CCNA SCOR Network Security Questions

75 of 125 questions · Page 1/2 · SCOR Network Security topic · Answers revealed

1
MCQ · medium

A company uses Cisco Firepower Threat Defense (FTD) managed by FMC. They need to create an access control policy that allows traffic from specific source IPs to a web server, but blocks all other traffic. How should the rule base be ordered?

A. Place the block rule first, then the permit rule.
B. Place the permit rule first, then the block rule.
C. Use a single rule with permit and block conditions combined.
D. Order does not matter because FMC processes rules in parallel.

Answer: B

The permit rule matches first for allowed sources; the block rule catches all others.

Why this answer

Access control rules are evaluated in order from top to bottom. The first matching rule is applied. Therefore, the permit rule for the specific source IPs must come before the final block rule.

2
MCQ · medium

A Cisco FTD is deployed in inline mode and is configured with a file policy to detect malware. When a file is transferred, the FTD computes a SHA-256 hash and checks it against AMP cloud. The cloud returns 'unavailable' for the hash. What action will the FTD take by default?

A. Allow the file and log the event.
B. Perform a deep packet inspection on the file.
C. Detonate the file in a sandbox before deciding.
D. Block the file because it could not be verified.

Answer: A

Default behavior is to allow and log when disposition is unavailable.

Why this answer

By default, if the cloud lookup cannot determine the disposition (clean, malware, unknown), the file is allowed but logged.

3
Multi-Select · medium

A company is designing a network segmentation strategy using firewalls. Which THREE considerations are important for a defense-in-depth approach?

Select 3 answers
A. Use a DMZ to host public-facing services.
B. Allow all outbound traffic from internal users.
C. Apply strict inbound ACLs to limit access to critical zones.
D. Place all servers in the same segment for easier management.
E. Implement internal segmentation to contain threats.

Answers: A, C, E

DMZ isolates public services from internal network.

Why this answer

Defense-in-depth involves multiple layers: a DMZ for public services, internal segmentation to limit lateral movement, and strict inbound rules protecting critical zones.

4
MCQ · medium

A Cisco FTD is configured with SSL/TLS inspection using the 'decrypt-known-key' method. Which traffic can be decrypted with this method?

A. Traffic to internal servers whose private key is imported into FTD
B. Traffic to any website on the internet
C. Traffic using self-signed certificates only
D. All SSL traffic regardless of certificate

Answer: A

This method requires the server's private key to decrypt.

Why this answer

Decrypt-known-key is used when the FTD has the server's private key, typically for internal servers.

5
MCQ · medium

An organization deploys Cisco FTD in a high-availability pair using active/standby. If the active unit fails, what happens to existing connections?

A. Existing connections are preserved if stateful failover is configured.
B. All connections are dropped and must be re-established.
C. The standby unit cannot take over because it has no configuration.
D. Only TCP connections are preserved; UDP connections are dropped.

Answer: A

Correct.

Why this answer

In active/standby, state information is synchronized. When the standby becomes active, existing connections are preserved if the failover is stateful.

6
Multi-Select · medium

A Cisco FTD is deployed in inline mode and configured with an access control policy. The policy includes rules with actions: Trust, Allow, Block, and Interactive Block. Which two statements about these actions are correct? (Choose two.)

Select 2 answers
A. Trust action bypasses all further inspection modules.
B. Interactive Block action shows a block page to the user.
C. Allow action is the default action if no rule matches.
D. Block action logs the traffic and allows it to pass.
E. Allow action applies only URL filtering but not IPS.

Answers: A, B

Trust skips IPS, file, and URL filtering.

Why this answer

Trust bypasses all further inspection. Allow permits traffic but subjects it to inspection. Block drops traffic.

Interactive Block challenges the user with a block page and allows them to proceed if they accept.

7
MCQ · medium

An engineer configures a Cisco ASA in a DMZ architecture. The DMZ hosts web servers that need to be accessible from the internet. Which security level should be assigned to the DMZ interface to ensure proper traffic flow without additional ACLs for return traffic?

A. 255
B. 0
C. 50
D. 100

Answer: C

Correct. Level 50 is between 0 and 100, allowing return traffic from DMZ to outside without ACLs.

Why this answer

For internet-to-DMZ traffic, the DMZ interface should have a security level higher than outside (0) but lower than inside (100) to allow return traffic from DMZ to outside without explicit ACLs. Level 50 is common.

8
MCQ · hard

A Cisco FTD device is deployed inline and configured with an access control policy that includes a rule to block traffic from a specific source IP address. However, traffic from that IP is still passing through. What is the most likely cause?

A. The rule is assigned to the wrong interface
B. The intrusion policy is overriding the block action
C. The device is in passive mode
D. A trust rule exists before the block rule in the policy

Answer: D

Correct. Traffic matching an earlier trust rule will bypass later block rules.

Why this answer

In Cisco FTD, the access control policy rules are evaluated in order. If a rule earlier in the order permits the traffic (e.g., a trust rule), subsequent block rules are not evaluated. The rule order must be correct.

9
MCQ · medium

An organization is deploying Cisco Firepower Threat Defense (FTD) in a high-availability (HA) pair in active/standby mode. Which statement about state synchronization is true?

A. The standby unit mirrors all traffic and builds its own connection table.
B. Both units process traffic simultaneously and share states via the control link.
C. Connection states are synchronized from active to standby over the failover link.
D. Only configuration is synchronized; connection states are not replicated.

Answer: C

Correct. Stateful failover replicates connection state information.

Why this answer

In active/standby HA, the active unit replicates connection states to the standby unit so that if a failover occurs, the standby can take over without disrupting existing connections. Stateful failover requires synchronization of connection tables.

10
MCQ · hard

A Cisco FTD device managed by FMC is processing traffic. An access control rule is configured with the action 'Interactive Block'. What behavior does this action trigger?

