CCNA Content Security Questions

75 of 93 questions · Page 1/2 · Content Security topic · Answers revealed

1
Multi-Select · hard

Which THREE of the following are valid considerations when deploying Cisco Advanced Malware Protection (AMP) for Networks on a Firepower system? (Choose three.)

Select 3 answers
A. AMP for Networks should be deployed in inline mode behind the firewall.
B. An AMP subscription must be active on the Firepower Management Center.
C. File inspection must be enabled in the access control policy.
D. The Firepower device must have outbound internet connectivity to the AMP cloud.
E. A dedicated bridge group must be created on the Firepower device.
Answers: B, C, D

Cloud-based file analysis requires a valid license.

Why this answer

Option B is correct because an active AMP subscription on the Firepower Management Center (FMC) is required to enable the AMP for Networks feature. Without a valid subscription license tied to the FMC, the system cannot authenticate with the AMP cloud or enforce file-based threat policies. Option C is correct because file inspection must be enabled in the access control policy before the Firepower device inspects files and applies AMP dispositions. Option D is correct because the device needs outbound connectivity to the AMP cloud to perform cloud-based file analysis.

Exam trap

Cisco often tests the misconception that AMP for Networks requires inline mode or a specific interface configuration like a bridge group, when in fact it works in multiple deployment modes and only requires a valid subscription, file inspection enabled, and outbound cloud connectivity.

2
MCQ · easy

A company wants to prevent users from downloading executable files (.exe) from the internet via the WSA. Which policy type should be configured?

A. URL filtering policy with category blocking
B. Data Security policy
C. Access policy with file type filtering
D. Web Reputation Security policy
Answer: C

File type filtering blocks specific MIME types or extensions.

Why this answer

C is correct because an Access policy in WSA allows granular control over web traffic, including the ability to block specific file types such as .exe via the 'File Type Filtering' action. This directly prevents users from downloading executable files from the internet, as the WSA inspects the MIME type or file extension in the HTTP response and applies the configured block action.

Exam trap

Cisco often tests the distinction between URL filtering (which controls access based on site categories) and file type filtering (which controls downloads based on file type), and the trap here is that candidates confuse 'blocking executable downloads' with 'blocking malicious sites' or 'blocking categories,' leading them to choose URL filtering or Web Reputation policies instead.

How to eliminate wrong answers

Option A is wrong because URL filtering policy with category blocking controls access based on URL categories (e.g., gambling, social media), not on the file type of downloaded content; it cannot block .exe files from allowed categories. Option B is wrong because Data Security policy (DLP) is designed to prevent sensitive data leakage (e.g., credit card numbers, PII) by inspecting content, not to block executable file downloads. Option D is wrong because Web Reputation Security policy uses reputation scores to block malicious or risky sites, but it does not filter by file type; a site with good reputation could still serve .exe files.

3
MCQ · hard

A Cisco WSA receives intermittent complaints that legitimate websites are being blocked. The access policy uses reputation scoring and URL filtering. The administrator checks the logs and finds that the blocked requests have a web reputation score of -2.0. What action should be taken to allow these legitimate sites while still blocking malicious ones?

A. Create a custom URL category for the legitimate sites and apply an allow action above the reputation policy.
B. Lower the reputation threshold to -1.0.
C. Set the reputation action to 'Monitor' for suspicious scores.
D. Disable web reputation filtering for that policy.
Answer: A

Allow override bypasses reputation blocking for specific sites.

Why this answer

Option A is correct because creating a custom URL category for the legitimate sites and placing an allow action above the reputation policy ensures that traffic matching that category bypasses the reputation scoring check. This allows the legitimate sites while the reputation policy continues to block malicious sites with scores below the threshold. In Cisco WSA, access policies are evaluated in order, so a higher-priority allow rule for trusted URLs overrides the lower-priority reputation-based block.

Exam trap

Cisco often tests the concept of policy evaluation order in WSA, where candidates mistakenly think adjusting the reputation threshold or disabling filtering is the correct fix, rather than using a higher-priority allow rule for trusted sites.

How to eliminate wrong answers

Option B is wrong because lowering the reputation threshold to -1.0 would allow more sites with poor reputation (scores between -2.0 and -1.0) to pass, increasing the risk of allowing malicious sites. Option C is wrong because setting the reputation action to 'Monitor' for suspicious scores would only log the requests without blocking them, which does not selectively allow the legitimate sites while still blocking malicious ones. Option D is wrong because disabling web reputation filtering entirely removes the reputation-based protection for the whole policy, leaving all sites unguarded against malicious threats.

4
MCQ · easy

A company wants to use Cisco Umbrella to block access to malicious domains. They have deployed the Umbrella roaming client on all endpoints. However, traffic from a specific application is still reaching a known malicious domain. What is the most likely reason?

A. The Umbrella policy is configured to allow that specific application.
B. The domain is not categorized as malicious in Umbrella's database.
C. The Umbrella roaming client is not installed on the server.
D. The application uses a hardcoded IP address or non-DNS protocol.
Answer: D

Umbrella blocks at the DNS layer; if the application does not use DNS, the block does not apply.

Why this answer

Cisco Umbrella operates at the DNS layer, meaning it can only block domains that are resolved via DNS queries. If an application uses a hardcoded IP address or communicates using a non-DNS protocol (e.g., direct IP connections or protocols like HTTP/HTTPS without DNS resolution), the traffic bypasses Umbrella's DNS-based enforcement entirely. This is why the malicious domain is still reachable despite the roaming client being deployed.

Exam trap

Cisco often tests the misconception that Umbrella blocks all traffic regardless of how the destination is resolved, when in fact it only blocks based on DNS queries, not direct IP connections or non-DNS protocols.

How to eliminate wrong answers

Option A is wrong because Umbrella policies apply globally to all traffic passing through the DNS layer; there is no per-application allow/block policy that would override DNS-based blocking for a specific application. Option B is wrong because even if a domain is not categorized as malicious, Umbrella can still block it via custom block lists or security categories; the question states the domain is known malicious, implying it should be blocked. Option C is wrong because the roaming client is deployed on all endpoints, and the traffic originates from an endpoint, not a server; the roaming client on the endpoint handles DNS resolution for all applications on that endpoint.

5
MCQ · hard

A multinational company has recently deployed Cisco WSA with explicit proxy for 10,000 users across two data centers. The WSA is configured with multiple identities based on IP subnets and authentication via LDAP. Users in the R&D department (subnet 192.168.10.0/24) are configured with an access policy that blocks all social media, but they can access web-based email like Gmail. The administrator receives complaints that R&D users cannot access a critical partner's HTTPS website (https://portal.partner.com) that is not categorized. The access policy for R&D has a default action of 'Monitor' for uncategorized URLs, but the site is blocked. The web reputation score for the site is +1.5 (low risk). The global web reputation threshold is set to -1.0. The administrator checks the access logs and sees that the request is denied with the reason 'URL is blocked by policy'. The R&D policy has an explicit 'Deny' action for the URL category 'Uncategorized URLs' set to 'Block', but the default action for the policy is 'Monitor'. The identity matching is correct. What is the most likely cause and solution?

A. Change the R&D policy's Uncategorized URLs action from Block to Monitor.
B. Lower the global web reputation threshold to -2.0 to allow more sites.
C. Create a custom URL category for portal.partner.com and configure the R&D policy to allow it.
D. Disable authentication for the R&D identity to bypass policy.
Answer: C

Custom allow rule overrides the category block.

Why this answer

Option C is correct because the R&D access policy has an explicit 'Deny' action for the 'Uncategorized URLs' category, which overrides the default 'Monitor' action. Since portal.partner.com is uncategorized, it is blocked by this explicit deny. Creating a custom URL category for the partner site and configuring an explicit 'Allow' action in the R&D policy will bypass the uncategorized URL block while preserving the rest of the policy.

Exam trap

Cisco often tests the concept that explicit policy actions for a URL category override the default action, leading candidates to incorrectly assume the default 'Monitor' action would allow the traffic when an explicit 'Deny' is present.

How to eliminate wrong answers

Option A is wrong because changing the Uncategorized URLs action from Block to Monitor would allow all uncategorized sites, including potentially malicious ones, which violates the security intent of blocking social media and could expose the R&D department to risks. Option B is wrong because the global web reputation threshold is already set to -1.0, and the site has a reputation score of +1.5 (low risk), so lowering the threshold would not affect this block; the block is due to the explicit policy action on uncategorized URLs, not reputation. Option D is wrong because disabling authentication would bypass identity-based policy matching, potentially applying a different policy that might allow the site, but it would also remove access controls for all R&D users, breaking the intended security posture and is not a recommended practice.

6
MCQ · medium

A company is deploying Cisco Web Security Appliance (WSA) to enforce acceptable use policies. Users report that some legitimate websites are being blocked incorrectly. The security team wants to allow these sites while still blocking known malware sites. Which action should the administrator take?

A. Create a custom URL filtering policy to allow the specific URLs.
B. Disable HTTPS decryption to bypass filtering for encrypted sites.
C. Enable Data Loss Prevention (DLP) to allow the sites.
D. Increase the HTTPS decryption depth to inspect more content.
Answer: A

Custom URL filtering policies can whitelist specific URLs while keeping other blocking rules intact.

Why this answer

Option A is correct because the Cisco WSA uses URL filtering policies to control access based on URL categories and individual URLs. By creating a custom URL filtering policy that allows the specific URLs, the administrator can whitelist legitimate sites while the WSA continues to block known malware sites through its reputation-based and category-based filtering. This approach maintains security enforcement without disabling broader protections.

Exam trap

Cisco often tests the distinction between URL filtering policies (which control access based on URL categories) and other security features like DLP or HTTPS decryption, leading candidates to confuse content inspection with access control.

How to eliminate wrong answers

Option B is wrong because disabling HTTPS decryption would prevent the WSA from inspecting encrypted traffic, potentially allowing malware to pass through encrypted connections, and it does not address the issue of incorrectly blocked legitimate sites. Option C is wrong because Data Loss Prevention (DLP) is designed to prevent sensitive data from leaving the network, not to allow or block websites based on URL filtering. Option D is wrong because increasing HTTPS decryption depth allows the WSA to inspect more layers of encrypted content, but it does not resolve false positives in URL categorization; it could even increase inspection overhead without fixing the whitelisting need.

7
MCQ · hard

A user in the Engineering group reports that they cannot access a banking website (https://www.examplebank.com). The website is categorized as 'Financial' by the WSA. Based on the exhibit, what is the most likely cause?

A. The Malware Scanning action is set to 'Scan' but blocks the site
B. The user identification is not configured correctly
C. The Web Reputation threshold of -6.0 is blocking the site due to a low reputation score
D. The Social Networking category is set to 'Monitor' and is blocking the site
Answer: C

If the site's reputation is below -6.0, it will be blocked regardless of URL filtering.

Why this answer

The exhibit shows a Web Reputation threshold of -6.0, meaning any website with a reputation score lower than -6.0 will be blocked. The banking site 'examplebank.com' likely has a low reputation score (e.g., due to being newly registered or hosting malicious content), causing it to fall below the threshold and be blocked. This is the most direct cause because the WSA applies reputation-based filtering before other policies, and the user's inability to access the site aligns with a reputation block rather than a category or scanning issue.

Exam trap

Cisco often tests the distinction between URL category actions (Allow, Block, Monitor) and Web Reputation thresholds, where candidates mistakenly think a category like 'Financial' being allowed means the site is accessible, ignoring that a low reputation score can override category-based policies.

How to eliminate wrong answers

Option A is wrong because Malware Scanning set to 'Scan' does not block sites; it scans traffic for malware and may block only if malware is detected, but the question does not indicate malware presence. Option B is wrong because user identification misconfiguration would affect policy application based on user/group, but the exhibit shows a global reputation threshold that applies regardless of user identity, and the user is in the Engineering group which is not explicitly blocked by any policy shown. Option D is wrong because the Social Networking category is set to 'Monitor', which logs traffic without blocking it; 'Monitor' actions do not deny access, so it cannot be the cause of the block.

8
Multi-Select · medium

Which TWO actions are best practices when configuring a Cisco WSA to block malicious websites? (Choose two.)

Select 2 answers
A. Configure URL filtering categories to block known malicious categories
B. Set the default action to 'Monitor' for all categories
C. Disable user authentication to simplify policy
D. Allow all HTTPS traffic to improve performance
E. Enable Web Reputation filtering
Answers: A, E

Blocking categories like malware, phishing provides protection.

Why this answer

Option A is correct because Cisco WSA URL filtering categories allow administrators to block entire groups of known malicious sites, such as malware, phishing, or spyware categories, which are pre-classified by Cisco Talos. This provides a broad, proactive defense against threats without needing to maintain individual URL block lists. Option E is correct because Web Reputation filtering uses a scoring system (1–10, with lower scores being more malicious) to dynamically block or warn users about websites with poor reputation, even if they are not in a specific malicious category, adding a layer of behavioral analysis.

Exam trap

Cisco often tests the misconception that 'Monitor' mode is a safe default for security, when in fact it only logs traffic and does not block threats, leading candidates to incorrectly select Option B.

9
MCQ · hard

An administrator is troubleshooting an issue where emails sent to a specific external domain are being delayed by up to 30 minutes. The Cisco ESA is configured with multiple mail exchangers (MX) for delivery. The logs show that the ESA is attempting delivery to the primary MX, which is unresponsive, and failing over to the secondary MX after 30 minutes. What change should be made to reduce the delivery delay?

A. Enable SMTP over TLS (ESMTP) for the delivery
B. Reduce the delivery queue retry interval in the ESA settings
C. Increase the number of MX records for that domain
D. Remove the primary MX record from DNS
Answer: B

Lowering retry interval causes faster failover to secondary MX.

Why this answer

Configuring a shorter timeout or retry interval on the delivery queue causes the ESA to fail over to the secondary MX faster. Option C is wrong because increasing the number of MX records does not change the timeout. Option D is wrong because removing the primary MX record from DNS is not a good practice. Option A is wrong because enabling ESMTP does not affect the timeout.

