Cisco SCOR / CCNP Security Core 350-701 (350-701) — Questions 376-450

500 questions total · 7 pages · All types, answers revealed

Page 6 of 7
376 · MCQ · easy

A company wants to ensure that only authorized applications can run on endpoints. Which feature of Cisco AMP for Endpoints should be used to create a whitelist of allowed applications?

A. Application Control
B. Exploit Prevention
C. Orbital Advanced Search
D. File Reputation

Answer: A

Application Control allows whitelisting of approved applications and blocks unauthorized ones.

Why this answer

Application Control in AMP allows administrators to define policies that permit only approved applications to execute.

377 · MCQ · medium

An organization is migrating from on-premises Cisco ESA to Cisco Cloud Email Security (CES). They need to ensure that email encryption policies remain consistent after migration. What is the best approach to migrate the encryption policies?

A. Export the configuration from on-premises ESA and import into CES
B. Use the Cisco ESA API to migrate policies automatically
C. Recreate the policies manually in CES based on existing documentation
D. Synchronize the two appliances using Cisco Security Management Suite

Answer: A

Export/import preserves exact policy settings and is the recommended migration approach.

Why this answer

Exporting the configuration from on-premises ESA and importing it into CES ensures consistency. Option C is wrong because manual re-creation is error-prone. Option B is wrong because using the API requires custom scripting and may not capture all policies.

Option D is wrong because there is no direct synchronization feature between on-premises and cloud ESA.

378 · MCQ · medium

A company uses Cisco ISE for network access control. Users connecting via wired 802.1X are successfully authenticated but cannot reach the internet. The administrator checks the authorization policy and notices that the correct dACL is being applied. What is the most likely cause of the issue?

A. The switchport is configured as dynamic desirable
B. The RADIUS server is not sending the dACL attribute in the Access-Accept
C. The switch port MTU is set to 1500 bytes
D. ISE is out of licenses for endpoint devices

Answer: B

If the dACL is not included in the RADIUS response, the switch will not apply it.

Why this answer

The most likely cause is that the RADIUS server (ISE) is not sending the dACL attribute in the Access-Accept packet. Even though the authorization policy applies a dACL, if the RADIUS message does not include the dACL name (e.g., Cisco-AV-Pair = "ip:inacl#100=...") or the switch does not receive it, the switch cannot enforce the filter, leaving the user authenticated but with no internet access due to default deny-all behavior.

Exam trap

Cisco often tests the misconception that a correctly configured authorization policy in ISE guarantees the dACL is sent; the trap is that the policy must be linked to an authorization profile that explicitly includes the dACL, and the RADIUS message must carry it—otherwise the switch never receives the filter.

How to eliminate wrong answers

Option A is wrong because switchport mode dynamic desirable is a DTP setting for trunk negotiation and does not affect 802.1X authentication or dACL enforcement. Option C is wrong because an MTU of 1500 bytes is standard and would not prevent internet access after successful authentication; it might cause fragmentation issues but not a complete lack of connectivity. Option D is wrong because ISE license depletion affects the ability to authenticate new endpoints, not the enforcement of already-applied dACLs for authenticated users.

379 · MCQ · hard

A multinational corporation is migrating its on-premises data center to a public cloud provider. The security policy requires that all traffic between cloud VPCs and the on-premises network must be inspected by a next-generation firewall (NGFW) deployed in the cloud. The on-premises network uses BGP for dynamic routing. Which design meets the requirement while minimizing latency and administrative overhead?

A. Deploy a transit VPC with an NGFW instance and configure BGP dynamic routing between the transit VPC, other VPCs, and the on-premises network.
B. Use AWS Transit Gateway with static routes pointing to the NGFW instance for inspection.
C. Create a site-to-site VPN between each VPC and the on-premises network, and configure the NGFW on-premises.
D. Use AWS Direct Connect to connect all VPCs to the on-premises network and place the NGFW on-premises.

Answer: A

Transit VPC with NGFW and BGP allows traffic inspection and dynamic route exchange.

Why this answer

Option A is correct because a transit VPC with an NGFW instance allows centralized traffic inspection while using BGP dynamic routing to exchange routes between the transit VPC, other VPCs, and the on-premises network. This design minimizes administrative overhead by avoiding static route management and reduces latency by keeping inspection within the cloud, rather than hair-pinning traffic on-premises. BGP enables automatic failover and route propagation, meeting the dynamic routing requirement.

Exam trap

Cisco often tests the misconception that a cloud-native service like AWS Transit Gateway inherently supports dynamic routing with NGFW inspection, but the trap is that Transit Gateway uses static routes for traffic steering unless integrated with a transit VPC and BGP, leading candidates to choose Option B incorrectly.

How to eliminate wrong answers

Option B is wrong because AWS Transit Gateway with static routes pointing to the NGFW instance introduces administrative overhead from manual route updates and does not leverage BGP dynamic routing as required, leading to potential misconfigurations and higher latency due to forced traffic paths. Option C is wrong because creating a site-to-site VPN between each VPC and the on-premises network with the NGFW on-premises forces all traffic to hair-pin through the on-premises network, increasing latency and failing to inspect traffic within the cloud; it also does not centralize inspection in the cloud as required. Option D is wrong because using AWS Direct Connect to connect all VPCs to the on-premises network and placing the NGFW on-premises violates the requirement that inspection must occur in the cloud, and it introduces significant latency by routing all cloud traffic back to the on-premises NGFW.

380 · MCQ · hard

During a security incident, an engineer needs to quickly quarantine an endpoint that is connected to a switch via 802.1X. The engineer wants to use ISE to send a Change of Authorization (CoA) to move the port to a restrictive VLAN. What must be configured on the switch to allow ISE to send CoA?

A. The switch must listen on UDP port 1700 for CoA packets
B. The switch must have 'aaa server radius dynamic-author' configured with a client entry for ISE
C. The switch must have a VTY line configured with 'transport input ssh'
D. RADIUS accounting must be enabled on the switch
E. The switch must have 'authentication event server dead action authorize' configured

Answer: B

This command enables the switch to accept CoA requests from ISE.

Why this answer

Option B is correct because CoA requires the switch to act as a RADIUS client for dynamic authorization, configured with 'aaa server radius dynamic-author'. Option D is wrong because RADIUS accounting is separate. Option A is wrong because CoA uses UDP port 3799 by default.

Option E is wrong because 'authentication event server dead action' is for RADIUS server failure, not CoA.

381 · MCQ · hard

A company has deployed Cisco ISE for network access control. After a recent upgrade, the operations team notices that some users are being assigned incorrect authorization profiles. The ISE logs show that the users are being matched to the correct identity group, but the authorization result is different from expected. What is the most likely cause?

A. The passive identity feature is overriding the user's group assignment.
B. The authorization policy rules are not in the correct order, causing a different rule to match first.
C. The network device group assignment has changed, causing the device to be in a different group.
D. The authentication policy is misconfigured, causing users to be placed in the wrong identity group.

Answer: B

ISE uses first-match logic for authorization policies.

Why this answer

In Cisco ISE, authorization policies are evaluated in top-down order, and the first matching rule is applied. Even if users are correctly assigned to an identity group, a higher-priority authorization policy rule that matches on other conditions (e.g., endpoint profile, device type, or time condition) can override the expected result. This is the most likely cause when authentication and group assignment are correct but the authorization result is unexpected.

Exam trap

Cisco often tests the concept that authorization policies are evaluated in order of precedence, and candidates mistakenly focus on authentication or group assignment when the real issue is rule ordering in the authorization policy.

How to eliminate wrong answers

Option A is wrong because the passive identity feature (e.g., Active Directory passive identity) is used for identity mapping and does not override group assignments; it only provides identity context for authentication. Option C is wrong because if the network device group assignment had changed, the device would likely fail authentication or be matched to a different policy set, not cause incorrect authorization profiles while still matching the correct identity group. Option D is wrong because the question states that users are being matched to the correct identity group, which means the authentication policy is working correctly; a misconfigured authentication policy would place users in the wrong group, not result in correct group matching with wrong authorization.

382 · Drag & Drop · medium

Drag and drop the steps to configure a Cisco ASA for remote access VPN using AnyConnect in the correct order.


Why this order

First enable the AnyConnect image, then define the IP pool, the group policy, and the tunnel group, and finally apply the configuration to the interface.

383 · MCQ · easy

A small business uses Cisco Umbrella for DNS-layer security. They recently enabled multi-factor authentication (MFA) for all administration accounts. The IT manager is unable to log into the Umbrella dashboard; the login page accepts his password but then asks for an MFA code. However, he never set up MFA. He checks his email and finds no registration email. He is the only administrator. How should he regain access to the Umbrella dashboard?

A. Create a new Umbrella account and transfer the organization.
B. Use the Umbrella API to programmatically disable MFA.
C. Have another administrator in the organization disable MFA for his account.
D. Contact Cisco TAC and prove ownership of the account to have MFA reset.

Answer: D

Correct: TAC can verify identity and reset MFA.

Why this answer

When an administrator is locked out of Cisco Umbrella due to MFA that was never configured, and there is no other administrator to assist, the only recovery path is to contact Cisco TAC. TAC can verify account ownership through a proof-of-ownership process and then reset the MFA enrollment, allowing the administrator to set it up fresh. This is the standard escalation procedure for Umbrella when self-service recovery options are unavailable.

Exam trap

Cisco often tests the misconception that API or self-service options can bypass MFA recovery, but in reality, MFA is a security boundary that requires administrative or TAC-level intervention to reset.

How to eliminate wrong answers

Option A is wrong because creating a new Umbrella account and transferring the organization is not a supported feature; Umbrella organizations are tied to a single primary account and cannot be transferred without TAC involvement. Option B is wrong because the Umbrella API does not expose an endpoint to disable MFA for an administrator account; MFA settings are managed through the dashboard or by TAC only. Option C is wrong because the scenario states the IT manager is the only administrator, so there is no other administrator to perform the disable action.

384 · MCQ · hard

An administrator is migrating an ASA firewall to a cloud environment and wants to use FlexConfig to push additional configuration. After applying the FlexConfig, the ASA does not show the expected commands. Which of the following is a likely reason?

A. The ASA model does not support FlexConfig.
B. The ASA must be rebooted for FlexConfig to take effect.
C. The FlexConfig is not associated with the device in ASDM.
D. The FlexConfig contains syntax errors that are silently ignored.

Answer: C

FlexConfig must be associated with the device in ASDM or CLI; otherwise, it will not be applied.

Why this answer

FlexConfig is a feature of Cisco ASDM that allows administrators to push additional CLI commands to an ASA that are not natively supported by the ASDM GUI. For FlexConfig to work, the configuration template must be explicitly associated with the target device within ASDM. If this association is missing, the ASA will not receive or apply the FlexConfig commands, even if the template is correctly written and the device supports the feature.

Exam trap

Cisco often tests the distinction between creating a FlexConfig template and actually associating it with a device, because candidates mistakenly believe that simply uploading a template is sufficient for it to be applied.

How to eliminate wrong answers

Option A is wrong because FlexConfig is supported on all ASA models that run ASA software version 8.4(2) or later, including virtual ASAv instances used in cloud environments. Option B is wrong because FlexConfig changes take effect immediately after the ASA reloads its configuration; no system reboot is required. Option D is wrong because FlexConfig templates with syntax errors are not silently ignored; the ASA will reject the invalid commands and generate error messages in the syslog or CLI output, alerting the administrator to the problem.

385 · MCQ · medium

A security administrator is reviewing firewall logs and notices that an internal user is generating excessive outbound DNS queries to a known malicious domain. The company uses Cisco Umbrella for DNS-layer security. How should the administrator investigate and block this traffic?

A. Check the Cisco Umbrella dashboard for the domain, identify the internal IP, and block the domain via policy.
B. Create a firewall ACL to block the IP address of the DNS server from the internal user.
C. Disable the user's network access temporarily and inform the IT department.
D. Enable full packet capture on the internal network and wait for the next occurrence.

Answer: A

Umbrella provides visibility and enforcement at the DNS layer, stopping malicious queries before connection.

Why this answer

Option A is correct because Cisco Umbrella is a DNS-layer security solution that can log and block DNS queries to malicious domains. The administrator should first check the Umbrella dashboard to identify the internal IP generating the excessive queries, then create a policy to block the domain, which will prevent all subsequent DNS resolutions to that domain without affecting other traffic.

Exam trap

Cisco often tests the candidate's understanding that DNS-layer security (like Umbrella) is the appropriate tool for blocking malicious domains at the DNS level, rather than using traditional firewall ACLs or reactive measures that do not leverage the solution's policy-based blocking capabilities.