A. The packet is dropped and logged without any user notification.
B. The connection is reset and the source IP is added to a block list permanently.
C. The traffic is allowed but inspected more closely.
D. The user is shown a block page and can click to bypass the block for a specified time.

Answer: D

Interactive Block allows the user to request bypass.

Why this answer

Interactive Block presents a user with a block page with an option to bypass; it is not a simple block or allow.

11
MCQ · medium

An engineer is configuring Dynamic Access Policy (DAP) on an ASA for AnyConnect VPN. They want to assign different access policies based on the client's anti-virus status and device posture. What must be configured to obtain this information?

A. Cisco Secure Client (formerly AnyConnect) with posture module
B. Group policy with split tunneling enabled
C. Cisco ISE as the AAA server
D. SSL VPN with DTLS enabled

Answer: A

Correct. The posture module collects endpoint compliance information.

Why this answer

DAP can use endpoint attributes from the AnyConnect client, such as antivirus status, via the Secure Endpoint or posture module. The ASA obtains this information through the AnyConnect client's posture assessment.

12
MCQ · medium

A network administrator is configuring site-to-site VPN between two Cisco ASA firewalls using IKEv2. The administrator wants to ensure that the VPN tunnel uses the most secure encryption algorithm available. Which encryption algorithm should be selected in the IKEv2 proposal?

A. AES-256
B. AES-128
C. DES
D. 3DES

Answer: A

AES-256 is the strongest encryption algorithm listed.

Why this answer

AES-256 provides the highest security among the options. DES and 3DES are weak and deprecated, while AES-128 is less secure than AES-256.

13
MCQ · medium

An engineer configures a Cisco ASA firewall with three interfaces: inside (security level 100), outside (security level 0), and DMZ (security level 50). Traffic from the inside network to the DMZ network is sourced from 10.1.1.0/24 and destined to 192.168.1.0/24. The inside interface is configured with IP 10.1.1.1, DMZ interface with IP 192.168.1.1. An ACL on the inside interface permits IP traffic from 10.1.1.0/24 to 192.168.1.0/24. What happens when a packet from 10.1.1.10 to 192.168.1.10 arrives at the inside interface?

A. The packet is forwarded because the security levels allow traffic from higher to lower, and an ACL permits it.
B. The packet is dropped because no ACL is applied to the DMZ interface.
C. The packet is dropped because traffic from higher to lower security levels is implicitly denied.
D. The packet is forwarded only if a NAT rule exists for the source address.

Answer: A

Correct. Higher to lower is allowed by default, and the ACL explicitly permits the traffic.

Why this answer

The ASA allows traffic from higher to lower security levels by default; once an ACL is applied to the interface, that ACL must permit the traffic. Since the inside level (100) is higher than the DMZ (50), and the ACL permits the traffic, the packet is forwarded.

14
MCQ · easy

A security analyst is reviewing Snort rule output and sees an alert with the following details: action: alert, protocol: tcp, src: any, dst: any, content: 'malicious'. What type of detection is this rule using?

A. Behavioral detection
B. Heuristic detection
C. Anomaly-based detection
D. Signature-based detection

Answer: D

Correct. The rule matches a specific content string, which is a signature.

Why this answer

The rule uses a specific content pattern 'malicious' to match traffic, which is characteristic of signature-based detection. Signature-based IDS relies on predefined patterns or signatures to identify known threats.

15
MCQ · hard

An engineer is configuring Cisco Firepower Threat Defense (FTD) in inline NGFW mode. The access control policy must block all traffic from geolocation 'North Korea' and allow all other traffic. Which type of rule should be used and in what order should it be placed?

A. Block rule with source geolocation North Korea, placed at the top of the policy.
B. Intrusion policy with geolocation filter, placed before access control rules.
C. Block rule with source geolocation North Korea, placed at the bottom of the policy.
D. Permit rule with destination geolocation North Korea, placed at the top.

Answer: A

Correct. Block rule at the top ensures all traffic from North Korea is blocked before any allow rule is evaluated.

Why this answer

Geolocation filtering is applied in access control rules. The block rule must be placed before any allow rules to ensure traffic from North Korea is blocked. Rule order is top-down.

16
MCQ · medium

A company uses Cisco Firepower with FMC and wants to block access to social media websites for all users. Which feature should be used to create this policy?

A. File Policy
B. URL Filtering
C. Intrusion Policy
D. Application Visibility and Control (AVC)

Answer: B

URL filtering uses categories like Social Networking to block websites.

Why this answer

URL filtering allows blocking or allowing access based on URL categories (e.g., Social Networking). Application visibility and control (AVC) can block specific applications, but URL filtering is more appropriate for web browsing categories.

17
MCQ · medium

In a Snort intrusion detection rule, which part specifies the action to take when the rule matches?

A. Action
B. Protocol
C. Options
D. Source IP

Answer: A

Action is the first field in a Snort rule.

Why this answer

The action is the first field in a Snort rule (e.g., alert, drop, reject).

18
MCQ · easy

A security administrator is investigating an alert from an IPS that detected a SQL injection attempt. The alert was triggered by a signature that looks for specific patterns in the traffic. What type of detection method is this?

A. Signature-based detection
B. Behavioral detection
C. Heuristic detection
D. Anomaly-based detection

Answer: A

Signature-based detection matches traffic against known attack patterns.

Why this answer

Signature-based detection uses predefined patterns (signatures) to identify known attacks. Anomaly-based detection looks for deviations from normal behavior.

19
MCQ · hard

An engineer configures a Cisco FTD in a high-availability pair with active/standby failover. The primary unit fails, and the standby takes over. After the primary recovers, what must be done to ensure it resumes as active?

A. Execute 'failover active' on the primary unit.
B. No action is needed; the primary automatically resumes active role.
C. Reboot the secondary unit.
D. Disable and re-enable failover.

Answer: A

This forces the primary to become active again.

Why this answer

In active/standby failover, the active unit can be forced to become standby and the standby active. To make the recovered primary active, the command 'failover active' on the primary or 'failover reset' can be used. However, by default, the primary will not automatically become active unless configured with preempt.

