Cisco SCOR / CCNP Security Core 350-701 — Questions 526-600

988 questions total · 14 pages · All types, answers revealed

Page 8 of 14
526
Matching · medium

Match each Cisco ASA feature to its description.

Descriptions

Modular Policy Framework for traffic inspection

High availability with active/standby or active/active

Graphical management interface

Command-line interface for configuration

VPN client for remote access

Why these pairings

These are common ASA features and their definitions.

527
Multi-Select · medium

Which TWO of the following are required for successful registration of an AMP for Endpoints connector with the cloud?

Select 2 answers
A. A locally installed SQL database for event storage.
B. A proxy server configured in the connector settings.
C. Outbound HTTPS access to the AMP cloud backend servers.
D. A valid registration token obtained from the AMP console.
E. An inbound firewall rule allowing connections from the AMP cloud.
Answers: C, D

The connector communicates with the cloud over HTTPS (port 443).

Why this answer

Option C is correct because the AMP for Endpoints connector must establish an outbound HTTPS (TCP/443) connection to the AMP cloud backend servers to communicate telemetry, receive policy updates, and perform health checks. Without this outbound access, the connector cannot register or maintain its connection to the cloud.

Exam trap

Cisco often tests the misconception that inbound firewall rules are needed for cloud-based security products, but AMP for Endpoints uses a purely outbound model, so candidates mistakenly select option E thinking the cloud must 'push' data to the endpoint.

528
MCQ · hard

A security analyst is investigating an alert from Cisco Secure Endpoint indicating that an endpoint has been infected with ransomware. The analyst wants to determine the initial infection vector. Which feature of Cisco Secure Endpoint should the analyst use to trace the chain of events leading to the infection?

A. Orbital Advanced Search
B. TETRA traffic analysis
C. Windows Event Viewer integration
D. Device Flow Correlation
Answer: A

Orbital Advanced Search provides retrospective analysis to trace the attack chain.

Why this answer

Orbital Advanced Search is the correct feature because it provides deep forensic visibility into endpoint activity, allowing the analyst to perform advanced queries across files, processes, registry keys, and network connections. This enables tracing the chain of events—such as a malicious email attachment, exploit, or drive-by download—that led to the ransomware infection, by correlating timestamps and process parent-child relationships.

Exam trap

Cisco often tests the distinction between network-level analysis (TETRA, Device Flow Correlation) and endpoint-level forensic investigation (Orbital), leading candidates to confuse traffic analysis with host-based event chain reconstruction.

How to eliminate wrong answers

Option B is wrong because TETRA traffic analysis is a network-based traffic analysis tool used for detecting anomalies in network flows, not for tracing endpoint-level event chains or initial infection vectors. Option C is wrong because Windows Event Viewer integration is a basic log collection method that lacks the advanced querying, cross-system correlation, and forensic depth needed to reconstruct a multi-step attack chain within Cisco Secure Endpoint. Option D is wrong because Device Flow Correlation focuses on correlating network flows between devices to identify lateral movement or C2 communication, not on tracing the initial infection vector on a single endpoint.

529
Multi-Select · medium

Which THREE are recommended best practices for deploying Cisco AMP for Endpoints in a large enterprise?

Select 3 answers
A. Configure the policy to block all files with disposition 'Unknown' to prevent zero-day attacks.
B. Deploy the AMP connector to all endpoints, including servers and desktops.
C. Create separate groups for different operating systems and applications to apply tailored policies.
D. Start with 'Audit' or 'Detect' mode to baseline and adjust before enforcing blocks.
E. Set the default policy action to 'Block' for all file types to maximize security from day one.
Answers: B, C, D

Comprehensive coverage is key for endpoint protection.

Why this answer

Deploying the AMP connector to all endpoints, including servers and desktops, ensures comprehensive visibility and protection across the entire enterprise attack surface. Cisco AMP for Endpoints relies on a connector installed on each device to perform file analysis, retrospective detection, and telemetry collection; leaving any endpoint unmonitored creates a blind spot that attackers can exploit. This is a foundational best practice for large-scale deployments to achieve consistent security coverage.

Exam trap

Cisco often tests the misconception that aggressive blocking (e.g., blocking all 'Unknown' files or setting 'Block' as the default action) is a best practice, when in reality, a phased approach starting with 'Audit' or 'Detect' mode is recommended to avoid breaking production systems and to fine-tune policies based on actual traffic patterns.

530
MCQ · hard

A multinational company has deployed a Cisco Firepower 4100 series device as the perimeter firewall. The network consists of multiple internal segments: a corporate LAN (192.168.1.0/24), a data center (10.10.0.0/16), and a guest wireless network (172.16.0.0/16). The firewall is configured with the following access control policy rules:

1. Allow from any to any (for testing, but currently enabled)
2. Allow from corporate LAN to data center (destination ports TCP/443, TCP/8443)
3. Block from guest wireless to data center
4. Allow from any to internet (destination any)

Recently, the security team discovered that a host in the guest network (172.16.5.50) is communicating with a server in the data center (10.10.10.100) on TCP port 443. The security team wants to immediately block this traffic without affecting other legitimate communications. Which action should be taken first?

A. Move rule 3 (block guest to data center) above rule 1 (allow all)
B. Modify rule 2 to include a deny for the guest subnet
C. Change rule 4 to block all traffic from guest network
D. Add a new rule after rule 4 to block the specific traffic
Answer: A

This ensures the block rule is evaluated before the allow rule, stopping the traffic.

Why this answer

Rule 1 is an 'allow any any' rule placed above rule 3, which is supposed to block guest-to-data-center traffic. Because Cisco Firepower processes access control rules in top-down order, rule 1 matches and permits the traffic before rule 3 can be evaluated. Moving rule 3 above rule 1 ensures the block action is applied first, immediately stopping the unwanted communication without altering other rules.

Exam trap

Cisco often tests the concept that a default 'allow any' rule placed above more specific deny rules will negate those denies, and candidates mistakenly think adding a new rule or modifying an existing rule later in the policy will override the earlier match.

How to eliminate wrong answers

Option B is wrong because modifying rule 2 to deny the guest subnet would break the intended allow rule for corporate LAN to data center, and it would not block the specific traffic unless the deny is placed before the allow, which still requires reordering. Option C is wrong because changing rule 4 to block all traffic from guest network would also block legitimate guest internet access, violating the requirement to not affect other communications. Option D is wrong because adding a new rule after rule 4 would never be evaluated for this traffic, as rule 1 (allow any any) already permits it earlier in the sequence.

531
MCQ · medium

A security engineer is configuring Cisco Umbrella to block malicious domains. They need to ensure that internal DNS queries from remote users using Cisco AnyConnect are protected. Which deployment method should they use?

A. Configure DNS Layer Security in the office firewall
B. Enable Cisco Cloudlock integration
C. Install the Umbrella Roaming Client on all endpoints
D. Deploy the Umbrella virtual appliance at headquarters
Answer: C

The Roaming Client secures DNS queries regardless of user location.

Why this answer

The Umbrella Roaming Client (now part of Cisco Secure Client) is the correct deployment method because it provides DNS-layer security directly on endpoints, including remote users connecting via AnyConnect. It intercepts DNS queries on the local machine and forwards them to Umbrella's cloud-based DNS resolvers, ensuring protection even when the user is off-network or behind a VPN. This is the only option that covers remote users without relying on network-level appliances or firewalls.

Exam trap

Cisco often tests the misconception that VPN-based protection (like AnyConnect) inherently secures DNS traffic, but the trap here is that without a local agent like the Umbrella Roaming Client, DNS queries from remote users may bypass the corporate DNS policy and use the local ISP's DNS resolver.

How to eliminate wrong answers

Option A is wrong because configuring DNS Layer Security in the office firewall only protects DNS queries that traverse that firewall, not those from remote users who are off-network or whose traffic is tunneled via AnyConnect. Option B is wrong because Cisco Cloudlock is a cloud access security broker (CASB) for SaaS applications, not a DNS-layer security solution for blocking malicious domains. Option D is wrong because deploying the Umbrella virtual appliance at headquarters only protects DNS queries originating from within the corporate network, not from remote endpoints.

532
Multi-Select · hard

A security administrator is configuring a Cisco CloudLock policy for a SaaS application. The policy must detect and alert on sharing of files containing personally identifiable information (PII) with external users. Which TWO actions should the administrator take? (Choose two.)

Select 2 answers
A. Configure a policy to automatically block all external sharing of files containing PII.
B. Disable external sharing for the entire SaaS application.
C. Create a data loss prevention (DLP) rule with a PII pattern.
D. Create a policy that triggers an alert when a file with PII is shared externally.
E. Enable transparent proxy to inspect all traffic.
Answers: C, D

Correct: DLP rules identify sensitive content like PII.

Why this answer

Option C is correct because Cisco CloudLock uses DLP rules to scan files for sensitive content like PII patterns. Creating a DLP rule with a PII pattern enables the policy to identify files containing PII, which is the first step in detecting and alerting on such sharing events.

Exam trap

Cisco often tests the distinction between detection/alerting and automated blocking, so candidates may mistakenly choose a blocking action (Option A) when the question explicitly asks for detection and alerting.

533
Multi-Select · easy

A company is deploying a cloud-based web application and wants to protect against OWASP Top 10 attacks. Which THREE security controls should they implement? (Select three.)

Select 3 answers
A. Input validation
B. Rate limiting
C. Data loss prevention (DLP)
D. Network segmentation at the hypervisor level
E. Web application firewall (WAF)
Answers: A, B, E

Prevents injection attacks.

Why this answer

Input validation (A) is correct because it is a fundamental security control that sanitizes and validates user-supplied data before processing, directly mitigating injection attacks (e.g., SQLi, XSS) listed in the OWASP Top 10. By enforcing whitelist-based validation on the cloud-based web application, it prevents malformed or malicious input from reaching the application logic, which is critical for cloud environments where the application is exposed to the internet.

Exam trap

Cisco often tests the distinction between application-layer controls (input validation, WAF, rate limiting) and infrastructure-layer controls (DLP, hypervisor segmentation), leading candidates to mistakenly select DLP or hypervisor segmentation as protections against OWASP Top 10 attacks.