10
MCQ · hard

A company using Cisco Web Security Appliance (WSA) in explicit proxy mode has enabled HTTPS decryption with a custom CA certificate. A user reports that a specific banking website displays a certificate error message. The administrator verifies that the WSA is generating a certificate for that site. What is the most likely cause of the error?

A. The banking website uses HTTP Public Key Pinning (HPKP) or Certificate Pinning.
B. The WSA's time is not synchronized with the NTP server, causing certificate validity issues.
C. The WSA is not configured to generate certificates for that domain.
D. The user's browser does not trust the WSA's CA certificate.
Answer: A

Pinned certificates are compared to the original, and the WSA's generated certificate does not match, causing an error.

Why this answer

Banking websites often use dynamic certificates with extended validation (EV) and may implement certificate pinning. If the site uses pinning, the WSA's generated certificate will not match the original certificate's public key or subject alternative names. Option A is correct because certificate pinning will cause this mismatch.

Option D is incorrect because the CA certificate is already trusted. Option C is incorrect because the WSA's certificate is generated on the fly. Option B is possible but less specific to banking sites.

11
MCQ · hard

A company is deploying Cisco Umbrella to enforce security policies for remote users. They want to ensure that DNS requests from roaming clients are routed through Umbrella's DNS resolvers. However, some users are bypassing Umbrella by using third-party DNS servers like Google (8.8.8.8). Which configuration should be applied to prevent this?

A. Configure Content Filtering to block Google DNS
B. Add a firewall rule on each client to block port 53 to all but Umbrella
C. Enable IP Layer Enforcement in the Umbrella dashboard
D. Enable DNS Policy in the Umbrella roaming client
Answer: D

This forces all DNS requests through Umbrella and blocks alternative DNS servers.

Why this answer

Option D is correct because the Umbrella roaming client's DNS Policy feature forces all DNS traffic from the endpoint to use Umbrella's DNS resolvers, even if the user manually configures a third-party DNS server like Google (8.8.8.8). This is achieved by intercepting DNS requests at the OS level and redirecting them to the Umbrella resolvers, effectively preventing bypass attempts without relying on network-level blocks.

Exam trap

Cisco often tests the distinction between network-level enforcement (like IP Layer Enforcement) and endpoint-level enforcement (like DNS Policy in the roaming client), leading candidates to mistakenly choose IP Layer Enforcement because it sounds like a global solution, but it fails for roaming clients not connected to the corporate network.

How to eliminate wrong answers

Option A is wrong because Content Filtering in Umbrella blocks specific domains or categories, not IP addresses or DNS server endpoints; it cannot prevent a client from using a third-party DNS resolver like 8.8.8.8. Option B is wrong because adding a firewall rule on each client to block port 53 to all but Umbrella is impractical for roaming users, as it requires manual configuration on every device and does not scale; it also fails if the user has administrative rights to disable the rule. Option C is wrong because IP Layer Enforcement in Umbrella applies to network traffic based on IP addresses, but it does not intercept or redirect DNS queries at the endpoint level; it relies on the network gateway to enforce policies, which is ineffective for roaming clients that are not behind a corporate network.

12
Multi-Select · medium

A company is deploying Cisco Email Security Appliance (ESA) to protect against phishing attacks. The security team wants to implement two security features to detect malicious URLs in emails. Which two features should be enabled? (Choose two.)

Select 2 answers
A. DomainKeys Identified Mail (DKIM) signing
B. Sender Policy Framework (SPF) verification
C. Domain-based Message Authentication, Reporting & Conformance (DMARC)
D. URL reputation filtering
E. Cisco Advanced Phishing Protection
Answers: D, E

Checks URLs against threat intelligence databases.

Why this answer

URL reputation filtering is correct because it uses the Cisco Talos threat intelligence to analyze and block emails containing malicious URLs based on real-time reputation scores. Cisco Advanced Phishing Protection is correct because it uses machine learning and behavioral analysis to detect and block sophisticated phishing URLs that may bypass traditional reputation checks.

Exam trap

Cisco often tests the distinction between email authentication protocols (DKIM, SPF, DMARC) and content-based security features, so candidates mistakenly choose authentication methods when the question explicitly asks for features that detect malicious URLs in emails.

13
MCQ · hard

A Cisco WSA appliance is configured with explicit proxy mode. Users report that they cannot access external HTTPS websites, but HTTP works fine. The proxy logs show 'SSL handshake failed' errors. What is the most likely reason?

A. The HTTPS proxy port is not configured on the WSA.
B. The WSA's SSL certificate is not trusted by the clients.
C. The WSA is configured to forward HTTPS traffic without decryption.
D. Client certificates are required for authentication.
Answer: B

Clients must trust the WSA's certificate for HTTPS interception.

Why this answer

In explicit proxy mode, the Cisco WSA must intercept HTTPS traffic by performing a man-in-the-middle (MITM) decryption. For this to work, the WSA presents its own SSL certificate to the client. If that certificate is not trusted by the client's browser or operating system (i.e., not installed in the trusted root certificate store), the client will reject the SSL handshake, resulting in 'SSL handshake failed' errors.

HTTP traffic is unaffected because it does not involve certificate validation.

Exam trap

Cisco often tests the distinction between proxy configuration (port settings) and SSL decryption trust (certificate validation), leading candidates to mistakenly focus on port numbers or forwarding modes instead of the certificate trust chain.

How to eliminate wrong answers

Option A is wrong because the HTTPS proxy port (typically 3128 or 8080) is configured separately from the decryption function; the error is about the SSL handshake, not about port misconfiguration. Option C is wrong because forwarding HTTPS traffic without decryption (i.e., using the CONNECT method) would not cause an SSL handshake failure at the proxy level—the proxy would simply tunnel the traffic, and the handshake would occur between the client and the destination server. Option D is wrong because client certificate authentication is an optional feature for mutual TLS; it is not required for basic HTTPS decryption, and its absence would not cause a generic 'SSL handshake failed' error.

14
MCQ · hard

A financial services company recently migrated from a legacy web filter to Cisco WSA in explicit proxy mode. The company has 5000 users across three offices, each connected via MPLS. The WSA is deployed in the data center. A week after deployment, users in the remote office report that web pages load extremely slowly, while users in the main office near the data center experience normal speeds. The network team confirms there is no WAN congestion. The WSA administrator checks the logs and sees that the remote users are being authenticated via NTLM and that the WSA's CPU and memory usage are below 50%. However, the number of concurrent connections from the remote office is very high, with many connections in a TIME_WAIT state. What is the most likely cause of the slow web performance for remote users?

A. The WSA's proxy process is overloaded due to high SSL decryption demands.
B. Remote users are using an outdated browser that does not support modern protocols.
C. The WSA is not configured to reuse TCP connections, causing high connection overhead for remote users.
D. NTLM authentication is causing authentication delays over the MPLS link.
Answer: C

Connection reuse reduces latency.

Why this answer

The correct answer is C because the high number of concurrent connections in TIME_WAIT state indicates that TCP connections are being closed after each request instead of being reused. In explicit proxy mode, the WSA can reuse persistent connections to reduce latency, but if connection reuse is not configured, each HTTP request from a remote user requires a new TCP handshake, which adds significant round-trip time (RTT) over the MPLS link. This overhead explains the slow performance for remote users while main office users, with lower latency, are unaffected.

Exam trap

The trap here is that candidates often attribute slow performance to authentication delays (NTLM) or SSL decryption, but the key clue is the high number of TIME_WAIT connections, which points to TCP connection overhead rather than authentication or encryption processing.

How to eliminate wrong answers

Option A is wrong because the WSA's CPU and memory usage are below 50%, and the issue is not related to SSL decryption demands; the logs show NTLM authentication, not SSL-related problems. Option B is wrong because outdated browser support would cause compatibility issues, not a sudden increase in TIME_WAIT connections and connection overhead after a migration. Option D is wrong because NTLM authentication occurs once per session and does not cause a high number of concurrent connections in TIME_WAIT state; authentication delays would manifest as slow initial logins, not persistent slow page loads.

15
MCQ · hard

A network administrator is configuring Cisco Umbrella for web security. They want to ensure that all DNS requests from branch offices are sent to Umbrella for policy enforcement, but they have limited control over the branch routers. What is the most effective deployment method?

A. Deploy the Umbrella roaming client on endpoints
B. Set up a transparent proxy on the branch routers
C. Configure Umbrella as DNS forwarder on the branch routers
D. Use PAC files on the clients to redirect web traffic
Answer: A

Endpoints send DNS directly to Umbrella, no network changes needed.

Why this answer

The Umbrella roaming client (Option A) is the most effective method because it can be deployed on endpoints to redirect all DNS queries to Umbrella's cloud resolvers, regardless of branch router configuration. This client works at the OS level, intercepting DNS traffic and enforcing policies even when the network path is uncontrolled, making it ideal for scenarios with limited router access.

Exam trap

Cisco often tests the misconception that DNS forwarding or proxy configurations on routers are always the best approach, but the trap here is that the question explicitly states 'limited control over branch routers,' making endpoint-based solutions like the roaming client the only viable option for comprehensive DNS security enforcement.

How to eliminate wrong answers

Option B is wrong because setting up a transparent proxy on branch routers requires administrative control over those routers, which contradicts the constraint of limited control. Option C is wrong because configuring Umbrella as a DNS forwarder on branch routers also demands router-level configuration, and it only redirects DNS traffic, not all web traffic, potentially missing HTTP/HTTPS policy enforcement. Option D is wrong because PAC files only redirect web traffic for browsers that support them, leaving non-browser applications and DNS queries unaffected, and they require client-side configuration that may not be feasible in a limited-control environment.

16
MCQ · hard

A network administrator notices that users in the finance department are unable to access a legitimate business web application that uses custom port 8443. The WSA is configured with a decryption policy that decrypts all traffic on port 443. What is the most likely cause of the issue?

A. The decryption policy is not applied to port 8443, so the WSA treats it as non-decrypted traffic which may be blocked by default
B. The WSA is configured with a time-based access rule that only allows access during business hours
C. The WSA cannot decrypt traffic on port 8443, causing a certificate mismatch
D. The web application is blocked by an identity-based access policy
Answer: A

Default access policies often block non-decrypted or non-standard ports unless explicitly allowed.

Why this answer

The WSA's decryption policy is configured to decrypt traffic only on port 443 (HTTPS). Since the finance department's web application uses custom port 8443, the traffic is not subject to decryption. By default, the WSA may block non-decrypted traffic that matches certain security or access policies, or it may treat it as untrusted, leading to access failure.

The most likely cause is that the decryption policy does not cover port 8443, so the WSA applies a default action (often block) to non-decrypted traffic.

Exam trap

Cisco often tests the misconception that decryption policies automatically apply to all HTTPS traffic regardless of port, when in fact they are port-specific and require explicit configuration for non-standard ports.

How to eliminate wrong answers

Option B is wrong because time-based access rules would affect access regardless of port, but the issue is specific to port 8443 not being decrypted, not a time restriction. Option C is wrong because the WSA does not attempt to decrypt traffic on port 8443; it simply does not apply decryption, so no certificate mismatch occurs. Option D is wrong because identity-based access policies would block based on user or group, not specifically due to the port mismatch; the core problem is the decryption policy scope, not identity.

17
Multi-Select · easy

Which TWO of the following are common causes of email delivery delays in Cisco Email Security Appliance (ESA)? (Select exactly two.)

Select 2 answers
A. Too many recipients in a single message
B. High volume of email in the delivery queue
C. Slow response from the destination mail server during SenderBase reputation check
D. Incorrect MX record for the destination domain
E. Improper SPF record on the sender's domain
Answers: B, C

Causes queuing delays.

Why this answer

Option B is correct because a high volume of email in the delivery queue indicates that the ESA is experiencing a backlog of messages awaiting delivery. This can occur due to rate limiting, transient delivery failures, or a large number of messages being processed simultaneously, which directly causes delays in email delivery as the queue must be drained sequentially. Option C is correct because a slow response during the SenderBase reputation check holds the message until the lookup completes; the message is delayed rather than rejected.

Exam trap

Cisco often tests the distinction between causes of delays (e.g., queue buildup or slow external responses) versus causes of permanent failures (e.g., incorrect MX records) or authentication issues (e.g., SPF), leading candidates to confuse delivery failures with delays.

18
MCQ · medium

A network administrator is troubleshooting why users in the marketing department cannot access a specific cloud storage site through the Cisco WSA. The access policy for marketing is set to 'Monitor' for the File Sharing category, but the site is blocked. What is the most likely reason?

A. Web reputation threshold is set to block the site.
B. The site is mis-categorized as an unknown URL.
C. A more specific identity or policy is applying a block action.
D. URL filtering is disabled for that policy.
Answer: C

For example, a time-based or user-specific policy may override.

Why this answer

The correct answer is C because Cisco WSA applies policies in a hierarchical order, and a more specific identity or policy (e.g., one based on user group, subnet, or time range) can override a broader policy set to 'Monitor'. Even though the marketing department's access policy is configured to monitor the File Sharing category, a more granular rule may explicitly block the cloud storage site, causing the unexpected block.

Exam trap

The trap here is that candidates assume a policy set to 'Monitor' for a category will always allow traffic, forgetting that Cisco WSA's policy evaluation uses a first-match model where more specific policies can override broader ones.

How to eliminate wrong answers

Option A is wrong because the web reputation threshold is a separate security measure that evaluates the risk score of a URL; if it were blocking the site, the action would be based on reputation, not the File Sharing category policy. Option B is wrong because if the site were mis-categorized as an unknown URL, it would fall under the 'Uncategorized URLs' category, not the File Sharing category, and the policy for marketing would need to explicitly handle that category. Option D is wrong because URL filtering being disabled for that policy would mean no category-based actions apply at all, so the site would not be blocked by a category action; instead, it would be allowed or handled by other mechanisms.