20
MCQ · hard

A Cisco FMC administrator needs to create a file policy to detect malware in HTTP downloads. The policy should allow the file to be delivered if it is known clean, block if known malicious, and allow but capture for analysis if unknown. Which combination of actions is required?

A. Detect Files: Clean = Allow; Malicious = Block; Unknown = Allow and Capture
B. Detect Files: Clean = Block; Malicious = Allow; Unknown = Block
C. Detect Files: Clean = Allow; Malicious = Allow; Unknown = Block
D. Intrusion Policy instead of File Policy

Answer: A

Correct; this matches the requirement.

Why this answer

The file policy can use dispositions from AMP: clean (allow), malicious (block), and unknown (allow but capture for further analysis).

21
Multi-Select · medium

A security administrator is configuring a Cisco Firepower system for network discovery and wants to identify hosts and services on the network. Which two actions must be configured to enable network discovery? (Choose two.)

Select 2 answers
A. Enable SSL/TLS inspection for all traffic.
B. Configure a file policy with malware detection.
C. Configure an Access Control Policy with an 'Allow' rule for discovery traffic.
D. Enable the Network Discovery feature in FMC.
E. Deploy the FTD in inline mode only.

Answers: C, D

Correct. Discovery traffic must be allowed to be analyzed.

Why this answer

Network discovery requires enabling the Network Discovery feature in FMC and applying an access control policy that allows the traffic to be discovered (or configuring the discovery settings directly). The FTD must also be deployed in a mode that sees that traffic, inline or passive, with the necessary policies applied.

22
Multi-Select · hard

A company is using Cisco ASA with AnyConnect VPN. They want to implement Dynamic Access Policy (DAP) to enforce access based on device compliance. Which two attributes can DAP use to evaluate endpoint posture? (Choose two.)

Select 2 answers
A. Cisco ISE authorization profile
B. Antivirus software version and real-time protection status
C. User group membership from Active Directory
D. Source IP address
E. Presence of a specific file

Answers: B, E

Correct. DAP can check antivirus status via AnyConnect posture.

Why this answer

DAP can use attributes from the AnyConnect client such as antivirus status, firewall status, and operating system. It can also use AAA attributes from RADIUS or LDAP. The Secure Endpoint (formerly AMP) connector provides device compliance data.

23
MCQ · medium

A Cisco ASA is configured with dynamic PAT to translate internal addresses to a single outside IP address. A user on the inside initiates a connection to an external web server. The ASA creates a connection entry. Which table is checked first when a return packet arrives from the web server?

A. ACL table
B. Connection table (conn)
C. NAT table (xlate)
D. Routing table

Answer: B

Correct. The ASA checks the connection table to see if the packet belongs to an existing session.

Why this answer

The ASA checks the connection table (conn table) first for stateful inspection. The xlate table holds the NAT translations, but the connection table is what is consulted for session state.

24
MCQ · medium

A security engineer is tuning Snort rules on a Cisco FTD to reduce false positives. Which action should be taken if a rule is generating alerts for legitimate traffic?

A. Change the rule action to 'reject'.
B. Increase the priority of the rule.
C. Disable the rule or set it to 'noalert'.
D. Add the rule to a custom policy with higher precedence.

Answer: C

Correct; disabling or setting to noalert stops false alerts.

Why this answer

To reduce false positives, the rule can be disabled (noalert), thresholding can reduce alert frequency, or the rule can be modified to be more specific. Disabling is a common initial step if the rule is not needed.

25
MCQ · easy

Which NAT type on a Cisco ASA translates both the source and destination IP addresses and is typically used to allow external hosts to access internal servers?

A. Identity NAT
B. PAT (Port Address Translation)
C. Static NAT
D. Dynamic NAT

Answer: C

Correct. Static NAT provides a fixed mapping for both directions.

Why this answer

Static NAT creates a one-to-one mapping between an internal private IP and an external public IP, translating both source and destination addresses symmetrically. It is commonly used to make internal servers accessible from the outside.

26
Multi-Select · hard

An engineer is deploying Cisco Firepower Threat Defense (FTD) in inline mode and needs to decrypt SSL traffic for inspection. Which two methods are supported by FTD for SSL decryption? (Choose two.)

Select 2 answers
A. Decrypt - Passthrough: SSL traffic is allowed without inspection.
B. Decrypt - Monitor: SSL traffic is monitored but not decrypted.
C. Decrypt - Block: SSL traffic is blocked if decryption fails.
D. Decrypt - Resign: The FTD re-signs the server certificate with its own CA.
E. Decrypt - Known Key: Using the private key of the destination server.

Answers: D, E

Decrypt - Resign installs a CA on the FTD and re-signs server certificates for inspection; Decrypt - Known Key uses the destination server's own private key.

Why this answer

FTD supports decrypting traffic using a known private key (e.g., from a web server) or by re-signing certificates using a CA certificate installed on the device. The other options are not valid SSL decryption methods.

27
Multi-Select · medium

A network engineer is configuring a Cisco ASA to use the Modular Policy Framework (MPF) for advanced traffic inspection. Which three components are part of the MPF? (Choose three.)

Select 3 answers
A. Service-policy
B. Route-map
C. Class-map
E. Policy-map

Answers: A, C, E

Correct. Service-policy applies the policy-map to an interface or globally.

Why this answer

MPF consists of class-maps to classify traffic, policy-maps to define actions, and service-policy to apply the policy to interfaces or globally. These are the three core components.

28
MCQ · medium

A network administrator is configuring NAT on a Cisco ASA to allow internal users to access the internet using a single public IP address. The internal network uses RFC 1918 addresses. Which type of NAT should be configured?

A. Dynamic NAT
B. Static NAT
C. Identity NAT
D. PAT (Port Address Translation)

Answer: D

PAT overloads a single IP by using unique port numbers.

