CCNA SCOR Network Security Questions

50 of 125 questions · Page 2/2 · SCOR Network Security topic

76. MCQ (medium)

Which Cisco FTD feature provides application visibility and control (AVC) to identify and block applications like Facebook or Skype?

A. URL filtering policy
B. Access control policy with application conditions
C. Intrusion policy
D. SSL decryption policy

Answer: B

Correct; AVC is implemented in access control rules.

Why this answer

Application visibility and control is achieved through the access control policy using application filters and the application database. Intrusion policy handles threats, not application identification.

77. MCQ (easy)

An administrator configures a Cisco ASA with an interface named 'inside' at security level 100 and 'outside' at security level 0. Which statement about traffic flow is true?

A. Traffic from inside to outside is denied unless NAT is configured.
B. All traffic between inside and outside is denied without an ACL.
C. Traffic from inside to outside is allowed by default if the connection is statefully inspected.
D. Traffic from outside to inside is allowed by default.

Answer: C

Correct; higher-to-lower traffic is allowed if stateful inspection permits.

Why this answer

By default, traffic from a higher security level (inside) to a lower security level (outside) is allowed without an ACL if stateful inspection permits.

78. MCQ (hard)

An engineer is tuning Snort signatures on a Cisco FTD to reduce false positives. A rule triggers on legitimate traffic that matches a known exploit pattern but is actually benign. Which tuning technique would be most appropriate to suppress the alerts without completely disabling the rule?

A. Add a suppression filter for the specific source IP addresses.
B. Change the rule action from 'alert' to 'pass'.
C. Increase the rule's threshold to require more hits before alerting.
D. Disable the rule in the intrusion policy.

Answer: A

Suppression filters silence alerts for known benign sources while retaining the rule.

Why this answer

Using a suppression filter allows the rule to remain active but suppresses alerts for specific source/destination IPs or ports.

79. Multi-select (easy)

Which two actions are valid actions in a Cisco Firepower access control rule? (Choose two.)

Select 2 answers
A. Log
B. Reset
C. Redirect
D. Allow
E. Trust

Answers: D, E

Correct. Allow permits traffic and applies further inspection.

Why this answer

In Firepower access control policy, the actions are Trust (skip further inspection), Allow (permit and inspect), Block (block traffic), and Interactive Block (present a block page). These are standard actions.

80. Multi-select (medium)

A security analyst is tuning Snort IPS rules to reduce false positives. Which TWO strategies are effective?

Select 2 answers
A. Disable the rule that is causing false positives
B. Increase the sensitivity of all rules
C. Enable all rules to maximize coverage
D. Add a pass rule for known benign traffic
E. Set the rule action to 'alert' instead of 'drop'

Answers: A, D

Disabling removes the false positive.

Why this answer

Disabling rules that generate false positives and adjusting thresholds (e.g., rate_filter) help reduce noise. Whitelisting IPs or changing actions to alert instead of drop also addresses false positives.

81. MCQ (easy)

In Cisco Firepower Management Center (FMC), which action in an access control rule will send a TCP RST to the source and destination and log the event?

A. Trust
B. Allow
C. Block with reset
D. Interactive Block

Answer: C

Correct. This action blocks the traffic and sends TCP RST packets.

Why this answer

The 'Block with reset' action sends RST packets to both endpoints. 'Trust' bypasses inspection, 'Allow' permits traffic, and 'Interactive Block' is for SSL decryption failure.

82. MCQ (medium)

An organization is deploying Cisco AnyConnect VPN with split tunneling. They want to ensure that only traffic destined for the corporate network goes through the VPN tunnel, while internet-bound traffic goes directly. Which configuration element on the ASA controls this?

A. Dynamic Access Policy (DAP)
B. Group policy with split tunneling settings
C. Network (or client) profile on the ASA
D. Connection profile

Answer: B

Correct. Group policy defines split tunneling parameters.

Why this answer

Split tunneling is configured in the group policy. The group policy specifies which networks are tunneled (via split-tunnel-policy and split-tunnel-network-list).