19
MCQ · easy

An organization is using Cisco Firepower Threat Defense (FTD) with URL filtering to block access to social media sites during work hours. After implementation, users can still access Facebook and Twitter. The access control policy is configured correctly with a URL category condition. What should the administrator verify first?

A. Ensure that SSL decryption is enabled for the relevant traffic.
B. Confirm that the FTD is configured with a DNS policy to perform DNS snooping for URL filtering.
C. Check that the URL filtering rule is above any other permit rules.
D. Verify that the FTD has an updated URL filtering database.
Answer: B

Without DNS snooping, the FTD cannot categorize URLs for HTTPS traffic and relies on IP reputation, which may not be effective.

Why this answer

Option B is correct because Cisco FTD uses DNS snooping to map domain names to IP addresses for URL filtering when SSL decryption is not enabled. Without DNS snooping, the FTD cannot reliably associate traffic with the requested URL category if the traffic is encrypted, leading to bypasses like users accessing Facebook and Twitter despite a blocking rule.

Exam trap

Cisco often tests the misconception that SSL decryption is required for URL filtering on encrypted traffic, but the correct first step is to verify DNS snooping, which provides a lightweight alternative for domain-based filtering without decryption.

How to eliminate wrong answers

Option A is wrong because SSL decryption is not a prerequisite for URL filtering; DNS snooping allows URL filtering to work on encrypted traffic without decrypting it, and enabling SSL decryption is a separate, more resource-intensive step. Option C is wrong because while rule order matters in access control policies, the question states the policy is configured correctly with a URL category condition, so the issue is not rule placement but the FTD's inability to identify the traffic as social media. Option D is wrong because an outdated URL database would cause incorrect categorization (e.g., blocking a site that is not social media), not a complete bypass of the rule; the database update is a secondary check after verifying DNS snooping.

20
Multi-Select · medium

Which TWO actions can be configured in a Cisco ESA DLP policy to respond to a violation involving outbound credit card numbers? (Choose two.)

Select 2 answers
A. Deliver the message with a CC to the compliance team
B. Encrypt the message using a secure policy
C. Quarantine the message for review
D. Add a disclaimer that the message is confidential
E. Bounce the message back to the sender
Answers: B, C

Encryption ensures the data is protected even if sent.

Why this answer

Option B is correct because Cisco ESA DLP policies can automatically encrypt outbound messages containing sensitive data like credit card numbers. This ensures that even if the message is intercepted, the content remains protected, which is a common compliance requirement for PCI DSS.

Exam trap

Cisco often tests the distinction between 'notification-only' actions (like CC or disclaimer) and 'enforcement' actions (like encrypt or quarantine), leading candidates to mistakenly select passive options that do not actually prevent data exfiltration.

21
Multi-Select · easy

Which TWO of the following are valid methods for deploying Cisco Web Security Appliance in a network? (Choose two.)

Select 2 answers
A. Explicit proxy mode
B. VPN concentrator mode
C. DNS proxy mode
D. Transparent proxy mode
E. Bridge mode
Answers: A, D

Clients are configured to use the WSA as proxy.

Why this answer

Explicit proxy mode requires clients to be manually configured to send web traffic directly to the WSA's IP address and port (typically 3128 or 8080). This gives the administrator granular control over which devices use the proxy and allows for authentication at the proxy layer, making it a valid deployment method for the Cisco Web Security Appliance.

Exam trap

Cisco often tests the distinction between 'transparent proxy mode' and 'bridge mode' — candidates mistakenly think the WSA can be deployed as a Layer 2 bridge, but the correct term for inline, non-explicit interception is transparent proxy mode, which relies on traffic redirection rather than bridging.

22
Multi-Select · hard

Which TWO of the following are core layers of Cisco Umbrella's multi-layered security approach? (Choose two.)

Select 2 answers
A. Firewall as a Service
B. DNS-layer security
C. IP reputation filtering
D. Proxy-based web inspection
E. Sandboxing for malicious file analysis
Answers: B, D

First layer of defense by blocking requests to malicious domains.

Why this answer

DNS-layer security is a core component of Cisco Umbrella's multi-layered approach. It blocks requests to malicious domains at the earliest stage of the connection, before any IP address resolution occurs, by inspecting DNS queries against threat intelligence feeds. This prevents users from reaching known phishing, malware, or command-and-control (C2) domains.

Exam trap

Cisco often tests the distinction between the core layers of Umbrella's multi-layered security (DNS-layer and proxy-based web inspection) and additional integrated features like sandboxing or IP reputation, which are not considered separate layers in the official architecture.

23
MCQ · easy

A security engineer is configuring Cisco WSA to block access to a new social media site that is not in any predefined URL category. Which action should the engineer take to ensure the site is blocked for all users?

A. Disable the URL filtering engine and use only web reputation.
B. Add the URL to the existing Social Networking category.
C. Create a custom URL category with the site and apply a block action in the access policy.
D. Enable Dynamic Content Analysis to detect and block the site.
Answer: C

This directly blocks the site via policy.

Why this answer

Option C is correct because Cisco WSA allows administrators to create custom URL categories for sites not covered by predefined categories. By adding the URL to a custom category and applying a block action in the access policy, the engineer ensures the site is blocked for all users, as access policies evaluate custom categories before predefined ones.

Exam trap

Cisco often tests the misconception that predefined categories are editable or that Dynamic Content Analysis can be used for URL blocking, when in fact custom categories are the only way to handle uncategorized sites in access policies.

How to eliminate wrong answers

Option A is wrong because disabling the URL filtering engine and relying solely on web reputation would not block a specific URL; web reputation scores traffic based on risk, not content categories, and cannot enforce a block for a particular social media site. Option B is wrong because the Social Networking category is a predefined, read-only category in Cisco WSA; you cannot add custom URLs to it, and attempting to do so would require modifying the category definition, which is not supported. Option D is wrong because Dynamic Content Analysis (DCA) inspects web content for malicious patterns, not for blocking specific social media sites; it is designed for threat detection, not URL-based access control.

24
MCQ · medium

A security analyst notices that a Cisco Firepower Threat Defense (FTD) device is not applying file policies to detect malware in HTTP traffic. The access control policy has an HTTPS decryption rule that decrypts traffic from external sources. The file policy is associated with the same rule. What is the missing configuration?

A. The file policy is set to 'Detect' but not 'Block' for malware.
B. The HTTP inspection is not enabled in the access control policy's advanced settings.
C. SSL decryption is not configured for the internal network.
D. The URL category is not defined in the file policy.
Answer: B

File policies require the HTTP inspector to be enabled to scan files in HTTP streams.

Why this answer

File policies in Firepower are applied based on network analysis and file inspection. For HTTP traffic, the FTD must have the appropriate inspection engine enabled. Option B is correct because the HTTP inspection profile must be configured to inspect traffic and apply file policies.

Option A is not directly related. Option C is incorrect because decryption is already in place. Option D is unnecessary because file policies work independently of URL filtering.

25
MCQ · medium

A user in the marketing group reports that they cannot access twitter.com. The access policy summary is shown in the exhibit. What is the most likely reason?

A. The default policy is blocking the site because Marketing-Policy is set to Monitor only.
B. The access policy has a time-based restriction that blocks social media during work hours.
C. The marketing group is not assigned to the Marketing-Policy.
D. The Social Networking category is set to Block in the Marketing-Policy.
Answer: D

The block action overrides the Monitor action for that category.

Why this answer

Option D is correct because the exhibit shows that the Marketing-Policy has the Social Networking category set to Block. Since twitter.com is classified under Social Networking, this action explicitly denies access for users assigned to that policy, overriding any other settings.

Exam trap

Cisco often tests the misconception that a Monitor action in a policy allows traffic, when in fact Monitor only logs traffic without blocking it, but a Block action in the same or a more specific category overrides Monitor for that category.

How to eliminate wrong answers

Option A is wrong because the default policy only applies when no other policy matches; here the Marketing-Policy matches the marketing group, so the default policy is not evaluated. Option B is wrong because the exhibit does not show any time-based restriction; the policy summary lists only category-based actions. Option C is wrong because the question states the user is in the marketing group, and the exhibit implies the Marketing-Policy is applied to that group; if the group were not assigned, the user would fall through to the default policy, not be blocked by a specific category action.

26
MCQ · hard

A global company uses Cisco Umbrella to enforce security policies across roaming users. Recently, a user reported that they could not access a legitimate business application while connected to a guest Wi-Fi at an airport. The application is categorized as 'Productivity' in Umbrella. Other users outside the office can access it. What is the most likely reason?

A. The user's Umbrella roaming client is unable to authenticate, so the request uses the default policy which blocks the category.
B. The application's category is blocked globally in the Umbrella policy.
C. The user is in a different geographic location with a stricter policy.
D. The guest Wi-Fi's public IP address is on a block list.
Answer: A

Identity not resolved, fallback policy applies.

Why this answer

Option A is correct because Umbrella uses identity-based policies; if the roaming security client cannot detect the user identity (e.g., due to no VPN or client failure), the request falls back to the default policy, which might block the category. Option B is wrong because the category is not blocked globally. Option C is wrong because the issue is specific to one user, not to a location. Option D is wrong because the guest Wi-Fi has no public IP block.

27
Multi-Select · medium

Which THREE of the following are capabilities of Cisco Email Security Appliance (ESA) for content filtering? (Choose three.)

Select 3 answers
A. Intrusion Prevention System (IPS)
B. Anti-spam filtering
C. Zero-day malware protection using sandboxing
D. Anti-virus scanning
E. Data Loss Prevention (DLP)
Answers: B, D, E

ESA uses Cisco's and third-party anti-spam engines.

Why this answer

B is correct because Cisco ESA includes a sophisticated anti-spam filtering engine that uses multiple techniques such as SenderBase reputation, contextual analysis, and signature-based detection to identify and block unwanted email messages. This is a core content security capability of the ESA, operating at the email gateway to filter inbound and outbound traffic.

Exam trap

Cisco often tests the distinction between native ESA capabilities (like anti-spam, anti-virus, and DLP) and optional integrated features (like sandboxing), leading candidates to mistakenly select sandboxing as a core content filtering function.

28
MCQ · easy

A network administrator wants to block access to a specific URL category on the Cisco WSA but allow access to all other categories. Which action should be taken in the Access Policy?

A. Set the action to 'Monitor' for the category
B. Set the action to 'Redirect' for the category
C. Set the action to 'Warn' for the category
D. Set the action to 'Block' for the category
Answer: D

Block denies access to the category.

Why this answer

To block access to a specific URL category while allowing all others, the Access Policy must set the action for that category to 'Block'. The Cisco WSA evaluates URL categories in order of precedence, and a 'Block' action explicitly denies HTTP/HTTPS requests matching that category, while all other categories default to 'Allow' unless otherwise configured.

Exam trap

Cisco often tests the distinction between 'Block' and 'Warn' actions, where candidates mistakenly think 'Warn' denies access, but it actually allows access after user acknowledgment, making 'Block' the only true denial action.

How to eliminate wrong answers

Option A is wrong because 'Monitor' logs the traffic but does not block it, allowing access to the category. Option B is wrong because 'Redirect' sends the user to a different URL (e.g., a block page or authentication portal) but does not inherently block access; it can be bypassed or still permit the request depending on configuration. Option C is wrong because 'Warn' displays a warning message to the user but still permits access to the category after the user acknowledges the warning.

29
MCQ · hard

A security engineer deploys Cisco Advanced Malware Protection (AMP) for Endpoints with cloud-based detection. After installation, a sample malware is executed on a test endpoint, but the AMP console shows no detection or trajectory data. The endpoint shows a 'Connected' status. What is the most likely reason for the lack of detection?

A. The AMP cloud subscription has expired, but the console still shows connectivity.
B. The endpoint's network connection to the AMP cloud is intermittent, causing files to be evaluated locally instead of being sent for analysis.
C. The AMP connector version is outdated and does not support the malware family.
D. The malware is packed and requires a signature update that is not yet available.
Answer: B

If the cloud connection is unstable, the connector may use local analysis which might not detect the malware.

Why this answer

Option B is correct because when the AMP for Endpoints connector detects intermittent connectivity to the AMP cloud, it falls back to local file evaluation using only the local signature cache. Since cloud-based detection relies on sending file hashes and behavioral telemetry for advanced analysis, a disrupted connection prevents the cloud from performing deep analysis, resulting in no detection or trajectory data despite the endpoint showing a 'Connected' status.

Exam trap

Cisco often tests the misconception that a 'Connected' status guarantees full cloud functionality, when in reality intermittent connectivity can cause the endpoint to operate in a local-only mode without alerting the administrator.

How to eliminate wrong answers

Option A is wrong because if the AMP cloud subscription had expired, the endpoint would typically show a 'Disconnected' or 'Unregistered' status, not 'Connected', and the console would display a license warning. Option C is wrong because an outdated connector version might miss certain detections, but the core issue here is the lack of cloud communication; the connector would still attempt to send files for analysis and would show some error or queuing status. Option D is wrong because packed malware is handled by AMP's cloud-based machine learning and behavioral analysis, not solely by signature updates; the lack of detection is due to the cloud not receiving the file for analysis, not because of missing signatures.

30
MCQ · easy

A company is deploying Cisco Umbrella for web security. They want to enforce that all DNS requests from remote users using VPN are filtered. Which deployment method should be used?

A. Use a PAC file to redirect web traffic to Umbrella.
B. Configure the corporate DNS servers to forward to Umbrella.
C. Install the Cisco Umbrella Roaming Security client on remote endpoints.
D. Deploy a virtual appliance as a DNS forwarder at the branch office.
Answer: C

The client ensures DNS filtering anywhere.

Why this answer

The Cisco Umbrella Roaming Security client is the correct deployment method for filtering DNS requests from remote VPN users because it installs a local DNS forwarder on the endpoint that intercepts all DNS traffic and sends it directly to Umbrella's cloud resolvers, even when the user is off the corporate network. This ensures that DNS queries are filtered regardless of the VPN tunnel state, as the client operates independently of the VPN connection.