Why this answer

PAT (Port Address Translation) allows many internal IPs to share a single public IP by using unique source ports. Dynamic NAT would require a pool of public IPs, and static NAT provides one-to-one mapping.

29
MCQ · easy

Which deployment mode allows a Cisco Firepower NGFW to inspect traffic without being in the direct forwarding path?

A. Transparent
B. Routed
C. Passive
D. Inline

Answer: C

Passive mode uses a network tap or SPAN port.

Why this answer

Inline deployment is in the path; passive mode (or SPAN) monitors a copy of traffic.

30
MCQ · hard

In Cisco Firepower, an access control policy has multiple rules. Rule 1: Allow HTTP from any to any. Rule 2: Block HTTP from 10.0.0.0/8 to any. A packet from 10.0.0.1 to 192.168.1.1 with destination port 80 is inspected. What action is taken?

A. The packet is allowed only if no intrusion policy triggers.
B. The packet is allowed because Rule 1 is matched first.
C. The packet is blocked because Rule 2 is more specific.
D. The packet is blocked and an alert is generated.

Answer: B

Correct. The first matching rule determines the action.

Why this answer

Rules are evaluated top-down. The packet matches Rule 1 first (Allow HTTP), so it is allowed. Even though Rule 2 would block it, Rule 1 is matched first.

31
Multi-Select · medium

A network security engineer is configuring Cisco ASA for remote access VPN using AnyConnect. Which two components must be configured to enable split tunneling? (Choose two.)

Select 2 answers
A. A crypto map that specifies the VPN encryption parameters.
B. An access list that defines the networks to be tunneled or excluded.
C. A group policy that references the split tunneling ACL.
D. A dynamic access policy (DAP) that enforces split tunneling.
E. A tunnel group that defines the VPN connection parameters.

Answers: B, C

The ACL defines which traffic is encrypted.

Why this answer

Split tunneling requires defining an ACL that specifies which traffic goes through the tunnel, and applying that ACL in the group policy. The ACL is configured on the ASA and referenced in the group policy.

32
MCQ · hard

A Cisco FTD device is configured with an access control policy that has multiple rules. The first rule is 'Allow' for all traffic from the internal network to the internet. The second rule is 'Block' for traffic from a specific internal host to any destination. However, the administrator notices that the specific host can still access the internet. What is the most likely cause?

A. The block rule is placed after the allow rule.
B. The block rule is not applied to the correct interface.
C. The block rule is configured with 'Trust' action.
D. The block rule has a lower priority than the allow rule.

Answer: A

Correct. The first matching rule is applied; thus the allow rule matches before the block rule.

Why this answer

Access control rules are evaluated in order. The first rule allows all internal traffic, and since rules are processed top-down, the first match applies. The second rule is never reached because the first rule already matched.

To block the specific host, the more specific rule must be placed before the general allow rule.

33
MCQ · easy

On a Cisco ASA, which table holds information about translated addresses for active connections?

A. ARP table
B. Conn table
C. Xlate table
D. Routing table

Answer: C

Correct. The xlate table stores address translation mappings.

Why this answer

The xlate table stores translation entries (NAT translations) for active sessions.

34
MCQ · easy

Which type of VPN on Cisco ASA is typically used for site-to-site connectivity and encrypts all traffic between two sites?

A. IKEv2 IPsec site-to-site VPN
B. L2TP VPN
C. DTLS VPN

Answer: A

Correct. IKEv2 IPsec is used for site-to-site VPNs.

Why this answer

IKEv2 IPsec site-to-site VPN encrypts traffic between two gateways.

35
MCQ · medium

A network architect is designing a DMZ for a web server farm. The ASA firewall will have three interfaces: inside (level 100), DMZ (level 50), and outside (level 0). They want to allow HTTP traffic from the internet to the DMZ web servers and also allow the web servers to initiate connections to the inside for database updates. What is the minimal ACL configuration to achieve this?

A. ACL on outside interface inbound permitting HTTP to DMZ; ACL on inside interface inbound permitting database traffic from DMZ.
B. No ACL needed because traffic from higher to lower is implicitly allowed.
C. ACL on inside interface inbound permitting HTTP to DMZ; ACL on DMZ interface inbound permitting database traffic to inside.
D. ACL on outside interface inbound permitting HTTP to DMZ; ACL on DMZ interface inbound permitting database traffic to inside.

Answer: D

Correct. Allows inbound HTTP from outside to DMZ, and outbound database from DMZ to inside.

Why this answer

Traffic from higher to lower security is implicitly allowed, so from inside (100) to DMZ (50) is allowed by default. Traffic from DMZ (50) to inside (100) is blocked by default, so an ACL on the DMZ interface inbound (or inside interface outbound) is needed to permit the database updates. For traffic from outside (0) to DMZ (50), it is from lower to higher, so an ACL on the outside interface inbound is needed to permit HTTP.

36
Multi-Select · medium

A security administrator is deploying a Cisco ASA in a DMZ architecture. The inside interface is security 100, outside interface is security 0, and DMZ interface is security 50. Which TWO statements about traffic flow are correct?

Select 2 answers
A. Traffic from DMZ to outside is denied by default.
B. Traffic from inside to DMZ is allowed by default.
C. Traffic from outside to inside is allowed by default without ACL.
D. Traffic from inside to outside is allowed by default.
E. Traffic from DMZ to inside is allowed by default.

Answers: B, D

Inside security 100 > DMZ security 50.

Why this answer

Traffic from higher to lower security levels is allowed by default; lower to higher requires ACLs. Traffic from inside to DMZ is therefore allowed, and the return traffic for those sessions is allowed by stateful inspection.

37
Multi-Select · hard

An engineer is tuning an IPS on a Cisco FTD to reduce false positives. Which three techniques are effective? (Choose three.)