83. MCQ (easy)

Which of the following is a characteristic of anomaly-based intrusion detection compared to signature-based detection?

A. Lower false negative rate for known attacks
B. Higher false positive rate
C. Cannot detect zero-day attacks
D. Requires frequent signature updates

Answer: B

Anomaly-based detection often generates more false positives because any deviation from baseline is flagged.

Why this answer

Anomaly-based detection baselines normal behavior and flags deviations, which can lead to higher false positives because legitimate variations may be flagged. Signature-based detection has lower false positives but cannot detect unknown attacks.

84. Multi-select (easy)

Which three actions are available in a Cisco Firepower access control rule? (Choose three.)

Select 3 answers
A. Decrypt
B. Allow
C. Trust
D. Monitor
E. Block

Answers: B, C, E

Allow permits traffic and can apply further inspection.

Why this answer

The main actions in access control rules are Trust (bypass inspection), Allow (permit with inspection), Block (deny), and Interactive Block (block with user interaction). Monitor is not an action; it is a logging option.

85. MCQ (hard)

An engineer is configuring a Modular Policy Framework (MPF) on a Cisco ASA to inspect HTTP traffic and apply QoS. The engineer creates a class-map to match HTTP traffic using the 'match port tcp 80' command. However, the policy is not being applied correctly. What is the most likely reason?

A. The class-map should use 'match any' instead of 'match port tcp 80'.
B. The ASA does not support HTTP inspection via MPF.
C. The service-policy must be applied globally, not to an interface.
D. The default global inspection policy already inspects HTTP traffic, and the new policy may be overridden.

Answer: D

The default policy inspects HTTP; the new policy must be inserted before it or the default must be modified.

Why this answer

The default inspection policy (global_policy) already inspects HTTP. Applying a new policy for HTTP with default actions may conflict or be overridden. Also, class-map matching on port alone may not be sufficient if traffic is already handled by default inspection.

But the most common mistake is that the default policy already inspects HTTP traffic, and the new policy must be applied with higher priority or modified.

86. Multi-select (medium)

A Cisco FTD is deployed in a data center and needs to provide intrusion prevention and application control. Which two actions are available in an access control rule? (Choose two.)

Select 2 answers
A. Monitor
B. Encrypt
C. Redirect
D. Trust
E. Allow

Answers: D, E

Trust action allows traffic without further inspection.

Why this answer

In Cisco FTD access control policy, actions include: TRUST (bypass further inspection), ALLOW (permit with inspection), BLOCK (deny), and INTERACTIVE BLOCK (block with user notification).

87. MCQ (hard)

An engineer is deploying a Cisco FTD in inline mode and wants to inspect SSL/TLS traffic using the 'decrypt-resign' action. What must be configured on the client devices to avoid certificate errors?

A. Disable certificate validation on all client browsers.
B. Install the organization's CA certificate in the client's trusted root store.
C. Install the FTD's self-signed certificate on each client.
D. Use 'decrypt-known-key' instead, which does not require client configuration.

Answer: B

This ensures the re-signed certificates are trusted.

Why this answer

When using 'decrypt-resign', the FTD generates a new certificate signed by a CA that the organization controls. Clients must trust the organization's CA certificate (root CA) that is used to sign the re-encrypted certificates. Without that, clients will see certificate errors.

88. MCQ (hard)

A Cisco FTD is configured with a file policy to detect malware. The policy includes a rule to block files with a SHA-256 hash that is known to be malicious. Which component provides the SHA-256 disposition?

A. Network discovery database
B. Local malware cache
C. Cisco AMP cloud
D. Snort rules

Answer: C

Correct. AMP cloud provides SHA-256 disposition for known files.

Why this answer

Cisco AMP (Advanced Malware Protection) cloud provides threat intelligence including SHA-256 dispositions (clean, malicious, unknown). The FTD queries the AMP cloud for file disposition.

