Scor 350-701-V7

SCOR 350-701 V7
Number: 350-701
Passing Score: 800
Time Limit: 120 min
File Version: 7.0
Updated june 23rd with 48 new questions from Securitytut

Exam A
QUESTION 1
In which form of attack is alternate encoding, such as hexadecimal representation, most often observed?
A. Smurf
B. distributed denial of service
C. cross-site scripting
D. rootkit exploit
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation
Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user.
The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will
most likely click on this link from another website, instant message, or simply just reading a web board or email
message.
Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods)
so the request is less suspicious looking to the user when clicked on.
For example the code below is written in hex:
<a
href=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#
x28&#x27&#x58&#x53&#x53&#x27&#x29>Click Here</a>
is equivalent to:
<a href=javascript:alert('XSS')>Click Here</a>

Note: In the format “&#xhhhh“, hhhh is the code point in hexadecimal form.
QUESTION 2
Which flaw does an attacker leverage when exploiting SQL injection vulnerabilities?
A. user input validation in a web page or web application

B. Linux and Windows operating systems
C. database
D. web page images
Correct Answer: A
Section: (none)
Explanation
Explanation
SQL injection usually occurs when you ask a user for input, like their username/userid, but the user gives
(“injects”) you an SQL statement that you will unknowingly run on your database. For example:
Look at the following example, which creates a SELECT statement by adding a variable (txtUserId) to a select
string. The variable is fetched from user input (getRequestString):
txtUserId = getRequestString(“UserId”);
txtSQL = “SELECT * FROM Users WHERE UserId = ” + txtUserId;
If user enter something like this: “100 OR 1=1” then the SQL statement will look like this:
SELECT * FROM Users WHERE UserId = 100 OR 1=1;

The SQL above is valid and will return ALL rows from the “Users” table, since OR 1=1 is always TRUE. A
hacker might get access to all the user names and passwords in this database.
QUESTION 3
Which two prevention techniques are used to mitigate SQL injection attacks? (Choose two)
A. Check integer, float, or Boolean string parameters to ensure accurate values.

B. Use prepared statements and parameterized queries.
C. Secure the connection between the web and the app tier.
D. Write SQL code instead of using object-relational mapping libraries.
E. Block SQL code execution in the web application database login.
Correct Answer: AB
Section: (none)
Explanation
QUESTION 4
Which two endpoint measures are used to minimize the chances of falling victim to phishing and social
engineering attacks? (Choose two)
A. Patch for cross-site scripting.

B. Perform backups to the private cloud.
C. Protect against input validation and character escapes in the endpoint.
D. Install a spam and virus email filter.
E. Protect systems with an up-to-date antimalware program.
Correct Answer: DE
Section: (none)
Explanation
Explanation
Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable
source. It is usually done through email. The goal is to steal sensitive data like credit card and login information,
or to install malware on the victim’s machine.
QUESTION 5
Which two mechanisms are used to control phishing attacks? (Choose two)
A. Enable browser alerts for fraudulent websites.

B. Define security group memberships.
C. Revoke expired CRL of the websites.
D. Use antispyware software.
E. Implement email filtering techniques.
Correct Answer: AE
Section: (none)
Explanation
QUESTION 6
Which two behavioral patterns characterize a ping of death attack? (Choose two)
A. The attack is fragmented into groups of 16 octets before transmission.

B. The attack is fragmented into groups of 8 octets before transmission.
C. Short synchronized bursts of traffic are used to disrupt TCP connections.
D. Malformed packets are used to crash systems.
E. Publicly accessible DNS servers are typically used to execute the attack.
Correct Answer: BD
Section: (none)
Explanation
Explanation
Ping of Death (PoD) is a type of Denial of Service (DoS) attack in which an attacker attempts to crash,
destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a
simple ping command.
A correctly-formed ping packet is typically 56 bytes in size, or 64 bytes when the ICMP header is considered,
and 84 including Internet Protocol version 4 header. However, any IPv4 packet (including pings) may be as
large as 65,535 bytes. Some computer systems were never designed to properly handle a ping packet larger
than the maximum packet size because it violates the Internet Protocol documented
Like other large but well-formed packets, a ping of death is fragmented into groups of 8 octets before
transmission. However, when the target computer reassembles the malformed packet, a buffer overflow can
occur, causing a system crash and potentially allowing the injection of malicious code.
QUESTION 7
Which two preventive measures are used to control cross-site scripting? (Choose two)
A. Enable client-side scripts on a per-domain basis.

B. Incorporate contextual output encoding/escaping.
C. Disable cookie inspection in the HTML inspection engine.
D. Run untrusted HTML input through an HTML sanitization engine.
E. Same Site cookie attribute should not be used.
Correct Answer: AB
Section: (none)
Explanation
QUESTION 8
What is the difference between deceptive phishing and spear phishing?
A. Deceptive phishing is an attacked aimed at a specific user in the organization who holds a C-level role.
B. A spear phishing campaign is aimed at a specific person versus a group of people.
C. Spear phishing is when the attack is aimed at the C-level executives of an organization.
D. Deceptive phishing hijacks and manipulates the DNS server of the victim and redirects the user to a false
webpage.
Correct Answer: B
Section: (none)
Explanation
Explanation
In deceptive phishing, fraudsters impersonate a legitimate company in an attempt to steal people’s personal
data or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing
what the attackers want.
Spear phishing is carefully designed to get a single recipient to respond. Criminals select an individual target
within an organization, using social media and other public information – and craft a fake email tailored for that
person.
QUESTION 9
Which attack is commonly associated with C and C++ programming languages?
A. cross-site scripting
B. water holing
C. DDoS
D. buffer overflow
Correct Answer: D
Section: (none)
Explanation
Explanation
A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the storage capacity of the
memory buffer. As a result, the program attempting to write the data to the buffer overwrites adjacent memory
locations.
Buffer overflow is a vulnerability in low level codes of C and C++. An attacker can cause the program to crash,
make data corrupt, steal some private information or run his/her own code. It basically means to access any
buffer outside of it’s alloted memory space. This happens quite frequently in the case of arrays.
QUESTION 10
What is a language format designed to exchange threat intelligence that can be transported over the TAXII
protocol?
A. STIX
B. XMPP
C. pxGrid
D. SMTP
Correct Answer: A
Section: (none)
Explanation
Explanation
TAXII (Trusted Automated Exchange of Indicator Information) is a standard that provides a transport
mechanism (data exchange) of cyber threat intelligence information in STIX (Structured Threat Information
eXpression) format. In other words, TAXII servers can be used to author and exchange STIX documents
among participants.
STIX (Structured Threat Information eXpression) is a standardized language which has been developed in a
collaborative way in order to represent structured information about cyber threats. It has been developed so it
can be shared, stored, and otherwise used in a consistent manner that facilitates automation and human
assisted analysis.
QUESTION 11
Which two capabilities does TAXII support? (Choose two)
A. Exchange
B. Pull messaging
C. Binding
D. Correlation
E. Mitigating
Correct Answer: BC
Section: (none)
Explanation
Explanation
The Trusted Automated eXchangeof Indicator Information (TAXII) specifies mechanisms for exchanging
structured cyber threat information between parties over the network.
TAXII exists to provide specific capabilities to those interested in sharing structured cyber threat information.
TAXII Capabilities are the highest level at which TAXII actions can be described. There are three capabilities
that this version of TAXII supports: push messaging, pull messaging, and discovery.
Although there is no “binding” capability in the list but it is the best answer here.
QUESTION 12
Which two risks is a company vulnerable to if it does not have a well-established patching solution for
endpoints? (Choose two)
A. exploits
B. ARP spoofing
C. denial-of-service attacks
D. malware
E. eavesdropping
Correct Answer: AD
Section: (none)
Explanation
Explanation
Malware means “malicious software”, is any software intentionally designed to cause damage to a computer,
server, client, or computer network. The most popular types of malware includes viruses, ransomware and
spyware.
Virus
Possibly the most common type of malware, viruses attach their malicious code to clean code and wait to be
run.
Ransomware is malicious software that infects your computer and displays messages demanding a fee to be
paid in order for your system to work again.
Spyware is spying software that can secretly record everything you enter, upload, download, and store on your
computers or mobile devices. Spyware always tries to keep itself hidden.
An exploit is a code that takes advantage of a software vulnerability or security flaw.
Exploits and malware are two risks for endpoints that are not up to date. ARP spoofing and eavesdropping are
attacks against the network while denial-of-service attack is based on the flooding of IP packets.
QUESTION 13
Which PKI enrollment method allows the user to separate authentication and enrollment actions and also
provides an option to specify HTTP/TFTP commands to perform file retrieval from the server?
A. url
B. terminal
C. profile
D. selfsigned
Correct Answer: C
Section: (none)
Explanation
Explanation
A trustpoint enrollment mode, which also defines the trustpoint authentication mode, can be performed via 3
main methods:
1. Terminal Enrollment – manual method of performing trustpoint authentication and certificate enrolment using
copy-paste in the CLI terminal.
2. SCEP Enrollment – Trustpoint authentication and enrollment using SCEP over HTTP.
3. Enrollment Profile – Here, authentication and enrollment methods are defined separately. Along with terminal
and SCEP enrollment methods, enrollment profiles provide an option to specify HTTP/TFTP commands to
perform file retrieval from the Server, which is defined using an authentication or enrollment url under the
profile.
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/211333-IOS-
PKI-Deployment-Guide-Initial-Design.html
QUESTION 14
What are two rootkit types? (Choose two)
A. registry
B. virtual
C. bootloader
D. user mode
E. buffer mode
Correct Answer: CD
Section: (none)
Explanation
Explanation
The term ‘rootkit’ originally comes from the Unix world, where the word ‘root’ is used to describe a user with the
highest possible level of access privileges, similar to an ‘Administrator’ in Windows. The word ‘kit’ refers to the
software that grants root-level access to the machine. Put the two together and you get ‘rootkit’, a program that
gives someone – with legitimate or malicious intentions – privileged access to a computer.
There are four main types of rootkits: Kernel rootkits, User mode rootkits, Bootloader rootkits, Memory rootkits
QUESTION 15
Which form of attack is launched using botnets?
A. EIDDOS
B. virus
C. DDOS
D. TCP flood
Correct Answer: C
Section: (none)
Explanation
Explanation
A botnet is a collection of internet-connected devices infected by malware that allow hackers to control them.
Cyber criminals use botnets to instigate botnet attacks, which include malicious activities such as credentials
leaks, unauthorized access, data theft and DDoS attacks.
QUESTION 16
Which threat involves software being used to gain unauthorized access to a computer system?
A. virus
B. NTP amplification
C. ping of death
D. HTTP flood
Correct Answer: A
Section: (none)
Explanation
QUESTION 17
Which type of attack is social engineering?
A. trojan
B. phishing
C. malware
D. MITM
Correct Answer: B
Section: (none)
Explanation
Explanation
Phishing is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal,
often financial, information. Attackers may send email seemingly from a reputable credit card company or
financial institution that requests account information, often suggesting that there is a problem.
QUESTION 18
Which two key and block sizes are valid for AES? (Choose two)
A. 64-bit block size, 112-bit key length

B. 64-bit block size, 168-bit key length
C. 128-bit block size, 192-bit key length
D. 128-bit block size, 256-bit key length
E. 192-bit block size, 256-bit key length
Correct Answer: CD
Section: (none)
Explanation
Explanation
The AES encryption algorithm encrypts and decrypts data in blocks of 128 bits (block size). It can do this using
128-bit, 192-bit, or 256-bit keys
QUESTION 19
Which two descriptions of AES encryption are true? (Choose two)
A. AES is less secure than 3DES.

B. AES is more secure than 3DES.
C. AES can use a 168-bit key for encryption.
D. AES can use a 256-bit key for encryption.
E. AES encrypts and decrypts a key three times in sequence.
Correct Answer: BD
Section: (none)
Explanation
QUESTION 20
Which algorithm provides encryption and authentication for data plane communication?
A. AES-GCM
B. SHA-96
C. AES-256
D. SHA-384
Correct Answer: A
Section: (none)
Explanation
Explanation
The data plane of any network is responsible for handling data packets that are transported across the network.
(The data plane is also sometimes called the forwarding plane.)
Maybe this Qwants to ask about the encryption and authentication in the data plane of a SD-WAN network (but
SD-WAN is not a topic of the SCOR 350-701 exam?).
In the Cisco SD-WAN network for unicast traffic, data plane encryption is done by AES-256-GCM, a symmetric-
key algorithm that uses the same key to encrypt outgoing packets and to decrypt incoming packets. Each router
periodically generates an AES key for its data path (specifically, one key per TLOC) and transmits this key to
the vSmart controller in OMP route packets, which are similar to IP route updates.
Reference: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/vedge/security-book/
security-overview.html
QUESTION 21
Elliptic curve cryptography is a stronger more efficient cryptography method meant to replace which current
encryption technology?
A. 3DES
B. RSA
C. DES
D. AES
Correct Answer: B
Section: (none)
Explanation
Explanation
Compared to RSA, the prevalent public-key cryptography of the Internet today, Elliptic Curve Cryptography
(ECC) offers smaller key sizes, faster computation,as well as memory, energy and bandwidth savings and is
thus better suited forsmall devices.
QUESTION 22
What is the result of running the crypto isakmp key ciscXXXXXXXX address 172.16.0.0 command?
A. authenticates the IKEv2 peers in the 172.16.0.0/16 range by using the key ciscXXXXXXXX
B. authenticates the IP address of the 172.16.0.0/32 peer by using the key ciscXXXXXXXX
C. authenticates the IKEv1 peers in the 172.16.0.0/16 range by using the key ciscXXXXXXXX
D. secures all the certificates in the IKE exchange by using the key ciscXXXXXXXX
Correct Answer: B
Section: (none)
Explanation
Explanation
The syntax of above command is:
crypto isakmp key enc-type-digit keystring {address peer-address [mask] | ipv6 ipv6-address/ ipv6-prefix |
hostname hostname} [no-xauth]
The peer-address argument specifies the IP or IPv6 address of the remote peer.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-
c4.html#wp6039879000
QUESTION 23
Which technology must be used to implement secure VPN connectivity among company branches over a
private IP cloud with any-to-any scalable connectivity?
A. DMVPN
B. FlexVPN
C. IPsec DVTI
D. GET VPN
Correct Answer: D
Section: (none)
Explanation
Explanation
Cisco‘s Group Encrypted Transport VPN (GETVPN) introduces the concept of a trusted group to eliminate
point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security
association (SA), also known as a group SA. This enables GMs to decrypt traffic that was encrypted by any
other GM.
GETVPN provides instantaneous large-scale any-to-any IP connectivity using a group IPsec security paradigm.
Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/
GETVPN_DIG_version_2_0_External.pdf
QUESTION 24
Which two conditions are prerequisites for stateful failover for IPsec? (Choose two)
A. Only the IKE configuration that is set up on the active device must be duplicated on the standby device; the
IPsec configuration is copied automatically
B. The active and standby devices can run different versions of the Cisco IOS software but must be the same
type of device.
C. The IPsec configuration that is set up on the active device must be duplicated on the standby device
D. Only the IPsec configuration that is set up on the active device must be duplicated on the standby device;
the IKE configuration is copied automatically.
E. The active and standby devices must run the same version of the Cisco IOS software and must be the
same type of device.
Correct Answer: CE
Section: (none)
Explanation
Explanation
Stateful failover for IP Security (IPsec) enables a router to continue processing and forwarding IPsec packets
after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically
takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This
failover process is transparent to users and does not require adjustment or reconfiguration of any remote peer.
Stateful failover for IPsec requires that your network contains two identical routers that are available to be either
the primary or secondary device. Both routers should be the same type of device, have the same CPU and
memory, and have either no encryption accelerator or identical encryption accelerators.
Prerequisites for Stateful Failover for IPsec

Complete, Duplicate IPsec and IKE Configuration on the Active and Standby Devices
This document assumes that you have a complete IKE and IPsec configuration.
The IKE and IPsec configuration that is set up on the active device must be duplicated on the standby device.
That is, the crypto configuration must be identical with respect to Internet Security Association and Key
Management Protocol (ISAKMP) policy, ISAKMP keys (preshared), IPsec profiles, IPsec transform sets, all
crypto map sets that are used for stateful failover, all access control lists (ACLs) that are used in match address
statements on crypto map sets, all AAA configurations used for crypto, client configuration groups, IP local
pools used for crypto, and ISAKMP profiles.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpn-
availability-15-mt-book/sec-state-fail-ipsec.html
Although the prerequisites only stated that “Both routers should be the same type of device” but in the
“Restrictions for Stateful Failover for IPsec” section of the link above, it requires “Both the active and standby
devices must run the identical version of the Cisco IOS software” so answer E is better than answer B.
QUESTION 25
Which VPN technology can support a multivendor environment and secure traffic between sites?
A. SSL VPN
B. GET VPN
C. FlexVPN
D. DMVPN
Correct Answer: C
Section: (none)
Explanation
Explanation
FlexVPN is an IKEv2-based VPN technology that provides several benefits beyond traditional site-to-site VPN
implementations. FlexVPN is a standards-based solution that can interoperate with non-Cisco IKEv2
implementations. Therefore FlexVPN can support a multivendor environment. All of the three VPN technologies
support traffic between sites (site-to-site or spoke-to-spoke).
QUESTION 26
A network engineer is configuring DMVPN and entered the crypto isakmp key cisc0380739941 address 0.0.0.0
command on hostA. The tunnel is not being established to hostB. What action is needed to authenticate the
VPN?
A. Change isakmp to ikev2 in the command on hostA.

B. Enter the command with a different password on hostB.
C. Enter the same command on hostB.
D. Change the password on hostA to the default password.
Correct Answer: C
Section: (none)
Explanation
QUESTION 27
Refer to the exhibit.
A network administrator configured a site-to-site VPN tunnel between two Cisco IOS routers, and hosts are
unable to communicate between two sites of VPN. The network administrator runs the debug crypto isakmp sa
command to track VPN status. What is the problem according to this command output?
A. hashing algorithm mismatch

B. encryption algorithm mismatch
C. authentication key mismatch
D. interesting traffic was not applied
Correct Answer: C
Section: (none)
Explanation
QUESTION 28
What is a difference between FlexVPN and DMVPN?
A. DMVPN uses IKEv1 or IKEv2, FlexVPN only uses IKEv1

B. DMVPN uses only IKEv1 FlexVPN uses only IKEv2
C. FlexVPN uses IKEv2, DMVPN uses IKEv1 or IKEv2
D. FlexVPN uses IKEv1 or IKEv2, DMVPN uses only IKEv2
Correct Answer: C
Section: (none)
Explanation
QUESTION 29
Which protocol provides the strongest throughput performance when using Cisco AnyConnect VPN?
A. TLSv1.2
B. TLSv1.1
C. BJTLSv1
D. DTLSv1
Correct Answer: D
Section: (none)
Explanation
Explanation
DTLS is used for delay sensitive applications (voice and video) as its UDP based while TLS is TCP based.
Therefore DTLS offers strongest throughput performance. The throughput of DTLS at the time of AnyConnect
connection can be expected to have processing performance close to VPN throughput.
QUESTION 30
What is a commonality between DMVPN and FlexVPN technologies?
A. FlexVPN and DMVPN use IS-IS routing protocol to communicate with spokes
B. FlexVPN and DMVPN use the new key management protocol
C. FlexVPN and DMVPN use the same hashing algorithms
D. IOS routers run the same NHRP code for DMVPN and FlexVPN
Correct Answer: D
Section: (none)
Explanation
Explanation
In its essence, FlexVPN is the same as DMVPN. Connections between devices are still point-to-point GRE
tunnels, spoke-to-spoke connectivity is still achieved with NHRP redirect message, IOS routers even run the
same NHRP code for both DMVPN and FlexVPN, which also means that both are Cisco’s proprietary
technologies.
Reference: https://packetpushers.net/cisco-flexvpn-dmvpn-high-level-design/
QUESTION 31
The main function of northbound APIs in the SDN architecture is to enable communication between which two
areas of a network?
A. SDN controller and the cloud

B. management console and the SDN controller
C. management console and the cloud
D. SDN controller and the management solution
Correct Answer: D
Section: (none)
Explanation
QUESTION 32
Which two features of Cisco DNA Center are used in a Software Defined Network solution? (Choose two)
A. accounting
B. assurance
C. automation
D. authentication
E. encryption
Correct Answer: BC
Section: (none)
Explanation
Explanation
What Cisco DNA Center enables you to do
Automate: Save time by using a single dashboard to manage and automate your network. Quickly scale your
business with intuitive workflows and reusable templates. Configure and provision thousands of network
devices across your enterprise in minutes, not hours.
Secure policy: Deploy group-based secure access and network segmentation based on business needs. With
Cisco DNA Center, you apply policy to users and applications instead of to your network devices. Automation
reduces manual operations and the costs associated with human errors, resulting in more uptime and improved
security. Assurance then assesses the network and uses context to turn data into intelligence, making sure that
changes in the network device policies achieve your intent.
Assurance: Monitor, identify, and react in real time to changing network and wireless conditions. Cisco DNA
Center uses your network’s wired and wireless devices to create sensors everywhere, providing real-time
feedback based on actual network conditions. The Cisco DNA Assurance engine correlates network sensor
insights with streaming telemetry and compares this with the current context of these data sources. With a
quick check of the health scores on the Cisco DNA Center dashboard, you can see where there is a
performance issue and identify the most likely cause in minutes.
Extend ecosystem: With the new Cisco DNA Center platform, IT can now integrate Cisco® solutions and third-
party technologies into a single network operation for streamlining IT workflows and increasing business value
and innovation. Cisco DNA Center allows you to run the network with open interfaces with IT and business
applications, integrates across IT operations and technology domains, and can manage heterogeneous
network devices.
Reference: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-
cisco-dna-center-aag-cte-en.html
QUESTION 33
Which functions of an SDN architecture require southbound APIs to enable communication?
A. SDN controller and the network elements

B. management console and the SDN controller
C. management console and the cloud
D. SDN controller and the cloud
Correct Answer: A
Section: (none)
Explanation
Explanation
The Southbound API is used to communicate between Controllers and network devices.
QUESTION 34
Which API is used for Content Security?
A. NX-OS API
B. IOS XR API
C. OpenVuln API
D. AsyncOS API
Correct Answer: D
Section: (none)
Explanation
QUESTION 35
Which two request of REST API are valid on the Cisco ASA Platform? (Choose two)
A. put
B. options
C. get
D. push
E. connect
Correct Answer: AC
Section: (none)
Explanation
Explanation
The ASA REST API gives you programmatic access to managing individual ASAs through a Representational
State Transfer (REST) API. The API allows external clients to perform CRUD (Create, Read, Update, Delete)
operations on ASA resources; it is based on the HTTPS protocol and REST methodology.
All API requests are sent over HTTPS to the ASA, and a response is returned.
Request Structure
Available request methods are:
GET – Retrieves data from the specified object.
PUT – Adds the supplied information to the specified object; returns a 404 Resource Not Found error if the
object does not exist.
POST – Creates the object with the supplied information.
DELETE – Deletes the specified object.
PATCH – Applies partial modifications to the specified object.
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/api/qsg-asa-api.html
QUESTION 36
What is the result of this Python script of the Cisco DNA Center API?
A. adds authentication to a switch

B. adds a switch to Cisco DNA Center
C. receives information about a switch
Correct Answer: B
Section: (none)
Explanation
QUESTION 37
What does the API do when connected to a Cisco security appliance?
A. get the process and PID information from the computers in the network
B. create an SNMP pull mechanism for managing AMP
C. gather network telemetry information from AMP for endpoints
D. gather the network interface information about the computers AMP sees
Correct Answer: D
Section: (none)
Explanation
Explanation
The call to API of “https://api.amp.cisco.com/v1/computers” allows us to fetch list of computers across your
organization that Advanced Malware Protection (AMP) sees.
Reference: https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%
2Fcomputers&api_host=api.apjc.amp.cisco.com&api_resource=Computer&api_version=v1
QUESTION 38
Which feature requires a network discovery policy on the Cisco Firepower Next Generation Intrusion Prevention
System?
A. Security Intelligence
B. Impact Flags
C. Health Monitoring
D. URL Filtering
Correct Answer: B
Section: (none)
Explanation
QUESTION 39
Which two deployment model configurations are supported for Cisco FTDv in AWS? (Choose two)
A. Cisco FTDv configured in routed mode and managed by an FMCv installed in AWS
B. Cisco FTDv with one management interface and two traffic interfaces configured
C. Cisco FTDv configured in routed mode and managed by a physical FMC appliance on premises
D. Cisco FTDv with two management interfaces and one traffic interface configured
E. Cisco FTDv configured in routed mode and IPv6 configured
Correct Answer: AC
Section: (none)
Explanation
QUESTION 40
Which option is the main function of Cisco Firepower impact flags?
A. They alert administrators when critical events occur.