534
MCQ · easy

A security architect is designing network access control for a campus network. The requirement is to authenticate users before granting network access and to enforce policies based on user identity and device posture. Which solution should be deployed?

A. AAA server with TACACS+
B. VPN concentrator with client certificate authentication
C. Next-generation firewall with application control
D. Cisco Identity Services Engine (ISE)
Answer: D

ISE provides centralized policy enforcement for network access with user and device context.

Why this answer

Cisco ISE is the correct solution because it provides centralized policy-based network access control that authenticates users via 802.1X, MAB, or web authentication, and enforces dynamic VLAN assignment, ACLs, or SGTs based on user identity and device posture (e.g., compliance with antivirus, OS patches). Unlike a generic AAA server, ISE integrates with posture assessment (via AnyConnect or NAC Agent) and supports profiling, guest access, and BYOD onboarding, directly meeting the requirement for identity- and posture-based enforcement.

Exam trap

Cisco often tests the distinction between AAA for device administration (TACACS+) and AAA for network access (RADIUS/ISE), leading candidates to mistakenly choose a generic AAA server when the question specifically requires identity- and posture-based enforcement.

How to eliminate wrong answers

Option A is wrong because TACACS+ is a legacy AAA protocol that separates authentication, authorization, and accounting but does not support device posture assessment or dynamic policy enforcement based on endpoint health; it is typically used for device administration (e.g., router/switch CLI access), not for network access control of end-user devices. Option B is wrong because a VPN concentrator with client certificate authentication only secures remote access connections and does not control access to the campus network at the edge (wired/wireless); it lacks the ability to enforce policies based on device posture or integrate with switch/AP port-level control. Option C is wrong because a next-generation firewall with application control inspects traffic at the network perimeter and enforces policies based on application signatures, not user identity or device posture; it cannot authenticate users at the access layer or dynamically assign VLANs/ACLs on switches.

535
MCQ · medium

A company wants to privately connect an on-premises network to an Azure virtual network without traversing the internet. Which Azure service should they use?

A. Azure VPN Gateway
B. Azure Front Door
C. Azure ExpressRoute
D. Azure Private Link
Answer: C

ExpressRoute offers dedicated private connectivity.

Why this answer

Azure ExpressRoute provides dedicated private connectivity from on-premises to Azure, bypassing the internet.

536
MCQ · medium

An attacker intercepts ARP packets on a local network and associates their MAC address with the IP address of a legitimate host. This is an example of which attack?

A. ARP spoofing
B. Typosquatting
C. SSL stripping
D. DNS cache poisoning
Answer: A

ARP spoofing involves sending forged ARP replies to link an attacker's MAC to a legitimate IP.

Why this answer

ARP spoofing (ARP poisoning) allows an attacker to intercept traffic by associating their MAC with the victim's IP.

537
Multi-Select · medium

An organization wants to block access to malicious websites using Cisco Umbrella. Which two protection layers are available with the Umbrella SIG? (Choose two.)

Select 2 answers
A. IPS/IDS
B. Cloud proxy
C. DNS security
D. VPN termination
E. Email sandboxing
Answers: B, C

Cloud proxy inspects HTTP/HTTPS traffic.

Why this answer

Umbrella SIG includes DNS security and cloud proxy for web traffic filtering.

538
Multi-Select · medium

Which TWO actions are recommended best practices for securing web traffic using Cisco Umbrella?

Select 2 answers
A. Configure SSL decryption to always bypass traffic to trusted domains.
B. Configure the network to use the root DNS forwarder for all DNS queries.
C. Enable IP-layer enforcement for all destinations.
D. Configure local security stack bypass for all internal IP ranges.
E. Use Selective Proxy with PAC files to route traffic based on destination category.
Answers: C, E

IP-layer enforcement blocks malicious IPs at the network layer, providing comprehensive protection.

Why this answer

Option C is correct because enabling IP-layer enforcement in Cisco Umbrella ensures that all traffic to destinations that match a blocked category is dropped at the IP layer, even if DNS-based blocking is bypassed (e.g., via direct IP connections). This provides a second layer of protection by inspecting and blocking traffic based on the destination IP address, preventing users from circumventing DNS filtering by using IP addresses directly.

Exam trap

Cisco often tests the misconception that DNS-layer blocking is sufficient for full web security, but the trap here is that IP-layer enforcement is required to catch traffic that bypasses DNS, such as direct IP connections or non-DNS protocols.

539
Multi-Select · hard

Which THREE of the following are key principles of the Cisco Zero Trust security model?

Select 3 answers
A. Never trust, always verify
B. Continuous monitoring and validation
C. Implicit trust for internal traffic
D. Perimeter-based security
E. Least privilege access
Answers: A, B, E

Core principle of zero trust.

Why this answer

Option A is correct because 'Never trust, always verify' is the foundational principle of the Cisco Zero Trust security model, which mandates that no user, device, or network segment is trusted by default, regardless of its location relative to the network perimeter. This principle eliminates implicit trust and requires authentication and authorization for every access request, aligning with the Zero Trust architecture defined in NIST SP 800-207.

Exam trap

Cisco often tests the misconception that Zero Trust still allows implicit trust for internal traffic or relies on a strong perimeter, when in fact the model explicitly removes all location-based trust and requires continuous verification for every access attempt.

540
MCQ · hard

A security engineer reviews the security group rules for an EC2 instance. Based on the exhibit, which security concern should be addressed immediately?

A. SSH is allowed from the entire internet because it uses TCP port 22
B. There is no deny rule to block malicious traffic
C. RDP is allowed from all sources (0.0.0.0/0)
D. SSH access is allowed from two separate IP ranges
Answer: C

Exposing RDP to the internet is a critical security risk.

Why this answer

Option C is correct because allowing RDP (TCP port 3389) from 0.0.0.0/0 exposes the EC2 instance to brute-force attacks and unauthorized remote access from the entire internet. Security groups are stateful and only support allow rules, so this overly permissive ingress rule is a critical security risk that must be removed or restricted to trusted IP ranges.

Exam trap

Cisco often tests the misconception that security groups need explicit deny rules or that allowing SSH from multiple IP ranges is automatically a security issue, when the real immediate concern is an overly permissive RDP rule from all sources.

How to eliminate wrong answers

Option A is wrong because SSH (TCP port 22) is not shown as allowed from the entire internet in the exhibit; the question states SSH is allowed from two separate IP ranges, which is a common practice for administrative access. Option B is wrong because security groups are stateful firewalls that only support allow rules; they do not have explicit deny rules, and the absence of a deny rule is not a security concern—traffic not matching any allow rule is implicitly denied. Option D is wrong because SSH access from two separate IP ranges is not inherently a security concern; it is a typical configuration for redundant or geographically distributed administrative access, and the question asks for the immediate concern, which is the RDP exposure.

541
Multi-Select · medium

A security team is implementing DevSecOps practices. Which TWO actions should be taken to secure secrets (e.g., API keys, passwords) in a CI/CD pipeline? (Choose two.)

Select 2 answers
A. Share secrets via email to team members
B. Hardcode secrets in the source code with comments to remind developers
C. Use a secrets management tool like HashiCorp Vault
D. Implement scanning for secrets in code repositories using tools like git-secrets
E. Store secrets in environment variables in the pipeline configuration
Answers: C, D

Vault securely stores and controls access to secrets.

Why this answer

Secrets should never be hardcoded in code; instead, use a secrets management tool like HashiCorp Vault or cloud-native secret stores. Also, scan for leaked secrets using tools like git-secrets.

542
MCQ · medium

A network administrator configures Cisco ISE to identify devices by analyzing DHCP requests, HTTP user agents, and SNMP queries. Which ISE feature is being used?

A. TrustSec
B. Profiling
C. Guest access
D. Posture assessment
Answer: B

Profiling uses probes to determine device type and characteristics.

Why this answer

Profiling in ISE uses probes (DHCP, HTTP, SNMP, etc.) to identify device type and attributes.

543
MCQ · easy

A security administrator notices that a file initially classified as 'unknown' by Cisco AMP for Endpoints was later determined to be malicious after execution. Which feature allows the administrator to see the file's propagation and impact on endpoints?

A. Exploit Prevention
B. Endpoint IOC Scanning
C. SHA-256 Disposition
D. Device Trajectory
Answer: D

Correct. Device Trajectory shows the history of file activity and propagation across endpoints.

Why this answer

Device Trajectory is the correct answer because it provides a chronological timeline of a file's activity across all endpoints, showing its origin, propagation, and actions taken after execution. This feature is specifically designed to visualize the impact and spread of malicious files that were initially unknown but later determined to be malicious by Cisco AMP for Endpoints.

Exam trap

The trap here is that candidates confuse SHA-256 Disposition (a static hash-based classification) with the dynamic, behavioral tracking capability of Device Trajectory, leading them to pick Option C when the question asks about propagation and impact over time.

How to eliminate wrong answers

Option A is wrong because Exploit Prevention is a protection mechanism that blocks known exploit techniques at runtime, not a forensic tool for viewing file propagation and impact. Option B is wrong because Endpoint IOC Scanning checks for indicators of compromise on endpoints at a point in time, but it does not provide a historical timeline of a file's movement and behavior across systems. Option C is wrong because SHA-256 Disposition is simply the classification (e.g., clean, malicious, unknown) of a file based on its hash, not a feature that tracks file propagation or impact.

544
MCQ · hard

An FTD device is deployed in passive mode. Which statement about its traffic processing is true?

A. It can block malicious traffic by sending TCP resets.
B. It receives traffic from a network tap or SPAN port and cannot block traffic.
C. It operates as a transparent firewall with inline inspection.
D. It can use the 'Block' action in access control rules.
Answer: B

Correct. Passive mode uses a copy of traffic for analysis only.

Why this answer

In passive mode, the FTD receives a copy of traffic from a span port; it cannot block traffic in real-time. It can only generate alerts.