How to eliminate wrong answers

Option B is wrong because blocking the DNS server IP address would prevent the user from resolving any domains, not just the malicious one, and does not leverage the DNS-layer security capabilities of Umbrella. Option C is wrong because disabling the user's network access is a reactive, disruptive measure that does not address the root cause or allow for forensic analysis; it also bypasses the proper use of Umbrella's policy controls. Option D is wrong because enabling full packet capture is a passive monitoring technique that does not block the traffic and delays remediation; it is inefficient compared to using the existing Umbrella dashboard and policy enforcement.

386 · Multi-Select · easy

Which TWO benefits does centralized RADIUS authentication provide over local authentication on network devices? (Choose two.)

A. Centralized accounting and logging of all authentication attempts
B. Ability to change passwords or permissions in one place
C. Faster authentication because of local caching
D. Support for multiple authentication protocols like PAP, CHAP, EAP
E. No need for a backup authentication method

Answers: A, B

A RADIUS server provides unified logs.

Why this answer

Centralized RADIUS authentication aggregates all authentication, authorization, and accounting (AAA) data on a single server. This provides a unified audit trail for all login attempts across network devices, enabling comprehensive logging and accounting that local authentication cannot offer. Local authentication logs are device-specific and lack centralized aggregation, making forensic analysis and compliance reporting more difficult.

Exam trap

Cisco often tests the misconception that centralized authentication is faster or eliminates the need for a backup method, when in reality it introduces dependency on network reachability and requires a fallback like local authentication for resilience.

387 · Multi-Select · hard

Which THREE are characteristics of Cisco Stealthwatch?

A. Can integrate with Cisco ISE for automated threat response
B. Provides behavioral analysis to detect threats
C. Acts as a next-generation firewall
D. Uses NetFlow and IPFIX for network traffic visibility
E. Functions as an intrusion prevention system (IPS)

Answers: A, B, D

Integration allows ISE to enforce policies based on Stealthwatch alerts.

Why this answer

Option A is correct because Cisco Stealthwatch can integrate with Cisco ISE (Identity Services Engine) via pxGrid or REST API to enable automated threat response. When Stealthwatch detects anomalous behavior, it can trigger ISE to enforce policy changes such as quarantining an endpoint or dynamically applying a security group access control list (SGACL), closing the loop between detection and remediation.

Exam trap

Cisco often tests the distinction between detection/visibility tools (Stealthwatch) and inline enforcement devices (NGFW/IPS), so the trap here is that candidates confuse Stealthwatch's behavioral analysis and flow-based monitoring with the packet-inspecting, blocking capabilities of a next-generation firewall or intrusion prevention system.

388 · Drag & Drop · medium

Drag and drop the steps to implement Cisco Umbrella (formerly OpenDNS) for DNS-layer security in the correct order.


Why this order

Start with registration, add network identity, point DNS to Umbrella, set policies, then verify.

389 · Multi-Select · medium

A Cisco TrustSec deployment is being implemented to enforce micro-segmentation. The security team needs to ensure that Security Group Tags (SGTs) are propagated across the network. Which THREE methods can be used to distribute SGT information in a TrustSec environment? (Choose three.)

A. SGT over SXP (SGT Exchange Protocol)
B. SGT over Cisco Discovery Protocol (CDP)
C. SGT over VXLAN
D. SGT inline tagging (in the Ethernet header)
E. SGT over MPLS

Answers: A, C, D

SXP is a standard protocol to propagate SGTs between network devices without inline tagging.

Why this answer

The correct methods are SGT over SXP (SGT Exchange Protocol), SGT over VXLAN, and SGT inline tagging in the Ethernet header. SGT over MPLS is not a standard TrustSec propagation method. SGT over CDP is not supported; CDP is used for device discovery, not SGT propagation.

390 · MCQ · medium

An email administrator sees the above log entry in the Cisco ESA. What will happen to the email?

A. The email will be quarantined and an administrator will review it
B. The email will be dropped and not delivered
C. The email will be encrypted before delivery
D. The email will be delivered with a warning

Answer: A

Quarantine action holds the email for review.

Why this answer

The log entry indicates that the email triggered a content filter action set to 'quarantine' in the Cisco ESA. When an email is quarantined, it is held in a designated quarantine mailbox for administrative review, allowing the administrator to release, delete, or further analyze the message. This is the default behavior for policies that require human intervention before delivery.

Exam trap

Cisco often tests the distinction between 'quarantine' (administrative review required) and 'drop' (silent discard) to see if candidates understand that quarantine preserves the message for later action, while drop permanently removes it.

How to eliminate wrong answers

Option B is wrong because 'drop' means the email is silently discarded without any notification or quarantine, which is not indicated by the log entry. Option C is wrong because encryption is a separate action applied during delivery, not a quarantine action, and the log does not reference any encryption policy. Option D is wrong because delivering with a warning would add a header or subject tag but still deliver the email, whereas the log shows the email was not delivered and was instead held for review.

391 · MCQ · easy

Refer to the exhibit. A user attempts to SSH to the router. The RADIUS server is unreachable. What will happen?

A. The user will be denied access because RADIUS is unreachable
B. The router will try TACACS+ as a fallback
C. The user will be authenticated using the local database
D. The user will be authenticated using RADIUS after a timeout

Answer: C

When RADIUS is unreachable, the router uses local authentication.

Why this answer

When RADIUS is unreachable and the router is configured for AAA authentication, the default behavior is to fall back to the local database if the 'local' keyword is included in the authentication method list. In this scenario, the user will be authenticated using the local database because the RADIUS server is unreachable, and the router has a local user account configured. This is a standard AAA fallback mechanism to ensure administrative access is not completely lost.

Exam trap

Cisco often tests the misconception that a RADIUS timeout will eventually allow authentication, but the trap here is that the router immediately falls back to the next method in the list (local) when the server is unreachable, not after a timeout.

How to eliminate wrong answers

Option A is wrong because the router does not immediately deny access; it falls back to the local database if configured. Option B is wrong because TACACS+ is only tried as a fallback if it is explicitly listed in the authentication method list; the exhibit does not show TACACS+ in the method list. Option D is wrong because RADIUS authentication will not proceed after a timeout; the router will move to the next method in the list (local) immediately upon RADIUS being unreachable.

392 · MCQ · easy

A network engineer is configuring Cisco Umbrella to secure remote users connecting to a SaaS application. The users are not assigned a static public IP and often connect from various locations. Which deployment method best protects these users?

A. Roaming Client
B. Virtual Appliances
C. DNS forwarding with Network Device binding
D. IP layer enforcement with Anycast

Answer: A

A lightweight client is installed on the endpoint and routes traffic through Umbrella regardless of the network.

Why this answer

The Roaming Client (Cisco Umbrella Roaming Security Module) is the correct deployment method because it provides DNS-layer security directly on the endpoint, regardless of the user's location or IP address. This ensures that remote users without a static public IP are protected by Umbrella's DNS filtering and threat intelligence, even when connecting from various networks (e.g., home, coffee shop, hotel). The client automatically selects the closest Umbrella data center via Anycast and encrypts DNS queries over HTTPS (DoH) to prevent tampering.

Exam trap

Cisco often tests the misconception that DNS forwarding or IP-based enforcement can protect roaming users, but the trap here is that those methods require a stable, known source IP or a managed network device, which fails when users connect from arbitrary locations without a static public IP.

How to eliminate wrong answers

Option B (Virtual Appliances) is wrong because virtual appliances are deployed on-premises within a corporate network and cannot protect remote users who are not connected to the corporate VPN or network. Option C (DNS forwarding with Network Device binding) is wrong because DNS forwarding relies on a specific network device (e.g., router, firewall) with a static public IP or a configured IP binding, which fails when users roam and their source IP changes. Option D (IP layer enforcement with Anycast) is wrong because IP layer enforcement (e.g., using policy based on source IP) is ineffective for roaming users whose IP addresses are dynamic and unpredictable; Anycast alone does not provide per-user identity or enforcement without a client.

393 · MCQ · medium

During a security audit, it is discovered that some users are bypassing the proxy by using HTTPS tunnels over port 443. The WSA is configured with an explicit proxy mode. What additional configuration is needed to prevent such bypass?

A. Implement a firewall rule to block outbound HTTP/HTTPS traffic except from the WSA
B. Enable SSL decryption on the WSA
C. Configure identity-based authentication for all users
D. Create a custom URL category for tunneling websites and block them

Answer: A

This forces all web traffic through the proxy, preventing bypass.

Why this answer

When using an explicit proxy, clients must be configured to use the proxy. To prevent bypass, configure the firewall to block outbound HTTP/HTTPS traffic from non-proxy sources, or use a transparent proxy with WCCP. Option B is wrong because enabling SSL decryption alone does not force traffic through the proxy.

Option C is wrong because authenticating users does not prevent bypass. Option D is wrong because creating a deny URL category for tunnels is ineffective.

394 · MCQ · medium

A network engineer is troubleshooting an endpoint that failed to receive policy updates from the Cisco AMP cloud. The endpoint shows 'Out-of-Date' in the AMP console. The engineer verifies that the endpoint has outbound HTTPS access to the AMP cloud. What additional step should the engineer take to resolve the issue?

A. Configure the AMP connector to use a static IP address for the cloud.
B. Reboot the endpoint to force a policy download.
C. Verify that SNMP is enabled on the endpoint.
D. Verify that the endpoint can resolve the AMP cloud hostname using DNS.

Answer: D

The connector must resolve the cloud hostname for HTTPS connections.

Why this answer

Option D is correct because the AMP connector requires the correct cloud connectivity hostname (like *.amp.cisco.com) and port 443. If DNS resolution fails or the hostname is incorrect, the endpoint cannot communicate. Option C is wrong because the AMP connector does not use SNMP.

Option B is wrong because a reboot is not typically required; the connector retries automatically. Option A is wrong because the connector reaches the cloud by hostname, which it resolves itself; there is no separate proxy configuration inside the connector (but a proxy can be configured via policy).

395 · MCQ · medium

A company deploys Cisco ISE for network access control. They want to enforce that only employees with a valid certificate and a compliant posture can access the corporate Wi-Fi. Which policy combination should be used?

A. Authorization profile with dACL and a Posture Enforcement Policy (PEP)
B. Authentication using PEAP-MSCHAPv2 and a Posture Enforcement Policy (PEP)
C. Authentication using EAP-TLS and a Posture Enforcement Policy (PEP)
D. Guest portal with self-registration and a Posture Enforcement Policy (PEP)

Answer: C

EAP-TLS uses certificates for authentication, and PEP enforces posture compliance.

Why this answer

Option C is correct because EAP-TLS provides certificate-based mutual authentication, ensuring only employees with a valid certificate can authenticate. The Posture Enforcement Policy (PEP) then checks the endpoint's compliance (e.g., antivirus, patch level) before granting network access. This combination meets the requirement for both certificate validation and posture compliance enforcement on corporate Wi-Fi.

Exam trap

Cisco often tests the distinction between authentication protocols (EAP-TLS vs. PEAP-MSCHAPv2) and their ability to enforce certificate-based access, leading candidates to mistakenly choose PEAP-MSCHAPv2 (Option B) because it is commonly used with machine certificates, but it does not require a client certificate for user authentication.

How to eliminate wrong answers

Option A is wrong because an authorization profile with a downloadable ACL (dACL) controls post-authentication permissions but does not enforce certificate-based authentication; it assumes the user is already authenticated. Option B is wrong because PEAP-MSCHAPv2 uses a username/password (or machine credentials) for authentication, not a certificate, so it cannot enforce that only employees with a valid certificate gain access. Option D is wrong because a guest portal with self-registration is designed for unauthenticated guests, not for employees with certificates, and it does not enforce certificate-based authentication.

396 · MCQ · medium

A SOC analyst notices that after deploying Cisco AMP for Endpoints, some legitimate business software is being blocked by the Exploit Prevention engine. What is the recommended action to allow this software while maintaining maximum security?

A. Disable Exploit Prevention entirely on affected endpoints
B. Create an application exception in Exploit Prevention policy
C. Add the software's executable hash to the file exclusion list
D. Set Exploit Prevention to 'Audit' mode

Answer: B

Allows the specific application while maintaining protection for others.

Why this answer

The best practice is to create an exception for that specific application in the Exploit Prevention policy, rather than disabling the engine entirely or excluding the folder.

397 · MCQ · easy

A network engineer is configuring a new firewall to enforce security policies between two internal VLANs. The goal is to allow only HTTP traffic from the finance VLAN to the HR VLAN, while blocking all other traffic. Which type of firewall rule should be applied to achieve this requirement with minimal administrative overhead?