B. They highlight known and suspected malicious IP addresses in reports.
C. They correlate data about intrusions and vulnerability.
D. They identify data that the ASA sends to the Firepower module.
Correct Answer: C
Section: (none)
Explanation
QUESTION 41
On Cisco Firepower Management Center, which policy is used to collect health modules alerts from managed
devices?
A. health policy
B. system policy
C. correlation policy
D. access control policy
E. health awareness policy
Correct Answer: A
Section: (none)
Explanation
QUESTION 42
Which license is required for Cisco Security Intelligence to work on the Cisco Next Generation Intrusion
Prevention System?
A. control
B. malware
C. URL filtering
D. protect
Correct Answer: D
Section: (none)
Explanation
QUESTION 43
Which two are valid suppression types on a Cisco Next Generation Intrusion Prevention System? (Choose two)
A. Port
B. Rule
C. Source
D. Application
E. Protocol
Correct Answer: BC
Section: (none)
Explanation
QUESTION 44
Which feature is configured for managed devices in the device platform settings of the Firepower Management
Center?
A. quality of service
B. time synchronization
C. network address translations
D. intrusion policy
Correct Answer: B
Section: (none)
Explanation
QUESTION 45
Which information is required when adding a device to Firepower Management Center?
A. username and password

B. encryption method
C. device serial number
D. registration key
Correct Answer: D
Section: (none)
Explanation
QUESTION 46
Which two deployment modes does the Cisco ASA FirePower module support? (Choose two)
A. transparent mode
B. routed mode
C. inline mode
D. active mode
E. passive monitor-only mode
Correct Answer: CE
Section: (none)
Explanation
Explanation
You can configure your ASA FirePOWER module using one of the following deployment models:
You can configure your ASA FirePOWER module in either an inline or a monitor-only (inline tap or
passive) deployment.
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/firewall/asa-firewall-asdm/
modules-sfr.html
QUESTION 47
The Cisco ASA must support TLS proxy for encrypted Cisco Unified Communications traffic. Where must the
ASA be added on the Cisco UC Manager platform?
A. Certificate Trust List

B. Endpoint Trust List
C. Enterprise Proxy Service
D. Secured Collaboration Proxy
Correct Answer: A
Section: (none)
Explanation
QUESTION 48
Which statement about the configuration of Cisco ASA NetFlow v9 Secure Event Logging is true?
A. To view bandwidth usage for NetFlow records, the QoS feature must be enabled.
B. A sysopt command can be used to enable NSEL on a specific interface.
C. NSEL can be used without a collector configured.
D. A flow-export event type must be defined under a policy.
Correct Answer: D
Section: (none)
Explanation
QUESTION 49
Which feature is supported when deploying Cisco ASAv within AWS public cloud?
A. multiple context mode

B. user deployment of Layer 3 networks
C. IPv6
D. clustering
Correct Answer: B
Section: (none)
Explanation
Explanation
The ASAv on AWS supports the following features:
+ Support for Amazon EC2 C5 instances, the next generation of the Amazon EC2 Compute Optimized instance
family.
+ Deployment in the Virtual Private Cloud (VPC)
+ Enhanced networking (SR-IOV) where available
+ Deployment from Amazon Marketplace
+ Maximum of four vCPUs per instance
+ User deployment of L3 networks
+ Routed mode (default)
Note: The Cisco Adaptive Security Virtual Appliance (ASAv) runs the same software as physical Cisco ASAs to
deliver proven security functionality in a virtual form factor. The ASAv can be deployed in the public AWS cloud.
It can then be configured to protect virtual and physical data center workloads that expand, contract, or shift
their location over time.
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asav/quick-start-book/asav-96-qsg/asav-
aws.html
QUESTION 50
Which statement describes a traffic profile on a Cisco Next Generation Intrusion Prevention System?
A. It allows traffic if it does not meet the profile.

B. It defines a traffic baseline for traffic anomaly deduction.
C. It inspects hosts that meet the profile with more intrusion rules.
D. It blocks traffic if it does not meet the profile.
Correct Answer: B
Section: (none)
Explanation
QUESTION 51
Which statement about IOS zone-based firewalls is true?
A. An unassigned interface can communicate with assigned interfaces
B. Only one interface can be assigned to a zone.
C. An interface can be assigned to multiple zones.
D. An interface can be assigned only to one zone.
Correct Answer: D
Section: (none)
Explanation
QUESTION 52
What is a characteristic of Cisco ASA Netflow v9 Secure Event Logging?
A. It tracks flow-create, flow-teardown, and flow-denied events.

B. It provides stateless IP flow tracking that exports all records of a specific flow.
C. It tracks the flow continuously and provides updates every 10 seconds.
D. Its events match all traffic classes in parallel.
Correct Answer: A
Section: (none)
Explanation
Explanation
The ASA and ASASM implementations of NetFlow Secure Event Logging (NSEL) provide a stateful, IP flow
tracking method that exports only those records that indicate significant events in a flow.
The significant events that are tracked include flow-create, flow-teardown, and flow-denied (excluding those
flows that are denied by EtherType ACLs).
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/
monitor-nsel.html
QUESTION 53
Which CLI command is used to register a Cisco FirePower sensor to Firepower Management Center?
A. configure system add <host><key>

B. configure manager <key> add host
C. configure manager delete
D. configure manager add <host><key>
Correct Answer: D
Section: (none)
Explanation
QUESTION 54
Which policy is used to capture host information on the Cisco Firepower Next Generation Intrusion Prevention
System?
A. Correlation
B. Intrusion
C. Access Control
D. Network Discovery
Correct Answer: D
Section: (none)
Explanation
Explanation
The Firepower System uses network discovery and identity policies to collect host, application, and user data
for traffic on your network. You can use certain types of discovery and identity data to build a comprehensive
map of your network assets, perform forensic analysis, behavioral profiling, access control, and mitigate and
respond to the vulnerabilities and exploits to which your organization is susceptible.
You can configure your network discovery policy to perform host and application detection.
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-
guide-v64/introduction_to_network_discovery_and_identity.html
QUESTION 55
Which ASA deployment mode can provide separation of management on a shared appliance?
A. DMZ multiple zone mode

B. transparent firewall mode
C. multiple context mode
D. routed mode
Correct Answer: C
Section: (none)
Explanation
QUESTION 56
Refer to the exhibit. What is a result of the configuration?
A. Traffic from the DMZ network is redirected
B. Traffic from the inside network is redirected
C. All TCP traffic is redirected
D. Traffic from the inside and DMZ networks is redirected
Correct Answer: D
Section: (none)
Explanation
Explanation
The purpose of above commands is to redirect traffic that matches the ACL “redirect-acl” to the Cisco
FirePOWER (SFR) module in the inline (normal) mode. In this mode, after the undesired traffic is dropped and
any other actions that are applied by policy are performed, the traffic is returned to the ASA for further
processing and ultimate transmission.
The command “service-policy global_policy global” applies the policy to all of the interfaces.
Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-
firepower-00.html
QUESTION 57
Which policy represents a shared set of features or parameters that define the aspects of a managed device
that are likely to be similar to other managed devices in a deployment?
A. Group Policy
B. Access Control Policy
C. Device Management Policy
D. Platform Service Policy
Correct Answer: D
Section: (none)
Explanation
Explanation
Cisco Firepower deployments can take advantage of platform settings policies. A platform settings policy is a
shared set of features or parameters that define the aspects of a managed device that are likely to be similar to
other managed devices in your deployment, such as time settings and external authentication. Examples of
these platform settings policies are time and date settings, external authentication, and other common
administrative features.
A shared policy makes it possible to configure multiple managed devices at once, which provides consistency
in your deployment and streamlines your management efforts. Any changes to a platform settings policy affects
all the managed devices where you applied the policy. Even if you want different settings per device, you must
create a shared policy and apply it to the desired device.
For example, your organization’s security policies may require that your appliances have a “No Unauthorized
Use” message when a user logs in. With platform settings, you can set the login banner once in a platform
settings policy.
guide-v62/platform_settings_policies_for_managed_devices.html
Therefore the answer should be “Platform Settings Policy”, not “Platform Service Policy” but it is the best
answer here so we have to choose it.
QUESTION 58
Which two tasks allow NetFlow on a Cisco ASA 5500 Series firewall? (Choose two)
A. Enable NetFlow Version 9.

B. Create an ACL to allow UDP traffic on port 9996.
C. Apply NetFlow Exporter to the outside interface in the inbound direction.
D. Create a class map to match interesting traffic.
E. Define a NetFlow collector by using the flow-export command.
Correct Answer: CE
Section: (none)
Explanation
QUESTION 59
A mall provides security services to customers with a shared appliance. The mall wants separation of
management on the shared appliance. Which ASA deployment mode meets these needs?
A. routed mode
B. transparent mode
C. multiple context mode
D. multiple zone mode
Correct Answer: C
Section: (none)
Explanation
QUESTION 60
What is a characteristic of Firepower NGIPS inline deployment mode?
A. ASA with Firepower module cannot be deployed.
B. It cannot take actions such as blocking traffic.
C. It is out-of-band from traffic.
D. It must have inline interface pairs configured.
Correct Answer: D
Section: (none)
Explanation
QUESTION 61
An engineer wants to generate NetFlow records on traffic traversing the Cisco ASA. Which Cisco ASA
command must be used?
A. flow-export destination inside 1.1.1.1 2055

B. ip flow monitor input
C. ip flow-export destination 1.1.1.1 2055
D. flow exporter
Correct Answer: A
Section: (none)
Explanation
Explanation
The syntax of this command is: flow-export destination interface-name ipv4-address | hostname udp-port
This command is used on Cisco ASA to configure Network Secure Event Logging (NSEL) collector to which
NetFlow packets are sent. The destination keyword indicates that a NSEL collector is being configured.
+ The interface-name argument is the name of the ASA and ASA Services Module interface through which the
collector is reached.
+ The ipv4-address argument is the IP address of the machine running the collector application.
+ The hostname argument is the destination IP address or name of the collector.
+ The udp-port argument is the UDP port number to which NetFlow packets are sent.
You can configure a maximum of five collectors. After a collector is configured, template records are
automatically sent to all configured NSEL collectors.
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/
monitor_nsel.html
QUESTION 62
How many interfaces per bridge group does an ASA bridge group deployment support?
A. up to 2
B. up to 4
C. up to 8
D. up to 16
Correct Answer: B
Section: (none)
Explanation
Explanation
Each of the ASAs interfaces need to be grouped into one or more bridge groups. Each of these groups acts as
an independent transparent firewall. It is not possible for one bridge group to communicate with another bridge
group without assistance from an external router.
As of 8.4(1) upto 8 bridge groups are supported with 2-4 interface in each group. Prior to this only one bridge
group was supported and only 2 interfaces.
Up to 4 interfaces are permitted per bridge–group (inside, outside, DMZ1, DMZ2)
QUESTION 63
Which two application layer preprocessors are used by Firepower Next Generation Intrusion Prevention
System? (Choose two)
A. packet decoder
B. SIP
C. modbus
D. inline normalization
E. SSL
Correct Answer: BE
Section: (none)
Explanation
Explanation
Application layer protocols can represent the same data in a variety of ways. The Firepower System provides
application layer protocol decoders that normalize specific types of packet data into formats that the intrusion
rules engine can analyze. Normalizing application-layer protocol encodings allows the rules engine to effectively
apply the same content-related rules to packets whose data is represented differently and obtain meaningful
results.
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-
v60/Application_Layer_Preprocessors.html#ID-2244-0000080c
FirePower uses many preprocessors, including DNS, FTP/Telnet, SIP, SSL, SMTP, SSH preprocessors.
QUESTION 64
Which two features of Cisco Email Security can protect your organization against email threats? (Choose two)
A. Time-based one-time passwords

B. Data loss prevention
C. Heuristic-based filtering
D. Geolocation-based filtering
E. NetFlow
Correct Answer: BD
Section: (none)
Explanation
Explanation
Protect sensitive content in outgoing emails with Data Loss Prevention (DLP) and easy-to-use email
encryption, all in one solution.
Cisco Email Security appliance can now handle incoming mail connections and incoming messages from
specific geolocations and perform appropriate actions on them, for example:
– Prevent email threats coming from specific geographic regions.
– Allow or disallow emails coming from specific geographic regions.
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-0/user_guide_fs/
b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_00.html
QUESTION 65
Why would a user choose an on-premises ESA versus the CES solution?
A. Sensitive data must remain onsite.

B. Demand is unpredictable.
C. The server team wants to outsource this service.
D. ESA is deployed inline.
Correct Answer: A
Section: (none)
Explanation
QUESTION 66
Which two features are used to configure Cisco ESA with a multilayer approach to fight viruses and malware?
(Choose two)
A. Sophos engine
B. white list
C. RAT
D. outbreak filters
E. DLP
Correct Answer: AD
Section: (none)
Explanation
QUESTION 67
What is the purpose of the Decrypt for Application Detection feature within the WSA Decryption options?
A. It decrypts HTTPS application traffic for unauthenticated users.

B. It alerts users when the WSA decrypts their traffic.
C. It decrypts HTTPS application traffic for authenticated users.
D. It provides enhanced HTTPS application detection for AsyncOS.
Correct Answer: D
Section: (none)
Explanation
QUESTION 68
Which two statements about a Cisco WSA configured in Transparent mode are true? (Choose two)
A. It can handle explicit HTTP requests.

B. It requires a PAC file for the client web browser.
C. It requires a proxy for the client web browser.
D. WCCP v2-enabled devices can automatically redirect traffic destined to port 80.
E. Layer 4 switches can automatically redirect traffic destined to port 80.
Correct Answer: DE
Section: (none)
Explanation
QUESTION 69
Which action controls the amount of URI text that is stored in Cisco WSA logs files?
A. Configure the datasecurityconfig command

B. Configure the advancedproxyconfig command with the HTTPS subcommand
C. Configure a small log-entry size.
D. Configure a maximum packet size.
Correct Answer: B
Section: (none)
Explanation
QUESTION 70
An engineer is configuring a Cisco ESA and wants to control whether to accept or reject email messages to a
recipient address. Which list contains the allowed recipient addresses?
A. SAT
B. BAT
C. HAT
D. RAT
Correct Answer: D
Section: (none)
Explanation
QUESTION 71
Which two services must remain as on-premises equipment when a hybrid email solution is deployed? (Choose
two)
A. DDoS
B. antispam
C. antivirus
D. encryption
E. DLP
Correct Answer: DE
Section: (none)
Explanation
Explanation
Cisco Hybrid Email Security is a unique service offering that combines a cloud-based email security deployment
with an appliance-based email security deployment (on premises) to provide maximum choice and control for
your organization. The cloud-based infrastructure is typically used for inbound email cleansing, while the on-
premises appliances provide granular control – protecting sensitive information with data loss
prevention (DLP) and encryption technologies.
Reference: https://www.cisco.com/c/dam/en/us/td/docs/security/ces/overview_guide/
Cisco_Cloud_Hybrid_Email_Security_Overview_Guide.pdf
QUESTION 72
Which Talos reputation center allows you to track the reputation of IP addresses for email and web traffic?
A. IP Blacklist Center
B. File Reputation Center
C. AMP Reputation Center
D. IP and Domain Reputation Center
Correct Answer: D
Section: (none)
Explanation
Explanation
Talos’ IP and Domain Data Center is the world’s most comprehensive real-time threat detection network. The
data is made up of daily security intelligence across millions of deployed web, email, firewall and IPS
appliances. Talos detects and correlates threats in real time using the largest threat detection network in the
world spanning web requests, emails, malware samples, open-source data sets, endpoint intelligence, and
network intrusions. The Email and Web Traffic Reputation Center is able to transform some of Talos’ data into
actionable threat intelligence and tools to improve your security posture.
QUESTION 73
Which proxy mode must be used on Cisco WSA to redirect TCP traffic with WCCP?
A. transparent
B. redirection
C. forward
D. proxy gateway
Correct Answer: A
Section: (none)
Explanation
Explanation
There are two possible methods to accomplish the redirection of traffic to Cisco WSA: transparent proxy mode
and explicit proxy mode.
In a transparent proxy deployment, a WCCP v2-capable network device redirects all TCP traffic with a
destination of port 80 or 443 to Cisco WSA, without any configuration on the client. The transparent proxy
deployment is used in this design, and the Cisco ASA firewall is used to redirect traffic to the appliance because
all of the outbound web traffic passes through the device and is generally managed by the same operations
staff who manage Cisco WSA.
Reference: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2013/CVD-
WebSecurityUsingCiscoWSADesignGuide-AUG13.pdf
QUESTION 74
After deploying a Cisco ESA on your network, you notice that some messages fail to reach their destinations.
Which task can you perform to determine where each message was lost?
A. Configure the trackingconfig command to enable message tracking.

B. Generate a system report.
C. Review the log files.
D. Perform a trace.
Correct Answer: A
Section: (none)
Explanation
Explanation
Message tracking helps resolve help desk calls by giving a detailed view of message flow. For example, if a
message was not delivered as expected, you can determine if it was found to contain a virus or placed in a
spam quarantine — or if it is located somewhere else in the mail stream.
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/
b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_011110.html
QUESTION 75
What is the primary benefit of deploying an ESA in hybrid mode?
A. You can fine-tune its settings to provide the optimum balance between security and performance for your
environment
B. It provides the lowest total cost of ownership by reducing the need for physical appliances
C. It provides maximum protection and control of outbound messages
D. It provides email security while supporting the transition to the cloud
Correct Answer: D
Section: (none)
Explanation
Explanation
Cisco Hybrid Email Security is a unique service offering that facilitates the deployment of your email security
infrastructure both on premises and in the cloud. You can change the number of on-premises versus cloud
users at any time throughout the term of your contract, assuming the total number of users does not change.
This allows for deployment flexibility as your organization’s needs change.
QUESTION 76
What is the primary role of the Cisco Email Security Appliance?
A. Mail Submission Agent

B. Mail Transfer Agent
C. Mail Delivery Agent
D. Mail User Agent
Correct Answer: B
Section: (none)
Explanation
Explanation
Cisco Email Security Appliance (ESA) protects the email infrastructure and employees who use email at work
by filtering unsolicited and malicious email before it reaches the user. Cisco ESA easily integrates into existing
email infrastructures with a high degree of flexibility. It does this by acting as a Mail Transfer Agent (MTA) within
the email-delivery chain. Another name for an MTA is a mail relay.
Reference: https://www.cisco.com/c/dam/en/us/td/docs/solutions/SBA/February2013/
Cisco_SBA_BN_EmailSecurityUsingCiscoESADeploymentGuide-Feb2013.pdf
QUESTION 77
Which technology is used to improve web traffic performance by proxy caching?
A. WSA
B. Firepower
C. FireSIGHT
D. ASA
Correct Answer: A
Section: (none)
Explanation
QUESTION 78
In which two ways does a system administrator send web traffic transparently to the Web Security Appliance?
(Choose two)
A. configure Active Directory Group Policies to push proxy settings

B. configure policy-based routing on the network infrastructure
C. reference a Proxy Auto Config file
D. configure the proxy IP address in the web-browser settings
E. use Web Cache Communication Protocol
Correct Answer: CE
Section: (none)
Explanation
QUESTION 79
Which technology reduces data loss by identifying sensitive information stored in public computing
environments?
A. Cisco SDA
B. Cisco Firepower
C. Cisco HyperFlex
D. Cisco Cloudlock
Correct Answer: D
Section: (none)
Explanation
QUESTION 80
Which deployment model is the most secure when considering risks to cloud adoption?
A. Public Cloud
B. Hybrid Cloud
C. Community Cloud
D. Private Cloud
Correct Answer: D
Section: (none)
Explanation
QUESTION 81
In which cloud services model is the tenant responsible for virtual machine OS patching?
A. IaaS
B. UCaaS
C. PaaS
D. SaaS
Correct Answer: A
Section: (none)
Explanation
Explanation
Only in On-site (on-premises) and IaaS we (tenant) manage O/S (Operating System).
QUESTION 82
Which cloud service model offers an environment for cloud consumers to develop and deploy applications
without needing to manage or maintain the underlying cloud infrastructure?
A. PaaS
B. XaaS
C. IaaS
D. SaaS
Correct Answer: A
Section: (none)
Explanation
Explanation
Cloud computing can be broken into the following three basic models:
+ Infrastructure as a Service (IaaS): IaaS describes a cloud solution where you are renting infrastructure. You
purchase virtual power to execute your software as needed. This is much like running a virtual server on your
own equipment, except you are now running a virtual server on a virtual disk. This model is similar to a utility
company model because you pay for what you use.
+ Platform as a Service (PaaS): PaaS provides everything except applications. Services provided by this
model include all phases of the system development life cycle (SDLC) and can use application programming
interfaces (APIs), website portals, or gateway software. These solutions tend to be proprietary, which can cause
problems if the customer moves away from the provider’s platform.
+ Software as a Service (SaaS): SaaS is designed to provide a complete packaged solution. The software is
rented out to the user. The service is usually provided through some type of front end or web portal. While the
end user is free to use the service from anywhere, the company pays a peruse fee.
Reference: CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide
QUESTION 83
What does the Cloudlock Apps Firewall do to mitigate security concerns from an application perspective?
A. It allows the administrator to quarantine malicious files so that the application can function, just not
maliciously.
B. It discovers and controls cloud apps that are connected to a company’s corporate environment.
C. It deletes any application that does not belong in the network.
D. It sends the application information to an administrator to act on.
Correct Answer: B
Section: (none)
Explanation
QUESTION 84
Which solution protects hybrid cloud deployment workloads with application visibility and segmentation?
A. Nexus
B. Stealthwatch
C. Firepower
D. Tetration
Correct Answer: D
Section: (none)
Explanation
QUESTION 85
In a PaaS model, which layer is the tenant responsible for maintaining and patching?
A. hypervisor
B. virtual machine
C. network
D. application
Correct Answer: D
Section: (none)
Explanation
QUESTION 86
On which part of the IT environment does DevSecOps focus?
A. application development
B. wireless network
C. data center
D. perimeter network
Correct Answer: A
Section: (none)
Explanation
QUESTION 87
What is the function of Cisco Cloudlock for data security?
A. data loss prevention