545
MCQ · easy

A guest device in VLAN 200 attempts to reach a server at 10.10.1.1. What happens to the traffic?

A. The traffic is permitted
B. The traffic is forwarded without any action
C. The traffic is dropped
D. The traffic is logged and forwarded
Answer: C

Destination 10.10.1.1 matches deny entry.

Why this answer

Option C is correct because the VACL 'BLOCK_MAP' is applied to VLAN 200. The access-list BLOCK_GUEST denies traffic from any source to the 10.10.0.0/16 network. Since the destination 10.10.1.1 falls within this range, the traffic is dropped.

Option A is incorrect because the ACL denies the traffic. Option B is incorrect because the VACL match occurs, so the traffic is not forwarded without action. Option D is incorrect because logging is not configured in the VACL.

546
Multi-Select · medium

A network engineer is tasked with securing email communications. Which TWO Cisco products are specifically designed for email security? (Choose two.)

Select 2 answers
A. Cisco Stealthwatch
B. Cisco ISE (Identity Services Engine)
C. Cisco ESA (Email Security Appliance)
D. Cisco Secure Email (Cloud)
E. Cisco WSA (Web Security Appliance)
Answers: C, D

ESA is an on-premises email security gateway.

Why this answer

Cisco Email Security Appliance (ESA) and Cisco Secure Email (formerly Cloud Email Security) are dedicated email security solutions.

547
MCQ · hard

During a security incident, an investigator wants to identify all endpoints that communicated with a known malicious IP address within the last 24 hours. Which Cisco tool is best suited for this forensic analysis?

A. Cisco Firepower NGFW
B. Cisco Secure Network Analytics (Stealthwatch)
C. Cisco Umbrella
D. Cisco ISE
Answer: B

Provides network visibility and historical flow analysis.

Why this answer

Cisco Secure Network Analytics (Stealthwatch) is the correct tool because it provides network-wide visibility and flow-based analytics using NetFlow/IPFIX data. It can retroactively query all historical flow records to identify every endpoint that communicated with a known malicious IP address within a specified time window, making it ideal for forensic analysis.

Exam trap

Cisco often tests the distinction between real-time blocking tools (NGFW, Umbrella) and historical forensic analysis tools (Stealthwatch), leading candidates to choose a tool that prevents threats rather than one that retroactively identifies all affected hosts.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower NGFW is a next-generation firewall focused on real-time threat prevention and inline blocking, not historical forensic analysis of all endpoints over a 24-hour period; it lacks the centralized flow record storage and query capabilities needed for this task. Option C is wrong because Cisco Umbrella is a cloud-delivered DNS-layer security solution that logs DNS queries, not direct IP communication flows; it cannot identify endpoints that communicated with a malicious IP via non-DNS protocols or direct IP connections. Option D is wrong because Cisco ISE is a policy-based network access control (NAC) and identity management platform; it does not capture or store network flow data for historical communication analysis between endpoints and external IPs.

548
MCQ · hard

During a security incident, an analyst needs to isolate a compromised endpoint and perform remote forensic analysis using Cisco AMP for Endpoints. Which capability allows the analyst to execute commands on the endpoint remotely?

A. Remote shell investigation
B. Device Trajectory
C. File quarantine
D. Process isolation
Answer: A

Remote shell investigation enables command execution on the endpoint for analysis.

Why this answer

Remote shell investigation is the correct answer because Cisco AMP for Endpoints includes a feature that allows an analyst to establish a secure, encrypted shell session directly with the compromised endpoint. This enables the execution of arbitrary commands for live remote forensic analysis without requiring additional tools or manual intervention on the endpoint.

Exam trap

Cisco often tests the distinction between reactive containment actions (like file quarantine or process isolation) and interactive investigation capabilities (like remote shell), leading candidates to confuse process isolation with remote command execution.

How to eliminate wrong answers

Option B is wrong because Device Trajectory is a timeline-based visualization of file and process events on the endpoint, not a mechanism for remote command execution. Option C is wrong because File quarantine is a containment action that isolates malicious files, preventing their execution, but does not provide a shell for running commands. Option D is wrong because Process isolation terminates or suspends a specific process on the endpoint to stop malicious activity, but it does not allow the analyst to execute commands remotely.

549
MCQ · hard

A network administrator is configuring IKEv2 on a Cisco router and wants to ensure that the router does not initiate connections but only responds to incoming IKEv2 requests. Which configuration command should be applied?

A. crypto ikev2 no initiate
B. crypto ikev2 passive
C. crypto ikev2 limit max-incoming-sa 10
D. crypto ikev2 limit max-negotiations 10
Answer: B

This command disables IKEv2 initiation, making the router respond-only.

Why this answer

The 'crypto ikev2 passive' command configures the router to only respond to incoming IKEv2 requests and never initiate its own IKEv2 connections. This is essential for scenarios where the router must act as a responder only, such as in hub-and-spoke VPN topologies where the hub should not initiate tunnels.

Exam trap

Cisco often tests the distinction between 'passive' mode and other IKEv2 limit commands, where candidates mistakenly choose a limit-based command (like max-incoming-sa or max-negotiations) thinking it prevents initiation, but only 'passive' actually stops the router from sending initial IKEv2 messages.

How to eliminate wrong answers

Option A is wrong because 'crypto ikev2 no initiate' is not a valid Cisco IOS command; the correct syntax uses the 'passive' keyword. Option C is wrong because 'crypto ikev2 limit max-incoming-sa 10' limits the number of incoming security associations, but does not prevent the router from initiating IKEv2 connections. Option D is wrong because 'crypto ikev2 limit max-negotiations 10' limits the number of simultaneous IKEv2 negotiations, but does not prevent the router from acting as an initiator.

550
MCQ · easy

A network security engineer needs to block malicious file downloads on endpoints regardless of the user's location. Which Cisco solution should be integrated with the company's existing endpoint protection platform to achieve cloud-delivered threat intelligence?

A. Cisco Umbrella
B. Cisco Stealthwatch
C. Cisco Firepower Management Center
D. Cisco ISE
Answer: A

Umbrella provides cloud-delivered threat intelligence and can block malicious file downloads from anywhere.

Why this answer

Cisco Umbrella is the correct answer because it provides cloud-delivered threat intelligence that can be integrated with existing endpoint protection platforms (EPPs) to block malicious file downloads regardless of the user's location. Umbrella uses DNS-layer security and cloud-based threat feeds to enforce policies on endpoints even when they are off the corporate network, making it ideal for location-agnostic protection.

Exam trap

Cisco often tests the distinction between on-premises security appliances (like Firepower) and cloud-delivered security services (like Umbrella), and the trap here is that candidates may assume Firepower Management Center can provide cloud threat intelligence to endpoints, when in fact it only manages on-premises firewalls and does not extend protection to endpoints off-network.

How to eliminate wrong answers

Option B (Cisco Stealthwatch) is wrong because it focuses on network traffic analysis and behavioral analytics using NetFlow/IPFIX data, not on cloud-delivered threat intelligence for endpoint file downloads. Option C (Cisco Firepower Management Center) is wrong because it is an on-premises management console for Firepower NGFW and NGIPS appliances, requiring traffic to be routed through the firewall for inspection, and does not provide cloud-delivered intelligence directly to endpoints. Option D (Cisco ISE) is wrong because it is a policy-based network access control (NAC) and identity management platform, not a cloud-delivered threat intelligence service for blocking malicious file downloads on endpoints.

551
MCQ · easy

A network administrator is troubleshooting intermittent authentication failures on a switch port configured for 802.1X with MAB fallback. Users can connect but get dropped after a few minutes. What is the most likely cause?

A. Incorrect VLAN assignment
B. Incorrect RADIUS shared secret
C. Reauthentication timer set too short
D. MAB timeout set too low
Answer: C

Frequent reauth can cause drops if client or server is slow.

Why this answer

The reauthentication timer on the switch port is set too short, causing the 802.1X session to expire and re-initiate authentication frequently. This results in users being dropped after a few minutes as the port cycles through reauthentication, even though MAB fallback may temporarily allow traffic. The default reauthentication timer is typically 3600 seconds, but if misconfigured to a very low value (e.g., 60 seconds), it will cause periodic disconnections.

Exam trap

Cisco often tests the distinction between initial authentication failures (caused by shared secret or MAB timeout issues) and post-authentication drops (caused by reauthentication timer misconfiguration), leading candidates to confuse MAB timeout with reauthentication timer.

How to eliminate wrong answers

Option A is wrong because incorrect VLAN assignment would cause persistent connectivity issues (e.g., wrong subnet or no access), not intermittent drops after a few minutes. Option B is wrong because an incorrect RADIUS shared secret would cause authentication to fail entirely from the start, not allow users to connect and then drop later. Option D is wrong because the MAB timeout controls how long the switch waits for a response from the RADIUS server during MAB fallback; setting it too low would cause MAB to fail quickly, but the symptom here is intermittent drops after successful connection, not initial authentication failure.

552
MCQ · easy

An administrator needs to enforce 802.1X authentication for devices that do not support 802.1X supplicants. Which method should be configured on Cisco ISE to allow these devices to authenticate?

A. 802.1X with EAP-TLS
B. Guest portal
C. PEAP-MSCHAPv2
D. MAB
Answer: D

MAB uses the device MAC address for authentication, bypassing the need for a supplicant.

Why this answer

MAC Authentication Bypass (MAB) allows non-supplicant devices to authenticate based on their MAC address.

553
MCQ · easy

A large enterprise uses Cisco Firepower Threat Defense (FTD) as its next-generation firewall. The network team recently deployed a new application that uses HTTPS for all communications. Users report that the application is slow and sometimes fails to load pages. The security team suspects that SSL inspection might be causing the issue. The FTD is configured with an SSL policy that decrypts all HTTPS traffic using a self-signed certificate. The internal CA is not trusted by the application servers. Which action should the engineer take to resolve the performance and connectivity issues while maintaining security visibility?

A. Increase the SSL decryption resources by adding more FTD modules.
B. Create an SSL decryption bypass rule for the specific application servers' IP addresses.
C. Install the internal CA certificate on all application servers.
D. Disable SSL inspection globally on the FTD.
Answer: B

Allows trusted traffic to pass without inspection, reducing load and avoiding certificate errors.