A. Explicit deny rule
B. Implicit deny rule
C. Stateful rule
D. Default-permit rule

Answer: A

An explicit deny at the end of the rule base ensures that only explicitly permitted traffic (HTTP) is allowed, following best practice.

Why this answer

Option A is correct because an explicit deny rule is required to block all traffic except HTTP from finance to HR. While firewalls have an implicit deny at the end of the rulebase, the requirement to 'block all other traffic' with minimal administrative overhead is best met by creating an explicit deny rule that matches the specific traffic flows to be blocked, ensuring clarity and preventing unintended implicit allow behavior. This approach avoids relying on the implicit deny, which could be overridden by a later default-permit rule or misconfiguration.

Exam trap

Cisco often tests the distinction between explicit deny and implicit deny, trapping candidates who think the implicit deny alone is sufficient to block traffic, when in fact an explicit deny rule is needed to enforce a specific block with minimal administrative overhead and to avoid reliance on default behaviors that can be overridden.

How to eliminate wrong answers

Option B is wrong because an implicit deny rule is automatically applied at the end of the firewall rulebase, but it does not block traffic before it; it only denies traffic that does not match any explicit rule. Relying solely on implicit deny would require an explicit permit rule for HTTP, but the question asks for blocking 'all other traffic' with minimal overhead, and implicit deny is not a rule you configure—it is a default behavior. Option C is wrong because a stateful rule refers to the firewall's ability to track connection states (e.g., allowing return traffic for established sessions), but it does not inherently block traffic; it is a property of how rules are processed, not a rule type that denies traffic.

Option D is wrong because a default-permit rule would allow all traffic by default, which directly contradicts the requirement to block all other traffic; this is the opposite of what is needed.

398
Multi-Selectmedium

A company is implementing zero trust architecture in the cloud. Which TWO principles are fundamental to zero trust? (Choose two.)

Select 2 answers
A.Assume breach
B.Implicit trust for internal traffic
C.Use static passwords
D.Use perimeter firewalls only
E.Verify explicitly
AnswersA, E

Design systems assuming an attacker is present.

Why this answer

Option A is correct because zero trust architecture operates on the principle of 'never trust, always verify,' which includes assuming that a breach has already occurred or is inevitable. This assumption drives continuous validation of every access request, regardless of source, and enforces least-privilege access to limit lateral movement. In cloud environments, this means treating every API call, workload, and user session as potentially compromised until proven otherwise.

Exam trap

Cisco often tests the misconception that zero trust still allows implicit trust for internal traffic or that traditional perimeter defenses are sufficient, leading candidates to select 'Implicit trust for internal traffic' or 'Use perimeter firewalls only' instead of recognizing that zero trust requires explicit verification for all traffic.

399
MCQhard

An organization is deploying Cisco ISE with passive identity mapping from Active Directory. They notice that users are not being correctly identified on the network, and some workstations are appearing with multiple IP addresses. What is the most likely cause?

A.ISE is configured with incorrect Active Directory domain join credentials.
B.The DHCP server is not configured to forward DHCP packets to ISE.
C.The ISE node is not configured for passive identity service.
D.The network switches are not configured with SNMP traps for MAC notification.
AnswerB

Without DHCP forwarding, ISE cannot correlate IP addresses to MAC addresses, leading to identification issues.

Why this answer

Option B is correct because passive identity mapping via DHCP requires the DHCP server to forward DHCP packets to ISE. Without this, IP-to-MAC mappings are incomplete. Option A is incorrect because domain join credentials affect ISE-AD communication, not DHCP mapping.

Option D is incorrect because SNMP MAC-notification traps are used for endpoint classification (profiling), not passive identity. Option C is incorrect because, although the passive identity service must be enabled, the symptom (workstations appearing with multiple IP addresses) points to missing DHCP data rather than a disabled service.

400
MCQmedium

A company uses multiple cloud providers (AWS and Azure) and wants to unify security monitoring and policy enforcement. They have on-premises data centers as well. Which Cisco solution is best suited for this?

A.Cisco Secure Cloud Analytics
B.Cisco Secure Firewall Cloud Native
C.Cisco Secure Workload
D.Cisco Secure Network Analytics
AnswerA

Unified monitoring and policy enforcement for multi-cloud and on-prem.

Why this answer

Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud) is designed to provide unified visibility and security monitoring across multi-cloud environments (AWS, Azure, GCP) and on-premises data centers. It uses NetFlow/IPFIX data and cloud-native API integrations to detect anomalies and enforce consistent security policies, making it the best fit for the company's requirement to unify security monitoring and policy enforcement across hybrid and multi-cloud deployments.

Exam trap

Cisco often tests the distinction between 'monitoring and policy enforcement across multiple clouds' (Secure Cloud Analytics) versus 'micro-segmentation for workloads' (Secure Workload) or 'on-premises network analytics' (Secure Network Analytics), leading candidates to confuse the scope of each solution.

How to eliminate wrong answers

Option B (Cisco Secure Firewall Cloud Native) is wrong because it is a virtual firewall appliance specifically for public cloud environments, focusing on network segmentation and threat inspection, but it does not provide unified monitoring or policy enforcement across multiple cloud providers and on-premises. Option C (Cisco Secure Workload) is wrong because it is a micro-segmentation and workload protection solution that focuses on application-level visibility and policy enforcement within data centers and clouds, but it is not designed for unified security monitoring across disparate cloud providers and on-premises. Option D (Cisco Secure Network Analytics) is wrong because it is an on-premises network traffic analysis tool that relies on NetFlow/IPFIX from physical network devices, lacking native multi-cloud API integrations and the ability to monitor cloud-native workloads without additional agents.

401
MCQmedium

A company uses Cisco WSA in transparent mode. They want to bypass proxy processing for all traffic to a specific internal server (10.0.0.5) to reduce latency. They create an access policy with a custom URL category and add the server's IP to the 'Proxy Bypass' list. However, traffic to that server is still being proxied. What is the most likely cause?

A.The IP address is incorrectly formatted in the bypass list
B.The access policy is placed after a deny rule
C.The proxy bypass list does not apply in transparent mode; instead use network ACLs to bypass WSA
D.The client is required to authenticate
AnswerC

In transparent mode, bypass must be done at the network level (WCCP redirect ACL or PBR) to avoid sending traffic to WSA.

Why this answer

In transparent mode, the Cisco WSA intercepts traffic at the network layer without explicit client configuration. The 'Proxy Bypass' list is designed for explicit proxy deployments where clients are configured to send traffic to the WSA; it does not function in transparent mode because the WSA cannot distinguish bypass requests from intercepted traffic. To bypass proxy processing in transparent mode, you must use network ACLs on upstream routers or switches to redirect traffic away from the WSA, or configure WCCP exclusion rules.

Exam trap

Cisco often tests the misconception that the 'Proxy Bypass' list is a universal bypass mechanism across all deployment modes, when in fact it only applies to explicit proxy configurations, not transparent mode.

How to eliminate wrong answers

Option A is wrong because IP address formatting errors (e.g., typos or subnet mismatches) would cause a different failure, but the bypass list itself is not applicable in transparent mode, so formatting is irrelevant. Option B is wrong because access policy ordering (e.g., a deny rule before the bypass policy) could affect traffic matching, but the core issue is that the bypass list mechanism is non-functional in transparent mode, not a policy sequence problem. Option D is wrong because client authentication requirements do not prevent bypass list functionality; authentication is a separate policy action and does not override the fundamental limitation of the bypass list in transparent mode.

402
MCQeasy

Refer to the exhibit. A security administrator implements this S3 bucket policy to restrict access to the bucket 'my-bucket'. What type of condition is being used?

A.String condition
B.IpAddress condition
C.Bool condition
D.Numeric condition
AnswerB

Condition key is IpAddress.

Why this answer

The condition in the S3 bucket policy uses the `IpAddress` condition key to restrict access based on the requester's IP address. This is explicitly an IP address condition, which evaluates the source IP of the request against the specified CIDR range. Option B is correct because the `aws:SourceIp` key is only valid with the `IpAddress` (or `NotIpAddress`) condition operator.

Exam trap

Cisco often tests the distinction between the condition key (`aws:SourceIp`) and the condition operator (`IpAddress`), leading candidates to confuse it with a String condition because the IP address is a string value.

How to eliminate wrong answers

Option A is wrong because a String condition uses operators like `StringEquals` or `StringLike` to compare string values, not IP addresses. Option C is wrong because a Bool condition uses the `Bool` operator to check boolean values like `aws:SecureTransport` true/false, not IP ranges. Option D is wrong because a Numeric condition uses operators like `NumericEquals` or `NumericLessThan` to compare numbers, not IP addresses.

403
MCQhard

A company uses Cisco WSA with multiple authentication realms (LDAP, RADIUS, and local). They want to require multi-factor authentication (MFA) for external users but allow single sign-on (SSO) for internal corporate users. Which configuration approach should be used?

A.Use a single authentication realm with both LDAP and RADIUS configured, and rely on the client IP to choose method
B.Configure a SSL VPN on WSA to differentiate user groups
C.Configure two authentication realms: one for internal (LDAP with Kerberos SSO) and one for external (RADIUS with MFA), then assign each realm to appropriate access policies
D.Use SAML authentication with an Identity Provider that supports MFA
AnswerC

Multiple realms allow different authentication methods per policy.

Why this answer

Option C is correct because Cisco WSA supports multiple authentication realms, allowing you to assign different realms to different access policies. By configuring an internal realm with LDAP and Kerberos SSO for seamless authentication, and a separate external realm with RADIUS and MFA for stronger security, you can enforce MFA only for external users while maintaining SSO for internal users. This approach directly maps authentication methods to user groups based on policy, not on client IP or a single realm.

Exam trap

Cisco often tests the misconception that a single authentication realm can handle multiple authentication methods simultaneously, or that features like SSL VPN or SAML alone can solve policy-based MFA differentiation without realm-level configuration.

How to eliminate wrong answers

Option A is wrong because a single authentication realm cannot simultaneously support both LDAP and RADIUS as separate methods; WSA realms are configured with one primary authentication protocol, and relying on client IP to choose the method is not a supported feature for differentiating MFA vs. SSO. Option B is wrong because SSL VPN is not a feature of Cisco WSA; WSA is a web proxy and does not terminate VPN connections, so this configuration is irrelevant and would not differentiate user groups for authentication.

Option D is wrong because while SAML with an IdP can support MFA, it does not inherently allow you to enforce MFA only for external users while using SSO for internal users within the same WSA configuration; you would still need separate realms or policies to differentiate the authentication flow, and SAML alone does not provide the granular policy-based realm assignment that option C does.

404
MCQhard

Refer to the exhibit. An administrator notices that DNS responses larger than 512 bytes are being dropped. Which configuration change should be made to allow larger DNS responses?

A.Remove the DNS inspection policy
B.Add an access-list to permit the traffic
C.Disable the set connection advanced-options command
D.Increase the message-length maximum under the DNS map
AnswerD

Raising the limit (e.g., to 4096) allows larger DNS responses.

Why this answer

The correct answer is D because DNS inspection on Cisco ASA/Firepower devices uses a DNS map to enforce a default maximum message length of 512 bytes, which aligns with the original DNS specification (RFC 1035). To allow larger DNS responses (e.g., those using EDNS0, which can exceed 512 bytes), you must increase the message-length maximum under the DNS map. This change permits the firewall to reassemble and forward DNS packets that exceed the default limit without dropping them.

Exam trap

Cisco often tests the misconception that ACLs or removing inspection policies are the solution for application-layer drops, when in fact the issue is a specific inspection parameter (DNS message-length) that must be tuned via a DNS map.

How to eliminate wrong answers

Option A is wrong because removing the DNS inspection policy entirely would disable all DNS inspection, including security checks like DNS query/response validation, which is an overly broad and insecure solution. Option B is wrong because an access-list permits traffic at the network layer based on IP addresses and ports, but it does not affect the application-layer inspection of DNS message length; the drop occurs due to the inspection engine, not a firewall ACL. Option C is wrong because the 'set connection advanced-options' command is used for advanced TCP connection settings (e.g., timeout, sequence number randomization) and has no bearing on DNS message-length limits.

405
MCQeasy

A small business uses Cisco ISE to authenticate employees via Active Directory. The company has a single ISE node and two Catalyst 2960-X switches. Employees connect to the network and are successfully authenticated using 802.1X with PEAP. The business wants to provide guest wireless access using a separate SSID with a captive portal. The engineer configures a new WLAN on the WLC (Cisco 2504) pointing to the same ISE node. Guest users can associate to the WLAN and get an IP address, but when they open a browser, they do not see the captive portal page; instead, they get a 'Connection refused' error. The engineer verifies that the guest portal is enabled on ISE and the WLC is configured to use ISE for RADIUS. What is the most likely cause?