B. controls malicious cloud apps
C. detects anomalies
D. user and entity behavior analytics
Correct Answer: A
Section: (none)
Explanation
QUESTION 88
An administrator wants to ensure that all endpoints are compliant before users are allowed access on the
corporate network. The endpoints must have the corporate antivirus application installed and be running the
latest build of Windows 10.
What must the administrator implement to ensure that all devices are compliant before they are allowed on the
network?
A. Cisco Identity Services Engine and AnyConnect Posture module

B. Cisco Stealthwatch and Cisco Identity Services Engine integration
C. Cisco ASA firewall with Dynamic Access Policies configured
D. Cisco Identity Services Engine with PxGrid services enabled
Correct Answer: A
Section: (none)
Explanation
QUESTION 89
An engineer must force an endpoint to re-authenticate an already authenticated session without disrupting the
endpoint to apply a new or updated policy from ISE. Which CoA type achieves this goal?
A. Port Bounce
B. CoA Terminate
C. CoA Reauth
D. CoA Session Query
Correct Answer: C
Section: (none)
Explanation
QUESTION 90
Which two probes are configured to gather attributes of connected endpoints using Cisco Identity Services
Engine? (Choose two)
A. RADIUS
B. TACACS+
C. DHCP
D. sFlow
E. SMTP
Correct Answer: AC
Section: (none)
Explanation
QUESTION 91
Which ID store requires that a shadow user be created on Cisco ISE for the admin login to work?
A. RSA SecureID
B. Internal Database
C. Active Directory
D. LDAP
Correct Answer: C
Section: (none)
Explanation
QUESTION 92
An engineer used a posture check on a Microsoft Windows endpoint and discovered that the MS17-010 patch
was not installed, which left the endpoint vulnerable to WannaCry ransomware. Which two solutions mitigate
the risk of this ransom ware infection? (Choose two)
A. Configure a posture policy in Cisco Identity Services Engine to install the MS17-010 patch before allowing
access on the network.
B. Set up a profiling policy in Cisco Identity Service Engine to check and endpoint patch level before allowing
access on the network.
C. Configure a posture policy in Cisco Identity Services Engine to check that an endpoint patch level is met
before allowing access on the network.
D. Configure endpoint firewall policies to stop the exploit traffic from being allowed to run and replicate
throughout the network.
E. Set up a well-defined endpoint patching strategy to ensure that endpoints have critical vulnerabilities
patched in a timely fashion.
Correct Answer: AC
Section: (none)
Explanation
Explanation
A posture policy is a collection of posture requirements, which are associated with one or more identity groups,
and operating systems. We can configure ISE to check for the Windows patch at Work Centers > Posture >
Posture Elements > Conditions > File.
In this example, we are going to use the predefined file check to ensure that our Windows 10 clients have the
critical security patch installed to prevent the Wanna Cry malware.
Reference: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-
p/3680273
QUESTION 93
Which feature of Cisco ASA allows VPN users to be postured against Cisco ISE without requiring an inline
posture node?
A. RADIUS Change of Authorization

B. device tracking
C. DHCP snooping
D. VLAN hopping
Correct Answer: A
Section: (none)
Explanation
QUESTION 94
What two mechanisms are used to redirect users to a web portal to authenticate to ISE for guest services?
(Choose two)
A. multiple factor auth

B. local web auth
C. single sign-on
D. central web auth
E. TACACS+
Correct Answer: BD
Section: (none)
Explanation
QUESTION 95
For which two conditions can an endpoint be checked using ISE posture assessment? (Choose two)
A. Windows service
B. computer identity
C. user identity
D. Windows firewall
E. default browser
Correct Answer: AD
Section: (none)
Explanation
QUESTION 96
Which compliance status is shown when a configured posture policy requirement is not met?
A. compliant
B. unknown
C. authorized
D. noncompliant
Correct Answer: D
Section: (none)
Explanation
Explanation
Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also
known as posture, of all the endpoints that are connecting to a network for compliance with corporate security
policies.
A posture policy is a collection of posture requirements that are associated with one or more identity groups and
operating systems.
Posture-policy requirements can be set to mandatory, optional, or audit types in posture policies.
+ If a mandatory requirement fails, the user will be moved to Non-Compliant state
+ If an optional requirement fails, the user is allowed to skip the specified optional requirements and the user
is moved to Compliant state
This Qdid not clearly specify the type of posture policy requirement (mandatory or optional) is not met so the
user can be in Non-compliant or compliant state. But “noncompliant” is the best answer here.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/
b_ise_admin_guide_sample_chapter_010111.html
QUESTION 97
Which benefit is provided by ensuring that an endpoint is compliant with a posture policy configured in Cisco
ISE?
A. It allows the endpoint to authenticate with 802.1x or MAB.

B. It verifies that the endpoint has the latest Microsoft security patches installed.
C. It adds endpoints to identity groups dynamically.
D. It allows CoA to be applied if the endpoint status is compliant.
Correct Answer: A
Section: (none)
Explanation
QUESTION 98
Which IPS engine detects ARP spoofing?
A. Atomic ARP Engine

B. Service Generic Engine
C. ARP Inspection Engine
D. AIC Engine
Correct Answer: A
Section: (none)
Explanation
QUESTION 99
What is a characteristic of Dynamic ARP Inspection?
A. DAI determines the validity of an ARP packet based on valid IP to MAC address bindings from the DHCP
snooping binding database.
B. In a typical network, make all ports as trusted except for the ports connecting to switches, which are
untrusted
C. DAI associates a trust state with each switch.
D. DAI intercepts all ARP requests and responses on trusted ports only.
Correct Answer: A
Section: (none)
Explanation
QUESTION 100
What is a characteristic of traffic storm control behavior?
A. Traffic storm control drops all broadcast and multicast traffic if the combined traffic exceeds the level within
the interval.
B. Traffic storm control cannot determine if the packet is unicast or broadcast.
C. Traffic storm control monitors incoming traffic levels over a 10-second traffic storm control interval.
D. Traffic storm control uses the Individual/Group bit in the packet source address to determine if the packet is
unicast or broadcast.
Correct Answer: A
Section: (none)
Explanation
QUESTION 101
A malicious user gained network access by spoofing printer connections that were authorized using MAB on
four different switch ports at the same time. What two catalyst switch security features will prevent further
violations? (Choose two)
A. DHCP Snooping
B. 802.1AE MacSec
C. Port security
D. IP Device track
E. Dynamic ARP inspection
F. Private VLANs
Correct Answer: AE
Section: (none)
Explanation
QUESTION 102
Which command enables 802.1X globally on a Cisco switch?
A. dot1x system-auth-control
B. dot1x pae authenticator
C. authentication port-control aut
D. aaa new-model
Correct Answer: A
Section: (none)
Explanation
QUESTION 103
Which RADIUS attribute can you use to filter MAB requests in an 802.1 x deployment?
A. 1
B. 2
C. 6
D. 31
Correct Answer: C
Section: (none)
Explanation
Explanation
Because MAB uses the MAC address as a username and password, you should make sure that the RADIUS
server can differentiate MAB requests from other types of requests for network access. This precaution will
prevent other clients from attempting to use a MAC address as a valid credential. Cisco switches uniquely
identify MAB requests by setting Attribute 6 (Service-Type) to 10 (Call-Check) in a MAB Access-Request
message. Therefore, you can use Attribute 6 to filter MAB requests at the RADIUS server.
Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-
services/config_guide_c17-663759.html
QUESTION 104
A network administrator configures Dynamic ARP Inspection on a switch. After Dynamic ARP Inspection is
applied, all users on that switch are unable to communicate with any destination. The network administrator
checks the interface status of all interfaces, and there is no err-disabled interface. What is causing this
problem?
A. DHCP snooping has not been enabled on all VLANs.

B. The ip arp inspection limit command is applied on all interfaces and is blocking the traffic of all users.
C. Dynamic ARP Inspection has not been enabled on all VLANs
D. The no ip arp inspection trust command is applied on all user host interfaces
Correct Answer: D
Section: (none)
Explanation
Explanation
Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It intercepts, logs,
and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from
certain man-in-the-middle attacks. After enabling DAI, all ports become untrusted ports.
QUESTION 105
SwitchA(config)#interface gigabitethernet1/0/1
SwitchA(config-if)#dot1x host-mode multi-host
SwitchA(config-if)#dot1x timeout quiet-period 3
SwitchA(config-if)#dot1x timeout tx-period 15
SwitchA(config-if)#authentication port-control
auto
SwitchA(config-if)#switchport mode access
SwitchA(config-if)#switchport access vlan 12
An engineer configured wired 802.1x on the network and is unable to get a laptop to authenticate. Which port
configuration is missing?
A. authentication open
B. dotlx reauthentication
C. cisp enable
D. dot1x pae authenticator
Correct Answer: D
Section: (none)
Explanation
QUESTION 106
Which SNMPv3 configuration must be used to support the strongest security possible?
A. asa-host(config)#snmp-server group myv3 v3 priv

asa-host(config)#snmp-server user andy myv3 auth sha cisco priv des ciscXXXXXXXX
asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
B. asa-host(config)#snmp-server group myv3 v3 noauth
asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX
C. asa-host(config)#snmpserver group myv3 v3 noauth
asa-host(config)#snmp-server user andy myv3 auth sha cisco priv 3des ciscXXXXXXXX
D. asa-host(config)#snmp-server group myv3 v3 priv
asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX
Correct Answer: D
Section: (none)
Explanation
QUESTION 107
Refer to the exhibit. Which command was used to generate this output and to show which ports are
authenticating with dot1x or mab?
A. show authentication registrations
B. show authentication method
C. show dot1x all
D. show authentication sessions
Correct Answer: D
Section: (none)
Explanation
QUESTION 108
What Cisco command shows you the status of an 802.1X connection on interface gi0/1?
A. show authorization status

B. show authen sess int gi0/1
C. show connection status gi0/1
D. show ver gi0/1
Correct Answer: B
Section: (none)
Explanation
QUESTION 109
Refer to the exhibit. What does the number 15 represent in this configuration?
snmp-server group SNMP v3 auth access
15
A. privilege level for an authorized user to this router

B. access list that identifies the SNMP devices that can access the router
C. interval in seconds between SNMPv3 authentication attempts
D. number of possible failed attempts until the SNMPv3 user is locked out
Correct Answer: B
Section: (none)
Explanation
Explanation
The syntax of this command is shown below:
snmp-server group [group-name {v1 | v2c | v3 [auth | noauth | priv]}] [read read-view] [write write-view]
[notify notify-view] [access access-list]
The command above restricts which IP source addresses are allowed to access SNMP functions on the router.
You could restrict SNMP access by simply applying an interface ACL to block incoming SNMP packets that
don’t come from trusted servers. However, this would not be as effective as using the global SNMP commands
shown in this recipe. Because you can apply this method once for the whole router, it is much simpler than
applying ACLs to block SNMP on all interfaces separately. Also, using interface ACLs would block not only
SNMP packets intended for this router, but also may stop SNMP packets that just happened to be passing
through on their way to some other destination device.
QUESTION 110
Under which two circumstances is a CoA issued? (Choose two)
A. A new authentication rule was added to the policy on the Policy Service node.
B. An endpoint is deleted on the Identity Service Engine server.
C. A new Identity Source Sequence is created and referenced in the authentication policy.
D. An endpoint is profiled for the first time.
E. A new Identity Service Engine server is added to the deployment with the Administration persona
Correct Answer: BD
Section: (none)
Explanation
Explanation
The profiling service issues the change of authorization in the following cases:
– Endpoint deleted—When an endpoint is deleted from the Endpoints page and the endpoint is disconnected
or removed from the network.
An exception action is configured—If you have an exception action configured per profile that leads to an
unusual or an unacceptable event from that endpoint. The profiling service moves the endpoint to the
corresponding static profile by issuing a CoA.
– An endpoint is profiled for the first time—When an endpoint is not statically assigned and profiled for the
first time; for example, the profile changes from an unknown to a known profile.
+ An endpoint identity group has changed—When an endpoint is added or removed from an endpoint identity
group that is used by an authorization policy.
The profiling service issues a CoA when there is any change in an endpoint identity group, and the endpoint
identity group is used in the authorization policy for the following:
++ The endpoint identity group changes for endpoints when they are dynamically profiled
++ The endpoint identity group changes when the static assignment flag is set to true for a dynamic endpoint
– An endpoint profiling policy has changed and the policy is used in an authorization policy—When an endpoint
profiling policy changes, and the policy is included in a logical profile that is used in an authorization policy. The
endpoint profiling policy may change due to the profiling policy match or when an endpoint is statically assigned
to an endpoint profiling policy, which is associated to a logical profile. In both the cases, the profiling service
issues a CoA, only when the endpoint profiling policy is used in an authorization policy.
b_ise_admin_guide_20_chapter_010100.html
QUESTION 111
HQ_Router(config)#username admin5 privilege 5
HQ_Router(config)#privilege interface level 5
shutdown
HQ_Router(config)#privilege interface level 5 ip
HQ_Router(config)#privilege interface level 5
description
A network administrator configures command authorization for the admin5 user. What is the admin5 user able
to do on HQ_Router after this configuration?
A. set the IP address of an interface

B. complete no configurations
C. complete all configurations
D. add subinterfaces
Correct Answer: B
Section: (none)
Explanation
Explanation
The user “admin5” was configured with privilege level 5. In order to allow configuration (enter global
configuration mode), we must type this command:
(config)#privilege exec level 5 configure terminal
Without this command, this user cannot do any configuration.
Note: Cisco IOS supports privilege levels from 0 to 15, but the privilege levels which are used by default are
privilege level 1 (user EXEC) and level privilege 15 (privilege EXEC).
QUESTION 112
A network engineer has entered the snmp-server user andy myv3 auth sha cisco priv aes 256
cisc0380739941 command and needs to send SNMP information to a host at 10.255.254.1. Which command
achieves this goal?
A. snmp-server host inside 10.255.254.1 version 3 andy

B. snmp-server host inside 10.255.254.1 version 3 myv3
C. snmp-server host inside 10.255.254.1 snmpv3 andy
D. snmp-server host inside 10.255.254.1 snmpv3 myv3
Correct Answer: A
Section: (none)
Explanation
Explanation
The command “snmp-server user user-name group-name [remote ip-address [udp-port port]] {v1 | v2c | v3
[encrypted] [auth {md5 | sha} auth-password]} [access access-list]” adds a new user (in this case “andy”) to an
SNMPv3 group (in this case group name “myv3”) and configures a password for the user.
In the “snmp-server host” command, we need to:
+ Specify the SNMP version with key word “version {1 | 2 | 3}”
+ Specify the username (“andy”), not group name (“myv3”).
Note: In “snmp-server host inside …” command, “inside” is the interface name of the ASA interface through
which the NMS (located at 10.255.254.1) can be reached.
QUESTION 113
Which telemetry data captures variations seen within the flow, such as the packets TTL, IP/TCP flags, and
payload length?
A. interpacket variation
B. software package variation
C. flow insight variation
D. process details variation
Correct Answer: A
Section: (none)
Explanation
Explanation
The telemetry information consists of three types of data:
+ Flow information: This information contains details about endpoints, protocols, ports, when the flow started,
how long the flow was active, etc.
+ Interpacket variation: This information captures any interpacket variations within the flow. Examples include
variation in Time To Live (TTL), IP and TCP flags, payload length, etc
+ Context details: Context information is derived outside the packet header. It includes details about variation in
buffer utilization, packet drops within a flow, association with tunnel endpoints, etc.
Reference: https://www.cisco.com/c/dam/global/en_uk/products/switches/
cisco_nexus_9300_ex_platform_switches_white_paper_uki.pdf
QUESTION 114
How is ICMP used an exfiltration technique?
A. by flooding the destination host with unreachable packets

B. by sending large numbers of ICMP packets with a targeted hosts source IP address using an IP broadcast
address
C. by encrypting the payload in an ICMP packet to carry out command and control tasks on a compromised
host
D. by overwhelming a targeted host with ICMP echo-request packets
Correct Answer: C
Section: (none)
Explanation
QUESTION 115
Which exfiltration method does an attacker use to hide and encode data inside DNS requests and queries?
A. DNS tunneling
B. DNSCrypt
C. DNS security
D. DNSSEC
Correct Answer: A
Section: (none)
Explanation
Explanation
DNS Tunneling is a method of cyber attack that encodes the data of other programs or protocols in DNS
queries and responses. DNS tunneling often includes data payloads that can be added to an attacked DNS
server and used to control a remote server and applications.
QUESTION 116
How is DNS tunneling used to exfiltrate data out of a corporate network?
A. It corrupts DNS servers by replacing the actual IP address with a rogue address to collect information or
start other attacks.
B. It encodes the payload with random characters that are broken into short strings and the DNS server
rebuilds the exfiltrated data.
C. It redirects DNS requests to a malicious server used to steal user credentials, which allows further damage
and theft on the network.
D. It leverages the DNS server by permitting recursive lookups to spread the attack to other DNS servers.
Correct Answer: B
Section: (none)
Explanation
Explanation
Domain name system (DNS) is the protocol that translates human-friendly URLs, such as securitytut.com, into
IP addresses, such as 183.33.24.13. Because DNS messages are only used as the beginning of each
communication and they are not intended for data transfer, many organizations do not monitor their DNS traffic
for malicious activity. As a result, DNS-based attacks can be effective if launched against their networks. DNS
tunneling is one such attack.
An example of DNS Tunneling is shown below:
1. The attacker incorporates one of many open-source DNS tunneling kits into an authoritative DNS
nameserver (NS) and malicious payload.
2. An IP address (e.g. 1.2.3.4) is allocated from the attacker’s infrastructure and a domain name (e.g.
attackerdomain.com) is registered or reused. The registrar informs the top-level domain (.com) nameservers to
refer requests for attackerdomain.com to ns.attackerdomain.com, which has a DNS record mapped to 1.2.3.4
3. The attacker compromises a system with the malicious payload. Once the desired data is obtained, the
payload encodes the data as a series of 32 characters (0-9, A-Z) broken into short strings (3KJ242AIE9,
P028X977W,…).
4. The payload initiates thousands of unique DNS record requests to the attacker’s domain with each string as
a part of the domain name (e.g. 3KJ242AIE9.attackerdomain.com). Depending on the attacker’s patience and
stealth, requests can be spaced out over days or months to avoid suspicious network activity.
5. The requests are forwarded to a recursive DNS resolver. During resolution, the requests are sent to the
attacker’s authoritative DNS nameserver,
6. The tunneling kit parses the encoded strings and rebuilds the exfiltrated data.
Reference: https://learn-umbrella.cisco.com/i/775902-dns-tunneling/0
QUESTION 117
Which two characteristics of messenger protocols make data exfiltration difficult to detect and prevent?
(Choose two)
A. Outgoing traffic is allowed so users can communicate with outside organizations.

B. Malware infects the messenger application on the user endpoint to send company data.
C. Traffic is encrypted, which prevents visibility on firewalls and IPS systems.
D. An exposed API for the messaging platform is used to send large amounts of data.
E. Messenger applications cannot be segmented with standard network controls.
Correct Answer: CE
Section: (none)
Explanation
QUESTION 118
Which Cisco AMP file disposition valid?
A. pristine
B. malware
C. dirty
D. non malicious
Correct Answer: B
Section: (none)
Explanation
QUESTION 119
When using Cisco AMP for Networks which feature copies a file to the Cisco AMP cloud for analysis?
A. Spero analysis
B. dynamic analysis
C. sandbox analysis
D. malware analysis
Correct Answer: B
Section: (none)
Explanation
Explanation
Spero analysis examines structural characteristics such as metadata and header information in executable
files. After generating a Spero signature based on this information, if the file is an eligible executable file, the
device submits it to the Spero heuristic engine in the AMP cloud. Based on the Spero signature, the Spero
engine determines whether the file is malware.
v60/Reference_a_wrapper_Chapter_topic_here.html
-> Spero analysis only uploads the signature of the (executable) files to the AMP cloud. It does not upload the
whole file. Dynamic analysis sends files to AMP ThreatGrid.
Dynamic Analysis submits (the whole) files to Cisco Threat Grid (formerly AMP Threat Grid). Cisco Threat
Grid runs the file in a sandbox environment, analyzes the file’s behavior to determine whether the file is
malicious, and returns a threat score that indicates the likelihood that a file contains malware. From the threat
score, you can view a dynamic analysis summary report with the reasons for the assigned threat score. You
can also look in Cisco Threat Grid to view detailed reports for files that your organization submitted, as well as
scrubbed reports with limited data for files that your organization did not submit.
Local malware analysis allows a managed device to locally inspect executables, PDFs, office documents, and
other types of files for the most common types of malware, using a detection rule set provided by the Cisco
Talos Security Intelligence and Research Group (Talos). Because local analysis does not query the AMP cloud,
and does not run the file, local malware analysis saves time and system resources. -> Malware analysis does
not upload files to anywhere, it only checks the files locally.
There is no sandbox analysis feature, it is just a method of dynamic analysis that runs suspicious files in a
virtual machine.
QUESTION 120
Which Cisco Advanced Malware protection for Endpoints deployment architecture is designed to keep data
within a network perimeter?
A. cloud web services

B. network AMP
C. private cloud
D. public cloud
Correct Answer: C
Section: (none)
Explanation
QUESTION 121
Which capability is exclusive to a Cisco AMP public cloud instance as compared to a private cloud instance?
A. RBAC
B. ETHOS detection engine
C. SPERO detection engine
D. TETRA detection engine
Correct Answer: B
Section: (none)
Explanation
QUESTION 122
An engineer is configuring AMP for endpoints and wants to block certain files from executing. Which outbreak
control method is used to accomplish this task?
A. device flow correlation

B. simple detections
C. application blocking list
D. advanced custom detections
Correct Answer: C
Section: (none)
Explanation
QUESTION 123
Which function is the primary function of Cisco AMP threat Grid?
A. automated email encryption

B. applying a real-time URI blacklist
C. automated malware analysis
D. monitoring network traffic
Correct Answer: C
Section: (none)
Explanation
QUESTION 124
What are two list types within AMP for Endpoints Outbreak Control? (Choose two)
A. blocked ports
B. simple custom detections
C. command and control
D. allowed applications
E. URL
Correct Answer: BD
Section: (none)
Explanation
Explanation
Advanced Malware Protection (AMP) for Endpoints offers a variety of lists, referred to as Outbreak Control, that
allow you to customize it to your needs. The main lists are: Simple Custom Detections, Blocked Applications,
Allowed Applications, Advanced Custom Detections, and IP Blocked and Allowed Lists.
A Simple Custom Detection list is similar to a blocked list. These are files that you want to detect and
quarantine.
Allowed applications lists are for files you never want to convict. Some examples are a custom application
that is detected by a generic engine or a standard image that you use throughout the company
Reference: https://docs.amp.cisco.com/AMP%20for%20Endpoints%20User%20Guide.pdf
QUESTION 125
What is a required prerequisite to enable malware file scanning for the Secure Internet Gateway?
A. Enable IP Layer enforcement.