89. Multi-select (hard)

A Cisco FTD is configured with an access control policy that includes an intrusion policy. Which three actions can be set in an access control rule regarding intrusion inspection? (Choose three.)

Select 3 answers
A. Block with intrusion inspection
B. Interactive Block with intrusion inspection
C. Allow with intrusion inspection
D. Trust
E. Allow without intrusion inspection

Answers: C, D, E

Correct; traffic allowed and inspected.

Why this answer

Access control rules can be set to 'Allow' with intrusion inspection, 'Allow' without inspection, 'Trust' (bypass inspection), 'Block', or 'Interactive Block'. The question asks for actions regarding intrusion inspection; 'Allow' with inspection, 'Allow' without, and 'Trust' are three possible actions.

90. MCQ (easy)

Which statement accurately describes the difference between signature-based and anomaly-based intrusion detection?

A. Signature-based detection generates fewer false positives than anomaly-based detection.
B. Anomaly-based detection compares traffic against a baseline of normal behavior.
C. Anomaly-based detection is more effective against known attacks than signature-based.
D. Signature-based detection uses machine learning to identify unknown attacks.

Answer: B

Correct. Anomaly-based detection establishes a baseline and flags deviations.

Why this answer

Signature-based detection matches known attack patterns; anomaly-based detects deviations from a baseline of normal traffic.

91. MCQ (easy)

An engineer needs to allow inbound HTTP traffic from the internet to a web server in the DMZ on a Cisco ASA. The DMZ interface security level is 50, and the outside interface is 0. On which interface, and in which direction, should the access control entry be applied?

A. Inbound on the outside interface
B. Outbound on the DMZ interface
C. Outbound on the outside interface
D. Inbound on the DMZ interface

Answer: A

Correct. Traffic from lower to higher security level requires an ACL inbound on the lower security interface.

Why this answer

Traffic from outside (level 0) to DMZ (level 50) is inbound to the DMZ interface, so the ACL should be applied inbound on the outside interface or outbound on the DMZ interface; the standard approach is inbound on the lower security interface.

92. MCQ (easy)

Which interface security level is assigned to the inside interface on a Cisco ASA by default?

A. 100
B. 255
C. 0
D. 50

Answer: A

Default security level for inside is 100.

Why this answer

The Cisco ASA assigns security level 100 to the inside interface, 0 to the outside, and intermediate values for DMZ interfaces.

93. MCQ (medium)

A network administrator is configuring a site-to-site VPN between two Cisco ASA firewalls using IKEv2. Which component defines the encryption and authentication algorithms for the IPsec SA?

A. Crypto map
B. Group policy
C. ISAKMP policy
D. Transform set

Answer: D

Correct. Transform set specifies encryption and authentication for IPsec.

Why this answer

In IKEv2, IPsec SA parameters like encryption and authentication are defined in a transform set, which is then associated with a crypto map or VTI.

94. MCQ (medium)

A security engineer is configuring a Cisco FTD high availability pair in active/standby mode. Which statement is true about the failover configuration?

A. Failover is triggered only by manual intervention
B. Configuration changes are made independently on each unit
C. Both units process traffic simultaneously
D. The standby unit must have the same hardware and software version

Answer: D

Correct. For failover to work, both units must be identical in hardware and software.

Why this answer

In active/standby failover for FTD, the standby unit monitors the active unit's health via failover link and takes over if the active fails. Configuration synchronization is automatic from active to standby.

95. MCQ (medium)

An engineer wants to configure high availability on a pair of Cisco Firepower Threat Defense (FTD) devices. Which HA mode supports active/standby failover with stateful replication of connection information?

A. Active/standby with stateful failover
B. Active/standby without stateful failover
C. Active/active with asymmetric routing
D. Clustering

Answer: A

Correct. Active/standby replicates connection tables to the standby unit.

Why this answer

Active/standby HA with stateful failover syncs connection states. Active/active is typically for routed mode with asymmetric routing.

