Cisco SCOR / CCNP Security Core 350-701 (350-701) — Questions 451–500

500 questions total · 7 pages · All types, answers revealed

Page 7 of 7

451
MCQ · hard

An engineer is troubleshooting a Cisco WSA that is failing to block malware downloads from a specific cloud storage website. The URL filtering policy is set to block the 'Cloud Storage' category, and the Web Reputation score is set to block scores below -5.0. Users can still download files. What is the most likely cause?

A.The file type is not configured for malware inspection
B.HTTPS proxy decryption is not configured
C.The L4 Traffic Monitor is not enabled
D.The users are not authenticated
Answer: A

Malware inspection only applies to specified file types; if not included, downloads pass through.

Why this answer

The Cisco WSA can block malware downloads only if it inspects the file content. If the file type is not configured for malware inspection, the WSA will allow the download even if the URL category and reputation score are set to block. This is because malware inspection requires explicit configuration of file types (e.g., .exe, .zip) to scan for threats, and without it, the WSA bypasses deep content analysis.

Exam trap

Cisco often tests the misconception that URL filtering and reputation scores alone are sufficient to block malware, but the trap here is that malware inspection must be explicitly configured for specific file types to actually scan and block malicious content.

How to eliminate wrong answers

Option B is wrong because HTTPS proxy decryption is required to inspect encrypted traffic, but the question does not specify that the cloud storage website uses HTTPS; even if it does, the core issue is that the file type is not inspected, not the lack of decryption. Option C is wrong because the L4 Traffic Monitor is used for monitoring traffic flows and does not affect malware inspection or URL filtering decisions. Option D is wrong because user authentication is not required for URL filtering or malware inspection to apply; the WSA can enforce policies based on source IP or other criteria without authentication.

452
MCQ · hard

Based on the exhibit, what is the root cause of the AMP connector's inability to connect to the cloud?

A.The AMP cloud servers are blocking the connector's IP address.
B.The proxy server address is incorrect in the connector configuration.
C.The proxy requires authentication, and the AMP connector has no credentials configured.
D.The connector has no network connectivity to the internet.
Answer: C

The 407 error explicitly indicates proxy authentication failure.

Why this answer

Option C is correct. The log shows a 'Proxy authentication failed' error with a 407 status, indicating missing or incorrect proxy credentials. Option A is incorrect because the initial timeout was overwritten by later errors.

Option B is incorrect because the proxy is configured; it's the credentials that are missing. Option D is incorrect because the network connectivity was resolved; the proxy is rejecting the connection.

453
MCQ · medium

A large enterprise is migrating legacy applications to AWS. The security team requires that all data in transit between the applications and the on-premises data center be encrypted and inspected for threats. They have deployed a Cisco Firepower NGFW on-premises and are using Amazon VPC with a VPN connection. The team is concerned about east-west traffic within the VPC also being inspected. They consider deploying Cisco Secure Firewall in the cloud (cFMC). However, budget constraints limit the number of virtual firewalls. Which design best meets the requirements while optimizing cost?

A.Inspect all traffic at the on-premises Firepower by routing all cloud traffic through a VPN.
B.Deploy a Cisco Secure Firewall virtual instance in each VPC.
C.Use AWS Network Firewall for east-west inspection and keep Firepower on-premises for north-south.
D.Deploy a single Cisco Secure Firewall virtual instance in a transit VPC and route all inter-VPC traffic through it.
Answer: D

Correct: Central inspection reduces cost while covering east-west.

Why this answer

Option D is correct because deploying a single Cisco Secure Firewall virtual instance in a transit VPC allows centralized inspection of all inter-VPC (east-west) traffic while minimizing costs. By routing traffic through the transit VPC, you avoid the expense of deploying a firewall in every VPC, and the on-premises Firepower NGFW handles north-south traffic (VPN and internet-bound). This design meets the encryption and threat inspection requirements for both east-west and north-south traffic within the budget constraint.

Exam trap

Cisco often tests the concept that a single virtual firewall in a transit VPC can inspect east-west traffic cost-effectively, and the trap here is that candidates mistakenly think AWS Network Firewall (Option C) can replace Cisco Secure Firewall for unified threat inspection across hybrid environments, but it lacks the deep integration with on-premises Firepower and advanced threat detection features required by the scenario.

How to eliminate wrong answers

Option A is wrong because routing all cloud traffic through an on-premises VPN for inspection introduces significant latency, bandwidth bottlenecks, and single points of failure, and it does not efficiently inspect east-west traffic within the VPC (traffic between VPCs would hairpin through the VPN, violating AWS best practices). Option B is wrong because deploying a Cisco Secure Firewall virtual instance in each VPC would exceed the budget constraint and is overkill for east-west inspection; it also creates management complexity without centralizing policy. Option C is wrong because AWS Network Firewall is a managed service that can inspect east-west traffic, but it does not integrate with the on-premises Cisco Firepower NGFW for unified threat intelligence or policy management, and it cannot inspect traffic that is already encrypted end-to-end between applications (it lacks the same deep packet inspection capabilities as Cisco Secure Firewall).

454
MCQ · medium

A large enterprise uses Cisco ISE with pxGrid to share context with Firepower for threat containment. When a Firepower detects an infected endpoint, it triggers a pxGrid quarantine action that changes the endpoint's authorization profile. The engineer observes that the quarantine is applied, but after the Firepower clears the threat, the endpoint does not regain its original access. What is the most likely reason?

A.Firepower failed to send the clearance message to ISE
B.The ISE session is not forced to reauthenticate after quarantine release
C.The network access device does not support CoA
D.ISE authorization policy is not ordered correctly
Answer: B

After quarantine release, ISE must send a CoA to reauthenticate the endpoint; otherwise the NAD maintains the original quarantine session.

Why this answer

pxGrid quarantine actions override the existing session and require a cleanup afterwards. If the endpoint is not forced to reauthenticate after the quarantine is released, it remains in the quarantine state. Option B is correct because the session on the NAD is not updated unless ISE sends a CoA.

Option A: Firepower does send the clearance message, but that message by itself does not trigger re-authentication. Option D: the ISE authorization policy order is not the issue; the policy may well be correct. Option C: the NAD evidently supports CoA, because it accepted the quarantine.

So the answer is B.

455
Multi-Select · medium

Which TWO conditions must be met for a Cisco switch to initiate 802.1X authentication? (Choose two.)

Select 2 answers
A.The switch port is configured with 'authentication port-control auto'.
B.The switch port is configured with 'switchport mode access'.
C.The endpoint has a 802.1X supplicant enabled.
D.The switch has a VLAN configured for guest access.
E.The switch has a reachable RADIUS server configured.
Answers: A, E

This command enables 802.1X on the port.

Why this answer

Options A and E are correct. The switch port must be configured with 'authentication port-control auto' to enable 802.1X, and a RADIUS server must be reachable for authentication. Option B is not mandatory (trunk ports can also be used).

Option C is not required for the switch to initiate (the switch initiates regardless of supplicant status). Option D is optional and applies only to a guest VLAN.

456
MCQ · medium

An organization uses Cisco ESA to filter inbound email. The security team notices that some phishing emails are reaching users despite having an anti-spam policy. Further analysis reveals that the emails are sent from a domain that is gray-listed but not blocked. What should the administrator do to prevent these emails without impacting legitimate emails?

A.Disable the Gray Mail feature in the anti-spam policy.
B.Create a content filter to quarantine the emails based on malicious URLs or attachment type.
C.Enable Retrospective Scanning to detect the phishing emails after delivery.
D.Add the sender IP address to the SenderBase block list.
Answer: B

Targets specific threat content.

Why this answer

Option B is correct because creating a content filter to quarantine emails based on malicious URLs or attachment type directly addresses the phishing threat without affecting legitimate emails. Since the domain is gray-listed (not blocked), the anti-spam policy considers the sender as suspicious but not malicious; a content filter can inspect the email content for specific indicators of compromise (e.g., known malicious URLs or dangerous attachment types like .exe or .js) and quarantine those emails, bypassing the gray-mail classification.

Exam trap

Cisco often tests the distinction between anti-spam policies (which classify based on sender reputation and content patterns) and content filters (which allow rule-based actions on specific email attributes), leading candidates to mistakenly choose options that modify the anti-spam policy or rely on post-delivery detection instead of pre-delivery prevention.

How to eliminate wrong answers

Option A is wrong because disabling the Gray Mail feature would remove the gray-listing classification entirely, potentially allowing more spam or phishing emails to reach users, and it does not specifically block the phishing emails. Option C is wrong because Retrospective Scanning (using Cisco Advanced Phishing Protection) detects threats after delivery and can recall messages, but it does not prevent the initial delivery; the question asks to 'prevent these emails' from reaching users. Option D is wrong because adding the sender IP address to the SenderBase block list would block all emails from that IP, which could impact legitimate emails if the IP is shared or if the sender uses a legitimate mail server that is temporarily compromised.

457
MCQ · hard

An engineer is deploying Cisco ISE for guest access. The guest portal uses a self-provisioned username and password. To ensure secure credential transmission, which protocol should be enforced on the portal?

A.DNSSEC
B.RADIUS over TLS
C.HTTPS with a valid certificate
D.HTTP with redirect to captive portal
Answer: C

Encrypts credentials between client and portal.

Why this answer

Option C is correct because HTTPS with a valid certificate encrypts the credential transmission between the client and the portal. Option D is incorrect because HTTP transmits credentials in cleartext. Option B is incorrect because RADIUS over TLS is used between the NAS and ISE, not between the client and the portal.

Option A is incorrect because DNSSEC authenticates DNS responses; it does not encrypt traffic.

458
MCQ · hard

An administrator reviewed the log entry from the Cisco ESA exhibit. The DLP policy is set to 'Continue (with disclaimer)' for credit card matches. How should the policy be changed to prevent this data leakage?

A.Remove the DLP policy assignment for the Finance mail flow.
B.Change the DLP policy action from 'Continue' to 'Drop'.
C.Lower the DLP sensitivity threshold.
D.Enable TLS encryption on the policy.
Answer: B

Drop prevents delivery of messages containing credit card numbers.

Why this answer

Option B is correct because the current DLP policy action 'Continue (with disclaimer)' allows the email to be delivered after appending a disclaimer, which does not prevent data leakage. Changing the action to 'Drop' will block the email entirely, preventing the credit card data from leaving the organization. This directly addresses the requirement to stop the data leakage.

Exam trap

Cisco often tests the misconception that adding a disclaimer or encryption is sufficient to prevent data leakage, when in fact only blocking (Drop) or quarantining the message stops the actual transmission of sensitive content.

How to eliminate wrong answers

Option A is wrong because removing the DLP policy assignment for the Finance mail flow would disable all DLP scanning for that flow, which is an overreaction and does not target the specific issue of credit card matches; it would leave other potential violations unmonitored. Option C is wrong because lowering the DLP sensitivity threshold would make the policy match more easily, potentially increasing false positives and not preventing the leakage of already-detected credit card data. Option D is wrong because enabling TLS encryption only secures the transmission channel between mail servers; it does not inspect or block the content of the email, so it cannot prevent data leakage of credit card numbers.

459
MCQ · easy

A network administrator wants to centrally manage and enforce access policies for wired and wireless users. Which Cisco product provides this functionality?

A.Cisco Identity Services Engine (ISE)
B.Cisco Prime Infrastructure
C.Cisco Adaptive Security Appliance (ASA)
D.Cisco Wireless LAN Controller (WLC)
Answer: A

Central policy engine for network access.

Why this answer

Option A is correct because Cisco ISE is the policy administration point for network access control across wired, wireless, and VPN. Option D is incorrect because the WLC manages only wireless. Option C is incorrect because the ASA is a firewall.

Option B is incorrect because Prime Infrastructure is for management and assurance, not policy enforcement.

460
Multi-Select · easy

Which TWO are valid methods for determining the SGT (Security Group Tag) assigned to an endpoint in a TrustSec deployment?

Select 2 answers
A.DNS resolution of the endpoint hostname
B.Static assignment on the network access device (switch) using the 'cts role-based sgt' command
C.The IP address of the endpoint
D.DHCP Option 141
E.Dynamic assignment from ISE based on authentication or authorization policy
Answers: B, E

The switch can be configured with a static SGT per port or per VLAN.

Why this answer

Options B and E are correct. B: static assignment on the switch port via 'cts role-based sgt'. E: ISE can dynamically assign the SGT via the authentication or authorization policy.

A: DNS is not involved. C: the IP address does not determine the SGT; the tag is based on identity. D: DHCP Option 141 is not used for SGT assignment.

461
MCQ · hard

A cloud security team is investigating a possible data exfiltration incident involving an AWS S3 bucket configured with cross-region replication. Which Cisco Cloudlock feature can detect unusual replication patterns that may indicate data theft?

A.Umbrella threat intelligence
B.Stealthwatch Cloud flow logs
C.Firepower IPS signatures
D.Cloudlock User and Entity Behavior Analytics (UEBA)
Answer: D

UEBA detects behavioral anomalies in cloud services.

Why this answer

Cloudlock UEBA is the correct answer because it establishes behavioral baselines for user and entity activities, such as S3 bucket replication patterns. When cross-region replication deviates from the learned baseline—e.g., unusual volume, frequency, or destination—UEBA generates an anomaly alert, directly detecting potential data exfiltration. This is a core capability of Cisco Cloudlock's cloud access security broker (CASB) functionality.

Exam trap

The trap here is that candidates often confuse UEBA with network-based detection tools (like IPS or flow logs) or general threat intelligence feeds, failing to recognize that UEBA specifically addresses anomalous user and entity behavior in cloud environments like AWS S3.

How to eliminate wrong answers

Option A is wrong because Umbrella threat intelligence provides DNS-layer security and web proxy filtering, not behavioral analysis of cloud storage replication patterns. Option B is wrong because Stealthwatch Cloud flow logs analyze network traffic flows and IP behaviors, not S3 bucket replication events within AWS. Option C is wrong because Firepower IPS signatures detect known network-based attack patterns via deep packet inspection, not anomalous user or entity behavior in cloud APIs.

462
MCQ · hard

An organization is using Cisco Umbrella alongside Cisco AMP for Endpoints. A user reports that they cannot access a legitimate file-sharing website. However, the site is not categorized as malicious by Umbrella. What is the most likely reason for the block?

A.Cisco AMP's Intelligent Proxy detected the file download as potentially malicious and blocked it
B.The website's domain is in a custom block list
C.The endpoint's firewall is blocking the connection
D.The user is behind a proxy that is not configured with Umbrella
Answer: A

Umbrella's Intelligent Proxy can block files based on AMP's file reputation, even if the website is safe.

Why this answer

When Umbrella's Intelligent Proxy is in use, it consults AMP file reputation, so it may block the file download if the file itself is classified as malicious even though the site is safe.

463
MCQ · medium

Refer to the exhibit. What is the most likely reason for the high number of 'No route to host' drops on a Cisco ASA?

A.Firewall is in transparent mode
B.Interface is down
C.Missing static route on the ASA
D.Incorrect NAT rule
Answer: C

Without a route to the destination, the ASA cannot forward the packet.

Why this answer

The 'No route to host' drop on a Cisco ASA indicates that the firewall has no valid route in its routing table to reach the destination IP address of the packet. Option C is correct because a missing static route (or dynamic route) for the destination network prevents the ASA from performing a route lookup, causing it to drop the packet with this specific syslog message. This is a Layer 3 forwarding issue, not a policy or NAT problem.

Exam trap

Cisco often tests the distinction between Layer 3 routing drops ('No route to host') and Layer 2/interface drops, or between routing issues and NAT/policy failures, so candidates must remember that 'No route to host' is exclusively a routing table lookup failure, not a firewall rule or interface problem.

How to eliminate wrong answers

Option A is wrong because transparent mode (Layer 2 bridge) does not perform IP routing; 'No route to host' drops are a Layer 3 routing issue that only occurs in routed mode. Option B is wrong because if an interface were down, the ASA would generate 'Interface down' or 'No buffer' drops, not 'No route to host' — the latter specifically indicates a missing route, not a link failure. Option D is wrong because an incorrect NAT rule would cause 'NAT failed' or 'Translation creation failed' drops, or asymmetric routing issues, but not a 'No route to host' drop, which occurs before NAT processing in the packet flow.

464
MCQ · medium

A university is implementing 802.1X for student wireless networks using Cisco Wireless LAN Controllers (WLCs) and ISE. Students connect with their personal devices using PEAP-MSCHAPv2. During heavy usage, some students report authentication failures and sporadic disconnections. The network team examines the ISE live logs and sees many 'Authentication failed' entries with reason 'Internal error - unable to find a suitable proxy target'. The team has configured two ISE nodes as authentication proxies for the wireless subnets. What is the most likely cause of this issue?

A.The WLC is not configured to use the ISE proxy nodes as RADIUS servers
B.The RADIUS shared secret is mismatched between WLC and ISE
C.ISE node CPU is overloaded due to high authentication load
D.The proxy target rules in ISE do not match the WLC's NAS-IP-Address
Answer: D

Proxy target rules must include the NAS-IP-Address of the WLC to forward requests to the appropriate authentication node.

Why this answer

The error 'unable to find a suitable proxy target' indicates that the ISE node cannot determine which proxy target to use for the authentication request, typically because the proxy target rules do not match attributes of the incoming request such as NAS-IP-Address. Option D is correct because if the proxy target rules are missing or incorrect, ISE cannot forward the request. Option A would produce different errors (the request would never reach ISE).

Option B (a mismatched shared secret) would cause RADIUS authentication or connection errors, and Option C (CPU overload) would cause performance degradation; neither produces a proxy target error.

465
MCQ · hard

A company with 5,000 endpoints is using Cisco Secure Endpoint. The security team receives an alert that a specific file (SHA256: 8f4a...b2c) has been detected as malware on 10 endpoints. The file has been quarantined on those endpoints. The team wants to ensure that no other endpoints in the organization have this file. Which feature should be used to locate the file across all endpoints?

A.The Policy editor with file blacklist
B.Orbital Advanced Search
C.TETRA traffic analysis
D.The AMP Dashboard with event filters
Answer: B

Orbital can search across all endpoints for a specific file hash.

Why this answer

Orbital Advanced Search is the correct feature because it provides a powerful, query-based search capability across all endpoints managed by Cisco Secure Endpoint. It allows the security team to search for specific file hashes (like SHA256: 8f4a...b2c) across the entire endpoint fleet, identifying any endpoint that has the file present, regardless of whether it has been quarantined or not. This is the only option that enables proactive, organization-wide file discovery beyond simple alert-based or policy-driven actions.

Exam trap

Cisco often tests the distinction between reactive alert-based tools (like the AMP Dashboard) and proactive search capabilities (like Orbital), and the trap here is that candidates assume the dashboard's event filters can locate files across all endpoints, when in fact they only show events that have already been logged.

How to eliminate wrong answers

Option A is wrong because the Policy editor with file blacklist is a preventive control that blocks files from executing or being written, but it does not provide a search or discovery capability to locate files already present on endpoints. Option C is wrong because TETRA traffic analysis is a network-based detection and response tool that analyzes encrypted traffic patterns, not a file search mechanism for endpoints. Option D is wrong because the AMP Dashboard with event filters shows historical events and alerts, but it cannot perform a proactive, query-based search for a specific file hash across all endpoints; it only displays events that have already triggered alerts.

466
MCQ · hard

A network engineer is troubleshooting a site-to-site IPsec VPN that fails to establish. The IKE phase 1 completes successfully, but phase 2 fails. The debug output shows 'IPSEC(validate_proposal): transform set proposal mismatch'. Both peers have the same transform set configured. What is the most likely cause?

A.Mismatched IPsec lifetime values
B.Missing route for the remote subnet
C.Mismatched encryption/authentication algorithms in the transform set
D.Incorrect pre-shared key
Answer: C

Even if both sets are named the same, the actual algorithms might differ; 'transform set proposal mismatch' indicates algorithm mismatch.

Why this answer

The error 'IPSEC(validate_proposal): transform set proposal mismatch' indicates that the IPsec transform sets proposed by the two peers do not match during IKE phase 2 negotiation. Even if the transform sets appear identical in configuration, a mismatch in the encryption algorithm (e.g., AES-256 vs AES-128) or authentication algorithm (e.g., SHA-1 vs SHA-256) will cause this failure. Since IKE phase 1 completed successfully, the pre-shared key and routing are not the issue, and lifetime mismatches typically generate a different error.

Exam trap

Cisco often tests the distinction between IKE phase 1 and phase 2 failures, and the trap here is that candidates assume identical transform set names mean identical algorithms, ignoring that default values (like AES key length) can differ between devices or IOS versions.

How to eliminate wrong answers

Option A is wrong because mismatched IPsec lifetime values (e.g., 3600 vs 86400 seconds) would cause a 'lifetime mismatch' or 'proposal mismatch' error, but the debug output specifically mentions 'transform set proposal mismatch', which points to algorithms, not lifetimes. Option B is wrong because a missing route for the remote subnet would prevent traffic from triggering the VPN or cause packets to be dropped, but it would not produce a transform set mismatch error during phase 2 negotiation. Option D is wrong because an incorrect pre-shared key would cause IKE phase 1 to fail (e.g., 'invalid pre-shared key' or 'authentication failure'), not phase 2, and the question states phase 1 completes successfully.

467
MCQ · medium

Refer to the exhibit. An engineer configures this interface for 802.1X. Users report that after successful authentication, they are forced to reauthenticate every hour even though the authentication session is still active. What configuration change should be made to prevent reauthentication unless triggered by a change?

A.Increase 'dot1x timeout tx-period' to 60.
B.Change 'authentication timer reauthenticate' to 0.
C.Remove 'authentication periodic'.
D.Add 'authentication event server dead action authorize'.
Answer: C

Removing this command disables periodic reauthentication.

Why this answer

Option C is correct. The 'authentication periodic' command enables periodic reauthentication. Removing it stops automatic reauthentication.

Option B is incorrect because setting the timer to 0 is invalid. Option A is incorrect because increasing the tx-period affects the initial EAP timeout, not reauthentication. Option D is incorrect because it configures the server-dead action, not reauthentication behavior.

468
MCQ · medium

Refer to the exhibit. A user has successfully authenticated via 802.1X. However, the SGT (Security Group Tag) assigned is 0, which is the default untagged value. Which configuration change would most likely allow ISE to assign a non-zero SGT for this user?

A.In ISE authorization profile, add Cisco AV pair 'cts:security-group-tag=15'
B.Enable 'cts manual' globally on the switch
C.Ensure that the switch has a RADIUS server defined with 'radius-server host 10.1.1.1 auth-port 1645'
D.Configure 'aaa authorization network default group radius' on the switch
E.Enable 'sgt caching' on the switch port
Answer: A

ISE must send the SGT as a RADIUS attribute in the Access-Accept. Currently, it is not sending any SGT, so SGT is 0.

Why this answer

Option A is correct because ISE must include the SGT in the RADIUS Access-Accept (e.g., via the cisco-av-pair attribute). Option D is wrong because the show command indicates authorization success, so AAA is already functional. Option C is wrong because the session already shows authorization by the server, so the RADIUS server definition is in place.

Option E is wrong because SGT assignment does not require SGT caching on the switch port. Option B is wrong because the 'cts' configuration on the switch is a TrustSec prerequisite; it does not by itself assign the SGT.

469
MCQ · medium

An organization uses Cisco ESA and wants to implement a policy that automatically encrypts emails containing credit card numbers before delivery. What feature should be used?

A.Anti-spam engine
B.Anti-virus engine
C.Email authentication (SPF, DKIM)
D.DLP policy with encryption action
Answer: D

DLP can trigger encryption based on policy.

Why this answer

D is correct because Cisco ESA includes a Data Loss Prevention (DLP) feature that can scan email content for sensitive data patterns, such as credit card numbers (matching Luhn algorithm and known issuer prefixes). When a match is found, the DLP policy can trigger an encryption action, automatically encrypting the email before delivery to protect the sensitive information in transit.

Exam trap

The trap here is that candidates confuse DLP with anti-spam or anti-virus engines, assuming any security feature can handle content-based encryption, but only DLP policies have the specific content inspection and policy-driven encryption action capability in Cisco ESA.

How to eliminate wrong answers

Option A is wrong because the Anti-spam engine is designed to detect and filter unsolicited bulk email (spam) based on reputation and content analysis, not to identify sensitive data like credit card numbers or apply encryption. Option B is wrong because the Anti-virus engine scans for malware signatures and malicious attachments, not for pattern-based sensitive data, and cannot enforce encryption actions. Option C is wrong because Email authentication (SPF, DKIM) validates the sender's domain and message integrity to prevent spoofing and phishing, but it does not inspect message content for credit card numbers nor apply encryption.

470
MCQ · medium

Refer to the exhibit. A host with IP address 10.0.0.5 sends traffic to destination 192.168.2.10. The traffic is not being translated. What is the most likely cause?

A.The security-level of the inside interface is too high to allow NAT.
B.The ACL INSIDE_NAT does not permit traffic to the destination network 192.168.2.0/24.
C.The interface outside does not have a valid IP address assigned.
D.The NAT statement uses source dynamic instead of source static; dynamic cannot translate internal IPs.
Answer: B

The ACL only permits traffic to 192.168.3.0/24, so 192.168.2.0/24 traffic is not matched and hence not translated.

Why this answer

The access-list INSIDE_NAT permits traffic to network 192.168.3.0/24, but the destination is 192.168.2.10, which is not matched. Therefore, NAT is not applied to that traffic. Option B is correct.

Options A, C, and D are not relevant: the security level does not affect NAT, the outside interface has an IP address, and dynamic NAT is a valid way to translate internal addresses.

471
MCQ · hard

A large enterprise uses Cisco ISE for network access control with 802.1X authentication (PEAP-MSCHAPv2) on wired ports. Access switches are Cisco Catalyst 3850s running IOS-XE 16.9, and ISE is version 2.7 with all patches. Recently, users in the finance department report intermittent connectivity issues when connecting to the network. The issue is sporadic: a user may connect successfully one day, then fail multiple times the next day. Switch logs show frequent 'EAP timeout' errors for these users. The network team has verified that the RADIUS servers are reachable and have sufficient CPU and memory. The ISE logs show no authentication failures, only that some EAP conversations are dropped mid-exchange. What is the most likely cause of these intermittent failures?

A.The switch is configured with a RADIUS timeout value that is too low.
B.The switch port is configured with a dynamic VLAN assignment that does not exist on the switch.
C.The user's machine certificate has expired.
D.The ISE server is configured with an incorrect shared secret for the switch.
Answer: A

A low timeout can cause the switch to abort EAP exchanges when network latency spikes, leading to intermittent timeouts.

Why this answer

The EAP timeout errors and the intermittent nature of the problem point to the RADIUS timeout being too low on the switch, causing it to drop EAP conversations during periods of high latency. Options B, C, and D would cause consistent failures for the affected users, not intermittent ones.

472
MCQ · hard

An enterprise is deploying a hybrid email security solution using Cisco Email Security Appliance (ESA) on-premises and Cisco Cloud Email Security (CES). The organization wants to use the cloud for spam filtering while the on-premises ESA handles DLP and encryption for sensitive data. Inbound emails should be processed by the cloud first, then sent to the on-premises ESA. Which architecture correctly implements this requirement?

A.MX record → On-premises ESA → Internal mail server, with a separate smart host via CES
B.MX record → Dual MX pointing to both CES and ESA
C.MX record → On-premises ESA → Cisco CES → Internal mail server
D.MX record → Cisco CES → On-premises ESA (internal mail server)
AnswerD

This flow ensures cloud spam filtering first, then DLP/encryption on-premises.

Why this answer

Option D is correct because it places Cisco CES (cloud) first in the email flow to handle spam filtering, then forwards the cleaned messages to the on-premises ESA for DLP and encryption before delivery to the internal mail server. This matches the requirement that inbound emails be processed by the cloud first, then the on-premises ESA, with CES acting as the initial SMTP gateway via MX record.

Exam trap

Cisco often tests the order of processing in hybrid email architectures, and the trap here is that candidates mistakenly think the on-premises ESA should be the first hop (Option C) or that dual MX records can enforce sequential processing (Option B), when in reality the MX record must point to the cloud service to ensure the correct flow.

How to eliminate wrong answers

Option A is wrong because it sends inbound emails directly to the on-premises ESA first, bypassing the cloud spam filtering, and the separate smart host via CES would only be used for outbound or relay traffic, not for the required inbound flow. Option B is wrong because dual MX records pointing to both CES and ESA would cause load balancing or failover, not sequential processing; inbound emails could arrive at either device first, violating the requirement that cloud processes first. Option C is wrong because it places the on-premises ESA before CES in the flow, meaning inbound emails hit the on-premises ESA first, which contradicts the requirement that cloud handles spam filtering before the on-premises ESA handles DLP and encryption.

473
Multi-Selectmedium

An administrator is configuring 802.1X on a switch port for both an IP phone and a PC. Which two commands should be configured to support this scenario? (Choose two)

Select 2 answers
A.authentication host-mode multi-domain
B.dot1x pae authenticator
C.authentication violation restrict
D.authentication port-control auto
E.authentication host-mode multi-auth
AnswersA, D

Allows one voice and one data device.

Why this answer

Options A and D are correct. 'authentication host-mode multi-domain' (A) allows exactly one device in the data domain and one in the voice domain, which is the phone-plus-PC case. 'authentication port-control auto' (D) turns on 802.1X enforcement on the port. Option E (multi-auth) authenticates any number of data devices individually, which is more than this scenario needs. Option C (violation restrict) only chooses what happens when a violation occurs and is optional.

Option B (dot1x pae authenticator) is needed for the port to act as an authenticator at all, but it is not specific to the phone-plus-PC scenario, so it is not one of the two commands the question is after.
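Added example, not from the page: a Catalyst switch configuration for the phone-plus-PC port in Q473, together with the RADIUS server timeout and retransmit settings that Q471 turns on. The interface, VLAN IDs, server name and address, and the shared secret are assumed values, and the legacy 'authentication' command style shown is the default on IOS-XE 16.x unless new-style (IBNS 2.0) display has been enabled.

```cisco
! Global AAA and 802.1X (legacy "authentication" command style)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! RADIUS server definition (assumed name/address). timeout and retransmit
! decide how long the switch waits on ISE before it abandons an EAP exchange;
! values that are too low show up as 'EAP timeout' on the switch (Q471).
radius server ISE-PSN1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key CHANGE-ME-shared-secret
 timeout 5
 retransmit 3
!
! Access port with one IP phone and one PC behind it (Q473)
interface GigabitEthernet1/0/10
 description User port - phone + PC
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 ! one device in the data domain, one in the voice domain
 authentication host-mode multi-domain
 ! enforce 802.1X on the port
 authentication port-control auto
 ! drop frames from a third device but keep the port up
 authentication violation restrict
 ! the port acts as the 802.1X authenticator
 dot1x pae authenticator
 ! how often EAP-Request/Identity is resent while waiting for a supplicant
 dot1x timeout tx-period 10
 spanning-tree portfast
```

To verify, 'show authentication sessions interface GigabitEthernet1/0/10 details' should list two sessions, one in the DATA domain and one in VOICE, and 'show dot1x interface GigabitEthernet1/0/10' shows the PAE role and timers. On the RADIUS side, 'show aaa servers' exposes the timeout and retransmission counters that Q471 hinges on.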

474
Multi-Selecthard

Which TWO configuration steps are required to enable Cisco AMP for Endpoints to use the Threat Grid appliance for file analysis?

Select 2 answers
A.Configure the AMP connector policy to submit files to the on-premises Threat Grid appliance.
B.Enable SSL decryption in the AMP connector policy.
C.Register the Threat Grid appliance in the AMP cloud as a private analysis provider.
D.Ensure the firewall allows inbound traffic to the Threat Grid appliance from the internet.
E.Install the Cisco Threat Grid Connector on each endpoint.
AnswersA, C

The connector policy must specify the Threat Grid appliance as the target for file analysis.

Why this answer

Option A is correct because the AMP for Endpoints connector policy must be configured to submit files to the on-premises Threat Grid appliance. This directs the endpoint connector to send suspicious files to the local Threat Grid for dynamic analysis instead of the public cloud. Option C is correct because the Threat Grid appliance must be registered in the AMP cloud as a private analysis provider, which creates a secure tunnel (using TLS) between the AMP cloud and the on-premises appliance, enabling file submission and result retrieval.

Exam trap

Cisco often tests the misconception that inbound firewall rules are needed for on-premises appliances, when in fact the Threat Grid appliance initiates outbound connections to the AMP cloud, making option D a common distractor.

475
MCQhard

A large enterprise recently migrated to Cisco Email Security Appliance (ESA) for inbound email filtering. The security team notices an increasing number of phishing emails that bypass the spam filter. Analysis shows that these emails originate from a legitimate but compromised domain (example-bank.com), use valid DKIM signatures, and have low spam scores due to carefully crafted benign text and embedded images. The team already has SenderBase enabled and uses the default spam threshold. The CEO received a convincing phishing email that led to a credential leak. Which course of action should the security team take to best mitigate this threat without causing significant false positives?

A.Increase the spam threshold to catch lower-scoring emails.
B.Enable graymail filtering to categorize these emails as bulk suspicious.
C.Create a content filter that detects the domain 'example-bank.com' in the envelope sender and sets the action to 'drop'.
D.Implement DMARC with a quarantine policy for the domain.
AnswerC

This directly blocks emails from the known malicious domain without affecting other domains, minimizing false positives.

Why this answer

Option C is correct because a content filter that matches the envelope sender (MAIL FROM) domain 'example-bank.com' and applies a 'drop' action stops mail from that specific domain without touching any other sender. Option B is incorrect because graymail filtering classifies newsletters and bulk marketing mail, not targeted phishing.

Option A is incorrect because lowering the bar for what counts as spam raises false positives across all mail and may still miss these deliberately low-scoring messages. Option D is incorrect because DMARC only helps when the domain is being spoofed; here the mail is genuinely sent from the compromised domain and carries a valid DKIM signature, so it passes DMARC. In practice a quarantine action with a notification is worth weighing against 'drop' if the organization also expects legitimate mail from that domain, because the filter silently discards everything from it until the compromise is cleaned up.

476
MCQeasy

A company has deployed Cisco Umbrella with a virtual appliance (VA) for content filtering. Users report that some websites are not loading properly, and the helpdesk suspects that the VA is blocking legitimate traffic. The network administrator checks the VA dashboard and sees that the VA is passing traffic normally. However, the administrator notices that the VA's upstream DNS server is set to a public resolver (208.67.222.222) instead of the company's internal DNS servers. This causes internal hostnames to resolve incorrectly. The company uses Active Directory with domain-joined computers. What should the administrator do to resolve the issue?

A.Add a conditional forwarder in the internal DNS for all .local domains.
B.Configure the clients to use Umbrella's DNS directly instead of the VA.
C.Disable Umbrella content filtering for internal domain names.
D.Change the upstream DNS server in the VA configuration to point to the internal DNS servers.
AnswerD

Correct: This enables proper resolution of internal names.

Why this answer

The virtual appliance (VA) is a conditional DNS forwarder: it takes queries from clients, sends queries for the configured internal domains to the local DNS servers and everything else to Umbrella's resolvers, and tags each query with the client's identity so that policy can be applied per user or host. When the VA's upstream for internal names is a public resolver such as 208.67.222.222 (Umbrella/OpenDNS), the Active Directory zones (.local or any internal FQDN) cannot be resolved, because the public resolver has no knowledge of the private zone. Pointing the VA at the company's internal DNS servers lets it resolve internal names correctly while Umbrella's content filtering continues to apply to external lookups.

Exam trap

Cisco often tests the misconception that content filtering policies are the root cause of resolution failures, when in fact the underlying DNS forwarding chain is misconfigured, leading candidates to incorrectly focus on filtering rules or client-side changes rather than the upstream DNS server setting.

How to eliminate wrong answers

Option A is wrong because adding a conditional forwarder in the internal DNS for .local domains does not affect the VA's upstream DNS configuration; the VA itself must be pointed to the internal DNS servers to resolve internal hostnames. Option B is wrong because configuring clients to use Umbrella's DNS directly bypasses the VA entirely, removing the content filtering enforcement that the company has deployed. Option C is wrong because disabling Umbrella content filtering for internal domain names is not a configuration option in the VA; the issue is DNS resolution, not filtering policy, and the VA must be able to resolve internal names before any filtering can be applied.

477
MCQeasy

A network engineer needs to implement a security solution that provides encryption, integrity, and authentication at Layer 2 between two switches. Which technology should be used?

A.SSL/TLS
B.IPsec
C.802.1X
D.MACsec
AnswerD

MACsec provides Layer 2 encryption, integrity, and authentication.

Why this answer

MACsec (IEEE 802.1AE) provides hop-by-hop encryption, integrity, and authentication at Layer 2 (the data link layer) directly on Ethernet frames. It uses GCM-AES-128 or GCM-AES-256 to encrypt the entire payload and authenticate the frame, ensuring confidentiality and integrity between directly connected switches without requiring IP-layer processing.

Exam trap

Cisco often tests the distinction between Layer 2 encryption (MACsec) and Layer 3 encryption (IPsec), and the trap here is that candidates confuse 'encryption between switches' with IPsec because IPsec is the most commonly known encryption protocol, but it operates at a higher layer and requires IP routing.

How to eliminate wrong answers

Option A is wrong because SSL/TLS sits above the transport layer (on top of TCP) and secures application sessions such as HTTPS; it does nothing for Layer 2 Ethernet frames between switches. Option B is wrong because IPsec operates at Layer 3 (Network Layer) and secures IP packets between hosts or networks; it requires IP routing and does not provide frame-level encryption between directly connected switches. Option C is wrong because 802.1X is a port-based network access control (NAC) protocol used to authenticate devices at the access layer, but it does not provide encryption or integrity for data frames; it only controls admission to the network (although 802.1X can be used to derive MACsec keys, it is not the encryption technology itself).
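Added example (not the page's own configuration): a switch-to-switch MACsec link on a Catalyst switch using MKA with a pre-shared key, the usual way to get the Layer 2 encryption Q477 asks about. The key chain name, CKN/CAK values, policy name and interface are assumed, and the peer switch needs a mirror-image configuration with the same key chain.

```cisco
! Key chain holding the pre-shared CAK. The key ID is the CKN; the key-string
! is the CAK as hex (32 hex digits for AES-128). Values are placeholders.
key chain MKA-KEYS macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 0123456789abcdef0123456789abcdef
  lifetime local 00:00:00 1 Jan 2024 infinite
!
! MKA policy: this side prefers to be key server (lower value wins),
! GCM-AES-128 cipher, full-frame confidentiality (offset 0)
mka policy MKA-LINK
 key-server priority 10
 macsec-cipher-suite gcm-aes-128
 confidentiality-offset 0
!
! Inter-switch link: enable MACsec and bind the MKA policy and PSK
interface TenGigabitEthernet1/0/1
 description Uplink to SW2 (MACsec)
 switchport mode trunk
 macsec network-link
 mka policy MKA-LINK
 mka pre-shared-key key-chain MKA-KEYS
```

Once both sides are configured, 'show mka sessions' should show the session in Secured state with the peer's MI/SCI, and 'show macsec interface TenGigabitEthernet1/0/1' reports the negotiated cipher and replay-protection window. If the session never secures, a CKN/CAK mismatch is the first thing to check; the CAK itself is never visible in show output.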

478
MCQmedium

A network administrator is troubleshooting an issue where users in the finance VLAN are unable to access a critical server in the server VLAN. The switch logs show multiple 'Authentication failed' messages for MAC addresses in the finance VLAN. The switchport security feature is enabled on the access ports. What is the most likely cause of the issue?

A.The switch ports are configured as trunks and are not allowing the finance VLAN.
B.802.1X authentication is failing for the finance users.
C.Spanning Tree Protocol (STP) is blocking the ports in the finance VLAN.
D.Switchport security violation has caused the ports to error-disable or drop traffic.
AnswerD

Switchport security violation can disable the port or drop traffic from unauthorized MAC addresses.

Why this answer

The switch logs show 'Authentication failed' messages for MAC addresses in the finance VLAN, and switchport security is enabled. When a switchport security violation occurs (e.g., due to a MAC address limit or an unauthorized MAC address), the port can be configured to error-disable or drop traffic. This explains why users in the finance VLAN cannot reach the server, as the access ports are effectively blocking traffic due to the security violation.

Exam trap

Cisco often tests the distinction between port-security and 802.1X; the trap here is assuming 'Authentication failed' always refers to 802.1X, when the question ties the messages to port-security violation handling ('protect', 'restrict' or 'shutdown' modes) rather than to an EAP exchange.

How to eliminate wrong answers

Option A is wrong because the question states that switchport security is enabled on access ports, not trunk ports, and the issue is specific to the finance VLAN's access ports, not trunk VLAN filtering. Option B is wrong because 802.1X is a separate IEEE 802.1X-based network access control mechanism; the question ties the 'Authentication failed' messages to port-security MAC address checking, not to 802.1X EAPOL exchanges. Option C is wrong because Spanning Tree Protocol (STP) blocking produces different log messages (for example a topology change or a port moving to the blocking state) and would not generate 'Authentication failed'; STP operates at Layer 2 to prevent loops, not to check MAC addresses.
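Added example, not from the page: an access-port port-security configuration of the kind that produces the violation behaviour Q478 describes, plus errdisable recovery so that a 'shutdown' violation does not leave a finance user stranded until someone bounces the port. The interface, VLAN, MAC limit and timers are assumed.

```cisco
! Access port with port-security. 'restrict' drops frames from any MAC beyond
! the limit, bumps the violation counter and logs a syslog, but keeps the port up.
interface GigabitEthernet1/0/5
 description Finance user port
 switchport mode access
 switchport access vlan 30
 switchport port-security
 ! phone + PC, so allow two addresses
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! learn the first addresses seen and write them into the running config
 switchport port-security mac-address sticky
 spanning-tree portfast
!
! Where the default 'shutdown' violation mode is used, let the switch recover
! err-disabled ports automatically instead of waiting for a manual shut/no shut
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

'show port-security interface GigabitEthernet1/0/5' shows the port status, the configured and current MAC counts, the violation count and the last offending source address, which is normally enough to tell a docking-station MAC change from a genuine rogue device. 'show interfaces status err-disabled' and 'show errdisable recovery' cover the shutdown case.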

479
MCQhard

While troubleshooting an issue where Cisco ESA occasionally fails to process inbound messages, the administrator checks the listener settings and sees that the 'Pool of listeners' option is configured. The mail logs show 'Connection refused' errors during peak hours. What is the most likely cause?

A.The listener service is stopped
B.Listener pool has too few listeners or the pool is misconfigured
C.The sender's IP is blacklisted
D.DNS resolution failure for the sending MTA
AnswerB

A pool of listeners shares the same IP address and port and can be exhausted when too many simultaneous connections arrive.

Why this answer

The 'Connection refused' error during peak hours indicates that the Cisco ESA's listener service is actively rejecting new SMTP connections because the configured listener pool has reached its maximum capacity. The 'Pool of listeners' option defines a set of listener processes that handle inbound mail; if the pool size is too small for the traffic volume, new connections are refused. This is a resource exhaustion issue specific to the listener pool, not a service outage or external blocking.

Exam trap

Cisco often tests the distinction between a stopped service (which causes persistent failures) and a resource-exhausted pool (which causes intermittent failures during high load), leading candidates to mistakenly choose 'listener service is stopped' when the logs show 'Connection refused' only at peak times.

How to eliminate wrong answers

Option A is wrong because if the listener service were stopped, the error would be 'Connection refused' consistently at all times, not only during peak hours, and the mail logs would show a persistent failure rather than intermittent peak-hour issues. Option C is wrong because a blacklisted sender IP would result in a 5xx rejection with a specific anti-spam or reputation-based message in the logs, not a generic 'Connection refused' error. Option D is wrong because DNS resolution failure for the sending MTA would cause a 'Name or service not known' or timeout error during the SMTP handshake, not a 'Connection refused' which occurs at the TCP layer before any DNS lookup is relevant.

480
MCQeasy

An S3 bucket policy is shown. What does the condition "aws:SecureTransport": "true" enforce?

A.Only requests from specific IP ranges are allowed
B.Only requests using server-side encryption with KMS are allowed
C.All requests must be authenticated using AWS IAM and MFA
D.All requests to the bucket must use HTTPS
AnswerD

SecureTransport ensures the connection is encrypted via SSL/TLS.

Why this answer

The condition `"aws:SecureTransport": "true"` in an S3 bucket policy enforces that all requests to the bucket must be made over HTTPS (TLS). This ensures that data in transit is encrypted, preventing eavesdropping or man-in-the-middle tampering. The condition evaluates the `aws:SecureTransport` key, which is `true` only when the request arrived over SSL/TLS. Note that the idiomatic way to enforce this is an explicit Deny with `"Bool": {"aws:SecureTransport": "false"}`: an Allow that requires `true` does not by itself refuse a plaintext request that some other statement or an IAM policy happens to permit, whereas an explicit deny always wins.

Exam trap

Cisco often tests the distinction between encryption in transit (HTTPS) and encryption at rest (SSE), so candidates mistakenly associate `aws:SecureTransport` with server-side encryption or KMS rather than the transport layer security.

How to eliminate wrong answers

Option A is wrong because restricting requests to specific IP ranges is enforced using the `aws:SourceIp` condition key, not `aws:SecureTransport`. Option B is wrong because requiring server-side encryption with KMS is enforced with the `s3:x-amz-server-side-encryption` condition key (value `aws:kms`), optionally narrowed to a specific key with `s3:x-amz-server-side-encryption-aws-kms-key-id`, not with `aws:SecureTransport`. Option C is wrong because requiring MFA is enforced using the `aws:MultiFactorAuthPresent` condition key, not `aws:SecureTransport`.
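Added example, not from the page: the bucket policy shape that enforces the requirement in Q480. It uses the explicit-Deny-when-false form rather than an Allow conditioned on true, because only an explicit deny guarantees that plaintext HTTP requests are refused regardless of what other statements or IAM policies allow. The bucket name is assumed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
```

Both the bucket ARN and the object ARN (`/*`) are listed so that bucket-level operations such as ListBucket are covered as well as object GET/PUT. After applying it, an `aws s3 ls s3://example-bucket --endpoint-url http://s3.amazonaws.com` call should fail with AccessDenied while the default HTTPS endpoint keeps working, which is a quick way to confirm the policy actually bites.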

481
Multi-Selecthard

Which TWO indicators of compromise (IOCs) can Cisco AMP for Endpoints detect and alert on?

Select 2 answers
A.Malicious DNS queries
B.Phishing email headers
C.Fileless attack techniques (e.g., PowerShell injection)
D.File-based malware (via file reputation and analysis)
E.Anomalous network traffic patterns
AnswersC, D

AMP behavioral analysis detects fileless attacks by monitoring process behavior.

Why this answer

Options C and D are correct. AMP detects file-based malware through file reputation (hash lookups) and file analysis, and its behavioral and exploit-prevention engines detect fileless techniques such as PowerShell injection by watching process behavior. Option A is wrong because DNS queries are not inspected by the AMP endpoint connector; that is Umbrella's role.

Option E is wrong because anomalous network traffic patterns are the domain of flow analytics such as Stealthwatch or a firewall, not of the endpoint connector. Option B is wrong because phishing email headers are inspected by the ESA, not by an endpoint agent.

482
MCQhard

A large enterprise uses Cisco TrustSec to enforce segmentation between departments. The network consists of Cisco Catalyst switches running IOS XE with IP ACLs and Security Group Tags (SGTs). The security policy requires that traffic from the Engineering group (SGT=10) to the Finance group (SGT=20) be allowed only to TCP port 443. The administrator configures a Security Group Access Control List (SGACL) on Cisco ISE with a permit statement for TCP 443 and a deny for all other traffic, and pushes it to the switches. After deployment, they notice that Engineering users can access Finance servers not only on TCP 443 but also on other ports. The administrator verifies that the SGACL is correctly configured on ISE and that the switches are receiving the SGTs. Additionally, the switches have IP ACLs on the interfaces. What is the most likely cause of this issue?

A.The SGT classification is not occurring on the access switches.
B.The SGACL is applied only on the inbound direction of the interface.
C.The switches are not running Cisco TrustSec-compatible software.
D.The IP ACLs on the switches are overriding the SGACL.
AnswerD

IP ACLs are evaluated before SGACLs and can permit traffic that SGACLs would deny.

Why this answer

The most likely cause, as the question frames it, is that IP ACLs on the switch interfaces are overriding the SGACL. In Cisco TrustSec, SGACLs are enforced after SGT classification on the egress switch, while a traditional IP ACL bound to an interface is processed in the forwarding path on its own terms and can permit or deny traffic independently of the SGACL. Since the IP ACLs are present and do not match the required policy, they let traffic through on ports other than TCP 443. Before blaming the ACLs, a practitioner would confirm that enforcement is actually on ('cts role-based enforcement' globally and 'cts role-based enforcement vlan-list' for the relevant VLANs), that the expected cell for SGT 10 to SGT 20 is installed ('show cts role-based permissions'), and that it is being hit at all ('show cts role-based counters').

Exam trap

Cisco often tests the interaction between traditional ACLs and SGACLs, where candidates assume SGACLs always take precedence, but in reality, IP ACLs are evaluated first and can override the SGACL policy.

How to eliminate wrong answers

Option A is wrong because the administrator verified that the switches are receiving the SGTs, indicating that SGT classification is occurring correctly. Option B is wrong because SGACLs are enforced on the source SGT and destination SGT pair at the egress point; they are not bound to the inbound or outbound direction of an interface, so 'direction' is not a meaningful misconfiguration here. Option C is wrong because the switches are running IOS XE with IP ACLs and SGTs, which implies they support TrustSec features; the problem is not software incompatibility but a configuration conflict.

483
MCQeasy

A network engineer is configuring 802.1X on a Cisco switch for wired clients. After configuration, some clients fail authentication. The engineer notices that the clients are not sending any EAP packets. What is the most likely cause?

A.The switch port is configured with access VLAN instead of voice VLAN.
B.The RADIUS server is unreachable.
C.The clients do not have an 802.1X supplicant enabled.
D.The switch port is configured with 'authentication port-control auto'.
AnswerC

Without a supplicant, clients cannot initiate EAP.

Why this answer

Option C is correct because if no EAP packets are sent, the client most likely has no 802.1X supplicant enabled (on Windows, the Wired AutoConfig service), so it never answers the switch's EAP-Request/Identity. Option A is incorrect because access versus voice VLAN assignment does not affect whether EAP is transmitted. Option D is incorrect because 'authentication port-control auto' is exactly the command that enables 802.1X enforcement on the port.

Option B is incorrect because an unreachable RADIUS server would still leave the client sending EAP packets; the switch would see EAPOL from the supplicant and the failure would surface at the RADIUS step instead.

484
MCQhard

Refer to the exhibit. An engineer notices that a malicious file disguised as 'app.exe' in the FinanceApp folder (SHA-256 unknown to AMP) was blocked. However, another unknown executable in the same folder was also blocked, causing a false positive. What should the engineer change in the policy to allow only the legitimate 'app.exe' while still blocking unknown executables?

A.Remove the file exclusion for the FinanceApp folder entirely.
B.Remove the process exclusion for app.exe.
C.Change the action for unknown files from 'block' to 'detect'.
D.Change the file exclusion path to the exact full path of app.exe instead of a wildcard.
AnswerD

A specific path exclusion for app.exe will allow it while still blocking other unknown executables in the folder.

Why this answer

Option D is correct: a wildcard or folder-wide file exclusion exempts every file under FinanceApp from scanning, whereas an exclusion scoped to the exact full path of app.exe keeps only the legitimate binary exempt while every other unknown executable in the folder remains subject to the unknown-file block action. Option A is wrong because removing the exclusion altogether leaves app.exe blocked as well. Option B is wrong because the process exclusion governs what app.exe is allowed to do once it is running, not whether the file itself is scanned, and it may be needed for the application to work.

Option C is wrong because changing the unknown-file action to 'detect' would allow every unknown executable to run, including the malicious one.

485
MCQmedium

A security engineer is troubleshooting an issue where Cisco AMP for Endpoints is not detecting a known malware sample on a Windows endpoint. The endpoint is running Windows 10 with the latest AMP connector installed and is connected to the corporate network. The malware sample was downloaded from a trusted source for testing. Which configuration is most likely causing the lack of detection?

A.The connector is configured to operate in offline mode.
B.The file reputation scanning is disabled.
C.Custom detections are not configured for the malware.
D.Real-time scanning is disabled for the download directory.
AnswerA

In offline mode, the connector cannot perform cloud lookups for file hashes, so known malware may not be detected.

Why this answer

When Cisco AMP for Endpoints is in offline mode, the connector cannot communicate with the cloud-based threat intelligence and reputation servers. This prevents it from performing file reputation lookups and retrieving the latest malware signatures, so even known malware samples will not be detected. The connector relies on cloud lookups for real-time detection of new or known threats, and offline mode disables this critical function.

Exam trap

Cisco often tests the misconception that disabling real-time scanning or file reputation scanning is the primary cause of missed detections, when in fact the connector's inability to communicate with the cloud (offline mode) is the most direct and common reason for failing to detect known malware.

How to eliminate wrong answers

Option B is wrong because file reputation lookups are the connector's core function and are enabled by default in the policy; nothing in the question suggests they were turned off, whereas offline mode removes the cloud lookups wholesale. Option C is wrong because custom detections are user-defined rules for specific indicators, but the question states the malware is a known sample that the built-in reputation and signature engines should catch without custom rules. Option D is wrong because real-time scanning is a separate feature that monitors file system activity; even if it were disabled for one directory, the connector would still catch the sample on execute or during a scheduled scan, unless the connector as a whole cannot reach the cloud.

486
MCQmedium

A company uses Cisco Stealthwatch Cloud for network visibility in AWS. They notice a spike in encrypted traffic from an EC2 instance to an unknown external IP. Which Stealthwatch Cloud feature can analyze this traffic for threats without decrypting it?

A.NetFlow generation
B.Encrypted Traffic Analytics (ETA)
C.Deep Packet Inspection (DPI)
D.SSL Decryption
AnswerB

ETA uses ML to analyze encrypted traffic patterns for threats.

Why this answer

Encrypted Traffic Analytics (ETA) is the correct feature because it uses machine learning and behavioral analysis to inspect metadata (e.g., flow records, packet lengths, timing) of encrypted traffic without decrypting it. This allows Stealthwatch Cloud to detect anomalies like command-and-control communication or data exfiltration even when the payload is encrypted.

Exam trap

The trap here is that candidates often confuse 'Encrypted Traffic Analytics' with 'SSL Decryption' or 'DPI,' assuming that threat analysis of encrypted traffic always requires decryption, when in fact ETA uses metadata and machine learning to bypass that need.

How to eliminate wrong answers

Option A is wrong because NetFlow generation provides basic flow metadata (IPs, ports, protocols) but lacks the advanced behavioral analysis needed to detect threats in encrypted traffic without decryption. Option C is wrong because Deep Packet Inspection (DPI) requires access to unencrypted payloads, which is not possible with encrypted traffic and would require decryption. Option D is wrong because SSL Decryption explicitly decrypts the traffic, which violates the requirement to analyze without decrypting and introduces privacy and compliance concerns.

487
Multi-Selecthard

An organization is adopting a cloud-first strategy and wants to ensure least-privilege access for cloud resources. Which THREE measures should be implemented as part of a cloud IAM strategy? (Select three.)

Select 3 answers
A.Use managed identities for access
B.Regularly review and remove unused roles
C.Store secrets in source code repositories for ease of deployment
D.Enable single sign-on with multi-factor authentication
E.Implement role-based access control with scoping
AnswersA, B, E

Avoids long-term credentials and provides temporary permissions.

Why this answer

Managed identities (such as Azure Managed Identities or AWS IAM roles for EC2) eliminate the need to store credentials in code or configuration files; the cloud provider rotates the credentials automatically and binds the identity to the compute resource, so it carries only the permissions that resource needs. Regularly reviewing and removing unused roles (B) keeps stale, over-broad permissions from accumulating, and scoped role-based access control (E) limits each role to the resources and actions it actually requires. Option C is the opposite of least privilege: secrets in a source repository are exposed to everyone with read access to the repository and to every clone and backup of it.

Exam trap

Cisco often tests the distinction between authentication mechanisms (like SSO/MFA) and authorization mechanisms (like RBAC with scoping), leading candidates to incorrectly select SSO/MFA as a least-privilege measure when it only addresses identity verification, not permission restriction.

488
MCQmedium

A network engineer is configuring OSPF on a Cisco router and needs to enable authentication between neighbors. The authentication type should be MD5. Which configuration step is required?

A.ospf authentication-key under router ospf
B.ip ospf authentication message-digest under the interface
C.area 0 authentication command in router configuration
D.ip ospf authentication null
AnswerB

This interface command enables MD5 authentication.

Why this answer

Option B is correct because to enable OSPF MD5 authentication on a Cisco router, the 'ip ospf authentication message-digest' command must be applied under the specific interface. This command tells OSPF to use MD5 (message-digest) authentication for that interface, and it must be paired with an 'ip ospf message-digest-key' command to define the actual key. The authentication type is configured at the interface level, not globally under the OSPF routing process.

Exam trap

Cisco often tests the distinction between area-level authentication (which defaults to simple) and interface-level MD5 authentication, causing candidates to mistakenly choose 'area 0 authentication' thinking it covers MD5.

How to eliminate wrong answers

Option A is wrong because there is no 'ospf authentication-key' command under router ospf; the real command, 'ip ospf authentication-key', lives on the interface and configures simple (type 1) plaintext authentication, not MD5. Option C is wrong because 'area 0 authentication' enables simple authentication for the whole area; MD5 for the area requires 'area 0 authentication message-digest', and even then the key itself is still configured per interface. Option D is wrong because 'ip ospf authentication null' explicitly disables authentication on the interface, which is the opposite of what is required.
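Added example (not from the page): the interface-level MD5 configuration on one side of a link, as Q488 requires, followed by the key-chain form that newer IOS and IOS-XE releases support for HMAC-SHA authentication. Interface names, addresses, the router ID and the key strings are assumed.

```cisco
! Per-interface MD5 authentication (RFC 2328 cryptographic authentication).
! Both neighbors must carry the same key ID and key string.
interface GigabitEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OspfMd5Key1
!
router ospf 1
 router-id 10.1.1.1
 network 10.1.12.0 0.0.0.255 area 0
 network 10.1.13.0 0.0.0.255 area 0
!
! Stronger alternative on IOS 15.4(1)T+ / IOS-XE: key chain with HMAC-SHA-256
! (RFC 5709). The single 'ip ospf authentication key-chain' line replaces the
! two 'message-digest' lines above on the interface that uses it.
key chain OSPF-KEYS
 key 1
  key-string OspfShaKey1
  cryptographic-algorithm hmac-sha-256
!
interface GigabitEthernet0/1
 ip address 10.1.13.1 255.255.255.0
 ip ospf authentication key-chain OSPF-KEYS
```

'show ip ospf interface GigabitEthernet0/0' reports "Message digest authentication enabled" and the youngest key ID in use; if the adjacency stays in INIT or never forms, 'debug ip ospf adj' names the mismatch (authentication type or key) explicitly. Putting 'area 0 authentication message-digest' under router ospf makes MD5 the default for every interface in the area, but the key itself is still configured per interface exactly as above.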

489
MCQeasy

A security engineer is configuring a Cisco ASA to block traffic from a specific IP address. Which access control entry (ACE) should be applied to the inbound direction of the outside interface?

A.access-list outside_in extended deny ip any host 10.1.1.1
B.access-list outside_in extended deny ip host 10.1.1.1 any
C.access-list outside_in extended deny tcp any host 10.1.1.1
D.access-list outside_in extended deny tcp host 10.1.1.1 any eq 80
AnswerB

Correctly blocks all IP traffic from the specified host.

Why this answer

Option B is correct because the ACE uses the 'ip' protocol to block all traffic from the specific source host 10.1.1.1 to any destination, which is the most comprehensive way to block all IP traffic from that address. In Cisco ASA ACLs, the order of source and destination is 'source destination', so 'deny ip host 10.1.1.1 any' correctly matches packets with source IP 10.1.1.1 and any destination, applied inbound on the outside interface to block traffic entering the network.

Exam trap

Cisco often tests the source-destination order in ACL syntax, and the trap here is that candidates mistakenly reverse the order (putting the target IP as the destination instead of the source) or unnecessarily restrict the protocol, thinking that blocking TCP alone is sufficient.

How to eliminate wrong answers

Option A is wrong because it specifies 'any' as the source and 'host 10.1.1.1' as the destination, which would block traffic from any source going to 10.1.1.1, not traffic originating from 10.1.1.1. Option C is wrong because it restricts the protocol to TCP only, so non-TCP traffic (e.g., UDP, ICMP) from 10.1.1.1 would not be blocked, leaving a security gap. Option D is wrong because it further narrows the rule to TCP traffic from host 10.1.1.1 to any destination on port 80 only, which fails to block other protocols or ports from that IP address.
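Added example (not the page's own configuration): the ACE from option B placed in a realistic inbound ACL, with the ordering and cleanup a practitioner would do alongside it. The permitted services and the 203.0.113.10 server address are assumed; 10.1.1.1 is the address the question uses.

```cisco
! Inbound ACL on the outside interface. ASA ACLs are first-match, so the deny
! must sit above any permit that the host's traffic could otherwise match;
! 'line 1' pins it to the top even if the list already exists.
access-list outside_in remark Block all IP traffic sourced from 10.1.1.1
access-list outside_in line 1 extended deny ip host 10.1.1.1 any
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
!
! Bind the ACL inbound on the outside interface
access-group outside_in in interface outside
!
! Connections that already exist are not re-checked against the new ACE;
! tear down any from the blocked host explicitly
clear conn address 10.1.1.1
```

'show access-list outside_in' shows a hit count next to each ACE, so a rising count on the deny line confirms it is matching; 'packet-tracer input outside tcp 10.1.1.1 40000 203.0.113.10 443' walks a synthetic packet through the ACL and reports the drop phase. For a quick temporary block during an incident, 'shun 10.1.1.1' drops the host's traffic and kills its existing connections without touching the ACL, but it is not saved to the configuration and is cleared with 'no shun 10.1.1.1'.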

490
MCQmedium

You are tasked with securing a new cloud deployment on AWS. The environment consists of a web application running on EC2 instances behind an Application Load Balancer (ALB), with data stored in an RDS database. The security requirements include: (1) protect against web application attacks (SQL injection, XSS), (2) ensure only authorized users can access the application, (3) monitor for anomalous behavior. You have decided to use AWS WAF for web application protection, AWS Cognito for user authentication, and Amazon GuardDuty for threat detection. However, the CISO also wants to integrate with Cisco's security portfolio for centralized management and visibility. Which Cisco product would best integrate with these AWS services to provide centralized security management?

A.Cisco Firepower NGFW
B.Cisco Secure Cloud Analytics (Stealthwatch)
C.Cisco Cloudlock
D.Cisco Tetration
Answer: B

Provides centralized visibility and integrates with AWS services.

Why this answer

Cisco Secure Cloud Analytics (Stealthwatch) is the correct choice because it provides centralized visibility and threat detection across hybrid cloud environments, including AWS. It integrates with AWS CloudWatch and VPC Flow Logs to ingest network telemetry, and it can correlate alerts from AWS GuardDuty, WAF, and Cognito into a single pane of glass for security operations. This aligns with the CISO's requirement for centralized management and visibility using Cisco's security portfolio.

Exam trap

Cisco often tests the distinction between products that provide centralized visibility (Stealthwatch) versus those that enforce inline security (Firepower NGFW) or focus on SaaS security (Cloudlock) or micro-segmentation (Tetration), leading candidates to confuse 'integration with AWS services' with 'deployment in AWS'.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower NGFW is a network firewall appliance designed for on-premises or virtual deployments (e.g., AWS Marketplace), but it does not natively aggregate logs or alerts from AWS-native services like WAF, Cognito, or GuardDuty into a centralized management console; it focuses on inline traffic inspection and policy enforcement, not multi-service log correlation. Option C is wrong because Cisco Cloudlock is a cloud access security broker (CASB) focused on SaaS application security (e.g., Office 365, Salesforce) and data loss prevention, not on integrating with AWS infrastructure services like EC2, ALB, or RDS for centralized threat monitoring. Option D is wrong because Cisco Tetration is a workload security and micro-segmentation platform that uses agents and flow data to enforce zero-trust policies, but it does not provide centralized management of AWS-native security services; it is more about application dependency mapping and segmentation, not log aggregation from WAF, Cognito, or GuardDuty.

491
MCQ (hard)

A financial company is deploying Cisco ISE with TrustSec to enforce segmentation between application tiers (web, app, DB). They have a Cisco Catalyst 9500 as the core and Catalyst 9300s as access switches. SXP is configured between ISE and the core switch, and the core switch propagates SGTs to the access switches via SGT inline tagging on trunk ports. The engineer has configured SGTs for web (SGT=2), app (SGT=3), and DB (SGT=4). However, when testing from a web server (IP 10.1.1.10, SGT=2) to an app server (IP 10.1.2.20, SGT=3), the app server sees the traffic without an SGT in the packet, so the access switch cannot enforce policy. The engineer checks 'show cts role-based sgt-map' on the core and sees the mapping 10.1.1.10 -> 2. What is the most likely issue?

A.The ISE policy does not allow the traffic from web to app
B.The access switch does not have the security group ACL configured
C.The trunk between core and access is not configured for SGT inline tagging
D.The SXP connection between ISE and core is not established
Answer: C

Without 'cts manual' or 'trust sec' on the trunk, the core switch will not insert the SGT into packets going to the access switch.

Why this answer

If the access switch is not receiving tagged packets, either the SGT mappings are not being shared along the path or inline tagging is not correctly configured. Option C is correct because if the trunk between core and access does not have 'cts manual' enabled, the core switch will not insert the SGT into the packet, so the access switch has no tag to enforce on. Option D would cause no SGT at all, but the mapping for 10.1.1.10 is present on the core, so SXP is working.

Option B would affect enforcement, not tagging. Option A would affect policy, not packet tagging.

492
MCQ (hard)

An endpoint with MAC 0011.2233.4455 and user 'guest' authenticates but fails. However, the device is not assigned to quarantine. Which policy condition is most likely responsible for the unexpected behavior?

A.The authentication failure overrides authorization
B.The quarantine VLAN is not configured on the switch
C.The device is compliant and the device type is in the allowed list
D.The device is authenticated via MAB, bypassing posture
Answer: C

Condition false, so quarantine not applied.

Why this answer

Option C is correct because the condition requires either 'EndPointCompliant EQUALS No' OR device type not in the list. If the device is compliant (posture passed) and the device type is in the list, the condition is false, so the quarantine rule is not applied, and a default permit rule might apply instead. Option A is incorrect because authentication failure would show 'Failed' and not reach authorization.

Option D is incorrect because MAB is not in use here. Option B is incorrect because the quarantine rule never matched; had it matched, the device would have been assigned to quarantine regardless of the switch VLAN configuration.

493
MCQ (easy)

An organization wants to deploy AMP for Endpoints in an offline environment where endpoints cannot connect to the internet. Which deployment option is appropriate?

A.Deploy the AMP connectors with a local proxy caching all AMP communications.
B.Install a Cisco AMP Private Cloud appliance within the local network and point connectors to it.
C.Configure the AMP connectors in 'Standalone' mode to operate without cloud communication.
D.Use Cisco ESA as an intermediary to proxy AMP requests from endpoints.
Answer: B

Private Cloud provides all cloud functionality locally for offline environments.

Why this answer

Option B is correct because Cisco AMP supports a 'Private Cloud' appliance, which can be deployed in an isolated network and provides the cloud functionality locally. Option C is incorrect because 'Standalone' mode does not exist for AMP connectors.

Options A and D are incorrect because proxying AMP communications, whether through a local caching proxy or the ESA, does not enable offline operation; the connectors still require cloud connectivity for full functionality.

494
MCQ (hard)

An engineer is troubleshooting a Cisco ISE deployment where some endpoints are not being profiled correctly. The administrator notices that the endpoints are not sending DHCP requests. Which profiling probe should be primarily used to identify these endpoints?

A.NetFlow probe
B.DHCP probe
C.HTTP probe
D.DNS probe
Answer: A

NetFlow probe analyzes traffic flows and can profile endpoints based on IP and port information.

Why this answer

The correct answer is A (NetFlow probe) because when endpoints do not send DHCP requests, the DHCP probe cannot collect any data. The NetFlow probe analyzes network traffic flows to identify endpoints based on IP addresses, ports, and protocols, even without DHCP activity. This allows Cisco ISE to profile endpoints by observing their communication patterns, such as HTTP or DNS traffic, which still occur even if DHCP is not used.

Exam trap

Cisco often tests the misconception that DHCP is the only way to profile endpoints, leading candidates to choose the DHCP probe, but the trap here is recognizing that NetFlow provides visibility even when DHCP traffic is absent.

How to eliminate wrong answers

Option B (DHCP probe) is wrong because it relies on DHCP requests and acknowledgments; if endpoints are not sending DHCP requests, this probe will not capture any data to profile them. Option C (HTTP probe) is wrong because it only identifies endpoints that generate HTTP traffic, which may not be present for all devices, and it is not the primary probe for endpoints lacking DHCP activity. Option D (DNS probe) is wrong because it depends on DNS queries, which may not be sent by all endpoints, and it is not the primary method when DHCP is absent.

495
MCQ (medium)

A university is using Cisco ESA to manage email for 20,000 students and staff. They have implemented anti-spam and anti-virus policies. Recently, the IT helpdesk has been receiving complaints that legitimate emails from external senders (such as admissions notifications) are being marked as spam and quarantined. The administrators check the ESA and find that these emails are being flagged with a spam score above the threshold, but the content appears to be legitimate. The sending domains are not on any blacklist. The ESA is using default anti-spam settings. What should the administrator do to reduce false positives without compromising security?

A.Create a content filter to allow any email with 'admissions' in the subject.
B.Disable anti-spam scanning for all inbound email.
C.Add the legitimate sender domains or IPs to the ESA's whitelist (SenderBase whitelist).
D.Lower the spam threshold to decrease sensitivity.
Answer: C

Whitelist trusted senders.

Why this answer

Option C is correct because adding the legitimate sender domains or IPs to the ESA's SenderBase whitelist explicitly bypasses anti-spam scanning for those trusted sources, reducing false positives while maintaining security for all other inbound email. This approach leverages the ESA's reputation-based filtering to allow known good senders without lowering the global spam threshold or disabling protection entirely.

Exam trap

Cisco often tests the distinction between whitelisting (bypassing scanning) and content filters (applying actions after scanning), leading candidates to mistakenly choose a content filter rule that can be exploited or a threshold adjustment that worsens false positives.

How to eliminate wrong answers

Option A is wrong because creating a content filter based solely on the subject line 'admissions' is too broad and can be easily bypassed by spammers, leading to security gaps. Option B is wrong because disabling anti-spam scanning for all inbound email removes protection against spam and malware, compromising the university's email security posture. Option D is wrong because lowering the spam threshold increases sensitivity, which would actually cause more false positives, not reduce them.

496
MCQ (medium)

A security engineer is deploying Cisco AMP for Endpoints to protect against malware. The company wants to block all executables from running in the Downloads folder except those signed by a specific trusted publisher. Which policy configuration should the engineer use?

A.Use the default malware protection policy, which automatically blocks untrusted executables in Downloads.
B.Create an Application Control rule to block all executables in the Downloads folder and add an exception for the trusted publisher.
C.Configure an Exclusion for the Downloads folder and then use a Custom Detection for untrusted executables.
D.Enable Simple Custom Detections with the SHA-256 hashes of all known executables.
Answer: B

Application Control allows blocking by path and creating exceptions based on publisher certificate.

Why this answer

Option B is correct because Cisco AMP for Endpoints uses Application Control rules to allow or block executables based on file path and publisher certificate. By creating a rule that blocks all executables in the Downloads folder and adding an exception for executables signed by the trusted publisher, the engineer achieves the exact requirement: only trusted signed executables can run from that folder.

Exam trap

The trap here is that candidates often confuse malware protection policies (which rely on reputation and analytics) with Application Control rules (which enforce explicit allow/block based on path and publisher), leading them to select the default malware protection option despite it not supporting folder-specific blocking based on publisher trust.

How to eliminate wrong answers

Option A is wrong because the default malware protection policy in AMP for Endpoints uses cloud-based file reputation and behavioral analysis, not path-based blocking of all untrusted executables in a specific folder. Option C is wrong because configuring an Exclusion for the Downloads folder would exempt it from all scanning, allowing any executable to run, and Custom Detections are for specific files or hashes, not for publisher-based exceptions. Option D is wrong because Simple Custom Detections rely on SHA-256 hashes, which is impractical for blocking all untrusted executables dynamically and does not support publisher-based trust exceptions.

497
MCQ (medium)

An organization wants to enforce micro-segmentation in a data center to isolate application tiers. Which Cisco technology allows defining security policies based on endpoint groups rather than IP addresses?

A.Cisco ASA with access-lists
B.Cisco TrustSec with Security Group Tags (SGTs)
C.Cisco ISE with guest services
D.Cisco Firepower NGFW with URL filtering
Answer: B

TrustSec uses SGTs for group-based policy enforcement, ideal for micro-segmentation.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) to classify traffic based on endpoint groups (e.g., application tiers) rather than IP addresses. This allows micro-segmentation by enforcing policies that follow the traffic regardless of IP changes, using SGTs carried in the packet via Cisco Metadata (CMD) or inline tagging.

Exam trap

Cisco often tests the distinction between IP-based ACLs (ASA) and identity-based segmentation (TrustSec), so the trap here is assuming that any firewall or NGFW can achieve micro-segmentation without understanding that TrustSec's SGTs are specifically designed for endpoint-group policies independent of IP addresses.

How to eliminate wrong answers

Option A is wrong because Cisco ASA with access-lists relies on static IP addresses and port numbers, not endpoint groups, making it unsuitable for dynamic micro-segmentation that follows workloads. Option C is wrong because Cisco ISE with guest services focuses on guest user authentication and policy enforcement for network access, not on defining security policies between application tiers within a data center. Option D is wrong because Cisco Firepower NGFW with URL filtering controls web traffic based on URLs and categories, not on endpoint group-based segmentation between application tiers.

498
Multi-Select (easy)

Which THREE of the following are indicators of compromise (IOCs) that can be detected by Cisco AMP for Endpoints?

Select 3 answers
A.Physical access badge ID
B.Suspicious process execution
C.Malicious file SHA256 hash
D.Phishing URL in an email
E.Command-and-control IP address
Answers: B, C, E

AMP's behavioral protection detects malicious process behavior.

Why this answer

Options B, C, and E are correct. AMP can detect suspicious process executions (B), malicious file SHA256 hashes (C), and command-and-control IP addresses (E) as IOCs. Option D is incorrect because a phishing URL in an email is a social engineering indicator, not a technical IOC detected by AMP for Endpoints.

Option A is incorrect because physical intrusion is not detected by endpoint software.

499
MCQ (hard)

A company uses AWS Organizations with multiple accounts. They need to enforce that all S3 buckets have encryption enabled. Which AWS service can centrally audit and automatically remediate non-compliant buckets?

A.Amazon GuardDuty
B.AWS CloudTrail
C.AWS Config conformance packs
D.AWS Security Hub
Answer: C

Config can evaluate rules and trigger remediation actions.

Why this answer

AWS Config conformance packs allow you to deploy a collection of AWS Config rules and remediation actions as a single entity. By using a conformance pack that includes the 's3-bucket-server-side-encryption-enabled' managed rule, you can continuously audit all S3 buckets across your AWS Organization for encryption compliance and automatically trigger remediation (e.g., via AWS Systems Manager Automation) to enable encryption on non-compliant buckets.

Exam trap

Cisco often tests the distinction between services that detect threats (GuardDuty), log API calls (CloudTrail), aggregate findings (Security Hub), and those that enforce configuration compliance (Config conformance packs), so the trap here is confusing Security Hub's aggregation role with Config's direct auditing and remediation capability.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior, not a compliance auditing or remediation service for S3 bucket encryption. Option B is wrong because AWS CloudTrail records API activity for auditing and governance, but it does not evaluate resource configurations or enforce compliance policies. Option D is wrong because AWS Security Hub aggregates security findings from multiple services (like GuardDuty, Inspector, and Config) and provides a centralized view, but it does not itself perform configuration auditing or automated remediation of non-compliant resources.

500
MCQ (easy)

Which protocol does Cisco ISE use to communicate with the pxGrid controller for sharing contextual data?

A.JSON-RPC over certificate-based TLS
B.REST API over HTTPS
C.TACACS+
D.RADIUS
Answer: A

pxGrid uses JSON-RPC over TLS with mutual certificate authentication.

Why this answer

Option A is correct. pxGrid uses JSON-RPC over certificate-based TLS for secure communication. Option B is incorrect because the REST API is used for other integrations, not for pxGrid. Options C and D are authentication protocols and are not used for pxGrid.