B. Activate the Advanced Malware Protection license
C. Activate SSL decryption.
D. Enable Intelligent Proxy.
Correct Answer: D
Section: (none)
Explanation
QUESTION 126
When wired 802.1X authentication is implemented, which two components are required? (Choose two)
A. authentication server: Cisco Identity Service Engine

B. supplicant: Cisco AnyConnect ISE Posture module
C. authenticator: Cisco Catalyst switch
D. authenticator: Cisco Identity Services Engine
E. authentication server: Cisco Prime Infrastructure
Correct Answer: AC
Section: (none)
Explanation
QUESTION 127
Refer to the exhibit. Which command was used to display this output?
A. show dot1x all

B. show dot1x
C. show dot1x all summary
D. show dot1x interface gi1/0/12
Correct Answer: A
Section: (none)
Explanation
QUESTION 128
Refer to the exhibit. Which statement about the authentication protocol used in the configuration is true?
aaa new-model
radius-server host 10.0.0.12 key
secret12
A. The authentication request contains only a password

B. The authentication request contains only a username
C. The authentication and authorization requests are grouped in a single packet
D. There are separate authentication and authorization request packets
Correct Answer: C
Section: (none)
Explanation
Explanation
This command uses RADIUS which combines authentication and authorization in one function (packet).
QUESTION 129
An engineer needs a solution for TACACS+ authentication and authorization for device administration.
The engineer also wants to enhance wired and wireless network security by requiring users and endpoints to
use 802.1X, MAB, or WebAuth. Which product meets all of these requirements?
A. Cisco Prime Infrastructure

B. Cisco Identity Services Engine
C. Cisco Stealthwatch
D. Cisco AMP for Endpoints
Correct Answer: B
Section: (none)
Explanation
QUESTION 130
Which Cisco command enables authentication, authorization, and accounting globally so that CoA is supported
on the device?
A. aaa server radius dynamic-author

B. aaa new-model
C. auth-type all
D. ip device-tracking
Correct Answer: B
Section: (none)
Explanation
QUESTION 131
An MDM provides which two advantages to an organization with regards to device management? (Choose two)
A. asset inventory management

B. allowed application management
C. Active Directory group policy management
D. network device management
E. critical device management
Correct Answer: AB
Section: (none)
Explanation
QUESTION 132
Which Cisco product provides proactive endpoint protection and allows administrators to centrally manage the
deployment?
A. NGFW
B. AMP
C. WSA
D. ESA
Correct Answer: B
Section: (none)
Explanation
QUESTION 133
Which benefit does endpoint security provide the overall security posture of an organization?
A. It streamlines the incident response process to automatically perform digital forensics on the endpoint.
B. It allows the organization to mitigate web-based attacks as long as the user is active in the domain.
C. It allows the organization to detect and respond to threats at the edge of the network.
D. It allows the organization to detect and mitigate threats that the perimeter security devices do not detect.
Correct Answer: D
Section: (none)
Explanation
QUESTION 134
What are the two most commonly used authentication factors in multifactor authentication? (Choose two)
A. biometric factor
B. time factor
C. confidentiality factor
D. knowledge factor
E. encryption factor
Correct Answer: AD
Section: (none)
Explanation
Explanation
Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more
verification factors to gain access to a resource. MFA requires means of verification that unauthorized users
won’t have.
Proper multi-factor authentication uses factors from at least two different categories.
MFA methods:
+ Knowledge – usually a password – is the most commonly used tool in MFA solutions. However, despite their
simplicity, passwords have become a security problem and slow down productivity.
+ Physical factors – also called possession factors–use tokens, such as a USB dongle or a portable device,
that generate a temporary QR (quick response) code. Mobile phones are commonly used, as they have the
advantage of being readily available in most situations.
+ Inherent – This category includes biometrics like fingerprint, face, and retina scans. As technology advances,
it may also include voice ID or other behavioral inputs like keystroke metrics. Because inherent factors are
reliably unique, always present, and secure, this category shows promise.
+ Location-based and time-based – Authentication systems can use GPS coordinates, network parameters,
and metadata for the network in use, and device recognition for MFA. Adaptive authentication combines these
data points with historical or contextual user data.
A time factor in conjunction with a location factor could detect an attacker attempting to authenticate in Europe
when the user was last authenticated in California an hour prior, for example.
+ Time-based one-time password (TOTP) – This is generally used in 2FA but could apply to any MFA
method where a second step is introduced dynamically at login upon completing a first step. The wait for a
second step–in which temporary passcodes are sent by SMS or email–is usually brief, and the process is easy
to use for a wide range of users and devices. This method is currently widely used.
+ Social media – In this case a user grants permission for a website to use their social media username and
password for login. This provide an easy login process, and one generally available to all users.
+ Risk-based authentication – Sometimes called adaptive multi-factor authentication, this method combines
adaptive authentication and algorithms that calculate risk and observe the context of specific login requests.
The goal of this method is to reduce redundant logins and provide a more user-friendly workflow.
+ Push-based 2FA – Push-based 2FA improves on SMS and TOTP 2FA by adding additional layers of security
while improving ease of use. It confirms a user’s identity with multiple factors of authentication that other
methods cannot. Because push-based 2FA sends notifications through data networks like cellular or Wi-Fi,
users must have data access on their mobile devices to use the 2FA functionality.
Reference: https://www.cisco.com/c/en/us/products/security/what-is-multi-factor-authentication.html
The two most popular authentication factors are knowledge and inherent (including biometrics like fingerprint,
face, and retina scans. Biometrics is used commonly in mobile devices).
QUESTION 135
Which two kinds of attacks are prevented by multifactor authentication? (Choose two)
A. phishing
B. brute force
C. man-in-the-middle
D. DDOS
E. teardrop
Correct Answer: BC
Section: (none)
Explanation
QUESTION 136
What is the primary difference between an Endpoint Protection Platform and an Endpoint Detection and
Response?
A. EPP focuses on prevention, and EDR focuses on advanced threats that evade perimeter defenses.
B. EDR focuses on prevention, and EPP focuses on advanced threats that evade perimeter defenses.
C. EPP focuses on network security, and EDR focuses on device security.
D. EDR focuses on network security, and EPP focuses on device security.
Correct Answer: A
Section: (none)
Explanation
QUESTION 137
An engineer wants to automatically assign endpoints that have a specific OUI into a new endpoint group. Which
probe must be enabled for this type of profiling to work?
A. NetFlow
B. NMAP
C. SNMP
D. DHCP
Correct Answer: B
Section: (none)
Explanation
Explanation
Cisco ISE can determine the type of device or endpoint connecting to the network by performing “profiling.”
Profiling is done by using DHCP, SNMP, Span, NetFlow, HTTP, RADIUS, DNS, or NMAP scans to collect as
much metadata as possible to learn the device fingerprint.
NMAP (“Network Mapper”) is a popular network scanner which provides a lot of features. One of them is the
OUI (Organizationally Unique Identifier) information. OUI is the first 24 bit or 6 hexadecimal value of the MAC
address.
Note: DHCP probe cannot collect OUIs of endpoints. NMAP scan probe can collect these endpoint attributes:
+ EndPointPolicy
+ LastNmapScanCount
+ NmapScanCount
+ OUI
+ Operating-system
Reference: http://www.network-node.com/blog/2016/1/2/ise-20-profiling
QUESTION 138
What are two reasons for implementing a multifactor authentication solution such as Duo Security provide to an
organization? (Choose two)
A. flexibility of different methods of 2FA such as phone callbacks, SMS passcodes, and push notifications
B. single sign-on access to on-premises and cloud applications
C. integration with 802.1x security using native Microsoft Windows supplicant
D. secure access to on-premises and cloud applications
E. identification and correction of application vulnerabilities before allowing access to resources
Correct Answer: AD
Section: (none)
Explanation
Explanation
Two-factor authentication adds a second layer of security to your online accounts. Verifying your identity using a
second factor (like your phone or other mobile device) prevents anyone but you from logging in, even if they
know your password.
Note: Single sign-on (SSO) is a property of identity and access management that enables users to securely
authenticate with multiple applications and websites by logging in only once with just one set of credentials
(username and password). With SSO, the application or website that the user is trying to access relies on a
trusted third party to verify that users are who they say they are.
QUESTION 139
An engineer configured a new network identity in Cisco Umbrella but must verify that traffic is being routed
through the Cisco Umbrella network. Which action tests the routing?
A. Ensure that the client computers are pointing to the on-premises DNS servers.
B. Enable the Intelligent Proxy to validate that traffic is being routed correctly.
C. Add the public IP address that the client computers are behind to a Core Identity.
D. Browse to http://welcome.umbrella.com/ to validate that the new identity is working.
Correct Answer: D
Section: (none)
Explanation
QUESTION 140
Which feature within Cisco Umbrella allows for the ability to inspect secure HTTP traffic?
A. File Analysis
B. SafeSearch
C. SSL Decryption
D. Destination Lists
Correct Answer: C
Section: (none)
Explanation
Explanation
SSL Decryption is an important part of the Umbrella Intelligent Proxy. he feature allows the Intelligent Proxy to
go beyond simply inspecting normal URLs and actually proxy and inspect traffic that’s sent over HTTPS. The
SSL Decryption feature does require the root certificate be installed.
Reference: https://support.umbrella.com/hc/en-us/articles/115004564126-SSL-Decryption-in-the-Intelligent-
Proxy
QUESTION 141
How is Cisco Umbrella configured to log only security events?
A. per policy
B. in the Reporting settings
C. in the Security Settings section
D. per network in the Deployments section
Correct Answer: A
Section: (none)
Explanation
Explanation
The logging of your identities’ activities is set per-policy when you first create a policy. By default, logging is on
and set to log all requests an identity makes to reach destinations. At any time after you create a policy, you can
change what level of identity activity Umbrella logs.
From the Policy wizard, log settings are:
Log All Requests—For full logging, whether for content, security or otherwise
Log Only Security Events—For security logging only, which gives your users more privacy—a good setting for
people with the roaming client installed on personal devices
Don’t Log Any Requests—Disables all logging. If you select this option, most reporting for identities with this
policy will not be helpful as nothing is logged to report on.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/log-management
QUESTION 142
How does Cisco Umbrella archive logs to an enterprise owned storage?
A. by using the Application Programming Interface to fetch the logs

B. by sending logs via syslog to an on-premises or cloud-based syslog server
C. by the system administrator downloading the logs from the Cisco Umbrella web portal
D. by being configured to send logs to a self-managed AWS S3 bucket
Correct Answer: D
Section: (none)
Explanation
Explanation
The Cisco Umbrella Multi-Org console has the ability to upload, store, and archive traffic activity logs from
your organizations’ Umbrella dashboards to the cloud through Amazon S3. CSV formatted Umbrella logs
are compressed (gzip) and uploaded every ten minutes so that there’s a minimum of delay between traffic from
the organization’s Umbrella dashboard being logged and then being available to download from an S3 bucket.
By having your organizations’ logs uploaded to an S3 bucket, you can then download logs automatically to keep
in perpetuity in backup storage.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/manage-logs
QUESTION 143
When web policies are configured in Cisco Umbrella, what provides the ability to ensure that domains are
blocked when they host malware, command and control, phishing, and more threats?
A. Application Control
B. Security Category Blocking
C. Content Category Blocking
D. File Analysis
Correct Answer: B
Section: (none)
Explanation
QUESTION 144
Which Cisco solution does Cisco Umbrella integrate with to determine if a URL is malicious?
A. AMP
B. AnyConnect
C. DynDNS
D. Talos
Correct Answer: D
Section: (none)
Explanation
Explanation
When Umbrella receives a DNS request, it uses intelligence to determine if the request is safe, malicious or
risky — meaning the domain contains both malicious and legitimate content. Safe and malicious requests are
routed as usual or blocked, respectively. Risky requests are routed to our cloud-based proxy for deeper
inspection. The Umbrella proxy uses Cisco Talos web reputation and other third-party feeds to determine if a
URL is malicious.
QUESTION 145
Where are individual sites specified to be blacklisted in Cisco Umbrella?
A. application settings
B. content categories
C. security settings
D. destination lists
Correct Answer: D
Section: (none)
Explanation
Explanation
A destination list is a list of internet destinations that can be blocked or allowed based on the administrative
preferences for the policies applied to the identities within your organization. A destination is an IP address
(IPv4), URL, or fully qualified domain name. You can add a destination list to Umbrella at any time; however, a
destination list does not come into use until it is added to a policy.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/working-with-destination-lists
QUESTION 146
Which Cisco security solution protects remote users against phishing attacks when they are not connected to
the VPN?
A. Cisco Stealthwatch
B. Cisco Umbrella
C. Cisco Firepower
D. NGIPS
Correct Answer: B
Section: (none)
Explanation
Explanation
Cisco Umbrella protects users from accessing malicious domains by proactively analyzing and blocking unsafe
destinations – before a connection is ever made. Thus it can protect from phishing attacks by blocking
suspicious domains when users click on the given links that an attacker sent. Cisco Umbrella roaming protects
your employees even when they are off the VPN.
QUESTION 147
How does Cisco Stealthwatch Cloud provide security for cloud environments?
A. It delivers visibility and threat detection.

B. It prevents exfiltration of sensitive data.
C. It assigns Internet-based DNS protection for clients and servers.
D. It facilitates secure connectivity between public and private networks.
Correct Answer: A
Section: (none)
Explanation
Explanation
Cisco Stealthwatch Cloud: Available as an SaaS product offer to provide visibility and threat detection within
public cloud infrastructures such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud
Platform (GCP).
QUESTION 148
What are two Detection and Analytics Engines of Cognitive Threat Analytics? (Choose two)
A. data exfiltration
B. command and control communication
C. intelligent proxy
D. snort
E. URL categorization
Correct Answer: AB
Section: (none)
Explanation
Explanation
Cisco Cognitive Threat Analytics helps you quickly detect and respond to sophisticated, clandestine attacks that
are already under way or are attempting to establish a presence within your environment. The solution
automatically identifies and investigates suspicious or malicious web-based traffic. It identifies both potential
and confirmed threats, allowing you to quickly remediate the infection and reduce the scope and damage of an
attack, whether it’s a known threat campaign that has spread across multiple organizations or a unique threat
you’ve never seen before.
Detection and analytics features provided in Cognitive Threat Analytics are shown below:
+ Data exfiltration: Cognitive Threat Analytics uses statistical modeling of an organization’s network to identify
anomalous web traffic and pinpoint the exfiltration of sensitive data. It recognizes data exfiltration even in
HTTPS-encoded traffic, without any need for you to decrypt transferred content
+ Command-and-control (C2) communication: Cognitive Threat Analytics combines a wide range of data,
ranging from statistics collected on an Internet-wide level to host-specific local anomaly scores. Combining
these indicators inside the statistical detection algorithms allows us to distinguish C2 communication from
benign traffic and from other malicious activities. Cognitive Threat Analytics recognizes C2 even in HTTPS-
encoded or anonymous traffic, including Tor, without any need to decrypt transferred content, detecting a broad
range of threats
…
Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/cognitive-threat-analytics/at-a-
glance-c45-736555.pdf
QUESTION 149
Which network monitoring solution uses streams and pushes operational data to provide a near real-time view
of activity?
A. SNMP
B. SMTP
C. syslog
D. model-driven telemetry
Correct Answer: D
Section: (none)
Explanation
Explanation
The traditional use of the pull model, where the client requests data from the network does not scale when what
you want is near real-time data. Moreover, in some use cases, there is the need to be notified only when some
data changes, like interfaces status, protocol neighbors change etc.
Model-Driven Telemetry is a new approach for network monitoring in which data is streamed from network
devices continuously using a push model and provides near real-time access to operational statistics.
Applications can subscribe to specific data items they need, by using standard-based YANG data models over
NETCONF-YANG. Cisco IOS XE streaming telemetry allows to push data off of the device to an external
collector at a much higher frequency, more efficiently, as well as data on-change streaming.
Reference: https://developer.cisco.com/docs/ios-xe/#!streaming-telemetry-quick-start-guide
QUESTION 150
What provides visibility and awareness into what is currently occurring on the network?
A. CMX
B. WMI
C. Prime Infrastructure
D. Telemetry
Correct Answer: D
Section: (none)
Explanation
Explanation
Telemetry – Information and/or data that provides awareness and visibility into what is occurring on the network
at any given time from networking devices, appliances, applications or servers in which the core function of the
device is not to generate security alerts designed to detect unwanted or malicious activity from computer
networks.
Reference: https://www.cisco.com/c/dam/en_us/about/doing_business/legal/service_descriptions/docs/active-
threat-analytics-premier.pdf
QUESTION 151
What can be integrated with Cisco Threat Intelligence Director to provide information about security threats,
which allows the SOC to proactively automate responses to those threats?
A. Cisco Umbrella
B. External Threat Feeds
C. Cisco Threat Grid
D. Cisco Stealthwatch
Correct Answer: C
Section: (none)
Explanation
Explanation
Cisco Threat Intelligence Director (CTID) can be integrated with existing Threat Intelligence Platforms deployed
by your organization to ingest threat intelligence automatically.
Reference: https://blogs.cisco.com/developer/automate-threat-intelligence-using-cisco-threat-intelligence-
director
QUESTION 152
Which solution combines Cisco IOS and IOS XE components to enable administrators to recognize
applications, collect and send network metrics to Cisco Prime and other third-party management tools, and
prioritize application traffic?
A. Cisco Security Intelligence

B. Cisco Application Visibility and Control
C. Cisco Model Driven Telemetry
D. Cisco DNA Center
Correct Answer: B
Section: (none)
Explanation
Explanation
The Cisco Application Visibility and Control (AVC) solution leverages multiple technologies to recognize,
analyze, and control over 1000 applications, including voice and video, email, file sharing, gaming, peer-to-peer
(P2P), and cloud-based applications. AVC combines several Cisco IOS/IOS XE components, as well as
communicating with external tools, to integrate the following functions into a powerful solution…
Reference: https://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/avc/guide/avc-user-guide/
avc_tech_overview.html
QUESTION 153
Which two activities can be done using Cisco DNA Center? (Choose two)
A. DHCP
B. Design
C. Accounting
D. DNS
E. Provision
Correct Answer: BE
Section: (none)
Explanation
Explanation
Cisco DNA Center has four general sections aligned to IT workflows:
Design: Design your network for consistent configurations by device and by site. Physical maps and logical
topologies help provide quick visual reference. The direct import feature brings in existing maps, images, and
topologies directly from Cisco Prime Infrastructure and the Cisco Application Policy Infrastructure Controller
Enterprise Module (APIC-EM), making upgrades easy and quick. Device configurations by site can be
consolidated in a “golden image” that can be used to automatically provision new network devices. These new
devices can either be pre-staged by associating the device details and mapping to a site. Or they can be
claimed upon connection and mapped to the site.
Policy: Translate business intent into network policies and apply those policies, such as access control, traffic
routing, and quality of service, consistently over the entire wired and wireless infrastructure. Policy-based
access control and network segmentation is a critical function of the Cisco Software-Defined Access (SD-
Access) solution built from Cisco DNA Center and Cisco Identity Services Engine (ISE). Cisco AI Network
Analytics and Cisco Group-Based Policy Analytics running in the Cisco DNA Center identify endpoints, group
similar endpoints, and determine group communication behavior. Cisco DNA Center then facilitates creating
policies that determine the form of communication allowed between and within members of each group. ISE
then activates the underlying infrastructure and segments the network creating a virtual overlay to follow these
policies consistently. Such segmenting implements zero-trust security in the workplace, reduces risk, contains
threats, and helps verify regulatory compliance by giving endpoints just the right level of access they need.
Provision: Once you have created policies in Cisco DNA Center, provisioning is a simple drag-and-drop task.
The profiles (called scalable group tags or “SGTs”) in the Cisco DNA Center inventory list are assigned a policy,
and this policy will always follow the identity. The process is completely automated and zero-touch. New
devices added to the network are assigned to an SGT based on identity—greatly facilitating remote office
setups.
Assurance: Cisco DNA Assurance, using AI/ML, enables every point on the network to become a sensor,
sending continuous streaming telemetry on application performance and user connectivity in real time. The
clean and simple dashboard shows detailed network health and flags issues. Then, guided remediation
automates resolution to keep your network performing at its optimal with less mundane troubleshooting work.
The outcome is a consistent experience and proactive optimization of your network, with less time spent on
troubleshooting tasks.
dna-center-so-cte-en.html
QUESTION 154
What must be used to share data between multiple security products?
A. Cisco Rapid Threat Containment

B. Cisco Platform Exchange Grid
C. Cisco Advanced Malware Protection
D. Cisco Stealthwatch Cloud
Correct Answer: B
Section: (none)
Explanation
QUESTION 155
Which Cisco product is open, scalable, and built on IETF standards to allow multiple security products from
Cisco and other vendors to share data and interoperate with each other?
A. Advanced Malware Protection

B. Platform Exchange Grid
C. Multifactor Platform Integration
D. Firepower Threat Defense
Correct Answer: B
Section: (none)
Explanation
Explanation
With Cisco pxGrid (Platform Exchange Grid), your multiple security products can now share data and work
together. This open, scalable, and IETF standards-driven platform helps you automate security to get answers
and contain threats faster.
QUESTION 156
What is a feature of the open platform capabilities of Cisco DNA Center?
A. intent-based APIs
B. automation adapters
C. domain integration
D. application adapters
Correct Answer: A
Section: (none)
Explanation
QUESTION 157
What is the function of the Context Directory Agent?
A. maintains users’ group memberships

B. relays user authentication requests from Web Security Appliance to Active Directory
C. reads the Active Directory logs to map IP addresses to usernames
D. accepts user authentication requests on behalf of Web Security Appliance for user identification
Correct Answer: C
Section: (none)
Explanation
Explanation
Cisco Context Directory Agent (CDA) is a mechanism that maps IP Addresses to usernames in order to allow
security gateways to understand which user is using which IP Address in the network, so those security
gateways can now make decisions based on those users (or the groups to which the users belong to).
CDA runs on a Cisco Linux machine; monitors in real time a collection of Active Directory domain controller
(DC) machines for authentication-related events that generally indicate user logins; learns, analyzes, and
caches mappings of IP Addresses and user identities in its database; and makes the latest mappings available
to its consumer devices.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/
cda_oveviw.html
QUESTION 158
What is a characteristic of a bridge group in ASA Firewall transparent mode?
A. It includes multiple interfaces and access rules between interfaces are customizable
B. It is a Layer 3 segment and includes one port and customizable access rules
C. It allows ARP traffic with a single access rule
D. It has an IP address on its BVI interface and is used for management traffic
Correct Answer: A
Section: (none)
Explanation
Explanation
A bridge group is a group of interfaces that the ASA bridges instead of routes. Bridge groups are only
supported in Transparent Firewall Mode. Like any other firewall interfaces, access control between interfaces is
controlled, and all of the usual firewall checks are in place.
Each bridge group includes a Bridge Virtual Interface (BVI). The ASA uses the BVI IP address as the source
address for packets originating from the bridge group. The BVI IP address must be on the same subnet as the
bridge group member interfaces. The BVI does not support traffic on secondary networks; only traffic on the
same network as the BVI IP address is supported.
You can include multiple interfaces per bridge group. If you use more than 2 interfaces per bridge group,
you can control communication between multiple segments on the same network, and not just between inside
and outside. For example, if you have three inside segments that you do not want to communicate with each
other, you can put each segment on a separate interface, and only allow them to communicate with the outside
interface. Or you can customize the access rules between interfaces to allow only as much access as
desired.
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-
config/intro-fw.html
Note: BVI interface is not used for management purpose. But we can add a separate Management slot/port
interface that is not part of any bridge group, and that allows only management traffic to the ASA.
QUESTION 159
When Cisco and other industry organizations publish and inform users of known security findings and
vulnerabilities, which name is used?
A. Common Security Exploits

B. Common Vulnerabilities and Exposures
C. Common Exploits and Vulnerabilities
D. Common Vulnerabilities, Exploits and Threats
Correct Answer: B
Section: (none)
Explanation
Explanation
Vendors, security researchers, and vulnerability coordination centers typically assign vulnerabilities an identifier
that’s disclosed to the public. This identifier is known as the Common Vulnerabilities and Exposures (CVE).
CVE is an industry-wide standard. CVE is sponsored by US-CERT, the office of Cybersecurity and
Communications at the U.S. Department of Homeland Security.
The goal of CVE is to make it’s easier to share data across tools, vulnerability repositories, and security
services.
Reference: CCNP And CCIE Security Core SCOR 350-701 Official Cert Guide
QUESTION 160
Which two fields are defined in the NetFlow flow? (Choose two)
A. type of service byte

B. class of service bits
C. Layer 4 protocol type
D. destination port
E. output logical interface
Correct Answer: AD
Section: (none)
Explanation
Explanation
Cisco standard NetFlow version 5 defines a flow as a unidirectional sequence of packets that all share seven
values which define a unique key for the flow:
+ Ingress interface (SNMP ifIndex)
+ Source IP address
+ Destination IP address
+ IP protocol
+ Source port for UDP or TCP, 0 for other protocols
+ Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols
+ IP Type of Service
Note: A flow is a unidirectional series of packets between a given source and destination.
QUESTION 161
What provides the ability to program and monitor networks from somewhere other than the DNAC GUI?
A. NetFlow
B. desktop client
C. ASDM
D. API
Correct Answer: D
Section: (none)
Explanation
QUESTION 162
An organization has two machines hosting web applications. Machine 1 is vulnerable to SQL injection while
machine 2 is vulnerable to buffer overflows. What action would allow the attacker to gain access to machine 1
but not machine 2?
A. sniffing the packets between the two hosts

B. sending continuous pings
C. overflowing the buffer’s memory
D. inserting malicious commands into the database
Correct Answer: D
Section: (none)
Explanation
QUESTION 163
An organization is trying to improve their Defense in Depth by blocking malicious destinations prior to a
connection being established. The solution must be able to block certain applications from being used within
the network. Which product should be used to accomplish this goal?
A. Cisco Firepower
B. Cisco Umbrella
C. ISE
D. AMP
Correct Answer: B
Section: (none)
Explanation
Explanation
Cisco Umbrella protects users from accessing malicious domains by proactively analyzing and blocking unsafe
destinations – before a connection is ever made. Thus it can protect from phishing attacks by blocking
suspicious domains when users click on the given links that an attacker sent.
QUESTION 164
A company is experiencing exfiltration of credit card numbers that are not being stored on-premise. The
company needs to be able to protect sensitive data throughout the full environment. Which tool should be used
to accomplish this goal?
A. Security Manager
B. Cloudlock
C. Web Security Appliance
D. Cisco ISE
Correct Answer: B
Section: (none)
Explanation
Explanation
Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely.
It protects your cloud users, data, and apps. Cisco Cloudlock provides visibility and compliance checks,
protects data against misuse and exfiltration, and provides threat protections against malware like ransomware.
QUESTION 165
An engineer is trying to securely connect to a router and wants to prevent insecure algorithms from being used.
However, the connection is failing. Which action should be taken to accomplish this goal?
A. Disable telnet using the no ip telnet command.