96. MCQ (hard)

An engineer observes that the Cisco ASA connection table shows a consistent number of entries for UDP traffic, but the xlate table shows no entries. What is the most likely reason?

A. The traffic is being dropped by ACLs
B. NAT is not configured for this traffic
C. The ASA is in transparent mode
D. UDP traffic does not create connections

Answer: B

Without NAT, xlate table is empty.

Why this answer

The xlate table holds NAT translations; if no NAT is configured, traffic passes without xlate entries, but connections are still tracked.

97. Multi-select (hard)

A company wants to deploy a DMZ segment accessible from the internet. Which THREE considerations are critical for firewall zone design and security?

Select 3 answers
A. Use separate firewall interfaces for inside, outside, and DMZ
B. DMZ servers should not initiate connections to the inside network
C. DMZ interface should have a security level of 100
D. Restrict inbound traffic from outside to DMZ to only required services
E. Allow all traffic from inside to DMZ without inspection

Answers: A, B, D

Segmentation requires separate interfaces/zones.

Why this answer

DMZ should have its own interface with a security level between inside and outside. Traffic from outside to DMZ should be restricted to necessary services. Inside to DMZ traffic should be permitted for management but initiated from inside.

98. MCQ (medium)

A network engineer is configuring a site-to-site VPN between two Cisco ASAs using IKEv2. Which component defines the encryption and hash algorithms for Phase 2?

A. IKEv2 proposal
B. Crypto map
C. ISAKMP policy
D. Transform set

Answer: D

Transform set defines Phase 2 proposals.

Why this answer

Transform sets define the Phase 2 parameters such as encryption and integrity algorithms.

99. Multi-select (medium)

A security administrator is configuring URL filtering on Cisco FTD. Which three categories are commonly used in URL filtering policies? (Choose three.)

Select 3 answers
A. Social Networking
B. Encrypted Traffic
C. Malware
D. Adult Content
E. Phishing

Answers: A, C, D

Correct; common category.

Why this answer

Common URL categories include Social Networking, Malware, and Adult Content. Phishing is a subcategory of Malware, but Malware is a top-level category. Streaming Media is also a standard category.

100. Multi-select (medium)

A company uses Cisco AnyConnect for remote access VPN. Which two components are used to enforce policies based on endpoint posture? (Choose two.)

Select 2 answers
A. Transform set
B. Dynamic Access Policy (DAP)
C. ISAKMP policy
D. Crypto map
E. Group policy

Answers: B, E

DAP uses endpoint attributes to dynamically apply access policies.

Why this answer

Dynamic Access Policies (DAP) and Group Policies are used with AnyConnect. DAP evaluates endpoint attributes (like antivirus status) to assign access policies, while Group Policies define VPN parameters.

101. MCQ (medium)

A Cisco Firepower administrator configures an access control policy with a rule that trusts traffic from a specific source network. What is the effect of the trust action on the traffic?

A. The traffic is blocked and logged.
B. The traffic is allowed without further inspection.
C. The traffic is allowed and inspected by the intrusion policy.
D. The traffic is allowed but subject to file policy.

Answer: B

Trust action permits traffic and skips additional inspection.

Why this answer

The trust action in Firepower bypasses further inspection (IPS, file, etc.) for matching traffic. It allows the traffic without any deep inspection, similar to a permit with fast-path.

102. MCQ (easy)

On a Cisco ASA, which NAT type allows multiple internal hosts to share a single public IP address by using different source ports?

A. PAT (overload)
B. Identity NAT
C. Static NAT
D. Dynamic NAT

Answer: A

Correct. PAT uses port numbers to multiplex multiple internal hosts to a single public IP.

Why this answer

PAT (Port Address Translation) or overload uses unique source ports to distinguish sessions from multiple internal hosts sharing one public IP.

103. MCQ (medium)

An organization wants to deploy Cisco Firepower in a high-availability pair with active/standby failover. Which management solution allows this configuration?

A. CLI only
B. FDM (on-box management)
C. FMC
D. ASDM

Answer: C

FMC supports HA configuration for FTD.