A.The ISE guest portal service is not running
B.The guest user's device does not have a valid DNS server
C.The WLC is not configured with the ISE portal IP address for redirection
D.The guest WLAN does not have a pre-authentication ACL
AnswerC

The WLC needs to know where to redirect HTTP traffic; without that, the captive portal cannot appear.

Why this answer

The captive portal requires the guest traffic to be redirected to ISE's portal service. Typically, this is done by the WLC redirecting HTTP traffic to the ISE IP. If the DNS resolution for the portal fails or the WLC does not know the portal address, the redirect fails.

Option C is correct because the WLC must be configured with the portal IP address (or domain name) for redirection. Option A would affect all guest authentication, not just the portal display. Option B might also be required, but without a working redirect the portal will not appear regardless of DNS.

Option D is irrelevant.

406
MCQmedium

A company wants to provide both corporate and guest wireless access using the same access points. They require that guest users be placed into a separate VLAN and have internet-only access. Which Cisco solution should be used?

A.Cisco Identity Services Engine (ISE) with dACL and VLAN assignment
B.Cisco Prime Infrastructure
C.Cisco Flexible NetFlow
D.Cisco TrustSec with SGT
AnswerA

ISE can assign VLANs and downloadable ACLs based on user or device identity.

Why this answer

Cisco ISE with downloadable ACLs (dACL) and VLAN assignment is the correct solution because it enables dynamic per-user policy enforcement. When a guest user authenticates, ISE can place them into a dedicated guest VLAN and apply a dACL that restricts traffic to internet-only access, while corporate users remain in their native VLAN with full internal access. This leverages RADIUS CoA (Change of Authorization) and 802.1X to dynamically assign VLANs and filter traffic at the access point or switch.

Exam trap

The trap here is that candidates often confuse Cisco Prime Infrastructure or TrustSec as policy enforcement tools, but Prime is only for management and TrustSec uses SGTs for role-based access, not direct VLAN assignment for guest isolation.

How to eliminate wrong answers

Option B is wrong because Cisco Prime Infrastructure is a management and monitoring platform, not a policy enforcement engine; it cannot dynamically assign VLANs or apply per-user access control lists. Option C is wrong because Cisco Flexible NetFlow is a traffic monitoring and analysis tool that provides visibility into network flows, but it does not enforce access control or VLAN assignment. Option D is wrong because Cisco TrustSec with SGT (Security Group Tags) provides role-based access control using tag propagation, but it does not natively support VLAN assignment for guest segmentation; it relies on SGT-to-VLAN mapping which is not the direct mechanism for placing guest users into a separate VLAN with internet-only access.

407
MCQeasy

An administrator wants to prevent confidential data (e.g., credit card numbers) from being sent via email using Cisco ESA. Which feature should be enabled and configured with the appropriate dictionary?

A.Outbreak Filters with file reputation
B.Anti-Spam with URL reputation
C.Message Filters with regex pattern matching
D.Data Loss Prevention (DLP) with a predefined credit card dictionary
AnswerD

DLP is designed for sensitive data detection using predefined dictionaries.

Why this answer

Cisco ESA's Data Loss Prevention (DLP) feature is specifically designed to inspect outbound messages for sensitive data patterns, such as credit card numbers, using predefined dictionaries. By enabling DLP and selecting the appropriate credit card dictionary, the administrator can enforce policies to block or quarantine emails containing confidential information, directly addressing the requirement.

Exam trap

Cisco often tests the distinction between content inspection features (DLP) and threat-focused features (Outbreak Filters, Anti-Spam), leading candidates to confuse message filters or outbreak filters with DLP's specialized data classification capabilities.

How to eliminate wrong answers

Option A is wrong because Outbreak Filters with file reputation are designed to block malicious attachments based on file reputation and outbreak rules, not to inspect message content for sensitive data patterns like credit card numbers. Option B is wrong because Anti-Spam with URL reputation focuses on identifying and blocking spam emails based on sender reputation and malicious URLs, not on detecting confidential data within the email body or attachments. Option C is wrong because Message Filters with regex pattern matching can be used for custom content inspection, but they lack the predefined, comprehensive dictionaries and compliance-focused policies that DLP provides for sensitive data like credit card numbers, making DLP the correct and more efficient solution.

408
MCQeasy

The ISE logs show 'Authentication failed - RADIUS attribute Calling-Station-ID is missing' for a wired client. What is the most likely cause?

A.The switch is not configured to include the calling-station-id in RADIUS requests.
B.The switch is configured with 'authentication mac-move deny'.
C.The switch port is configured as a trunk port.
D.The client's MAC address is not registered in ISE.
AnswerA

The switch must send the MAC address via the Calling-Station-ID attribute; if not configured, it is missing.

Why this answer

Option A is correct because the switch must be configured to include the Calling-Station-ID (the client's MAC address) in its RADIUS requests; if it is not, the attribute is missing. Option D is incorrect because an unregistered MAC address would produce a different failure (an authorization or MAB lookup failure, not a missing attribute). Option B is incorrect because 'authentication mac-move deny' affects MAC mobility between ports, not attribute delivery.

Option C is incorrect because trunk ports do not affect 802.1X authentication.

409
MCQhard

Refer to the exhibit. A security analyst notices this CloudTrail log entry. Which security best practice is being violated?

A.SSH access is allowed from a single IP
B.Port 22 is open to the internet
C.The user identity is an admin account
D.RDP access is allowed from any IP address (0.0.0.0/0)
AnswerD

0.0.0.0/0 means all IPs, a major security risk.

Why this answer

The CloudTrail log shows an `AuthorizeSecurityGroupIngress` API call that adds a rule allowing RDP (port 3389) from `0.0.0.0/0`, which means any IP on the internet. This violates the security best practice of restricting administrative access to trusted IP addresses only. Allowing RDP from all sources exposes the instance to brute-force attacks and unauthorized access attempts.

Exam trap

Cisco often tests the distinction between the port being open (which is not inherently a violation) versus the source being `0.0.0.0/0` (which is the violation), causing candidates to incorrectly focus on the protocol (RDP vs SSH) rather than the overly permissive source.

How to eliminate wrong answers

Option A is wrong because the log entry does not show any SSH (port 22) rule being modified; the rule added is for RDP (port 3389), and the issue is about overly permissive access, not a single IP. Option B is wrong because the log entry does not mention port 22 or SSH; the open port is 3389 (RDP), and the violation is about the source being 0.0.0.0/0, not the port itself. Option C is wrong because while the user identity is an admin account, the core violation is the overly permissive security group rule, not the use of an admin account; using an admin account for routine tasks is a separate best practice concern, but the direct violation in the log is the 0.0.0.0/0 rule.

410
MCQhard

A security engineer is implementing Cisco Identity Services Engine (ISE) for 802.1X authentication. The requirement is to allow full network access for corporate devices that pass posture assessment, while providing limited access for guest devices. The engineer configures an authorization policy with conditions based on identity group and posture status. However, guest devices are still getting full access. What is the most likely cause?

A.The guest devices are not passing the certificate validation
B.The authorization rule for corporate devices is placed above the guest rule, and guest devices are matching the corporate rule first
C.MAC Authentication Bypass (MAB) is not enabled for the guest devices
D.The RADIUS attributes for dACL are not being sent correctly
AnswerB

ISE uses first-match; if guest devices match an earlier rule, they get the associated permissions.

Why this answer

Cisco ISE authorization policies are evaluated in top-down order, and the first matching rule is applied. If the corporate device rule is placed above the guest rule, guest devices that do not meet the posture condition may still match the corporate rule if the condition is not restrictive enough (e.g., if the identity group condition is broad or the posture check is not enforced as a required match). This results in guest devices receiving full access instead of the intended limited access.

Exam trap

Cisco often tests the concept that authorization rules are processed top-down and that a less specific rule placed above a more specific rule can cause unintended matches, leading candidates to overlook the importance of rule ordering and condition specificity.

How to eliminate wrong answers

Option A is wrong because certificate validation is part of the authentication phase (EAP-TLS or PEAP), not the authorization policy; failing certificate validation would prevent authentication entirely, not cause guest devices to get full access. Option C is wrong because MAB is a fallback authentication method for devices that do not support 802.1X, not a factor in authorization policy ordering; enabling MAB would not change which authorization rule matches first. Option D is wrong because RADIUS attributes for dACL are sent as part of the authorization result, not the cause of a misordered policy; if the wrong rule matches, the dACL attributes would be applied correctly for that rule, but the rule itself is incorrect.

411
MCQmedium

A user connected to port Gi1/0/1 cannot access the network. Based on the output, what is the most likely cause?

A.The RADIUS server is unreachable
B.The client does not support 802.1X
C.The switch has a misconfigured AAA command
D.The port is in errdisable state
AnswerB

EAP-timeout indicates client not responding to EAP.

Why this answer

Option B is correct because the 'Reason: EAP-timeout' indicates that the client did not respond to 802.1X EAP requests, which typically means the client does not support 802.1X or it is not enabled. Option A is incorrect because if the RADIUS server were unreachable, the switch would likely use a critical VLAN, but the reason is EAP-timeout from the client side. Option C is incorrect because AAA configuration would cause different errors.

Option D is incorrect because 'Errdisable' would show a different port state.

412
MCQhard

Refer to the exhibit. A network engineer applies a zone-based firewall policy to a router. Users in the INSIDE zone report they can access HTTP servers on the OUTSIDE zone but cannot resolve DNS names or access MS-SQL servers. What does the policy do to DNS and MS-SQL traffic?

A.They are allowed because no 'inspect' action is applied to the class.
B.They are dropped because the BAD_TRAFFIC class explicitly drops them.
C.They are inspected and allowed through the firewall.
D.They are dropped because they do not match the GOOD_TRAFFIC class.
AnswerB

The class BAD_TRAFFIC includes DNS and MS-SQL and applies the drop action.

Why this answer

The correct answer is B because the zone-based firewall policy explicitly defines a class map (BAD_TRAFFIC) that matches DNS (UDP/53) and MS-SQL (TCP/1433) traffic and applies the 'drop' action. Since the policy-map uses a 'class-default' action of 'inspect' for GOOD_TRAFFIC, any traffic not matching GOOD_TRAFFIC but matching BAD_TRAFFIC is dropped before inspection can occur. The users' symptoms confirm that DNS and MS-SQL are being dropped, while HTTP (matched by GOOD_TRAFFIC) is inspected and allowed.

Exam trap

Cisco often tests the misconception that 'inspect' in class-default automatically allows all traffic, but the trap here is that explicit 'drop' actions in higher-priority class maps (like BAD_TRAFFIC) override any default inspection, causing candidates to overlook the sequential processing order of class maps in a policy-map.

How to eliminate wrong answers

Option A is wrong because the 'inspect' action is applied to the GOOD_TRAFFIC class, not to DNS or MS-SQL; the BAD_TRAFFIC class explicitly drops them, so they are not allowed by default. Option C is wrong because DNS and MS-SQL are not inspected or allowed; they are matched by the BAD_TRAFFIC class, which applies a 'drop' action, overriding any default inspection behavior. Option D is wrong because the traffic is not dropped due to a lack of match with GOOD_TRAFFIC; it is dropped because it explicitly matches the BAD_TRAFFIC class, which has a 'drop' action, and the policy processes class matches in order (BAD_TRAFFIC before class-default).

413
MCQeasy

An administrator needs to ensure that only authorized hosts can connect to a switch port. The port is connected to a single PC. Which 802.1X host mode should be configured?

A.Single-Host
B.Multi-Domain
C.Multi-Auth
D.Multi-Host
AnswerA

Allows only one authenticated device.

Why this answer

Option A is correct because 'Single-Host' mode allows only one authenticated device per port, which is appropriate for a single PC. Option D is incorrect because 'Multi-Host' allows multiple devices after one successful authentication. Option B is incorrect because 'Multi-Domain' allows one device per domain (data and voice).

Option C is incorrect because 'Multi-Auth' allows multiple independent authentications on the port, which is unnecessary for a single PC.

414
MCQeasy

A financial company uses Cisco AMP for Endpoints to protect 500 Windows workstations. The security administrator notices that several endpoints in the accounting department are showing 'Out-of-Date' status for over a week. The administrator checks the AMP console and sees that the group policy for accounting has been modified to disable certain scanning features. The endpoints have Internet connectivity but are not updating their policy or receiving new definitions. The administrator suspects a misconfiguration. What should the administrator do first to resolve this issue?