Exam trap

Cisco often tests the distinction between DNS-layer security and proxy-based web security, and the trap here is that candidates may assume a PAC file or corporate DNS forwarding is sufficient for remote users, overlooking that the Roaming client is specifically designed for off-network enforcement.

How to eliminate wrong answers

Option A is wrong because a PAC file redirects HTTP/HTTPS web traffic via a proxy, not DNS requests, and Umbrella filters at the DNS layer, not the HTTP layer. Option B is wrong because configuring corporate DNS servers to forward to Umbrella only filters DNS queries that reach those servers, which does not cover remote users whose DNS requests may bypass the corporate network entirely. Option D is wrong because deploying a virtual appliance as a DNS forwarder at the branch office would only filter DNS traffic from users within that branch, not from remote VPN users who are not connected through that branch.

31
Multi-Select · medium

Which THREE considerations must be taken into account when deploying SSL decryption on a Cisco WSA in explicit proxy mode?

Select 3 answers
A. Create an HTTPS decryption policy to specify which traffic to decrypt.
B. Install the WSA's CA certificate on all client browsers.
C. Ensure that the WSA can listen on TCP ports below 1024.
D. Configure the WSA to inspect decrypted content for malware and policy violations.
E. Enable DLP scanning on the WSA to inspect decrypted content.
Answers: A, B, D

Policy defines what to decrypt based on URL categories or users.

Why this answer

Option A is correct because an explicit HTTPS decryption policy is required to define which traffic should be intercepted and decrypted. Without this policy, the WSA will not decrypt any HTTPS traffic, even if the CA certificate is installed. The policy specifies criteria such as source IP, destination URL category, or user identity to selectively decrypt traffic.

Exam trap

Cisco often tests the distinction between explicit and transparent proxy modes; the trap here is that candidates mistakenly think the WSA must listen on privileged ports (below 1024) for explicit proxy, when that requirement only applies to transparent proxy deployments.

32
MCQ · hard

A network administrator configures the above policy on a Cisco Firepower Threat Defense (FTD) device. Users report that they cannot access the login page at https://www.example.com/login. What is the most likely cause?

A. The 'match request uri regex ".*evil.*"' in OUTSIDE_INSPECT is blocking the page.
B. The 'match request body regex ".*malware.*"' in OUTSIDE_INSPECT is blocking the page.
C. The 'inspect' action in INSIDE_INSPECT does not permit the traffic; it only inspects.
D. The class-map HTTP_CLASS is incorrectly matching the host header for example.com.
Answer: C

In FTD, the 'inspect' action alone allows traffic, but the issue might be that the policy-map is not applied correctly or the default action is to deny. However, this is the most plausible cause among the options.

Why this answer

Option C is correct because in Cisco Firepower Threat Defense (FTD), the 'inspect' action only monitors traffic for threats without explicitly permitting it. For traffic to be allowed through the device, a separate 'allow' or 'permit' action is required in the access control policy. Since INSIDE_INSPECT uses only 'inspect', the HTTPS traffic to the login page is blocked by default, as FTD implicitly denies traffic that is not explicitly permitted.

Exam trap

Cisco often tests the misconception that the 'inspect' action permits traffic, when in reality it only enables inspection and requires a separate 'allow' action for traffic to pass.

How to eliminate wrong answers

Option A is wrong because the 'match request uri regex ".*evil.*"' in OUTSIDE_INSPECT applies to traffic from the outside zone, not to the inside-to-outside traffic that users are using to reach the login page. Option B is wrong because the 'match request body regex ".*malware.*"' also applies to outside traffic and would not affect inside users accessing example.com. Option D is wrong because the class-map HTTP_CLASS is used to classify traffic for inspection, and matching the host header for example.com would not cause a block; the issue is the lack of a permit action, not the classification.

33
MCQ · medium

An administrator configures Cisco Email Security Appliance (ESA) to add a disclaimer to all outgoing emails using a content filter. The filter is enabled and matches all outgoing mail. However, some users report that the disclaimer is missing from their sent emails. Which action should the administrator take to troubleshoot?

A. Increase the memory allocated to the content filter engine.
B. Review the message filters in the 'Incoming' or 'Outgoing' mail policies that might be taking precedence.
C. Verify that the mail flow policy for outgoing mail is set to 'Accept'.
D. Check if the content filter is disabled or has an invalid condition.
Answer: B

Message filters are processed before content filters and could be silently discarding or modifying messages before the disclaimer is added.

Why this answer

Option B is correct because content filters on Cisco ESA are evaluated after message filters. If a message filter (e.g., one that strips headers or drops attachments) is applied in the same or a higher-priority mail policy, it can prevent the content filter from processing the message, causing the disclaimer to be missing. The administrator should review the message filters in the 'Incoming' or 'Outgoing' mail policies to identify any that might be taking precedence and interfering with the content filter's action.

Exam trap

Cisco often tests the concept that content filters are not the only filtering mechanism; message filters have higher priority and can preempt content filter execution, leading candidates to overlook the need to check message filter precedence.

How to eliminate wrong answers

Option A is wrong because increasing memory allocated to the content filter engine would not resolve a missing disclaimer issue; memory allocation affects performance under load, not the logical execution order of filters. Option C is wrong because the mail flow policy for outgoing mail must already be set to 'Accept' for the ESA to deliver messages; if it were set to 'Reject' or 'Bounce', the emails would not be sent at all, not just missing a disclaimer. Option D is wrong because the scenario states the filter is enabled and matches all outgoing mail, so checking if it is disabled or has an invalid condition is redundant; the issue lies in filter precedence, not the filter's configuration.

34
MCQ · easy

A company uses Cisco Umbrella to protect its remote users. The security team notices that some users are able to bypass Umbrella by using a different DNS resolver. Which deployment method ensures that all DNS traffic is forced through Umbrella?

A. Deploy the Umbrella virtual appliance in the data center.
B. Use BGP to redirect traffic to Umbrella.
C. Install the Umbrella roaming client on all endpoints.
D. Configure Active Directory integration.
Answer: C

The roaming client enforces DNS policy even if users change DNS settings.

Why this answer

The Cisco Umbrella roaming client (C) is the correct deployment method because it installs a local agent on each endpoint that intercepts all DNS queries at the operating system level, regardless of the DNS resolver configured in the network settings. This ensures that all DNS traffic is forced through Umbrella's cloud-based security platform, preventing users from bypassing protection by manually changing their DNS resolver to a non-Umbrella server.

Exam trap

Cisco often tests the misconception that network-level solutions (like a virtual appliance or BGP) can protect remote users, but the trap here is that remote endpoints require an agent-based approach (the roaming client) to enforce DNS policy locally, because network-level controls cannot intercept traffic that does not traverse the corporate network.

How to eliminate wrong answers

Option A is wrong because deploying the Umbrella virtual appliance in the data center only protects DNS traffic that passes through the corporate network; remote users' DNS queries are not routed through the data center, so they can still bypass Umbrella by using a different DNS resolver. Option B is wrong because BGP (Border Gateway Protocol) is used for routing IP traffic between autonomous systems, not for redirecting individual DNS queries from remote endpoints; it would require complex network-level redirection and does not enforce DNS policy on endpoints outside the corporate network. Option D is wrong because Active Directory integration with Umbrella provides identity-based policy enforcement and logging, but it does not force DNS traffic through Umbrella; users can still change their DNS resolver locally and bypass protection.

35
Multi-Select · easy

Which TWO benefits does the Cisco ESA provide for email security? (Choose two.)

Select 2 answers
A. Email encryption and data loss prevention
B. DNS-layer security
C. Network firewall functionality
D. Advanced threat protection against malware and phishing
E. Web content filtering
Answers: A, D

ESA offers encryption and DLP.

Why this answer

Option A is correct because the Cisco Email Security Appliance (ESA) includes integrated email encryption capabilities via Cisco Registered Envelope Service (CRES) or PGP/SMIME, and it provides Data Loss Prevention (DLP) through pre-defined or custom DLP policies that scan outbound emails for sensitive data patterns such as credit card numbers or PII. These features are core to the ESA's content security functionality.

Exam trap

Cisco often tests the distinction between the ESA's email-specific security features (encryption, DLP, anti-malware) and features belonging to other Cisco security products like Umbrella (DNS-layer security) or WSA (web filtering), so candidates mistakenly attribute cross-product capabilities to the ESA.

36
MCQ · easy

A company uses Cisco Web Security Appliance (WSA) to filter web traffic. The security team wants to block access to a specific category of websites (e.g., 'Social Networking') for all users except the HR department. Which WSA feature should be used to achieve this policy?

A. Routing policy
B. Decryption policy
C. Identity-based policy
D. Global access policy
Answer: C

Identity-based policies can apply different rules to different user groups based on authentication.

Why this answer

Identity-based policies in Cisco WSA allow you to apply different access rules based on the user or group identity, typically authenticated via Active Directory or LDAP. By creating an identity-based policy that exempts the HR department (e.g., via an AD group) and blocks the 'Social Networking' category for all other users, you achieve the required granular control without affecting the entire organization.

Exam trap

Cisco often tests the distinction between identity-based policies and global access policies, trapping candidates who think a global policy can be applied with exceptions, when in fact identity-based policies are required for user-specific exemptions.

How to eliminate wrong answers

Option A is wrong because routing policy controls how traffic is forwarded (e.g., next-hop or proxy chaining), not the per-user or per-group web access rules. Option B is wrong because decryption policy manages SSL/TLS interception and certificate handling, not category-based blocking based on user identity. Option D is wrong because global access policy applies uniformly to all traffic without user or group differentiation, so it cannot selectively exempt the HR department.

37
MCQ · medium

An organization is using Cisco ESA and wants to ensure that outgoing emails containing credit card numbers are blocked before leaving the network. Which feature should be configured?

A. Anti-Spam policies
B. Data Loss Prevention (DLP) policies
C. Encryption policies
D. Anti-Virus scanning
Answer: B

DLP inspects content for sensitive data patterns.

Why this answer

Cisco ESA uses Data Loss Prevention (DLP) policies to inspect outgoing email content for sensitive data such as credit card numbers. DLP can identify patterns (e.g., 16-digit card numbers) using predefined or custom dictionaries and enforce actions like blocking, quarantining, or encrypting the message before it leaves the network. Anti-Spam, Encryption, and Anti-Virus policies do not perform content-based pattern matching for sensitive data.

Exam trap

Cisco often tests the distinction between DLP (content inspection for sensitive data) and encryption (protecting data in transit), leading candidates to mistakenly choose Encryption policies when the goal is to block or prevent data exfiltration, not just secure the channel.

How to eliminate wrong answers

Option A is wrong because Anti-Spam policies are designed to filter inbound unwanted bulk email using reputation filters and content analysis, not to detect sensitive data patterns in outbound messages. Option C is wrong because Encryption policies control whether a message is encrypted during transit (e.g., via TLS or S/MIME), but they do not inspect the message body for credit card numbers or enforce blocking based on content. Option D is wrong because Anti-Virus scanning detects malware attachments and malicious code, not structured data like credit card numbers.

38
MCQ · easy

A network administrator needs to configure Cisco WSA to decrypt HTTPS traffic for inspection. What is the first step that must be completed?

A. Create a bypass list for internal sites
B. Configure an Access Control List (ACL) to allow decryption
C. Install a Certificate Authority (CA) certificate on the WSA and distribute it to clients
D. Configure user authentication
Answer: C

This allows the WSA to act as a trusted man-in-the-middle.

Why this answer

The first step in configuring Cisco WSA for HTTPS decryption is to install a Certificate Authority (CA) certificate on the WSA and distribute it to client devices. This establishes trust because the WSA acts as a man-in-the-middle, generating a new certificate for each HTTPS session signed by this CA; without the CA certificate in the clients' trusted root store, browsers will display certificate warnings and block the connection.

Exam trap

Cisco often tests the misconception that you first need to configure an ACL or bypass list before installing the CA certificate, but the fundamental prerequisite is establishing trust through certificate installation, otherwise decryption cannot function at all.

How to eliminate wrong answers

Option A is wrong because creating a bypass list for internal sites is an optional step to exclude certain traffic from decryption, not the prerequisite for enabling HTTPS decryption itself. Option B is wrong because an Access Control List (ACL) is used for traffic filtering or redirection, not for authorizing decryption; decryption is controlled by policies on the WSA, not by ACLs. Option D is wrong because user authentication is a separate feature for identity-based policies and is not required to perform HTTPS decryption; decryption can function without any authentication configured.

39
MCQ · medium

An administrator notices that some users receive spam messages even though the ESA policy is set to 'Quarantine' for suspected spam. The messages are not found in the user's spam quarantine. What is the most likely cause?

A. The sender's IP is in the allow list.
B. The spam threshold is set too low.
C. The anti-spam engine signatures are outdated.
D. Incoming mail is received on a listener that does not apply the anti-spam engine.
Answer: D

A listener with anti-spam disabled will deliver without scanning.

Why this answer

Option D is correct because if incoming mail is received on a mail policy (listener) that does not have the anti-spam engine enabled, the ESA will not apply any spam filtering to those messages. Even though the global or default policy may be set to 'Quarantine', the listener configuration determines which security services are invoked. Without the anti-spam engine on that listener, messages bypass spam detection entirely and are delivered directly to the user's inbox, never appearing in the spam quarantine.

Exam trap

Cisco often tests the distinction between global policy settings and per-listener service enablement, trapping candidates who assume that configuring a quarantine action in the mail policy automatically applies to all incoming mail paths.

How to eliminate wrong answers

Option A is wrong because an allow list entry would bypass spam filtering and deliver the message to the inbox, but the question states the messages are spam and not found in quarantine; an allow list would explain delivery but not the absence from quarantine, and the administrator would typically see the allow list entry. Option B is wrong because setting the spam threshold too low (i.e., a lower score required to classify as spam) would actually cause more messages to be flagged as spam and sent to quarantine, not fewer. Option C is wrong because outdated anti-spam engine signatures would likely result in false negatives (spam not detected), but the messages are still processed by the anti-spam engine; they would either be quarantined or delivered based on the policy, not bypass quarantine entirely.