Select 3 answers
A. Add source and destination IP filters to signatures
B. Disable specific signatures that trigger incorrectly
C. Increase the global sensitivity slider to maximum
D. Enable all built-in rules to maximize coverage
E. Use monitor mode for new or modified rules

Answers: A, B, E

Restricting rule scope reduces irrelevant alerts.

Why this answer

Tuning to reduce false positives includes adjusting thresholds, disabling specific signatures, using rule filtering by source/destination, and customizing rules. Monitoring without dropping (monitor mode) also helps evaluate impact.

38
MCQ · medium

A security analyst is monitoring the Cisco FMC and notices a high number of false positives from an intrusion rule that detects SQL injection attempts. The legitimate web application frequently generates similar patterns. Which course of action would reduce false positives while maintaining detection for actual attacks?

A. Disable the rule entirely.
B. Create a new intrusion rule with opposite logic.
C. Change the rule action to 'pass'.
D. Increase the rule's threshold to reduce frequency.

Answer: D

Thresholding can reduce alerts from repeated patterns while still triggering on high volume.

Why this answer

Modifying the rule's threshold to require a higher number of matches or using a suppression filter for the web server IP can reduce false positives.

39
MCQ · easy

An engineer is configuring a Cisco ASA to allow traffic from the inside (security level 100) to the outside (security level 0). They create an access list permitting HTTP traffic from inside to outside and apply it to the inside interface inbound. What is the expected behavior?

A. The traffic will be blocked because the ACL is applied inbound on the inside interface.
B. The traffic will be blocked because the ACL should be applied outbound on the outside interface.
C. The traffic will be allowed only if a NAT rule exists.
D. The traffic will be allowed because the ACL permits it.

Answer: D

Correct. The ACL explicitly permits HTTP, so it is allowed.

Why this answer

On a Cisco ASA, an ACL applied inbound on the higher-security interface (inside) is evaluated before stateful inspection. Traffic from higher to lower security is implicitly allowed by the security levels, so no ACL is needed to permit it; once an ACL is applied inbound on that interface, however, it governs what passes and can restrict the traffic. The ACL described here permits HTTP, so the traffic is allowed.

40
MCQ · medium

A company is deploying Cisco AnyConnect SSL VPN and wants to enforce different access policies based on the endpoint's antivirus status. Which feature should be used?

A. Dynamic Access Policy (DAP)
B. Group Policy
C. Split Tunneling
D. Network Access Control (NAC)

Answer: A

DAP evaluates endpoint attributes like antivirus to assign access.

Why this answer

Dynamic Access Policy (DAP) allows granular access control based on endpoint attributes such as antivirus status, OS, registry keys, etc. Group policies provide basic settings but not dynamic evaluation.

41
MCQ · easy

An administrator configures a Cisco ASA with a DMZ interface at security level 50. Traffic from the inside (level 100) to the DMZ (level 50) is allowed by default. What additional configuration is needed to allow traffic from the DMZ to the inside?

A. An ACL applied to the DMZ interface permitting traffic to inside.
B. A NAT rule is required.
C. An ACL applied to the inside interface permitting traffic from DMZ.
D. No additional configuration; it is allowed by default.

Answer: A

Correct; ACL on DMZ (lower level) permits traffic to inside (higher level).

Why this answer

Traffic from lower to higher security level is blocked by default; an ACL must be applied to the lower security interface (DMZ) to permit traffic to the inside (higher).

42
MCQ · medium

An organization needs to inspect traffic between two internal zones (e.g., HR and IT) on a Cisco FTD. Which deployment mode is appropriate?

A. Switchport mode
B. Routed mode without any policy
C. Inline mode with an access control policy
D. Passive mode with an intrusion policy

Answer: C

Correct; inline mode enables active inspection and blocking.

Why this answer

Inline mode allows the FTD to actively inspect and block traffic. Passive mode only monitors. The requirement to inspect implies inline for enforcement.

43
MCQ · medium

An engineer wants to block traffic from a specific country on a Cisco FTD. Which feature should be used in the access control policy?

A. Intrusion policy
B. Geolocation filtering
C. Application visibility and control (AVC)
D. URL filtering

Answer: B

Correct. Geolocation filtering uses source/destination country to permit or deny.

Why this answer

Geolocation filtering allows blocking or allowing traffic based on source or destination country. It is configured as a condition in access control rules.

44
MCQ · medium

In Cisco ASA modular policy framework, what is the function of a class-map?

A. Apply the policy to an interface
B. Classify traffic into different flows
C. Configure NAT rules
D. Define the action to take on traffic

Answer: B

Class-map matches traffic for classification.

Why this answer

Class-maps identify traffic based on match criteria (e.g., ACL, protocol).

45
MCQ · medium

A company uses a Cisco FMC to manage multiple FTD devices. They want to decrypt SSL/TLS traffic from internal users to external websites using a known private key. Which SSL decryption method should they use?

A. Bypass decryption
B. Decrypt-resign
C. Decrypt-known-key
D. Decrypt-unknown-key

Answer: B

Correct. Decrypt-resign is used for outbound inspection, where the firewall re-signs certificates with a CA.

Why this answer

Decrypt-known-key applies when the firewall holds the server's private key, which is the case for the organization's own internal servers. For outbound traffic to external websites the firewall does not hold the remote server's key, so decrypt-resign is used: the FTD generates a new server certificate and signs it with its own CA. Although the question says 'using a known private key', that condition cannot hold for external sites; the method intended for outbound inspection is decrypt-resign.

The best answer is decrypt-resign because decrypt-known-key is for inbound traffic to servers whose key is known.

46
MCQ · medium

Which VPN technology allows Cisco AnyConnect clients to use UDP for transport to avoid TCP overhead and improve performance?

B. L2TP
C. IKEv2
D. DTLS
Answer: D

Correct. DTLS provides UDP-based encryption for AnyConnect.

Why this answer

DTLS (Datagram Transport Layer Security) is used by AnyConnect to provide a UDP-based SSL VPN, reducing latency compared to TCP.