A.Restart the AMP services on a few affected endpoints to force a policy update.
B.Verify that the endpoints can communicate with the AMP cloud by checking the connector's connectivity status.
C.Increase the policy polling interval from 60 minutes to 30 minutes.
D.Reinstall the AMP connector on all affected endpoints.
AnswerB

This identifies if the issue is network-related.

Why this answer

Option B is correct because the most common cause of 'Out-of-Date' endpoints is a communication issue. Checking the AMP connector's connection status (e.g., via the connector GUI) reveals whether the endpoint can reach the cloud. Option A (restart services) might temporarily fix the problem but does not identify the root cause.

Option D (reinstall connector) is drastic and should be a last resort. Option C (change the polling interval) does not help if there is a connectivity obstacle.

415
Multi-Selecthard

Which THREE actions should a security engineer take when configuring a Cisco AMP for Endpoints policy to minimize false positives while maintaining strong protection?

Select 3 answers
A.Configure custom whitelist exclusions for trusted applications
B.Use group-based policies to apply different rules to different endpoint populations
C.Enable all exploit prevention rules regardless of environment
D.Set file reputation to block only files with 'Malicious' disposition
E.Disable file reputation to reduce cloud queries
AnswersA, B, D

Whitelisting reduces false positives.

Why this answer

Options A, B, and D are correct. Configuring whitelist exclusions (A) prevents legitimate applications from being flagged. Setting different policies for different groups (B) allows tailored rules per endpoint population.

Using the disposition filter to block only 'Malicious' files (D) avoids blocking unknown but benign files. Option C (enable all exploit prevention rules) may cause false positives from legitimate applications. Option E (disable file reputation) reduces protection.

416
MCQeasy

An organization wants to implement endpoint protection that uses behavioral analysis to detect ransomware. The solution must be able to roll back changes made by the ransomware after detection. Which Cisco endpoint security feature provides this capability?

A.Exploit prevention with ransomware rollback
B.File reputation scanning
C.Device flow telemetry
D.Application blocking via policy
AnswerA

Exploit prevention uses behavioral analysis to detect ransomware and can roll back file changes automatically.

Why this answer

Option A is correct because Cisco's endpoint protection includes a behavioral analysis engine that monitors for ransomware-like activities (e.g., mass file encryption, rapid file modifications). Upon detection, the feature automatically triggers a rollback, restoring affected files to their pre-encryption state using Volume Shadow Copy Service (VSS) snapshots or similar mechanisms, effectively reversing the ransomware's changes.

Exam trap

Cisco often tests the distinction between prevention (blocking before execution) and remediation (rolling back after execution), so candidates may confuse file reputation or application blocking with the rollback capability, missing that only behavioral analysis with rollback addresses post-infection recovery.

How to eliminate wrong answers

Option B is wrong because file reputation scanning relies on static or cloud-based hash lookups (e.g., Talos intelligence) to block known malware, but it does not perform behavioral analysis or rollback changes. Option C is wrong because device flow telemetry (e.g., NetFlow or IPFIX) provides network traffic visibility and anomaly detection, but it is not an endpoint security feature and cannot reverse file modifications. Option D is wrong because application blocking via policy uses allow/deny lists or path-based rules to prevent execution, but it lacks behavioral detection and the ability to undo changes after an attack.

417
MCQ (hard)

An organization deploys AMP for Endpoints with the Orbital module to perform advanced endpoint telemetry. The team wants to create a query that retrieves all running processes with a network connection to an external IP address. Which Orbital query language syntax is correct?

A.SELECT * FROM all_processes WHERE ip = 'external'
B.SELECT * FROM all_processes WHERE listening = 'true'
C.SELECT * FROM processes WHERE network_connection = 'true'
D.SELECT * FROM all_processes WHERE remote_ip IN (SELECT ip FROM connections WHERE direction = 'OUT')
Answer: D

This correctly uses the 'all_processes' table with a subquery on 'connections' to filter processes with outgoing remote connections.

Why this answer

Option D is correct because the Orbital 'all_processes' table with an 'IN' filter for network connections is the standard approach. Option C is incorrect because 'processes' is not a valid table; it's 'all_processes'. Option B is incorrect because 'listening' is for listening ports, not outgoing connections.

Option A is incorrect because the 'where' clause incorrectly uses 'ip' without qualifying it.

418
MCQ (hard)

A security team suspects that malware is exfiltrating data by encoding it in DNS queries. Which Cisco security solution is specifically designed to analyze DNS traffic for malicious activity?

A.Cisco Firepower NGFW
B.Cisco Stealthwatch
C.Cisco Email Security Appliance
D.Cisco Umbrella
Answer: D

Umbrella provides DNS security and can detect tunneling.

Why this answer

Cisco Umbrella is a cloud-delivered security solution that provides DNS-layer security by intercepting and analyzing DNS queries. It can detect and block DNS-based data exfiltration techniques, such as DNS tunneling, by inspecting DNS request patterns and comparing them against threat intelligence feeds. This makes it the correct choice for analyzing DNS traffic for malicious activity.

Exam trap

Cisco often tests the distinction between network security appliances that inspect traffic (like Firepower) versus cloud-based DNS security (Umbrella), leading candidates to mistakenly choose Firepower because they think 'DNS traffic analysis' implies a firewall feature.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower NGFW is a next-generation firewall that inspects network traffic at layers 3-7 but does not have native, dedicated DNS traffic analysis for detecting data exfiltration via DNS tunneling; it relies on Snort rules or external integrations. Option B is wrong because Cisco Stealthwatch focuses on network visibility and behavioral analytics using NetFlow/IPFIX data, not deep DNS query inspection, and is not specifically designed to analyze DNS traffic for malicious activity. Option C is wrong because Cisco Email Security Appliance (ESA) is designed to protect against email-based threats such as spam, phishing, and malware, and does not analyze DNS traffic.

419
MCQ (hard)

Refer to the exhibit. An engineer is analyzing an intrusion policy on Cisco Firepower Management Center (FMC). The network uses Windows servers and clients. A flood of HTTP traffic is being detected as a potential attack, but it is legitimate. Which preprocessor configuration change would most likely reduce false positives without losing detection of real attacks?

A.Disable the http_inspect preprocessor
B.Change global_sensitivity to medium
C.Change frag3 policy to bsd
D.Change stream5_tcp policy to linux
Answer: B

Lowering sensitivity reduces false positives for benign traffic while still detecting true attacks.

Why this answer

The http_inspect preprocessor's global_sensitivity setting controls how aggressively it normalizes HTTP traffic before analysis. Setting it to 'medium' reduces false positives from legitimate HTTP floods by relaxing the threshold for anomalous HTTP behavior, while still allowing the preprocessor to detect real attacks that exhibit more extreme deviations. This is the most targeted change because it directly addresses the flood of HTTP traffic without disabling the preprocessor entirely.

Exam trap

Cisco often tests the misconception that disabling a preprocessor or changing unrelated protocol policies (like TCP or IP fragmentation) is the solution, when the correct answer is a targeted tuning parameter within the relevant preprocessor.

How to eliminate wrong answers

Option A is wrong because disabling the http_inspect preprocessor would remove all HTTP normalization and inspection, likely causing the intrusion policy to miss real HTTP-based attacks (e.g., SQL injection, cross-site scripting) and potentially increasing false negatives. Option C is wrong because changing the frag3 policy to 'bsd' alters IP fragment reassembly behavior (e.g., handling overlapping fragments), which is unrelated to HTTP traffic floods and would not reduce false positives for HTTP-based events. Option D is wrong because changing the stream5_tcp policy to 'linux' modifies TCP stream reassembly parameters (e.g., handling of TCP retransmissions or window scaling), which does not address the HTTP flood issue and could disrupt legitimate TCP connections without affecting HTTP-level false positives.

420
MCQ (easy)

A network administrator is troubleshooting an issue where users in the Sales VLAN cannot access the internet through the Cisco Firepower Threat Defense (FTD) device. The FTD is configured with a security policy that allows traffic from the Sales subnet to any destination. However, the traffic is being blocked. Which feature should the administrator check first to resolve the issue?

A.Identity policy
B.SSL decryption policy
C.Intrusion prevention policy
D.URL filtering policy
Answer: D

URL filtering can block traffic even if the security policy allows it.

Why this answer

The correct answer is D, URL filtering policy. Even though the security policy allows traffic from the Sales subnet to any destination, a URL filtering policy can block internet access by categorizing or matching the destination URLs. If the policy is set to block all URLs or a specific category (e.g., 'Uncategorized URLs'), traffic will be dropped before it reaches the internet, regardless of the allow rule in the access control policy.

Exam trap

The trap here is that candidates assume an 'Allow' rule in the access control policy guarantees traffic flow, but Cisco tests the understanding that subordinate policies (like URL filtering) can override the parent rule's action, causing traffic to be blocked despite a seemingly permissive policy.

How to eliminate wrong answers

Option A is wrong because Identity policy is used to map users to groups for authentication and authorization, not to block or allow internet traffic based on URL or destination; it does not directly block traffic that is already allowed by the security policy. Option B is wrong because SSL decryption policy controls whether encrypted traffic is decrypted for inspection, but it does not block traffic by itself; traffic can still flow even if decryption is disabled or bypassed. Option C is wrong because Intrusion prevention policy (IPS) inspects traffic for malicious patterns and can drop malicious packets, but it would not block all internet traffic from a subnet unless a specific signature triggered; it is not a blanket block for internet access.

421
MCQ (hard)

During a threat hunt, you need to retrieve forensic data from a remote endpoint that is currently not communicating with the AMP cloud. Which Cisco tool enables you to perform an on-demand scan and collect telemetry from that endpoint even when it is offline?

A.Cisco Threat Response
B.Cisco Stealthwatch
C.Cisco Orbital
D.Cisco AMP Console
Answer: C

Orbital provides advanced endpoint querying and can execute on-demand or scheduled tasks even if the endpoint is offline.

Why this answer

Cisco Orbital allows you to issue commands to endpoints for forensic data collection. If the endpoint is unreachable, you can schedule a task to execute when it reconnects.

422
Matching (medium)

Match each 802.1X component to its role.



Client requesting network access

Network device that enforces access control

RADIUS server that validates credentials

Extensible Authentication Protocol framework

Protocol used for AAA services

Why these pairings

These are key components of 802.1X authentication.

423
Multi-Select (easy)

A security architect is evaluating Cisco Cloud Security portfolio for SaaS access protection. Which two solutions provide inline traffic inspection for cloud applications? (Choose two.)

Select 2 answers
A.Cisco Secure Firewall
B.Cisco Umbrella SIG
C.Cisco Cloudlock
D.Cisco DUO
E.Cisco Secure Workload
Answers: A, B

Secure Firewall can be deployed as a virtual appliance in the cloud for inline traffic inspection.

Why this answer

Cisco Secure Firewall (A) provides inline traffic inspection for cloud applications through its Next-Generation Firewall (NGFW) capabilities, including Application Visibility and Control (AVC) and SSL/TLS decryption, allowing it to inspect and enforce policies on traffic to and from SaaS applications. Cisco Umbrella SIG (B) is a cloud-delivered Secure Internet Gateway (SIG) that performs inline proxy-based inspection of all web traffic, including SaaS applications, by intercepting DNS and HTTP/HTTPS requests to enforce security policies such as URL filtering, malware detection, and data loss prevention.

Exam trap

Cisco often tests the distinction between API-based CASB (like Cloudlock) and inline proxy-based SIG (like Umbrella), where candidates mistakenly assume all cloud security solutions perform inline inspection, but Cloudlock only provides out-of-band API access for compliance and data protection, not real-time traffic inspection.

424
MCQ (easy)

Refer to the exhibit. A network administrator is troubleshooting a wired client that has successfully authenticated using MAB. However, the client is unable to access resources beyond the local subnet. What is the most likely cause?

A.The client's IP address is from a DHCP scope that does not include a default gateway.
B.The VLAN policy is incorrect; the client should be in VLAN 20.
C.The switch is not configured for inter-VLAN routing.
D.The authorization policy is missing a downloadable ACL (dACL) to allow traffic.
Answer: D

Without a dACL, the switch may default to deny all traffic beyond the local subnet.

Why this answer

Option D is correct because the authorization policy 'Permit_Access' likely does not include a downloadable ACL (dACL), so no traffic filtering is applied on the switch to allow inter-subnet traffic. Option B is incorrect because VLAN 10 is assigned; subnet routing is separate. Option C is incorrect because routing is not configured per port.

Option A is incorrect because the DHCP scope is not directly related to the issue.

425
MCQ (hard)

A security architect is designing a zero-trust architecture for a remote workforce using Cisco SD-WAN. The company requires that all traffic between branch sites and the data center is encrypted and authenticated, and that no device can access resources unless it has a valid certificate. Which technology should be used to enforce device identity?