B. Enable the SSH server using the ip ssh server command.
C. Configure the port using the ip ssh port 22 command.
D. Generate the RSA key using the crypto key generate rsa command.
Correct Answer: D
Section: (none)
Explanation
Explanation
In this question, the engineer was trying to secure the connection so maybe he was trying to allow SSH to the
device. But maybe something went wrong so the connection was failing (the connection used to be good). So
maybe he was missing the “crypto key generate rsa” command.
QUESTION 166
A network administrator is using the Cisco ESA with AMP to upload files to the cloud for analysis. The network
is congested and is affecting communication. How will the Cisco ESA handle any files which need analysis?
A. AMP calculates the SHA-256 fingerprint, caches it, and periodically attempts the upload.
B. The file is queued for upload when connectivity is restored.
C. The file upload is abandoned.
D. The ESA immediately makes another attempt to upload the file.
Correct Answer: C
Section: (none)
Explanation
Explanation
The appliance will try once to upload the file; if upload is not successful, for example because of
connectivity problems, the file may not be uploaded. If the failure was because the file analysis server was
overloaded, the upload will be attempted once more.
Reference: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118796-technote-
esa-00.html
In this question, it stated “the network is congested” (not the file analysis server was overloaded) so the
appliance will not try to upload the file again.
QUESTION 167
Which type of algorithm provides the highest level of protection against brute-force attacks?
A. PFS
B. HMAC
C. MD5
D. SHA
Correct Answer: D
Section: (none)
Explanation
QUESTION 168
What must be configured in Cisco ISE to enforce reauthentication of an endpoint session when an endpoint is
deleted from an identity group?
A. posture assessment
B. CoA
C. external identity source
D. SNMP probe
Correct Answer: B
Section: (none)
Explanation
Explanation
Cisco ISE allows a global configuration to issue a Change of Authorization (CoA) in the Profiler Configuration
page that enables the profiling service with more control over endpoints that are already authenticated.
One of the settings to configure the CoA type is “Reauth”. This option is used to enforce reauthentication of an
already authenticated endpoint when it is profiled.
b_ise_admin_guide_sample_chapter_010101.html
QUESTION 169
A network administrator is configuring a rule in an access control policy to block certain URLs and selects the
“Chat and Instant Messaging” category. Which reputation score should be selected to accomplish this goal?
A. 1
B. 3
C. 5
D. 10
Correct Answer: D
Section: (none)
Explanation
Explanation
We choose “Chat and Instant Messaging” category in “URL Category”:
To block certain URLs we need to choose URL Reputation from 6 to 10.
QUESTION 170
Which group within Cisco writes and publishes a weekly newsletter to help cybersecurity professionals remain
aware of the ongoing and most prevalent threats?
A. PSIRT
B. Talos
C. CSIRT
D. DEVNET
Correct Answer: B
Section: (none)
Explanation
Explanation
Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each
week and other security news.
Reference: https://talosintelligence.com/newsletters
QUESTION 171
What are the two types of managed Intercloud Fabric deployment models? (Choose two)
A. Service Provider managed

B. Public managed
C. Hybrid managed
D. User managed
E. Enterprise managed
Correct Answer: AE
Section: (none)
Explanation
Explanation
Many enterprises prefer to deploy development workloads in the public cloud, primarily for convenience and
faster deployment. This approach can cause concern for IT administrators, who must control the flow of IT
traffic and spending and help ensure the security of data and intellectual property. Without the proper controls,
data and intellectual property can escape this oversight. The Cisco Intercloud Fabric solution helps control this
shadow IT, discovering resources deployed in the public cloud outside IT control and placing these resources
under Cisco Intercloud Fabric control.
Cisco Intercloud Fabric addresses the cloud deployment requirements appropriate for two hybrid cloud
deployment models: Enterprise Managed (an enterprise manages its own cloud environments) and Service
Provider Managed (the service provider administers and controls all cloud resources).
Reference: https://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/Intercloud_Fabric.pdf
The Cisco Intercloud Fabric architecture provides two product configurations to address the following two
consumption models:
+ Cisco Intercloud Fabric for Business
+ Cisco Intercloud Fabric for Providers
Reference: https://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/Intercloud_Fabric/
Intercloud_Fabric_2.html
QUESTION 172
What are two DDoS attack categories? (Choose two)
A. sequential
B. protocol
C. database
D. volume-based
E. screen-based
Correct Answer: BD
Section: (none)
Explanation
Explanation
There are three basic categories of attack:
+ volume-based attacks, which use high traffic to inundate the network bandwidth
+ protocol attacks, which focus on exploiting server resources
+ application attacks, which focus on web applications and are considered the most sophisticated and serious
type of attacks
Reference: https://www.esecurityplanet.com/networks/types-of-ddos-attacks/
QUESTION 173
Which type of authentication is in use?
A. LDAP authentication for Microsoft Outlook

B. POP3 authentication
C. SMTP relay server authentication
D. external user and relay mail authentication
Correct Answer: D
Section: (none)
Explanation
Explanation
The TLS connections are recorded in the mail logs, along with other significant actions that are related to
messages, such as filter actions, anti-virus and anti-spam verdicts, and delivery attempts. If there is a
successful TLS connection, there will be a TLS success entry in the mail logs. Likewise, a failed TLS
connection produces a TLS failed entry. If a message does not have an associated TLS entry in the log file, that
message was not delivered over a TLS connection.
Reference: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118844-technote-
esa-00.html
The exhibit in this Qshows a successful TLS connection from the remote host (reception) in the mail log.
QUESTION 174
An organization received a large amount of SPAM messages over a short time period. In order to take action
on the messages, it must be determined how harmful the messages are and this needs to happen dynamically.
What must be configured to accomplish this?
A. Configure the Cisco WSA to modify policies based on the traffic seen
B. Configure the Cisco ESA to receive real-time updates from Talos
C. Configure the Cisco WSA to receive real-time updates from Talos
D. Configure the Cisco ESA to modify policies based on the traffic seen
Correct Answer: D
Section: (none)
Explanation
Explanation
The Mail Policies menu is where almost all of the controls related to email filtering happens. All the security and
content filtering policies are set here, so it’s likely that, as an ESA administrator, the pages on this menu are
where you are likely to spend most of your time.
QUESTION 175
Which product allows Cisco FMC to push security intelligence observable to its sensors from other products?
A. Encrypted Traffic Analytics

B. Threat Intelligence Director
C. Cognitive Threat Analytics
D. Cisco Talos Intelligence
Correct Answer: B
Section: (none)
Explanation
QUESTION 176
What are two differences between a Cisco WSA that is running in transparent mode and one running in explicit
mode? (Choose two)
A. When the Cisco WSA is running in transparent mode, it uses the WSA’s own IP address as the HTTP
request destination.
B. The Cisco WSA responds with its own IP address only if it is running in explicit mode.
C. The Cisco WSA is configured in a web browser only if it is running in transparent mode.
D. The Cisco WSA uses a Layer 3 device to redirect traffic only if it is running in transparent mode.
E. The Cisco WSA responds with its own IP address only if it is running in transparent mode.
Correct Answer: DE
Section: (none)
Explanation
Explanation
The Cisco Web Security Appliance (WSA) includes a web proxy, a threat analytics engine, antimalware engine,
policy management, and reporting in a single physical or virtual appliance. The main use of the Cisco WSA is to
protect users from accessing malicious websites and being infected by malware.
You can deploy the Cisco WSA in two different modes:
– Explicit forward mode
– Transparent mode
In explicit forward mode, the client is configured to explicitly use the proxy, subsequently sending all web traffic
to the proxy. Because the client knows there is a proxy and sends all traffic to the proxy in explicit forward
mode, the client does not perform a DNS lookup of the domain before requesting the URL. The Cisco WSA is
responsible for DNS resolution, as well.
When you configure the Cisco WSA in explicit mode, you do not need to configure any other network
infrastructure devices to redirect client requests to the Cisco WSA. However, you must configure each client to
send traffic to the Cisco WSA.
-> Therefore in explicit mode, WSA only checks the traffic between client & web server. WSA does not use its
own IP address to request -> Answer B is not correct.
When the Cisco WSA is in transparent mode, clients do not know there is a proxy deployed. Network
infrastructure devices are configured to forward traffic to the Cisco WSA. In transparent mode deployments,
network infrastructure devices redirect web traffic to the proxy. Web traffic redirection can be done using policy-
based routing (PBR)—available on many routers —or using Cisco’s Web Cache Communication Protocol
(WCCP) on Cisco ASA, Cisco routers, or switches.
The Web Cache Communication Protocol (WCCP), developed by Cisco Systems, specifies interactions between one or more
switches) and one or more web-caches. The purpose of the interaction is to establish and maintain the transparent redirectio
of traffic flowing through a group of routers.
Reference: https://www.cisco.com/c/en/us/tech/content-networking/web-cache-communications-protocol-wccp/index.html
->Therefore answer D is correct as redirection can be done on Layer 3 device only.
In transparent mode, the client is unaware its traffic is being sent to a proxy (Cisco WSA) and, as a result, the
client uses DNS to resolve the domain name in the URL and send the web request destined for the web server
(not the proxy). When you configure the Cisco WSA in transparent mode, you need to identify a network choke
point with a redirection device (a Cisco ASA) to redirect traffic to the proxy.
WSA in Transparent mode
-> Therefore in Transparent mode, WSA uses its own IP address to initiate a new connection the Web Server
(in step 4 above) -> Answer E is correct.
Answer C is surely not correct as WSA cannot be configured in a web browser in either mode.
Answer A seems to be correct but it is not. This answer is correct if it states “When the Cisco WSA is running in
transparent mode, it uses the WSA’s own IP address as the HTTP request source” (not destination).
QUESTION 177
After a recent breach, an organization determined that phishing was used to gain initial access to the network
before regaining persistence. The information gained from the phishing attack was a result of users visiting
known malicious websites. What must be done in order to prevent this from happening in the future?
A. Modify an access policy

B. Modify identification profiles
C. Modify outbound malware scanning policies
D. Modify web proxy settings
Correct Answer: A
Section: (none)
Explanation
Explanation
URL conditions in access control rules allow you to limit the websites that users on your network can access.
This feature is called URL filtering. There are two ways you can use access control to specify URLs you want to
block (or, conversely, allow):
– With any license, you can manually specify individual URLs, groups of URLs, and URL lists and feeds to
achieve granular, custom control over web traffic.
– With a URL Filtering license, you can also control access to websites based on the URL’s general
classification, or category, and risk level, or reputation. The system displays this category and reputation data in
connection logs, intrusion events, and application details.
Using category and reputation data also simplifies policy creation and administration. It grants you assurance
that the system will control web traffic as expected. Finally, because Cisco’s threat intelligence is continually
updated with new URLs, as well as new categories and risks for existing URLs, you can ensure that the system
uses up-to-date information to filter requested URLs. Malicious sites that represent security threats such as
malware, spam, botnets, and phishing may appear and disappear faster than you can update and deploy new
policies.
v60/Access_Control_Rules__URL_Filtering.html
QUESTION 178
What is the function of SDN southbound API protocols?
A. to allow for the dynamic configuration of control plane applications

B. to enable the controller to make changes
C. to enable the controller to use REST
D. to allow for the static configuration of control plane applications
Correct Answer: B
Section: (none)
Explanation
Explanation
Southbound APIs enable SDN controllers to dynamically make changes based on real-time demands and
scalability needs.
Reference: https://www.ciscopress.com/articles/article.asp?p=3004581&seqNum=2
Note: Southbound APIs helps us communicate with data plane (not control plane) applications.
QUESTION 179
Traffic is not passing through IPsec site-to-site VPN on the Firepower Threat Defense appliance. What is
causing this issue?
A. No split-tunnel policy is defined on the Firepower Threat Defense appliance.

B. The access control policy is not allowing VPN traffic in.
C. Site-to-site VPN peers are using different encryption algorithms.
D. Site-to-site VPN preshared keys are mismatched.
Correct Answer: B
Section: (none)
Explanation
Explanation
If sysopt permit-vpn is not enabled then an access control policy must be created to allow the VPN traffic
through the FTD device. If sysopt permit-vpn is enabled skip creating an access control policy.
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215470-
site-to-site-vpn-configuration-on-ftd-ma.html
QUESTION 180
An attacker needs to perform reconnaissance on a target system to help gain access to it. The system has
weak passwords, no encryption on the VPN links, and software bugs on the system’s applications. Which
vulnerability allows the attacker to see the passwords being transmitted in clear text?
A. weak passwords for authentication

B. unencrypted links for traffic
C. software bugs on applications
D. improper file security
Correct Answer: B
Section: (none)
Explanation
QUESTION 181
Using Cisco Firepower’s Security Intelligence policies, upon which two criteria is Firepower block based?
(Choose two)
A. URLs
B. protocol IDs
C. IP addresses
D. MAC addresses
E. port numbers
Correct Answer: AC
Section: (none)
Explanation
Explanation
Security Intelligence Sources
…
Custom Block lists or feeds (or objects or groups)
Block specific IP addresses, URLs, or domain names using a manually-created list or feed (for IP addresses,
you can also use network objects or groups.)
For example, if you become aware of malicious sites or addresses that are not yet blocked by a feed, add these
sites to a custom Security Intelligence list and add this custom list to the Block list in the Security Intelligence
tab of your access control policy.
guide-v623/security_intelligence_blacklisting.html
QUESTION 182
Which Cisco platform ensures that machines that connect to organizational networks have the recommended
antivirus definitions and patches to help prevent an organizational malware outbreak?
A. Cisco WiSM
B. Cisco ESA
C. Cisco ISE
D. Cisco Prime Infrastructure
Correct Answer: C
Section: (none)
Explanation
Explanation
A posture policy is a collection of posture requirements, which are associated with one or more identity groups,
and operating systems. We can configure ISE to check for the Windows patch at Work Centers > Posture >
Posture Elements > Conditions > File.
In this example, we are going to use the predefined file check to ensure that our Windows 10 clients have the
critical security patch installed to prevent the Wanna Cry malware; and we can also configure ISE to update the
client with this patch.
QUESTION 183
What are two benefits of Flexible NetFlow records? (Choose two)
A. They allow the user to configure flow information to perform customized traffic identification
B. They provide attack prevention by dropping the traffic
C. They provide accounting and billing enhancements
D. They converge multiple accounting technologies into one accounting mechanism
E. They provide monitoring of a wider range of IP packet information from Layer 2 to 4
Correct Answer: AC
Section: (none)
Explanation
Explanation
NetFlow is typically used for several key customer applications, including the following:
…
Billing and accounting. NetFlow data provides fine-grained metering (for instance, flow data includes details
such as IP addresses, packet and byte counts, time stamps, type of service (ToS), and application ports) for
highly flexible and detailed resource utilization accounting. Service providers may use the information for billing
based on time of day, bandwidth usage, application usage, quality of service, and so on. Enterprise customers
may use the information for departmental charge back or cost allocation for resource utilization.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/15-mt/fnf-15-mt-book/fnf-
fnetflow.html
If the predefined Flexible NetFlow records are not suitable for your traffic requirements, you can create a user-
defined (custom) record using the Flexible NetFlow collect and match commands. Before you can create a
customized record, you must decide the criteria that you are going to use for the key and nonkey fields.
Reference: https://www.cisco.com/en/US/docs/ios/fnetflow/configuration/guide/
cust_fnflow_rec_mon_external_docbase_0900e4b18055d0d2_4container_external_docbase_0900e4b181b413
d9.html#wp1057997
Note: Traditional NetFlow allows us to monitor from Layer 2 to 4 but Flexible NetFlow goes beyond these
layers.
QUESTION 184
How does DNS Tunneling exfiltrate data?
A. An attacker registers a domain that a client connects to based on DNS records and sends malware through
that connection.
B. An attacker opens a reverse DNS shell to get into the client’s system and install malware on it.
C. An attacker uses a non-standard DNS port to gain access to the organization’s DNS servers in order to
poison the resolutions.
D. An attacker sends an email to the target with hidden DNS resolvers in it to redirect them to a malicious
domain.
Correct Answer: A
Section: (none)
Explanation
QUESTION 185
A user has a device in the network that is receiving too many connection requests from multiple machines.
Which type of attack is the device undergoing?
A. phishing
B. slowloris
C. pharming
D. SYN flood
Correct Answer: D
Section: (none)
Explanation
QUESTION 186
An organization is receiving SPAM emails from a known malicious domain. What must be configured in order to
prevent the session during the initial TCP communication?
A. Configure the Cisco ESA to drop the malicious emails

B. Configure policies to quarantine malicious emails
C. Configure policies to stop and reject communication
D. Configure the Cisco ESA to reset the TCP connection
Correct Answer: A
Section: (none)
Explanation
QUESTION 187
A Cisco Firepower administrator needs to configure a rule to allow a new application that has never been seen
on the network. Which two actions should be selected to allow the traffic to pass without inspection? (Choose
two)
A. permit
B. trust
C. reset
D. allow
E. monitor
Correct Answer: BE
Section: (none)
Explanation
Explanation
Each rule also has an action, which determines whether you monitor, trust, block, or allow matching traffic.
Note: With action “trust”, Firepower does not do any more inspection on the traffic. There will be no intrusion
protection and also no file-policy on this traffic.
QUESTION 188
An engineer needs behavioral analysis to detect malicious activity on the hosts, and is configuring the
organization’s public cloud to send telemetry using the cloud provider’s mechanisms to a security device. Which
mechanism should the engineer configure to accomplish this goal?
A. mirror port
B. Flow
C. NetFlow
D. VPC flow logs
Correct Answer: C
Section: (none)
Explanation
QUESTION 189
An engineer has enabled LDAP accept queries on a listener. Malicious actors must be prevented from quickly
identifying all valid recipients. What must be done on the Cisco ESA to accomplish this goal?
A. Configure incoming content filters

B. Use Bounce Verification
C. Configure Directory Harvest Attack Prevention
D. Bypass LDAP access queries in the recipient access table
Correct Answer: C
Section: (none)
Explanation
Explanation
A Directory Harvest Attack (DHA) is a technique used by spammers to find valid/existent email addresses at a
domain either by using Brute force or by guessing valid e-mail addresses at a domain using different
permutations of common username. Its easy for attackers to get hold of a valid email address if your
organization uses standard format for official e-mail alias (for example: jsmith@example.com). We can
configure DHA Prevention to prevent malicious actors from quickly identifying valid recipients.
Note: Lightweight Directory Access Protocol (LDAP) is an Internet protocol that email programs use to look up
contact information from a server, such as ClickMail Central Directory. For example, here’s an LDAP search
translated into plain English: “Search for all people located in Chicago who’s name contains “Fred” that have an
email address. Please return their full name, email, title, and description.”
QUESTION 190
What is a feature of Cisco NetFlow Secure Event Logging for Cisco ASAs?
A. Multiple NetFlow collectors are supported

B. Advanced NetFlow v9 templates and legacy v5 formatting are supported
C. Secure NetFlow connections are optimized for Cisco Prime Infrastructure
D. Flow-create events are delayed
Correct Answer: D
Section: (none)
Explanation
Explanation
The ASA and ASASM implementations of NetFlow Secure Event Logging (NSEL) provide the following major
functions:
…
– Delays the export of flow-create events.
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/
monitor-nsel.pdf
QUESTION 191
An engineer is configuring 802.1X authentication on Cisco switches in the network and is using CoA as a
mechanism. Which port on the firewall must be opened to allow the CoA traffic to traverse the network?
A. TCP 6514
B. UDP 1700
C. TCP 49
D. UDP 1812
Correct Answer: B
Section: (none)
Explanation
Explanation
CoA Messages are sent on two different udp ports depending on the platform. Cisco standardizes on UDP port
1700, while the actual RFC calls out using UDP port 3799.
QUESTION 192
Which public cloud provider supports the Cisco Next Generation Firewall Virtual?
A. Google Cloud Platform

B. Red Hat Enterprise Visualization
C. VMware ESXi
D. Amazon Web Services
Correct Answer: D
Section: (none)
Explanation
Explanation
Cisco Firepower NGFW Virtual (NGFWv) is the virtualized version of Cisco’s Firepower next generation firewall.
The Cisco NGFW virtual appliance is available in the AWS and Azure marketplaces. In AWS, it can be
deployed in routed and passive modes. Passive mode design requires ERSPAN, the Encapsulated Remote
Switched Port Analyzer, which is currently not available in Azure.
In passive mode, NGFWv inspects packets like an Intrusion Detection System (IDS) appliance, but no action
can be taken on the packet.
In routed mode NGFWv acts as a next hop for workloads. It can inspect packets and also take action on the
packet based on rule and policy definitions.
Reference: https://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-virtual-appliance-asav/
white-paper-c11-740505.html
QUESTION 193
What is the purpose of the My Devices Portal in a Cisco ISE environment?
A. to register new laptops and mobile devices

B. to request a newly provisioned mobile device
C. to provision userless and agentless systems
D. to manage and deploy antivirus definitions and patches on systems owned by the end user
Correct Answer: A
Section: (none)
Explanation
Explanation
Depending on your company policy, you might be able to use your mobile phones, tablets, printers, Internet
radios, and other network devices on your company’s network. You can use the My Devices portal to register
and manage these devices on your company’s network.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/mydevices/b_mydevices_2x.html
QUESTION 194
ip dhcp snooping
ip dhcp snooping vlan 41,44
!
interface GigabitEthernet1/0/1
description Uplink_To_Distro_Switch_g1/0/11
switchport trunk native vlan 999
switchport trunk allowed vlan 40,41,44
switchport mode trunk
An organization is using DHCP Snooping within their network. A user on VLAN 41 on a new switch is
complaining that an IP address is not being obtained. Which command should be configured on the switch
interface in order to provide the user with network connectivity?
A. ip dhcp snooping verify mac-address

B. ip dhcp snooping limit 41
C. ip dhcp snooping vlan 41
D. ip dhcp snooping trust
Correct Answer: D
Section: (none)
Explanation
Explanation
To understand DHCP snooping we need to learn about DHCP spoofing attack first.
DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers
them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP
Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go
through the attacker computer, the attacker becomes a “man-in-the-middle”.
The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is
“closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it
can’t send the DHCP Response.
DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that
determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.
Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP
messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response
is seen on an untrusted port, the port is shut down.
The port connected to a DHCP server should be configured as trusted port with the “ip dhcp snooping trust”
command. Other ports connecting to hosts are untrusted ports by default.
In this question, we need to configure the uplink to “trust” (under interface Gi1/0/1) as shown below.
QUESTION 195
What is the purpose of the certificate signing request when adding a new certificate for a server?
A. It is the password for the certificate that is needed to install it with.