Why this answer

FMC (Firepower Management Center) supports high-availability configurations for FTD devices.

104. MCQ (medium)

A security analyst notices a high number of false positives from an intrusion detection system (IDS) using signature-based detection. Which action would best reduce false positives while maintaining detection of real threats?

A. Increase the sensor sensitivity level
B. Switch to anomaly-based detection
C. Disable all signatures with a high false positive rate
D. Decrease the severity threshold for alerts

Answer: C

Correct. Disabling specific problematic signatures reduces false positives while keeping others active.

Why this answer

False positives can be reduced by tuning signatures, such as adjusting thresholds or disabling specific signatures that are known to trigger incorrectly, rather than reducing sensor sensitivity broadly.

105. MCQ (medium)

A network architect is designing a DMZ for a web server that must be accessible from the internet. The server should not initiate connections to the internal network. Which firewall rule best achieves this?

A. Permit HTTP from DMZ to outside; deny all from inside to DMZ.
B. Permit HTTP from outside to DMZ; deny all from DMZ to inside.
C. Permit any from outside to DMZ; permit any from DMZ to inside.
D. Permit any from outside to DMZ; deny any from DMZ to outside.

Answer: B

Correct; allows external access but blocks DMZ from reaching inside.

Why this answer

To allow inbound traffic to the DMZ server but block outbound from DMZ to inside, an ACL on the DMZ interface should permit inbound traffic from outside and deny outbound to inside.

106. Multi-select (medium)

An engineer is configuring a Cisco AnyConnect SSL VPN for remote access. Which TWO features are commonly used to control access based on endpoint security posture?

Select 2 answers
A. IPsec transform set
B. Posture assessment (e.g., AnyConnect Posture module)
C. Group policy
D. Crypto map
E. Dynamic Access Policy (DAP)

Answers: B, E

Posture assessment checks endpoint compliance.

Why this answer

Dynamic Access Policy (DAP) allows access control based on endpoint attributes. Posture assessment checks for compliance. Group policies provide general VPN parameters but do not apply them dynamically based on posture.

107. MCQ (easy)

Which of the following is a benefit of using Dynamic Access Policy (DAP) for AnyConnect SSL VPN?

A. It eliminates the need for group policies.
B. It enables split tunneling automatically.
C. It provides load balancing across multiple VPN peers.
D. It enforces access based on endpoint security posture.

Answer: D

Correct. DAP uses endpoint attributes to determine access rights.

Why this answer

DAP allows granular access based on endpoint attributes such as antivirus status, registry keys, and location.

108. MCQ (medium)

An engineer is configuring a Cisco ASA to allow inbound HTTPS traffic from the outside to a web server on the DMZ. The outside interface has security level 0, the DMZ interface has security level 50, and the inside has security level 100. Which set of commands correctly allows the traffic considering stateful inspection?

A. static (outside,dmz) tcp 10.1.1.10 443 192.168.1.10 443 netmask 255.255.255.255; access-list OUTSIDE_IN permit tcp any host 10.1.1.10 eq 443; access-group OUTSIDE_IN in interface outside
B. nat (dmz,outside) static 192.168.1.10; access-list OUTSIDE_IN permit tcp any host 10.1.1.10 eq 443; access-group OUTSIDE_IN in interface dmz
C. static (dmz,outside) tcp 192.168.1.10 443 10.1.1.10 443 netmask 255.255.255.255; access-list OUTSIDE_IN permit tcp any host 192.168.1.10 eq 443; access-group OUTSIDE_IN in interface outside
D. access-list OUTSIDE_IN permit tcp any host 10.1.1.10 eq 443; access-group OUTSIDE_IN in interface outside; static (inside,outside) tcp 10.1.1.10 443 10.1.1.10 443 netmask 255.255.255.255

Answer: C

Correct: static NAT from DMZ to outside, ACL permits traffic to mapped IP, and ACL is applied inbound on outside.