40
MCQ · hard

A security engineer is configuring Cisco Web Security Appliance (WSA) to block access to social media sites during business hours. The company wants to allow access to LinkedIn for the HR department. Which policy configuration approach should the engineer use?

A. Create a time-based access policy to block social media during business hours, and an identity-based policy to allow LinkedIn for HR.
B. Enable HTTPS decryption and block social media based on content.
C. Create a global URL filtering policy to block social media and add an exception for LinkedIn.
D. Configure Data Loss Prevention (DLP) to block social media posts.
Answer: A

Time-based policies restrict access during specific hours, and identity policies can exempt HR.

Why this answer

Option A is correct because Cisco WSA uses a hierarchical policy model where time-based access policies control when traffic is allowed or blocked, and identity-based policies (using authentication or IP ranges) provide granular exceptions for specific user groups like HR. By combining a time-based policy to block social media during business hours and an identity-based policy to allow LinkedIn for HR, the engineer achieves the requirement without over-permitting access. This approach leverages WSA's ability to evaluate multiple policy types in order, ensuring the HR exception takes precedence for LinkedIn traffic.

Exam trap

Cisco often tests the distinction between global exceptions (which apply to all users) and identity-based exceptions (which apply to specific groups), leading candidates to incorrectly choose a global exception when a group-specific exception is required.

How to eliminate wrong answers

Option B is wrong because HTTPS decryption is not required to block social media based on URL categories; WSA can block social media using URL filtering without decrypting traffic, and enabling decryption unnecessarily adds complexity and privacy concerns. Option C is wrong because creating a global URL filtering policy to block social media and adding an exception for LinkedIn would allow LinkedIn for all users, not just HR, violating the requirement for HR-only access. Option D is wrong because Data Loss Prevention (DLP) is designed to prevent sensitive data exfiltration, not to block access to entire websites or categories like social media; DLP policies inspect content within allowed traffic, not enforce URL-based access controls.

41
MCQ · medium

An administrator is configuring DLP on the Cisco ESA to block social security numbers (SSNs) in outgoing email. The policy is set to 'Drop' for SSN matches, but some emails containing SSNs are still being delivered. What step should the administrator take to troubleshoot?

A. Increase the message size limit in the mail flow policy.
B. Verify that the DLP policy is enabled and assigned to the outgoing mail policy.
C. Ensure that TLS is enabled for outgoing mail.
D. Add additional SSN patterns to the DLP dictionary.
Answer: B

If not assigned, DLP rules won't apply.

Why this answer

The most likely reason SSNs are still being delivered is that the DLP policy is not actually applied to the outgoing mail policy. Even if the DLP policy is configured to 'Drop' for SSN matches, it will have no effect unless it is enabled and explicitly assigned to the mail policy that governs outbound messages. Without this assignment, the ESA will not inspect messages against the DLP dictionary, allowing SSNs to pass through.

Exam trap

Cisco often tests the distinction between configuring a feature (e.g., creating a DLP policy) and actually applying it to a mail policy, leading candidates to overlook the assignment step and focus on unrelated settings like message size or encryption.

How to eliminate wrong answers

Option A is wrong because increasing the message size limit in the mail flow policy would not prevent DLP from scanning or dropping messages; it only affects whether large messages are accepted or rejected before DLP processing. Option C is wrong because TLS is a transport encryption protocol and has no bearing on DLP content inspection or the enforcement of a 'Drop' action. Option D is wrong because the default SSN patterns in the DLP dictionary are already comprehensive; adding more patterns would not resolve the issue if the policy itself is not enabled or assigned to the outgoing mail policy.

42
MCQ · hard

During an email security audit, it is discovered that encrypted emails sent between two partners are being silently dropped by the Cisco ESA. The ESA uses a policy that decrypts incoming S/MIME messages for scanning. What is the most likely cause of the dropped messages?

A. The ESA is configured to re-encrypt outbound messages that were decrypted.
B. The ESA cannot decrypt the messages because the sender's certificate is not trusted by the ESA.
C. The messages contain encrypted attachments that exceed size limits.
D. The ESA is using TLS to receive the messages and the partner's certificate is untrusted.
Answer: B

S/MIME decryption requires trusting the sender's certificate; otherwise, the message may be dropped.

Why this answer

The Cisco ESA decrypts incoming S/MIME messages to perform content scanning. If the sender's certificate is not trusted by the ESA (i.e., not in the ESA's trusted certificate store or the certificate chain cannot be validated), the ESA cannot decrypt the message. This causes the message to be silently dropped because the policy requires decryption for scanning, and failure to decrypt results in the message being discarded rather than delivered.

Exam trap

The trap here is confusing transport-layer encryption (TLS) with message-level encryption (S/MIME), leading candidates to incorrectly select Option D, when the core issue is the ESA's inability to decrypt the S/MIME message due to an untrusted sender certificate.

How to eliminate wrong answers

Option A is wrong because re-encryption of outbound messages occurs after scanning and does not cause inbound messages to be dropped; it is a separate policy action. Option C is wrong because encrypted attachments exceeding size limits would trigger a different policy action (e.g., bounce or quarantine), not silent dropping, and the question states the entire email is dropped, not just the attachment. Option D is wrong because TLS is used for transport encryption between MTAs, not for S/MIME message decryption; an untrusted TLS certificate would cause a connection failure, not silent dropping of already-received S/MIME messages.

43
MCQ · easy

A company with 500 employees uses Cisco Web Security Appliance (WSA) as a proxy. They have a policy to block access to social media sites during working hours (9 AM - 5 PM) for all users except the marketing team. The marketing team must have unrestricted access at all times. The WSA is configured with a time-based access policy that blocks the 'Social Networking' category from 9 AM to 5 PM, and an identity policy that identifies the marketing team by Active Directory group. However, marketing users report that they are blocked from social media during working hours. What is the most likely cause?

A. The time-based policy is set to block social media from 9 AM to 5 PM, but the marketing team's identity policy is not explicitly set to 'Monitor' or 'Allow' for that category.
B. The WSA requires authentication for all users, but marketing users are not prompted to authenticate.
C. The identity policy for the marketing team has a 'Use Global Policy' action for social networking, which then applies the time-based block.
D. The marketing team's Active Directory group is not being recognized by the WSA due to a synchronization issue.
Answer: C

If the identity policy uses 'Use Global Policy', the time-based block from the global policy applies, blocking marketing users.

Why this answer

Option C is correct because when an identity policy is set to 'Use Global Policy' for a specific category, it defers to the global access policy, which in this case includes the time-based block for social networking. Since the marketing team's identity policy does not explicitly override the global policy with an 'Allow' or 'Monitor' action for the 'Social Networking' category, the time-based block applies to them as well.

Exam trap

The trap here is that candidates often confuse identity policies with access policies, thinking that identifying a user group automatically grants them different access, when in fact the identity policy must be paired with a separate access policy that explicitly overrides the global policy.

How to eliminate wrong answers

Option A is wrong because the issue is not that the identity policy lacks an explicit 'Monitor' or 'Allow' action; rather, the identity policy is set to 'Use Global Policy', which causes the global time-based block to apply. Option B is wrong because the WSA does require authentication for identity-based policies, but the marketing users are likely authenticating successfully (otherwise they would not be identified as marketing users at all); the problem is the policy action, not authentication failure. Option D is wrong because if the Active Directory group were not recognized, the marketing users would not be identified by the identity policy at all, and they would likely fall into a default policy that also blocks social media; however, the question states they are identified as marketing users but still blocked, indicating the group is recognized.

44
Multi-Select · hard

Which THREE components are part of a Cisco Cloud Web Security (CWS) deployment with on-premises connectors? (Choose three.)

Select 3 answers
A. Cisco ASA firewall as the forward proxy
B. On-premises Connector appliance
C. Cloud-based policy management portal
D. Cisco Web Security Appliance (WSA)
E. Cisco Cloud Scanning Center
Answers: B, C, E

The Connector sends traffic to the cloud scanning center.

Why this answer

The On-premises Connector appliance (option B) is a core component of a Cisco CWS deployment with on-premises connectors. It acts as a local proxy that forwards web traffic from users to the Cisco Cloud Scanning Center for threat inspection, while also caching content locally to reduce latency. This appliance integrates with existing network infrastructure to enable cloud-based web security without requiring full traffic redirection to the cloud.

Exam trap

Cisco often tests the distinction between the On-premises Connector appliance and the Cisco Web Security Appliance (WSA), as candidates may confuse the cloud-based CWS connector with the fully on-premises WSA solution.

45
Multi-Select · easy

Which THREE of the following are true regarding HTTPS decryption on Cisco Web Security Appliance (WSA)? (Choose three.)

Select 3 answers
A. Decryption can be selectively applied based on URL category.
B. The WSA must generate a unique CA certificate that is distributed to clients.
C. Decryption is transparent to the user and does not require any client configuration.
D. HTTPS decryption is enabled by default for all traffic.
E. Decryption can impact WSA performance due to the cryptographic overhead.
Answers: A, B, E

Administrators can choose categories to decrypt or bypass.

Why this answer

Option A is correct because Cisco WSA allows administrators to define decryption policies that selectively decrypt HTTPS traffic based on URL categories (e.g., Social Networking, Finance, Health). This granular control enables organizations to balance security inspection with privacy compliance, decrypting only high-risk categories while bypassing sensitive ones like banking or healthcare.

Exam trap

Cisco often tests the misconception that HTTPS decryption is transparent or automatic, but the trap is that it always requires client-side trust configuration (e.g., installing the WSA's CA certificate) and is never enabled by default.

46
MCQ · easy

A company uses Cisco Web Security Appliance (WSA) in explicit proxy mode. Users report that some HTTPS websites fail to load. The administrator checks the logs and sees that the WSA is not generating any certificate for those sites. What is the most likely cause?

A. HTTPS decryption is disabled globally or for the specific category.
B. The website uses certificate pinning, which prevents interception.
C. The WSA CA certificate is not installed in the user's browser trust store.
D. The WSA is configured to bypass decryption for the user's subnet.
Answer: A

If decryption is disabled, the WSA does not generate certificates; it tunnels the HTTPS traffic without inspection, which should still work unless proxy settings are misconfigured.

Why this answer

When HTTPS decryption is disabled globally or for a specific category, the WSA cannot generate a certificate to intercept and inspect the traffic. In explicit proxy mode, the WSA must decrypt HTTPS traffic to apply security policies; without decryption enabled, the proxy simply forwards the traffic without generating a certificate, causing the browser to fail to establish a secure connection for sites that require inspection.

Exam trap

Cisco often tests the distinction between 'no certificate generated' (indicating decryption is disabled) versus 'certificate error' (indicating trust issues or pinning), so candidates mistakenly choose options related to certificate trust or pinning when the core issue is that decryption is simply not enabled.

How to eliminate wrong answers

Option B is wrong because certificate pinning is a client-side security mechanism that does not prevent the WSA from generating a certificate; the WSA would still generate its own certificate, but the browser would reject it due to pinning mismatch, which would appear as a certificate error, not a failure to generate a certificate. Option C is wrong because if the WSA CA certificate is not installed in the user's browser trust store, the browser would display a certificate warning or error, but the WSA would still generate a certificate for the site; the logs would show certificate generation, not a lack of it. Option D is wrong because bypassing decryption for a subnet means the WSA would not attempt to generate a certificate for those users, but the logs would show that traffic is being bypassed, not that no certificate is generated; the question states the WSA is not generating certificates for those sites, which implies decryption is disabled globally or per category, not per subnet.

47
MCQ · easy

An administrator wants to block the download of executable files (.exe) via HTTP using Cisco WSA. Which approach is most effective?

A. Enable Anti-Malware scanning for executables
B. Configure a Web Reputation policy to block low-reputation sites
C. Create a URL filtering policy with action 'Block' for the category 'Executable Files'
D. Use a PAC file to bypass the proxy for executable downloads
Answer: C

WSA's URL filtering can block based on MIME type of file downloads.

Why this answer

Option C is correct because Cisco WSA's URL filtering policies include a predefined content category called 'Executable Files' that specifically targets file extensions like .exe, .dll, and .msi. By setting the action to 'Block' for this category, the administrator can prevent HTTP downloads of executable files without affecting other traffic. This is the most direct and effective method as it operates at the application layer, inspecting the URL path for file extensions.

Exam trap

Cisco often tests the distinction between content filtering (blocking by file type) and security scanning (detecting threats), leading candidates to mistakenly choose Anti-Malware scanning when the goal is to block all executable downloads regardless of maliciousness.

How to eliminate wrong answers

Option A is wrong because Anti-Malware scanning only detects and blocks malicious executables after the download is initiated, not preventing the download itself; it also requires a license and may allow benign executables through. Option B is wrong because Web Reputation policies score websites based on risk, not file types; a low-reputation site might still host legitimate executables, and a high-reputation site could serve malicious .exe files. Option D is wrong because a PAC file only controls proxy routing (bypassing the proxy for certain destinations) and does not block content; it would allow executable downloads to go directly to the internet without inspection.

48
MCQ · hard

Refer to the exhibit. An administrator sees that the file invoice_2024.exe was blocked by both Cisco AMP and ESA. However, a user claims the attachment was delivered. What is the most likely cause?

A. The ESA was not configured to use AMP for file reputation.
B. The ESA was configured to 'Deliver then alert' for malware detected by AMP.
C. The AMP file reputation check was not performed due to an ACL misconfiguration.
D. The file was whitelisted in the AMP policy.
Answer: B

In 'Deliver then alert' mode, the email is delivered and an alert is sent, explaining why the user received it.

Why this answer

Option B is correct because when Cisco ESA is configured with 'Deliver then alert' for malware detected by AMP, the email is delivered to the user before the AMP file reputation analysis completes. The ESA sends the file to AMP for analysis, but if the policy is set to deliver first and alert later, the user receives the attachment even if AMP later determines it is malicious. This explains why the administrator sees the block in both AMP and ESA logs, yet the user claims delivery.