Why this answer

Option B is correct because the application servers do not trust the FTD's self-signed certificate, causing SSL/TLS handshake failures or performance degradation due to certificate validation errors and renegotiation. By creating an SSL decryption bypass rule for the specific application servers' IP addresses, the engineer exempts that traffic from inspection, resolving connectivity and performance issues while still inspecting other HTTPS traffic for security visibility.

Exam trap

Cisco often tests the misconception that performance issues from SSL inspection are always due to resource exhaustion, leading candidates to choose scaling solutions (Option A) instead of recognizing that certificate trust mismatches cause handshake failures and retransmissions.

How to eliminate wrong answers

Option A is wrong because adding more FTD modules increases processing capacity but does not address the root cause: the application servers reject the self-signed certificate, leading to handshake failures regardless of resources. Option C is wrong because installing the internal CA certificate on application servers would require trust configuration on external or third-party servers, which is often impractical or outside the enterprise's control, and does not fix the immediate performance issue caused by SSL inspection overhead. Option D is wrong because disabling SSL inspection globally removes security visibility for all HTTPS traffic, which is excessive and violates the requirement to maintain security visibility.

554
MCQ · medium

Refer to the exhibit. A user is unable to access Dropbox, which is a high-risk application. The administrator wants to allow Dropbox but still block other high-risk apps. What is the most efficient way to achieve this?

A. Add the user to a group that is exempt from the policy
B. Delete the existing policy and create separate policies for each high-risk app
C. Create a new Cloudlock policy that allows Dropbox for all users, placed with higher priority
D. Modify the existing policy to change risk level to 'Medium'
Answer: C

Higher priority policy overrides the block.

Why this answer

Option C is correct because Cisco Cloudlock uses a policy-based approach where policies are evaluated in order of priority. By creating a new policy with higher priority that explicitly allows Dropbox, the administrator can override the existing block policy for that specific application while maintaining the block on all other high-risk apps. This is the most efficient method as it avoids modifying or deleting the original policy.

Exam trap

The trap here is that candidates may think modifying the risk level or using exemptions is the simplest approach, but Cisco tests the understanding that policy priority allows selective overrides without disrupting the original rule set.

How to eliminate wrong answers

Option A is wrong because adding the user to an exemption group would bypass the entire policy, allowing all high-risk apps, not just Dropbox, which does not meet the requirement to block other high-risk apps. Option B is wrong because deleting the existing policy and creating separate policies for each high-risk app is inefficient and unnecessary; it adds administrative overhead and does not leverage Cloudlock's priority-based policy evaluation. Option D is wrong because changing the risk level to 'Medium' would affect the classification of all high-risk apps, potentially allowing other high-risk apps to be treated as medium risk, which is not the intended outcome.

555
MCQ · medium

What is the primary function of a Certificate Revocation List (CRL) in a PKI?

A. List revoked certificates
B. Store private keys
C. Validate certificate signatures
D. Generate new certificates
Answer: A

Correct answer. CRL provides a list of revoked certificates.

Why this answer

CRL lists certificates that have been revoked before their expiration date, allowing relying parties to verify validity.

556
Multi-Select · hard

An organization is deploying Cisco WSA in explicit proxy mode. Which three considerations are important for this deployment? (Choose three.)

Select 3 answers
A. Client browsers must be configured to use the proxy
B. SSL decryption can be performed on the proxy
C. Network changes are required on all endpoints
D. The proxy IP address must be configured on the router for WCCP
E. Authentication can be enforced at the proxy
Answers: A, B, E

Correct. Explicit proxy requires browser proxy settings.

Why this answer

Explicit proxy requires browser configuration (PAC file or manual), supports authentication, and can apply identity-based policies. Transparent proxy does not require client configuration.

557
MCQ · hard

During a security incident, a SOC analyst notices that a malicious file was executed on an endpoint. Using Cisco AMP for Endpoints, which feature should the analyst use to visualize the file's propagation and activities across the network over time?

A. Orbital Advanced Search
B. IOC Scan
C. Device Trajectory
D. File Reputation Lookup
Answer: C

Correct. Device Trajectory shows a chronological view of file events, including propagation and behavior.

Why this answer

Device Trajectory provides a timeline view of file and process activities on an endpoint, showing how a file propagated and what actions it performed, which is crucial for incident investigation.

558
MCQ · medium

Refer to the exhibit. A file with SHA256 hash 'a1b2c3d4e5f6...' is detected on an endpoint. Threat Grid returns a score of 90 for this file. What action is taken by AMP?

A. Allow (because threat score 90 is not specifically matched in reputation).
B. Block (because the custom detection rule has action 'block').
C. Quarantine (because score 90 falls between 80 and 100).
D. No action (because the file is in the whitelist).
Answer: B

Custom detections are applied first; the file matches and is blocked.

Why this answer

Option B is correct because the exhibit shows a custom detection rule configured with an action of 'block'. In Cisco AMP, custom detection rules take precedence over reputation scores or Threat Grid analysis. When a file matches a custom SHA256 hash rule, AMP applies the configured action (block) regardless of the threat score, which in this case is 90.

Exam trap

Cisco often tests the precedence of custom detection rules over reputation scores, leading candidates to mistakenly apply the threat grid score logic (e.g., quarantine for high scores) instead of recognizing that the custom rule's action is definitive.

How to eliminate wrong answers

Option A is wrong because AMP does not 'allow' files based on a threat score of 90 not being specifically matched; the custom detection rule overrides any reputation-based logic, and a score of 90 indicates high risk, not a reason to allow. Option C is wrong because quarantine is not automatically triggered by a score between 80 and 100; AMP uses Threat Grid scores for analysis, but the action is determined by the custom detection rule, not a score range. Option D is wrong because the file is not in the whitelist; the exhibit shows a custom detection rule with a block action, and whitelisting would require an explicit allow rule, which is absent.

559
MCQ · medium

A company uses Cisco Web Security Appliance (WSA) with transparent proxy mode. Recently, they enabled NTLM authentication. Some users are intermittently prompted for credentials while browsing. What is the most likely cause of this behavior?

A. The WSA is configured to prompt for authentication only for specific categories.
B. The user's browser has cached an incorrect credential.
C. The WSA is set to use Kerberos instead of NTLM.
D. The WSA is not configured to handle NTLM persistent connections, causing the browser to re-authenticate on each request.
Answer: D

Without persistent connections, each HTTP request may trigger a new NTLM challenge, leading to prompts.

Why this answer

In transparent proxy mode with NTLM authentication, the WSA must maintain persistent connections to avoid re-authentication on every HTTP request. If the WSA is not configured to handle NTLM persistent connections (e.g., by enabling connection reuse or adjusting keepalive settings), the browser will be prompted repeatedly for credentials because each new TCP connection triggers a new NTLM challenge-response cycle. This intermittent behavior occurs because some connections may be reused while others are not, depending on browser and proxy settings.

Exam trap

Cisco often tests the distinction between authentication protocol selection (Kerberos vs. NTLM) and the underlying transport behavior (persistent vs. non-persistent connections), leading candidates to incorrectly blame the protocol type rather than connection handling.

How to eliminate wrong answers

Option A is wrong because prompting for authentication only for specific categories would cause consistent prompts for those categories, not intermittent prompts across all browsing. Option B is wrong because a cached incorrect credential would result in consistent authentication failures or repeated prompts, not intermittent behavior that varies per request. Option C is wrong because if the WSA were set to use Kerberos instead of NTLM, the browser would attempt Kerberos authentication (which may fall back to NTLM), but the core issue of intermittent prompts is not caused by the authentication protocol choice itself; it is caused by the lack of persistent connection handling for NTLM.

560
MCQ · medium

A company uses Cisco Umbrella to enforce web security. After deploying a new policy that blocks all social media sites, users report that they cannot access a corporate Salesforce instance that uses a social login feature. Which Umbrella setting should be adjusted to resolve the issue without weakening the policy?

A. Create a bypass code for users to access Salesforce
B. Disable the Social Networking category under Content Categories
C. Configure Intelligent Proxy to inspect Salesforce traffic
D. Add Salesforce to the Application Settings allowed list
Answer: D

This allows the Salesforce application even if the social networking category is blocked.

Why this answer

Option D is correct because the social login feature for Salesforce is being blocked by the Social Networking content category in Cisco Umbrella. By adding Salesforce to the Application Settings allowed list, you permit the specific application traffic while keeping the broader social media policy intact. This granular control ensures that only the required Salesforce instance bypasses the block, without weakening the overall security posture.

Exam trap

Cisco often tests the distinction between content categories and application settings, where candidates mistakenly think disabling a category or using a bypass code is the correct approach, rather than using the granular allowed list for specific applications.

How to eliminate wrong answers

Option A is wrong because creating a bypass code for users would allow them to circumvent the policy entirely, weakening security and not addressing the specific Salesforce application issue. Option B is wrong because disabling the Social Networking category would remove the block on all social media sites, completely undermining the policy's intent. Option C is wrong because Intelligent Proxy is used for inspecting and controlling web traffic, not for allowing specific applications; it would not resolve the blocking of Salesforce's social login feature.

561
Multi-Select · easy

Which three components are part of the CIA triad?

Select 3 answers
A. Authentication
B. Integrity
C. Confidentiality
D. Authorization
E. Availability
Answers: B, C, E

Integrity ensures data is not tampered with; confidentiality and availability complete the triad.

Why this answer

The CIA triad consists of Confidentiality, Integrity, and Availability.

562
MCQ · medium

An organization is using Cisco ESA and wants to ensure that emails sent from their domain are authenticated using a cryptographic signature. Which email authentication method should be configured?

A. DMARC
B. SPF
C. SenderBase
D. DKIM
Answer: D

DKIM provides a cryptographic signature for email authentication.

Why this answer

DKIM (DomainKeys Identified Mail) uses a digital signature to verify that an email was not tampered with and is from the claimed domain.