Why this answer

By default, ASA allows traffic from higher to lower security levels without ACL, but for lower to higher an ACL is needed. Static NAT is required for inbound access, and an ACL permitting HTTPS from outside to DMZ is needed on the outside interface.

109. MCQ (medium)

Which Cisco Firepower feature uses SHA-256 hashes to determine the disposition of files and block malware?

A. Intrusion policy
B. File policy
C. SSL policy
D. Network discovery

Answer: B

File policy with AMP uses SHA-256 for disposition.

Why this answer

File policy with AMP cloud lookup uses SHA-256 to check file reputation.

110. MCQ (hard)

A Cisco FTD device is deployed in inline mode and configured with an SSL policy to decrypt traffic. The policy uses 'Decrypt - Known Key' for traffic to an internal server. What is required for this decryption to work?

A. The FTD must generate a new certificate for each session.
B. The server's certificate must be signed by a public CA.
C. The FTD must have the server's private key imported.
D. The client must trust the FTD's CA certificate.

Answer: C

Correct; the FTD needs the private key to decrypt traffic encrypted with the server's public key.

Why this answer

'Decrypt - Known Key' requires the server's private key to be imported into the FTD so it can decrypt the traffic by impersonating the server.

111. MCQ (easy)

Which of the following is a characteristic of a stateful firewall like Cisco ASA?

A. It filters traffic based solely on packet headers.
B. It maintains a state table of active connections.
C. It can only filter based on source IP address.
D. It requires a separate proxy for each application.

Answer: B

Correct. Stateful firewalls keep track of connections.

Why this answer

Stateful firewalls track the state of active connections and make decisions based on the state of the session.

112. MCQ (medium)

A company uses Cisco Firepower Management Center (FMC) to manage multiple FTD devices. They want to create an access control policy that allows traffic from a specific user group (Active Directory) to access a web server on the internet, but blocks all other traffic from that group to the internet. Which identity source should be configured in FMC?

A. LDAP
B. Local user database
D. Active Directory realm

Answer: D

Correct. FMC integrates with AD via realm to retrieve user and group information.

Why this answer

To map users to traffic, FMC integrates with Active Directory via the Identity Policy. The identity source can be configured using AD realm, and then user identities can be used in access control rules.

113. MCQ (hard)

A network engineer is deploying a Cisco FTD in active/standby high availability. Which statement is true about the configuration synchronization?

A. Configuration changes on the active unit are automatically replicated to the standby unit.
B. Standby unit must be configured separately with identical settings.
C. Both units can be managed independently via FMC.
D. Failover is configured on the FTD directly without FMC.

Answer: A

FMC pushes configuration to both units; active changes are synced to standby.

Why this answer

In FTD HA, configuration is synchronized from active to standby via FMC. The standby unit does not accept configuration changes directly.

114. MCQ (hard)

A Cisco FTD device is deployed in inline mode and is configured with an access control policy that includes an Intrusion Policy set to 'Balanced Security and Connectivity' and a File Policy with Malware & File blocking enabled. Traffic from a host inside to an external server is allowed by an access control rule. The administrator notices that a file download (PDF) is being blocked even though the file has a good reputation. What is the most likely cause?

A. The AMP cloud lookup returned an 'unknown' disposition and the policy blocks unknowns.
B. The access control rule requires a 'trust' action to bypass inspection.
C. The intrusion policy is set to 'Balanced' and the PDF contains a known exploit signature.
D. The file policy is configured to block PDF files regardless of disposition.

Answer: D

Correct. File policy can block file types even if they are not malicious.

Why this answer

The file policy may be configured to block files based on file type or other criteria regardless of malware disposition. In this case, the PDF may be blocked by file type restriction, not by malware detection. The Intrusion policy might also generate alerts but not block the file; the file policy is the one blocking.

115. MCQ (medium)

An organization is using Cisco FMC with FTD devices. They want to detect and block malware in HTTP traffic. Which policy component must be configured to inspect files and submit SHA-256 hashes to AMP cloud for disposition?

