenario describes a specific ACL ordering issue rather than a resource exhaustion symptom. Option C is wrong because incorrect NAT would typically cause a complete failure to reach the web server or asymmetric routing issues, not intermittent blocking that correlates with ACL order. Option D is wrong because high CPU utilization would cause general packet loss or performance degradation across all traffic, not selectively block only external HTTPS traffic while internal users remain unaffected.
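As an added illustration (not from the exam material or Cisco's own code), the following Python models the first-match evaluation that both an ASA ACL and an FTD pre-filter policy perform, and adds a shadowing check that flags a rule an earlier, broader rule makes unreachable. It serves this question's ACL-ordering problem and the pre-filter ordering problem in question 328. Rule names, addresses and both rule sets are constructed for the example.

```python
"""First-match rule evaluation (ASA ACL / FTD pre-filter style) with a shadowing check
that reports rules an earlier, broader rule makes unreachable."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    action: str                   # "permit" (ASA) / fastpath-or-analyze (pre-filter), or "deny"/"block"
    proto: str                    # "tcp", "udp" or "ip" (ip matches any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None = any destination port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and ip_address(src_ip) in self.src
                and ip_address(dst_ip) in self.dst
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True when every packet that could match `other` also matches self."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """Return the verdict of the first matching rule; implicit deny if none matches."""
    for r in rules:
        if r.matches(proto, src_ip, dst_ip, dport):
            return f"{r.action} by {r.name}"
    return "deny by implicit-deny"


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never be reached because an earlier rule fully covers them."""
    return [later.name for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


def move_above(rules: List[Rule], name: str, target: str) -> List[Rule]:
    """Return a copy with rule `name` placed immediately above rule `target` (the usual fix)."""
    moving = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    idx = next(i for i, r in enumerate(rest) if r.name == target)
    return rest[:idx] + [moving] + rest[idx:]


# Constructed pre-filter policy (question 328): a broad Fastpath rule sits above the Block rule.
PREFILTER_BROKEN = [
    Rule("fastpath-trusted", "permit", "ip", ANY, ip_network("10.0.0.0/8")),
    Rule("block-malicious", "deny", "ip", ip_network("198.51.100.0/24"), ip_network("10.0.0.0/8")),
]

# Constructed ASA ACL (this question): the testing-subnet deny overlaps external users'
# addresses and sits above the HTTPS permit for the DMZ web server. Hypothetical addresses.
ASA_BROKEN = [
    Rule("deny-test-subnet", "deny", "ip", ip_network("203.0.113.0/24"), ANY),
    Rule("permit-web-443", "permit", "tcp", ANY, ip_network("192.0.2.10/32"), 443),
    Rule("deny-all", "deny", "ip", ANY, ANY),
]

if __name__ == "__main__":
    print("pre-filter shadowed rules:", shadowed(PREFILTER_BROKEN))
    print("malicious -> internal:", evaluate(PREFILTER_BROKEN, "tcp", "198.51.100.5", "10.1.1.1", 80))
    fixed = move_above(PREFILTER_BROKEN, "block-malicious", "fastpath-trusted")
    print("after reorder:", evaluate(fixed, "tcp", "198.51.100.5", "10.1.1.1", 80))
    print("external user:", evaluate(ASA_BROKEN, "tcp", "203.0.113.77", "192.0.2.10", 443))
    print("internal user:", evaluate(ASA_BROKEN, "tcp", "10.10.10.5", "192.0.2.10", 443))
    asa_fixed = move_above(ASA_BROKEN, "permit-web-443", "deny-test-subnet")
    print("external user after fix:", evaluate(asa_fixed, "tcp", "203.0.113.77", "192.0.2.10", 443))
```

`shadowed` only reports full shadowing; the ASA case is a partial overlap (the permit has a wider source than the deny), which is why the symptom is intermittent rather than total and why hit counters, not a static check, are what expose it.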

332
MCQhard

During a security audit, it is discovered that some malware downloads were not blocked by the Cisco WSA even though the Web Reputation score was set to block scores below -5.0. The logs show that the downloads came from sites with a reputation score of -6.2. What is the most likely reason the downloads were not blocked?

A.HTTPS decryption was not enabled
B.The users were not authenticated
C.The Web Reputation threshold was not applied correctly
D.The file type was not configured for malware inspection
AnswerD

Malware inspection only applies to specified file types.

Why this answer

The Cisco WSA uses Web Reputation filtering to block traffic based on reputation scores, but this filtering operates at the URL or domain level, not at the file content level. Even if a site has a very low reputation score (e.g., -6.2), the WSA will only block the download if the file type is included in the malware inspection configuration. If the file type (e.g., .exe, .zip) is not configured for malware inspection, the WSA will allow the download despite the low reputation score, because reputation-based blocking alone does not inspect the content of the file.

Exam trap

Cisco often tests the misconception that a low Web Reputation score alone will block all downloads from that site, but the trap here is that reputation filtering and malware inspection are separate functions; blocking requires both the reputation threshold to be met AND the file type to be enabled for malware inspection.

How to eliminate wrong answers

Option A is wrong because HTTPS decryption is not required for Web Reputation filtering; reputation scores are based on the URL/domain and can be evaluated even without decrypting HTTPS traffic. Option B is wrong because user authentication is not a prerequisite for Web Reputation filtering; the WSA can apply reputation policies based on source IP or other criteria without requiring authentication. Option C is wrong because the logs confirm the site had a reputation score of -6.2, which is below the -5.0 threshold, so the threshold was applied correctly; the issue is that reputation-based blocking alone does not inspect file content, and the file type was not configured for malware inspection.

333
MCQhard

During a cloud migration, the security team uses Cisco CloudLock for DLP. They notice that the DLP engine is not scanning certain files in Google Drive shared with external users. The CloudLock admin console shows the connector status as 'connected'. What is the most likely cause?

A.The connector lacks permission to scan external files
B.The files are too large (over 100 MB)
C.The external sharing is disabled in CloudLock policy
D.The files are in Google Drive 'My Drive' not 'Shared Drive'
AnswerA

CloudLock requires specific OAuth scopes to access files shared outside the organization; if missing, scanning is incomplete.

Why this answer

Cisco CloudLock can only scan what its API connector is authorized to read. Even though the connector status shows 'connected', the permissions granted to the CloudLock application during initial setup determine which items are visible; if that grant does not cover items shared outside the organization, the DLP engine never sees those files and cannot report on them. The 'connected' indicator only confirms that the API session is alive, not that the scope of access is complete.

Exam trap

Cisco often tests the misconception that a 'connected' status implies full functionality, when in reality the connector may lack the necessary OAuth permissions to access certain file categories like externally shared items.

How to eliminate wrong answers

Option B is wrong because a file-size limit would exclude individual large files regardless of how they are shared, not specifically the category of externally shared files described in the scenario. Option C is wrong because disabling external sharing in CloudLock policy would affect the DLP actions taken (such as blocking or alerting) but does not stop the engine from scanning; the issue is that the files are not being scanned at all. Option D is wrong because CloudLock scans both 'My Drive' and 'Shared Drive' files; the location does not affect the scanning capability, only the permission scope does.

334
MCQmedium

An organization deploys Cisco Secure Firewall (formerly Firepower) in a public cloud environment (AWS). They need to inspect traffic between VPCs. What is the recommended deployment model?

A.Deploy firewall as a centralized virtual appliance in a transit VPC
B.Install firewall software on each EC2 instance
C.Deploy firewall in each VPC with VPC peering
D.Use AWS Network Firewall instead
AnswerA

Centralized inspection in a transit VPC provides consistent policy enforcement for inter-VPC traffic.

Why this answer

In a public cloud environment like AWS, deploying Cisco Secure Firewall as a centralized virtual appliance in a transit VPC is the recommended model because it allows traffic between multiple VPCs to be routed through a single inspection point. This architecture uses AWS Transit Gateway attachments (or, in older designs, VPN tunnels from each spoke VPC to the transit VPC) to funnel inter-VPC traffic to the firewall, ensuring consistent policy enforcement and visibility without requiring per-VPC firewall instances. Centralized inspection simplifies management, reduces costs, and avoids the complexity of distributed firewall deployments; plain VPC peering is not transitive, so it cannot by itself steer traffic through a firewall in a third VPC.

Exam trap

Cisco often tests the misconception that deploying a firewall in each VPC with VPC peering is sufficient, but the trap is that VPC peering does not support transitive routing, so traffic between two peered VPCs cannot be forced through a firewall in a third VPC without complex and unsupported routing hacks.

How to eliminate wrong answers

Option B is wrong because installing firewall software on each EC2 instance is impractical for inter-VPC traffic inspection—it would require agent-based controls that cannot inspect traffic at the network layer between VPCs, and it violates the principle of centralized security management. Option C is wrong because deploying a firewall in each VPC with VPC peering creates a mesh of point-to-point connections that does not scale, introduces asymmetric routing challenges, and makes policy management cumbersome; VPC peering does not support transitive routing, so traffic between VPCs would not automatically pass through a firewall in another VPC. Option D is wrong because while AWS Network Firewall is a native service, the question specifically asks about deploying Cisco Secure Firewall, and using AWS Network Firewall would replace the Cisco solution rather than deploy it; Cisco Secure Firewall can be deployed as a virtual appliance in a transit VPC to provide advanced threat inspection and integration with Cisco security ecosystem.

335
MCQeasy

A company uses Cisco Umbrella for DNS-layer security. They want to block access to known malicious IPs that may be resolved by non-DNS traffic. Which feature should they enable?

A.File Analysis
B.Application Discovery
C.IP Layer Enforcement
D.HTTPS Inspection
AnswerC

Blocks malicious IPs for non-DNS traffic.

Why this answer

IP Layer Enforcement is the correct feature because it extends Umbrella's protection past DNS: the Umbrella roaming client (or AnyConnect Umbrella module) on the endpoint intercepts connections to IP addresses on Umbrella's malicious-IP list, even when no DNS query preceded them, and tunnels that traffic to Umbrella where it is blocked. This covers threats that use hard-coded IP addresses or non-DNS protocols. Practitioner caveat: it is a roaming-client feature, so a DNS-only deployment (virtual appliances or forwarders alone) does not get it.

Exam trap

Cisco often tests the distinction between DNS-layer security (which only blocks based on domain names) and IP-layer enforcement (which blocks based on IP addresses), leading candidates to mistakenly choose HTTPS Inspection or File Analysis as they associate them with security inspection rather than IP-based blocking.

How to eliminate wrong answers

Option A is wrong because File Analysis is a feature for inspecting and sandboxing files for malware, not for blocking traffic to malicious IPs. Option B is wrong because Application Discovery is used to identify and categorize applications in use, not to enforce IP-based blocking. Option D is wrong because HTTPS Inspection decrypts and inspects encrypted web traffic for threats, but it does not directly block traffic to known malicious IPs resolved outside of DNS.

336
MCQmedium

A multinational company has recently deployed Cisco Umbrella for DNS-layer security across all offices. The security team receives reports that users in the Asia-Pacific region cannot access a critical cloud-based CRM application (crm.company.com). The CRM is hosted by a third-party provider and uses a custom domain. The Umbrella dashboard shows that DNS requests for crm.company.com are being blocked with the reason 'Cisco Umbrella Intelligence Feed: Blocked Domain'. The domain is not part of any standard security category. The IT team has verified that the domain is legitimate and necessary for business operations. What should the administrator do to restore access while maintaining security?

A.Whitelist the CRM server's IP address in the IP-layer enforcement settings
B.Configure the local DNS server to forward crm.company.com directly to the CRM provider's DNS
C.Disable the Cisco Umbrella Intelligence Feed for the Asia-Pacific region
D.Add crm.company.com to the global allow list in the Umbrella dashboard under Policy > Destination Lists > Allow
AnswerD

This allows the domain to bypass DNS blocking while preserving other protections.

Why this answer

Option D is correct because the domain is being blocked by the Cisco Umbrella Intelligence Feed, which is a curated threat intelligence feed. Since the domain is legitimate and not part of a standard security category, the proper method to restore access is to add it to the global allow list under Policy > Destination Lists > Allow. This overrides the block from the intelligence feed while preserving all other security policies.

Exam trap

Cisco often tests the distinction between DNS-layer and IP-layer enforcement, leading candidates to incorrectly choose IP whitelisting (Option A) when the block is actually occurring at the DNS layer before IP-layer policies are evaluated.

How to eliminate wrong answers

Option A is wrong because whitelisting the CRM server's IP address in IP-layer enforcement would only bypass IP-based blocks, but the block is occurring at the DNS layer due to the domain being in the Intelligence Feed; DNS-layer enforcement resolves the domain to an IP before IP-layer checks, so the block happens first. Option B is wrong because configuring the local DNS server to forward crm.company.com directly to the CRM provider's DNS would bypass Cisco Umbrella entirely for that domain, removing all security inspection and logging, which is not a recommended or controlled approach. Option C is wrong because disabling the Cisco Umbrella Intelligence Feed for the Asia-Pacific region would remove threat intelligence protection for all domains in that feed across the entire region, unnecessarily exposing the network to potential threats.

337
MCQeasy

A company deploys Cisco Firepower Threat Defense (FTD) in transparent mode. They create an access control rule to allow HTTP traffic from the inside network (10.10.10.0/24) to a web server at 192.168.1.100. The rule is configured with action 'Allow', a source zone 'inside', a destination zone 'outside', and an intrusion policy attached. After deployment, users report they cannot access the web server. The administrator verifies that the web server is reachable from other networks and that the FTD management interface is accessible. The FTD's packet capture shows no traffic matching the rule. The rule is listed first in the access control policy. What is the most likely cause of the problem?

A.The intrusion policy is blocking the traffic.
B.The web server's IP address is not correctly defined in the network object.
C.The rule's action is set to 'Monitor' instead of 'Allow'.
D.The FTD is in transparent mode, so it does not use zones; the rule should be assigned to an interface pair.
AnswerD

The item's intended answer: in transparent mode the rule must be bound to the bridged interface pair the traffic actually crosses, not to zones that do not describe that path.

Why this answer

In transparent mode, Cisco Firepower Threat Defense (FTD) operates as a Layer 2 bridge: the data interfaces are members of a bridge group and traffic is forwarded between them at Layer 2 rather than routed. The item's intended reasoning is that the rule was written against security zones that do not correspond to how the bridged interfaces are deployed, so nothing ever matches it, and the fix is to bind the rule to the inside/outside interface pair the traffic crosses.

Practitioner caveat: on current FTD software, bridge-group member interfaces in transparent mode can still be assigned to security zones and matched by access control rules; the strict 'interface pair' construct belongs to inline sets (IPS-only interfaces). The diagnostic is the same either way: a rule with zero hits and a packet capture that never matches it means the rule's zone or interface conditions do not describe the path the traffic takes, so check the interface-to-zone (or inline-set) assignment before suspecting the intrusion policy.

Exam trap

Cisco often tests the distinction between routed and transparent mode; the lesson the item intends is that a rule whose interface conditions do not describe the bridged path will never be hit, so confirm how the transparent-mode interfaces are assigned before assuming zone-based rules behave exactly as they do in routed mode.

How to eliminate wrong answers

Option A is wrong because an intrusion policy attached to an Allow rule does not block traffic by default; it only inspects and alerts or drops based on signatures, and the packet capture shows no traffic matching the rule, indicating the rule itself is not being hit. Option B is wrong because the web server's IP address being incorrectly defined in a network object would cause a different rule to match or no match at all, but the packet capture shows no traffic matching the rule, pointing to a zone/interface mismatch rather than an object definition issue. Option C is wrong because if the rule's action were set to 'Monitor', traffic would still match the rule and appear in packet captures, but the users would be unable to access the web server only if a subsequent rule blocked it; the capture shows no match, so the action is not the problem.

338
Multi-Selectmedium

Which THREE steps should the administrator take to troubleshoot slow web browsing when using Cisco WSA? (Choose three.)

Select 3 answers
A.Check the WSA's network interface statistics for errors or drops
B.Verify the HTTPS decryption policies to ensure they are not causing excessive CPU load
C.Examine the WSA access logs for TCP connection time and server response time
D.Restart the proxy services to clear any temporary issues
E.Configure the WSA to use a public DNS server like 8.8.8.8
AnswersA, B, C

Network issues can cause slow connectivity.

Why this answer

Option A is correct because checking the WSA's network interface statistics for errors or drops helps identify physical-layer issues (e.g., duplex mismatches, CRC errors) that can cause packet loss and retransmissions, directly slowing web browsing. This is a fundamental first step in isolating whether the problem is at the network layer rather than within the proxy itself.

Exam trap

Cisco often tests the misconception that restarting services (Option D) is a valid troubleshooting step for performance issues, but in the 350-701 exam, the focus is on diagnostic analysis using logs and statistics rather than disruptive actions.

339
MCQhard

In a Cisco TrustSec environment, a network administrator observes that traffic between two endpoints in the same SGT group is being denied. The relevant switch has CTS configured with 'cts manual' and 'policy static sgt 10'. What is the most probable cause?

A.The SGT classification is not applied to the correct VLAN.
B.The SGT is not propagated to the downstream switch.
C.The endpoint's NAC agent is not reporting posture.
D.The IP-to-SGT mapping is missing on the switch.
AnswerA

If the VLAN on the switchport is not mapped to the SGT, the endpoint may be classified incorrectly, causing denial.

Why this answer

Option A is correct. If the SGT classification is not applied to the correct VLAN, the switch may not classify traffic correctly, leading to default denial. Option D is incorrect because with manual CTS, IP-to-SGT mapping is done via static configuration or RADIUS, and a missing mapping would cause an unknown SGT.

Option C is irrelevant to traffic forwarding. Option B is incorrect because SGT propagation is not needed for same-switch communication.

340
MCQeasy

Which component of Cisco AMP for Endpoints is responsible for preventing the execution of known malware by checking files against a continuously updated cloud database before they run?

A.Exploit Prevention
B.Application Control
C.File Reputation
D.Orbital
AnswerC

File Reputation checks files against Talos intelligence to block known malware.

Why this answer

File Reputation uses cloud lookups to determine if a file is known to be malicious before it executes.

341
Matchingmedium

Match each VPN type to its characteristic.


Concepts
Matches

Connects entire networks over the internet

Allows individual users to connect securely

Uses web browser for clientless access

Provides encrypted tunnels using IPsec

Dynamic multipoint VPN for hub-and-spoke topologies

Why these pairings

These are common VPN types and their descriptions.

342
MCQeasy

Which Cisco ISE node is responsible for authenticating endpoints and enforcing access policies?

A.Administration Node
B.pxGrid
C.Policy Service Node (PSN)
D.Monitoring Node
AnswerC

PSN performs authentication and policy enforcement.

Why this answer

The Policy Service Node (PSN) is the Cisco ISE component that performs endpoint authentication, authorization, and accounting (AAA) and enforces access policies by processing RADIUS requests from network access devices (NADs). It handles posture assessment, guest services, and client provisioning, making it the direct enforcement point for network access control.

Exam trap

Cisco often tests the distinction between management, monitoring, and enforcement roles, and the trap here is confusing the Administration Node (which defines policies) with the Policy Service Node (which enforces them), leading candidates to pick the Administration Node as the enforcement point.

How to eliminate wrong answers

Option A is wrong because the Administration Node manages the ISE configuration, certificates, and policy definitions but does not process authentication or enforce policies in real time. Option B is wrong because pxGrid (Platform Exchange Grid) is a data-sharing protocol for context exchange between ISE and other security systems, not an authentication or policy enforcement node. Option D is wrong because the Monitoring Node collects logs, metrics, and alerts for auditing and troubleshooting, but it does not participate in the authentication or enforcement of access policies.

343
MCQmedium

A security analyst is investigating a compromised endpoint that is part of a botnet. The endpoint is running Cisco Secure Endpoint with TETRA. The analyst notices that the endpoint is communicating with a command-and-control (C2) server over HTTPS. Which TETRA feature would be most effective in detecting this traffic?

A.URL filtering against known malicious URL databases
B.SSL/TLS decryption and inspection
C.File reputation and cloud lookup
D.Protocol analysis with deep packet inspection
AnswerB

TETRA can decrypt SSL traffic if configured, allowing inspection of C2 communication.

Why this answer

TETRA (Telemetry and Threat Response Analytics) on Cisco Secure Endpoint can detect C2 traffic over HTTPS by performing SSL/TLS decryption and inspection. This allows the agent to examine encrypted payloads for malicious patterns, such as beaconing or command-and-control protocol artifacts, which would otherwise be hidden in the encrypted tunnel.

Exam trap

The trap here is that candidates often choose deep packet inspection (DPI) without realizing that DPI cannot inspect encrypted HTTPS traffic without SSL/TLS decryption, making it ineffective for detecting C2 communication over HTTPS.

How to eliminate wrong answers

Option A is wrong because URL filtering against known malicious URL databases relies on static reputation lists and cannot detect C2 traffic using dynamically generated or previously unknown domains, nor can it inspect encrypted content. Option C is wrong because file reputation and cloud lookup analyze file hashes and behaviors, not network traffic patterns like HTTPS C2 communication. Option D is wrong because protocol analysis with deep packet inspection (DPI) cannot inspect encrypted HTTPS payloads without first decrypting the SSL/TLS session, making it ineffective against encrypted C2 traffic.

344
MCQeasy

A network administrator is configuring 802.1X for wired access on a Cisco switch. The switch is configured for RADIUS using a Cisco ISE server. During testing, a client that supports 802.1X is unable to authenticate and fails to gain network access. The administrator checks the switch logs and sees "Authentication failed: invalid EAP code received". What is the most likely cause?

A.The client is using an unsupported EAP method (e.g., EAP-TLS instead of PEAP).
B.The RADIUS server is unreachable.
C.The switch is configured with the wrong shared secret for RADIUS.
D.The switch port is configured as a trunk port rather than an access port.
AnswerA

The switch cannot process an unrecognized EAP code, which occurs when the client negotiates an unsupported method.

Why this answer

Option A is correct because the error "invalid EAP code received" indicates that the switch received an EAP packet with a code it does not support, typically due to an unsupported EAP method. Option C is wrong because a shared secret mismatch would produce a different RADIUS error. Option D is wrong because a trunk port configuration would cause VLAN issues, not EAP parsing errors.

Option B is wrong because RADIUS unreachability would cause timeouts or no response.

345
MCQhard

An organization is deploying Cisco TrustSec and uses SXP to propagate SGTs between routers that do not support SGT inline tagging. The SXP connection is established, but the SGT mappings are not being learned. The administrator checks 'show sxp connections' and sees the connection is in 'On' state. What is the most likely issue?

A.The SXP source IP is not reachable.
B.The SXP hold-down timer expires too quickly.
C.The SXP speaker and listener are both configured as listener.
D.The SXP password is incorrect.
AnswerC

SXP requires one side to be the speaker and the other the listener; configuring both as listeners prevents any mapping exchange.

Why this answer

Option C is correct because, for SXP, one side must be a speaker and the other a listener. If both are configured as listener, the connection state is 'On' but no mappings are exchanged. Option D is incorrect because an incorrect password would prevent the connection from establishing.

Option A is incorrect because if the source IP is unreachable, the connection would not reach the 'On' state. Option B is incorrect because the hold-down timer affects stale mappings but not initial learning.

346
Multi-Selecteasy

A security engineer is configuring Cisco Web Security Appliance (WSA) to block downloads of potentially malicious file types such as .exe and .scr. The engineer wants to ensure that these files are blocked even if they are hosted on trusted websites. Which TWO actions should the engineer take?

Select 2 answers
A.Create an access policy that enables file reputation filtering.
B.Create a custom URL category for the file types.
C.Enable the file type control feature in the access policy.
D.Configure HTTPS proxy to decrypt traffic for file inspection.
E.Enable Data Loss Prevention (DLP) on the access policy.
AnswersA, C

File reputation filtering uses the Cisco Talos reputation to block known malicious files.

Why this answer

Option A (file reputation filtering) and Option C (file type control) are correct because they allow the WSA to block specific file types based on reputation or file type, regardless of the source URL. Option B is incorrect because URL categories are for categorizing websites, not file types. Option E (DLP) is designed for data loss prevention, not file type blocking.

Option D (HTTPS proxy) enables inspection of encrypted traffic but does not itself block file types.

347
Multi-Selectmedium

Which TWO methods can be used to enforce least privilege within a network infrastructure? (Choose two.)

Select 2 answers
A.Use Cisco TrustSec with SGTs and security group policies.
B.Use a single administrator account with full privileges for all IT staff.
C.Place all users in the same VLAN without ACLs.
D.Configure source NAT on the firewall to hide internal addresses.
E.Implement role-based access control (RBAC) on network devices.
AnswersA, E

SGTs enforce access based on group membership.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) to classify traffic based on user or device identity, not just IP addresses. Security group policies then enforce least privilege by allowing or denying communication between SGTs, ensuring that only necessary traffic flows between endpoints.

Exam trap

Cisco often tests the misconception that NAT or VLAN segmentation alone enforces least privilege, when in fact they lack identity-based or role-based access control required for true least privilege.

348
Multi-Selectmedium

Which THREE are valid methods to obtain security group tags (SGTs) on a Cisco switch? (Choose three.)

Select 3 answers
A.IP-to-SGT mapping via RADIUS
B.CTS manual configuration
C.Cisco ISE pxGrid subscription
D.VLAN-to-SGT mapping
E.SXP
AnswersA, B, E

RADIUS can send SGT attributes during authentication.

Why this answer

Options A, B, and E are correct. SXP (SGT Exchange Protocol) propagates SGTs, CTS manual configuration statically assigns SGTs, and IP-to-SGT mapping via RADIUS allows dynamic assignment. Option D is not a standard method (VLAN-to-SGT mapping is not directly supported; SGTs are per host).

Option C (pxGrid subscription) is used by ISE to share data, not for the switch to obtain SGTs.

349
MCQeasy

After applying a new extended ACL inbound on an interface, users report they can no longer reach a critical server on a different subnet. The ACL permits the server's IP and required ports. What is the most likely cause?

A.The router has run out of memory for ACL processing.
B.The ACL is applied in the outbound direction instead of inbound.
C.The ACL is applied to the wrong interface.
D.The ACL is missing a permit for necessary traffic (e.g., return traffic or ARP), triggering the implicit deny.
AnswerD

Extended ACLs end with an implicit deny; a missing permit for other required traffic blocks communication.

Why this answer

When an extended ACL is applied inbound on an interface, it filters traffic entering that interface before the routing decision. Even if the ACL permits the destination server's IP and required ports, it must also permit the return traffic (e.g., TCP acknowledgments, ICMP replies) from the server back to the users. If the ACL does not explicitly permit this return traffic, the implicit deny at the end of the ACL will drop it, breaking connectivity.

This is the most common cause of connectivity loss after applying an inbound ACL.

Exam trap

Cisco often tests the concept that an inbound ACL filters traffic before the routing decision, and candidates mistakenly focus only on the destination server's IP and ports, forgetting that return traffic must also be explicitly permitted to avoid the implicit deny.

How to eliminate wrong answers

Option A is wrong because ACL processing does not require significant memory; routers use TCAM or CPU-based lookups that are deterministic and do not fail due to memory exhaustion under normal conditions. Option B is wrong because the question states the ACL is applied inbound, and applying it outbound would filter traffic leaving the interface, which would not directly cause users to lose access to a server on a different subnet (the problem would manifest differently, such as inability to send traffic out). Option C is wrong because the question specifies the ACL is applied to the correct interface; if it were applied to the wrong interface, the symptoms would likely affect different traffic flows, not specifically the server reachability issue described.

350
Multi-Selecthard

Which THREE symptoms indicate that a Cisco ESA is experiencing a mail loop?

Select 3 answers
A.A high number of messages in the 'Bounced' queue.
B.Messages fail DKIM signature verification.
C.Multiple 'Received:' headers from the same ESA in the same message.
D.A rapid increase in the 'Spam Quarantine' count.
E.The same Message-ID appears multiple times in the mail logs with different mid values.
AnswersA, C, E

Loops often cause bounce messages to accumulate.

Why this answer

A high number of messages in the 'Bounced' queue is a classic symptom of a mail loop on a Cisco ESA. When a loop occurs, messages are repeatedly sent back and forth between mail servers, eventually exceeding the maximum hop count or delivery attempts, causing them to be moved to the Bounced queue. This queue specifically holds messages that could not be delivered due to permanent failures, and loops generate many such failures.

Exam trap

Cisco often tests the distinction between symptoms of a mail loop (bounced queue, duplicate Received headers, repeated Message-IDs) and symptoms of other issues like spam or authentication failures, so candidates mistakenly associate DKIM failures or quarantine increases with loops.
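The two log-visible symptoms named above (the same Message-ID accepted repeatedly under different MIDs, and the same ESA appearing several times as the receiving host in one message's Received: headers) can be checked mechanically. The following is an added example, not code from the exam bank or from Cisco; the log lines and headers are constructed, and their layout only approximates ESA mail_logs output, so the regexes are assumptions to adapt to the real format.

```python
import re
from collections import Counter, defaultdict

# Constructed ESA-style mail log excerpt (format approximated, not captured
# from a real appliance). MID is the appliance's per-message id; the
# Message-ID header is set by the originating MTA and survives a loop.
SAMPLE_MAIL_LOG = """\
Info: MID 1001 Message-ID '<a1b2@sender.example>'
Info: MID 1001 queued for delivery to mx.partner.example
Info: MID 1002 Message-ID '<a1b2@sender.example>'
Info: MID 1002 queued for delivery to mx.partner.example
Info: MID 1003 Message-ID '<a1b2@sender.example>'
Info: MID 1004 Message-ID '<c3d4@sender.example>'
""".splitlines()

# Constructed Received: headers of one message that has passed through the
# same ESA (esa1.corp.example) three times; newest header first, as in RFC 5321.
SAMPLE_RECEIVED = [
    "Received: from mx.partner.example by esa1.corp.example with ESMTP id 1003",
    "Received: from esa1.corp.example by mx.partner.example with ESMTP id 77",
    "Received: from mx.partner.example by esa1.corp.example with ESMTP id 1002",
    "Received: from esa1.corp.example by mx.partner.example with ESMTP id 76",
    "Received: from mx.partner.example by esa1.corp.example with ESMTP id 1001",
    "Received: from client.sender.example by mail.sender.example with ESMTP id 5",
]

MSGID_RE = re.compile(r"MID (\d+) Message-ID '([^']+)'")          # assumed log layout
RECEIVED_BY_RE = re.compile(r"^Received: .*\bby (\S+)", re.IGNORECASE)


def repeated_message_ids(lines, threshold=3):
    """Return {Message-ID: sorted MIDs} for every Message-ID the appliance
    assigned at least `threshold` distinct MIDs, i.e. the same message
    accepted over and over (symptom E in the question)."""
    mids_by_msgid = defaultdict(set)
    for line in lines:
        m = MSGID_RE.search(line)
        if m:
            mids_by_msgid[m.group(2)].add(int(m.group(1)))
    return {k: sorted(v) for k, v in mids_by_msgid.items() if len(v) >= threshold}


def looping_hosts(received_headers, threshold=3):
    """Count how often each host appears as the receiving ('by') MTA and
    return those at or above `threshold` (symptom C in the question)."""
    counts = Counter()
    for hdr in received_headers:
        m = RECEIVED_BY_RE.match(hdr)
        if m:
            counts[m.group(1).lower()] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def mail_loop_suspected(lines, received_headers):
    """True when either loop symptom is present in the supplied evidence."""
    return bool(repeated_message_ids(lines)) or bool(looping_hosts(received_headers))


if __name__ == "__main__":
    print(repeated_message_ids(SAMPLE_MAIL_LOG))
    print(looping_hosts(SAMPLE_RECEIVED))
```

The thresholds are deliberately low so the constructed sample trips both checks; on a production ESA, a legitimate relay chain can put the same host in two Received: headers (inbound and outbound listener), so a threshold of three or more distinct passes is the safer floor before raising a loop alert.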

351
MCQeasy

A company wants to use Cisco DUO for MFA to protect access to its Azure AD applications. Which authentication method should be configured for cloud applications?

A.Secondary authentication via DUO after Azure AD
B.DUO for RADIUS authentication
C.DUO as a SAML identity provider
D.Primary authentication via DUO
AnswerA

DUO provides MFA as a second factor after Azure AD validates the user identity.

Why this answer

When integrating Cisco DUO with Azure AD for MFA, the recommended approach is to configure DUO as a secondary authentication provider after Azure AD handles primary authentication. This is achieved by using DUO's Azure AD integration, which acts as a custom control or a conditional access policy that triggers DUO MFA after the user has already authenticated against Azure AD. This ensures that Azure AD remains the identity provider (IdP) for primary authentication, while DUO provides an additional layer of security via a secondary push, phone call, or passcode.

Exam trap

Cisco often tests the misconception that DUO can serve as a primary identity provider for cloud applications, but the trap here is that DUO is strictly a secondary authentication factor and must be layered after the primary IdP (Azure AD) to protect existing cloud applications without breaking the authentication chain.

How to eliminate wrong answers

Option B is wrong because DUO for RADIUS authentication is used for on-premises VPNs, network devices, or legacy applications that support RADIUS, not for cloud-native Azure AD applications that use modern authentication protocols like SAML or OpenID Connect. Option C is wrong because configuring DUO as a SAML identity provider would replace Azure AD as the primary IdP, which is not the goal; the requirement is to protect access to Azure AD applications, meaning Azure AD must remain the IdP. Option D is wrong because primary authentication via DUO would bypass Azure AD entirely, which contradicts the requirement to protect access to Azure AD applications; DUO is designed for secondary MFA, not as a primary authentication source.

352
Matchingmedium

Match each Cisco security command to its function.


Concepts
Matches

Display IKE security associations

Display configured access control lists

Display firewall configuration and statistics

Enable IP packet debugging

Save running configuration to startup

Why these pairings

These are common Cisco IOS security commands.

353
MCQeasy

A Cisco ASA firewall is configured with multiple contexts. The administrator needs to allow traffic from a context to pass through the management context for management purposes. Which type of interface should be used for this inter-context communication?

A.Use a shared interface that is allowed in multiple contexts.
B.Configure a virtual interface in each context and bridge them.
C.Use a dedicated physical interface for each context and route through the backplane.
D.Configure a subinterface on the management interface for each context.
AnswerA

Shared interfaces allow multiple contexts to use the same physical interface, enabling inter-context communication.

Why this answer

In multiple-context mode on a Cisco ASA, inter-context communication (such as allowing a user context to send management traffic to the management context) is achieved by using a shared interface. A shared interface is assigned to multiple security contexts, enabling them to communicate directly without requiring a physical or virtual crossover cable. This design allows the management context to receive traffic from other contexts for monitoring or administrative purposes while maintaining separation of forwarding tables.

Exam trap

Cisco often tests the misconception that inter-context communication requires a physical connection or a dedicated management path, when in fact the shared interface feature is the correct and supported method for allowing traffic between contexts on the same ASA.

How to eliminate wrong answers

Option B is wrong because bridging virtual interfaces between contexts would create a Layer 2 loop and is not a supported method for inter-context communication on the ASA; the ASA uses routed mode between contexts. Option C is wrong because using a dedicated physical interface for each context and routing through the backplane is unnecessary and inefficient—the ASA backplane is not a routable interface, and inter-context traffic should use shared interfaces or context-to-context routing via the system execution space. Option D is wrong because subinterfaces on the management interface cannot be assigned to other contexts; the management interface is reserved for out-of-band management and does not support being shared or used for inter-context data traffic.

354
MCQhard

During a cloud migration, an administrator notices that a workload in Azure is generating outbound traffic that is being blocked by the cloud security group. The workload requires connectivity to a specific SaaS application (Office 365) using TLS. The security group denies all outbound traffic except to specific IP ranges. Which action should the administrator take?

A.Implement a proxy server
B.Use Azure Private Link
C.Add the Office 365 IP ranges and FQDNs to the allowed list
D.Disable the security group temporarily
AnswerC

Allows required traffic while maintaining security.

Why this answer

Option C is correct because the administrator needs to allow outbound traffic to Office 365, which uses TLS over TCP/443. Since the security group denies all outbound traffic except to specific IP ranges, the most direct and secure method is to add the published Office 365 IP ranges and FQDNs to the allowed list. This ensures the workload can reach the SaaS application without bypassing security controls or introducing additional latency.

Exam trap

The trap here is that candidates often confuse Azure Private Link (which is for private connectivity to Azure services) with general SaaS connectivity, or they incorrectly assume a proxy server is always required for outbound traffic control, when in fact the simplest solution is to update the security group rules with the correct IP ranges and FQDNs.

How to eliminate wrong answers

Option A is wrong because implementing a proxy server would add an unnecessary intermediary, increasing complexity and latency, and does not address the root cause of the security group blocking traffic; the proxy itself would still need its outbound traffic allowed. Option B is wrong because Azure Private Link is used to privately connect to Azure PaaS services (e.g., Azure SQL, Storage) over the Microsoft backbone, not to external SaaS applications like Office 365, which are not hosted in Azure and cannot be accessed via Private Link. Option D is wrong because disabling the security group temporarily removes all outbound restrictions, exposing the workload to potential security risks and violating the principle of least privilege; it is a poor operational practice that should never be recommended.

355
MCQmedium

A security architect is designing a hybrid cloud with AWS and on-premises data center. They need to enforce consistent security policies across both environments. Which approach is most effective?

A.Deploy separate Cisco Firepower instances in AWS and on-prem, each with independent policies
B.Use Cisco Secure Cloud Analytics (Stealthwatch) with AWS Cloud integration
C.Use AWS CloudTrail and AWS Config for on-premises resources
D.Establish a site-to-site VPN and use AWS Security Groups for both environments
AnswerB

Provides unified visibility and policy enforcement across hybrid environments.

Why this answer

Option B is correct because Cisco Secure Cloud Analytics (Stealthwatch) integrates with AWS Cloud via API to ingest flow logs, VPC logs, and NetFlow, enabling centralized visibility and consistent policy enforcement across hybrid environments. This approach avoids policy fragmentation by applying a unified security analytics layer that can detect anomalies and enforce responses in both AWS and on-premises networks without requiring separate policy management.

Exam trap

Cisco often tests the misconception that VPN connectivity alone (Option D) or separate firewalls (Option A) can achieve consistent policy enforcement, when in reality they require a centralized analytics and orchestration layer like Stealthwatch to unify policy management across hybrid clouds.

How to eliminate wrong answers

Option A is wrong because deploying separate Cisco Firepower instances with independent policies creates policy silos, leading to inconsistent security enforcement and increased administrative overhead, which defeats the goal of consistent policies. Option C is wrong because AWS CloudTrail and AWS Config are designed for auditing and compliance of AWS resources, not for managing or enforcing security policies on on-premises resources; they lack the capability to apply policies to non-AWS environments. Option D is wrong because a site-to-site VPN provides encrypted connectivity but does not enforce security policies; AWS Security Groups are stateful firewalls that only apply to AWS VPC resources and cannot extend to on-premises hosts or networks.

356
MCQmedium

An incident responder notices that an AMP connector on a critical server has stopped sending 'IP to Application' mapping events after a software update. Which step should be taken to restore this telemetry?

A.Enable the 'Network' component in the AMP connector settings and restart the service.
B.Uninstall and reinstall the AMP connector with default settings.
C.Update the AMP policy on the connector to force a configuration reload.
D.Restart the AMP connector service on the server.
AnswerA

The 'IP to Application' mapping is part of the 'Network' component, which can be disabled during an update.

Why this answer

Option A is correct because the 'IP to Application' mapping feature requires the 'Network' component to be enabled in the AMP connector configuration post-update. Option D is incorrect because restarting the service does not re-enable the component. Option C is incorrect because a policy update would not enable a disabled component.

Option B is incorrect because reinstalling would be unnecessarily disruptive.

357
Multi-Selecthard

Which THREE of the following are capabilities of Cisco Threat Response (CTR) that integrate with endpoint telemetry for accelerated detection and response?

Select 3 answers
A.Real-time blocking of malicious processes at the endpoint
B.Device Trajectory to visualize the timeline of events on an endpoint
C.Centralized search across endpoint, network, and email telemetry
D.Automatic deployment of software patches to endpoints
E.Casebook creation to document investigation steps and share with team
AnswersB, C, E

Device Trajectory is a key feature in AMP/CTR for reconstructing events.

Why this answer

Device Trajectory is a core capability of Cisco Threat Response (CTR) that ingests endpoint telemetry from Cisco Secure Endpoint (formerly AMP for Endpoints). It visualizes a timeline of events—such as process executions, file modifications, and network connections—on a specific endpoint, enabling security analysts to quickly reconstruct the sequence of an attack and accelerate detection and response.

Exam trap

The trap here is that candidates confuse the capabilities of the endpoint protection agent (e.g., real-time blocking or patching) with the investigative and orchestration functions of Cisco Threat Response, which is a separate cloud service that aggregates telemetry but does not perform active prevention or remediation actions.

358
MCQhard

A security analyst discovers that a user downloaded a CSV file containing social security numbers from a sanctioned cloud storage app, but no alert was generated. The DLP policy shown in the exhibit was applied. What is the most likely reason the policy failed to trigger?

A.The user bypassed the DLP policy using an API call.
B.The policy was not applied to the cloud storage app used by the user.
C.The policy only notifies the admin and does not block the download.
D.The social security numbers in the file did not contain dashes, so the regex did not match.
AnswerD

The regex specifically requires dashes; numbers without dashes would not match.

Why this answer

The DLP policy uses a regex pattern that expects dashes in the social security numbers (e.g., \d{3}-\d{2}-\d{4}). If the CSV file contained SSNs without dashes (e.g., 123456789), the regex would not match, and no alert would be generated. This is the most likely reason the policy failed to trigger, as the data format did not meet the policy's detection criteria.

Exam trap

Cisco often tests the nuance that DLP regex patterns are literal and do not automatically account for formatting variations (like missing dashes), leading candidates to overlook the mismatch and incorrectly assume a policy misapplication or bypass.

How to eliminate wrong answers

Option A is wrong because bypassing DLP via an API call would require the user to have direct API access and the policy to lack API inspection, but the scenario describes a download from a sanctioned cloud storage app, which typically uses HTTPS and is subject to DLP inspection; there is no evidence of API bypass. Option B is wrong because the policy is explicitly applied to the cloud storage app (as shown in the exhibit), and the app is sanctioned, so the policy should cover it. Option C is wrong because the policy's action (notify admin vs. block) does not affect whether an alert is generated; the policy would still trigger an alert if the content matched, but it failed to match due to the regex issue.
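The failure mode in this question, a literal regex that only matches dashed SSNs, is easy to reproduce and to fix. The following is an added example, not code from the exam bank or from any Cisco DLP product: it runs the dashed-only pattern quoted in the explanation against two constructed CSV rows, then shows a tolerant pattern (my assumption, not from the page) that accepts dashed, spaced and undashed nine-digit values while refusing to match a 9-digit run embedded in a longer number.

```python
import re

# Constructed CSV rows in the shape of the scenario's file (fictitious values).
DASHED_ROW = "Jane Doe,123-45-6789,2024-01-01"
UNDASHED_ROW = "John Roe,987654321,2024-01-02"
NOT_AN_SSN = "order 1234567890"   # ten digits: must not match

# The pattern as described in the explanation: the dashes are mandatory.
STRICT_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Tolerant pattern (assumption, not from the page): optional dash or space
# between the groups, with digit lookarounds so that a nine-digit run inside
# a longer number (account or order ids) does not produce a false positive.
TOLERANT_SSN = re.compile(r"(?<!\d)\d{3}[- ]?\d{2}[- ]?\d{4}(?!\d)")


def find_ssns(text, pattern=STRICT_SSN):
    """Return every SSN-looking substring that `pattern` matches in `text`."""
    return pattern.findall(text)


def policy_triggers(text, pattern=STRICT_SSN):
    """Mimic a DLP rule: the policy fires only if the pattern matches at least once."""
    return bool(find_ssns(text, pattern))


if __name__ == "__main__":
    for row in (DASHED_ROW, UNDASHED_ROW, NOT_AN_SSN):
        print(row, "strict:", policy_triggers(row), "tolerant:", policy_triggers(row, TOLERANT_SSN))
```

Broadening the pattern raises the false-positive rate on undashed values, so in a real policy the tolerant pattern is usually combined with a validity check (for example rejecting area numbers of 000, 666 or 900 and above) or with a keyword or column-header condition before the rule blocks anything.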

359
Multi-Selectmedium

A security engineer is configuring Cisco TrustSec on a network. Which TWO actions are required to enable TrustSec on a Cisco switch?

Select 2 answers
A.Enable MACsec encryption on all trunk links.
B.Define Security Group Tags (SGTs) on the switch using the 'cts role-based sgt' command or via RADIUS.
C.Deploy Cisco ISE as the only policy server.
D.Apply IP access-lists on interfaces to filter traffic based on source IP.
E.Configure 802.1X or MAC Authentication Bypass (MAB) on the switch ports.
AnswersB, E

SGTs must be defined to tag traffic.

Why this answer

B is correct because Security Group Tags (SGTs) are the fundamental building blocks of Cisco TrustSec, used to classify traffic and enforce role-based access control. SGTs can be defined locally on the switch using the 'cts role-based sgt' command or dynamically assigned via a RADIUS server (such as Cisco ISE) during authentication. Without SGTs, the switch cannot perform the source-based or destination-based policy enforcement that TrustSec relies on.

Exam trap

Cisco often tests the misconception that MACsec encryption is a prerequisite for TrustSec, when in fact it is an optional enhancement; the real requirement is the definition and assignment of SGTs, along with port-based authentication (802.1X or MAB) to dynamically bind SGTs to endpoints.

360
MCQeasy

A company's Cisco WSA is configured with explicit proxy mode. Users report that they can browse the internet but cannot access internal websites hosted on the company's intranet. What is the most likely cause?

A.The WSA is in transparent proxy mode.
B.Users are not authenticated to the WSA.
C.The internal websites are not in the proxy bypass list.
D.SSL decryption is blocking the internal sites.
AnswerC

A proxy bypass list is needed for internal traffic.

Why this answer

In explicit proxy mode, the WSA requires clients to be configured to send traffic to it. If internal websites are not added to the proxy bypass list (or the WSA's PAC file does not direct internal traffic directly), the WSA will attempt to proxy requests for internal sites, which may fail because the WSA cannot route to internal IPs or the internal DNS resolution fails. This is the most likely cause because users can browse the internet (proxied traffic works) but cannot reach internal sites (which should bypass the proxy).

Exam trap

Cisco often tests the distinction between explicit and transparent proxy modes, and the trap here is that candidates assume authentication or SSL decryption is the cause, when the real issue is the proxy bypass list not covering internal destinations.

How to eliminate wrong answers

Option A is wrong because the scenario explicitly states the WSA is configured with explicit proxy mode, so transparent mode is not in use. Option B is wrong because authentication is not required for basic HTTP/HTTPS access in explicit proxy mode; unauthenticated users can still browse the internet and internal sites if the proxy bypass list is correct. Option D is wrong because SSL decryption, if enabled, would affect both internal and external HTTPS sites equally, not selectively block only internal sites; moreover, internal sites often use self-signed certificates that would cause decryption failures, but the question states users can browse the internet (which includes HTTPS sites), so SSL decryption is not the issue.
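As an added illustration of the bypass logic described above (not part of the original question bank), here is a PAC file that sends intranet destinations DIRECT and everything else to the WSA. The WSA address wsa.example.com:3128, the corp.example.com zone and the RFC 1918 ranges are assumed values, and the PAC helper functions are re-implemented so the file can be exercised with Node.js outside a browser.

```javascript
// Added example: PAC file for a WSA explicit-proxy deployment.
// Hostnames, port and address ranges are constructed assumptions.
// Browsers supply isPlainHostName/dnsDomainIs/isInNet; they are
// re-implemented here only so the file runs offline under Node.js.

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // True when host ends with domain, e.g. "wiki.corp.example.com" / ".corp.example.com"
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function isInNet(host, pattern, mask) {
  // Browsers resolve host to an address first; this offline version only
  // handles dotted-quad IPv4 literals and treats anything else as not-in-net.
  const toInt = (s) => {
    const parts = s.split(".");
    if (parts.length !== 4) return null;
    let n = 0;
    for (const p of parts) {
      if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
      n = n * 256 + Number(p);
    }
    return n;
  };
  const h = toInt(host), p = toInt(pattern), m = toInt(mask);
  if (h === null || p === null || m === null) return false;
  // Compare network bits; ">>> 0" keeps the result unsigned.
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

const WSA = "PROXY wsa.example.com:3128";   // assumed WSA explicit-proxy listener

function FindProxyForURL(url, host) {
  // 1. Unqualified names ("intranet", "printer01") are internal hosts.
  if (isPlainHostName(host)) return "DIRECT";
  // 2. The company's internal DNS zone (assumed name).
  if (dnsDomainIs(host, ".corp.example.com")) return "DIRECT";
  // 3. RFC 1918 space the WSA cannot route to and should not proxy.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // 4. Everything else goes through the WSA. Deliberately no "; DIRECT"
  //    fallback: that would fail open and let clients bypass the WSA
  //    whenever the proxy is unreachable.
  return WSA;
}
```

Note that `isInNet` on a hostname forces a DNS lookup in real browsers, so the domain and plain-hostname checks are placed first to keep the PAC cheap.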

361
MCQeasy

A company is planning to use Cisco Umbrella to secure internet access for branch offices. They already have Cisco Meraki MX appliances at each branch. What is the best way to send DNS traffic from the branches to Umbrella?

A.Enable the Umbrella integration in Meraki dashboard
B.Deploy the Umbrella virtual appliance at each branch
C.Install the Umbrella Roaming Client on each user device
D.Configure IPSec tunnels between branches and Umbrella data centers
AnswerA

Meraki MX has a built-in connector to Umbrella for DNS forwarding.

Why this answer

Option A is correct because Meraki MX can automatically integrate with Umbrella via the built-in connector. Option D is wrong because an IPSec tunnel is more complex and not native. Option B is wrong because an on-premises virtual appliance adds infrastructure.

Option C is wrong because the roaming client is for endpoints, not branch networks.

362
MCQhard

A large enterprise uses Cisco WSA with integrated Cisco Advanced Malware Protection (AMP) to inspect web traffic. The security policy dictates that all downloaded files should be scanned by AMP. Recently, a user downloaded a PDF file from a trusted vendor site, but the download was blocked by the WSA. The administrator checks the WSA logs and sees that the file was blocked due to AMP's 'File Reputation' score of 10 (high risk). However, the vendor confirms the file is legitimate. The administrator notes that the file is digitally signed by the vendor. What is the most appropriate next step to allow the file while maintaining security?

A.Add the vendor's domain to the WSA's global URL whitelist.
B.Lower the AMP file reputation threshold from 10 to 7 to allow files with lower risk scores.
C.Add the file's SHA-256 hash to the AMP custom allow list to override the reputation.
D.Disable AMP scanning for the vendor's domain in the WSA policy.
AnswerC

Permits only this specific file.

Why this answer

Option C is correct because Cisco AMP allows administrators to create custom allow lists using file hashes (SHA-256) to override the file reputation score. Since the file is digitally signed and confirmed legitimate, adding its SHA-256 hash to the AMP custom allow list will permit the download while still scanning other files from that domain, preserving security. This approach directly addresses the false positive without broadly reducing security controls.

Exam trap

The trap here is that candidates may think whitelisting the domain or disabling AMP for that domain is sufficient, but Cisco tests the understanding that AMP's custom allow list is the precise mechanism to handle false positives without compromising security for other files from the same source.

How to eliminate wrong answers

Option A is wrong because adding the vendor's domain to the WSA's global URL whitelist would bypass all security scanning for that domain, including URL filtering, DLP, and AMP, which is overly permissive and violates the policy that all downloaded files should be scanned. Option B is wrong because lowering the AMP file reputation threshold from 10 to 7 would allow all files with a score of 7 or higher, potentially permitting malicious files that have not yet been analyzed, weakening overall security posture. Option D is wrong because disabling AMP scanning for the vendor's domain would completely remove file reputation analysis for all files from that domain, contradicting the security policy that mandates scanning all downloads.

363
MCQhard

A large enterprise has deployed Cisco ISE for network access control with 802.1X and MAB across its wired and wireless networks. The network consists of Cisco Catalyst switches, Cisco Wireless LAN Controllers (WLCs), and ISE in a distributed deployment with three Policy Service Nodes (PSNs) and an Admin Node. Recently, the company implemented a new security policy requiring all endpoints to pass posture assessment before gaining full network access. The posture assessment uses AnyConnect ISE Posture Module. Shortly after the change, users report that some wired clients are unable to connect to the network. The ISE logs show that the authentication is successful, but the session is terminated immediately with a 'Session-Timeout' attribute set to 0. The network team notices that the affected clients are all connected to switches running older Cisco IOS versions. The ISE administrator confirms that the authorization profiles for the affected clients include a session-timeout of 1 hour. Which course of action should the network engineer take to resolve the issue?

A.Upgrade the switch IOS to a version that supports the new ISE posture attributes.
B.Disable posture assessment for the affected switch ports using a different authorization policy.
C.Configure the switches to ignore the Session-Timeout attribute sent by ISE.
D.Increase the session-timeout value in the ISE authorization profile to a larger value.
AnswerA

Upgrading resolves the incompatibility and allows proper handling of posture attributes.

Why this answer

Option A is correct because older IOS versions may not properly interpret the new RADIUS attributes sent by ISE during posture assessment, causing session termination. Upgrading to a supported IOS version resolves the compatibility issue. Option C is incorrect because ignoring the Session-Timeout attribute is not a recommended practice and may cause security issues.

Option B is incorrect because disabling posture for these ports is a workaround, not a solution. Option D is incorrect because increasing the timeout does not address the root cause, which is the switch's inability to handle the attribute.

364
Matchingmedium

Match each Cisco security product to its category.


Concepts
Matches

Next-Generation Firewall

Cloud-Delivered Security

Advanced Malware Protection

Identity Services Engine

Network Visibility and Detection

Why these pairings

These are key Cisco security solutions and their categories.

365
MCQmedium

A company with 500 endpoints uses Cisco AMP for Endpoints with a private cloud and a single Threat Grid appliance for file analysis. The security team notices that some endpoints are not receiving updates to the local malware signatures for over 24 hours. The AMP console shows these endpoints as 'Out of Date'. The network team confirms that the endpoints can reach the private cloud server on TCP port 443. The endpoints are running Windows 10 with the latest AMP connector version. The private cloud server has sufficient disk space and is running normally. The AMP console shows that the 'Update Policy' is enabled and set to download signatures every 4 hours. Which action should the administrator take to resolve the issue?

A.Restart the Cisco AMP for Endpoints connector service on the affected endpoints.
B.Clear the update cache on the affected endpoints by running 'c:\Program Files\Cisco\AMP\xxxxx\amp_update.exe --clear-cache' from an elevated command prompt.
C.Change the update policy interval from 4 hours to 1 hour to force more frequent checks.
D.Check if the firewall is blocking the signature update port 443 for those specific endpoints.
AnswerB

Clearing the update cache forces a fresh download of signature updates, resolving stuck updates.

Why this answer

The correct action is to clear the update cache on the affected endpoints. When endpoints show as 'Out of Date' despite being able to reach the private cloud on TCP 443 and having the correct update policy, the local signature cache is often corrupted or stale. Running `amp_update.exe --clear-cache` forces the connector to discard its cached signature data and download a fresh copy from the private cloud, resolving the update failure without requiring a service restart or policy change.

Exam trap

The trap here is that candidates assume connectivity issues (firewall) or service restarts are the fix, but Cisco specifically tests the knowledge that a corrupted local signature cache requires clearing the cache, not restarting the service or changing the update interval.

How to eliminate wrong answers

Option A is wrong because restarting the AMP connector service only restarts the process; it does not address a corrupted or stale local signature cache, which is the root cause of the 'Out of Date' status. Option C is wrong because changing the update interval from 4 hours to 1 hour does not fix the underlying issue—if the cache is corrupted, more frequent checks will still fail to download valid signatures. Option D is wrong because the network team already confirmed that endpoints can reach the private cloud on TCP port 443, so a firewall block is not the problem.

366
MCQhard

Refer to the exhibit. An engineer has configured the ACL on the GigabitEthernet0/0 interface. Which of the following is true about the effect of this ACL?

A.It blocks all IP traffic from entering G0/0 because of the deny statement.
B.It blocks traffic sourced from 10.0.0.0/8 entering G0/0, but allows other traffic.
C.It permits all traffic because the ACL is misconfigured.
D.It blocks traffic destined to 10.0.0.0/8 entering G0/0, but allows other traffic.
AnswerB

The deny statement blocks source 10.0.0.0/8, and the permit any any allows all else.

Why this answer

The ACL is applied inbound on GigabitEthernet0/0. Its first entry denies traffic sourced from 10.0.0.0/8, and the permit ip any any that follows allows everything else. Every ACL ends with an implicit deny any, so it is that explicit permit, not an implicit permit, that lets the remaining traffic through; the deny entry matches only the 10.0.0.0/8 source range. This makes option B correct.

Exam trap

Cisco often tests the misconception that a deny statement in an ACL blocks all traffic. With a permit ip any any after the deny, everything else is allowed; only if that permit were omitted would the implicit deny at the end of the ACL drop all remaining traffic.

How to eliminate wrong answers

Option A is wrong because the ACL does not block all IP traffic; it only blocks traffic sourced from 10.0.0.0/8, and the explicit permit ip any any allows other traffic. Option C is wrong because the ACL is not misconfigured; it correctly denies traffic from the specified source network and permits all other traffic through the explicit permit entry. Option D is wrong because the ACL filters on source IP address, not destination IP address; the deny statement matches source 10.0.0.0/8, not destination.

367
MCQeasy

A network administrator wants to implement 802.1X on a Cisco switch port for a device that does not support 802.1X. Which feature should be configured to allow the device to connect?

A.802.1X with EAP-MSCHAPv2
B.Downloadable ACL (dACL)
C.Web Authentication (WA)
D.MAC Authentication Bypass (MAB)
AnswerD

MAB allows non-802.1X devices to authenticate using their MAC address.

Why this answer

MAC Authentication Bypass (MAB) is the correct feature because it allows a device that does not support 802.1X supplicant software to authenticate by using its MAC address as the identity. The switch acts as a proxy, sending the MAC address as the username and password to the RADIUS server, which can then grant or deny access based on the MAC address in its database.

Exam trap

The trap here is that candidates confuse MAB with a bypass that skips all security, when in fact MAB still enforces authentication via the RADIUS server using the MAC address as credentials.

How to eliminate wrong answers

Option A is wrong because 802.1X with EAP-MSCHAPv2 requires the endpoint to run an 802.1X supplicant that can respond to EAP challenges, which the non-802.1X device cannot do. Option B is wrong because a downloadable ACL (dACL) is a policy enforcement mechanism applied after authentication, not an authentication method; it does not allow an unsupported device to connect. Option C is wrong because Web Authentication (WA) requires the user to open a web browser to authenticate, which is not suitable for a headless device (e.g., printer, IP phone) that cannot perform interactive web login.

368
MCQmedium

A network engineer is troubleshooting an issue where a user's device is successfully authenticated via 802.1X, but the user cannot access the corporate network. ISE logs show that the user was granted access with a downloadable ACL (dACL). What could be the cause of no network access?

A.The switch does not support downloadable ACLs.
B.The user's device is in a different subnet.
C.The RADIUS server is not reachable after authentication.
D.The switch port is configured with 'access-session port-control auto'.
AnswerA

Switches that do not support dACLs will ignore the attribute, resulting in no access.

Why this answer

Option A is correct because if the switch does not support downloadable ACLs, it cannot apply the dACL attribute sent by ISE; the authorization is then not fully applied, leaving the user without access. Option B is incorrect because subnet placement does not affect dACL application. Option C is incorrect because the RADIUS server is not involved after authentication.

Option D is incorrect because 'access-session port-control auto' is the correct configuration.

369
MCQmedium

A company is deploying Cisco Cloud Web Security (CWS) using an on-premises connector. They want to authenticate users via Active Directory and apply granular policies based on user identity. Which authentication method should be configured on the connector?

A.Local user database on the connector
B.Transparent proxy with explicit authentication via PAC file
C.LDAP authentication with transparent user identification
D.SAML-based authentication
AnswerC

LDAP allows AD integration, and transparent identification via protocols like NTLM is seamless.

Why this answer

Option C is correct because Cisco Cloud Web Security (CWS) with an on-premises connector can integrate with Active Directory via LDAP to perform transparent user identification. This allows the connector to map IP addresses to authenticated user identities without requiring explicit proxy authentication, enabling granular policy enforcement based on AD user or group membership.

Exam trap

The trap here is that candidates often confuse 'transparent proxy' with 'transparent user identification' and assume explicit authentication (Option B) is required, when in fact LDAP-based transparent identification (Option C) is the correct method for integrating with AD without user intervention.

How to eliminate wrong answers

Option A is wrong because a local user database on the connector would require manual user creation and maintenance, which does not scale for enterprise AD integration and cannot provide transparent user identification. Option B is wrong because transparent proxy with explicit authentication via PAC file still requires users to manually authenticate (e.g., via browser pop-up), which defeats the goal of transparent user identification and adds user friction. Option D is wrong because SAML-based authentication is typically used for cloud-based identity federation (e.g., with Cisco Umbrella or web portal access), not for on-premises connector-to-AD integration where LDAP is the standard protocol for transparent user identification.

370
MCQmedium

Refer to the exhibit. A network analyst reviews a Stealthwatch flow analysis output. What is the most likely interpretation?

A.This is likely a data exfiltration attempt using a non-standard port.
B.This is a typical video streaming session.
C.This is normal database replication traffic.
D.This is a misconfigured backup job.
AnswerA

Large data transfer on an unusual port with high score suggests malicious activity.

Why this answer

Option A is correct. The high volume of data (1.2GB) over a short period (5 minutes) on a non-standard TCP port (4444) with a high threat score (85) is indicative of data exfiltration. Option C is incorrect because database replication typically uses standard ports like 1433 or 1521.

Option B is incorrect because video streaming uses different ports and patterns. Option D is incorrect because backup jobs often use standard ports and have regular patterns.

371
MCQmedium

Refer to the exhibit. A network administrator applies the ACL to the interface. What is the effect on traffic inbound to the interface?

A.All TCP traffic is permitted; other IP traffic is denied
B.Only TCP traffic destined to 192.168.1.100 on port 80 is permitted; all other IP traffic is denied
C.All IP traffic is permitted
D.The ACL is applied outbound, so it has no effect on inbound traffic
AnswerB

The ACL permits only HTTP to that host and denies the rest.

Why this answer

The ACL is applied inbound on the interface and contains a single entry that permits TCP traffic from any source to destination 192.168.1.100 on port 80. Because there is an implicit deny all at the end of every standard and extended ACL, only traffic matching this specific permit statement is allowed; all other IP traffic is denied.

Exam trap

Cisco often tests the implicit deny all at the end of ACLs, and the trap here is that candidates may overlook that only the explicitly permitted traffic is allowed, assuming that a single permit statement implies all other traffic is also permitted.

How to eliminate wrong answers

Option A is wrong because the ACL does not permit all TCP traffic; it only permits TCP traffic destined to 192.168.1.100 on port 80, and other TCP traffic is denied by the implicit deny. Option C is wrong because the ACL explicitly restricts traffic, so not all IP traffic is permitted; only the specified TCP traffic is allowed. Option D is wrong because the ACL is applied inbound (ip access-group ACL_NAME in), not outbound, so it does affect inbound traffic.
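As an added example covering both ACL questions above (366 and 371), and not part of the original question bank, the following evaluator implements the Cisco extended-ACL semantics the explanations rely on: first match wins, and an implicit deny ip any any applies when nothing matches. The ACL text and packets are constructed to mirror the two exhibits, including the 366 ACL with its permit ip any any omitted.

```javascript
// Added example: evaluator for a subset of Cisco extended ACL syntax:
//   permit|deny <ip|tcp|udp> <src> <dst> [eq <port>]
// where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard).
const ipToInt = (s) => s.split(".").reduce((n, o) => n * 256 + Number(o), 0);

function parseAddr(tokens, i) {
  // Returns [{net, wild}, nextIndex]; wildcard bit 1 means "don't care".
  if (tokens[i] === "any") return [{ net: 0, wild: 0xffffffff }, i + 1];
  if (tokens[i] === "host") return [{ net: ipToInt(tokens[i + 1]), wild: 0 }, i + 2];
  return [{ net: ipToInt(tokens[i]), wild: ipToInt(tokens[i + 1]) }, i + 2];
}

function parseAce(line) {
  const t = line.trim().split(/\s+/);
  const [action, proto] = t;
  const [src, i] = parseAddr(t, 2);
  const [dst, j] = parseAddr(t, i);
  const dport = t[j] === "eq" ? Number(t[j + 1]) : null;
  return { action, proto, src, dst, dport, text: line.trim() };
}

function addrMatches(a, ip) {
  const care = (~a.wild) >>> 0;                       // bits the ACE compares
  return ((ipToInt(ip) & care) >>> 0) === ((a.net & care) >>> 0);
}

function aceMatches(ace, pkt) {
  if (ace.proto !== "ip" && ace.proto !== pkt.proto) return false;
  if (!addrMatches(ace.src, pkt.src) || !addrMatches(ace.dst, pkt.dst)) return false;
  if (ace.dport !== null && ace.dport !== pkt.dport) return false;
  return true;
}

// Walk the ACL top-down; the first matching ACE decides. If none matches,
// the implicit deny at the end of every Cisco ACL drops the packet.
function evaluate(aclText, pkt) {
  const aces = aclText.split("\n").filter((l) => l.trim()).map(parseAce);
  for (const ace of aces) {
    if (aceMatches(ace, pkt)) return { action: ace.action, matched: ace.text };
  }
  return { action: "deny", matched: "implicit deny ip any any" };
}

// Constructed ACLs mirroring the two exhibits.
const ACL_366 = `
deny ip 10.0.0.0 0.255.255.255 any
permit ip any any`;
const ACL_366_NO_PERMIT = `
deny ip 10.0.0.0 0.255.255.255 any`;          // the exam-trap variant
const ACL_371 = `
permit tcp any host 192.168.1.100 eq 80`;

// Constructed packets (RFC 5737 documentation addresses for outside hosts).
const fromTenNet  = { proto: "tcp", src: "10.1.1.1",    dst: "192.0.2.10",    dport: 443 };
const fromOther   = { proto: "udp", src: "172.16.5.5",  dst: "192.0.2.10",    dport: 53 };
const httpToHost  = { proto: "tcp", src: "203.0.113.7", dst: "192.168.1.100", dport: 80 };
const httpsToHost = { proto: "tcp", src: "203.0.113.7", dst: "192.168.1.100", dport: 443 };
```

Evaluating `fromOther` against `ACL_366` returns permit via the explicit entry, while against `ACL_366_NO_PERMIT` it is dropped by the implicit deny; `ACL_371` permits `httpToHost` and denies `httpsToHost`.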

372
MCQeasy

An organization wants to prevent malware from executing on endpoints by using a file reputation service. Which Cisco technology provides cloud-based file reputation and analysis for endpoint protection?

A.Cisco Stealthwatch
B.Cisco Identity Services Engine (ISE)
C.Cisco Firepower NGFW
D.Cisco Secure Endpoint (AMP for Endpoints)
AnswerD

Cisco Secure Endpoint provides cloud-based file reputation and analysis.

Why this answer

Cisco Secure Endpoint (formerly AMP for Endpoints) is the correct answer because it provides cloud-based file reputation and analysis through its Advanced Malware Protection (AMP) cloud. This service uses global threat intelligence and machine learning to analyze file behavior, assign reputation scores, and block or quarantine malicious files on endpoints in real time.

Exam trap

Cisco often tests the distinction between network-based file inspection (Firepower NGFW with AMP for Networks) and endpoint-based file reputation (Secure Endpoint). Candidates mistakenly choose Firepower NGFW because they associate 'file reputation' with the firewall's AMP feature, not realizing the question specifies 'endpoints' and 'cloud-based file reputation and analysis' for endpoint protection.

How to eliminate wrong answers

Option A is wrong because Cisco Stealthwatch is a network visibility and security analytics tool that uses NetFlow/IPFIX data for behavioral analysis and threat detection, not a cloud-based file reputation service for endpoints. Option B is wrong because Cisco Identity Services Engine (ISE) is a policy-based network access control (NAC) and identity management platform that enforces access policies via 802.1X, MAC Authentication Bypass (MAB), and posture assessment, but it does not perform file reputation analysis. Option C is wrong because Cisco Firepower NGFW is a next-generation firewall that provides network-based intrusion prevention (IPS), URL filtering, and AMP for Networks (file reputation on the network perimeter), not endpoint-level file reputation and analysis.

373
MCQhard

During a network audit, an engineer finds that a switch configured for 802.1X is allowing a device to access the network without authentication. The switch logs show 'MAB failed', 'dot1x failed', but the port is in the forwarding state. The port configuration includes 'authentication fallback final mab' and 'dot1x timeout server-timeout 10'. What is the most likely explanation?

A.The device is using a MAC address that matches a static CAM entry
B.The 'authentication fallback final mab' command allows the port to become authorized even if MAB fails
C.The switch has 'aaa authentication dot1x default local' which allows local fallback
D.The 'dot1x timeout server-timeout' is too short, causing the switch to skip authentication
E.The switch is running an IOS version that treats 'authentication fallback final mab' as a no-op
AnswerB

This command treats 'mab' as the final method; if it fails, the port is still authorized.

Why this answer

Option B is correct because 'authentication fallback final mab' means if dot1x and MAB fail, the switch still authorizes the device as a final fallback, effectively overriding the authentication failure. Option A is wrong because the logs show authentication attempts. Option C is wrong because the logs explicitly show failures.

Option D is wrong because server-timeout alone does not cause this behavior.

374
MCQhard

A cloud architect is designing a hybrid network between on-premises and AWS. They need to ensure traffic to the internet from the VPC uses the on-premises security stack for inspection. The VPC has an Internet Gateway (IGW). What must be configured to force outbound traffic to the on-premises firewall?

A.Use VPC Endpoints for all services
B.Deploy a NAT Gateway and assign it to the route table
C.Update the VPC route table to point 0.0.0.0/0 to the virtual private gateway or transit gateway attachment
D.Configure security groups to block direct internet access
AnswerC

This routes internet traffic through the VPN to on-premises.

Why this answer

Option C is correct because to force all outbound internet traffic from the VPC through the on-premises firewall, the VPC route table must have a default route (0.0.0.0/0) pointing to the virtual private gateway (VPG) or transit gateway (TGW) attachment. This directs traffic over the VPN or Direct Connect to the on-premises network, where the security stack inspects it before reaching the internet. The Internet Gateway (IGW) remains present but is not used for this traffic because the route table entry overrides it.

Exam trap

Cisco often tests the misconception that a NAT Gateway or VPC Endpoints can redirect traffic to on-premises, but the correct mechanism is a route table entry pointing to the virtual private gateway or transit gateway attachment.

How to eliminate wrong answers

Option A is wrong because VPC Endpoints provide private connectivity to AWS services without traversing the internet, but they do not force general outbound internet traffic through an on-premises firewall; they only handle traffic to specific AWS services. Option B is wrong because a NAT Gateway enables outbound internet access from private subnets but sends traffic directly to the IGW, bypassing the on-premises security stack; it does not route traffic through a VPN or Direct Connect. Option D is wrong because security groups are stateful firewalls that control inbound and outbound traffic at the instance level, but they cannot redirect traffic to an on-premises firewall; they only allow or deny traffic, not route it.

375
MCQmedium

An organization uses Cisco Umbrella for DNS-layer security. They want to block access to a newly discovered malicious domain (malware.example.com) immediately. Which action should the administrator take in the Umbrella dashboard?

A.Add the domain to the 'Global Block List' under 'Managed Networks'.
B.Add the domain to the 'Temporary Block List' under 'Security Settings'.
C.Add the domain to the 'Block List' under the policy's 'Destination Lists'.
D.Add the domain to the 'IP Layer Enforcement' list.
AnswerC

Policy block list immediately blocks DNS queries to the domain for users under that policy.

Why this answer

Option C is correct because in Cisco Umbrella, the most immediate way to block a specific malicious domain is to add it to the 'Block List' under the policy's 'Destination Lists'. This list is evaluated in real-time for DNS queries, allowing the administrator to enforce the block without waiting for threat intelligence updates or affecting other policies.

Exam trap

The trap here is that candidates confuse the 'Global Block List' (which applies to IP addresses at the network layer) with the policy-specific 'Block List' (which applies to domains at the DNS layer), leading them to select Option A instead of C.

How to eliminate wrong answers

Option A is wrong because the 'Global Block List' under 'Managed Networks' is used for blocking IP addresses or networks at the network layer, not for domain-level DNS blocking. Option B is wrong because there is no 'Temporary Block List' under 'Security Settings' in Cisco Umbrella; temporary blocks are typically handled via the 'Block List' within a policy or via the 'Temporary Block' feature in the Investigate console, not under Security Settings. Option D is wrong because 'IP Layer Enforcement' is used for blocking traffic based on IP addresses, not domain names, and it applies after DNS resolution, not at the DNS layer.