563
MCQ · medium

An attacker intercepts communication between a client and server by spoofing ARP messages to associate the attacker's MAC address with the server's IP. This is an example of which type of attack?

A. Reconnaissance
B. Man-in-the-middle (MITM)
C. DNS cache poisoning
D. DDoS attack
Answer: B

ARP spoofing enables MITM by intercepting traffic.

Why this answer

ARP spoofing allows an attacker to intercept traffic, a classic man-in-the-middle (MITM) technique.

564
Multi-Select · medium

A network administrator is configuring endpoint protection policies for a large enterprise. The requirement is to allow only approved software to run on endpoints, while blocking all other executables. Which Cisco Secure Endpoint feature should be configured? (Choose two.)

Select 2 answers
A. Exploit Prevention
B. Malware Analytics
C. Application Control
D. Lockdown Mode
E. File Reputation
Answers: C, D

Application Control allows whitelisting approved software.

Why this answer

Application Control (C) is correct because it allows administrators to define a whitelist of approved software, blocking all other executables from running on endpoints. Lockdown Mode (D) is correct because it enforces a strict policy where only pre-approved applications can execute, effectively preventing any unapproved software from running. Together, these features provide comprehensive control over executable files in a large enterprise environment.

Exam trap

Cisco often tests the distinction between 'blocking malicious files' (File Reputation) and 'blocking unapproved applications' (Application Control/Lockdown Mode), leading candidates to confuse threat-based blocking with policy-based whitelisting.

565
MCQ · medium

A network administrator is configuring Cisco ISE profiling to identify devices on the network. Which probe allows ISE to identify device type by analyzing the HTTP User-Agent string?

A. DHCP probe
B. Device Sensor
C. HTTP probe
D. SNMP probe
Answer: C

HTTP probe captures HTTP traffic, including User-Agent strings, for device profiling.

Why this answer

The HTTP probe inspects HTTP packets, including the User-Agent field, to determine the operating system and browser type, aiding in device profiling.

566
MCQ · easy

Which component of a Snort rule specifies the action to take when the rule conditions are matched?

A. Rule options
B. Action
C. Source address
D. Protocol
Answer: B

Correct. The action is the first field in the Snort rule.

Why this answer

In Snort, the first part of the rule header is the action (e.g., alert, drop, reject).

567
MCQ · easy

Which component in the 802.1X architecture is responsible for relaying authentication messages between the client and the authentication server?

A. Supplicant
B. Authenticator
C. Authentication Server
D. Policy Service Node
Answer: B

Correct. The authenticator relays EAP messages between supplicant and authentication server.

Why this answer

The authenticator (e.g., switch or wireless LAN controller) acts as a proxy, forwarding EAP messages between the supplicant (client) and the authentication server (ISE).

568
MCQ · medium

A Cisco WSA administrator wants to prioritize bandwidth for video conferencing applications while limiting recreational streaming. Which feature should be configured?

A. Bandwidth Controls
B. SSL/TLS Decryption
C. Application Visibility and Control (AVC)
D. URL Filtering
Answer: A

Bandwidth controls allow setting per-application bandwidth limits.

Why this answer

Bandwidth controls on Cisco WSA allow setting bandwidth limits per application (via AVC) to prioritize critical applications and limit others.

569
Multi-Select · hard

Which THREE of the following are valid components of Cisco ISE's visibility and enforcement architecture?

Select 3 answers
A. TrustSec with SGTs
B. Profiling probes (e.g., DHCP, HTTP)
C. pxGrid (Platform Exchange Grid)
D. NetFlow for flow analysis
E. SNMP traps for alerting
Answers: A, B, C

TrustSec provides scalable role-based access control using SGTs.

Why this answer

Cisco ISE's visibility and enforcement architecture relies on TrustSec with Security Group Tags (SGTs) to enforce access policies based on logical groupings rather than IP addresses. SGTs are propagated via SXP or inline tagging, enabling dynamic policy enforcement across the network.

Exam trap

Cisco often tests the distinction between visibility/enforcement components (TrustSec, pxGrid, profiling) and general network monitoring tools (NetFlow, SNMP), leading candidates to incorrectly include the latter as core ISE architecture elements.

570
MCQ · medium

A company uses Cisco AnyConnect for remote access VPN. They want to allow only specific Active Directory groups to access the corporate network. Which feature on the ASA or FTD should be configured to enforce this?

A. Connection profile with LDAP attribute map
B. AAA server group
C. Group Policy with filter on group membership
D. Dynamic Access Policy (DAP)
Answer: D

DAP allows granular access based on user attributes like AD group membership.

Why this answer

Dynamic Access Policies (DAP) can evaluate user attributes from AD to assign access rights.

571
MCQ · medium

A security team is designing an endpoint protection strategy for a mix of Windows and macOS endpoints. They want to use Cisco AMP for Endpoints with centralized management. Which deployment approach minimizes administrative overhead?

A. Deploy an on-premises AMP Console for each operating system.
B. Install a Windows Server as a management point and deploy connectors via SCCM.
C. Use group policies to define different policies for Windows and macOS.
D. Use the AMP cloud console to manage a single policy that applies to both platforms with OS-specific exclusions.
Answer: D

The cloud console supports multi-platform policy with per-OS rules, minimizing overhead.

Why this answer

Option D is correct because Cisco AMP for Endpoints offers a cloud-based console that provides centralized management for both Windows and macOS endpoints from a single pane of glass. This eliminates the need for on-premises infrastructure or separate management tools, and a single policy can be applied across platforms with OS-specific exclusions to handle differences in file paths and processes, thereby minimizing administrative overhead.

Exam trap

The trap here is that candidates often assume different operating systems require separate management consoles or policies, but Cisco AMP for Endpoints' cloud console supports a single policy with OS-specific exclusions, which is the most efficient approach for minimizing administrative overhead.

How to eliminate wrong answers

Option A is wrong because deploying separate on-premises AMP Consoles for each operating system increases administrative overhead by requiring dedicated hardware, maintenance, and separate management interfaces, contradicting the goal of centralized management. Option B is wrong because installing a Windows Server as a management point and deploying connectors via SCCM adds unnecessary complexity and administrative overhead, as SCCM is not required for AMP for Endpoints deployment and the cloud console already provides centralized management without additional infrastructure. Option C is wrong because using group policies to define different policies for Windows and macOS is not a native AMP for Endpoints deployment method; group policies are a Windows-centric feature and do not apply to macOS, and this approach would require separate policy management, increasing overhead rather than minimizing it.

572
MCQ · easy

What is the primary purpose of DMARC in email authentication?

A. To add a digital signature
B. To specify a policy for failed authentication
C. To encrypt email content
D. To verify the sending IP address
Answer: B

DMARC instructs receivers to quarantine or reject messages that fail authentication.

Why this answer

DMARC tells receiving servers how to handle emails that fail SPF or DKIM checks.

573
MCQ · easy

An organization wants to enforce that specific sensitive files are never executed on endpoints. Which AMP for Endpoints feature is most appropriate?

A. Outbreak Control (file extension blocking)
B. Simple or advanced custom detections (Application Control)
C. Exclusion lists
D. Behavioral analysis and engine protection
Answer: B

Custom detections allow blocking specific files via SHA-256 hashes or paths.

Why this answer

Option B is correct because Simple or advanced custom detections (Application Control) allow administrators to create hash-based or path-based rules that explicitly block execution of specific files. This directly meets the requirement to prevent sensitive files from ever running on endpoints, as Application Control enforces allow/block policies at the file execution level, not just at the network or signature level.

Exam trap

Cisco often tests the distinction between blocking file execution (Application Control) and blocking file transfer or access (Outbreak Control), leading candidates to mistakenly choose Outbreak Control when the question specifically says 'never executed.'

How to eliminate wrong answers

Option A is wrong because Outbreak Control (file extension blocking) only blocks files based on their extension (e.g., .exe, .pdf), not specific sensitive files; it cannot target a particular file by hash or path. Option C is wrong because Exclusion lists are used to exempt files or processes from scanning, not to block execution; they would actually allow sensitive files to run. Option D is wrong because Behavioral analysis and engine protection detects and blocks malicious behavior after execution begins, but it does not prevent a specific sensitive file from being executed in the first place.

574
MCQ · easy

An administrator is configuring a Cisco ASA 5500-X to perform SSL inspection for outbound traffic. The users must be able to access HTTPS websites without certificate errors. Which configuration step is essential for the ASA to perform decryption?

A. Configure the ASA to use a self-signed certificate without distribution.
B. Import the web server's private key onto the ASA.
C. Configure AAA authentication for SSL inspection.
D. Generate a trusted root CA certificate on the ASA and distribute it to all client machines.
Answer: D

Clients need to trust the ASA's certificate to avoid warnings.

Why this answer

Option D is correct because for the ASA to perform SSL inspection (a man-in-the-middle proxy), it must generate a trusted root CA certificate that is installed as a trusted root on all client machines. This allows the ASA to dynamically sign the web server's certificate during the SSL handshake, so clients trust the re-encrypted traffic without certificate errors.

Exam trap

Cisco often tests the misconception that the ASA needs the server's private key (Option B) to decrypt traffic, when in fact the ASA performs a full man-in-the-middle proxy and only needs its own trusted CA certificate distributed to clients.

How to eliminate wrong answers

Option A is wrong because a self-signed certificate without distribution would cause certificate errors on clients, as they do not trust the ASA's self-signed root. Option B is wrong because importing the web server's private key onto the ASA is not required for SSL inspection; the ASA acts as a proxy and generates its own keys for the session, and obtaining the server's private key would be a security violation and impractical for all outbound sites. Option C is wrong because AAA authentication is used for user access control, not for the cryptographic trust needed to avoid certificate errors during SSL decryption.

575
MCQ · medium

A network engineer configures ISE for 802.1X with PEAP-MSCHAPv2. Users report intermittent authentication failures on certain switches. The engineer checks ISE logs and sees 'Authentication failed' with reason 'User not found in identity store'. What is the most likely issue?