A. File Policy
B. Access Control Policy
C. Network Discovery Policy
D. Intrusion Policy

Answer: A

File policy inspects files and can perform AMP cloud lookup using SHA-256 to determine malware disposition.

Why this answer

File policy is used to inspect files, and it can be configured to send SHA-256 hashes to AMP cloud for malware detection. Intrusion policy is for signatures, access control policy for traffic flow, and network discovery for host detection.

116. MCQ (medium)

An engineer is configuring an ASA to allow inbound HTTP traffic from the outside to a server on the DMZ. The outside interface has security level 0 and the DMZ interface has security level 50. Which set of commands correctly implements the required access and NAT?

A. nat (outside,dmz) static 10.1.1.10; access-list dmz_access_in permit tcp any host 10.1.1.10 eq 80; access-group dmz_access_in in interface dmz
B. nat (inside,outside) static 10.1.1.10; access-list outside_access_in permit tcp any host 10.1.1.10 eq 80; access-group outside_access_in in interface outside
C. nat (dmz,outside) dynamic 10.1.1.10; access-list outside_access_in permit tcp any host 10.1.1.10 eq 80; access-group outside_access_in in interface outside
D. nat (dmz,outside) static 10.1.1.10; access-list outside_access_in permit tcp any host 10.1.1.10 eq 80; access-group outside_access_in in interface outside

Answer: D

Correct static NAT from DMZ to outside and ACL applied inbound on outside.

Why this answer

The ASA requires a static NAT for inbound traffic and an ACL on the outside interface to permit the traffic.

117. MCQ (easy)

Which Cisco Firepower management option is used for on-box management of a single FTD device, without a separate management center?

A. FDM (Firepower Device Manager)
B. Cisco Defense Orchestrator
C. FMC (Firepower Management Center)
D. ASA CLI

Answer: A

Correct. FDM is built into the FTD and manages a single device.

Why this answer

Firepower Device Manager (FDM) is the on-box management interface for a single FTD device. FMC is a centralized management platform for multiple devices.

118. MCQ (medium)

A network administrator is configuring site-to-site IPsec VPN between two Cisco ASAs using IKEv2. They want to ensure that only specific subnets are encrypted, using Virtual Tunnel Interface (VTI). Which configuration element is essential for VTI?

A. A crypto map applied to the physical interface.
B. A tunnel interface with an IP address and a crypto map.
C. A transform set with ESP encryption and authentication.
D. An ISAKMP policy with pre-shared key.

Answer: B

Correct. VTI requires a tunnel interface with an assigned IP address and a crypto map applied to it.

Why this answer

VTI uses a tunnel interface that is dedicated to the VPN, and the crypto map is applied to the tunnel interface rather than the physical interface. For IKEv2, the tunnel mode is enabled and the crypto map is applied to the VTI.

119. MCQ (hard)

An organization has a Cisco ASA with two interfaces: inside (security 100) and outside (security 0). They want to allow traffic from inside to outside without NAT for a specific subnet. Which configuration achieves this?

A. nat (inside,outside) dynamic interface
B. nat (inside,outside) source dynamic any interface
C. access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 any
D. nat (inside,outside) source static 192.168.1.0 192.168.1.0 no-proxy-arp route-lookup

Answer: D

This creates an identity NAT (no translation) for the subnet.

Why this answer

A NAT exemption rule with 'nat 0' (on ASA 9.x+) or 'nat (inside,outside) source static' with an identity NAT can be used. In modern ASA, 'nat (inside,outside) source static NET NET no-proxy-arp route-lookup' is typical.

120. Multi-select (hard)

An engineer is configuring a Cisco ASA to support a DMZ segment. Which three of the following are best practices for DMZ design? (Choose three.)

Select 3 answers
A. Place public-facing servers in the DMZ.
B. Restrict traffic initiated from the DMZ to the inside network.
C. Assign the DMZ interface a security level of 0.
D. Implement strict ACLs between outside and DMZ.
E. Use the same subnet for DMZ and inside networks.