B. It provides the server information so a certificate can be created and signed
C. It provides the certificate client information so the server can authenticate against it when installing
D. It is the certificate that will be loaded onto the server
Correct Answer: B
Section: (none)
Explanation
Explanation
A certificate signing request (CSR) is one of the first steps towards getting your own SSL Certificate. Generated
on the same server you plan to install the certificate on, the CSR contains information (e.g. common name,
organization, country) that the Certificate Authority (CA) will use to create your certificate. It also contains the
public key that will be included in your certificate and is signed with the corresponding private key.
QUESTION 196
What is the Cisco API-based broker that helps reduce compromises, application risks, and data breaches in an
environment that is not on-premise?
A. Cisco Cloudlock
B. Cisco Umbrella
C. Cisco AMP
D. Cisco App Dynamics
Correct Answer: A
Section: (none)
Explanation
Explanation
Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely.
It protects your cloud users, data, and apps. Cisco Cloudlock provides visibility and compliance checks,
protects data against misuse and exfiltration, and provides threat protections against malware like ransomware.
QUESTION 197
What is managed by Cisco Security Manager?
A. access point
B. WSA
C. ASA
D. ESA
Correct Answer: C
Section: (none)
Explanation
Explanation
Cisco Security Manager provides a comprehensive management solution for:
– Cisco ASA 5500 Series Adaptive Security Appliances
– Cisco intrusion prevention systems 4200 and 4500 Series Sensors
– Cisco AnyConnect Secure Mobility Client
Reference: https://www.cisco.com/c/en/us/products/security/security-manager/index.html
QUESTION 198
How does Cisco Advanced Phishing Protection protect users?
A. It validates the sender by using DKIM.

B. It determines which identities are perceived by the sender
C. It utilizes sensors that send messages securely.
D. It uses machine learning and real-time behavior analytics.
Correct Answer: D
Section: (none)
Explanation
Explanation
Cisco Advanced Phishing Protection provides sender authentication and BEC detection capabilities. It uses
advanced machine learning techniques, real-time behavior analytics, relationship modeling, and telemetry to
protect against identity deception-based threats.
Reference: https://docs.ces.cisco.com/docs/advanced-phishing-protection
QUESTION 199
What is a benefit of using Cisco FMC over Cisco ASDM?
A. Cisco FMC uses Java while Cisco ASDM uses HTML5.

B. Cisco FMC provides centralized management while Cisco ASDM does not.
C. Cisco FMC supports pushing configurations to devices while Cisco ASDM does not.
D. Cisco FMC supports all firewall products whereas Cisco ASDM only supports Cisco ASA devices
Correct Answer: B
Section: (none)
Explanation
Explanation
Cisco FTD devices, Cisco Firepower devices, and the Cisco ASA FirePOWER modules can be managed by
the Firepower Management Center (FMC), formerly known as the FireSIGHT Management Center -> Answer D
is not correct
Note: The ASA FirePOWER module runs on the separately upgraded ASA operating system
“You cannot use an FMC to manage ASA firewall functions.”
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html
The Cisco Secure Firewall Threat Defense Manager (Firepower Management Center) increases the
effectiveness of your Cisco network security solutions by providing centralized, integrated, and streamlined
management.
Reference: https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-
c78-736775.html
QUESTION 200
What is a key difference between Cisco Firepower and Cisco ASA?
A. Cisco ASA provides access control while Cisco Firepower does not.
B. Cisco Firepower provides identity-based access control while Cisco ASA does not.
C. Cisco Firepower natively provides intrusion prevention capabilities while Cisco ASA does not.
D. Cisco ASA provides SSL inspection while Cisco Firepower does not.
Correct Answer: C
Section: (none)
Explanation
QUESTION 201
An organization is implementing URL blocking using Cisco Umbrella. The users are able to go to some sites
but other sites are not accessible due to an error. Why is the error occurring?
A. Client computers do not have the Cisco Umbrella Root CA certificate installed.
B. IP-Layer Enforcement is not configured.
C. Client computers do not have an SSL certificate deployed from an internal CA server.
D. Intelligent proxy and SSL decryption is disabled in the policy.
Correct Answer: A
Section: (none)
Explanation
Explanation
Other features are dependent on SSL Decryption functionality, which requires the Cisco Umbrella root
certificate. Having the SSL Decryption feature improves:
Custom URL Blocking—Required to block the HTTPS version of a URL.
…
Umbrella’s Block Page and Block Page Bypass features present an SSL certificate to browsers that make
connections to HTTPS sites. This SSL certificate matches the requested site but will be signed by the Cisco
Umbrella certificate authority (CA). If the CA is not trusted by your browser, an error page may be displayed.
Typical errors include “The security certificate presented by this website was not issued by a trusted certificate
authority” (Internet Explorer), “The site’s security certificate is not trusted!” (Google Chrome) or “This
Connection is Untrusted” (Mozilla Firefox). Although the error page is expected, the message displayed can be
confusing and you may wish to prevent it from appearing.
To avoid these error pages, install the Cisco Umbrella root certificate into your browser or the browsers of
your users—if you’re a network admin.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/rebrand-cisco-certificate-import-information
QUESTION 202
Which two aspects of the cloud PaaS model are managed by the customer but not the provider? (Choose two)
A. virtualization
B. middleware
C. operating systems
D. applications
E. data
Correct Answer: DE
Section: (none)
Explanation
Explanation
Customers must manage applications and data in PaaS.
QUESTION 203
What is an attribute of the DevSecOps process?
A. mandated security controls and check lists

B. security scanning and theoretical vulnerabilities
C. development security
D. isolated security team
Correct Answer: C
Section: (none)
Explanation
Explanation
DevSecOps (development, security, and operations) is a concept used in recent years to describe how to move
security activities to the start of the development life cycle and have built-in security practices in the continuous
integration/continuous deployment (CI/CD) pipeline. Thus minimizing vulnerabilities and bringing security closer
to IT and business objectives.
Three key things make a real DevSecOps environment:
+ Security testing is done by the development team.
+ Issues found during that testing is managed by the development team.
+ Fixing those issues stays within the development team.
QUESTION 204
An engineer notices traffic interruption on the network. Upon further investigation, it is learned that broadcast
packets have been flooding the network. What must be configured, based on a predefined threshold, to
address this issue?
A. Bridge Protocol Data Unit guard
B. embedded event monitoring
C. storm control
D. access control lists
Correct Answer: C
Section: (none)
Explanation
Explanation
Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one
of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and
degrading network performance. Errors in the protocol-stack implementation, mistakes in network
configurations, or users issuing a denial-of-service attack can cause a storm.
By using the “storm-control broadcast level [falling-threshold]” we can limit the broadcast traffic on the switch.
QUESTION 205
Which two cryptographic algorithms are used with IPsec? (Choose two)
A. AES-BAC
B. AES-ABC
C. HMAC-SHA1/SHA2
D. Triple AMC-CBC
E. AES-CBC
Correct Answer: CE
Section: (none)
Explanation
Explanation
Cryptographic algorithms defined for use with IPsec include:
+ HMAC-SHA1/SHA2 for integrity protection and authenticity.
+ TripleDES-CBC for confidentiality
+ AES-CBC and AES-CTR for confidentiality.
+ AES-GCM and ChaCha20-Poly1305 providing confidentiality and authentication together efficiently.
QUESTION 206
In which type of attack does the attacker insert their machine between two hosts that are communicating with
each other?
A. LDAP injection
B. man-in-the-middle
C. cross-site scripting
D. insecure API
Correct Answer: B
Section: (none)
Explanation
========================= New Questions (added on 2nd-Jan-2021)
==============================
QUESTION 207
Which Dos attack uses fragmented packets to crash a target machine?
A. smurf
B. MITM
C. teardrop
D. LAND
Correct Answer: C
Section: (none)
Explanation
Explanation
A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a target
machine. Since the machine receiving such packets cannot reassemble them due to a bug in TCP/IP
fragmentation reassembly, the packets overlap one another, crashing the target network device. This generally
happens on older operating systems such as Windows 3.1x, Windows 95, Windows NT and versions of the
Linux kernel prior to 2.1.63.
QUESTION 208
Why is it important to have logical security controls on endpoints even though the users are trained to spot
security threats and the network devices already help prevent them?
A. to prevent theft of the endpoints

B. because defense-in-depth stops at the network
C. to expose the endpoint to more threats
D. because human error or insider threats will still exist
Correct Answer: D
Section: (none)
Explanation
QUESTION 209
Which type of API is being used when a security application notifies a controller within a software-defined
network architecture about a specific security threat? (Choose two)
A. westbound AP
B. southbound API
C. northbound API
D. eastbound API
Correct Answer: BC
Section: (none)
Explanation
QUESTION 210
When planning a VPN deployment, for which reason does an engineer opt for an active/active FlexVPN
configuration as opposed to DMVPN?
A. Multiple routers or VRFs are required.

B. Traffic is distributed statically by default.
C. Floating static routes are required.
D. HSRP is used for fallover.
Correct Answer: B
Section: (none)
Explanation
QUESTION 211
Which algorithm provides asymmetric encryption?
A. RC4
B. AES
C. RSA
D. 3DES
Correct Answer: C
Section: (none)
Explanation
QUESTION 212
What are two functions of secret key cryptography? (Choose two)
A. key selection without integer factorization

B. utilization of different keys for encryption and decryption
C. utilization of large prime number iterations
D. provides the capability to only know the key on one side
E. utilization of less memory
Correct Answer: BD
Section: (none)
Explanation
QUESTION 213
For Cisco IOS PKI, which two types of Servers are used as a distribution point for CRLs? (Choose two)
A. SDP
B. LDAP
C. subordinate CA
D. SCP
E. HTTP
Correct Answer: BE
Section: (none)
Explanation
Explanation
Cisco IOS public key infrastructure (PKI) provides certificate management to support security protocols such as
IP Security (IPSec), secure shell (SSH), and secure socket layer (SSL). This module identifies and describes
concepts that are needed to understand, plan for, and implement a PKI.
A PKI is composed of the following entities:
…
– A distribution mechanism (such as Lightweight Directory Access Protocol [LDAP] or HTTP) for certificate
revocation lists (CRLs)
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-
book/sec-pki-overview.html
QUESTION 214
Which attack type attempts to shut down a machine or network so that users are not able to access it?
A. smurf
B. bluesnarfing
C. MAC spoofing
D. IP spoofing
Correct Answer: A
Section: (none)
Explanation
Explanation
Denial-of-service (DDoS) aims at shutting down a network or service, causing it to be inaccessible to its
intended users.
The Smurf attack is a DDoS attack in which large numbers of Internet Control Message Protocol (ICMP)
packets with the intended victim’s spoofed source IP are broadcast to a computer network using an IP
broadcast address.
QUESTION 215
What is a difference between DMVPN and sVTI?
A. DMVPN supports tunnel encryption, whereas sVTI does not.

B. DMVPN supports dynamic tunnel establishment, whereas sVTI does not.
C. DMVPN supports static tunnel establishment, whereas sVTI does not.
D. DMVPN provides interoperability with other vendors, whereas sVTI does not.
Correct Answer: B
Section: (none)
Explanation
QUESTION 216
What features does Cisco FTDv provide over ASAv?
A. Cisco FTDv runs on VMWare while ASAv does not

B. Cisco FTDv provides 1GB of firewall throughput while Cisco ASAv does not
C. Cisco FTDv runs on AWS while ASAv does not
D. Cisco FTDv supports URL filtering while ASAv does not
Correct Answer: D
Section: (none)
Explanation
QUESTION 217
In which situation should an Endpoint Detection and Response solution be chosen versus an Endpoint
Protection Platform?
A. when there is a need for traditional anti-malware detection

B. when there is no need to have the solution centrally managed
C. when there is no firewall on the network
D. when there is a need to have more advanced detection capabilities
Correct Answer: D
Section: (none)
Explanation
Explanation
Endpoint protection platforms (EPP) prevent endpoint security threats like known and unknown malware.
Endpoint detection and response (EDR) solutions can detect and respond to threats that your EPP and other
security tools did not catch.
EDR and EPP have similar goals but are designed to fulfill different purposes. EPP is designed to provide
device-level protection by identifying malicious files, detecting potentially malicious activity, and providing tools
for incident investigation and response.
The preventative nature of EPP complements proactive EDR. EPP acts as the first line of defense, filtering out
attacks that can be detected by the organization’s deployed security solutions. EDR acts as a second layer of
protection, enabling security analysts to perform threat hunting and identify more subtle threats to the endpoint.
Effective endpoint defense requires a solution that integrates the capabilities of both EDR and EPP to provide
protection against cyber threats without overwhelming an organization’s security team.
QUESTION 218
Which type of API is being used when a controller within a software-defined network architecture dynamically
makes configuration changes on switches within the network?
A. westbound AP
B. southbound API
C. northbound API
D. eastbound API
Correct Answer: B
Section: (none)
Explanation
Explanation
Southbound APIs enable SDN controllers to dynamically make changes based on real-time demands and
scalability needs.
QUESTION 219
An organization has two systems in their DMZ that have an unencrypted link between them for communication.
The organization does not have a defined password policy and uses several default accounts on the systems.
The application used on those systems also have not gone through stringent code reviews. Which vulnerability
would help an attacker brute force their way into the systems?
A. weak passwords
B. lack of input validation
C. missing encryption
D. lack of file permission
Correct Answer: A
Section: (none)
Explanation
QUESTION 220
What is the purpose of a Netflow version 9 template record?
A. It specifies the data format of NetFlow processes.

B. It provides a standardized set of information about an IP flow.
C. It defines the format of data records.
D. It serves as a unique identification number to distinguish individual data records
Correct Answer: C
Section: (none)
Explanation
Explanation
The version 9 export format uses templates to provide access to observations of IP packet flows in a flexible
and extensible manner. A template defines a collection of fields, with corresponding descriptions of
structure and semantics.
Reference: https://tools.ietf.org/html/rfc3954
QUESTION 221
What is provided by the Secure Hash Algorithm in a VPN?
A. integrity
B. key exchange
C. encryption
D. authentication
Correct Answer: A
Section: (none)
Explanation
Explanation
The HMAC-SHA-1-96 (also known as HMAC-SHA-1) encryption technique is used by IPSec to ensure that a
message has not been altered. (-> Therefore answer “integrity” is the best choice). HMAC-SHA-1 uses the
SHA-1 specified in FIPS-190-1, combined with HMAC (as per RFC 2104), and is described in RFC 2404.
Reference: https://www.ciscopress.com/articles/article.asp?p=24833&seqNum=4
QUESTION 222
A network engineer is deciding whether to use stateful or stateless failover when configuring two ASAs for high
availability. What is the connection status in both cases?
A. need to be reestablished with stateful failover and preserved with stateless failover
B. preserved with stateful failover and need to be reestablished with stateless failover
C. preserved with both stateful and stateless failover
D. need to be reestablished with both stateful and stateless failover
Correct Answer: B
Section: (none)
Explanation
QUESTION 223
Which type of protection encrypts RSA keys when they are exported and imported?
A. file
B. passphrase
C. NGE
D. nonexportable
Correct Answer: B
Section: (none)
Explanation
Exam B
QUESTION 1
Drag and drop the capabilities of Cisco Firepower versus Cisco AMP from the left into the appropriate category
on the right.
Select and Place:
Correct Answer:
Section: (none)
Explanation
The Firepower System uses network discovery and identity policies to collect host, application, and user data
for traffic on your network. You can use certain types of discovery and identity data to build a comprehensive
map of your network assets, perform forensic analysis, behavioral profiling, access control, and mitigate and
respond to the vulnerabilities and exploits to which your organization is susceptible.
The Cisco Advanced Malware Protection (AMP) solution enables you to detect and block malware, continuously
analyze for malware, and get retrospective alerts. AMP for Networks delivers network-based advanced
malware protection that goes beyond point-in-time detection to protect your organization across the entire
attack continuum – before, during, and after an attack. Designed for Cisco Firepower® network threat
appliances, AMP for Networks detects, blocks, tracks, and contains malware threats across multiple threat
vectors within a single system. It also provides the visibility and control necessary to protect your organization
against highly sophisticated, targeted, zero-day, and persistent advanced malware threats.
QUESTION 2
Drag and drop the suspicious patterns for the Cisco Tetration platform from the left onto the correct definitions
on the right.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Cisco Tetration platform studies the behavior of the various processes and applications in the workload,
measuring them against known bad behavior sequences. It also factors in the process hashes it collects. By
studying various sets of malwares, the Tetration Analytics engineering team deconstructed it back into its basic
building blocks. Therefore, the platform understands clear and crisp definitions of these building blocks and
watches for them.
The various suspicious patterns for which the Cisco Tetration platform looks in the current release are:
+ Shell code execution: Looks for the patterns used by shell code.
+ Privilege escalation: Watches for privilege changes from a lower privilege to a higher privilege in the process
lineage tree.
+ Side channel attacks: Cisco Tetration platform watches for cache-timing attacks and page table fault bursts.
Using these, it can detect Meltdown, Spectre, and other cache-timing attacks.
+ Raw socket creation: Creation of a raw socket by a nonstandard process (for example, ping).
+ User login suspicious behavior: Cisco Tetration platform watches user login failures and user login methods.
+ Interesting file access: Cisco Tetration platform can be armed to look at sensitive files.
+ File access from a different user: Cisco Tetration platform learns the normal behavior of which file is
accessed by which user.
+ Unseen command: Cisco Tetration platform learns the behavior and set of commands as well as the lineage
of each command over time. Any new command or command with a different lineage triggers the interest of the
Tetration Analytics platform.
Reference: https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/white-
paper-c11-740380.html
QUESTION 3
Drag and drop the descriptions from the left onto the encryption algorithms on the right.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Symmetric encryption uses a single key that needs to be shared among the people who need to receive the
message while asymmetric encryption uses a pair of public key and a private key to encrypt and decrypt
messages when communicating.
Asymmetric encryption takes relatively more time than the symmetric encryption.
Diffie Hellman algorithm is an asymmetric algorithm used to establish a shared secret for a symmetric key
algorithm. Nowadays most of the people uses hybrid crypto system i.e, combination of symmetric and
asymmetric encryption. Asymmetric Encryption is used as a technique in key exchange mechanism to share
secret key and after the key is shared between sender and receiver, the communication will take place using
symmetric encryption. The shared secret key will be used to encrypt the communication.
Triple DES (3DES), a symmetric-key algorithm for the encryption of electronic data, is the successor of DES
(Data Encryption Standard) and provides more secure encryption then DES.
Note: Although “requires secret keys” option in this question is a bit unclear but it can only be assigned to
Symmetric algorithm.
QUESTION 4
Drag and drop the threats from the left onto examples of that threat on the right.
Select and Place:

Correct Answer:
Section: (none)
Explanation
A data breach is the intentional or unintentional release of secure or private/confidential information to an
untrusted environment.
When your credentials have been compromised, it means someone other than you may be in possession of
your account information, such as your username and/or password.
QUESTION 5
Drag and drop the VPN functions from the left onto the description on the right.
Select and Place:

Correct Answer:
Section: (none)
Explanation
The purpose of message integrity algorithms, such as Secure Hash Algorithm (SHA-1), ensures data has not
been changed in transit. They use one way hash functions to determine if data has been changed.
SHA-1, which is also known as HMAC-SHA-1 is a strong cryptographic hashing algorithm, stronger than
another popular algorithm known as Message Digest 5 (MD5). SHA-1 is used to provide data integrity (to
guarantee data has not been altered in transit) and authentication (to guarantee data came from the source it
was supposed to come from). SHA was produced to be used with the digital signature standard.
A VPN uses groundbreaking 256-bit AES encryption technology to secure your online connection against
cyberattacks that can compromise your security. It also offers robust protocols to combat malicious attacks and
reinforce your online identity.
IKE SAs describe the security parameters between two IKE devices, the first stage in establishing IPSec.
QUESTION 6
Drag and drop the Firepower Next Generation Intrusion Prevention System detectors from the left onto the
correct definitions on the right.
Select and Place:

Correct Answer:
Section: (none)
Explanation
QUESTION 7
Drag and drop the capabilities from the left onto the correct technologies on the right.
Select and Place:

Correct Answer:
Section: (none)
Explanation
QUESTION 8
Drag and drop the descriptions from the left onto the correct protocol versions on the right.
Select and Place:

Correct Answer:
Section: (none)
Explanation
QUESTION 9
Drag and drop the steps from the left into the correct order on the right to enable AppDynamics to monitor an
EC2 instance in Amazon Web Services.
Select and Place:

Correct Answer:
Section: (none)
Explanation
QUESTION 10
Drag and drop the NetFlow export formats from the left onto the descriptions on the right.
Select and Place:
Correct Answer:
Section: (none)
Explanation
The Version 1 format was the initially released version. Do not use the Version 1 format unless you are using a
legacy collection system that requires it. Use Version 9 or Version 5 export format.
Version 5 export format is suitable only for the main cache; it cannot be expanded to support new features.
Version 8 export format is available only for aggregation caches; it cannot be expanded to support new
features.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/cfg-
nflow-data-expt.html
QUESTION 11
Drag and drop the solutions from the left onto the solution’s benefits on the right.
Select and Place:
Correct Answer:
Section: (none)
Explanation
QUESTION 12
Drag and drop the common security threats from left onto the definitions on the right.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Exam C
QUESTION 1
A Cisco ESA network administrator has been tasked to use a newly installed service to help create policy based
on the reputation verdict. During testing, it is discovered that the Cisco ESA is not dropping files that have an
undetermined verdict. What is causing this issue?
A. The policy was created to send a message to quarantine instead of drop