A. The switch port is configured with 'authentication periodic'.
B. The user is not in the Active Directory group that ISE is configured to query.
C. The switch is not configured with the correct shared secret.
D. The user's certificate is expired.
Answer: B

ISE cannot find the user in the identity store, likely due to group membership or search base issues.

Why this answer

The error 'User not found in identity store' indicates that ISE queried its configured identity sources (e.g., Active Directory) and could not locate the user account. Since PEAP-MSCHAPv2 authenticates users against a backend identity store (not certificates), the most likely cause is that the user is not a member of the specific AD group that ISE is configured to query, or the user object does not exist in the joined domain. This is a common misconfiguration when ISE uses group-based filtering or restricted identity stores.

Exam trap

Cisco often tests the distinction between authentication failures caused by credential/identity store issues versus RADIUS communication or certificate problems, and the trap here is that candidates confuse PEAP-MSCHAPv2 (which relies on AD credentials) with EAP-TLS (which relies on client certificates), leading them to incorrectly select an expired certificate option.

How to eliminate wrong answers

Option A is wrong because 'authentication periodic' triggers reauthentication at intervals but does not cause a 'User not found' error; it would instead cause periodic re-auth attempts that succeed or fail based on credentials. Option B is correct as explained. Option C is wrong because a mismatched shared secret between the switch and ISE would result in a RADIUS authentication failure with a reason like 'Invalid RADIUS shared secret' or 'RADIUS request dropped', not a user lookup failure. Option D is wrong because PEAP-MSCHAPv2 does not use client certificates for user authentication; the user's certificate is irrelevant here, since only the server certificate is used for the PEAP tunnel, and an expired user certificate would not produce a 'User not found' error.

576
MCQ · hard

A security engineer is configuring a Cisco Firepower NGFW to detect and block a new malware variant that communicates with a command-and-control server using encrypted DNS queries. Which Cisco security product is best suited to provide visibility into this malicious DNS traffic?

A. Cisco Umbrella
B. Cisco ASA
C. Cisco AMP
D. Cisco Stealthwatch
Answer: A

Umbrella provides DNS-layer security to block malicious domains.

Why this answer

Cisco Umbrella is a cloud-delivered DNS security service that can block malicious domains and provide visibility into DNS queries.

577
MCQ · easy

A company wants to deploy Cisco AMP for Endpoints to protect against advanced malware. Which best practice should be followed when configuring the policy for the first time?

A. Disable file analysis for known good file types to improve performance.
B. Start with 'Audit' or 'Detect' mode to baseline endpoint behavior before enforcing blocks.
C. Set the policy to 'Block' immediately to maximize protection.
D. Disable AMP's network firewall to reduce complexity.
Answer: B

Audit/Detect modes allow identification of false positives and tuning before enforcement.

Why this answer

Starting with 'Audit' or 'Detect' mode is a best practice because it allows the security team to observe endpoint behavior, identify false positives, and understand the baseline environment without disrupting operations. Cisco AMP for Endpoints uses cloud-based threat intelligence and file reputation analysis; beginning in a non-blocking mode ensures that legitimate applications are not inadvertently quarantined before the policy is tuned.

Exam trap

Cisco often tests the misconception that maximum protection (Block mode) should be applied immediately, but the trap is that they want you to recognize the operational necessity of a phased deployment (Audit/Detect first) to avoid business disruption and ensure policy accuracy.

How to eliminate wrong answers

Option A is wrong because disabling file analysis for known good file types reduces visibility and can allow malware that masquerades as a trusted file to bypass detection; AMP's file analysis engine uses multiple techniques (e.g., static analysis, machine learning) that should remain enabled for all files. Option C is wrong because immediately setting the policy to 'Block' can cause business disruption by quarantining legitimate files or applications that are not yet recognized as safe, leading to false positives and operational issues. Option D is wrong because disabling AMP's network firewall reduces the endpoint's defense-in-depth capabilities; the firewall component provides an additional layer of protection by blocking malicious network connections and should be kept enabled and configured rather than disabled in the name of reducing complexity.

578
MCQ (hard)

A company uses Cisco Firepower Threat Defense (FTD) managed by FMC. They want to enable URL filtering based on user identity from an Active Directory (AD) source. Which configuration steps are required on the FMC?

A. Create a URL category and associate it with a user group in the access control policy.
B. Configure an identity source (AD), create realm and user groups, then configure URL filtering rules with user conditions.
C. Create URL filtering rules first, then assign to users via dynamic object.
D. Configure identity source and NAT policy, then apply URL filtering.
Answer: B

Standard workflow for identity-based URL filtering in FMC.

Why this answer

Option B is correct because to enable URL filtering based on user identity from Active Directory, you must first configure an identity source (AD) on the FMC, then create a realm and import user groups. After that, you can configure URL filtering rules within an access control policy that includes user conditions to match traffic against specific AD users or groups. This sequence ensures the FTD can resolve user identity before applying URL category-based actions.

Exam trap

Cisco often tests the misconception that you can directly associate URL categories with user groups in the access control policy without first configuring the identity source and realm, leading candidates to pick Option A.

How to eliminate wrong answers

Option A is wrong because creating a URL category and associating it with a user group in the access control policy is not the first step; the identity source and realm must be configured first to establish user identity mapping. Option C is wrong because creating URL filtering rules first and then assigning them to users via a dynamic object bypasses the necessary identity source configuration and realm setup, and dynamic objects are not used for user identity in URL filtering. Option D is wrong because configuring a NAT policy is unrelated to URL filtering based on user identity; the correct prerequisite is configuring the identity source and realm, not NAT.

579
MCQ (easy)

Which security model requires that all subjects and devices are untrusted by default, and access is granted only after verification, regardless of the network location?

A. Least Privilege
B. Defense in Depth
C. CIA Triad
D. Zero Trust
Answer: D

Zero Trust explicitly requires verification for every access attempt, regardless of location.

Why this answer

Zero Trust is a security model based on the principle of 'never trust, always verify', requiring continuous authentication and authorization.

580
MCQ (easy)

In a Cisco FTD deployment, which management option allows on-box management without the need for a separate FMC server?

A. FMC (Firepower Management Center)
B. ASDM (Adaptive Security Device Manager)
C. CDO (Cisco Defense Orchestrator)
D. FDM (Firepower Device Manager)
Answer: D

FDM is built into the FTD device for local management.

Why this answer

FDM (Firepower Device Manager) is the on-box management interface for FTD devices. FMC is a centralized management server. CDO is cloud-based.

ASDM is for ASA.

581
Multi-Select (medium)

Which TWO of the following are best practices for securing Cisco routers against unauthorized access? (Choose two.)

Select 2 answers
A. Enable SNMP read-write community string for monitoring
B. Use the 'service password-encryption' command to encrypt passwords with type 7
C. Disable unused services like HTTP server and CDP
D. Configure authentication using HTTP with local username/password
E. Use SSH version 2 for remote access
Answers: C, E

Disabling unnecessary services reduces the attack surface.

Why this answer

C is correct because disabling unused services like HTTP server and CDP reduces the attack surface of the router. The HTTP server can be exploited for web-based attacks, and CDP can leak sensitive network topology information. Cisco best practices recommend disabling all unnecessary services to minimize exposure.

Exam trap

Cisco often tests the distinction between 'service password-encryption' (type 7) and the stronger 'enable secret' (MD5 hash), leading candidates to mistakenly think type 7 encryption is secure.

582
MCQ (medium)

Cisco ISE is configured with posture assessment to ensure endpoints meet security requirements before gaining network access. After a posture check, ISE needs to dynamically change the VLAN assignment for a non-compliant endpoint. Which ISE feature enables this real-time change?

A. TrustSec
B. Change of Authorization (CoA)
C. Guest portal
D. Profiling
Answer: B

CoA allows ISE to push new authorization changes (e.g., VLAN, ACL) to the network device in real time.

Why this answer

Change of Authorization (CoA) allows ISE to dynamically update authentication and authorization attributes such as VLAN assignment.

583
Multi-Select (medium)

A cloud security engineer is evaluating CSPM (Cloud Security Posture Management) solutions. Which TWO capabilities are essential for a CSPM tool? (Select two.)

Select 2 answers
A. Vulnerability scanning of container images
B. Incident response automation with playbooks
C. Continuous compliance monitoring with industry standards
D. Real-time network traffic analysis
E. Misconfiguration detection based on best practices
Answers: C, E

Core CSPM capability.

Why this answer

Option C is correct because CSPM tools are fundamentally designed to continuously monitor cloud environments against industry standards such as CIS, NIST, and PCI DSS. This ensures that the cloud infrastructure remains compliant with regulatory and security frameworks, which is a core requirement for cloud security posture management.

Exam trap

Cisco often tests the distinction between CSPM (configuration and compliance) and other cloud security tools (container scanning, SOAR, NTA), so the trap here is confusing adjacent security functions with the specific scope of CSPM.

584
MCQ (medium)

An engineer is configuring ISE for guest access via a sponsor portal. The policy requires that a sponsor must approve each guest. However, guests are being automatically approved without sponsor interaction. What is the most likely misconfiguration?

A. The guest portal's 'Access setting' is set to 'Self-Registration' instead of 'Sponsor Approval'
B. The guest portal is not configured to send email notifications to sponsors
C. The sponsor user account is assigned to the wrong sponsor group
D. The guest endpoint is being profiled as a known device
Answer: A

If the portal is set to self-registration, guests are automatically approved. It must be set to sponsor approval to require manual approval.

Why this answer

Option A is correct because the guest portal's access setting must be 'Sponsor Approval' to require a sponsor to approve each guest; self-registration is the opposite of requiring sponsor approval. Option C is wrong because the sponsor group affects who can sponsor, not the approval process. Option B is wrong because email notification only informs sponsors; it does not decide whether approval is required.

Option D is wrong because how the endpoint is profiled does not determine whether a guest requires sponsor approval; that is governed by the portal's access setting.

585
MCQ (hard)

A security analyst observes that one endpoint is generating alerts of type 'Trojan' in Cisco AMP, but other identical endpoints on the same software version show no issues. After verifying that the signature versions are consistent, what is the most likely cause of the discrepancy?