A.802.1X with EAP-TLS
B.Network Access Control (NAC)
C.Cisco TrustSec
D.IPsec VPN
Answer: C

TrustSec uses SGTs to enforce access based on device identity and is a key component of zero trust.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) and device identity based on certificates to enforce access control in a zero-trust architecture. It integrates with SD-WAN to ensure that only devices with valid certificates can communicate, meeting the requirement for encrypted and authenticated traffic between branch sites and the data center.

Exam trap

The trap here is that candidates often confuse IPsec VPN's encryption and authentication of the tunnel with device identity enforcement, but IPsec authenticates the peer (router or firewall), not the individual device, which is a critical distinction in zero-trust architectures.

How to eliminate wrong answers

Option A is wrong because 802.1X with EAP-TLS is a port-based authentication mechanism for network access control at the edge, not a technology for enforcing device identity across SD-WAN tunnels between branches and data centers. Option B is wrong because Network Access Control (NAC) is a broader framework for admission control, but it does not natively provide the certificate-based device identity enforcement and SGT-based segmentation that TrustSec offers in a zero-trust SD-WAN context. Option D is wrong because IPsec VPN provides encryption and authentication for traffic, but it does not enforce device identity via certificates; it authenticates the VPN gateway or peer, not the individual device accessing resources.

426
Multi-Select (medium)

An organization is implementing Cisco Secure Cloud Insights (formerly CloudCenter). Which three capabilities does this tool provide? (Choose three.)

Select 3 answers
A.Cloud security posture management
B.Workload migration planning
C.User behavior analytics
D.Network traffic analysis
E.Cloud cost optimization
Answers: A, B, E

Identifies misconfigurations and compliance violations.

Why this answer

Cisco Secure Cloud Insights (formerly CloudCenter) provides cloud security posture management (CSPM) by continuously monitoring cloud environments for misconfigurations, compliance violations, and security risks. It helps organizations enforce security policies across multi-cloud deployments, ensuring alignment with frameworks like CIS and NIST.

Exam trap

Cisco often tests the distinction between cloud security posture management (CSPM) and cloud workload protection platform (CWPP) capabilities, leading candidates to confuse CloudCenter's CSPM and cost optimization features with unrelated tools like user behavior analytics or network traffic analysis.

427
MCQ (hard)

A security administrator discovers that users are evading the corporate firewall by using SSH to tunnel HTTP traffic to external servers. Which action can be taken on a Cisco ASA firewall to detect and prevent this?

A.Configure a dynamic PAT rule to limit the number of SSH sessions
B.Enable SSH inspection using the 'inspect ssh' command in the global policy
C.Create an access-list to block port 22 entirely
D.Implement SSL decryption to inspect the encrypted SSH payload
Answer: B

SSH inspection allows the firewall to apply deep inspection and enforce policies on SSH traffic.

Why this answer

Option B is correct because enabling SSH inspection with the 'inspect ssh' command on a Cisco ASA allows the firewall to monitor SSH control channel negotiations and detect when SSH is being used to tunnel other protocols (like HTTP). The ASA can then enforce policies to block such tunneling, preventing users from bypassing the corporate firewall.

Exam trap

Cisco often tests the misconception that blocking port 22 is a valid solution, but the trap is that this would also block legitimate SSH access, whereas SSH inspection provides granular control without disrupting normal operations.

How to eliminate wrong answers

Option A is wrong because dynamic PAT (Port Address Translation) limits the number of simultaneous translations, not the number of SSH sessions, and does not inspect or prevent SSH tunneling. Option C is wrong because blocking port 22 entirely would also block legitimate SSH administrative access, which is an overly restrictive and impractical solution. Option D is wrong because SSL decryption is designed to inspect HTTPS traffic, not SSH; SSH uses its own encryption protocol (not SSL/TLS), and the ASA cannot decrypt SSH payloads without breaking the SSH protocol.

428
MCQ (medium)

A company has 500 users who work remotely and connect to cloud-based SaaS applications. The security team is concerned about malware downloads from these applications. They have deployed Cisco Umbrella with the SIG feature. However, after deployment, a test shows that downloading a file from Dropbox is not being inspected by the cloud security stack. The Umbrella dashboard indicates that the policy is active and the SIG feature is enabled. The network team confirms that the users are using the Umbrella roaming client and that the traffic is correctly forwarding to Umbrella. What is the most likely issue?

A.The SIG inspection only applies to HTTP traffic, not HTTPS
B.The Dropbox application uses non-standard ports
C.The users' devices are not configured with the Umbrella roaming client
D.The traffic is bypassed because of an explicit bypass rule for Dropbox
Answer: D

Umbrella SIG includes automatic bypass for high-traffic cloud apps to optimize performance.

Why this answer

Option D is correct because Cisco Umbrella's SIG (Secure Internet Gateway) feature can be configured with explicit bypass rules for specific applications or domains. Even when the SIG is enabled and traffic is forwarding correctly, an administrator may have inadvertently created a bypass rule for Dropbox, causing its traffic to skip cloud security inspection. This explains why the policy is active but downloads from Dropbox are not inspected.

Exam trap

Cisco often tests the concept that a feature being 'enabled' does not guarantee all traffic is inspected, as explicit bypass rules or policy misconfigurations can override the inspection, leading candidates to incorrectly assume the issue is with client configuration or protocol support.

How to eliminate wrong answers

Option A is wrong because Cisco Umbrella SIG supports HTTPS inspection via TLS/SSL decryption, so it can inspect HTTPS traffic, not just HTTP. Option B is wrong because Dropbox uses standard HTTPS ports (443) and Umbrella SIG inspects traffic based on domain and application, not just port numbers; non-standard ports would not cause a bypass unless explicitly configured. Option C is wrong because the question states the network team confirmed users are using the Umbrella roaming client and traffic is correctly forwarding to Umbrella, so the client is properly configured.

429
MCQ (hard)

A network administrator is troubleshooting an issue where users cannot send emails with attachments larger than 10 MB through the Cisco Email Security Appliance (ESA). The ESA is configured with a mail flow policy that has a maximum message size of 20 MB. What is the most likely cause of the issue?

A.The mail flow policy maximum message size is set too low.
B.The HAT (Host Access Table) maximum message size is set to 10 MB.
C.The outgoing mail policy has a smaller attachment size limit.
D.The ESA default maximum attachment size is 10 MB.
Answer: D

The default maximum attachment size in ESA is 10 MB, which restricts attachments even if the overall message size is larger.

Why this answer

The Cisco ESA has a built-in default maximum attachment size of 10 MB, which is separate from the mail flow policy's maximum message size. Even though the mail flow policy allows messages up to 20 MB, the attachment size limit is enforced by the ESA's default configuration, which caps individual attachments at 10 MB. This default can be overridden in the mail flow policy or system settings, but if not explicitly changed, it remains the limiting factor.

Exam trap

The trap here is that candidates confuse the mail flow policy's maximum message size with the attachment size limit, assuming that increasing the message size automatically allows larger attachments, when in fact they are independently configured.

How to eliminate wrong answers

Option A is wrong because the mail flow policy maximum message size is set to 20 MB, which is already larger than the 10 MB attachment limit, so it is not the cause. Option B is wrong because the HAT (Host Access Table) controls sender-based access and rate limiting, not attachment size limits; attachment size is governed by mail flow policies or system defaults. Option C is wrong because outgoing mail policies do not have a separate attachment size limit; the attachment size is controlled by the same mail flow policy or global default settings.

430
MCQ (medium)

A network engineer notices that some Windows 10 clients fail to authenticate via 802.1X after a recent OS update. The supplicant shows 'EAPOL-Start' but never receives an EAP-Request/Identity. The switch port is configured with 'authentication port-control auto' and 'dot1x pae authenticator'. What is the most likely cause?

A.The switch port is configured as a trunk port
B.The switch has 'aaa authentication dot1x default none' globally
C.The switch port is configured with 'authentication order mab dot1x'
D.The switch is configured with 'snmp-server community' which disables 802.1X
Answer: A

802.1X is not supported on trunk ports by default. The switch will not respond to EAPOL-Start on trunk ports.

Why this answer

Option A is correct because if the switch port is configured as a trunk, 802.1X is not supported on trunk ports by default. Option D is wrong because SNMP does not affect EAPOL. Option B is wrong because global authentication mode 'none' would not affect a single port.

Option C is wrong because MAB is a fallback method, not the cause of EAPOL-Start not being answered.

431
MCQ (easy)

A network administrator is configuring 802.1X authentication on Cisco switches for wired endpoints. Which protocol is used between the client (supplicant) and the switch (authenticator)?

A.RADIUS
B.EAP over UDP
C.EAP over LAN (EAPoL)
D.TACACS+
Answer: C

EAPoL is the standard protocol for 802.1X between client and switch.

Why this answer

In 802.1X authentication, the client (supplicant) communicates with the switch (authenticator) using EAP over LAN (EAPoL), which is defined in IEEE 802.1X-2004. EAPoL encapsulates EAP frames in Ethernet frames, allowing the supplicant to send authentication credentials to the authenticator before granting network access. The authenticator then relays these EAP messages to the authentication server (typically a RADIUS server) using RADIUS, but the direct protocol between client and switch is EAPoL.

Exam trap

Cisco often tests the distinction between the protocol used on the client-to-switch link (EAPoL) versus the protocol used on the switch-to-server link (RADIUS), causing candidates to mistakenly select RADIUS or TACACS+ because they are more familiar with AAA protocols.

How to eliminate wrong answers

Option A is wrong because RADIUS is used between the authenticator (switch) and the authentication server, not between the client and the switch; the client never sends RADIUS packets directly to the switch. Option B is wrong because EAP over UDP is not a standard protocol for 802.1X; EAPoL uses Ethernet frames (Layer 2), not UDP (Layer 4), and EAP over UDP is sometimes used in other contexts like EAP-FAST but not for wired 802.1X supplicant-authenticator communication. Option D is wrong because TACACS+ is a Cisco-proprietary protocol used for device administration (AAA for CLI access), not for network access control via 802.1X; it separates authentication, authorization, and accounting but is not used in the 802.1X framework.

432
Matching (medium)

Match each encryption algorithm to its type.



Symmetric block cipher

Asymmetric public-key algorithm

Hash function

Symmetric block cipher (legacy)

Key exchange algorithm

Why these pairings

These are common encryption algorithms and their categories.

433
MCQ (medium)

A company is designing a secure segmentation strategy for a three-tier web application. They want to isolate the web, application, and database tiers while allowing only necessary traffic. Which design best achieves defense-in-depth while minimizing complexity?

A.Place each tier in a separate VLAN and rely on ACLs on the distribution switch.
B.Deploy a dedicated firewall for each tier and connect them in series.
C.Use VRF-Lite with SGTs and enforce policies via Cisco ISE.
D.Place a single stateful firewall between each tier with separate interfaces.
Answer: C

Allows granular, policy-based segmentation without per-tier firewalls.

Why this answer

Option C is correct because VRF-Lite with Security Group Tags (SGTs) and Cisco ISE provides scalable, policy-based segmentation that follows the defense-in-depth principle. VRF-Lite creates separate routing tables for each tier, while SGTs enforce granular, identity-based access control at the network layer, reducing complexity compared to multiple firewalls or ACLs. This design allows necessary traffic between tiers without relying on IP addresses alone, aligning with zero-trust architecture.

Exam trap

Cisco often tests the misconception that stateful firewalls alone (Option D) or VLANs with ACLs (Option A) provide sufficient segmentation, but the trap is that defense-in-depth requires policy-based, identity-aware controls like SGTs to prevent lateral movement and reduce complexity in multi-tier applications.

How to eliminate wrong answers

Option A is wrong because relying solely on ACLs on a distribution switch lacks stateful inspection and cannot enforce application-layer policies, making it vulnerable to IP spoofing and insufficient for defense-in-depth. Option B is wrong because deploying a dedicated firewall for each tier in series introduces unnecessary complexity, latency, and single points of failure, violating the principle of minimizing complexity. Option D is wrong because placing a single stateful firewall between each tier with separate interfaces still creates a bottleneck and does not provide the granular, identity-based segmentation that SGTs offer, nor does it scale well for multi-tier environments.

434
MCQ (easy)

An organization is deploying Cisco Secure Endpoint (AMP) for the first time in a Windows environment. The security team wants to ensure that any file executed from a USB drive is automatically scanned and blocked if malicious. Which policy feature should be enabled to achieve this?

A.Enable File Reputation to check files against the cloud.
B.Enable Exploit Prevention to block malicious code execution.
C.Configure Quarantine actions for all file events.
D.Enable Removable Media Scan in the policy.
Answer: D

This feature automatically scans files on removable media when accessed.