B. The file has a reputation score that is above the threshold
C. The file has a reputation score that is below the threshold
D. The policy was created to disable file analysis
Correct Answer: D
Section: (none)
Explanation
Explanation
Maybe the “newly installed service” in this Qmentions about Advanced Malware Protection (AMP) which can be
used along with ESA. AMP allows superior protection across the attack continuum.
+ File Reputation – captures a fingerprint of each file as it traverses the ESA and sends it to AMP’s cloud-
based intelligence network for a reputation verdict. Given these results, you can automatically block malicious
files and apply administrator-defined policy.
+ File Analysis – provides the ability to analyze unknown files that are traversing the ESA. A highly secure
sandbox environment enables AMP to glean precise details about the file’s behavior and to combine that data
with detailed human and machine analysis to determine the file’s threat level. This disposition is then fed into
AMP cloud-based intelligence network and used to dynamically update and expand the AMP cloud data set for
enhanced protection
QUESTION 2
An administrator is trying to determine which applications are being used in the network but does not want the
network devices to send metadata to Cisco Firepower. Which feature should be used to accomplish this?
A. NetFlow
B. Packet Tracer
C. Network Discovery
D. Access Control
Correct Answer: C
Section: (none)
Explanation
Explanation
NetFlow is a network protocol developed by Cisco for the collection and monitoring of network traffic flow data
generated by NetFlow-enabled routers and switches. The flows do not contain actual packet data, but rather the
metadata for communications. It is a standard form of session data that details who, what, when, and where of
network traffic -> Answer A is not correct.
Reference: https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/
white-paper-c11-736595.html
QUESTION 3
Which attack is preventable by Cisco ESA but not by the Cisco WSA?
A. buffer overflow
B. DoS
C. SQL injection
D. phishing
Correct Answer: D
Section: (none)
Explanation
Explanation
The following are the benefits of deploying Cisco Advanced Phishing Protection on the Cisco Email Security
Gateway:
Prevents the following:
+ Attacks that use compromised accounts and social engineering.
+ Phishing, ransomware, zero-day attacks and spoofing.
+ BEC with no malicious payload or URL.
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5/user_guide/b_ESA_Admin_Guide_13-
5/m_advanced_phishing_protection.html
QUESTION 4
A Cisco ESA administrator has been tasked with configuring the Cisco ESA to ensure there are no viruses
before quarantined emails are delivered. In addition, delivery of mail from known bad mail servers must be
prevented. Which two actions must be taken in order to meet these requirements? (Choose two)
A. Use outbreak filters from SenderBase

B. Enable a message tracking service
C. Configure a recipient access table
D. Deploy the Cisco ESA in the DMZ
E. Scan quarantined emails using AntiVirus signatures.
Correct Answer: AE
Section: (none)
Explanation
Explanation
We should scan emails using AntiVirus signatures to make sure there are no viruses attached in emails.
Note: A virus signature is the fingerprint of a virus. It is a set of unique data, or bits of code, that allow it to be
identified. Antivirus software uses a virus signature to find a virus in a computer file system, allowing to detect,
quarantine, and remove the virus.
SenderBase is an email reputation service designed to help email administrators research senders, identify
legitimate sources of email, and block spammers. When the Cisco ESA receives messages from known or
highly reputable senders, it delivers them directly to the end user without any content scanning. However, when
the Cisco ESA receives email messages from unknown or less reputable senders, it performs antispam and
antivirus scanning.
b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_0100100.html
-> Therefore Outbreak filters can be used to block emails from bad mail servers.
Web servers and email gateways are generally located in the DMZ so
Note: The recipient access table (RAT), not to be confused with remote-access Trojan (also RAT), is a Cisco
ESA term that defines which recipients are accepted by a public listener.
QUESTION 5
Which type of dashboard does Cisco DNA Center provide for complete control of the network?
A. service management
B. centralized management
C. application management
D. distributed management
Correct Answer: B
Section: (none)
Explanation
Explanation
Cisco’s DNA Center is the only centralized network management system to bring all of this functionality into a
single pane of glass.
dna-center-faq-cte-en.html
QUESTION 6
In an IaaS cloud services model, which security function is the provider responsible for managing?
A. Internet proxy
B. firewalling virtual machines
C. CASB
D. hypervisor OS hardening
Correct Answer: B
Section: (none)
Explanation
Explanation
In this IaaS model, cloud providers offer resources to users/machines that include computers as virtual
machines, raw (block) storage, firewalls, load balancers, and network devices.
Note: Cloud access security broker (CASB) provides visibility and compliance checks, protects data against
misuse and exfiltration, and provides threat protections against malware such as ransomware.
QUESTION 7
A network engineer has been tasked with adding a new medical device to the network. Cisco ISE is being used
as the NAC server, and the new device does not have a supplicant available. What must be done in order to
securely connect this device to the network?
A. Use MAB with profiling

B. Use MAB with posture assessment.
C. Use 802.1X with posture assessment.
D. Use 802.1X with profiling.
Correct Answer: A
Section: (none)
Explanation
Explanation
As the new device does not have a supplicant, we cannot use 802.1X.
MAC Authentication Bypass (MAB) is a fallback option for devices that don’t support 802.1x. It is virtually
always used in deployments in some way shape or form. MAB works by having the authenticator take the
connecting device’s MAC address and send it to the authentication server as its username and password. The
authentication server will check its policies and send back an Access-Accept or Access-Reject just like it would
with 802.1x.
Cisco ISE Profiling Services provides dynamic detection and classification of endpoints connected to the
network. Using MAC addresses as the unique identifier, ISE collects various attributes for each network
endpoint to build an internal endpoint database. The classification process matches the collected attributes to
prebuilt or user-defined conditions, which are then correlated to an extensive library of profiles. These profiles
include a wide range of device types, including mobile clients (iPads, Android tablets, Chromebooks, and so
on), desktop operating systems (for example, Windows, Mac OS X, Linux, and others), and numerous non-user
systems such as printers, phones, cameras, and game consoles.
Once classified, endpoints can be authorized to the network and granted access based on their profile. For
example, endpoints that match the IP phone profile can be placed into a voice VLAN using MAC Authentication
Bypass (MAB) as the authentication method. Another example is to provide differentiated network access to
users based on the device used. For example, employees can get full access when accessing the network from
their corporate workstation but be granted limited network access when accessing the network from their
personal iPhone.
Reference: https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
QUESTION 8
An engineer is implementing NTP authentication within their network and has configured both the client and
server devices with the command ntp authentication-key 1 md5 Cisc392368270. The server at 1.1.1.1 is
attempting to authenticate to the client at 1.1.1.2, however it is unable to do so. Which command is required to
enable the client to accept the server’s authentication key?
A. ntp peer 1.1.1.1 key 1

B. ntp server 1.1.1.1 key 1
C. ntp server 1.1.1.2 key 1
D. ntp peer 1.1.1.2 key 1
Correct Answer: B
Section: (none)
Explanation
Explanation
To configure an NTP enabled router to require authentication when other devices connect to it, use the
following commands:
NTP_Server(config)#ntp authentication-key 2 md5 securitytut
NTP_Server(config)#ntp authenticate
NTP_Server(config)#ntp trusted-key 2
Then you must configure the same authentication-key on the client router:
NTP_Client(config)#ntp authentication-key 2 md5 securitytut
NTP_Client(config)#ntp authenticate
NTP_Client(config)#ntp trusted-key 2
NTP_Client(config)#ntp server 10.10.10.1 key 2
Note: To configure a Cisco device as a NTP client, use the command ntp server <IP address>. For example:
Router(config)#ntp server 10.10.10.1. This command will instruct the router to query 10.10.10.1 for the time.
QUESTION 9
What is the role of an endpoint in protecting a user from a phishing attack?
A. Use Cisco Stealthwatch and Cisco ISE Integration.

B. Utilize 802.1X network security to ensure unauthorized access to resources.
C. Use machine learning models to help identify anomalies and determine expected sending behavior.
D. Ensure that antivirus and anti malware software is up to date.
Correct Answer: C
Section: (none)
Explanation
QUESTION 10
An organization has noticed an increase in malicious content downloads and wants to use Cisco Umbrella to
prevent this activity for suspicious domains while allowing normal web traffic. Which action will accomplish this
task?
A. Set content settings to High

B. Configure the intelligent proxy.
C. Use destination block lists.
D. Configure application block lists.
Correct Answer: B
Section: (none)
Explanation
Explanation
Obviously, if you allow all traffic to these risky domains, users might access malicious content, resulting in an
infection or data leak. But if you block traffic, you can expect false positives, an increase in support inquiries,
and thus, more headaches. By only proxying risky domains, the intelligent proxy delivers more granular visibility
and control.
The intelligent proxy bridges the gap by allowing access to most known good sites without being proxied and
only proxying those that pose a potential risk. The proxy then filters and blocks against specific URLs hosting
malware while allowing access to everything else.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/what-is-the-intelligent-proxy
QUESTION 11
With which components does a southbound API within a software-defined network architecture communicate?
A. controllers within the network

B. applications
C. appliances
D. devices such as routers and switches
Correct Answer: D
Section: (none)
Explanation
Explanation
The Southbound API is used to communicate between Controllers and network devices.
QUESTION 12
A network administrator needs to find out what assets currently exist on the network. Third-party systems need
to be able to feed host data into Cisco Firepower. What must be configured to accomplish this?
A. a Network Discovery policy to receive data from the host

B. a Threat Intelligence policy to download the data from the host
C. a File Analysis policy to send file data into Cisco Firepower
D. a Network Analysis policy to receive NetFlow data from the host
Correct Answer: A
Section: (none)
Explanation
Explanation
You can configure discovery rules to tailor the discovery of host and application data to your needs.
The Firepower System can use data from NetFlow exporters to generate connection and discovery events, and
to add host and application data to the network map.
A network analysis policy governs how traffic is decoded and preprocessed so it can be further evaluated,
especially for anomalous traffic that might signal an intrusion attempt -> Answer D is not correct.
QUESTION 13
When configuring ISAKMP for IKEv1 Phase1 on a Cisco IOS router, an administrator needs to input the
command crypto isakmp key cisco address 0.0.0.0. The administrator is not sure what the IP addressing in
this command issued for. What would be the effect of changing the IP address from 0.0.0.0 to 1.2.3.4?
A. The key server that is managing the keys for the connection will be at 1.2.3.4
B. The remote connection will only be allowed from 1.2.3.4
C. The address that will be used as the crypto validation authority
D. All IP addresses other than 1.2.3.4 will be allowed
Correct Answer: B
Section: (none)
Explanation
Explanation
The command crypto isakmp key cisco address 1.2.3.4 authenticates the IP address of the 1.2.3.4 peer by
using the key cisco. The address of “0.0.0.0” will authenticate any address with this key.
QUESTION 14
Which suspicious pattern enables the Cisco Tetration platform to learn the normal behavior of users?
A. file access from a different user

B. interesting file access
C. user login suspicious behavior
D. privilege escalation
Correct Answer: C
Section: (none)
Explanation
Explanation
The various suspicious patterns for which the Cisco Tetration platform looks in the current release are:
+ Shell code execution: Looks for the patterns used by shell code.
+ Privilege escalation: Watches for privilege changes from a lower privilege to a higher privilege in the process
lineage tree.
+ Side channel attacks: Cisco Tetration platform watches for cache-timing attacks and page table fault bursts.
Using these, it can detect Meltdown, Spectre, and other cache-timing attacks.
+ Raw socket creation: Creation of a raw socket by a nonstandard process (for example, ping).
+ User login suspicious behavior: Cisco Tetration platform watches user login failures and user login
methods.
+ Interesting file access: Cisco Tetration platform can be armed to look at sensitive files.
+ File access from a different user: Cisco Tetration platform learns the normal behavior of which file is
accessed by which user.
+ Unseen command: Cisco Tetration platform learns the behavior and set of commands as well as the lineage
of each command over time. Any new command or command with a different lineage triggers the interest of the
Tetration Analytics platform.
Reference: https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/white-
paper-c11-740380.html
QUESTION 15
Due to a traffic storm on the network, two interfaces were error-disabled, and both interfaces sent SNMP traps.
Which two actions must be taken to ensure that interfaces are put back into service? (Choose two)
A. Have Cisco Prime Infrastructure issue an SNMP set command to re-enable the ports after the pre
configured interval.
B. Use EEM to have the ports return to service automatically in less than 300 seconds.
C. Enter the shutdown and no shutdown commands on the interfaces.
D. Enable the snmp-server enable traps command and wait 300 seconds
E. Ensure that interfaces are configured with the error-disable detection and recovery feature
Correct Answer: CE
Section: (none)
Explanation
Explanation
You can also bring up the port by using these commands:
+ The “shutdown” interface configuration command followed by the “no shutdown” interface configuration
command restarts the disabled port.
+ The “errdisable recovery cause …” global configuration command enables the timer to automatically recover
error-disabled state, and the “errdisable recovery interval interval” global configuration command specifies the
time to recover error-disabled state.
QUESTION 16
What is the difference between Cross-site Scripting and SQL Injection, attacks?
A. Cross-site Scripting is an attack where code is injected into a database, whereas SQL Injection is an attack
where code is injected into a browser.
B. Cross-site Scripting is a brute force attack targeting remote sites, whereas SQL Injection is a social
engineering attack.
C. Cross-site Scripting is when executives in a corporation are attacked, whereas SQL Injection is when a
database is manipulated.
D. Cross-site Scripting is an attack where code is executed from the server side, whereas SQL Injection is an
attack where code is executed from the client side.
Correct Answer: A
Section: (none)
Explanation
Explanation
Answer B is not correct because Cross-site Scripting (XSS) is not a brute force attack.
Answer C is not correct because the statement “Cross-site Scripting is when executives in a corporation are
attacked” is not true. XSS is a client-side vulnerability that targets other application users.
Answer D is not correct because the statement “Cross-site Scripting is an attack where code is executed from
the server side”. In fact, XSS is a method that exploits website vulnerability by injecting scripts that will run at
client’s side.
Therefore only answer A is left. In XSS, an attacker will try to inject his malicious code (usually malicious links)
into a database. When other users follow his links, their web browsers are redirected to websites where
attackers can steal data from them. In a SQL Injection, an attacker will try to inject SQL code (via his browser)
into forms, cookies, or HTTP headers that do not use data sanitizing or validation methods of GET/POST
parameters.
Note: The main difference between a SQL and XSS injection attack is that SQL injection attacks are used to
steal information from databases whereas XSS attacks are used to redirect users to websites where attackers
can steal data from them.
QUESTION 17
A network administrator is configuring a switch to use Cisco ISE for 802.1X. An endpoint is failing
authentication and is unable to access the network. Where should the administrator begin troubleshooting to
verify the authentication details?
A. Adaptive Network Control Policy List

B. Context Visibility
C. Accounting Reports
D. RADIUS Live Logs
Correct Answer: D
Section: (none)
Explanation
Explanation
How To Troubleshoot ISE Failed Authentications & Authorizations
Check the ISE Live Logs
Login to the primary ISE Policy Administration Node (PAN).
Go to Operations > RADIUS > Live Logs
(Optional) If the event is not present in the RADIUS Live Logs, go to Operations > Reports > Reports >
Endpoints and Users > RADIUS Authentications
Check for Any Failed Authentication Attempts in the Log
Reference: https://community.cisco.com/t5/security-documents/how-to-troubleshoot-ise-failed-authentications-
amp/ta-p/3630960
QUESTION 18
What is a prerequisite when integrating a Cisco ISE server and an AD domain?
A. Place the Cisco ISE server and the AD server in the same subnet
B. Configure a common administrator account
C. Configure a common DNS server
D. Synchronize the clocks of the Cisco ISE server and the AD server
Correct Answer: D
Section: (none)
Explanation
Explanation
The following are the prerequisites to integrate Active Directory with Cisco ISE.
+ Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco ISE server
and Active Directory. You can configure NTP settings from Cisco ISE CLI.
+ If your Active Directory structure has multidomain forest or is divided into multiple forests, ensure that trust
relationships exist between the domain to which Cisco ISE is connected and the other domains that have user
and machine information to which you need access. For more information on establishing trust relationships,
refer to Microsoft Active Directory documentation.
+ You must have at least one global catalog server operational and accessible by Cisco ISE, in the domain to
which you are joining Cisco ISE.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/
b_ISE_AD_integration_2x.html#reference_8DC463597A644A5C9CF5D582B77BB24F
QUESTION 19
An organization recently installed a Cisco WSA and would like to take advantage of the AVC engine to allow the
organization to create a policy to control application specific activity. After enabling the AVC engine, what must
be done to implement this?
A. Use security services to configure the traffic monitor, .
B. Use URL categorization to prevent the application traffic.
C. Use an access policy group to configure application control settings.
D. Use web security reporting to validate engine functionality
Correct Answer: C
Section: (none)
Explanation
Explanation
The Application Visibility and Control (AVC) engine lets you create policies to control application activity on the
network without having to fully understand the underlying technology of each application. You can configure
application control settings in Access Policy groups. You can block or allow applications individually or
according to application type. You can also apply controls to particular application types.
QUESTION 20
Which method is used to deploy certificates and configure the supplicant on mobile devices to gain access to
network resources?
A. BYOD on boarding
B. Simple Certificate Enrollment Protocol
C. Client provisioning
D. MAC authentication bypass
Correct Answer: A
Section: (none)
Explanation
Explanation
When supporting personal devices on a corporate network, you must protect network services and enterprise
data by authenticating and authorizing users (employees, contractors, and guests) and their devices. Cisco ISE
provides the tools you need to allow employees to securely use personal devices on a corporate network.
Guests can add their personal devices to the network by running the native supplicant provisioning (Network
Setup Assistant), or by adding their devices to the My Devices portal.
Because native supplicant profiles are not available for all devices, users can use the My Devices portal to add
these devices manually; or you can configure Bring Your Own Device (BYOD) rules to register these devices.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/
m_ise_devices_byod.html
QUESTION 21
import requests
url = https://api.amp.cisco.com/v1/computers
headers = {
'accept' : application/json
'content-type' : application/json
'authorization' : Basic API Credentials
'cache-control' : "no cache"
}
response = requests.request ("GET", url, headers = headers)
print (response.txt)
What will happen when this Python script is run?
A. The compromised computers and malware trajectories will be received from Cisco AMP
B. The list of computers and their current vulnerabilities will be received from Cisco AMP
C. The compromised computers and what compromised them will be received from Cisco AMP
D. The list of computers, policies, and connector statuses will be received from Cisco AMP
Correct Answer: D
Section: (none)
Explanation
Explanation
The call to API of “https://api.amp.cisco.com/v1/computers” allows us to fetch list of computers across your
organization that Advanced Malware Protection (AMP) sees
Reference: https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%
2Fcomputers&api_host=api.apjc.amp.cisco.com&api_resource=Computer&api_version=v1
It also lists policies and connector statuses as well. The figure below shows partial output of this script:
QUESTION 22
An organization is trying to implement micro-segmentation on the network and wants to be able to gain visibility
on the applications within the network. The solution must be able to maintain and force compliance. Which
product should be used to meet these requirements?
A. Cisco Umbrella
B. Cisco AMP
C. Cisco Stealthwatch
D. Cisco Tetration
Correct Answer: D
Section: (none)
Explanation
Explanation
Micro-segmentation secures applications by expressly allowing particular application traffic and, by default,
denying all other traffic. Micro-segmentation is the foundation for implementing a zero-trust security model for
application workloads in the data center and cloud.
Cisco Tetration is an application workload security platform designed to secure your compute instances across
any infrastructure and any cloud. To achieve this, it uses behavior and attribute-driven microsegmentation
policy generation and enforcement. It enables trusted access through automated, exhaustive context from
various systems to automatically adapt security policies.
To generate accurate microsegmentation policy, Cisco Tetration performs application dependency mapping to
discover the relationships between different application tiers and infrastructure services. In addition, the
platform supports “what-if” policy analysis using real-time data or historical data to assist in the validation and
risk assessment of policy application pre-enforcement to ensure ongoing application availability. The
normalized microsegmentation policy can be enforced through the application workload itself for a consistent
approach to workload microsegmentation across any environment, including virtualized, bare-metal, and
container workloads running in any public cloud or any data center. Once the microsegmentation policy is
enforced, Cisco Tetration continues to monitor for compliance deviations, ensuring the segmentation policy is
up to date as the application behavior change.
Reference: https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/solution-
overview-c22-739268.pdf
QUESTION 23
Which factor must be considered when choosing the on-premise solution over the cloud-based one?
A. With an on-premise solution, the provider is responsible for the installation and maintenance of the product,
whereas with a cloud-based solution, the customer is responsible for it
B. With a cloud-based solution, the provider is responsible for the installation, but the customer is responsible
for the maintenance of the product.
C. With an on-premise solution, the provider is responsible for the installation, but the customer is responsible
for the maintenance of the product.
D. With an on-premise solution, the customer is responsible for the installation and maintenance of the
product, whereas with a cloud-based solution, the provider is responsible for it.
Correct Answer: D
Section: (none)
Explanation
QUESTION 24
Which term describes when the Cisco Firepower downloads threat intelligence updates from Cisco Talos?
A. consumption
B. sharing
C. analysis
D. authoring
Correct Answer: A
Section: (none)
Explanation
Explanation
… we will showcase Cisco Threat Intelligence Director (CTID) an exciting feature on Cisco’s Firepower
Management Center (FMC) product offering that automates the operationalization of threat intelligence. TID
has the ability to consume threat intelligence via STIX over TAXII and allows uploads/downloads of STIX and
simple blacklists.
Reference: https://blogs.cisco.com/developer/automate-threat-intelligence-using-cisco-threat-intelligence-
director
QUESTION 25
An organization has a Cisco Stealthwatch Cloud deployment in their environment. Cloud logging is working as
expected, but logs are not being received from the on-premise network, what action will resolve this issue?
A. Configure security appliances to send syslogs to Cisco Stealthwatch Cloud

B. Configure security appliances to send NetFlow to Cisco Stealthwatch Cloud
C. Deploy a Cisco FTD sensor to send events to Cisco Stealthwatch Cloud
D. Deploy a Cisco Stealthwatch Cloud sensor on the network to send data to Cisco Stealthwatch Cloud
Correct Answer: D
Section: (none)
Explanation
Explanation
You can also monitor on-premises networks in your organizations using Cisco Stealthwatch Cloud. In order to
do so, you need to deploy at least one Cisco Stealthwatch Cloud Sensor appliance (virtual or physical
appliance).
QUESTION 26
What does Cisco AMP for Endpoints use to help an organization detect different families of malware?
A. Ethos Engine to perform fuzzy fingerprinting

B. Tetra Engine to detect malware when me endpoint is connected to the cloud
C. Clam AV Engine to perform email scanning
D. Spero Engine with machine learning to perform dynamic analysis
Correct Answer: A
Section: (none)
Explanation
Explanation
ETHOS is the Cisco file grouping engine. It allows us to group families of files together so if we see variants of
a malware, we mark the ETHOS hash as malicious and whole families of malware are instantly detected.
Reference: https://docs.amp.cisco.com/AMP%20for%20Endpoints%20User%20Guide.pdf
ETHOS = Fuzzy Fingerprinting using static/passive heuristics
Reference: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/BRKSEC-2139.pdf
QUESTION 27
What are two characteristics of Cisco DNA Center APIs? (Choose two)
A. Postman is required to utilize Cisco DNA Center API calls.