Answers: A, B, D

DMZ hosts services accessible from outside.

Why this answer

DMZ should have a different security level (typically between inside and outside). Traffic from DMZ to inside should be restricted. Services in DMZ should be hardened.

The DMZ interface should be a separate physical or VLAN interface.

121. MCQ (hard)

In Cisco Firepower, a file policy is configured with a rule that detects malware. The action is set to 'Malware Cloud Lookup'. What happens if the SHA-256 hash of a file is unknown to the AMP cloud?

A. The file is blocked immediately.
B. The file is quarantined until the cloud responds.
C. The file is allowed and a retrospective alert is generated if later found malicious.
D. The file is sent for dynamic analysis in a sandbox.

Answer: C

Correct. Unknown files are typically allowed but later may be flagged.

Why this answer

When the hash is unknown, the file may be submitted for static or dynamic analysis depending on the disposition. If the hash is unknown, the file may be allowed or blocked based on additional configuration; typically it is allowed pending analysis.

122. MCQ (hard)

A Cisco FTD sensor is deployed in passive mode (IDS) and is receiving traffic via a network tap. The access control policy is configured with an intrusion policy set to 'Security over Connectivity'. However, the administrator notices that the sensor is not generating alerts for some attacks that were identified by a previous inline sensor. What is the most likely reason?

A. The sensor is in passive mode and cannot see return traffic due to asymmetric routing.
B. The access control policy requires an 'allow' action to perform intrusion inspection.
C. The intrusion policy is set to 'Security over Connectivity', which reduces false positives but may miss some attacks.
D. The intrusion policy is not configured to generate alerts.

Answer: A

Correct. Passive sensors rely on seeing both directions of traffic; asymmetric routing can cause missed detections.

Why this answer

In passive mode, the sensor cannot block traffic, but it should still detect and alert. If it's not alerting, perhaps the traffic is not being seen correctly (e.g., due to asymmetric routing or tap issues) or the intrusion policy is not applied correctly. However, given the scenario, a common issue is that passive deployment can miss attacks if traffic is not visible to the sensor.

123. MCQ (medium)

A network engineer is configuring NAT on a Cisco ASA for internal servers to be accessible from the internet. One server (10.1.1.10) must always be reachable via a fixed public IP (203.0.113.10). Which NAT type should be used?

A. Identity NAT
B. Dynamic NAT
C. Dynamic PAT (overload)
D. Static NAT

Answer: D

Correct; static NAT creates a permanent one-to-one mapping.

Why this answer

Static NAT provides a one-to-one fixed mapping between a private IP and a public IP, ensuring the server is always reachable via the same public address.

124. MCQ (hard)

A network security engineer is configuring site-to-site IPsec VPN between two Cisco ASA firewalls using IKEv2. Which of the following configuration elements is required to define the encryption and integrity algorithms for the IPsec SA?

A. Crypto map
B. Virtual Tunnel Interface (VTI)
C. Transform set
D. ISAKMP policy

Answer: C

Transform set defines the encryption and integrity algorithms for the IPsec SA.

Why this answer

In IKEv2, the IPsec SA parameters (encryption, integrity, etc.) are defined in the transform set. IKEv2 uses a single transform set. ISAKMP policy is for IKEv1 phase 1.

Crypto map binds the transform set to a peer and interface. VTI is a virtual interface for routing but not for algorithm definition.

125. Multi-select (medium)

An organization is planning to deploy Cisco FTD in a high-availability pair. Which two statements about active/active failover are true? (Choose two.)

Select 2 answers
A. It requires multiple context mode.
B. Both units can actively pass traffic.
C. Stateful failover is supported.
D. It is the default failover mode.
E. Configuration is not synchronized.

Answers: A, B

Correct; active/active is only supported in multiple context mode.

Why this answer

Active/active failover requires multiple context mode and both units can process traffic simultaneously. Stateful failover is supported only in active/standby.