Exam trap

Cisco often tests the distinction between 'Deliver then alert' and 'Block' or 'Deliver and alert' modes in ESA AMP integration, where candidates mistakenly assume that a block in AMP logs means the file was never delivered, but the 'Deliver then alert' policy allows delivery before the block verdict is received.

How to eliminate wrong answers

Option A is wrong because if the ESA were not configured to use AMP for file reputation, the file would not have been blocked by AMP at all, but the exhibit shows it was blocked by both AMP and ESA, indicating AMP integration is active. Option C is wrong because an ACL misconfiguration would prevent the file from being sent to AMP for reputation check, resulting in no AMP block event, but the exhibit shows AMP did block the file, so the check was performed. Option D is wrong because if the file were whitelisted in the AMP policy, AMP would not have blocked it, contradicting the exhibit showing a block by AMP.

49
MCQ · medium

A multinational corporation uses Cisco AMP for Endpoints with cloud-based file reputation. The security team notices that a file that was previously determined to be clean (disposition: clean) is now reported as malicious by a threat intelligence feed. However, AMP has not taken any action on endpoints that already executed the file. The administrator confirms that retrospective security is enabled. What should the administrator check first to ensure that the file is remediated on all affected endpoints?

A. Verify that the file is not excluded from scanning due to an anti-virus exclusion list.
B. Confirm that the endpoints have internet connectivity to the AMP cloud.
C. Check that the policy assigned to the endpoints has the 'Remediate Now' option enabled for files with changed dispositions.
D. Ensure that the file is being analyzed by the local AMP engine for accurate detection.
Answer: C

Automatic remediation requires an explicit policy setting.

Why this answer

Option C is correct because when a file's disposition changes from clean to malicious in the AMP cloud, the 'Remediate Now' policy setting controls whether AMP automatically triggers remediation actions (such as quarantine or deletion) on endpoints that have already executed the file. Even with retrospective security enabled, the administrator must ensure that the policy assigned to the endpoints has this option enabled; otherwise, the cloud will send the updated disposition but the endpoint will not automatically act on it.

Exam trap

Cisco often tests the distinction between 'retrospective security' being enabled (which allows the cloud to send updated dispositions) and the 'Remediate Now' policy setting (which controls whether the endpoint automatically acts on those updates), leading candidates to incorrectly assume that enabling retrospective security alone is sufficient for automatic remediation.

How to eliminate wrong answers

Option A is wrong because antivirus exclusion lists affect real-time or on-access scanning, not the retrospective remediation of a file whose disposition has changed in the cloud; exclusions would prevent initial detection but do not block cloud-triggered remediation. Option B is wrong because endpoints must have internet connectivity to receive the updated disposition from the AMP cloud, but the question states that the administrator confirms retrospective security is enabled, implying connectivity is already present; the issue is the lack of automatic remediation action, not connectivity. Option D is wrong because the local AMP engine handles initial file analysis and detection, but the file was previously determined clean by the cloud; the local engine does not re-analyze files for retrospective disposition changes—that is a cloud-driven function.

50
Multi-Select · hard

Which THREE features are available in Cisco Umbrella to protect against DNS-based threats? (Choose three.)

Select 3 answers
A. IP-layer enforcement
B. Application control
C. DNS-layer security
D. Data Loss Prevention (DLP)
E. Anti-virus scanning
Answers: A, B, C

Blocks traffic to malicious IP addresses.

Why this answer

Cisco Umbrella provides DNS-layer security (option C) as its core function, intercepting DNS queries to block requests to malicious domains before a connection is established. IP-layer enforcement (option A) extends protection by applying policies based on the destination IP address, blocking traffic to known malicious IPs even if DNS resolution is bypassed. Application control (option B) allows administrators to permit or block specific cloud applications (e.g., Dropbox, Facebook) at the DNS level, preventing data exfiltration or unauthorized usage through DNS-based application identification.

Exam trap

Cisco often tests the distinction between DNS-layer security (which blocks at the query level) and IP-layer enforcement (which blocks at the network layer), and candidates mistakenly think DLP or anti-virus are part of Umbrella because they confuse it with other Cisco security products like WSA or Secure Endpoint.

51
MCQ · hard

A university is using Cisco WSA to filter web traffic for its students and staff. The WSA is configured with transparent proxy mode and uses Active Directory for authentication. Recently, the IT department received complaints that some users cannot access certain educational websites that are correctly categorized as 'Education'. The WSA policy has a default rule that blocks all categories except those explicitly allowed. The 'Education' category is set to 'Allow'. However, affected users are shown a block page with the reason 'Web Reputation: Low Reputation'. The Web Reputation threshold is set to -5.0. The IT team checked the reputation scores of the blocked sites and found they are around -4.5. What is the most likely reason for the block?

A. The Web Reputation action is set to 'Block' for scores below 0, overriding the URL filtering allow
B. The 'Education' category is not included in the allowed list for the specific identification profile
C. The users are not authenticated properly and are assigned a default policy that blocks education
D. The HTTPS decryption is failing for those sites, causing a block
Answer: A

Reputation actions can override URL filtering, blocking sites with low reputation even if the category is allowed.

Why this answer

Option A is correct because the Web Reputation action configured in the WSA policy overrides the URL category-based allow rule. Even though the 'Education' category is set to 'Allow', the Web Reputation threshold is set to -5.0, and the blocked sites have a reputation score of -4.5 (which is below the threshold, meaning worse reputation). The WSA applies the most restrictive action: if Web Reputation is set to 'Block' for scores below 0, it will block traffic regardless of the category allow action, resulting in the block page showing 'Web Reputation: Low Reputation'.

Exam trap

Cisco often tests the concept that Web Reputation actions can override URL category allow rules, leading candidates to mistakenly focus on category misconfiguration or authentication issues when the block page explicitly indicates reputation as the reason.

How to eliminate wrong answers

Option B is wrong because the question states the 'Education' category is set to 'Allow' in the WSA policy, and the block page explicitly cites 'Web Reputation: Low Reputation', not a category mismatch. Option C is wrong because the block page reason is reputation-based, not authentication-related; if users were unauthenticated, they would likely see a different block message or be redirected to a login page, not a reputation block. Option D is wrong because HTTPS decryption failure would typically result in a certificate error or a 'decryption failed' block page, not a 'Web Reputation: Low Reputation' message; reputation scoring is independent of decryption status.

52
MCQ · medium

An organization is using Cisco ESA to protect against email-borne threats. They notice that some phishing emails are not being caught by the anti-spam engine. The emails contain malicious URLs that are rewritten by the ESA. Which feature should be verified to ensure the rewritten URLs are properly analyzed?

A. Data Loss Prevention (DLP) policies
B. URL filtering and analysis settings
C. Anti-Virus scanning engine
D. Encryption policies
Answer: B

This ensures rewritten URLs are analyzed for malicious content.

Why this answer

B is correct because the URL filtering and analysis settings control how the Cisco ESA rewrites and subsequently analyzes malicious URLs. When a phishing email contains a malicious URL, the ESA can rewrite the URL to point to its own proxy for real-time analysis. If this feature is not properly configured or if the analysis settings (such as reputation scoring or time-of-click verification) are disabled, the rewritten URLs may not be inspected, allowing the threat to bypass detection.

Exam trap

Cisco often tests the distinction between features that inspect content (anti-spam, anti-virus) versus features that analyze URLs at the time of click, leading candidates to mistakenly choose anti-virus or anti-spam options when the question specifically involves rewritten URLs.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies are designed to prevent sensitive data from leaving the organization, not to analyze rewritten URLs for malicious content. Option C is wrong because the Anti-Virus scanning engine focuses on detecting malware in attachments or body content, not on analyzing rewritten URLs or their destinations. Option D is wrong because encryption policies govern the use of TLS or S/MIME for secure email transmission, not the inspection or analysis of rewritten URLs.

53
Multi-Select · medium

Which TWO of the following are best practices when configuring Cisco Email Security Appliance (ESA) anti-spam filters? (Choose two.)

Select 2 answers
A. Rely solely on IP reputation lists for spam detection.
B. Adjust threshold levels per sender group to reduce false positives.
C. Use a combination of Cisco Anti-Spam and a third-party anti-spam engine.
D. Set the anti-spam action to 'Delete' for high-scoring messages.
E. Enable all available anti-spam engines to ensure maximum detection.
Answers: B, C

Different sender groups may require different sensitivity.

Why this answer

Best practices for ESA anti-spam include layering more than one anti-spam engine for detection and tuning threshold levels per sender group. Option C is correct because using both Cisco Anti-Spam and a third-party engine improves detection. Option B is correct because tuning thresholds per sender group reduces false positives.

Option E is incorrect because enabling every available engine can cause performance issues. Option D is incorrect because deleting without quarantine may cause loss of legitimate mail. Option A is incorrect because reputation lists alone are the least accurate method.

54
MCQ · easy

A company wants to allow employees to access webmail services but block any upload of attachments that contain malware. Which feature of Cisco WSA should be configured?

A. Data Loss Prevention (DLP) policy
B. Application Visibility and Control (AVC)
C. URL filtering policy
D. Malware scanning with DVS engine
Answer: D

DVS engine scans files for malware, including uploads.

Why this answer

Option D is correct because the Dynamic Vectoring and Scoring (DVS) engine in Cisco WSA provides advanced malware detection by analyzing file attachments in real time, including webmail uploads. It uses multiple scanning techniques, such as reputation analysis and file-type identification, to block malware before it reaches the user. This directly addresses the requirement to prevent malware-laden attachments in webmail traffic.

Exam trap

Cisco often tests the distinction between DLP (data loss prevention) and malware scanning, leading candidates to mistakenly choose DLP when the question is about blocking malicious content rather than preventing data leakage.

How to eliminate wrong answers

Option A is wrong because Data Loss Prevention (DLP) policies are designed to prevent sensitive data from leaving the network (e.g., credit card numbers, PII), not to detect or block malware in attachments. Option B is wrong because Application Visibility and Control (AVC) focuses on identifying and controlling application traffic (e.g., blocking or shaping webmail apps), not on scanning file content for malware. Option C is wrong because URL filtering policies control access based on web categories or reputation, not on the content of uploaded attachments; they cannot inspect or block malware within files.

55
MCQ · hard

An administrator configures Cisco Email Security Appliance (ESA) with an outbreak filter to handle a new ransomware variant. The outbreak filter is set to 'Quarantine' for messages with a threat score above 70. After deployment, some legitimate emails with a threat score of 75 are quarantined. The administrator wants to reduce false positives without compromising security. Which configuration change should be made?

A. Disable the outbreak filter temporarily to allow all emails.
B. Increase the threat score threshold to 80 or higher.
C. Create a content filter to bypass outbreak filtering for known good senders.
D. Configure the outbreak filter to 'Analyze' instead of 'Quarantine' for scores between 70 and 80.
Answer: D

Analysis allows the ESA to gather more intelligence and possibly release the email if it's determined safe, reducing false positives.

Why this answer

Option D is correct because it allows the administrator to apply a graduated response: messages with threat scores between 70 and 80 are analyzed (e.g., delivered with a warning or delayed) rather than quarantined, reducing false positives while still providing security. The outbreak filter in Cisco ESA supports multiple actions per score range, enabling a tiered policy that avoids an all-or-nothing approach. This maintains protection against truly high-risk messages (score >80) while sparing borderline legitimate traffic.

Exam trap

Cisco often tests the distinction between outbreak filter actions (Quarantine, Analyze, Deliver) and the misconception that content filters can override outbreak filter verdicts, when in reality outbreak filters are evaluated first and content filters cannot bypass them.

How to eliminate wrong answers

Option A is wrong because disabling the outbreak filter entirely removes all protection against the ransomware variant, which compromises security. Option B is wrong because increasing the threshold to 80 or higher would still quarantine legitimate emails with a score of 75, failing to address the false positive issue; it merely shifts the cutoff without resolving the underlying problem of borderline scores. Option C is wrong because content filters operate independently from outbreak filters and cannot bypass outbreak filtering; outbreak filters evaluate messages based on threat scores from Talos/Sophos, and a content filter cannot override that action unless the message is already allowed through the outbreak filter.

56
MCQ · hard

You are a security engineer for a multinational corporation with 5,000 employees. The company uses Cisco Umbrella for DNS-layer security, Cisco Web Security Appliance (WSA) for proxy services in the data center, and Cisco Email Security Appliance (ESA) for email security. Recently, the security team has received multiple reports of users receiving phishing emails that bypass the ESA. The emails contain links to malicious websites that are also not blocked by Umbrella or WSA. Upon investigation, you find that the phishing emails use newly registered domains (less than 24 hours old) and the malicious websites are hosted on cloud infrastructure with frequently changing IP addresses. The company's current security policies rely on signature-based detection and static blocklists. Which action should you take to most effectively mitigate these threats?

A. Deploy Cisco Threat Response to enable automated threat hunting and blocking across all security products.
B. Configure the WSA to block all domains registered within the last 30 days.
C. Enable Data Loss Prevention (DLP) on the ESA to scan email content for sensitive data.
D. Increase the frequency of signature updates on the ESA and WSA to every hour.
Answer: A

Cisco Threat Response uses real-time intelligence to block emerging threats across the entire security stack.

Why this answer

Option A is correct because Cisco Threat Response (CTR) provides integrated threat hunting and automated blocking across Cisco security products, including Umbrella, WSA, and ESA. This enables the security team to correlate indicators of compromise (IoCs) from phishing emails and newly registered domains, then automatically block them across all layers, addressing the dynamic nature of the threat (fast-flux hosting and newly registered domains) that signature-based and static blocklists cannot handle.

Exam trap

Cisco often tests the misconception that increasing signature update frequency or using broad domain-blocking rules can effectively stop zero-day or rapidly changing threats, when in fact integrated threat intelligence and automated response (like CTR) are required to address dynamic attacks that bypass signature-based and static defenses.