47
MCQ · easy

What is the primary difference between signature-based and anomaly-based intrusion detection?

A. Signature-based has higher false positive rate than anomaly-based.
B. Signature-based uses patterns of known attacks; anomaly-based uses behavior baselines.
C. Signature-based detects unknown attacks; anomaly-based detects known attacks.
D. Both methods are identical in operation.
Answer: B

Correct.

Why this answer

Signature-based detection compares traffic against known attack patterns; anomaly-based detection establishes a baseline and flags deviations.

48
MCQ · hard

A Cisco ASA is configured with a modular policy framework to inspect HTTP traffic. The class-map matches HTTP traffic, and the policy-map applies inspection. Which command correctly applies the policy to an interface?

A. service-policy policy-map-name interface inside
B. service-policy inspect http interface inside
C. policy-map service-policy inside
D. apply service-policy policy-map-name inside
Answer: A

Correct. This applies the named policy-map to the inside interface.

Why this answer

The service-policy command applies a policy-map to an interface or globally. The syntax is: service-policy policy-map-name {global | interface interface-name}.

49
MCQ · medium

A Cisco ASA has three interfaces: inside (100), outside (0), and DMZ (50). A static NAT rule is configured to map the DMZ server 10.1.1.10 to outside address 200.1.1.10. An ACL on the outside interface permits traffic to 200.1.1.10. A host on the internet sends a packet to 200.1.1.10. What happens when the packet hits the outside interface?

A. The packet is dropped because no ACL exists for the DMZ interface.
B. The packet is forwarded only if an ACL on the DMZ interface permits it.
C. The packet is forwarded to the DMZ server after NAT translation.
D. The packet is dropped because the outside security level is lower than DMZ.
Answer: C

Correct. Static NAT translates the destination to the DMZ IP and forwards the packet.

Why this answer

The ASA translates the destination address to the DMZ IP using the static NAT rule, then routes the packet to the DMZ interface. Security levels do not block because NAT is performed before routing.

50
Multi-Select · hard

An engineer is configuring a Cisco ASA for site-to-site IKEv2 VPN with a VTI. Which two statements about VTI are true? (Choose two.)

Select 2 answers
A. VTI can be configured in IKEv2 mode with an IPsec profile.
B. VTI requires a separate ACL to define interesting traffic.
C. VTI is a tunnel interface that can be used with dynamic routing protocols.
D. VTI is only supported on the ASA 5500-X series.
E. VTI uses a crypto map to define the IPsec policy.
Answers: A, C

Correct; VTI uses an IPsec profile for IKEv2.

Why this answer

VTI is a virtual interface that simplifies VPN configuration. It is a tunnel interface that uses IPsec profiles and supports routing protocols over the tunnel.

51
MCQ · medium

Which of the following is a characteristic of a 'false negative' in intrusion detection?

A. The signature database is updated.
B. The system crashes due to high resource usage.
C. Malicious traffic is not detected.
D. An alert is generated for benign traffic.
Answer: C

Correct. False negative means missing an attack.

Why this answer

A false negative occurs when the IDS/IPS fails to detect an actual attack. It misses the malicious activity.

52
MCQ · easy

An engineer is configuring a Cisco ASA and needs to ensure that traffic from the outside interface to a web server on the DMZ is allowed. The inside interface is security level 100 and the DMZ is level 50. The outside interface is level 0. Which statement about the default traffic flow is true?

A. Traffic from outside to DMZ is allowed implicitly because the ASA inspects all interfaces equally.
B. Traffic from outside to DMZ is denied implicitly because outside level is lower than DMZ level.
C. Traffic from outside to DMZ is allowed implicitly because outside is level 0 and DMZ is level 50.
D. Traffic from outside to DMZ is allowed implicitly because both are lower than inside.
Answer: B

Correct. ASA defaults deny traffic from lower to higher security levels.

Why this answer

By default, the ASA permits traffic from higher security levels to lower security levels without an ACL. However, traffic from lower to higher levels is implicitly denied. Since outside (0) is lower than DMZ (50), an ACL is required.

53
MCQ · medium

An administrator configures a Cisco ASA with the following Modular Policy Framework (MPF) commands:

class-map type inspect http match any
policy-map type inspect http http_policy
 parameters
  protocol-violation action reset
service-policy http_policy global

What is the result of this configuration?

A. Blocks all HTTP traffic globally
B. Enables HTTP deep inspection and logs all HTTP requests
C. Applies the policy only on the inside interface
D. Creates an HTTP inspection policy that resets connections that violate HTTP protocol
Answer: D

The policy-map with protocol-violation action reset will reset connections that do not conform to HTTP standards.

Why this answer

The MPF configuration applies a protocol violation action to HTTP traffic; when a violation is detected, the ASA sends a TCP reset.

54
MCQ · hard

A Cisco FTD device is configured with an SSL decryption rule using 'Decrypt - Known Key'. In which scenario is this action appropriate?

A. Decrypting traffic to any HTTPS site using a self-signed certificate
B. Decrypting traffic to an external website
C. Decrypting traffic without inspecting the certificate
D. Decrypting traffic to an internal server whose private key is imported
Answer: D

Known Key is used when you have the server's private key.

Why this answer

Decrypt - Known Key is used when the firewall has the server's private key, typically for inbound connections to an internal server.

55
MCQ · easy

Which Snort rule action causes the FTD to drop a packet and generate an alert?

A. reject
B. alert
C. drop
D. pass
Answer: C

Correct; drop action drops the packet and generates an alert.

Why this answer

The 'alert' action generates an alert but does not drop; 'drop' drops and alerts; 'reject' drops and sends TCP RST; 'pass' ignores the packet.

56
MCQ · hard

An organization uses Cisco AnyConnect SSL VPN with DTLS enabled. What is the primary benefit of DTLS?

A. It provides stronger encryption than TLS.
B. It is required for DAP policies.
C. It uses UDP to avoid TCP-over-TCP issues and improve performance.
D. It allows split tunneling without configuration.
Answer: C

Correct; DTLS uses UDP, avoiding TCP meltdown.