A. A legitimate application on that endpoint is exhibiting behavior that matches a Trojan signature
B. The AMP connector is misconfigured and is generating false alerts
C. The endpoint's network traffic is being intercepted by a proxy causing AMP to misidentify it
D. The endpoint has an outdated operating system patch
Answer: A

AMP's behavioral analysis might flag a legitimate application if it behaves like malware. Other endpoints may not have that app.

Why this answer

In Cisco AMP, a single endpoint generating 'Trojan' alerts while identical peers remain clean, with consistent signature versions, strongly indicates a false positive caused by a legitimate application exhibiting behavior that matches a Trojan signature. AMP uses behavioral analysis and signature-based detection; if a benign application performs actions (e.g., file writes, registry modifications, or network connections) that resemble known malware patterns, it can trigger an alert. Since other endpoints with the same software and signatures are unaffected, the issue is localized to that specific endpoint's unique application or configuration, not a global misconfiguration or signature issue.

Exam trap

Cisco often tests the concept that false positives are a common cause of isolated alerts, tempting candidates to choose a misconfiguration or network issue, but the key is that identical endpoints with the same signatures rule out global problems, leaving a local behavioral anomaly as the most likely cause.

How to eliminate wrong answers

Option B is wrong because a misconfigured AMP connector would typically cause widespread or consistent false alerts across multiple endpoints, not a single isolated case, and the question states other identical endpoints show no issues. Option C is wrong because proxy interception would affect all endpoints behind the same proxy, not just one, and AMP analyzes file and process behavior locally, not just network traffic, so proxy interception is unlikely to cause a localized Trojan false positive. Option D is wrong because an outdated OS patch would likely cause broader security issues or missing protections, but it does not directly cause AMP to generate false positive Trojan alerts; signature-based detection relies on file/behavior patterns, not OS patch level.

586
MCQ (hard)

In a Cisco TrustSec deployment, after successful authentication, ISE assigns a Security Group Tag (SGT) to the user. Which protocol is used to propagate the SGT to the network devices for policy enforcement?

A. SXP (SGT Exchange Protocol)
B. SNMP
C. RADIUS
D. EAP
Answer: A

SXP is the protocol that transports IP-to-SGT mappings between devices.

Why this answer

Cisco TrustSec uses SGT Exchange Protocol (SXP) to propagate SGT mappings from the policy server (ISE) to network devices that do not natively support SGT tagging in hardware.

587
MCQ (hard)

In Cisco ISE, which protocol is used for EAP-TLS authentication, and what is the primary requirement for the client to successfully authenticate?

A. EAP-FAST, requiring a PAC file
B. LEAP, requiring a shared secret
C. EAP-TLS, requiring a client certificate
D. PEAP-MSCHAPv2, requiring username and password
Answer: C

Correct. EAP-TLS is certificate-based; the client must present a certificate.

Why this answer

EAP-TLS uses certificates for mutual authentication. The client must have a valid certificate (typically issued by a CA trusted by ISE) to authenticate successfully.

588
MCQ (medium)

A security analyst notices that a file previously marked as 'clean' on an endpoint was later determined to be malicious. Using Cisco Secure Endpoint, which feature allows the analyst to see the propagation of that file across the system and understand its impact?

A. IOC scanning
B. SHA-256 disposition
C. Exploit Prevention
D. Device Trajectory
Answer: D

Device Trajectory shows the timeline of file activity and propagation.

Why this answer

Device Trajectory in Cisco Secure Endpoint provides a timeline of events showing file propagation and system changes, enabling retrospective analysis.

589
MCQ (hard)

A security team wants to enforce application whitelisting on endpoints to prevent unauthorized software execution. Which Cisco AMP for Endpoints feature can be used to implement this control?

A. IOC scanning
B. Exploit Prevention
C. Device Trajectory
D. Application whitelisting (via AMP policy)
Answer: D

AMP can be configured with policies that allow only approved applications to run.

Why this answer

Application whitelisting is an endpoint hardening technique that can be enforced using Cisco AMP's advanced policies, including file and application control.

590
MCQ (easy)

A company wants to prevent sensitive data such as credit card numbers from being sent via email. Which Cisco ESA feature should be enabled?

A. Anti-Spam
B. Secure/Multipurpose Internet Mail Extensions (S/MIME)
C. Data Loss Prevention (DLP)
D. Anti-Malware
Answer: C

DLP scans email content for sensitive data patterns.

Why this answer

C is correct because Data Loss Prevention (DLP) is the Cisco ESA feature specifically designed to inspect email content and attachments for sensitive data patterns, such as credit card numbers, and enforce policies to prevent their unauthorized transmission. DLP uses predefined or custom dictionaries and message filters to detect and block or quarantine such data, directly addressing the requirement to prevent sensitive data from being sent via email.

Exam trap

Cisco often tests the distinction between security features that protect against external threats (Anti-Spam, Anti-Malware) versus those that control internal data leakage (DLP), leading candidates to confuse content inspection for malicious intent with content inspection for sensitive data.

How to eliminate wrong answers

Option A is wrong because Anti-Spam is designed to filter unsolicited bulk email based on reputation and content analysis, not to inspect for sensitive data patterns like credit card numbers. Option B is wrong because S/MIME is a protocol for encrypting and digitally signing email messages to ensure confidentiality and authentication, but it does not inspect or prevent the sending of sensitive data; it only secures the transport. Option D is wrong because Anti-Malware is focused on detecting and blocking malicious software (viruses, worms, trojans) in email attachments or links, not on identifying or preventing the transmission of sensitive data patterns.

591
MCQ (hard)

An organization deploys Cisco ISE for network access control. After successful 802.1X authentication, a user's device is found to be missing critical patches via posture assessment. The administrator wants to dynamically move the user to a remediation VLAN without requiring the user to reconnect. Which ISE capability enables this?

A. Change of Authorization (CoA)
B. RADIUS Accounting
C. MAB reauthentication
D. Device Sensor profiling
Answer: A

CoA enables ISE to update session authorization in real time, such as moving to a remediation VLAN.

Why this answer

Change of Authorization (CoA) allows ISE to dynamically change authorization attributes (e.g., VLAN, ACL) for an already authenticated session.

592
MCQ (easy)

An administrator is configuring Cisco ISE to profile endpoints. The administrator wants to ensure that endpoints are correctly identified based on MAC address and hostname. Which of the following is a prerequisite for successful profiling?

A. The DHCP server must be configured with option 82.
B. The endpoints must have the ISE agent installed.
C. The network devices must have profiling enabled and be configured with SNMP.
D. The switch must be configured with SNMP v3.
Answer: C

Network devices must be configured with SNMP to allow ISE to poll for MAC addresses and hostnames.

Why this answer

C is correct because Cisco ISE uses SNMP to query network devices (switches, wireless LAN controllers) for endpoint attributes such as MAC addresses and hostnames. Profiling must be enabled on the network devices, and SNMP (typically v2c or v3) must be configured so that ISE can collect the necessary data via MIBs like BRIDGE-MIB or ENTITY-MIB to correlate MAC-to-port mappings and hostname information.

Exam trap

The trap here is that candidates often think an agent or a specific DHCP option is required for profiling, but Cisco tests the understanding that passive network probes like SNMP are the foundational mechanism for MAC and hostname discovery without endpoint software.

How to eliminate wrong answers

Option A is wrong because DHCP option 82 (Relay Agent Information) is used for DHCP snooping and IP address tracking, not for profiling endpoints based on MAC address and hostname; ISE can use DHCP probes, but option 82 is not a prerequisite. Option B is wrong because the ISE agent (AnyConnect or posture agent) is required for advanced endpoint posture assessment, but basic profiling based on MAC address and hostname can be done passively via network probes (SNMP, DHCP, HTTP) without any agent installed. Option D is wrong because while SNMP v3 provides encryption and authentication, it is not a mandatory prerequisite; SNMP v2c is commonly used and sufficient for profiling, and the requirement is simply that SNMP is configured, not specifically v3.

593
MCQ (easy)

A multinational company needs to gain centralized visibility into cloud security posture across AWS, Azure, and GCP. Which Cisco product provides multi-cloud security posture management (CSPM) capabilities?

A. Cisco Cloudlock
B. Cisco Firepower Threat Defense
C. Cisco Stealthwatch Cloud
D. Cisco Umbrella
Answer: A

Cloudlock offers CSPM, DLP, and access governance for multi-cloud.

Why this answer

Cisco Cloudlock is the correct answer because it provides Cloud Security Posture Management (CSPM) capabilities across multi-cloud environments, including AWS, Azure, and GCP. It continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks, offering centralized visibility and remediation guidance. This aligns directly with the requirement for multi-cloud CSPM in the question.

Exam trap

Cisco often tests the distinction between CSPM and cloud workload protection (CWP) or network security tools; the trap here is that candidates may confuse Stealthwatch Cloud (network visibility) or Umbrella (DNS security) with cloud security posture management, but only Cloudlock directly addresses multi-cloud configuration and compliance monitoring.

How to eliminate wrong answers

Option B (Cisco Firepower Threat Defense) is wrong because it is a next-generation firewall (NGFW) and intrusion prevention system (IPS) focused on network traffic inspection and threat prevention, not cloud security posture management. Option C (Cisco Stealthwatch Cloud) is wrong because it provides network traffic analysis and visibility for cloud and on-premises environments using NetFlow/IPFIX data, but it does not perform CSPM functions like configuration assessment or compliance monitoring. Option D (Cisco Umbrella) is wrong because it is a cloud-delivered DNS security and secure web gateway (SWG) solution that protects against internet-based threats, not a CSPM tool for multi-cloud posture management.

594
MCQ (medium)

A security analyst notices that a user is downloading a file from a website. The Cisco WSA is configured to perform AMP file scanning. What happens when the file's SHA-256 hash is not found in the local cache?

A. The file is allowed immediately.
B. The file is sent to the cloud for analysis and a verdict is returned.
C. The file is quarantined until an administrator reviews it.
D. The file is blocked permanently.
Answer: B

AMP performs a cloud lookup or sandboxing to determine the file's safety.