How to eliminate wrong answers

Option B is wrong because blocking all domains registered within the last 30 days is overly aggressive and would cause massive false positives, as many legitimate domains (e.g., for marketing campaigns or new business sites) are registered daily; it also does not leverage the integrated threat intelligence needed to dynamically identify malicious new domains. Option C is wrong because DLP on the ESA focuses on preventing data exfiltration by scanning for sensitive content (e.g., credit card numbers, PII), not on detecting or blocking phishing emails with malicious links; it does not address the core issue of bypassing email and web security. Option D is wrong because increasing signature update frequency on ESA and WSA still relies on signature-based detection, which cannot protect against zero-day or rapidly changing threats like newly registered domains and fast-flux IP addresses; signatures are reactive and require time to be created and distributed.

57
MCQ · easy

A small business uses Cisco Umbrella to protect its 50 employees. One employee reports that they cannot access a specific website (www.example.com) that is required for their work. The administrator checks the Umbrella dashboard and sees that the domain is categorized as 'Social Networking' and is blocked by the company's policy. However, the employee argues that the website is actually a business tool. The administrator verifies that the website is indeed legitimate. What is the best course of action to restore access while maintaining security?

A. Contact Cisco Umbrella support to re-categorize the domain.
B. Disable the 'Social Networking' category blocking policy.
C. Create a policy override to allow the specific domain while keeping the category blocked.
D. Remove the user from the Umbrella policy entirely.
Answer: C

Targeted exception.

Why this answer

Option C is correct because Cisco Umbrella allows administrators to create per-domain policy overrides that bypass the category-based block for a specific domain while keeping the broader category (e.g., 'Social Networking') blocked for all other domains. This approach restores access to the legitimate business tool without weakening the overall security posture by disabling the entire category or removing the user from policy enforcement.

Exam trap

Cisco often tests the concept that category-based blocking can be fine-tuned with per-domain overrides rather than requiring category reclassification or disabling the entire category, tempting candidates to choose the simpler but less secure options like disabling the category or removing the user from policy.

How to eliminate wrong answers

Option A is wrong because contacting Cisco Umbrella support to re-categorize the domain is unnecessary and time-consuming; the domain is correctly categorized as 'Social Networking' based on its content, and the issue is a false positive for this specific business need, not a categorization error. Option B is wrong because disabling the entire 'Social Networking' category blocking policy would allow access to all social networking sites, significantly increasing the attack surface and violating the company's security policy. Option D is wrong because removing the user from the Umbrella policy entirely would strip all web filtering protection for that employee, exposing them to malicious sites and defeating the purpose of using Umbrella.

58
MCQ · easy

A hospital uses Cisco ESA for email security. The compliance team requires that all emails containing protected health information (PHI) be encrypted before leaving the organization. The administrator has configured a content filter that matches emails containing patterns like 'Patient ID: [0-9]{9}' and sends them to the encryption service. However, some encrypted emails are being rejected by the recipient's mail server because the encryption is applied after the email has already been processed. What is the most likely reason for this issue?

A. The encryption action is configured as 'deliver then encrypt' instead of 'encrypt then deliver'.
B. The content filter is only applied to incoming emails, not outgoing.
C. The recipient's mail server does not support the encryption protocol used.
D. The email exceeds the maximum size limit for encryption.
Answer: A

Order of actions matters.

Why this answer

Option A is correct because Cisco ESA processes emails through a series of mail policies and content filters before delivery. If the encryption action is configured as 'deliver then encrypt', the email is first sent to the recipient's mail server, and then encryption is attempted as a separate, asynchronous action. This means the email leaves the organization unencrypted, and the recipient's server may reject it if it expects encryption from the start.

The correct configuration should be 'encrypt then deliver', which ensures the email is encrypted before it is queued for delivery, preventing rejection due to unencrypted content.

Exam trap

Cisco often tests the distinction between 'deliver then encrypt' and 'encrypt then deliver' as a common misconfiguration, where candidates assume encryption is always applied before delivery without checking the order of actions in the content filter or mail policy.

How to eliminate wrong answers

Option B is wrong because content filters in Cisco ESA are applied based on the mail policy (incoming or outgoing), and the scenario explicitly states the requirement is for emails leaving the organization, so the filter would be applied to outgoing emails, not incoming. Option C is wrong because the issue described is that encryption is applied after the email has already been processed, not that the recipient's server lacks support for the encryption protocol; if the protocol were unsupported, the rejection would occur regardless of timing. Option D is wrong because Cisco ESA does not have a maximum size limit for encryption that would cause rejection after processing; size limits typically trigger a different action (e.g., bounce or skip) before delivery, not a post-processing rejection.

59
Multi-Select · medium

Which TWO actions are recommended best practices for securing web traffic using Cisco Umbrella?

Select 2 answers
A. Configure SSL decryption to always bypass traffic to trusted domains.
B. Configure the network to use the root DNS forwarder for all DNS queries.
C. Enable IP-layer enforcement for all destinations.
D. Configure local security stack bypass for all internal IP ranges.
E. Use Selective Proxy with PAC files to route traffic based on destination category.
Answers: C, E

IP-layer enforcement blocks malicious IPs at the network layer, providing comprehensive protection.

Why this answer

Option C is correct because enabling IP-layer enforcement in Cisco Umbrella ensures that all traffic to destinations that match a blocked category is dropped at the IP layer, even if DNS-based blocking is bypassed (e.g., via direct IP connections). This provides a second layer of protection by inspecting and blocking traffic based on the destination IP address, preventing users from circumventing DNS filtering by using IP addresses directly.

Exam trap

Cisco often tests the misconception that DNS-layer blocking is sufficient for full web security, but the trap here is that IP-layer enforcement is required to catch traffic that bypasses DNS, such as direct IP connections or non-DNS protocols.

60
MCQ · medium

A company uses Cisco Web Security Appliance (WSA) with transparent proxy mode. Recently, they enabled NTLM authentication. Some users are intermittently prompted for credentials while browsing. What is the most likely cause of this behavior?

A. The WSA is configured to prompt for authentication only for specific categories.
B. The user's browser has cached an incorrect credential.
C. The WSA is set to use Kerberos instead of NTLM.
D. The WSA is not configured to handle NTLM persistent connections, causing the browser to re-authenticate on each request.
Answer: D

Without persistent connections, each HTTP request may trigger a new NTLM challenge, leading to prompts.

Why this answer

In transparent proxy mode with NTLM authentication, the WSA must maintain persistent connections to avoid re-authentication on every HTTP request. If the WSA is not configured to handle NTLM persistent connections (e.g., by enabling connection reuse or adjusting keepalive settings), the browser will be prompted repeatedly for credentials because each new TCP connection triggers a new NTLM challenge-response cycle. This intermittent behavior occurs because some connections may be reused while others are not, depending on browser and proxy settings.

Exam trap

Cisco often tests the distinction between authentication protocol selection (Kerberos vs. NTLM) and the underlying transport behavior (persistent vs. non-persistent connections), leading candidates to incorrectly blame the protocol type rather than connection handling.

How to eliminate wrong answers

Option A is wrong because prompting for authentication only for specific categories would cause consistent prompts for those categories, not intermittent prompts across all browsing. Option B is wrong because a cached incorrect credential would result in consistent authentication failures or repeated prompts, not intermittent behavior that varies per request. Option C is wrong because if the WSA were set to use Kerberos instead of NTLM, the browser would attempt Kerberos authentication (which may fall back to NTLM), but the core issue of intermittent prompts is not caused by the authentication protocol choice itself; it is caused by the lack of persistent connection handling for NTLM.

61
MCQ · medium

A company uses Cisco Umbrella to enforce web security. After deploying a new policy that blocks all social media sites, users report that they cannot access a corporate Salesforce instance that uses a social login feature. Which Umbrella setting should be adjusted to resolve the issue without weakening the policy?

A. Create a bypass code for users to access Salesforce
B. Disable the Social Networking category under Content Categories
C. Configure Intelligent Proxy to inspect Salesforce traffic
D. Add Salesforce to the Application Settings allowed list
Answer: D

This allows the Salesforce application even if the social networking category is blocked.

Why this answer

Option D is correct because the social login feature for Salesforce is being blocked by the Social Networking content category in Cisco Umbrella. By adding Salesforce to the Application Settings allowed list, you permit the specific application traffic while keeping the broader social media policy intact. This granular control ensures that only the required Salesforce instance bypasses the block, without weakening the overall security posture.

Exam trap

Cisco often tests the distinction between content categories and application settings, where candidates mistakenly think disabling a category or using a bypass code is the correct approach, rather than using the granular allowed list for specific applications.

How to eliminate wrong answers

Option A is wrong because creating a bypass code for users would allow them to circumvent the policy entirely, weakening security and not addressing the specific Salesforce application issue. Option B is wrong because disabling the Social Networking category would remove the block on all social media sites, completely undermining the policy's intent. Option C is wrong because Intelligent Proxy is used for inspecting and controlling web traffic, not for allowing specific applications; it would not resolve the blocking of Salesforce's social login feature.

62
MCQ · easy

A company wants to prevent sensitive data such as credit card numbers from being sent via email. Which Cisco ESA feature should be enabled?

A. Anti-Spam
B. Secure/Multipurpose Internet Mail Extensions (S/MIME)
C. Data Loss Prevention (DLP)
D. Anti-Malware
Answer: C

DLP scans email content for sensitive data patterns.

Why this answer

C is correct because Data Loss Prevention (DLP) is the Cisco ESA feature specifically designed to inspect email content and attachments for sensitive data patterns, such as credit card numbers, and enforce policies to prevent their unauthorized transmission. DLP uses predefined or custom dictionaries and message filters to detect and block or quarantine such data, directly addressing the requirement to prevent sensitive data from being sent via email.

Exam trap

Cisco often tests the distinction between security features that protect against external threats (Anti-Spam, Anti-Malware) versus those that control internal data leakage (DLP), leading candidates to confuse content inspection for malicious intent with content inspection for sensitive data.

How to eliminate wrong answers

Option A is wrong because Anti-Spam is designed to filter unsolicited bulk email based on reputation and content analysis, not to inspect for sensitive data patterns like credit card numbers. Option B is wrong because S/MIME is a protocol for encrypting and digitally signing email messages to ensure confidentiality and authentication, but it does not inspect or prevent the sending of sensitive data; it only secures the transport. Option D is wrong because Anti-Malware is focused on detecting and blocking malicious software (viruses, worms, trojans) in email attachments or links, not on identifying or preventing the transmission of sensitive data patterns.

63
MCQ · medium

Refer to the exhibit. The engineer configured a file type filter for executables on access policy Policy_A. However, .exe files from trusted_sites are still being allowed. What is the most likely reason for this behavior?

A. The file type filter is applied to the wrong access policy.
B. The URL category for trusted_sites is blocking the file type filter from being evaluated.
C. The file type filter action is set to 'monitor' instead of 'block'.
D. The access policy order is incorrect; a less specific policy is matching before Policy_A.
Answer: C

A 'monitor' action only logs and does not block; to block, the action must be set to 'block'.

Why this answer

Option C is correct because the file type filter action is set to 'monitor', which only logs matches, instead of 'block'. The access policy action is 'allow', so without a block action in the file type filter, executables are allowed through. Option A is wrong because the file type filter is applied to Policy_A, the policy in question.

Option B is wrong because the filter matches the executables file-type category, and a URL category does not prevent a file type filter from being evaluated. Option D is wrong because nothing in the exhibit indicates that policy order is an issue.

64
MCQ · medium

A network administrator is deploying Cisco AMP for Endpoints to protect against advanced malware. They want to ensure that if a file is initially allowed but later determined to be malicious, the file is automatically blocked and quarantined on all endpoints that have executed it. Which AMP feature should be configured?

A. Retrospective Security (Retrospective)
B. TETRA (Technique Extraction and Retrospective Analysis)
C. File Analysis via the AMP cloud
D. Exclude List for known good files
Answer: A

Updates disposition and remediates.

Why this answer

Retrospective Security (Retrospective) is the correct feature because it allows Cisco AMP for Endpoints to re-evaluate files that were initially allowed based on local or cloud reputation. If a file is later determined to be malicious via updated threat intelligence, Retrospective Security automatically blocks and quarantines that file on all endpoints that have executed it, even after the initial execution. This provides continuous protection against advanced malware that evades initial detection.

Exam trap

The trap here is that candidates confuse TETRA (a network-based exploit detection engine) with endpoint-based retrospective file quarantine, or they assume File Analysis alone provides automatic retroactive remediation without understanding that it requires the Retrospective Security feature to be explicitly enabled.

How to eliminate wrong answers

Option B (TETRA) is wrong because TETRA (Technique Extraction and Retrospective Analysis) is a feature of Cisco Firepower and Snort that extracts and analyzes exploit techniques from network traffic, not a file-level retrospective quarantine capability for endpoints. Option C (File Analysis via the AMP cloud) is wrong because it refers to submitting files to the cloud for static and dynamic analysis to determine maliciousness, but it does not automatically retroactively block and quarantine files already executed on endpoints. Option D (Exclude List for known good files) is wrong because it is a whitelisting mechanism to prevent false positives, not a feature that blocks or quarantines files later found malicious.

65
Multi-Select · easy

Which TWO are valid methods for integrating Cisco Umbrella with an existing network to provide DNS-layer security?

Select 2 answers
A. SNMP monitoring of DNS queries.
B. Roaming Security client installed on endpoints.
C. IPsec VPN tunnel to Umbrella cloud.
D. Active Directory integration to forward DNS requests to Umbrella virtual appliances.
E. BGP peering to route DNS traffic to Umbrella.
Answers: B, D

Client software provides DNS filtering on any network.

Why this answer

Option B is correct because the Cisco Umbrella Roaming Security client, when installed on endpoints, automatically redirects DNS queries to the Umbrella cloud via a local proxy, providing DNS-layer security without requiring network infrastructure changes. This method ensures that all DNS traffic from the endpoint is filtered by Umbrella's policy, even when the device is off the corporate network.