Why this answer

DTLS provides UDP-based transport for VPN traffic, reducing latency and improving performance for real-time applications compared to TCP-based TLS.

57
MCQ · medium

A security administrator is configuring a Cisco FTD device using FMC. The goal is to block traffic from a specific country and allow all other traffic. Which action should be taken in the access control policy?

A. Create a pre-filter rule that blocks traffic from the country.
B. Create an intrusion rule with a block action for the country.
C. Create a file policy that blocks traffic from the country.
D. Create an access control rule with source country set to the country and action Block.
Answer: D

Access control rules can match on geolocation and block traffic.

Why this answer

Geolocation filtering is configured under access control rules; a rule with block action for the country should be placed before any allow rules.

58
MCQ · medium

A security engineer is tuning an IPS to reduce false positives. They notice that legitimate traffic is triggering a signature for a worm that uses a specific HTTP GET request. The engineer wants to disable the signature for that specific traffic pattern but keep it enabled for other traffic. What is the best approach?

A. Increase the signature threshold.
B. Disable the signature globally.
C. Create a rule suppression for the specific source/destination.
D. Change the action to 'alert' instead of 'drop'.
Answer: C

Correct. Suppression allows you to disable the rule for specific conditions.

Why this answer

In a Snort-based IPS, a rule suppression (or a higher-priority pass rule) skips inspection for that traffic while leaving the signature active elsewhere. The rule itself could also be edited, for example by adding a 'pcre' condition or using 'tag', but the simplest approach is a suppression or a rule override that disables the specific signature for that source/destination.

59
MCQ · medium

An engineer is configuring an access control policy on Cisco FMC for FTD. The policy must allow HTTP traffic from the inside zone to the outside zone, but block all other traffic. Which rule configuration is correct?

A. Rule 1: Trust HTTP from inside to outside; Rule 2: Block all traffic.
B. Rule 1: Permit HTTP from inside to outside; Rule 2: Block all traffic.
C. Rule 1: Block all traffic; Rule 2: Allow HTTP from inside to outside.
D. Rule 1: Allow HTTP from inside to outside; no default rule.
Answer: B

Correct; permit allows HTTP with inspection, and the default deny blocks everything else.

Why this answer

Access control rules are processed top-down; a trust rule bypasses further inspection but still allows traffic; a permit rule allows traffic with inspection. The scenario requires allowing HTTP only, so a permit rule for HTTP with a default deny rule after is correct.

60
MCQ · hard

A Cisco FTD device is deployed in passive mode. The security team wants to block malicious traffic without affecting legitimate traffic. Which action should be used in the access control policy rule?

A. Set the rule action to 'Allow' and rely on intrusion policy with 'Drop and Reset'
B. Set the rule action to 'Trust'
C. Set the rule action to 'Block' with a reset
D. Set the rule action to 'Interactive Block'
Answer: A

In passive mode, the device cannot block; 'Allow' is appropriate and intrusion policy can alert but not drop. 'Drop and Reset' will not actually drop in passive mode.

Why this answer

In passive mode, the FTD cannot block inline. 'Interactive Block' can send a TCP reset, but it is not recommended because it can affect legitimate traffic. The appropriate approach is to set the rule action to 'Allow' and rely on an intrusion policy; an intrusion policy set to 'Drop and Reset' will generate alerts but will not block, because the device is passive.

Since no blocking is possible in passive mode, the correct answer is 'Allow', with the intrusion policy used for monitoring and alerting.

61
MCQ · easy

On a Cisco ASA, which command applies a policy-map globally to all interfaces?

A. class-map
B. service-policy
C. policy-map
D. access-group
Answer: B

service-policy applies the policy globally.

Why this answer

The service-policy command applies the policy-map globally.

62
Multi-Select · easy

A network engineer is configuring site-to-site IPsec VPN on a Cisco ASA using IKEv2. Which two components are required for IKEv2 configuration? (Choose two.)

Select 2 answers
A. IKEv2 proposal
B. ISAKMP policy
C. Group policy
D. Transform set
E. Dynamic crypto map
Answers: A, D

IKEv2 proposal defines phase 1 parameters.

Why this answer

IKEv2 requires an IKEv2 proposal (or policy) defining encryption and authentication for phase 1, and a transform set for IPsec phase 2. Also, a crypto map binds the configuration to an interface. ISAKMP policy is for IKEv1.

63
MCQ · medium

A security analyst is tuning Snort rules to reduce false positives. The analyst identifies a rule that triggers on a common benign application. Which action should be taken to suppress alerts for that specific traffic without disabling the rule entirely?

A. Delete the rule from the policy.
B. Change the rule action to 'alert'
C. Add a 'threshold' rule to limit the number of alerts.
D. Set the rule to 'drop' action.
Answer: C

Threshold can limit alerts per time interval, reducing noise.

Why this answer

Snort allows using 'threshold' or 'suppress' options to limit alerts. The 'suppress' keyword can suppress alerts for specific source/destination IPs. Alternatively, creating a pass rule in the local policy could bypass inspection for that traffic.

However, directly modifying the rule's action to 'pass' is not standard; using threshold is common.

64
Multi-Select · medium

An administrator is configuring Dynamic Access Policies (DAP) on a Cisco ASA for AnyConnect VPN. Which two attributes can be used to create DAP rules? (Choose two.)

Select 2 answers
A. Client IP address
B. Anti-virus software version
C. VPN tunnel group
D. Certificate issuer
E. Time of day
Answers: B, C

Correct; anti-virus software version is an endpoint posture attribute, and the tunnel group is a connection attribute.

Why this answer

DAP can use endpoint attributes like antivirus status, registry entries, or connection attributes like group policy. Certificate issuer is not a standard DAP attribute.

65
MCQ · hard

An administrator is configuring a site-to-site IKEv2 VPN between two Cisco ASAs. Which configuration component defines the encryption and authentication algorithms for the IPsec SA?