Why this answer

Option D is correct because 'Removable Media Scan' in the AMP policy specifically scans files on removable media. Option A is wrong because 'File Reputation' is global scanning for all file executions but not media-specific. Option B is wrong because 'Exploit Prevention' protects against exploits, not file scanning.

Option C is wrong because 'Quarantine' is an action, not a feature that triggers scanning.

435
Drag & Drop (medium)

Drag and drop the steps to recover a lost password on a Cisco IOS router in the correct order.



Why this order

Enter ROMmon, change register to skip startup-config, boot, copy config, change password, save, and restore register.

436
MCQ (hard)

You are a security engineer for a multinational corporation that uses a hybrid cloud environment with AWS and Azure. The company has deployed Cisco Cloudlock for SaaS security and Cisco Umbrella for DNS-layer security. Recently, the incident response team detected that an employee's credentials were compromised, and the attacker used them to access the company's Office 365 tenant. The attacker exfiltrated sensitive data by sending emails with attachments to external addresses. Cloudlock logs show that the data exfiltration occurred because the policy for 'Outbound Email with Attachments' was set to 'Allow' for all users. The attacker also used a personal Google Drive account to store stolen data, which was not detected by Cloudlock because Google Drive is not sanctioned. You need to recommend a course of action to prevent similar incidents. Which action should you take first?

A.Reset the compromised user's password and revoke all active sessions
B.Implement multi-factor authentication for all Office 365 users
C.Modify the Cloudlock policy to block outbound emails with attachments containing sensitive data for all users
D.Sanction Google Drive and create a Cloudlock policy to monitor it
Answer: C

Directly addresses the exfiltration method used.

Why this answer

Option C is correct because the incident occurred due to a misconfigured Cloudlock policy that allowed outbound emails with attachments. By modifying the policy to block outbound emails containing sensitive data, you directly address the exfiltration vector used by the attacker. This is the most immediate and effective control to prevent recurrence of the same attack method.

Exam trap

Cisco often tests the distinction between immediate remediation (blocking the exfiltration vector) versus long-term security improvements (MFA, password resets), and the trap here is that candidates may choose MFA or password reset because they focus on the credential compromise rather than the policy misconfiguration that allowed the data loss.

How to eliminate wrong answers

Option A is wrong because while resetting the compromised password and revoking sessions is a necessary remediation step, it does not prevent future incidents if the same policy misconfiguration remains. Option B is wrong because multi-factor authentication (MFA) would have helped prevent the initial compromise, but the question asks for the first action to prevent similar incidents, and the immediate vulnerability is the permissive Cloudlock policy that allowed the exfiltration. Option D is wrong because sanctioning Google Drive and creating a monitoring policy does not address the fact that the attacker already used an unsanctioned service; the primary exfiltration method was via Office 365 email, which was allowed by the existing policy.

437
MCQ (medium)

A network administrator is configuring management access on a Cisco router. The requirement is to provide encrypted remote access with AAA authentication and fallback to local credentials if the AAA server is unavailable. Which configuration best meets these requirements?

A.Enable Telnet with a local username and password.
B.Enable SSHv2 with AAA authentication and 'aaa authentication login default group radius local' configured.
C.Enable HTTP with AAA authentication.
D.Use SNMPv3 with read-write community strings.
Answer: B

SSH provides encryption, and AAA with local fallback meets the availability requirement.

Why this answer

Option B is correct because SSHv2 provides encrypted remote access, and the command 'aaa authentication login default group radius local' configures AAA authentication with RADIUS as the primary method and local credentials as a fallback if the RADIUS server is unreachable. This meets the requirement for both encrypted access and AAA fallback to local authentication.

Exam trap

Cisco often tests the distinction between encrypted (SSH) and unencrypted (Telnet, HTTP) protocols, and the specific behavior of AAA fallback (local only on server non-response, not on authentication denial).

How to eliminate wrong answers

Option A is wrong because Telnet transmits all data, including credentials, in cleartext, failing the requirement for encrypted remote access. Option C is wrong because HTTP does not encrypt traffic by default; HTTPS would be required for encryption, and the question specifies 'HTTP' without encryption. Option D is wrong because SNMPv3 with read-write community strings is used for network management polling and configuration, not for interactive remote shell access, and community strings are not a secure authentication method for management access.

438 · MCQ · easy

A network administrator is configuring Cisco Email Security Appliance (ESA) to prevent outgoing spam. The company wants to ensure that all outgoing emails contain a legal disclaimer and that any email with more than 20 recipients is delayed. Which two features should be combined?

A. Outgoing mail policy with Disclaimer action and Destination Controls
B. Data Loss Prevention (DLP) and Outbreak Filters
C. Antivirus scanning
D. Message Filters with content scanning
Answer: A

The Disclaimer action adds the legal text, and Destination Controls can set recipient rate limits.

Why this answer

Option A is correct because the requirement to add a legal disclaimer is met by the Disclaimer action within an Outgoing Mail Policy, and the requirement to delay emails with more than 20 recipients is met by Destination Controls, which allow rate-limiting based on recipient count per message. These two features are specifically designed for outgoing email control and can be combined in a single mail policy.

Exam trap

Cisco often tests the distinction between Mail Policies (which include Disclaimer and Destination Controls) and Message Filters (which are more granular but lack Destination Controls), leading candidates to incorrectly choose Message Filters for both requirements.

How to eliminate wrong answers

Option B is wrong because Data Loss Prevention (DLP) focuses on detecting and blocking sensitive data in emails, not adding disclaimers or delaying messages based on recipient count; Outbreak Filters are designed to detect and block new malware outbreaks, not for disclaimer insertion or recipient-based delays. Option C is wrong because Antivirus scanning only detects and removes malware in email attachments; it does not add disclaimers or enforce recipient count limits. Option D is wrong because Message Filters with content scanning can add disclaimers but cannot enforce recipient-based delays; Destination Controls are a separate feature not available within Message Filters.

439 · MCQ · medium

An organization is using Microsoft 365 and wants to prevent sensitive data from being shared externally via email and OneDrive. Which Cisco cloud security product should they deploy?

A. Cisco Cloudlock
B. Cisco Umbrella
C. Cisco Stealthwatch
D. Cisco Duo
Answer: A

Cloudlock offers DLP for cloud applications like M365.

Why this answer

Cisco Cloudlock is the correct choice because it is a cloud-native CASB (Cloud Access Security Broker) that integrates with Microsoft 365 to enforce data loss prevention (DLP) policies. It can inspect email attachments and OneDrive files for sensitive data patterns (e.g., credit card numbers, PII) and block external sharing based on policy. Cloudlock uses APIs to scan content at rest and in transit, providing granular control over data residency and sharing permissions.

Exam trap

Cisco often tests the distinction between CASB (Cloudlock) and other security products by listing multiple cloud-related tools, and the trap here is that candidates confuse Umbrella's broad web security capabilities with the specific DLP and data-sharing controls that only a CASB like Cloudlock provides.

How to eliminate wrong answers

Option B (Cisco Umbrella) is wrong because it is a DNS-layer security gateway focused on web filtering, threat intelligence, and blocking malicious domains—it does not provide content inspection or DLP for SaaS applications like Microsoft 365. Option C (Cisco Stealthwatch) is wrong because it is a network traffic analysis tool that uses NetFlow and behavioral analytics to detect anomalies and threats within the network, not for controlling data sharing in cloud applications. Option D (Cisco Duo) is wrong because it is a multi-factor authentication (MFA) and zero-trust access solution that verifies user identity but does not inspect or prevent data leakage in email or OneDrive.

440 · MCQ · hard

Refer to the exhibit. A network engineer configures a site-to-site VPN between a Cisco router and an Azure VPN gateway. After configuration, the tunnel is not coming up. Which issue is most likely causing the problem?

A. The access list is not permitting the correct source/destination traffic
B. The tunnel mode is not set to transport
C. Missing IKEv2 proposal match on the Azure side
D. The crypto map does not specify the local identity
Answer: C

Azure VPN gateway requires matching IKE proposals; mismatch prevents tunnel establishment.

Why this answer

The most likely issue is a mismatch in IKEv2 proposals between the Cisco router and the Azure VPN gateway. Azure requires specific IKEv2 encryption (e.g., AES256), integrity (e.g., SHA256), and DH group (e.g., DH Group 14) parameters. If the Cisco router's crypto ikev2 proposal does not exactly match the Azure-side settings, the IKEv2 SA negotiation fails, preventing the tunnel from coming up.

Exam trap

Cisco often tests the concept that IKEv2 proposal mismatches are a frequent cause of tunnel failures when connecting to cloud providers like Azure, AWS, or GCP; candidates mistakenly blame ACLs or crypto map issues instead of verifying the IKEv2 proposals and transform sets.

How to eliminate wrong answers

Option A is wrong because the access list in a site-to-site VPN configuration is used to define interesting traffic (traffic to be encrypted), not to permit the tunnel itself; a misconfigured ACL would cause traffic to be sent in clear text or dropped, but would not prevent the IKE/IPsec tunnel from establishing. Option B is wrong because tunnel mode (transport vs. tunnel) is not relevant to IKEv2 proposal mismatches; for site-to-site VPNs, tunnel mode is the default and correct setting, and transport mode is used for host-to-host or L2L with special requirements. Option D is wrong because the crypto map does not need to specify a local identity; the local identity is derived from the IP address of the interface or the configured identity (e.g., FQDN) in the IKEv2 profile, and its absence would not cause a proposal mismatch.

441 · Multi-Select · medium

Which THREE are characteristics of Cisco ISE profiler service?

Select 3 answers
A. It can determine the endpoint operating system based on MAC OUI and DHCP fingerprints
B. It uses a combination of active and passive probes to identify endpoint attributes
C. It can provide attributes used in authorization policy conditions
D. It performs posture compliance checking on endpoints
E. It requires the installation of an ISE agent on all endpoints
Answers: A, B, C

Profiling uses these attributes to identify OS.

Why this answer

Options A, B, and C are correct. A: Profiling can be based on MAC OUI and DHCP fingerprints. B: Profiling uses both active and passive probes. C: Profiler can feed attributes to authorization policies.

D: Profiler does not perform posture assessments; that is the posture service. E: Profiling does not require an agent; it is agentless.

442 · MCQ · easy

An engineer is troubleshooting a site-to-site IPsec VPN between two Cisco routers. The tunnel is not establishing. Which command would verify that IKE phase 1 negotiations have completed successfully?

A. show crypto ipsec sa
B. show crypto isakmp sa
C. show crypto map
D. debug crypto isakmp
Answer: B

This command displays IKE phase 1 security associations.

Why this answer

The 'show crypto isakmp sa' command displays the state of IKE (Internet Key Exchange) Phase 1 security associations (SAs). A successful Phase 1 negotiation is indicated by a state of 'MM_ACTIVE' (Main Mode) or 'QM_IDLE' (Aggressive Mode), confirming that the peers have mutually authenticated and established a secure ISAKMP tunnel. This is the direct verification command for Phase 1 completion.

Exam trap

Cisco often tests the distinction between Phase 1 (ISAKMP) and Phase 2 (IPsec) commands, trapping candidates who confuse 'show crypto ipsec sa' (Phase 2) with 'show crypto isakmp sa' (Phase 1) for verifying IKE negotiations.

How to eliminate wrong answers

Option A is wrong because 'show crypto ipsec sa' displays IPsec Phase 2 SAs, which are only created after IKE Phase 1 has completed; it cannot verify Phase 1 status. Option C is wrong because 'show crypto map' displays the crypto map configuration and its applied interfaces, but it does not show the dynamic state or negotiation progress of IKE Phase 1 SAs. Option D is wrong because 'debug crypto isakmp' is a real-time troubleshooting tool that shows IKE events as they occur, but it is not a verification command for completed negotiations and can be resource-intensive on a production router.

443 · MCQ · hard

Refer to the exhibit. An administrator in us-west-2 tries to launch an instance. The policy allows only us-east-1. What should the administrator do to successfully launch the instance?

A. Launch the instance in us-east-1
B. Modify the resource ARN to include us-west-2
C. Change the policy to allow all regions
D. Remove the condition from the policy
Answer: A

Complies with the policy condition.

Why this answer

Option A is correct because the IAM policy explicitly restricts the ec2:RunInstances action to the us-east-1 region using a Condition block with ec2:Region set to 'us-east-1'. Since the administrator is attempting to launch the instance in us-west-2, the only way to comply with the policy is to launch in us-east-1. AWS IAM policies are evaluated based on the principal, action, resource, and condition; if any condition is not met, the request is denied by default.