Exam trap

Cisco often tests the distinction between methods that provide DNS-layer security (like the roaming client and DNS forwarding via virtual appliances) versus methods that are used for other layers of security (like IPsec VPNs for full traffic inspection or BGP for routing), leading candidates to mistakenly select options that sound plausible but are not designed for DNS-layer integration.

66
Multi-Select · hard

Which THREE of the following are best practices for deploying Cisco Web Security Appliance (WSA) in a large enterprise environment? (Select exactly three.)

Select 3 answers
A. Use explicit proxy mode with PAC files for user-specific policy enforcement
B. Configure transparent proxy to avoid client configuration
C. Disable anti-malware scanning to improve performance
D. Deploy multiple WSAs in a cluster for high availability
E. Enable SSL decryption for comprehensive content inspection
Answers: A, D, E

Allows per-user policies.

Why this answer

Option A is correct because explicit proxy mode with PAC files allows the WSA to enforce granular, user-specific policies based on authentication (e.g., via NTLM or LDAP) and destination URL. PAC files enable automatic proxy configuration for clients, ensuring traffic is routed through the WSA without manual browser settings, while still supporting user identity for policy decisions.

Exam trap

Cisco often tests the misconception that transparent proxy is always superior for large enterprises, but the trap here is that explicit proxy with PAC files is actually the best practice for user-specific policy enforcement in a large environment, while transparent proxy lacks identity granularity without additional complexity.

67
MCQ · hard

During a security audit, it is discovered that some malware downloads were not blocked by the Cisco WSA even though the Web Reputation score was set to block scores below -5.0. The logs show that the downloads came from sites with a reputation score of -6.2. What is the most likely reason the downloads were not blocked?

A. HTTPS decryption was not enabled
B. The users were not authenticated
C. The Web Reputation threshold was not applied correctly
D. The file type was not configured for malware inspection
Answer: D

Malware inspection only applies to specified file types.

Why this answer

The Cisco WSA uses Web Reputation filtering to block traffic based on reputation scores, but this filtering operates at the URL or domain level, not at the file content level. Even if a site has a very low reputation score (e.g., -6.2), the WSA will only block the download if the file type is included in the malware inspection configuration. If the file type (e.g., .exe, .zip) is not configured for malware inspection, the WSA will allow the download despite the low reputation score, because reputation-based blocking alone does not inspect the content of the file.

Exam trap

Cisco often tests the misconception that a low Web Reputation score alone will block all downloads from that site, but the trap here is that reputation filtering and malware inspection are separate functions; blocking requires both the reputation threshold to be met AND the file type to be enabled for malware inspection.

How to eliminate wrong answers

Option A is wrong because HTTPS decryption is not required for Web Reputation filtering; reputation scores are based on the URL/domain and can be evaluated even without decrypting HTTPS traffic. Option B is wrong because user authentication is not a prerequisite for Web Reputation filtering; the WSA can apply reputation policies based on source IP or other criteria without requiring authentication. Option C is wrong because the logs confirm the site had a reputation score of -6.2, which is below the -5.0 threshold, so the threshold was applied correctly; the issue is that reputation-based blocking alone does not inspect file content, and the file type was not configured for malware inspection.

68
MCQ · medium

A multinational company has recently deployed Cisco Umbrella for DNS-layer security across all offices. The security team receives reports that users in the Asia-Pacific region cannot access a critical cloud-based CRM application (crm.company.com). The CRM is hosted by a third-party provider and uses a custom domain. The Umbrella dashboard shows that DNS requests for crm.company.com are being blocked with the reason 'Cisco Umbrella Intelligence Feed: Blocked Domain'. The domain is not part of any standard security category. The IT team has verified that the domain is legitimate and necessary for business operations. What should the administrator do to restore access while maintaining security?

A. Whitelist the CRM server's IP address in the IP-layer enforcement settings
B. Configure the local DNS server to forward crm.company.com directly to the CRM provider's DNS
C. Disable the Cisco Umbrella Intelligence Feed for the Asia-Pacific region
D. Add crm.company.com to the global allow list in the Umbrella dashboard under Policy > Destination Lists > Allow
Answer: D

This allows the domain to bypass DNS blocking while preserving other protections.

Why this answer

Option D is correct because the domain is being blocked by the Cisco Umbrella Intelligence Feed, which is a curated threat intelligence feed. Since the domain is legitimate and not part of a standard security category, the proper method to restore access is to add it to the global allow list under Policy > Destination Lists > Allow. This overrides the block from the intelligence feed while preserving all other security policies.

Exam trap

Cisco often tests the distinction between DNS-layer and IP-layer enforcement, leading candidates to incorrectly choose IP whitelisting (Option A) when the block is actually occurring at the DNS layer before IP-layer policies are evaluated.

How to eliminate wrong answers

Option A is wrong because whitelisting the CRM server's IP address in IP-layer enforcement would only bypass IP-based blocks, but the block is occurring at the DNS layer due to the domain being in the Intelligence Feed; DNS-layer enforcement resolves the domain to an IP before IP-layer checks, so the block happens first. Option B is wrong because configuring the local DNS server to forward crm.company.com directly to the CRM provider's DNS would bypass Cisco Umbrella entirely for that domain, removing all security inspection and logging, which is not a recommended or controlled approach. Option C is wrong because disabling the Cisco Umbrella Intelligence Feed for the Asia-Pacific region would remove threat intelligence protection for all domains in that feed across the entire region, unnecessarily exposing the network to potential threats.

69
Multi-Select · medium

Which THREE steps should the administrator take to troubleshoot slow web browsing when using Cisco WSA? (Choose three.)

Select 3 answers
A. Check the WSA's network interface statistics for errors or drops
B. Verify the HTTPS decryption policies to ensure they are not causing excessive CPU load
C. Examine the WSA access logs for TCP connection time and server response time
D. Restart the proxy services to clear any temporary issues
E. Configure the WSA to use a public DNS server like 8.8.8.8
Answers: A, B, C

Network issues can cause slow connectivity.

Why this answer

Option A is correct because checking the WSA's network interface statistics for errors or drops helps identify physical-layer issues (e.g., duplex mismatches, CRC errors) that can cause packet loss and retransmissions, directly slowing web browsing. This is a fundamental first step in isolating whether the problem is at the network layer rather than within the proxy itself.

Exam trap

Cisco often tests the misconception that restarting services (Option D) is a valid troubleshooting step for performance issues, but in the 350-701 exam, the focus is on diagnostic analysis using logs and statistics rather than disruptive actions.

70
Matching · medium

Match each VPN type to its characteristic.

Concepts
Matches

Connects entire networks over the internet

Allows individual users to connect securely

Uses web browser for clientless access

Provides encrypted tunnels using IPsec

Dynamic multipoint VPN for hub-and-spoke topologies

Why these pairings

These are common VPN types and their descriptions.

71
Multi-Select · easy

A security engineer is configuring Cisco Web Security Appliance (WSA) to block downloads of potentially malicious file types such as .exe and .scr. The engineer wants to ensure that these files are blocked even if they are hosted on trusted websites. Which TWO actions should the engineer take?

Select 2 answers
A. Create an access policy that enables file reputation filtering.
B. Create a custom URL category for the file types.
C. Enable the file type control feature in the access policy.
D. Configure HTTPS proxy to decrypt traffic for file inspection.
E. Enable Data Loss Prevention (DLP) on the access policy.
Answers: A, C

File reputation filtering uses the Cisco Talos reputation to block known malicious files.

Why this answer

Option A (file reputation filtering) and Option C (file type control) are correct because they allow the WSA to block specific file types based on reputation or file type, regardless of the source URL. Option B is incorrect because URL categories are for categorizing websites, not file types. Option E (DLP) is designed for data loss prevention, not file type blocking.

Option D (HTTPS proxy) enables inspection of encrypted traffic but does not itself block file types.

72
Multi-Select · hard

Which THREE symptoms indicate that a Cisco ESA is experiencing a mail loop?

Select 3 answers
A. A high number of messages in the 'Bounced' queue.
B. Messages fail DKIM signature verification.
C. Multiple 'Received:' headers from the same ESA in the same message.
D. A rapid increase in the 'Spam Quarantine' count.
E. The same Message-ID appears multiple times in the mail logs with different mid values.
Answers: A, C, E

Loops often cause bounce messages to accumulate.

Why this answer

A high number of messages in the 'Bounced' queue is a classic symptom of a mail loop on a Cisco ESA. When a loop occurs, messages are repeatedly sent back and forth between mail servers, eventually exceeding the maximum hop count or delivery attempts, causing them to be moved to the Bounced queue. This queue specifically holds messages that could not be delivered due to permanent failures, and loops generate many such failures.

Exam trap

Cisco often tests the distinction between symptoms of a mail loop (bounced queue, duplicate Received headers, repeated Message-IDs) and symptoms of other issues like spam or authentication failures, so candidates mistakenly associate DKIM failures or quarantine increases with loops.

73
MCQ · easy

A company's Cisco WSA is configured with explicit proxy mode. Users report that they can browse the internet but cannot access internal websites hosted on the company's intranet. What is the most likely cause?

A. The WSA is in transparent proxy mode.
B. Users are not authenticated to the WSA.
C. The internal websites are not in the proxy bypass list.
D. SSL decryption is blocking the internal sites.
Answer: C

A proxy bypass list is needed for internal traffic.

Why this answer

In explicit proxy mode, the WSA requires clients to be configured to send traffic to it. If internal websites are not added to the proxy bypass list (or the WSA's PAC file does not direct internal traffic directly), the WSA will attempt to proxy requests for internal sites, which may fail because the WSA cannot route to internal IPs or the internal DNS resolution fails. This is the most likely cause because users can browse the internet (proxied traffic works) but cannot reach internal sites (which should bypass the proxy).

Exam trap

Cisco often tests the distinction between explicit and transparent proxy modes, and the trap here is that candidates assume authentication or SSL decryption is the cause, when the real issue is the proxy bypass list not covering internal destinations.

How to eliminate wrong answers

Option A is wrong because the scenario explicitly states the WSA is configured with explicit proxy mode, so transparent mode is not in use. Option B is wrong because authentication is not required for basic HTTP/HTTPS access in explicit proxy mode; unauthenticated users can still browse the internet and internal sites if the proxy bypass list is correct. Option D is wrong because SSL decryption, if enabled, would affect both internal and external HTTPS sites equally, not selectively block only internal sites; moreover, internal sites often use self-signed certificates that would cause decryption failures, but the question states users can browse the internet (which includes HTTPS sites), so SSL decryption is not the issue.

74
MCQ · hard

A large enterprise uses Cisco WSA with integrated Cisco Advanced Malware Protection (AMP) to inspect web traffic. The security policy dictates that all downloaded files should be scanned by AMP. Recently, a user downloaded a PDF file from a trusted vendor site, but the download was blocked by the WSA. The administrator checks the WSA logs and sees that the file was blocked due to AMP's 'File Reputation' score of 10 (high risk). However, the vendor confirms the file is legitimate. The administrator notes that the file is digitally signed by the vendor. What is the most appropriate next step to allow the file while maintaining security?

A. Add the vendor's domain to the WSA's global URL whitelist.
B. Lower the AMP file reputation threshold from 10 to 7 to allow files with lower risk scores.
C. Add the file's SHA-256 hash to the AMP custom allow list to override the reputation.
D. Disable AMP scanning for the vendor's domain in the WSA policy.
Answer: C

This permits only this specific file.

Why this answer

Option C is correct because Cisco AMP allows administrators to create custom allow lists using file hashes (SHA-256) to override the file reputation score. Since the file is digitally signed and confirmed legitimate, adding its SHA-256 hash to the AMP custom allow list will permit the download while still scanning other files from that domain, preserving security. This approach directly addresses the false positive without broadly reducing security controls.

Exam trap

The trap here is that candidates may think whitelisting the domain or disabling AMP for that domain is sufficient, but Cisco tests the understanding that AMP's custom allow list is the precise mechanism to handle false positives without compromising security for other files from the same source.

How to eliminate wrong answers

Option A is wrong because adding the vendor's domain to the WSA's global URL whitelist would bypass all security scanning for that domain, including URL filtering, DLP, and AMP, which is overly permissive and violates the policy that all downloaded files should be scanned. Option B is wrong because lowering the AMP file reputation threshold from 10 to 7 would allow all files with a score of 7 or higher, potentially permitting malicious files that have not yet been analyzed, weakening overall security posture. Option D is wrong because disabling AMP scanning for the vendor's domain would completely remove file reputation analysis for all files from that domain, contradicting the security policy that mandates scanning all downloads.

75
MCQ · medium

A company is deploying Cisco Cloud Web Security (CWS) using an on-premises connector. They want to authenticate users via Active Directory and apply granular policies based on user identity. Which authentication method should be configured on the connector?

A. Local user database on the connector
B. Transparent proxy with explicit authentication via PAC file
C. LDAP authentication with transparent user identification
D. SAML-based authentication
Answer: C

LDAP allows AD integration, and transparent identification via protocols like NTLM is seamless.

Why this answer

Option C is correct because Cisco Cloud Web Security (CWS) with an on-premises connector can integrate with Active Directory via LDAP to perform transparent user identification. This allows the connector to map IP addresses to authenticated user identities without requiring explicit proxy authentication, enabling granular policy enforcement based on AD user or group membership.

Exam trap

The trap here is that candidates often confuse 'transparent proxy' with 'transparent user identification' and assume explicit authentication (Option B) is required, when in fact LDAP-based transparent identification (Option C) is the correct method for integrating with AD without user intervention.

How to eliminate wrong answers

Option A is wrong because a local user database on the connector would require manual user creation and maintenance, which does not scale for enterprise AD integration and cannot provide transparent user identification. Option B is wrong because transparent proxy with explicit authentication via PAC file still requires users to manually authenticate (e.g., via browser pop-up), which defeats the goal of transparent user identification and adds user friction. Option D is wrong because SAML-based authentication is typically used for cloud-based identity federation (e.g., with Cisco Umbrella or web portal access), not for on-premises connector-to-AD integration where LDAP is the standard protocol for transparent user identification.
