Cisco SCOR / CCNP Security Core 350-701 (350-701) — Questions 601-675

988 questions total · 14 pages · All types, answers revealed


Page 9 of 14

601
MCQ · hard

An ISE deployment uses TrustSec with SGTs assigned by Active Directory group membership. A group of users in the 'Finance' AD group is correctly receiving SGT 5, but a new user added to that group is getting SGT 0. The ISE policy is unchanged, and other users in the group work fine. What is the most likely cause?

A. The user endpoint has not been profiled by ISE yet
B. ISE has not synchronized the latest AD group membership
C. The user endpoint is running antivirus software that blocks SGT assignment
D. The user does not have a PAC (Protected Access Credential)
E. The switchport is configured with 'authentication violation restrict' which blocks the new user
Answer: B

ISE evaluates the user's AD group membership when it matches the authorization policy. If that membership has not yet been refreshed after the user was added, the Finance rule does not match, the session falls through to a result that carries no SGT, and the switch tags it with the Unknown SGT (0). On the switch, `show authentication sessions interface <if> details` shows the SGT value applied to the session, and `show cts role-based sgt-map all` shows the resulting IP-to-SGT bindings.

Why this answer

Option B is correct because ISE uses Active Directory (AD) as an identity source and must synchronize group membership changes before it can map the new user to the correct Security Group Tag (SGT). If the AD group membership has not been refreshed via the scheduled or manual sync, ISE will not know the new user belongs to the 'Finance' group, resulting in a default SGT of 0 (unknown/untrusted). Other users already in the group work fine because their membership was present during the last successful sync.

Exam trap

Cisco often tests the misconception that SGT assignment is immediate upon an AD group membership change; the trap here is that ISE must see the updated membership before the Finance rule can match. SGT 0 is the Unknown tag: it means the session received an authorization result that carried no SGT, not that authentication failed.

How to eliminate wrong answers

Option A is wrong because endpoint profiling is not required for SGT assignment based on AD group membership; the SGT is selected during authorization, not during profiling. Option C is wrong because antivirus software does not interfere with SGT assignment, which the switch applies from the authorization result, not through any client-side process. Option D is wrong because a PAC (Protected Access Credential) is used for EAP-FAST tunnel establishment and for the switch's own TrustSec device authentication with ISE, not for selecting a user's SGT; the SGT is carried in RADIUS attributes (the Cisco-AVPair cts:security-group-tag) after successful authentication.

Option E is wrong because 'authentication violation restrict' does not block a new, successfully authenticating user; it applies when more MAC addresses appear on a port than are allowed, and in restrict mode the port stays up and drops the offending traffic (only 'shutdown' mode err-disables the port). Here the user's session was authorized, it simply received SGT 0.

602
Multi-Select · medium

A network engineer is configuring Cisco TrustSec on a switch to enforce segmentation. Which THREE components are required for TrustSec to assign a Security Group Tag (SGT) to a user after successful authentication via ISE?

Select 3 answers
A. SGT classification on the switch
B. 802.1X authentication
C. RADIUS communication between ISE and switch
D. Change of Authorization (CoA)
E. VLAN assignment
Answers: B, C, D

802.1X is typically used to authenticate the user before SGT assignment.

Why this answer

B is correct because 802.1X authentication is the foundational mechanism that initiates the identity-based access control flow. When a user connects to the switch port, 802.1X (using EAP over LAN) authenticates the user against ISE, which then triggers the assignment of a Security Group Tag (SGT) via RADIUS attributes. Without 802.1X, the switch has no user identity to classify, and TrustSec cannot enforce segmentation at the user level. C is correct because the SGT itself travels from ISE to the switch as a RADIUS attribute (the Cisco-AVPair cts:security-group-tag) in the Access-Accept, so working RADIUS between ISE and the switch is a hard requirement. D is correct because CoA is how ISE changes the authorization of an existing session, for example pushing a new SGT after a policy or group change, without forcing the user to re-authenticate.

Exam trap

Cisco often tests the misconception that SGT classification on the switch is a prerequisite for SGT assignment, when in fact classification is the downstream action that applies the tag after ISE has assigned it via RADIUS and CoA.
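To make the RADIUS side of questions 601 and 602 concrete, the following added example (not from the exam page or any Cisco software) encodes and decodes the Cisco-AVPair that carries the SGT inside a RADIUS Vendor-Specific attribute of the Access-Accept, and shows what the authenticator does when no such AVPair is present: the session gets the Unknown SGT, 0. It assumes the RFC 2865 VSA layout (attribute type 26), Cisco vendor ID 9, Cisco-AVPair vendor type 1 and the AVPair syntax `cts:security-group-tag=<sgt hex>-<generation hex>`; the two Access-Accepts are constructed.

```python
# Added example for questions 601 and 602 (not from the exam page): build and
# parse the RADIUS Vendor-Specific attribute that carries the TrustSec SGT.
# Assumptions: RFC 2865 VSA (type 26), Cisco vendor ID 9, Cisco-AVPair vendor
# type 1, AVPair syntax "cts:security-group-tag=<sgt hex>-<generation hex>".
import struct

RADIUS_VSA = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
SGT_UNKNOWN = 0
SGT_PREFIX = "cts:security-group-tag="


def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair as a complete RADIUS VSA attribute (TLV)."""
    payload = value.encode("ascii")
    if len(payload) > 247:           # 253 max value - 4 vendor id - 2 sub-header
        raise ValueError("AVPair too long for a single VSA")
    sub = bytes([CISCO_AVPAIR, 2 + len(payload)]) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return bytes([RADIUS_VSA, 2 + len(body)]) + body


def build_access_accept_attrs(avpairs) -> bytes:
    """Constructed attribute section of an Access-Accept carrying the AVPairs."""
    return b"".join(cisco_avpair(v) for v in avpairs)


def parse_attributes(data: bytes):
    """Split a RADIUS attribute section into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def cisco_avpairs(attrs):
    """Return the Cisco-AVPair strings found in Cisco VSAs (a VSA may hold several)."""
    out = []
    for atype, value in attrs:
        if atype != RADIUS_VSA or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == CISCO_AVPAIR:
                out.append(value[j + 2:j + vlen].decode("ascii", "replace"))
            j += vlen
    return out


def sgt_from_access_accept(attrs) -> int:
    """SGT the authenticator applies to the session: the value from
    cts:security-group-tag=<sgt>-<gen>, or 0 (Unknown) when ISE sent none."""
    for pair in cisco_avpairs(attrs):
        if pair.startswith(SGT_PREFIX):
            sgt_hex = pair[len(SGT_PREFIX):].split("-", 1)[0]
            return int(sgt_hex, 16)
    return SGT_UNKNOWN


# Constructed Access-Accepts: a Finance user whose group matched (SGT 5), and
# the newly added user whose group condition did not match, so the result
# carries only an unrelated AVPair (a per-user ACL line) and no SGT.
FINANCE_ACCEPT = build_access_accept_attrs(["cts:security-group-tag=0005-00"])
NO_SGT_ACCEPT = build_access_accept_attrs(["ip:inacl#1=permit ip any any"])


def demo():
    return {
        "finance": sgt_from_access_accept(parse_attributes(FINANCE_ACCEPT)),
        "new_user": sgt_from_access_accept(parse_attributes(NO_SGT_ACCEPT)),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns 5 for the Finance user and 0 for the new user, which is exactly the symptom in question 601: nothing failed, the authorization result simply carried no SGT.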

603
MCQ · easy

Which Cisco product provides next-generation firewall (NGFW) capabilities, including application visibility and intrusion prevention?

A. Cisco ASA
B. Cisco Firepower
C. Cisco Stealthwatch
D. Cisco ISE
Answer: B

Firepower provides NGFW, IPS, and advanced malware protection.

Why this answer

Cisco Firepower (now part of Cisco Secure Firewall) is the NGFW that includes IPS and application control.

604
Multi-Select · easy

Which TWO factors should be considered when designing a Cisco ISE deployment for network access control (NAC) in a multi-site environment? (Choose two.)

Select 2 answers
A. ISE node roles and placement (primary, secondary, monitoring)
B. Endpoint profiling needs
C. Number of endpoints per policy evaluator
D. Type of network access device (switch, WLC, VPN)
E. WAN link latency and reliability between sites
Answers: A, E

Roles define failover and administration; critical for multi-site.

Why this answer

Multi-site NAC design depends on reliable connectivity between sites and on correct node roles. Option A (node roles and placement: Administration, Monitoring, Policy Service) determines failover, administration and where authentications are served; placing Policy Service Nodes close to the sites they serve is the central multi-site decision. Option E (WAN latency and reliability) decides whether RADIUS requests and inter-node replication across sites complete within the timeouts of the network access devices.

Option B (profiling needs) is a feature choice that applies to any deployment, not specifically to multi-site layout. Option C (endpoints per policy evaluator) is a sizing detail derived once placement is decided. Option D (NAD type) affects per-site configuration but does not drive the multi-site design.

605
MCQ · hard

A multinational corporation is deploying Cisco ISE to enforce network access for both wired and wireless users. The company has 5,000 employees and 2,000 guest users daily. The ISE deployment consists of two nodes: a primary Administration Node (PAN) and a Monitoring Node (MNT). All policies are configured on the PAN. Recently, the company has experienced intermittent authentication failures during peak hours. The failures affect both wired 802.1X and wireless users. The syslogs show 'RADIUS request dropped' messages on the ISE nodes. The network team has verified that the RADIUS shared secret is correct and that the network devices can reach the ISE nodes. The ISE nodes have sufficient CPU and memory. However, the authentication failures correlate with times when the number of concurrent sessions exceeds 500. What is the most likely cause of the issue?

A. The ISE node is running out of RADIUS session capacity
B. The ISE nodes are not reachable from the network devices
C. The RADIUS shared secret is mistyped on some network devices
D. The CPU and memory are insufficient despite appearing sufficient
Answer: A

ISE has a maximum number of concurrent RADIUS sessions; exceeding that causes drops.

Why this answer

The 'RADIUS request dropped' messages, together with failures that track the number of concurrent sessions rather than CPU or memory, point to the node exhausting its capacity to serve RADIUS: every ISE node can handle a finite number of sessions, and once that limit is reached new requests are dropped rather than queued. The deployment also has no dedicated Policy Service Node, so whichever node carries the Policy Service persona is shouldering the entire authentication load. The threshold of about 500 concurrent sessions is the scenario's own figure, not a Cisco sizing number; the real limit depends on platform and release. This is a session-capacity limitation, not a CPU or memory issue, which is why failures occur only during peak hours.

Exam trap

Cisco often tests the distinction between resource exhaustion (CPU/memory) and session capacity limits, trapping candidates who assume that sufficient CPU and memory means no capacity issue, when in fact the RADIUS session table is a separate finite resource.

How to eliminate wrong answers

Option B is wrong because the network team verified that the network devices can reach the ISE nodes, so reachability is not the issue. Option C is wrong because the RADIUS shared secret was verified as correct on all devices, and mistyped secrets would cause consistent failures, not intermittent ones correlated with session count. Option D is wrong because the ISE nodes have sufficient CPU and memory, and the problem is a session capacity limit, not a resource exhaustion issue.

606
MCQ · medium

Which Cisco FTD feature provides application visibility and control (AVC) to identify and block applications like Facebook or Skype?

A. URL filtering policy
B. Access control policy with application conditions
C. Intrusion policy
D. SSL decryption policy
Answer: B

Correct; AVC is implemented in access control rules.

Why this answer

Application visibility and control is achieved through the access control policy using application filters and the application database. Intrusion policy handles threats, not application identification.

607
MCQ · hard

A security team is implementing Privileged Access Management (PAM) using CyberArk integrated with Cisco SecureX. They need to provide just-in-time access to a critical server for a specific task, with automatic password rotation after use. Which PAM capability addresses this requirement?

A. Remote shell investigation
B. Password vaulting
C. Session recording
D. EDR file quarantine
Answer: B

Password vaulting stores, rotates, and provides on-demand access to privileged credentials.

Why this answer

Password vaulting securely stores and manages privileged credentials, enabling just-in-time access and automatic rotation after use to minimize exposure.

608
Multi-Select · easy

Which two conditions must be met for Cisco Firepower Threat Defense (FTD) to perform SSL decryption?

Select 2 answers
A. The FTD must have a decryption certificate (server certificate) installed.
B. The client must be using TLS 1.2 or higher.
C. The FTD must have a URL Filtering license.
D. A valid certificate authority (CA) certificate for the internal CA must be installed on the FTD.
E. The decryption policy must be configured on the FTD device.
Answers: A, D

The decryption certificate is used to establish a new TLS session with the client.

Why this answer

SSL decryption rests on certificates: a Decrypt-Resign rule needs an internal CA certificate and key the FTD can sign with, which the clients must trust (D), and a Decrypt-Known-Key rule for inbound traffic needs the server's own certificate and private key (A). Option B is not a prerequisite, since decryption does not require TLS 1.2. Option C is wrong because URL Filtering is a separately licensed feature. Option E describes the policy that uses these certificates; the intended answers are the certificate prerequisites.

609
Multi-Select · easy

Which TWO are required to successfully deploy Cisco AMP for Endpoints in a Windows domain environment with Group Policy?

Select 2 answers
A. Install the AMP connector on each endpoint
B. Configure the firewall to block outbound HTTPS traffic
C. Install the AMP connector on a domain controller
D. Assign an AMP policy to the connector via Group Policy
E. Ensure all endpoints are joined to the domain
Answers: A, D

The connector must be present to enforce policies.

Why this answer

Option A is correct because the AMP for Endpoints connector is the agent software that must be installed on each endpoint to provide malware detection, file trajectory, and retrospective security analysis. Without the connector, the endpoint cannot communicate with the AMP cloud or enforce any security policies, making deployment non-functional.

Exam trap

Cisco often tests the assumption that domain membership (option E) accomplishes something by itself. It does not: Group Policy can push the connector installer, but the connector must actually be installed on every endpoint (A) and be associated with a policy (D), otherwise nothing is enforced. Blocking outbound HTTPS (B) would cut the connector off from the AMP cloud, and installing only on a domain controller (C) protects a single host.

610
MCQ · hard

A company uses Cisco Threat Response (CTR) to investigate a potential breach. The analyst sees an observable (SHA256) with a score of 90 in the threat grid. However, the AMP connector on the endpoint shows 'Allow' for that file. What could cause this discrepancy?

A. The 'File Blocking' setting is set to 'Off' for the policy, ignoring cloud scores.
B. The AMP policy has file reputation disabled, so all files are allowed.
C. The AMP policy uses 'Local Analysis' and the local analysis determined the file was safe.
D. The file was blocked but the AMP console shows 'Allow' due to delayed event ingestion.
Answer: C

Local analysis can override cloud reputation if configured and the file passes local heuristics.

Why this answer

Option C is correct within this scenario because Cisco AMP for Endpoints layers several verdict sources: the AMP cloud file disposition, the Threat Grid sandbox threat score (a separate analysis result, not itself a disposition) and the connector's local engines. With Local Analysis enabled, the endpoint's local verdict governed the action; it judged the file safe, so the file was allowed despite the Threat Grid score of 90. That explains the discrepancy between what CTR shows for the observable and the connector's 'Allow' event.

Exam trap

Cisco often tests the concept that AMP's Local Analysis can override cloud-based reputation scores, leading to a file being allowed despite a high malicious score in Threat Grid, which candidates mistakenly attribute to misconfigured file blocking or reputation settings.

How to eliminate wrong answers

Option A is wrong because the 'File Blocking' setting, when set to 'Off', disables file blocking entirely, but it does not ignore cloud scores; it simply does not enforce blocking based on any score. Option B is wrong because disabling file reputation in the AMP policy would prevent the endpoint from querying the cloud for reputation, but it would not cause a file with a high cloud score to be allowed; instead, the file would be handled by other mechanisms like local analysis or simple allow/block rules. Option D is wrong because AMP events are near real-time; delayed event ingestion would not cause the console to show 'Allow' for a blocked file—it would either show no event or a delayed 'Blocked' event, not an incorrect 'Allow' status.

611
MCQ · medium

Refer to the exhibit. The engineer configured a file type filter for executables on access policy Policy_A. However, .exe files from trusted_sites are still being allowed. What is the most likely reason for this behavior?

A. The file type filter is applied to the wrong access policy.
B. The URL category for trusted_sites is blocking the file type filter from being evaluated.
C. The file type filter action is set to 'monitor' instead of 'block'.
D. The access policy order is incorrect; a less specific policy is matching before Policy_A.
Answer: C

A 'monitor' action only logs and does not block; to block, the action must be set to 'block'.

Why this answer

Option C is correct because the file type filter action is set to 'monitor' (which only logs) instead of 'block'. The access policy action is 'allow', so without a block action in the file type filter, executables are allowed. Option A is wrong because the file type filter is applied to Policy_A.

Option B is wrong because the filter is on executables category, not URL. Option D is wrong because policy order is not shown to be an issue.

612
MCQ · medium

A network administrator is deploying Cisco AMP for Endpoints to protect against advanced malware. They want to ensure that if a file is initially allowed but later determined to be malicious, the file is automatically blocked and quarantined on all endpoints that have executed it. Which AMP feature should be configured?

A. Retrospective Security (Retrospective)
B. TETRA (Technique Extraction and Retrospective Analysis)
C. File Analysis via the AMP cloud
D. Exclude List for known good files
Answer: A

Updates disposition and remediates.

Why this answer

Retrospective Security (Retrospective) is the correct feature because it allows Cisco AMP for Endpoints to re-evaluate files that were initially allowed based on local or cloud reputation. If a file is later determined to be malicious via updated threat intelligence, Retrospective Security automatically blocks and quarantines that file on all endpoints that have executed it, even after the initial execution. This provides continuous protection against advanced malware that evades initial detection.

Exam trap

The trap is that candidates pick TETRA because the option's expansion sounds retrospective. TETRA is the connector's offline, signature-based engine for endpoints that cannot reach the cloud; it does not re-evaluate and quarantine files that were already allowed. File Analysis on its own only produces a verdict; acting on a changed verdict across endpoints is the Retrospective Security capability.

How to eliminate wrong answers

Option B (TETRA) is wrong because TETRA is the traditional signature-based antivirus engine inside the AMP connector, used for offline detection; it does not retroactively quarantine files that were previously allowed, and the expansion given in the option is not how Cisco describes it. Option C (File Analysis via the AMP cloud) is wrong because it refers to submitting files to the cloud for static and dynamic analysis to determine maliciousness, but it does not by itself retroactively block and quarantine files already executed on endpoints. Option D (Exclude List for known good files) is wrong because it is an allow-listing mechanism to prevent false positives, not a feature that blocks or quarantines files later found malicious.

613
MCQ · easy

An administrator configures a Cisco ASA with an interface named 'inside' at security level 100 and 'outside' at security level 0. Which statement about traffic flow is true?

A. Traffic from inside to outside is denied unless NAT is configured.
B. All traffic between inside and outside is denied without an ACL.
C. Traffic from inside to outside is allowed by default if the connection is statefully inspected.
D. Traffic from outside to inside is allowed by default.
Answer: C

Correct; higher-to-lower traffic is allowed if stateful inspection permits.

Why this answer

By default, traffic from a higher security level (inside) to a lower security level (outside) is allowed without an ACL if stateful inspection permits.

614
MCQ · hard

A security architect is designing a solution to detect and block ransomware using Cisco AMP. The requirement is that when a file executes and attempts to encrypt files in a monitored directory, the event must be captured and the process terminated immediately. Which AMP feature set should be used?

A. Exploit Prevention with Behavioral Protection enabled.
B. Application Control with a block list of known ransomware binaries.
C. Vulnerability Assessment with real-time patching.
D. Device Flow Correlation (DFC) with advanced malware analysis.
Answer: A

This feature set detects ransomware behaviors and can automatically terminate the process.

Why this answer

Cisco AMP's Exploit Prevention with Behavioral Protection is designed to monitor file behavior in real time. When a file executes and attempts to encrypt files in a monitored directory, Behavioral Protection detects the anomalous activity (e.g., mass file modifications) and can immediately terminate the process, meeting the requirement to capture and block the ransomware event.

Exam trap

Cisco often tests the distinction between signature-based controls (like Application Control) and behavioral-based controls (like Exploit Prevention with Behavioral Protection), leading candidates to mistakenly choose a static block list approach for dynamic ransomware detection.

How to eliminate wrong answers

Option B is wrong because Application Control with a block list of known ransomware binaries relies on static signatures or hashes, which cannot detect unknown or zero-day ransomware that has not been previously identified. Option C is wrong because Vulnerability Assessment with real-time patching focuses on identifying and remediating software vulnerabilities, not on detecting or blocking malicious file behavior like encryption attempts. Option D is wrong because Device Flow Correlation (DFC) with advanced malware analysis is used for network traffic analysis and correlation, not for endpoint behavioral monitoring or process termination.

615
MCQ · hard

An engineer is tuning Snort signatures on a Cisco FTD to reduce false positives. A rule triggers on legitimate traffic that matches a known exploit pattern but is actually benign. Which tuning technique would be most appropriate to suppress the alerts without completely disabling the rule?

A. Add a suppression filter for the specific source IP addresses.
B. Change the rule action from 'alert' to 'pass'.
C. Increase the rule's threshold to require more hits before alerting.
D. Disable the rule in the intrusion policy.
Answer: A

Suppression filters silence alerts for known benign sources while retaining the rule.

Why this answer

A suppression filter leaves the rule enabled but stops it from generating events for the specified source or destination IP addresses (suppression tracks IPs, not ports), so the signature keeps firing for every other host. A threshold (C) would still let the benign traffic alert once enough hits accumulate, and changing the action or disabling the rule (B, D) removes detection for everyone.

616
MCQ · easy

Refer to the exhibit. What happened to the file 'crack.exe'?

A. The file was allowed because it was detected as malicious.
B. The file was blocked from executing.
C. The file was detected but no action was taken.
D. The file was quarantined to a secure folder.
Answer: B

The log explicitly states 'Blocked by policy'.

Why this answer

The exhibit shows that Cisco AMP for Endpoints detected 'crack.exe' as malicious and applied the Block action, which prevents the file from executing on the endpoint. That is what 'Blocked by policy' in the event means: the file was stopped before it could run. Option B is correct because the file was blocked from executing based on the detection and the policy configured in AMP.

Exam trap

Cisco often tests the distinction between 'BLOCK' and 'QUARANTINE' actions in AMP, where candidates may confuse blocking execution with quarantining the file, but the exhibit explicitly shows the 'BLOCK' action, not 'QUARANTINE'.

How to eliminate wrong answers

Option A is wrong because the file was not allowed; it was blocked, and 'allowed because it was detected as malicious' is contradictory since malicious files are typically blocked, not allowed. Option C is wrong because the exhibit shows an action was taken ('BLOCK'), not that no action was taken; 'detected but no action' would correspond to a 'MONITOR' or 'ALERT' disposition. Option D is wrong because the file was blocked from executing, not quarantined to a secure folder; quarantine involves moving the file to a safe location, which is a different action than blocking execution.

617
MCQ · easy

An endpoint security engineer wants to protect against memory injection attacks on endpoints running Windows. Which Cisco AMP feature should be enabled?

A. Retrospective security
B. Exploit Prevention
C. IOC scanning
D. Device Trajectory
Answer: B

Exploit Prevention specifically guards against memory injection and other exploit techniques.

Why this answer

Exploit Prevention in Cisco AMP protects against memory-based attacks by monitoring and blocking techniques like buffer overflows and code injection.

618
MCQ · hard

A company is deploying a multi-tier application on AWS. The web servers must be accessible from the internet only on ports 80 and 443, while the database servers should be accessible only from the web servers on port 3306. Which combination of cloud network security controls should be used?

A. Only security groups for both tiers, no NACLs
B. Only Network ACLs for both subnets, no security groups
C. Security groups for each tier and a Network ACL on the database subnet
D. Network ACLs for the web tier and security groups for the database tier
Answer: C

Security groups control instance-level traffic; NACLs add subnet-level filtering.

Why this answer

Security groups act as stateful, instance-level firewalls and can reference other security groups, so the database group can allow 3306 from members of the web group rather than from an IP range. NACLs are stateless and applied at the subnet level, so they need explicit rules in both directions (including the ephemeral-port return traffic) and work best as a coarse second layer. The usual design is therefore security groups for each tier plus a NACL on the database subnet as a guardrail.
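The following added example (not from the exam page or from AWS) models the two controls for the design in question 618 so the difference between stateful and stateless filtering is visible on concrete flows. All CIDRs, group names and rule numbers are constructed; the evaluation order (lowest NACL number wins, implicit deny at the end, security-group rules that reference another group) follows AWS semantics, but the code is a model, not an AWS API.

```python
# Added example for question 618 (not from the exam page or AWS): a small model
# of a stateful, instance-level security group combined with a stateless,
# subnet-level network ACL. Names, CIDRs and rule numbers are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SgRule:
    """Inbound security-group rule: allow `port` from a CIDR or from members
    of another security group written as 'sg:<name>'."""
    port: int
    source: str


@dataclass(frozen=True)
class NaclRule:
    """Numbered NACL entry; the lowest-numbered matching entry wins."""
    number: int
    action: str      # "allow" or "deny"
    cidr: str
    port_from: int
    port_to: int


def _in_cidr(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def nacl_allows(rules, ip, port):
    """Stateless: each direction is checked on its own; implicit deny at the end."""
    for r in sorted(rules, key=lambda r: r.number):
        if _in_cidr(r.cidr, ip) and r.port_from <= port <= r.port_to:
            return r.action == "allow"
    return False


def sg_allows(rules, src_ip, src_sg, port):
    """Stateful: only the packet that opens the connection is checked; replies
    are tracked and allowed automatically."""
    for r in rules:
        if r.port != port:
            continue
        if r.source.startswith("sg:"):
            if src_sg == r.source[3:]:
                return True
        elif _in_cidr(r.source, src_ip):
            return True
    return False


def connection_ok(src_ip, src_sg, dst_sg, port, sgs, nacl_in, nacl_out, client_port=49152):
    """Does a TCP connection from src to an instance in dst_sg succeed?
    The SYN must pass the destination subnet's inbound NACL and the instance's
    security group; the SYN-ACK back to the client's ephemeral port must pass
    the outbound NACL too, because the NACL keeps no connection state."""
    if not nacl_allows(nacl_in, src_ip, port):
        return False, "subnet NACL inbound denies"
    if not sg_allows(sgs[dst_sg], src_ip, src_sg, port):
        return False, "security group inbound denies"
    if not nacl_allows(nacl_out, src_ip, client_port):
        return False, "subnet NACL outbound denies the reply (stateless)"
    return True, "allowed"


# Constructed topology: web tier in 10.0.1.0/24 behind web-sg, database tier
# behind db-sg. The web subnet keeps a default allow-all NACL; the database
# subnet gets a restrictive one, as the chosen answer describes.
WEB_SUBNET = "10.0.1.0/24"
SGS = {
    "web-sg": [SgRule(80, "0.0.0.0/0"), SgRule(443, "0.0.0.0/0")],
    "db-sg": [SgRule(3306, "sg:web-sg")],
}
DEFAULT_NACL = [NaclRule(100, "allow", "0.0.0.0/0", 0, 65535)]
DB_NACL_IN = [NaclRule(100, "allow", WEB_SUBNET, 3306, 3306)]
DB_NACL_OUT = [NaclRule(100, "allow", WEB_SUBNET, 1024, 65535)]  # ephemeral return ports
DB_NACL_OUT_MISSING_RETURN = []                                  # a common mistake


def scenarios():
    """Each entry is (ok, reason) for one flow."""
    return {
        "internet->web:443": connection_ok("203.0.113.5", None, "web-sg", 443, SGS, DEFAULT_NACL, DEFAULT_NACL),
        "internet->web:22": connection_ok("203.0.113.5", None, "web-sg", 22, SGS, DEFAULT_NACL, DEFAULT_NACL),
        "web->db:3306": connection_ok("10.0.1.10", "web-sg", "db-sg", 3306, SGS, DB_NACL_IN, DB_NACL_OUT),
        "web->db:3306 no return rule": connection_ok("10.0.1.10", "web-sg", "db-sg", 3306, SGS, DB_NACL_IN, DB_NACL_OUT_MISSING_RETURN),
        "internet->db:3306": connection_ok("203.0.113.5", None, "db-sg", 3306, SGS, DB_NACL_IN, DB_NACL_OUT),
        "rogue host in web subnet->db:3306": connection_ok("10.0.1.99", "other-sg", "db-sg", 3306, SGS, DB_NACL_IN, DB_NACL_OUT),
    }


if __name__ == "__main__":
    for flow, (ok, reason) in scenarios().items():
        print(f"{flow:38} {'OK' if ok else 'NO'}  {reason}")
```

Two of the flows carry the lesson: the database NACL without an outbound rule for ephemeral ports blocks the reply even though the SYN was allowed (the stateless layer needs both directions), and a rogue host inside the web subnet passes the NACL but is stopped by the security group because it is not a member of web-sg (the stateful layer is what enforces "only from the web servers").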

619
MCQ · hard

A security engineer is troubleshooting an issue where a known malicious file (SHA-256: 3a7c...f9e) is not being detected by Cisco Secure Endpoint on a Windows 10 endpoint. The file was downloaded from the internet. The policy has the 'File Reputation' setting set to 'Use cloud lookup', and the 'Exploit Prevention' module is enabled. The endpoint is connected to the internet and can reach the AMP cloud. What is the most likely reason for the missed detection?

A. The endpoint was offline when the file was first written to disk, so the cloud lookup was skipped.
B. Windows Defender Real-time Protection is interfering with the AMP connector.
C. The Exploit Prevention module is blocking the cloud lookup process.
D. The AMP cloud license has expired for the organization.
Answer: A

If the endpoint was offline during file download, the initial cloud lookup is skipped, and the file is allowed.

Why this answer

Option A is correct because Cisco Secure Endpoint's 'File Reputation' with 'Use cloud lookup' requires the endpoint to be online at the moment the file is written to disk. If the endpoint was offline during that critical window, the connector cannot perform the SHA-256 cloud lookup against the AMP cloud, and the file is not evaluated for maliciousness. The file remains undetected until a subsequent scan or event triggers a new lookup, which may not happen automatically.

Exam trap

Cisco often tests the nuance that 'Use cloud lookup' requires real-time connectivity at the exact moment of file creation, not just general internet access, and candidates mistakenly assume that a later online state will retroactively detect the file.

How to eliminate wrong answers

Option B is wrong because Windows Defender Real-time Protection does not interfere with the AMP connector; both can coexist, and Cisco Secure Endpoint is designed to operate alongside other antivirus products without conflict. Option C is wrong because the Exploit Prevention module does not block cloud lookup processes; it monitors for exploit techniques like code injection or heap spray, not network-based reputation queries. Option D is wrong because if the AMP cloud license had expired, the connector would typically show a licensing error or fail to communicate entirely, but the scenario states the endpoint can reach the AMP cloud, implying connectivity and licensing are functional.

620
MCQ · medium

A network engineer is troubleshooting 802.1X authentication on a Cisco switch. Users report that they cannot authenticate. The engineer verifies that the switch (authenticator) is configured correctly and the RADIUS server (ISE) is reachable. Which component is most likely misconfigured on the client side?

A. Authentication server
B. RADIUS shared secret
C. Supplicant
D. Authenticator
Answer: C

Correct. The supplicant on the client may be misconfigured or not enabled.

Why this answer

The supplicant is the client software that initiates 802.1X authentication. If users cannot authenticate, the supplicant configuration (e.g., EAP method, credentials) is often the issue.

621
MCQ · hard

An engineer is troubleshooting why AMP for Endpoints is not detecting a specific malicious file. The file hash is available and other endpoints detected it. What is the most likely cause for the detection failure on this endpoint?

A. The AMP connector is not configured with a proxy when needed.
B. The endpoint's AMP connector has local analysis disabled, preventing hash matching.
C. The AMP signature database on that endpoint is outdated.
D. The AMP policy is set to 'Block' instead of 'Detect'.
Answer: B

Local analysis allows matching known bad hashes without cloud lookup; if disabled, detection may rely solely on cloud.

Why this answer

When AMP for Endpoints fails to detect a file that is known to be malicious (based on its hash) and other endpoints have already detected it, the most likely cause is that local analysis (also known as local scanning or local hash matching) is disabled on the failing endpoint. AMP for Endpoints uses a combination of cloud-based lookups and local analysis. If local analysis is disabled, the endpoint cannot perform hash-based detection against its local cache or signature database, and it must rely entirely on cloud connectivity.

If the cloud lookup is delayed or the endpoint is offline, detection fails. Option B directly addresses this scenario.

Exam trap

Cisco often tests the misconception that AMP for Endpoints relies on a traditional signature database (like a .dat file) that can become outdated, when in fact the primary detection mechanism is cloud-based with a local cache that is not a full signature database.

How to eliminate wrong answers

Option A is wrong because a proxy misconfiguration would prevent cloud connectivity, but the question states the file hash is available and other endpoints detected it, implying cloud connectivity is not the issue; moreover, local analysis would still work if enabled. Option C is wrong because AMP for Endpoints does not rely on a locally stored signature database like traditional antivirus; it uses a lightweight local cache and cloud lookups, so an 'outdated signature database' is not a relevant concept for hash-based detection. Option D is wrong because setting the policy to 'Block' instead of 'Detect' would still trigger detection (and then block), not cause a failure to detect; the detection engine runs regardless of the action taken.

622
MCQ · medium

A security administrator notices that a significant volume of spam is bypassing the Cisco ESA's anti-spam filters. Upon investigation, they find that the messages have a mid-range SBRS score of 5.0. Which action should the administrator take to improve spam detection?

A. Change the SBRS score interpretation to positive
B. Lower the SBRS threshold to 3.0
C. Increase the SBRS threshold to 7.0
D. Disable SenderBase reputation checks
Answer: B

Moving the threshold to 3.0 stops the ESA from treating senders scoring around 5.0 as reputable enough to skip full anti-spam scanning.

Why this answer

The SBRS score ranges from -10 (worst) to +10 (best); negative scores mark known spam sources, and a score of 5.0 lands in the range the ESA would normally treat as reputable. The intended answer changes the threshold so that senders around 5.0 are no longer trusted on reputation alone and their messages are handed to the anti-spam engine. Reversing the score interpretation (A) or disabling SenderBase checks (D) would throw away useful reputation data rather than refine how it is applied.

623
MCQ · easy

Which 802.1X component is responsible for enforcing access control on the network and relaying authentication messages between the client and the authentication server?

A. Authentication server
B. RADIUS server
C. Supplicant
D. Authenticator
Answer: D

The authenticator (switch/WLC) enforces access and relays EAP messages.

Why this answer

The authenticator (typically a switch or WLC) enforces access control and acts as a proxy between the supplicant and the authentication server (ISE).

624
Multi-Select · hard

A security team is implementing endpoint hardening measures. They want to ensure that only approved applications can run, monitor for suspicious behavior, and have the ability to isolate processes if needed. Which THREE Cisco AMP features should they enable? (Choose three.)

Select 3 answers
A. Host-based IPS (Exploit Prevention)
B. Application whitelisting
C. File quarantine
D. Retrospective security
E. EDR process isolation
Answers: A, B, E

Exploit Prevention monitors for suspicious behavior like memory injection.

Why this answer

Application whitelisting (via Cisco AMP's application control) restricts execution to approved apps; host-based IPS (Exploit Prevention) monitors behavior; and EDR capabilities (process isolation) allow containment. These three together harden endpoints.

625
Multi-Select · easy

Which TWO are valid methods for integrating Cisco Umbrella with an existing network to provide DNS-layer security?

Select 2 answers
A. SNMP monitoring of DNS queries.
B. Roaming Security client installed on endpoints.
C. IPsec VPN tunnel to Umbrella cloud.
D. Active Directory integration to forward DNS requests to Umbrella virtual appliances.
E. BGP peering to route DNS traffic to Umbrella.
Answers: B, D

Client software provides DNS filtering on any network.

Why this answer

Option B is correct because the Cisco Umbrella Roaming Security client, when installed on an endpoint, points the host's DNS resolution at a local listener and forwards the queries, encrypted, to the Umbrella resolvers, providing DNS-layer security without any network infrastructure change. This ensures that all DNS traffic from the endpoint is filtered by Umbrella policy even when the device is off the corporate network. Option D is correct because Umbrella virtual appliances act as conditional DNS forwarders inside the network, sending external queries to Umbrella with the internal source address preserved, while the Active Directory integration supplies user and computer identity so policy can be applied per user rather than per egress IP.

Exam trap

Cisco often tests the distinction between methods that provide DNS-layer security (like the roaming client and DNS forwarding via virtual appliances) versus methods that are used for other layers of security (like IPsec VPNs for full traffic inspection or BGP for routing), leading candidates to mistakenly select options that sound plausible but are not designed for DNS-layer integration.

626
Multi-Select · easy

Which two actions are valid actions in a Cisco Firepower access control rule? (Choose two.)

Select 2 answers
A. Log
B. Reset
C. Redirect
D. Allow
E. Trust
Answers: D, E

Correct. Allow permits traffic and applies further inspection.

Why this answer

In Firepower access control policy, the actions are Trust (skip further inspection), Allow (permit and inspect), Block (block traffic), and Interactive Block (present a block page). These are standard actions.

627
MCQhard

A network administrator is configuring an ASA to enforce that traffic between two internal zones must be inspected by the firewall. Which security principle is being applied?

A.Microsegmentation
B.Least Privilege
C.Separation of Duties
D.Defense in Depth
AnswerA

Microsegmentation enforces traffic inspection between segments, aligning with zero trust.

Why this answer

Microsegmentation is a zero trust principle that divides the network into small zones and enforces granular access controls between them.

628
Multi-Selectmedium

A security analyst is tuning Snort IPS rules to reduce false positives. Which TWO strategies are effective?

Select 2 answers
A.Disable the rule that is causing false positives
B.Increase the sensitivity of all rules
C.Enable all rules to maximize coverage
D.Add a pass rule for known benign traffic
E.Set the rule action to 'alert' instead of 'drop'
AnswersA, D

Disabling removes the false positive.

Why this answer

Disabling rules that generate false positives and adjusting thresholds (e.g., rate_filter) help reduce noise. Whitelisting IPs, or changing the rule action from drop to alert, also addresses false positives.

629
Multi-Selecteasy

An organization wants to prevent sensitive data such as credit card numbers from being sent via email. Which TWO features of Cisco ESA can be used to achieve this?

Select 2 answers
A.Outbreak filters
B.Anti-spam filters
C.Content filters
D.SenderBase reputation
E.DLP policies
AnswersC, E

Content filters allow custom rules to block or modify emails based on content.

Why this answer

DLP policies scan for specific patterns like credit card numbers, and content filters can be used to block or quarantine matching emails.

630
MCQeasy

In Cisco Firepower Management Center (FMC), which action in an access control rule will send a TCP RST to the source and destination and log the event?

A.Trust
B.Allow
C.Block with reset
D.Interactive Block
AnswerC

Correct. This action blocks the traffic and sends TCP RST packets.

Why this answer

The 'Block with reset' action sends RST packets to both endpoints. 'Trust' bypasses inspection, 'Allow' permits traffic, and 'Interactive Block' is for SSL decryption failure.

631
MCQeasy

A company wants to enforce consistent security policies for Office 365, Salesforce, and Box. Which Cisco product provides CASB functionality with policy enforcement for SaaS applications?

A.Cisco Stealthwatch
B.Cisco Firepower Threat Defense
C.Cisco Umbrella
D.Cisco Cloudlock
AnswerD

Cloudlock is a CASB with DLP and policy enforcement.

Why this answer

Cisco Cloudlock is the correct answer because it is Cisco's Cloud Access Security Broker (CASB) solution specifically designed to enforce consistent security policies across SaaS applications like Office 365, Salesforce, and Box. It provides visibility, data loss prevention (DLP), threat protection, and compliance monitoring by acting as a policy enforcement point between users and cloud services, using API-based integration to inspect and control data in transit and at rest.

Exam trap

The trap here is that candidates often confuse Cisco Umbrella's cloud-delivered security (DNS filtering, web proxy) with CASB functionality, but Umbrella lacks the deep API-level integration and policy enforcement for SaaS applications that Cloudlock provides.

How to eliminate wrong answers

Option A is wrong because Cisco Stealthwatch is a network visibility and security analytics tool that focuses on traffic flow analysis using NetFlow/IPFIX, not CASB functionality for SaaS policy enforcement. Option B is wrong because Cisco Firepower Threat Defense (FTD) is a next-generation firewall (NGFW) that provides intrusion prevention and application control at the network perimeter, but it does not offer native CASB capabilities for SaaS applications like Office 365 or Salesforce. Option C is wrong because Cisco Umbrella is a cloud-delivered DNS-layer security solution that provides threat intelligence and web filtering, but it lacks the deep API-based policy enforcement and data-level controls required for CASB functionality in SaaS environments.

632
MCQmedium

A security administrator wants to enforce a policy that blocks upload of sensitive data to unauthorized cloud applications. Which technology should be used to gain visibility and control over sanctioned and unsanctioned SaaS applications?

A.Cisco Umbrella SIG
B.CASB
C.CWPP
D.CSPM
AnswerB

CASB is specifically designed for visibility and control over SaaS applications, including DLP.

Why this answer

A CASB (Cloud Access Security Broker) provides visibility into SaaS usage and enables data loss prevention (DLP) policies to control data uploads to cloud apps.

633
Multi-Selecthard

Which THREE of the following are best practices for deploying Cisco Web Security Appliance (WSA) in a large enterprise environment? (Select exactly three.)

Select 3 answers
A.Use explicit proxy mode with PAC files for user-specific policy enforcement
B.Configure transparent proxy to avoid client configuration
C.Disable anti-malware scanning to improve performance
D.Deploy multiple WSAs in a cluster for high availability
E.Enable SSL decryption for comprehensive content inspection
AnswersA, D, E

Allows per-user policies.

Why this answer

Option A is correct because explicit proxy mode with PAC files allows the WSA to enforce granular, user-specific policies based on authentication (e.g., via NTLM or LDAP) and destination URL. PAC files enable automatic proxy configuration for clients, ensuring traffic is routed through the WSA without manual browser settings, while still supporting user identity for policy decisions.

Exam trap

Cisco often tests the misconception that transparent proxy is always superior for large enterprises, but the trap here is that explicit proxy with PAC files is actually the best practice for user-specific policy enforcement in a large environment, while transparent proxy lacks identity granularity without additional complexity.

634
MCQhard

An administrator reviews the AMP event log shown in the exhibit. The same file hash appears in all events. What is the most likely explanation for the third event showing a 'TETRA Event' with 'Action: Quarantine' and 'Disposition: Unknown'?

A.The AMP connector failed to communicate with the cloud and generated a TETRA event as an error.
B.The file was previously blocked, but the user executed it from a different location, triggering a TETRA event.
C.The file was determined to be malicious by the cloud after the first detection.
D.The file was executed and, because its disposition was unknown, AMP quarantined it and submitted it for cloud analysis.
AnswerD

TETRA events are triggered when an unknown file is executed; the connector quarantines the file and sends it to the cloud for analysis.

Why this answer

The third event shows a TETRA (Trajectory) event with 'Action: Quarantine' and 'Disposition: Unknown' because AMP uses TETRA to correlate related events into a single trajectory. When a file with an unknown disposition is executed, AMP quarantines it locally and submits it to the cloud for analysis. The 'Unknown' disposition indicates the cloud had not yet classified the file at the time of the event, and the quarantine action is a precautionary measure while analysis is pending.

Exam trap

Cisco often tests the misconception that a TETRA event is a separate detection type rather than a correlation mechanism, leading candidates to confuse it with a cloud communication error or a re-execution trigger.

How to eliminate wrong answers

Option A is wrong because a TETRA event is not an error generated by a communication failure; it is a trajectory event that correlates multiple related detections. Option B is wrong because the file was not previously blocked (the first event shows 'Action: Allowed'), and TETRA events do not trigger simply from executing a file from a different location. Option C is wrong because if the cloud had determined the file to be malicious after the first detection, the third event would show a 'Malicious' disposition, not 'Unknown'.

635
MCQmedium

An engineer is configuring Cisco Firepower Threat Defense (FTD) with a pre-filter policy to block traffic from known malicious IP addresses before it reaches the access control policy. The pre-filter rules are configured to block traffic from the malicious IPs. However, the engineer notices that some traffic from those IPs is still being allowed. What is the most likely reason?

A.A pre-filter rule with a lower priority (higher number) is matching the traffic first and allowing it
B.The pre-filter rules are configured with the wrong source interface
C.The access control policy is overriding the pre-filter policy
D.The default action for the pre-filter policy is set to 'Allow'
AnswerA

Pre-filter rules are evaluated in order; if a rule with a lower priority (higher number) matches first, it could allow traffic that should be blocked.

Why this answer

Pre-filter rules are evaluated in order of priority (lower numbers first). If an allow rule is placed earlier in the sequence than the block rule for the malicious IPs, the allow rule is matched first and the traffic is permitted before the intended block rule is ever reached, which is why some malicious IP traffic is still allowed.

Exam trap

Cisco often tests whether candidates understand that pre-filter rules are evaluated in the order they appear in the GUI (by rule number), and that a rule intended to be higher priority (lower number) can accidentally end up after a lower-priority (higher number) rule if the engineer does not manually assign rule numbers or reorder them correctly.

How to eliminate wrong answers

Option B is wrong because the source interface is a match condition, not an ordering issue; if the wrong interface were configured, the rule would simply not match the traffic, not cause a higher-priority allow rule to override a block. Option C is wrong because pre-filter policies are evaluated before access control policies in the FTD data plane, so the access control policy cannot override a pre-filter block; if a pre-filter rule allows traffic, the access control policy can then block it, but not vice versa. Option D is wrong because the default action for a pre-filter policy is to continue to the access control policy (not 'Allow' or 'Block' by default), and even if set to 'Allow', it would only apply to traffic that does not match any pre-filter rule, not override a matching block rule.

636
MCQeasy

Refer to the exhibit. A security analyst sees this syslog message on a Cisco ASA. What does it indicate?

A.A TCP connection from 10.10.10.10 to 203.0.113.50 was denied.
B.A TCP connection from 203.0.113.50 to 10.10.10.10 was denied by the ACL named OUTSIDE.
C.A TCP connection from 203.0.113.50 to 10.10.10.10 was allowed and logged.
D.The ASA interface OUTSIDE is experiencing high CPU due to Denial of Service.
AnswerB

The syslog clearly indicates a deny by access-group OUTSIDE.

Why this answer

The syslog message shows an ACL deny action on the OUTSIDE interface for a TCP connection from source 203.0.113.50 to destination 10.10.10.10. The format '%ASA-4-106023' indicates a deny, and the interface name 'OUTSIDE' is explicitly stated. The source IP is listed first in the message, confirming the connection attempt originated from 203.0.113.50.

Exam trap

Cisco often tests the order of IP addresses in syslog messages—candidates mistakenly assume the first IP is the destination, but in ASA syslogs, the source IP is listed first, leading to reversed direction errors.

How to eliminate wrong answers

Option A is wrong because the source and destination IPs are reversed; the syslog shows the source as 203.0.113.50 and destination as 10.10.10.10, not the other way around. Option C is wrong because the syslog code 106023 indicates a deny action, not an allow; allowed connections use code 106100 or similar. Option D is wrong because the message is a specific ACL deny log, not a CPU utilization or DoS alert; high CPU would generate different syslog messages (e.g., %ASA-4-422001).

637
MCQeasy

A security administrator notices that a file initially classified as 'unknown' by Cisco AMP for Endpoints has been later determined to be malicious. Which Cisco AMP feature allows the administrator to see the file's propagation and impacts across endpoints?

A.Device Trajectory
B.SHA-256 Disposition
C.IOC Scanning
D.Exploit Prevention
AnswerA

Device Trajectory shows the historical activity and propagation of a file or process, enabling retrospective analysis.

Why this answer

Device Trajectory provides a timeline view of file and process activity, showing the propagation of a threat after it is discovered to be malicious.

638
Multi-Selectmedium

A security analyst is configuring Cisco Secure Endpoint (AMP) to detect and respond to threats. Which TWO features are part of the Exploit Prevention capability? (Choose two.)

Select 2 answers
A.Memory injection protection
B.File quarantine
C.SHA-256 disposition
D.Rogue process detection
E.Device Trajectory
AnswersA, D

Blocks attempts to inject code into running processes.

Why this answer

Exploit Prevention in Cisco Secure Endpoint includes memory injection protection and other exploit mitigations like rogue process detection.

639
Multi-Selecthard

A company wants to deploy endpoint hardening measures to prevent unauthorized applications from executing. Which THREE techniques are commonly used for application control? (Choose three.)

Select 3 answers
A.Application whitelisting
B.Host-based IPS
C.Patch management
D.EDR capabilities (e.g., file quarantine)
E.Application blacklisting
AnswersA, B, D

Whitelisting permits only pre-approved applications to execute.

Why this answer

Application whitelisting allows only approved applications to run. Host-based IPS monitors/prevents malicious behavior. EDR capabilities like file quarantine and process isolation help control applications.

Blacklisting is less effective; patch management is not application control.

640
MCQhard

A Cisco ESA administrator is investigating an increase in false positive detections from the outbreak filter. The filter is configured to use TALOS intelligence and has a threshold of 'Medium'. Which action would most effectively reduce false positives while maintaining protection against new outbreaks?

A.Change the threshold to 'Low'
B.Change the threshold to 'High'
C.Disable the outbreak filter
D.Exempt all internal senders from the filter
AnswerB

A higher threshold reduces false positives by requiring stronger evidence.

Why this answer

The outbreak filter uses TALOS threat intelligence to quarantine suspicious messages. Increasing the threshold to 'High' reduces sensitivity, meaning only messages with strong indicators of maliciousness will be flagged, reducing false positives.

641
MCQeasy

An attacker uses Shodan to discover internet-facing ICS devices and then performs banner grabbing. This is an example of which type of attack?

A.Social engineering
B.Active reconnaissance
C.Exploitation
D.Passive OSINT
AnswerD

Shodan is a search engine for internet-connected devices; using it without direct interaction is passive OSINT.

Why this answer

Passive OSINT involves collecting publicly available information without directly interacting with the target. Banner grabbing itself is active scanning, but the question emphasizes the initial passive phase, and Shodan is a passive OSINT tool.

642
MCQmedium

An organization has deployed Cisco AMP for Endpoints and wants to automatically isolate a host from the network when a high-severity malware detection occurs. Which integration must be configured to enable this automated response?

A.Cisco Stealthwatch with NetFlow
B.Cisco Web Security Appliance
C.Cisco Firepower Next-Gen Firewall
D.Cisco ISE with pxGrid
AnswerD

pxGrid enables AMP to send isolation commands to ISE, which then changes the endpoint's network access.

Why this answer

Cisco ISE with pxGrid (Platform Exchange Grid) enables automated policy-based responses by allowing Cisco AMP for Endpoints to share threat intelligence with ISE. When AMP detects a high-severity malware, it triggers a pxGrid event that instructs ISE to dynamically quarantine the host by applying a security group access control list (SGACL) or a CoA (Change of Authorization) to block network access. This integration is specifically designed for context sharing and automated remediation across Cisco security products.

Exam trap

Cisco often tests the misconception that a firewall (like Firepower NGFW) is the primary tool for host isolation, but the trap here is that endpoint isolation requires network access control (NAC) integration via ISE and pxGrid, not just traffic filtering at the perimeter.

How to eliminate wrong answers

Option A is wrong because Cisco Stealthwatch with NetFlow provides network visibility and behavioral analytics but does not have a native mechanism to receive AMP malware detection alerts and enforce host isolation; it focuses on flow-based anomaly detection, not endpoint policy enforcement. Option B is wrong because Cisco Web Security Appliance (WSA) is a proxy for web traffic filtering and cannot directly isolate a host from the entire network based on AMP endpoint detections; it lacks the policy enforcement point for network access control. Option C is wrong because Cisco Firepower Next-Gen Firewall (NGFW) can block traffic based on threat intelligence but requires integration via Firepower Management Center (FMC) or pxGrid to receive AMP events; however, the question asks for the integration that enables automated response, and ISE with pxGrid is the direct, purpose-built integration for host isolation, whereas Firepower NGFW alone does not perform endpoint quarantine actions like RADIUS CoA or NAC.

643
Multi-Selecthard

A Cisco WSA administrator needs to implement HTTPS inspection for traffic from internal users. The administrator wants to avoid decrypting traffic to financial and healthcare sites due to compliance requirements. Which THREE actions should the administrator take to configure this policy?

Select 3 answers
A.Configure the proxy in explicit mode
B.Create a decryption policy with action 'Decrypt' for all traffic
C.Install the WSA's CA certificate on all client devices
D.Enable AMP file scanning for decrypted traffic
E.Add a bypass rule for the URL categories 'Finance' and 'Health'
AnswersB, C, E

This enables decryption by default.

Why this answer

To selectively decrypt, the administrator should create a decryption policy that decrypts all traffic, then use URL category exceptions to bypass decryption for the Finance and Health categories (equivalently, a policy that decrypts everything else and relies on bypass rules). The three actions are: create a decryption policy with the action 'Decrypt', add bypass rules for the specified categories, and ensure the WSA's CA certificate is deployed to client devices.

644
MCQmedium

A company has a Cisco ASA firewall configured with multiple access-lists applied to the outside interface. The security team is investigating reports that legitimate HTTPS traffic to a public web server located on a DMZ is intermittently being blocked. The firewall configuration includes an ACL that permits traffic to the web server's IP address on TCP 443, but also includes a general deny rule for all other traffic. The engineer notices that the permit rule is placed after a deny rule that blocks traffic from a specific source subnet that is used by internal users for testing. The internal users report that they can access the web server, but external users sometimes experience timeouts. What is the most likely cause of the intermittent blocking?

A.The permit rule for HTTPS is not hitting because traffic is being matched by a preceding deny rule.
B.The external users are hitting the firewall's connection limit.
C.The ASA is performing NAT incorrectly for the web server traffic.
D.The ASA is experiencing high CPU utilization causing packet drops.
AnswerA

If a deny rule earlier in the ACL matches the traffic, the permit rule is never evaluated, causing blocking.

Why this answer

The most likely cause is that the permit rule for HTTPS (TCP 443) is placed after a deny rule that blocks traffic from a specific source subnet. Since ACLs on a Cisco ASA are processed sequentially from top to bottom, if a packet matches the earlier deny rule, it will be dropped before reaching the permit rule. This explains why external users (who may be sourced from the blocked subnet or whose traffic is inadvertently matched by the deny rule due to overlapping or misconfigured source conditions) experience intermittent timeouts, while internal users from a different subnet are not affected.

Exam trap

Cisco often tests the concept of ACL sequential processing and the importance of rule order, where candidates mistakenly assume that a permit rule later in the list will override an earlier deny rule, or that the ASA uses a 'best-match' approach like a routing table.

How to eliminate wrong answers

Option B is wrong because the firewall's connection limit would affect all new connections uniformly, not just external users intermittently, and the scenario describes a specific ACL ordering issue rather than a resource exhaustion symptom. Option C is wrong because incorrect NAT would typically cause a complete failure to reach the web server or asymmetric routing issues, not intermittent blocking that correlates with ACL order. Option D is wrong because high CPU utilization would cause general packet loss or performance degradation across all traffic, not selectively block only external HTTPS traffic while internal users remain unaffected.

645
Multi-Selectmedium

A network administrator wants to deploy security products that provide network-based intrusion prevention and advanced threat detection. Which TWO Cisco products are most suitable? (Choose two.)

Select 2 answers
A.Cisco Identity Services Engine (ISE)
B.Cisco Advanced Malware Protection (AMP) for Endpoints
C.Cisco Stealthwatch
D.Cisco Email Security Appliance (ESA)
E.Cisco Firepower NGFW
AnswersC, E

Stealthwatch provides network visibility and anomaly detection.

Why this answer

Cisco Firepower is an NGFW/IPS. Cisco Stealthwatch provides network detection and analysis. ISE is for identity, not IPS.

ESA is email, AMP is endpoint.

646
MCQhard

During a security audit, it is discovered that some malware downloads were not blocked by the Cisco WSA even though the Web Reputation score was set to block scores below -5.0. The logs show that the downloads came from sites with a reputation score of -6.2. What is the most likely reason the downloads were not blocked?

A.HTTPS decryption was not enabled
B.The users were not authenticated
C.The Web Reputation threshold was not applied correctly
D.The file type was not configured for malware inspection
AnswerD

Malware inspection only applies to specified file types.

Why this answer

The Cisco WSA uses Web Reputation filtering to block traffic based on reputation scores, but this filtering operates at the URL or domain level, not at the file content level. Even if a site has a very low reputation score (e.g., -6.2), the WSA will only block the download if the file type is included in the malware inspection configuration. If the file type (e.g., .exe, .zip) is not configured for malware inspection, the WSA will allow the download despite the low reputation score, because reputation-based blocking alone does not inspect the content of the file.

Exam trap

Cisco often tests the misconception that a low Web Reputation score alone will block all downloads from that site, but the trap here is that reputation filtering and malware inspection are separate functions; blocking requires both the reputation threshold to be met AND the file type to be enabled for malware inspection.

How to eliminate wrong answers

Option A is wrong because HTTPS decryption is not required for Web Reputation filtering; reputation scores are based on the URL/domain and can be evaluated even without decrypting HTTPS traffic. Option B is wrong because user authentication is not a prerequisite for Web Reputation filtering; the WSA can apply reputation policies based on source IP or other criteria without requiring authentication. Option C is wrong because the logs confirm the site had a reputation score of -6.2, which is below the -5.0 threshold, so the threshold was applied correctly; the issue is that reputation-based blocking alone does not inspect file content, and the file type was not configured for malware inspection.

647
MCQhard

During a cloud migration, the security team uses Cisco CloudLock for DLP. They notice that the DLP engine is not scanning certain files in Google Drive shared with external users. The CloudLock admin console shows the connector status as 'connected'. What is the most likely cause?

A.The connector lacks permission to scan external files
B.The files are too large (over 100 MB)
C.The external sharing is disabled in CloudLock policy
D.The files are in Google Drive 'My Drive' not 'Shared Drive'
AnswerA

CloudLock requires specific OAuth scopes to access files shared outside the organization; if missing, scanning is incomplete.

Why this answer

Cisco CloudLock requires explicit permissions to scan files shared with external users. Even though the connector status shows 'connected', the default OAuth scopes granted during initial setup may not include access to files shared outside the organization. The DLP engine can only inspect files it has read access to; without the 'drive.readonly' scope extended to externally shared items, those files are invisible to scanning.

Exam trap

Cisco often tests the misconception that a 'connected' status implies full functionality, when in reality the connector may lack the necessary OAuth permissions to access certain file categories like externally shared items.

How to eliminate wrong answers

Option B is wrong because CloudLock supports scanning files up to 5 GB in size, and the 100 MB threshold is not a limitation for Google Drive DLP scanning. Option C is wrong because disabling external sharing in CloudLock policy would prevent DLP actions (like blocking or alerting) but does not prevent the engine from scanning the files; the issue is that the files are not being scanned at all. Option D is wrong because CloudLock scans both 'My Drive' and 'Shared Drive' files; the location does not affect the scanning capability, only the permission scope does.

648
MCQmedium

An organization deploys Cisco Secure Firewall (formerly Firepower) in a public cloud environment (AWS). They need to inspect traffic between VPCs. What is the recommended deployment model?

A.Deploy firewall as a centralized virtual appliance in a transit VPC
B.Install firewall software on each EC2 instance
C.Deploy firewall in each VPC with VPC peering
D.Use AWS Network Firewall instead
AnswerA

Centralized inspection in a transit VPC provides consistent policy enforcement for inter-VPC traffic.

Why this answer

In a public cloud environment like AWS, deploying Cisco Secure Firewall as a centralized virtual appliance in a transit VPC is the recommended model because it allows traffic between multiple VPCs to be routed through a single inspection point. This architecture leverages VPC peering or AWS Transit Gateway to funnel inter-VPC traffic to the firewall, ensuring consistent policy enforcement and visibility without requiring per-VPC firewall instances. Centralized inspection simplifies management, reduces costs, and avoids the complexity of distributed firewall deployments.

Exam trap

Cisco often tests the misconception that deploying a firewall in each VPC with VPC peering is sufficient, but the trap is that VPC peering does not support transitive routing, so traffic between two peered VPCs cannot be forced through a firewall in a third VPC without complex and unsupported routing hacks.

How to eliminate wrong answers

Option B is wrong because installing firewall software on each EC2 instance is impractical for inter-VPC traffic inspection—it would require agent-based controls that cannot inspect traffic at the network layer between VPCs, and it violates the principle of centralized security management. Option C is wrong because deploying a firewall in each VPC with VPC peering creates a mesh of point-to-point connections that does not scale, introduces asymmetric routing challenges, and makes policy management cumbersome; VPC peering does not support transitive routing, so traffic between VPCs would not automatically pass through a firewall in another VPC. Option D is wrong because while AWS Network Firewall is a native service, the question specifically asks about deploying Cisco Secure Firewall, and using AWS Network Firewall would replace the Cisco solution rather than deploy it; Cisco Secure Firewall can be deployed as a virtual appliance in a transit VPC to provide advanced threat inspection and integration with Cisco security ecosystem.

649
MCQeasy

A company uses Cisco Umbrella for DNS-layer security. They want to block access to known malicious IPs that may be resolved by non-DNS traffic. Which feature should they enable?

A.File Analysis
B.Application Discovery
C.IP Layer Enforcement
D.HTTPS Inspection
AnswerC

Blocks malicious IPs for non-DNS traffic.

Why this answer

IP Layer Enforcement is the correct feature because it allows Cisco Umbrella to block traffic to known malicious IP addresses even when the traffic does not originate from a DNS query. This is essential for blocking threats that use hardcoded IPs or non-DNS protocols like direct IP connections, ensuring protection beyond DNS-layer filtering.

Exam trap

Cisco often tests the distinction between DNS-layer security (which only blocks based on domain names) and IP-layer enforcement (which blocks based on IP addresses), leading candidates to mistakenly choose HTTPS Inspection or File Analysis as they associate them with security inspection rather than IP-based blocking.

How to eliminate wrong answers

Option A is wrong because File Analysis is a feature for inspecting and sandboxing files for malware, not for blocking traffic to malicious IPs. Option B is wrong because Application Discovery is used to identify and categorize applications in use, not to enforce IP-based blocking. Option D is wrong because HTTPS Inspection decrypts and inspects encrypted web traffic for threats, but it does not directly block traffic to known malicious IPs resolved outside of DNS.

650
MCQeasy

In a Cisco ISE 802.1X deployment, which component acts as the authenticator?

A.RADIUS server
B.Authentication server (ISE)
C.Supplicant (client software)
D.Authenticator (switch/WLC)
AnswerD

The authenticator is the network device that mediates authentication between supplicant and server.

Why this answer

The authenticator is the network device (switch or wireless LAN controller) that enforces authentication before granting access.

651
MCQmedium

A multinational company has recently deployed Cisco Umbrella for DNS-layer security across all offices. The security team receives reports that users in the Asia-Pacific region cannot access a critical cloud-based CRM application (crm.company.com). The CRM is hosted by a third-party provider and uses a custom domain. The Umbrella dashboard shows that DNS requests for crm.company.com are being blocked with the reason 'Cisco Umbrella Intelligence Feed: Blocked Domain'. The domain is not part of any standard security category. The IT team has verified that the domain is legitimate and necessary for business operations. What should the administrator do to restore access while maintaining security?

A.Whitelist the CRM server's IP address in the IP-layer enforcement settings
B.Configure the local DNS server to forward crm.company.com directly to the CRM provider's DNS
C.Disable the Cisco Umbrella Intelligence Feed for the Asia-Pacific region
D.Add crm.company.com to the global allow list in the Umbrella dashboard under Policy > Destination Lists > Allow
AnswerD

This allows the domain to bypass DNS blocking while preserving other protections.

Why this answer

Option D is correct because the domain is being blocked by the Cisco Umbrella Intelligence Feed, which is a curated threat intelligence feed. Since the domain is legitimate and not part of a standard security category, the proper method to restore access is to add it to the global allow list under Policy > Destination Lists > Allow. This overrides the block from the intelligence feed while preserving all other security policies.

Exam trap

Cisco often tests the distinction between DNS-layer and IP-layer enforcement, leading candidates to incorrectly choose IP whitelisting (Option A) when the block is actually occurring at the DNS layer before IP-layer policies are evaluated.

How to eliminate wrong answers

Option A is wrong because whitelisting the CRM server's IP address in IP-layer enforcement would only bypass IP-based blocks, but the block is occurring at the DNS layer due to the domain being in the Intelligence Feed; DNS-layer enforcement resolves the domain to an IP before IP-layer checks, so the block happens first. Option B is wrong because configuring the local DNS server to forward crm.company.com directly to the CRM provider's DNS would bypass Cisco Umbrella entirely for that domain, removing all security inspection and logging, which is not a recommended or controlled approach. Option C is wrong because disabling the Cisco Umbrella Intelligence Feed for the Asia-Pacific region would remove threat intelligence protection for all domains in that feed across the entire region, unnecessarily exposing the network to potential threats.

652
MCQeasy

A company deploys Cisco Firepower Threat Defense (FTD) in transparent mode. They create an access control rule to allow HTTP traffic from the inside network (10.10.10.0/24) to a web server at 192.168.1.100. The rule is configured with action 'Allow', a source zone 'inside', a destination zone 'outside', and an intrusion policy attached. After deployment, users report they cannot access the web server. The administrator verifies that the web server is reachable from other networks and that the FTD management interface is accessible. The FTD's packet capture shows no traffic matching the rule. The rule is listed first in the access control policy. What is the most likely cause of the problem?

A.The intrusion policy is blocking the traffic.
B.The web server's IP address is not correctly defined in the network object.
C.The rule's action is set to 'Monitor' instead of 'Allow'.
D.The FTD is in transparent mode, so it does not use zones; the rule should be assigned to an interface pair.
AnswerD

Transparent mode FTD requires rules to be applied to specific interface pairs, not security zones.

Why this answer

In transparent mode, Cisco Firepower Threat Defense (FTD) operates as a Layer 2 bridge and does not use security zones. Instead, traffic is controlled by interface pairs. The rule configured with source and destination zones will never match traffic because transparent mode bypasses zone-based policy enforcement.

The correct approach is to assign the rule to an interface pair (e.g., inside to outside) rather than zones.

Exam trap

Cisco often tests the distinction between routed and transparent mode, specifically that transparent mode uses interface pairs instead of zones, leading candidates to overlook this fundamental difference and incorrectly assume zone-based rules work in all modes.

How to eliminate wrong answers

Option A is wrong because an intrusion policy attached to an Allow rule does not block traffic by default; it only inspects and alerts or drops based on signatures, and the packet capture shows no traffic matching the rule, indicating the rule itself is not being hit. Option B is wrong because the web server's IP address being incorrectly defined in a network object would cause a different rule to match or no match at all, but the packet capture shows no traffic matching the rule, pointing to a zone/interface mismatch rather than an object definition issue. Option C is wrong because if the rule's action were set to 'Monitor', traffic would still match the rule and appear in packet captures, but the users would be unable to access the web server only if a subsequent rule blocked it; the capture shows no match, so the action is not the problem.

653
MCQmedium

A security analyst wants to investigate a remote endpoint that is suspected of being compromised. Using Cisco AMP for Endpoints, which capability allows the analyst to run commands on the endpoint and perform live analysis?

A.Process isolation
B.File quarantine
C.IOC scanning
D.Remote shell investigation
AnswerD

Remote shell provides a command-line interface to the endpoint for live analysis.

Why this answer

Cisco AMP for Endpoints includes endpoint detection and response (EDR) capabilities such as remote shell, which allows analysts to execute commands on the endpoint for investigation.

654
Multi-Selectmedium

Which THREE steps should the administrator take to troubleshoot slow web browsing when using Cisco WSA? (Choose three.)

Select 3 answers
A.Check the WSA's network interface statistics for errors or drops
B.Verify the HTTPS decryption policies to ensure they are not causing excessive CPU load
C.Examine the WSA access logs for TCP connection time and server response time
D.Restart the proxy services to clear any temporary issues
E.Configure the WSA to use a public DNS server like 8.8.8.8
AnswersA, B, C

Network issues can cause slow connectivity.

Why this answer

Option A is correct because checking the WSA's network interface statistics for errors or drops identifies physical-layer issues (duplex mismatches, CRC errors) that cause packet loss and retransmissions, directly slowing web browsing; it is the first step in separating a network-layer problem from a proxy problem. Option B is correct because HTTPS decryption is CPU-intensive, and an over-broad decryption policy can saturate the appliance so that every connection queues behind TLS handshakes. Option C is correct because the access logs record per-request timing, so comparing the time spent connecting to the origin server and waiting for its response against the proxy's own processing time shows whether the delay is upstream of the WSA or inside it.

Exam trap

Cisco often tests the misconception that restarting services (Option D) is a valid troubleshooting step for performance issues, but in the 350-701 exam, the focus is on diagnostic analysis using logs and statistics rather than disruptive actions.

655
MCQhard

In a Cisco TrustSec environment, a network administrator observes that traffic between two endpoints in the same SGT group is being denied. The relevant switch has CTS configured with 'cts manual' and 'policy static sgt 10'. What is the most probable cause?

A.The SGT classification is not applied to the correct VLAN.
B.The SGT is not propagated to the downstream switch.
C.The endpoint's NAC agent is not reporting posture.
D.The IP-to-SGT mapping is missing on the switch.
AnswerA

If the VLAN on the switchport is not mapped to the SGT, the endpoint may be classified incorrectly, causing denial.

Why this answer

In Cisco TrustSec with 'cts manual' and 'policy static sgt 10', the SGT is statically assigned to an interface or VLAN. If traffic between two endpoints in the same SGT group is denied, the most probable cause is that the SGT classification is applied to the wrong VLAN, causing the switch to enforce SGACLs incorrectly. Since both endpoints share SGT 10, intra-group traffic should be permitted by default unless a specific SGACL denies it, but misclassification can lead to unexpected drops.

Exam trap

Cisco often tests the distinction between static and dynamic SGT assignment, and the trap here is that candidates assume IP-to-SGT mapping (Option D) is always required, when in fact static SGT bypasses mapping and relies on interface/VLAN classification.

How to eliminate wrong answers

Option B is wrong because SGT propagation to a downstream switch is irrelevant for intra-switch traffic between two endpoints on the same switch; propagation matters only when traffic crosses switches. Option C is wrong because NAC agent posture reporting is used for dynamic SGT assignment via ISE, not for static SGT configuration with 'cts manual' and 'policy static sgt 10'. Option D is wrong because IP-to-SGT mapping is not used in a static SGT environment; static SGT is assigned per interface or VLAN, not via IP mapping.

656
MCQmedium

An organization wants to enforce MFA for all administrative access to their Azure environment and also require that access from non-compliant devices be blocked. Which Azure feature should they use?

A.Azure Security Center
B.Azure AD Conditional Access
C.Azure AD Privileged Identity Management
D.Azure Firewall
AnswerB

Correct. Conditional Access enforces MFA and device compliance.

Why this answer

Azure AD Conditional Access allows policies based on user, device, location, and risk to enforce MFA and block non-compliant devices.

657
MCQeasy

Which component of Cisco AMP for Endpoints is responsible for preventing the execution of known malware by checking files against a continuously updated cloud database before they run?

A.Exploit Prevention
B.Application Control
C.File Reputation
D.Orbital
AnswerC

File Reputation checks files against Talos intelligence to block known malware.

Why this answer

File Reputation is the correct answer because it is the Cisco AMP for Endpoints component that queries a continuously updated cloud database (the AMP cloud, fed by Talos intelligence) to obtain a file's disposition before it executes. If the disposition is malicious, execution is blocked immediately, preventing the threat from running. This pre-execution check uses the file's SHA-256 hash and cloud-based reputation scoring; sandbox detonation (Threat Grid) is the separate File Analysis step reserved for unknown files.

Exam trap

Cisco often tests the distinction between pre-execution cloud-based reputation checks (File Reputation) and runtime behavioral protection (Exploit Prevention), so candidates mistakenly choose Exploit Prevention because they associate it with blocking malware execution, but it does not use cloud lookups.

How to eliminate wrong answers

Option A is wrong because Exploit Prevention focuses on blocking exploit techniques (e.g., buffer overflows, heap sprays) at runtime using memory protection and behavioral analysis, not on checking file reputation against a cloud database. Option B is wrong because Application Control enforces policies on which applications are allowed to run based on path, publisher, or hash, but it does not perform cloud-based reputation lookups; it uses local whitelist/blacklist rules. Option D is wrong because Orbital is a remote investigation and response tool that enables live queries and forensic data collection from endpoints, not a pre-execution file reputation check.

658
MCQmedium

A company wants to enforce that all outbound emails containing credit card numbers are blocked. Which Cisco ESA feature should be configured to achieve this?

A.DLP policies
B.Anti-Spam (SenderBase)
C.Outbreak Filters
D.AMP for Email
AnswerA

DLP policies detect and block sensitive data in outbound emails.

Why this answer

Data Loss Prevention (DLP) policies on Cisco ESA can scan outbound emails for sensitive data like credit card numbers and block them.

659
MCQmedium

A company is implementing DMARC for its domain. The administrator wants to instruct receivers to reject emails that fail SPF or DKIM checks. Which DMARC policy should the administrator set?

A.p=quarantine
B.p=none
C.p=reject
D.p=deny
AnswerC

p=reject instructs receivers to reject emails that fail authentication.

Why this answer

DMARC policy options are: none (monitor), quarantine (send to spam), or reject (block). To reject failing messages, the administrator sets p=reject in the DMARC DNS record.

660
Matchingmedium

Match each VPN type to its characteristic.


Concepts
Matches

Connects entire networks over the internet

Allows individual users to connect securely

Uses web browser for clientless access

Provides encrypted tunnels using IPsec

Dynamic multipoint VPN for hub-and-spoke topologies

Why these pairings

Each description identifies one VPN type: a site-to-site VPN connects entire networks over the internet, a remote-access VPN lets individual users connect securely, a clientless SSL VPN uses the web browser without installed client software, an IPsec VPN provides encrypted tunnels, and DMVPN builds dynamic multipoint tunnels for hub-and-spoke topologies.

661
MCQeasy

Which Cisco Umbrella feature provides off-network protection by intercepting DNS requests on a user's device?

A.Secure Internet Gateway (SIG)
B.Cisco AnyConnect
C.Intelligent Proxy
D.Umbrella Roaming Client
AnswerD

It provides DNS-layer security on and off the network.

Why this answer

The Umbrella Roaming Client is installed on endpoints and redirects DNS queries to Cisco Umbrella even when the device is off the corporate network.

662
MCQmedium

An organization is deploying Cisco AnyConnect VPN with split tunneling. They want to ensure that only traffic destined for the corporate network goes through the VPN tunnel, while internet-bound traffic goes directly. Which configuration element on the ASA controls this?

A.Dynamic Access Policy (DAP)
B.Group policy with split tunneling settings
C.Network (or client) profile on the ASA
D.Connection profile
AnswerB

Correct. Group policy defines split tunneling parameters.

Why this answer

Split tunneling is configured in the group policy. The group policy specifies which networks are tunneled (via split-tunnel-policy and split-tunnel-network-list).
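Added example, not from the question bank or any Cisco document: an ASA group policy that tunnels only the corporate prefixes and sends everything else directly, beside the tunnel-all setting it replaces. The prefixes, object and tunnel-group names, and the DNS domain are assumed values.

```cisco
! Lines beginning with "!" are comments. Prefixes and names are assumed.
! Standard ACL listing what must traverse the tunnel (corporate space only)
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 172.16.0.0 255.240.0.0
!
group-policy CORP_GP internal
group-policy CORP_GP attributes
 vpn-tunnel-protocol ssl-client ikev2
 ! tunnelspecified: only networks in SPLIT_TUNNEL go through the VPN
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 ! Resolve internal names through the tunnel, public names locally
 split-dns value corp.example.com
 split-tunnel-all-dns disable
!
! Before the change the same group policy forced every packet through the ASA:
!  split-tunnel-policy tunnelall
!
tunnel-group CORP_VPN type remote-access
tunnel-group CORP_VPN general-attributes
 default-group-policy CORP_GP
tunnel-group CORP_VPN webvpn-attributes
 group-alias corp enable
!
! Verification: the session detail lists the split-tunnel networks the client received
! show vpn-sessiondb detail anyconnect filter name <username>
```

The split-tunnel settings live in the group policy, not the tunnel-group: the tunnel-group only selects which group policy a connection inherits. Split tunneling hands internet-bound traffic to the local network, so pair it with endpoint protection such as Umbrella roaming, since the ASA no longer sees that traffic.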

663
MCQeasy

Which Cisco ISE node is responsible for authenticating endpoints and enforcing access policies?

A.Administration Node
B.pxGrid
C.Policy Service Node (PSN)
D.Monitoring Node
AnswerC

PSN performs authentication and policy enforcement.

Why this answer

The Policy Service Node (PSN) is the Cisco ISE component that performs endpoint authentication, authorization, and accounting (AAA) and enforces access policies by processing RADIUS requests from network access devices (NADs). It handles posture assessment, guest services, and client provisioning, making it the direct enforcement point for network access control.

Exam trap

Cisco often tests the distinction between management, monitoring, and enforcement roles, and the trap here is confusing the Administration Node (which defines policies) with the Policy Service Node (which enforces them), leading candidates to pick the Administration Node as the enforcement point.

How to eliminate wrong answers

Option A is wrong because the Administration Node manages the ISE configuration, certificates, and policy definitions but does not process authentication or enforce policies in real time. Option B is wrong because pxGrid (Platform Exchange Grid) is a data-sharing protocol for context exchange between ISE and other security systems, not an authentication or policy enforcement node. Option D is wrong because the Monitoring Node collects logs, metrics, and alerts for auditing and troubleshooting, but it does not participate in the authentication or enforcement of access policies.

664
Multi-Selecteasy

An administrator is configuring Cisco ISE profiling using Device Sensor. Which two types of information can the Device Sensor collect from endpoints? (Choose two.)

Select 2 answers
A.RADIUS accounting logs
B.DHCP details (hostname, vendor class)
C.HTTP user-agent strings
D.NetFlow data
E.SNMP MIB objects
AnswersB, C

Correct. Device Sensor captures DHCP and HTTP attributes and forwards them to ISE inside RADIUS accounting.

Why this answer

Cisco Device Sensor can collect DHCP information (e.g., hostname, vendor class) and HTTP information (e.g., user-agent) to identify device type and operating system.

665
MCQmedium

A security analyst is investigating a compromised endpoint that is part of a botnet. The endpoint is running Cisco Secure Endpoint with TETRA. The analyst notices that the endpoint is communicating with a command-and-control (C2) server over HTTPS. Which TETRA feature would be most effective in detecting this traffic?

A.URL filtering against known malicious URL databases
B.SSL/TLS decryption and inspection
C.File reputation and cloud lookup
D.Protocol analysis with deep packet inspection
AnswerB

TETRA can decrypt SSL traffic if configured, allowing inspection of C2 communication.

Why this answer

TETRA on Cisco Secure Endpoint can detect C2 traffic over HTTPS by performing SSL/TLS decryption and inspection. This allows the agent to examine encrypted payloads for malicious patterns, such as beaconing or command-and-control protocol artifacts, which would otherwise be hidden in the encrypted tunnel.

Exam trap

The trap here is that candidates often choose deep packet inspection (DPI) without realizing that DPI cannot inspect encrypted HTTPS traffic without SSL/TLS decryption, making it ineffective for detecting C2 communication over HTTPS.

How to eliminate wrong answers

Option A is wrong because URL filtering against known malicious URL databases relies on static reputation lists and cannot detect C2 traffic using dynamically generated or previously unknown domains, nor can it inspect encrypted content. Option C is wrong because file reputation and cloud lookup analyze file hashes and behaviors, not network traffic patterns like HTTPS C2 communication. Option D is wrong because protocol analysis with deep packet inspection (DPI) cannot inspect encrypted HTTPS payloads without first decrypting the SSL/TLS session, making it ineffective against encrypted C2 traffic.

666
MCQeasy

A company is using a SaaS application like Office 365. Which security responsibility falls on the customer according to the shared responsibility model?

A.Operating system patching
B.Data classification and access policies
C.Physical security of servers
D.Network firewall management
AnswerB

The customer is responsible for data and access management.

Why this answer

In SaaS, the provider manages the application and infrastructure, while the customer manages data and access control.

667
MCQeasy

Which of the following is a characteristic of anomaly-based intrusion detection compared to signature-based detection?

A.Lower false negative rate for known attacks
B.Higher false positive rate
C.Cannot detect zero-day attacks
D.Requires frequent signature updates
AnswerB

Anomaly-based detection often generates more false positives because any deviation from baseline is flagged.

Why this answer

Anomaly-based detection baselines normal behavior and flags deviations, which can lead to higher false positives because legitimate variations may be flagged. Signature-based detection has lower false positives but cannot detect unknown attacks.

668
Multi-Selecteasy

Which three actions are available in a Cisco Firepower access control rule? (Choose three.)

Select 3 answers
A.Decrypt
B.Allow
C.Trust
D.Monitor
E.Block
AnswersB, C, E

Allow permits traffic and can apply further inspection.

Why this answer

The main actions in access control rules are Trust (fast-path, bypassing deep inspection), Allow (permit, optionally with intrusion and file inspection), Block (deny, with or without TCP reset), and Interactive Block (block with a user-acknowledged bypass page). Monitor logs the matching connection and lets evaluation continue to later rules, so it neither permits nor denies on its own and is not counted among the three enforcement actions here; Decrypt is an SSL policy action, not an access control rule action.

669
MCQeasy

A network administrator is configuring 802.1X for wired access on a Cisco switch. The switch is configured for RADIUS using a Cisco ISE server. During testing, a client that supports 802.1X is unable to authenticate and fails to gain network access. The administrator checks the switch logs and sees "Authentication failed: invalid EAP code received". What is the most likely cause?

A.The client is using an unsupported EAP method (e.g., EAP-TLS instead of PEAP).
B.The RADIUS server is unreachable.
C.The switch is configured with the wrong shared secret for RADIUS.
D.The switch port is configured as a trunk port rather than an access port.
AnswerA

The switch cannot process an unrecognized EAP code, which occurs when the client negotiates an unsupported method.

Why this answer

Option A is correct because the error "invalid EAP code received" indicates that the switch received an EAP packet with a code it does not recognize, which typically happens when the supplicant negotiates an EAP method the deployment does not support. Option C is wrong because a shared-secret mismatch produces a RADIUS authentication failure rather than an EAP parsing error. Option D is wrong because 802.1X is not applied on trunk ports, so a trunk would cause a port-mode or VLAN problem, not an EAP parsing error.

Option B is wrong because an unreachable RADIUS server produces timeouts or server-dead events rather than an EAP code error.

670
MCQhard

An organization is deploying Cisco TrustSec and uses SXP to propagate SGTs between routers that do not support SGT inline tagging. The SXP connection is established, but the SGT mappings are not being learned. The administrator checks 'show cts sxp connections' and sees the connection is in 'On' state. What is the most likely issue?

A.The SXP source IP is not reachable.
B.The SXP hold-down timer expires too quickly.
C.The SXP speaker and listener are both configured as listener.
D.The SXP password is incorrect.
AnswerC

SXP requires one side to be speaker and the other listener; both listener prevents mapping exchange.

Why this answer

Option C is correct because an SXP connection needs one speaker and one listener (or both sides in 'both' mode); with both sides configured as listener, neither side ever advertises IP-to-SGT bindings, so the connection can show 'On' while the listener's mapping table stays empty. Option D is incorrect because a mismatched SXP password prevents the session from ever reaching 'On'.

Option A is incorrect because an unreachable source IP likewise keeps the connection from coming up. Option B is incorrect because the hold-down timer governs how long a listener retains bindings after a speaker goes away; it does not stop initial learning.

671
Multi-Selecteasy

A security engineer is configuring Cisco Web Security Appliance (WSA) to block downloads of potentially malicious file types such as .exe and .scr. The engineer wants to ensure that these files are blocked even if they are hosted on trusted websites. Which TWO actions should the engineer take?

Select 2 answers
A.Create an access policy that enables file reputation filtering.
B.Create a custom URL category for the file types.
C.Enable the file type control feature in the access policy.
D.Configure HTTPS proxy to decrypt traffic for file inspection.
E.Enable Data Loss Prevention (DLP) on the access policy.
AnswersA, C

File reputation filtering uses the Cisco Talos reputation to block known malicious files.

Why this answer

Option A (file reputation filtering) and Option C (file type control) are correct: reputation filtering blocks files Talos knows to be malicious, and file type control in the access policy blocks the named extensions or MIME types regardless of which site hosts them. Option B is incorrect because custom URL categories classify websites, not file types. Option E (DLP) is designed for outbound data protection, not for blocking inbound downloads.

Option D (HTTPS decryption) is a prerequisite for seeing files inside TLS sessions but does not itself block any file type.

672
Multi-Selectmedium

Which TWO methods can be used to enforce least privilege within a network infrastructure? (Choose two.)

Select 2 answers
A.Use Cisco TrustSec with SGTs and security group policies.
B.Use a single administrator account with full privileges for all IT staff.
C.Place all users in the same VLAN without ACLs.
D.Configure source NAT on the firewall to hide internal addresses.
E.Implement role-based access control (RBAC) on network devices.
AnswersA, E

SGTs enforce access based on group membership.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) to classify traffic based on user or device identity, not just IP addresses. Security group policies then enforce least privilege by allowing or denying communication between SGTs, ensuring that only necessary traffic flows between endpoints. Option E is correct because role-based access control on network devices (for example, TACACS+ command authorization from ISE or IOS privilege levels) limits each administrator to the commands their role requires, rather than granting every operator full privileges.

Exam trap

Cisco often tests the misconception that NAT or VLAN segmentation alone enforces least privilege, when in fact they lack identity-based or role-based access control required for true least privilege.

673
MCQeasy

Cisco ISE is configured to assign Security Group Tags (SGTs) to endpoints based on their identity. This is part of which Cisco security architecture?

A.Cisco Duo
B.Cisco TrustSec
C.Cisco SecureX
D.Cisco AMP
AnswerB

Correct. TrustSec uses SGTs for identity-based segmentation.

Why this answer

Cisco TrustSec is the security architecture that uses Security Group Tags (SGTs) to enforce access control based on identity rather than IP addresses. Cisco ISE acts as the policy decision point, dynamically assigning SGTs to endpoints and distributing them via protocols like SXP or inline tagging, enabling consistent policy enforcement across the network.

Exam trap

Cisco often tests the distinction between TrustSec (which handles SGT assignment and network segmentation) and other security products like Duo or SecureX, so the trap here is confusing identity-based tagging with MFA or cloud security platforms.

How to eliminate wrong answers

Option A is wrong because Cisco Duo is a multi-factor authentication (MFA) and zero-trust access solution, not an architecture for SGT assignment or network segmentation. Option C is wrong because Cisco SecureX is a cloud-native security platform that integrates multiple Cisco security products for visibility and orchestration, but it does not directly assign SGTs or implement TrustSec policies. Option D is wrong because Cisco AMP (Advanced Malware Protection) is an endpoint threat detection and response solution focused on malware analysis and prevention, not on identity-based network segmentation via SGTs.

674
Multi-Selectmedium

Which THREE are valid methods to obtain security group tags (SGTs) on a Cisco switch? (Choose three.)

Select 3 answers
A.IP-to-SGT mapping via RADIUS
B.CTS manual configuration
C.Cisco ISE pxGrid subscription
D.VLAN-to-SGT mapping
E.SXP
AnswersA, B, E

RADIUS can send SGT attributes during authentication.

Why this answer

Options A, B, and E are correct. IP-to-SGT mapping via RADIUS lets ISE return the SGT in a cisco-av-pair after authentication, CTS manual configuration statically assigns an SGT to a link, and SXP (SGT Exchange Protocol) propagates IP-to-SGT bindings from a speaker to a listener. Option D is not counted here: VLAN-to-SGT mapping exists on some platforms (cts role-based sgt-map vlan-list) but is a secondary classification method rather than one of the three the exam expects.

Option C (pxGrid subscription) is how ISE shares session context with partner platforms, not how a switch obtains SGTs.
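Added example, not part of the question bank, covering the static link-level SGT from question 655, the SXP speaker/listener pairing from question 670, and the classification methods listed in question 674. Two IOS switches are shown: Switch A classifies ingress traffic on one link with 'cts manual', holds a static IP-to-SGT mapping, and speaks SXP; Switch B listens. Interface names, addresses, the SXP password and SGT values are assumed. RADIUS-based assignment (option A of question 674) needs no extra switch configuration beyond network authorization from ISE, so it is only noted in a comment.

```cisco
! Lines beginning with "!" are comments. Addresses, names and SGTs are assumed.
!
! ---- Switch A -------------------------------------------------------------
! Static link-level classification: every frame entering this link gets SGT 10.
! "trusted" keeps an SGT already present in an inbound CMD header instead of
! overwriting it with the static value.
interface TenGigabitEthernet1/1
 cts manual
  policy static sgt 10 trusted
!
! Static IP-to-SGT mapping for a server that never authenticates to ISE
cts role-based sgt-map 192.168.50.10 sgt 20
!
! Dynamic (RADIUS) assignment: ISE returns cts:security-group-tag in a
! cisco-av-pair during 802.1X/MAB; it relies on the usual
! "aaa authorization network default group radius" and needs no cts line here.
!
! Enforce SGACLs on this switch (otherwise tags are carried but never acted on)
cts role-based enforcement
!
! SXP: this side advertises its IP-to-SGT bindings, so it must be the speaker
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password ExamplePassword
cts sxp connection peer 10.1.1.2 password default mode local speaker
!
! ---- Switch B -------------------------------------------------------------
! The peer must be the listener; two listeners bring the connection up but
! exchange no bindings, which is the failure in question 670.
cts sxp enable
cts sxp default source-ip 10.1.1.2
cts sxp default password ExamplePassword
cts sxp connection peer 10.1.1.1 password default mode local listener
!
! ---- Verification (exec mode, either switch) ------------------------------
! show cts sxp connections brief      <- state must be On, and roles must differ
! show cts role-based sgt-map all     <- bindings learned via SXP, RADIUS or static
! show cts interface TenGigabitEthernet1/1
```

When troubleshooting, compare the 'Conn status' and local/peer mode columns of 'show cts sxp connections brief' on both ends before looking at anything else: an 'On' state only proves the TCP session and password match, not that a speaker exists on the far side.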

675
MCQeasy

After applying a new extended ACL inbound on an interface, users report they can no longer reach a critical server on a different subnet. The ACL permits the server's IP and required ports. What is the most likely cause?

A.The router has run out of memory for ACL processing.
B.The ACL is applied in the outbound direction instead of inbound.
C.The ACL is applied to the wrong interface.
D.The ACL is missing a permit for necessary traffic (e.g., return traffic or ARP), triggering the implicit deny.
AnswerD

Extended ACLs end with implicit deny; missing permit for other traffic blocks communication.

Why this answer

An extended ACL applied inbound filters every packet entering that interface before the routing decision, and anything not explicitly permitted hits the implicit 'deny ip any any' at the end of the list. Permitting the server's IP and ports covers only the forward half of the conversation: the DNS lookup that resolves the server's name, and, if the ACL also sits on the interface where the replies arrive, the return traffic from the server, must be permitted as well or they are silently dropped.

This is the most common cause of connectivity loss after applying an inbound ACL; the hit counters in 'show ip access-lists' and an explicit 'deny ip any any log' line make the dropped traffic visible.

Exam trap

Cisco often tests the concept that an inbound ACL filters traffic before the routing decision, and candidates mistakenly focus only on the destination server's IP and ports, forgetting that return traffic must also be explicitly permitted to avoid the implicit deny.

How to eliminate wrong answers

Option A is wrong because ACL evaluation is done in TCAM or by a deterministic CPU lookup; memory exhaustion is not a realistic failure mode for an ordinary extended ACL. Option B is wrong because the question states the ACL was applied inbound; an outbound placement would filter packets leaving the interface and produce a different symptom from the one described. Option C is wrong because applying the ACL to an unrelated interface would leave the intended flows unfiltered or disrupt other traffic; it would not reproduce the specific loss of access to the very server the ACL was written to permit.
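Added example, not from the question bank: an IOS extended ACL that reproduces the failure described above beside the corrected version. Users on 10.10.10.0/24 sit behind GigabitEthernet0/0, the web server and the DNS resolver sit behind GigabitEthernet0/1; all addresses, names and ports are assumed. The broken list permits exactly what the question says (the server's IP and port) and nothing else, so name resolution dies on the implicit deny; the corrected list adds DNS, makes the deny explicit and logged, and shows the 'established' keyword for the case where the same filter is placed where replies enter.

```cisco
! Lines beginning with "!" are comments. Addresses and names are assumed.
!
! --- Before: permits the server and nothing else ---------------------------
ip access-list extended USERS_IN_BROKEN
 remark Only HTTPS to the server; the implicit deny drops DNS and everything else
 permit tcp 10.10.10.0 0.0.0.255 host 192.168.50.10 eq 443
!
! --- After: permit the supporting traffic the session depends on -----------
ip access-list extended USERS_IN
 remark DNS to the internal resolver so the server name can be resolved
 permit udp 10.10.10.0 0.0.0.255 host 192.168.50.53 eq 53
 remark Application traffic to the web server
 permit tcp 10.10.10.0 0.0.0.255 host 192.168.50.10 eq 443
 remark Same effect as the implicit deny, but now counted and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 description User LAN
 ip access-group USERS_IN in
!
! --- Replies: if an inbound ACL is also placed on the server-facing interface,
! it now filters the return half of every session and must permit it explicitly.
ip access-list extended SERVERS_IN
 remark Only packets belonging to a session the client opened (ACK/RST set)
 permit tcp host 192.168.50.10 eq 443 10.10.10.0 0.0.0.255 established
 remark DNS answers back to the users
 permit udp host 192.168.50.53 eq 53 10.10.10.0 0.0.0.255
 deny ip any any log
!
interface GigabitEthernet0/1
 description Server segment
 ip access-group SERVERS_IN in
!
! --- Verification (exec mode) ----------------------------------------------
! show ip access-lists USERS_IN        <- the deny line's match count reveals what was dropped
! show logging | include IPACCESSLOGP  <- %SEC-6-IPACCESSLOGP entries name the denied flows
```

'established' only checks TCP flag bits and is not stateful; it is enough to illustrate the return-traffic point, but a reflexive ACL or Zone-Based Firewall is the right tool when replies must be tied to real sessions.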