Why this answer

Cisco WSA AMP file scanning performs a cloud lookup to check the file's reputation; if unknown, it may sandbox the file for analysis.

595
MCQ (easy)

A company with 5000 endpoints uses Cisco Secure Endpoint (AMP) and Cisco ISE. Users report that legitimate software installations are being quarantined, causing delays. The security team receives many alerts for file executions. The AMP policy is set to "High Security" with "Block Unknown" enabled. Network traffic is monitored by Cisco Stealthwatch. The team wants to reduce operational overhead while maintaining security. What should they do?

A. Disable "Block Unknown" and rely solely on Stealthwatch for threat detection
B. Create an AMP exclusion for software installation directories and enable "File Reputation" with "Cloud Lookups"
C. Change AMP policy to "Medium Security" and enable "Application Blocking with Allow List"
D. Disable AMP and use only ISE for endpoint posture checks
Answer: B

Exclusions reduce false positives for trusted paths, while file reputation with cloud lookups maintains detection for unknown files, balancing security and overhead.

Why this answer

Option B is correct. Creating an AMP exclusion for software installation directories reduces false positives by preventing scanning of known legitimate installations. Enabling File Reputation with Cloud Lookups maintains detection by checking unknown files against cloud intelligence, so security is not sacrificed.

Option C is too broad; lowering the security level might miss threats. Option A removes endpoint protection for unknown files, relying solely on network detection, which is insufficient. Option D removes endpoint protection entirely, increasing risk.

596
MCQ (hard)

An engineer is designing a FlexVPN deployment with multiple hub routers and spoke routers. The spokes need to establish tunnels to the closest hub based on latency. Which feature should be configured to achieve dynamic hub selection?

A. Configure static priority on each hub and use priority-based selection.
B. Use Multipoint GRE with mGRE and NHRP for dynamic tunnel selection.
C. Use DHCP option 121 to push static routes for hub selection.
D. Implement IKEv2 redirect mechanism to direct spokes to the optimal hub.
Answer: D

IKEv2 redirect allows hubs to redirect spokes to a better hub based on location or latency.

Why this answer

The IKEv2 redirect mechanism allows a hub to inform a spoke of a more optimal hub based on metrics such as latency or load. The spoke then initiates a new IKEv2 connection to the recommended hub, enabling dynamic hub selection without manual configuration. This is the standard Cisco solution for FlexVPN deployments requiring proximity-based tunnel establishment.

Exam trap

Cisco often tests the IKEv2 redirect mechanism as the only standards-based method for dynamic hub selection in FlexVPN, and the trap here is that candidates confuse DMVPN's mGRE/NHRP (which handles spoke-to-spoke tunnels) with the hub-selection problem, leading them to choose Option B.

How to eliminate wrong answers

Option A is wrong because static priority on hubs does not adapt to real-time network conditions like latency; it forces spokes to always prefer a fixed hub regardless of performance. Option B is wrong because mGRE and NHRP are used for dynamic spoke-to-spoke tunnel establishment (DMVPN phase 2/3), not for selecting the best hub based on latency. Option C is wrong because DHCP option 121 pushes static routes for routing purposes, not for dynamic tunnel endpoint selection based on latency.

597
MCQ (hard)

A security team notices that an AWS Lambda function is allowed to access an S3 bucket containing PII. The Lambda role has an attached policy that grants s3:PutObject and s3:GetObject to the bucket. Which action would be the most effective to ensure least privilege?

A. Enable S3 default encryption using AWS KMS
B. Apply AWS WAF rules to the Lambda function
C. Remove the role and create a new role with full S3 access
D. Add a bucket policy that restricts access to the Lambda execution role and includes conditions
Answer: D

Resource policies with conditions can restrict based on role and source.

Why this answer

Option D is correct because adding a bucket policy that restricts access to the Lambda execution role and includes conditions (such as aws:SourceArn or aws:SourceAccount) enforces least privilege at the resource level. This ensures that only the specific Lambda function can perform s3:PutObject and s3:GetObject on the S3 bucket, preventing any other principal or service from abusing the role's permissions.

Exam trap

The trap here is that candidates often confuse resource-based policies (bucket policies) with identity-based policies (IAM roles) and think that modifying the IAM role alone is sufficient, but Cisco tests that least privilege requires restricting access at both the identity and resource levels, especially for cross-service scenarios.

How to eliminate wrong answers

Option A is wrong because enabling S3 default encryption using AWS KMS protects data at rest but does not restrict which principals or roles can access the bucket; it addresses confidentiality, not authorization. Option B is wrong because AWS WAF is a web application firewall that protects HTTP/HTTPS endpoints (like API Gateway or CloudFront), not Lambda functions or S3 bucket access; it cannot control IAM permissions or S3 API calls. Option C is wrong because creating a new role with full S3 access (s3:*) would grant excessive permissions, violating the principle of least privilege and potentially allowing the Lambda function to list, delete, or modify all objects in the bucket.

598
MCQ (medium)

A company's remote employees use Cisco AnyConnect to connect to the corporate network. The VPN is configured with split tunneling so that only traffic to the corporate subnet (10.0.0.0/8) goes through the tunnel, and all other traffic goes directly to the internet. Recently, several employees reported that they cannot access the corporate file server (IP 10.2.3.4) even though they can connect to the VPN. The network team checks the ASA configuration and confirms that the split tunnel ACL includes the corporate subnet. The AnyConnect client shows that it is connected. What is the most likely cause of the issue?

A. The ASA is performing NAT on the VPN traffic.
B. The DNS resolution for the file server is failing due to VPN DNS settings.
C. The file server's firewall is blocking VPN traffic.
D. The split tunnel ACL is not being applied correctly, and traffic is going direct to internet.
Answer: B

Split tunneling often requires DNS to be resolved via the corporate DNS server; misconfiguration can cause resolution failures.

Why this answer

When split tunneling is configured, DNS queries for corporate resources are often sent to the corporate DNS server through the tunnel. If the VPN adapter's DNS settings are not properly configured or the corporate DNS server is unreachable, the client cannot resolve the file server's hostname to its IP address (10.2.3.4), even though the IP itself is reachable via the tunnel. This is a common misconfiguration where the client uses its local DNS server, which does not have records for the internal corporate domain.

Exam trap

Cisco often tests the distinction between network-layer connectivity (IP reachable) and application-layer resolution (DNS), leading candidates to focus on routing or firewall issues when the real problem is DNS misconfiguration in split-tunnel scenarios.

How to eliminate wrong answers

Option A is wrong because NAT on VPN traffic would typically translate the source IP of the client, but it would not prevent access to a specific IP like 10.2.3.4; NAT might cause issues with routing or application protocols, but the symptom here is inability to access a specific server, not a general connectivity failure. Option C is wrong because the file server's firewall blocking VPN traffic would affect all VPN users consistently, not just those reporting issues, and the scenario states that the VPN connection is established and the split tunnel ACL includes the subnet, implying the traffic reaches the server but fails at a higher layer. Option D is wrong because the network team confirmed the split tunnel ACL includes the corporate subnet, and the AnyConnect client shows it is connected, so traffic to 10.0.0.0/8 should be routed through the tunnel; if the ACL were misapplied, the client would likely show no tunnel route or the user would be unable to ping the server IP directly, which is not stated.

599
MCQ (hard)

A security engineer is configuring Cisco Umbrella Intelligent Proxy to selectively decrypt and inspect HTTPS traffic. The goal is to balance security and user privacy by only inspecting traffic to high-risk domains. How does Intelligent Proxy decide which traffic to inspect?

A. It inspects all HTTPS traffic by default.
B. It evaluates domains against Cisco's security categories and only inspects domains that match certain categories.
C. It uses a list of manually configured domains.
D. It inspects traffic based on the user's identity.
Answer: B

Intelligent Proxy leverages Cisco's threat intelligence to decide which traffic to inspect.

Why this answer

Intelligent Proxy uses Cisco Umbrella's security intelligence to categorize domains and selectively apply SSL inspection to those classified as high risk or based on policy.

600
MCQ (hard)

An incident responder is analyzing an endpoint that was compromised despite AMP for Endpoints being deployed. The AMP logs show the malware file had a disposition of 'Unknown' shortly before compromise, but later changed to 'Malicious' after cloud analysis. What is the most likely reason the file was not blocked initially?

A. The cloud analysis result was delayed due to high traffic.
B. The local analysis engine was disabled, so the file was not analyzed locally.
C. The AMP policy was configured to 'Allow' or 'Detect' for files with disposition 'Unknown'.
D. The endpoint did not have connectivity to the AMP cloud at the time of execution.
Answer: C

Unknown files may be allowed until the cloud verdict returns; if the action is not 'Block', execution occurs.

Why this answer

C is correct because AMP for Endpoints can be configured with a policy that defines the action for files with a disposition of 'Unknown' — typically 'Allow' or 'Detect' — rather than 'Block'. In this scenario, the file was allowed to execute locally because the policy did not block unknown files, and only after cloud analysis returned a 'Malicious' verdict did the disposition change. This explains why the file was not blocked initially despite AMP being deployed.

Exam trap

Cisco often tests the distinction between local and cloud analysis phases, and the trap here is that candidates assume 'Unknown' means the file was not analyzed at all, when in fact it means the local analysis could not determine maliciousness and the policy action for unknown files is the deciding factor.

How to eliminate wrong answers

Option A is wrong because while high traffic can delay cloud analysis, the question states the disposition changed after cloud analysis, not that the analysis itself was delayed; the initial 'Unknown' disposition is a local verdict, not a delayed cloud result. Option B is wrong because if the local analysis engine were disabled, AMP would not have any disposition for the file, and the logs would not show an 'Unknown' disposition — the local engine is what produces the 'Unknown' verdict when it cannot definitively classify the file. Option D is wrong because if the endpoint lacked cloud connectivity at execution, the file would remain 'Unknown' indefinitely and never change to 'Malicious' after cloud analysis; the fact that the disposition later changed proves cloud connectivity was available.