A. Crypto map
B. IPsec profile
C. ISAKMP policy
D. Transform set
Answer: D

Correct; transform set defines the IPsec security protocols and algorithms.

Why this answer

The transform set specifies the IPsec SA parameters (encryption, authentication, etc.). IKEv2 uses proposals and transforms within the transform set.

66
MCQ · hard

A Cisco FTD administrator is configuring SSL/TLS inspection. They want to inspect encrypted traffic to an external website that uses a certificate signed by a public CA. Which SSL/TLS inspection action should be used to decrypt this traffic?

A. Decrypt-resign
B. Do not decrypt
C. Decrypt-known-key
D. Block
Answer: A

Correct. Decrypt-resign decrypts, inspects, and re-encrypts using a custom CA certificate trusted by clients.

Why this answer

For traffic to external sites with public certificates, the FTD can use 'decrypt-resign' where it re-encrypts the traffic with a custom CA certificate installed on the client. 'Decrypt-known-key' is for traffic where the private key is known (e.g., internal servers).

67
MCQ · easy

Which Cisco Firepower management option allows direct device management without a separate server, using a web interface on the FTD itself?

A. ASDM
B. CLI
C. FDM
D. FMC
Answer: C

Correct. FDM provides on-box management via a web interface.

Why this answer

FDM (Firepower Device Manager) is the on-box management solution for FTD, running directly on the device.

68
MCQ · medium

An engineer wants to configure NAT on a Cisco ASA such that multiple internal hosts share a single public IP address when accessing the internet. Which NAT type should be used?

A. Static NAT
B. Dynamic NAT
C. Identity NAT
D. PAT (overload)
Answer: D

PAT overloads a single IP address using port numbers.

Why this answer

PAT (Port Address Translation) or NAT overload allows multiple internal hosts to share a single public IP by using unique port numbers.

69
Multi-Select · medium

A security analyst is investigating a potential intrusion and suspects that the IPS is missing some attacks (false negatives). Which two factors can contribute to false negatives in signature-based IPS? (Choose two.)

Select 2 answers
A. The attack uses a new exploit for which no signature exists.
B. The IPS is in inline mode and blocks malicious traffic.
C. The traffic is encrypted and the IPS cannot inspect the payload.
D. The signature threshold is set too low.
E. The IPS is configured to drop packets that match a signature.
Answers: A, C

Correct. Signature-based detection cannot detect unknown attacks without a matching signature.

Why this answer

False negatives occur when the IPS fails to detect an actual attack. Common causes include outdated signatures, encrypted traffic that cannot be inspected, and evasion techniques like fragmentation or encoding that the IPS cannot reassemble. Also, if the sensor is in passive mode and misses traffic due to asymmetric routing, it can cause false negatives.

70
Multi-Select · hard

A Cisco FTD is configured with an access control policy that includes a rule to allow traffic from a specific source subnet. However, traffic is being blocked. Which TWO possible causes should be checked?

Select 2 answers
A. The intrusion policy is set to 'No Inspection'.
B. The default action is set to 'Allow'.
C. The source subnet is not correctly defined in the network object.
D. The allow rule is placed after a block rule that matches the same traffic.
E. The rule has a destination port that is incorrect.
Answers: C, D

If the object is incorrect, the rule may not match.

Why this answer

Rule order matters (first match wins) and if an earlier rule blocks the traffic, the allow rule never applies. Also, intrusion policy could block if set to drop.

71
MCQ · easy

A Cisco ASA is configured with a site-to-site VPN using IKEv2. Which component defines the encryption and authentication algorithms for the IPsec tunnel?

A. Transform set
B. ISAKMP policy
C. IKEv2 proposal
D. Crypto map
Answer: A

Transform set defines IPsec encryption and authentication.

Why this answer

A transform set specifies the encryption (e.g., AES) and authentication (e.g., SHA) algorithms for IPsec. ISAKMP policy is for IKE phase 1, and crypto map binds the policy to an interface.

72
MCQ · hard

An FTD device is deployed in passive mode. Which statement about its traffic processing is true?

A. It can block malicious traffic by sending TCP resets.
B. It receives traffic from a network tap or SPAN port and cannot block traffic.
C. It operates as a transparent firewall with inline inspection.
D. It can use the 'Block' action in access control rules.
Answer: B

Correct. Passive mode uses a copy of traffic for analysis only.

Why this answer

In passive mode, the FTD receives a copy of traffic from a SPAN port or tap; it cannot block traffic in real time and can only generate alerts.

73
MCQ · easy

Which component of a Snort rule specifies the action to take when the rule conditions are matched?

A. Rule options
B. Action
C. Source address
D. Protocol
Answer: B

Correct. The action is the first field in the Snort rule.

Why this answer

In Snort, the first part of the rule header is the action (e.g., alert, drop, reject).

74
MCQ · medium

A company uses Cisco AnyConnect for remote access VPN. They want to allow only specific Active Directory groups to access the corporate network. Which feature on the ASA or FTD should be configured to enforce this?

A. Connection profile with LDAP attribute map
B. AAA server group
C. Group Policy with filter on group membership
D. Dynamic Access Policy (DAP)
Answer: D

DAP allows granular access based on user attributes like AD group membership.

Why this answer

Dynamic Access Policies (DAP) can evaluate user attributes from AD to assign access rights.

75
MCQ · easy

In a Cisco FTD deployment, which management option allows on-box management without the need for a separate FMC server?

A. FMC (Firepower Management Center)
B. ASDM (Adaptive Security Device Manager)
C. CDO (Cisco Defense Orchestrator)
D. FDM (Firepower Device Manager)
Answer: D

FDM is built into the FTD device for local management.

Why this answer

FDM (Firepower Device Manager) is the on-box management interface for FTD devices. FMC is a centralized management server, CDO is cloud-based, and ASDM is for the ASA.