Exam trap

Cisco often tests the misconception that modifying the resource ARN or removing the condition is the solution, when in fact the condition key is the binding constraint that must be satisfied by choosing the correct region.

How to eliminate wrong answers

Option B is wrong because modifying the resource ARN to include us-west-2 would not override the Condition block that explicitly restricts the region; the condition must also be satisfied. Option C is wrong because changing the policy to allow all regions would violate the principle of least privilege and is not necessary; the administrator should work within the existing policy constraints. Option D is wrong because removing the condition from the policy would require modifying the policy itself, which the administrator may not have permissions to do, and it would also weaken security by removing the regional restriction.

444 · MCQ · medium

A company is deploying Cisco Umbrella to protect against DNS-based threats. Which deployment method provides the most comprehensive coverage for all devices on the network without requiring per-device configuration?

A. Install the Umbrella roaming client on every endpoint.
B. Configure each device's DNS settings to use Umbrella's resolvers.
C. Deploy a PAC file that routes all traffic through a proxy with DNS filtering.
D. Configure the network's DNS forwarders to point to Umbrella's DNS resolvers.
Answer: D

Covers all devices using the network's DNS.

Why this answer

Option D is correct because configuring the network's DNS forwarders to point to Umbrella's DNS resolvers (typically on the organization's DHCP server or router) ensures that all DNS queries from any device on the network are automatically forwarded to Umbrella for filtering, without requiring any per-device configuration. This method provides comprehensive coverage for all devices, including those that cannot run agents (e.g., IoT devices, printers, guest devices), by intercepting DNS traffic at the network level.

Exam trap

Cisco often tests the distinction between endpoint-based and network-based deployment methods, and the trap here is that candidates assume the roaming client (Option A) provides the most comprehensive coverage, when in fact network-level DNS forwarding covers all devices without per-device configuration.

How to eliminate wrong answers

Option A is wrong because installing the Umbrella roaming client on every endpoint requires per-device configuration and ongoing management, and it cannot cover non-managed or legacy devices that cannot run the client. Option B is wrong because configuring each device's DNS settings individually is impractical for large networks, does not scale, and fails to cover devices with hardcoded DNS or those that ignore manual DNS settings. Option C is wrong because deploying a PAC file only affects web traffic routed through a proxy; it does not intercept all DNS queries (e.g., non-HTTP traffic, direct DNS lookups) and still requires per-browser or per-system configuration, leaving gaps in coverage.

445 · MCQ · hard

A security engineer is evaluating a web application firewall (WAF) rule set. The application uses a custom REST API that accepts JSON payloads. Which WAF rule is most effective at preventing SQL injection attacks while minimizing false positives?

A. Apply a generic SQL injection signature set from the WAF vendor
B. Block requests containing 'SELECT' or 'UNION' in the URL
C. Set the maximum request size to 10 MB
D. Use a rule that parses JSON and checks for abnormal structures that indicate injection
Answer: D

JSON-specific validation reduces false positives while catching injection attempts.

Why this answer

Option D is correct because JSON-based APIs require context-aware parsing to detect SQL injection within structured payloads. A rule that parses JSON and checks for abnormal structures can identify injection attempts (e.g., nested objects or unexpected keys) without relying on simple keyword matching, which reduces false positives. This approach aligns with the WAF's ability to decode and inspect JSON fields for malicious SQL patterns while ignoring benign data.

Exam trap

Cisco often tests the misconception that generic signature sets are universally effective, but the trap here is that custom APIs with JSON payloads require context-aware parsing to avoid false positives and catch injection in non-keyword forms.

How to eliminate wrong answers

Option A is wrong because generic SQL injection signature sets often produce high false positives in custom REST APIs, as they match common SQL keywords (e.g., 'SELECT') that may appear legitimately in JSON values (e.g., a field named 'select'). Option B is wrong because blocking requests containing 'SELECT' or 'UNION' in the URL is ineffective for JSON payloads sent via POST or PUT methods, where injection occurs in the request body, not the URL; it also causes false positives for legitimate API calls. Option C is wrong because setting the maximum request size to 10 MB does not prevent SQL injection; it only limits the payload size, which is unrelated to injection detection and may block legitimate large JSON payloads.

446 · MCQ · medium

A company uses Cisco WSA to proxy web traffic. After configuring a decryption policy to inspect HTTPS traffic to a specific external site, users report they can still access the site without any warning or interruption. Which action should the administrator take to ensure HTTPS inspection is applied?

A. Add the site to the 'HTTPS Bypass' list
B. Import the WSA root CA certificate into client browsers
C. Change the policy action from 'Passthrough' to 'Decrypt'
D. Move the decryption policy to the top of the list
Answer: C

The decryption policy must have the action set to 'Decrypt' to inspect HTTPS traffic.

Why this answer

Option C is correct because the decryption policy must have an action of 'Decrypt' to actually perform HTTPS inspection. If the policy action is set to 'Passthrough', the WSA forwards the traffic without decrypting it, so users experience no warning or interruption. Changing the action to 'Decrypt' forces the WSA to intercept the TLS handshake, decrypt the traffic, and apply security policies.

Exam trap

Cisco often tests the distinction between policy configuration (action) and trust infrastructure (CA certificate), leading candidates to mistakenly choose importing the root CA when the real issue is the policy action not being set to 'Decrypt'.

How to eliminate wrong answers

Option A is wrong because adding the site to the 'HTTPS Bypass' list would explicitly exclude it from decryption, which is the opposite of what is needed. Option B is wrong because importing the WSA root CA certificate into client browsers is necessary for users to trust the decrypted connection, but it does not enable the decryption itself; the policy action must first be set to 'Decrypt'. Option D is wrong because moving the policy to the top of the list only affects rule precedence; if the policy action is still 'Passthrough', it will still bypass decryption regardless of its position.

447 · MCQ · easy

An enterprise wants to prevent data exfiltration from its SaaS applications to unauthorized personal cloud storage. Which Cisco solution should be deployed?

A. Cisco Umbrella
B. Cisco Cloudlock
C. Cisco Duo
D. Cisco Firepower NGFW
Answer: B

Cloudlock as a CASB can prevent data exfiltration to unauthorized cloud storage.

Why this answer

Cisco Cloudlock is the correct solution because it is a cloud-native CASB (Cloud Access Security Broker) specifically designed to protect SaaS applications like Office 365 and Salesforce. It provides data loss prevention (DLP) policies that can detect and block the exfiltration of sensitive data to unauthorized personal cloud storage services by inspecting API traffic and user activities in real time.

Exam trap

Cisco often tests the distinction between network-layer security tools (Umbrella, Firepower) and cloud-native API-based CASB solutions (Cloudlock), leading candidates to mistakenly choose a DNS or firewall product for SaaS DLP scenarios.

How to eliminate wrong answers

Option A (Cisco Umbrella) is wrong because it is a DNS-layer security solution focused on blocking malicious domains and enforcing web usage policies, not on inspecting SaaS application data flows or preventing data exfiltration to personal cloud storage. Option C (Cisco Duo) is wrong because it is a multi-factor authentication (MFA) and zero-trust access solution that secures user authentication but does not provide DLP or content inspection for SaaS data. Option D (Cisco Firepower NGFW) is wrong because it is a network firewall that inspects traffic at the network and application layers but lacks the native API integration with SaaS applications required to enforce granular DLP policies on data stored or shared within those apps.

448 · MCQ · medium

A company has a site-to-site VPN between two ASA firewalls using IKEv2. The tunnel was working but after an upgrade, it fails. The engineer verifies that the pre-shared keys match, IKE proposals are compatible, and the crypto ACL is correctly defined. What is the next likely cause to investigate?

A. The firewall rules on the intermediate devices are blocking ISAKMP traffic.
B. The ACL for interesting traffic is missing.
C. The crypto map is not applied to the correct interface.
D. The MTU is too high.
Answer: A

Intermediate firewall changes during upgrade can block UDP ports 500 and 4500, preventing IKE negotiation. This is a common cause.

Why this answer

The correct answer is A because the tunnel was working before the upgrade and the engineer has already verified that the pre-shared keys, IKE proposals, and crypto ACL are correct. After an ASA upgrade, intermediate firewall rules or ACLs may be reset or changed, potentially blocking ISAKMP (UDP 500/4500) traffic. Since the tunnel fails to establish, the next logical step is to check if ISAKMP traffic is being permitted through all intermediate devices, as this is a common post-upgrade issue.

Exam trap

Cisco often tests the misconception that post-upgrade failures are always due to configuration mismatches, but the trap here is that intermediate firewall rules or ACL changes are frequently overlooked after an upgrade, even when all other parameters are verified as correct.

How to eliminate wrong answers

Option B is wrong because the engineer has already verified that the crypto ACL is correctly defined, so missing interesting traffic ACL is not the issue. Option C is wrong because if the crypto map were not applied to the correct interface, the tunnel would never have worked before the upgrade, and the engineer would have seen a misconfiguration during verification. Option D is wrong because an MTU that is too high typically causes fragmentation or performance issues, not a complete failure of IKEv2 tunnel establishment, and the tunnel was working before the upgrade with the same MTU.

449 · MCQ · hard

An engineer notices that the 'show authentication sessions' command on a switch shows a session in 'CRITICAL' state. What does this indicate?

A. The host is being authenticated via MAB
B. The authentication server is unreachable and the port is using the critical VLAN
C. The port is administratively down
D. The authentication attempt was rejected by the RADIUS server
Answer: B

CRITICAL state indicates critical fallback.

Why this answer

Option B is correct because a CRITICAL state means the port has fallen back to the critical VLAN due to authentication server unavailability. Option A is incorrect because MAB is a method, not a state. Option C is incorrect because an administratively down port would show a different state.

Option D is incorrect because a rejection by the RADIUS server is shown as 'Authz Failed', which indicates a different failure.

450 · MCQ · hard

An enterprise is migrating a critical application to AWS. The architecture includes an Application Load Balancer (ALB) in front of EC2 instances across multiple Availability Zones. The application must be protected against common web exploits such as SQL injection and cross-site scripting. The security team decides to use AWS WAF. They also need to ensure that only traffic from the company's corporate IP range (203.0.113.0/24) is allowed to reach the application, except for a partner integration that requires access from a specific IP (198.51.100.5). Additionally, all traffic must be inspected by a third-party NGFW for advanced threat detection. The NGFW is deployed in a separate VPC connected via VPC Peering. The current configuration: ALB is internet-facing, WAF is associated with the ALB, and the NGFW is not in the traffic path. After deployment, traffic from corporate users is not being inspected by the NGFW, and partner traffic is being blocked. What is the most efficient solution to meet all requirements?

A. Configure AWS WAF rate-based rules to block non-corporate IPs and enable managed rules for SQL injection.
B. Change the ALB scheme to internal, update DNS to point to the NGFW's public IP, and configure the NGFW to forward traffic to the ALB after inspection. Create WAF rules to block non-corporate traffic except partner IP.
C. Deploy an additional ALB as a reverse proxy in front of the NGFW, and configure the WAF on the front ALB.
D. Set up a site-to-site VPN between the corporate network and the VPC, and route partner traffic through the VPN.
Answer: B

This ensures all traffic is inspected by the NGFW and only allowed IPs reach the ALB.

Why this answer

Option B is correct because it restructures the traffic flow so that all traffic first hits the NGFW (via its public IP) for advanced threat inspection, then the NGFW forwards clean traffic to the internal ALB. By changing the ALB to internal, it no longer accepts direct internet traffic, ensuring the NGFW is in the path. WAF rules on the ALB then enforce the IP allowlist (corporate range plus partner IP) and protect against SQL injection and XSS, meeting all requirements efficiently.

Exam trap

Cisco often tests the misconception that WAF alone can enforce IP allowlisting and that the NGFW can be placed after the ALB without changing the ALB scheme, but in reality, an internet-facing ALB receives traffic directly from the internet, bypassing any inline NGFW unless the ALB is made internal and traffic is routed through the NGFW first.

How to eliminate wrong answers

Option A is wrong because rate-based rules limit request rates, not enforce IP allowlisting; they would not block non-corporate IPs except the partner IP, and they do not address the NGFW inspection requirement. Option C is wrong because deploying an additional ALB as a reverse proxy in front of the NGFW adds unnecessary complexity and cost; the NGFW itself can receive traffic directly, and the WAF should be on the ALB that serves the application, not on a front-end ALB that would still bypass NGFW inspection if not properly routed. Option D is wrong because a site-to-site VPN only secures traffic between the corporate network and the VPC; it does not solve the partner traffic access issue (partner IP is external, not over VPN) and does not place the NGFW in the traffic path for inspection.