B. They do not support Python scripts.
C. They are Cisco proprietary.
D. They quickly provision new devices.
E. They view the overall health of the network
Correct Answer: DE
Section: (none)
Explanation
QUESTION 28
What is a benefit of conducting device compliance checks?
A. It indicates what type of operating system is connecting to the network.

B. It validates if anti-virus software is installed.
C. It scans endpoints to determine if malicious activity is taking place.
D. It detects email phishing attacks.
Correct Answer: B
Section: (none)
Explanation
QUESTION 29
In which two ways does Easy Connect help control network access when used with Cisco TrustSec? (Choose
two)
A. It allows multiple security products to share information and work together to enhance security posture in
the network.
B. It creates a dashboard in Cisco ISE that provides full visibility of all connected endpoints.
C. It allows for the assignment of Security Group Tags and does not require 802.1x to be configured on the
switch or the endpoint.
D. It integrates with third-party products to provide better visibility throughout the network.
E. It allows for managed endpoints that authenticate to AD to be mapped to Security Groups (PassiveID).
Correct Answer: CE
Section: (none)
Explanation
Explanation
Easy Connect simplifies network access control and segmentation by allowing the assignment of Security
Group Tags to endpoints without requiring 802.1X on those endpoints, whether using wired or wireless
connectivity.
Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-with-
easy-connect-configuration-guide.pdf
QUESTION 30
What is the benefit of installing Cisco AMP for Endpoints on a network?
A. It provides operating system patches on the endpoints for security.

B. It provides flow-based visibility for the endpoints network connections.
C. It enables behavioral analysis to be used for the endpoints.
D. It protects endpoint systems through application control and real-time scanning
Correct Answer: D
Section: (none)
Explanation
QUESTION 31
An administrator is configuring a DHCP server to better secure their environment. They need to be able to rate-
limit the traffic and ensure that legitimate requests are not dropped. How would this be accomplished?
A. Set a trusted interface for the DHCP server

B. Set the DHCP snooping bit to 1
C. Add entries in the DHCP snooping database
D. Enable ARP inspection for the required VLAN
Correct Answer: A
Section: (none)
Explanation
Explanation
To understand DHCP snooping we need to learn about DHCP spoofing attack first.
DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers
them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP
Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go
through the attacker computer, the attacker becomes a “man-in-the-middle”.
The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is
“closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it
can’t send the DHCP Response.
DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that
determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.
Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP
messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response
is seen on an untrusted port, the port is shut down.
QUESTION 32
import requests
client_id = '<Client id>'
api_key = '<API Key>'
url = 'https://api.amp.cisco.com/v1/computers'
response = requests.get(url, auth=(client_id, api_key))
response_json = response.json()
for computer in response_json[‘data’]
hostname = computer[‘hostname’]
print(hostname)
What will happen when the Python script is executed?
A. The hostname will be translated to an IP address and printed.

B. The hostname will be printed for the client in the client ID field.
C. The script will pull all computer hostnames and print them.
D. The script will translate the IP address to FODN and print it
Correct Answer: C
Section: (none)
Explanation
QUESTION 33
When configuring a remote access VPN solution terminating on the Cisco ASA, an administrator would like to
utilize an external token authentication mechanism in conjunction with AAA authentication using machine
certificates. Which configuration item must be modified to allow this?
A. Group Policy
B. Method
C. SAML Server
D. DHCP Servers
Correct Answer: B
Section: (none)
Explanation
Explanation
In order to use AAA along with an external token authentication mechanism, set the “Method” as “Both” in
the Authentication.
QUESTION 34
An engineer has been tasked with implementing a solution that can be leveraged for securing the cloud users,
data, and applications. There is a requirement to use the Cisco cloud native CASB and cloud cybersecurity
platform. What should be used to meet these requirements?
A. Cisco Umbrella
B. Cisco Cloud Email Security
C. Cisco NGFW
D. Cisco Cloudlock
Correct Answer: D
Section: (none)
Explanation
Explanation
Cisco Cloudlock: Secure your cloud users, data, and applications with the cloud-native Cloud Access Security
Broker (CASB) and cloud cybersecurity platform.
Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-web-security/at-a-glance-c45-
738565.pdf
QUESTION 35
An engineer needs a cloud solution that will monitor traffic, create incidents based on events, and integrate with
other cloud solutions via an API. Which solution should be used to accomplish this goal?
A. SIEM
B. CASB
C. Adaptive MFA
D. Cisco Cloudlock
Correct Answer: D
Section: (none)
Explanation
Explanation
+ Cisco Cloudlock continuously monitors cloud environments with a cloud Data Loss Prevention (DLP) engine
to identify sensitive information stored in cloud environments in violation of policy.
+ Cloudlock is API-based.
+ Incidents are a key resource in the Cisco Cloudlock application. They are triggered by the Cloudlock policy
engine when a policy detection criteria result in a match in an object (document, field, folder, post, or file).
Reference: https://docs.umbrella.com/cloudlock-documentation/docs/endpoints
Note:
+ Security information and event management (SIEM) platforms collect log and event data from security
systems, networks and computers, and turn it into actionable security insights.
+ An incident is a record of the triggering of an alerting policy. Cloud Monitoring opens an incident when a
condition of an alerting policy has been met.
QUESTION 36
Why is it important to implement MFA inside of an organization?
A. To prevent man-the-middle attacks from being successful.

B. To prevent DoS attacks from being successful.
C. To prevent brute force attacks from being successful.
D. To prevent phishing attacks from being successful.
Correct Answer: C
Section: (none)
Explanation
QUESTION 37
A network administrator is configuring SNMPv3 on a new router. The users have already been created;
however, an additional configuration is needed to facilitate access to the SNMP views. What must the
administrator do to accomplish this?
A. map SNMPv3 users to SNMP views

B. set the password to be used for SNMPv3 authentication
C. define the encryption algorithm to be used by SNMPv3
D. specify the UDP port used by SNMP
Correct Answer: B
Section: (none)
Explanation
QUESTION 38
An organization is using Cisco Firepower and Cisco Meraki MX for network security and needs to centrally
manage cloud policies across these platforms. Which software should be used to accomplish this goal?
A. Cisco Defense Orchestrator

B. Cisco Secureworks
C. Cisco DNA Center
D. Cisco Configuration Professional
Correct Answer: A
Section: (none)
Explanation
Explanation
Cisco Defense Orchestrator is a cloud-based management solution that allows you to manage security policies
and device configurations with ease across multiple Cisco and cloud-native security platforms.
Cisco Defense Orchestrator features:
….
Management of hybrid environments: Managing a mix of firewalls running the ASA, FTD, and Meraki
MX software is now easy, with the ability to share policy elements across platforms.
Reference: https://www.cisco.com/c/en/us/products/collateral/security/defense-orchestrator/datasheet-c78-
736847.html
QUESTION 39
What is a function of 3DES in reference to cryptography?
A. It hashes files.
B. It creates one-time use passwords.
C. It encrypts traffic.
D. It generates private keys.
Correct Answer: C
Section: (none)
Explanation
QUESTION 40
Which risk is created when using an Internet browser to access cloud-based service?
A. misconfiguration of infrastructure, which allows unauthorized access

B. intermittent connection to the cloud connectors
C. vulnerabilities within protocol
D. insecure implementation of API
Correct Answer: C
Section: (none)
Explanation
QUESTION 41
An organization has a Cisco ESA set up with policies and would like to customize the action assigned for
violations. The organization wants a copy of the message to be delivered with a message added to flag it as a
DLP violation. Which actions must be performed in order to provide this capability?
A. deliver and send copies to other recipients

B. quarantine and send a DLP violation notification
C. quarantine and alter the subject header with a DLP violation
D. deliver and add disclaimer text
Correct Answer: D
Section: (none)
Explanation
Explanation
You specify primary and secondary actions that the appliance will take when it detects a possible DLP violation
in an outgoing message. Different actions can be assigned for different violation types and severities.
Primary actions include:
– Deliver
– Drop
– Quarantine
Secondary actions include:

– Sending a copy to a policy quarantine if you choose to deliver the message. The copy is a perfect clone of the
original, including the Message ID. Quarantining a copy allows you to test the DLP system before deployment in
addition to providing another way to monitor DLP violations. When you release the copy from the quarantine,
the appliance delivers the copy to the recipient, who will have already received the original message.
– Encrypting messages. The appliance only encrypts the message body. It does not encrypt the message
headers.
– Altering the subject header of messages containing a DLP violation.
– Adding disclaimer text to messages.
– Sending messages to an alternate destination mailhost.
– Sending copies (bcc) of messages to other recipients. (For example, you could copy messages with critical
DLP violations to a compliance officer’s mailbox for examination.)
– Sending a DLP violation notification message to the sender or other contacts, such as a manager or DLP
compliance officer.
b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010001.html
QUESTION 42
An administrator is adding a new Cisco FTD device to their network and wants to manage it with Cisco FMC.
The Cisco FTD is not behind a NAT device. Which command is needed to enable this on the Cisco FTD?
A. configure manager add DONTRESOLVE kregistration key>
B. configure manager add <FMC IP address> <registration key> 16
C. configure manager add DONTRESOLVE <registration key> FTD123
D. configure manager add <FMC IP address> <registration key>
Correct Answer: D
Section: (none)
Explanation
Explanation
To let FMC manages FTD, first we need to add manager from the FTD and assign a register key of your
choice. The command configure manager add 1.1.1.2 the_registration_key_you_want, where 1.1.1.2 is the IP
address of the FMC, you need to use the same registration key in FMC when adding this FTD as a managed
device.
Reference: https://cyruslab.net/2019/09/03/ciscocisco-firepower-lab-setup/
QUESTION 43
A switch with Dynamic ARP Inspection enabled has received a spoofed ARP response on a trusted interface.
How does the switch behave in this situation?
A. It forwards the packet after validation by using the MAC Binding Table.
B. It drops the packet after validation by using the IP & MAC Binding Table.
C. It forwards the packet without validation.
D. It drops the packet without validation.
Correct Answer: C
Section: (none)
Explanation
Exam D
QUESTION 1
What is a functional difference between a Cisco ASA and a Cisco IOS router with Zone-based policy firewall?
A. The Cisco ASA denies all traffic by default whereas the Cisco IOS router with Zone-Based Policy Firewall
starts out by allowing all traffic, even on untrusted interfaces
B. The Cisco IOS router with Zone-Based Policy Firewall can be configured for high availability, whereas the
Cisco ASA cannot
C. The Cisco IOS router with Zone-Based Policy Firewall denies all traffic by default, whereas the Cisco ASA
starts out by allowing all traffic until rules are added
D. The Cisco ASA can be configured for high availability whereas the Cisco IOS router with Zone-Based Policy
Firewall cannot
Correct Answer: A
Section: (none)
Explanation
QUESTION 2
What is a benefit of performing device compliance?
A. Verification of the latest OS patches

B. Device classification and authorization
C. Providing multi-factor authentication
D. Providing attribute-driven policies
Correct Answer: A
Section: (none)
Explanation
QUESTION 3
Which cloud model is a collaborative effort where infrastructure is shared and jointly accessed by several
organizations from a specific group?
A. Hybrid
B. Community
C. Private
D. Public
Correct Answer: B
Section: (none)
Explanation
Community Cloud allows system and services to be accessible by group of organizations. It shares the
infrastructure between several organizations from a specific community. It may be managed internally by
organizations or by the third-party.
QUESTION 4
Which cryptographic process provides origin confidentiality, integrity, and origin authentication for packets?
A. IKEv1
B. AH
C. ESP
D. IKEv2
Correct Answer: C
Section: (none)
Explanation
QUESTION 5
An organization wants to secure users, data, and applications in the cloud. The solution must be API-based and
operate as a cloud-native CASB. Which solution must be used for this implementation?
A. Cisco Cloudlock
B. Cisco Cloud Email Security
C. Cisco Firepower Next-Generation Firewall
D. Cisco Umbrella
Correct Answer: A
Section: (none)
Explanation
Cisco Cloudlock: Secure your cloud users, data, and applications with the cloud-native Cloud Access Security
Broker (CASB) and cloud cybersecurity platform.
Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-web-security/at-a-glance-c45-
738565.pdf
QUESTION 6
What are two Trojan malware attacks? (Choose two)
A. Frontdoor
B. Rootkit
C. Smurf
D. Backdoor
E. Sync
Correct Answer: BD
Section: (none)
Explanation
QUESTION 7
What is the role of Cisco Umbrella Roaming when it is installed on an endpoint?
A. To protect the endpoint against malicious file transfers

B. To ensure that assets are secure from malicious links on and off the corporate network
C. To establish secure VPN connectivity to the corporate network
D. To enforce posture compliance and mandatory software
Correct Answer:
Section: (none)
Explanation
Umbrella Roaming is a cloud-delivered security service for Cisco’s next-generation firewall. It protects your
employees even when they are off the VPN.
QUESTION 8
What is a capability of Cisco ASA Netflow?
A. It filters NSEL events based on traffic

B. It generates NSEL events even if the MPF is not configured
C. It logs all event types only to the same collector
D. It sends NetFlow data records from active and standby ASAs in an active standby failover pair
Correct Answer: A
Section: (none)
Explanation
QUESTION 9
Which component of Cisco umbrella architecture increases reliability of the service?
A. Anycast IP
B. AMP Threat grid
C. Cisco Talos
D. BGP route reflector
Correct Answer:
Section: (none)
Explanation
QUESTION 10
What is the benefit of integrating Cisco ISE with a MDM solution?
A. It provides compliance checks for access to the network

B. It provides the ability to update other applications on the mobile device
C. It provides the ability to add applications to the mobile device through Cisco ISE
D. It provides network device administration access
Correct Answer: A
Section: (none)
Explanation
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/
m_ise_interoperability_mdm.html
QUESTION 11
An administrator configures a new destination list in Cisco Umbrella so that the organization can block specific
domains for its devices. What should be done to ensure that all subdomains of domain.com are blocked?
A. Configure the *.com address in the block list

B. Configure the *.domain.com address in the block list
C. Configure the www.domain.com address in the block list
D. Configure the domain.com address in the block list
Correct Answer:
Section: (none)
Explanation
It is not possible to use an asterisk to wildcard a different part of the domain. The following will not work:
*.domain.com
subdomain.*.com
sub*.com
domain.*
Reference: https://docs.umbrella.com/deployment-umbrella/docs/wild-cards
By configuring domain.com address in the block list, we implied to block *.domain.com/* (all subdomains would
be blocked too).
QUESTION 12
An organization wants to provide visibility and to identify active threats in its network using a VM. The
organization wants to extract metadata from network packet flow while ensuring that payloads are not retained
or transferred outside the network. Which solution meets these requirements?
A. Cisco Umbrella Cloud

B. Cisco Stealthwatch Cloud PNM
C. Cisco Stealthwatch Cloud PCM
D. Cisco Umbrella On-Premises
Correct Answer: B
Section: (none)
Explanation
Private Network Monitoring (PNM) provides visibility and threat detection for the on-premises network, delivered
from the cloud as a SaaS solution. It is the perfect solution for organizations who prefer SaaS products and
desire better awareness and security in their on-premises environments while reducing capital expenditure and
operational overhead. It works by deploying lightweight software in a virtual machine or server that can
consume a variety of native sources of telemetry or extract metadata from network packet flow. It encrypts this
metadata and sends it to the Stealthwatch Cloud analytics platform for analysis. Stealthwatch Cloud consumes
metadata only. The packet payloads are never retained or transferred outside the network.
This lab focuses on how to configure a Stealthwatch Cloud Private Network Monitoring (PNM) Sensor, in order
to provide visibility and effectively identify active threats, and monitors user and device behavior within on-
premises networks.
The Stealthwatch Cloud PNM Sensor is an extremely flexible piece of technology, capable of being utilized in a
number of different deployment scenarios. It can be deployed as a complete Ubuntu based virtual appliance on
different hypervisors (e.g. –VMware, VirtualBox). It can be deployed on hardware running a number of different
Linux-based operating systems.
Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/5eU6DfQV/LTRSEC-2240-LG2.pdf
QUESTION 13
An organization deploys multiple Cisco FTD appliances and wants to manage them using one centralized
solution. The organization does not have a local VM but does have existing Cisco ASAs that must migrate over
to Cisco FTDs. Which solution meets the needs of the organization?
A. Cisco FMC
B. CSM
C. Cisco FDM
D. CDO
Correct Answer: A
Section: (none)
Explanation
QUESTION 14
An organization wants to secure data in a cloud environment. Its security model requires that all users be
authenticated and authorized. Security configuration and posture must be continuously validated before access
is granted or maintained to applications and data. There is also a need to allow certain application traffic and
deny all other traffic by default. Which technology must be used to implement these requirements?
A. Virtual routing and forwarding

B. Microsegmentation
C. Access control policy
D. Virtual LAN
Correct Answer:
Section: (none)
Explanation
Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be
authenticated, authorized, and continuously validated for security configuration and posture before being
granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network
edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as
workers in any location.
The Zero Trust model uses microsegmentation — a security technique that involves dividing perimeters into
small zones to maintain separate access to every part of the network — to contain attacks.
QUESTION 15
A Cisco FTD engineer is creating a new IKEv2 policy called s2s00123456789 for their organization to allow for
additional protocols to terminate network devices with. They currently only have one policy established and
need the new policy to be a backup in case some devices cannot support the stronger algorithms listed in the
primary policy. What should be done in order to support this?
A. Change the integrity algorithms to SHA* to support all SHA algorithms in the primary policy
B. Make the priority for the new policy 5 and the primary policy 1
C. Change the encryption to AES* to support all AES algorithms in the primary policy
D. Make the priority for the primary policy 10 and the new policy 1
Correct Answer: B
Section: (none)
Explanation
All IKE policies on the device are sent to the remote peer regardless of what is in the selected policy section.
The first IKE Policy matched by the remote peer will be selected for the VPN connection. Choose which policy
is sent first using the priority field. Priority 1 will be sent first.
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215470-
site-to-site-vpn-configuration-on-ftd-ma.html
QUESTION 16
Which type of encryption uses a public key and private key?
A. Asymmetric
B. Symmetric
C. Linear
D. Nonlinear
Correct Answer: A
Section: (none)
Explanation
QUESTION 17
What are two features of NetFlow flow monitoring? (Choose two)
A. Can track ingress and egress information

B. Include the flow record and the flow importer
C. Copies all ingress flow information to an interface
D. Does not required packet sampling on interfaces
E. Can be used to track multicast, MPLS, or bridged traffic
Correct Answer: AE
Section: (none)
Explanation
The following are restrictions for Flexible NetFlow:
+ Traditional NetFlow (TNF) accounting is not supported.
+ Flexible NetFlow v5 export format is not supported, only NetFlow v9 export format is supported.
+ Both ingress and egress NetFlow accounting is supported.
+ Microflow policing feature shares the NetFlow hardware resource with FNF.
+ Only one flow monitor per interface and per direction is supported.
Reference: https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/
consolidated_guide/b_consolidated_3850_3se_cg_chapter_011010.html
When configuring NetFlow, follow these guidelines and restrictions:
+ Except in PFC3A mode, NetFlow supports bridged IP traffic. PFC3A mode does not support NetFlow bridged
IP traffic.
+ NetFlow supports multicast IP traffic.
Reference: https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/netflow.html
The Flexible NetFlow – MPLS Egress NetFlow feature allows you to capture IP flow information for packets that
arrive on a router as Multiprotocol Label Switching (MPLS) packets and are transmitted as IP packets. This
feature allows you to capture the MPLS VPN IP flows that are traveling through the service provider backbone
from one site of a VPN to another site of the same VPN
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/cfg-
mpls-netflow.html
QUESTION 18
A customer has various external HTTP resources available including Intranet Extranet and Internet, with a
proxy configuration running in explicit mode. Which method allows the client desktop browsers to be configured
to select when to connect direct or when to use the proxy?
A. Transport mode
B. Forward file
C. PAC file
D. Bridge mode
Correct Answer:
Section: (none)
Explanation
A Proxy Auto-Configuration (PAC) file is a JavaScript function definition that determines whether web browser
requests (HTTP, HTTPS, and FTP) go direct to the destination or are forwarded to a web proxy server.
PAC files are used to support explicit proxy deployments in which client browsers are explicitly configured to
send traffic to the web proxy. The big advantage of PAC files is that they are usually relatively easy to create
and maintain.
QUESTION 19
Which Talos reputation center allows for tracking the reputation of IP addresses for email and web traffic?
A. IP and Domain Reputation Center

B. File Reputation Center
C. IP Slock List Center
D. AMP Reputation Center
Correct Answer: A
Section: (none)
Explanation
QUESTION 20
An engineer is configuring IPsec VPN and needs an authentication protocol that is reliable and supports ACK
and sequence. Which protocol accomplishes this goal?
A. AES-192
B. IKEv1
C. AES-256
D. ESP
Correct Answer: D
Section: (none)
Explanation
QUESTION 21
An administrator is establishing a new site-to-site VPN connection on a Cisco IOS router. The organization
needs to ensure that the ISAKMP key on the hub is used only for terminating traffic from the IP address of
172.19.20.24. Which command on the hub will allow the administrator to accomplish this?
A. crypto ca identity 172.19.20.24

B. crypto isakmp key Cisco0123456789 172.19.20.24
C. crypto enrollment peer address 172.19.20.24
D. crypto isakmp identity address 172.19.20.24
Correct Answer: B
Section: (none)
Explanation
The command “crypto isakmp identity address 172.19.20.24” is not valid. We can only use “crypto isakmp
identity {address | hostname}. The following example uses preshared keys at two peers and sets both their
ISAKMP identities to the IP address.
At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified:
crypto isakmp identity address
crypto isakmp key sharedkeystring address 192.168.1.33
At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified:
crypto isakmp identity address
crypto isakmp key sharedkeystring address 10.0.0.1
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-
c4.html#wp3880782430
The command “crypto enrollment peer address” is not valid either.
The command “crypto ca identity …” is only used to declare a trusted CA for the router and puts you in the ca-
identity configuration mode. Also it should be followed by a name, not an IP address. For example: “crypto ca
identity CA-Server” -> Answer A is not correct.
Only answer B is the best choice left.
QUESTION 22
What is a difference between an XSS attack and an SQL injection attack?
A. SQL injection is a hacking method used to attack SQL databases, whereas XSS attacks can exist in many
different types of applications
B. XSS is a hacking method used to attack SQL databases, whereas SQL injection attacks can exist in many
different types of applications
C. SQL injection attacks are used to steal information from databases whereas XSS attacks are used to
redirect users to websites where attackers can steal data from them
D. XSS attacks are used to steal information from databases whereas SQL injection attacks are used to
redirect users to websites where attackers can steal data from them
Correct Answer:
Section: (none)
Explanation
In XSS, an attacker will try to inject his malicious code (usually malicious links) into a database. When other
users follow his links, their web browsers are redirected to websites where attackers can steal data from them.
In a SQL Injection, an attacker will try to inject SQL code (via his browser) into forms, cookies, or HTTP
headers that do not use data sanitizing or validation methods of GET/POST parameters.
QUESTION 23
An engineer has been tasked with configuring a Cisco FTD to analyze protocol fields and detect anomalies in
the traffic from industrial systems. What must be done to meet these requirements?
A. Implement pre-filter policies for the CIP preprocessor

B. Enable traffic analysis in the Cisco FTD
C. Configure intrusion rules for the DNP3 preprocessor
D. Modify the access control policy to trust the industrial traffic
Correct Answer: A
Section: (none)
Explanation
The Modbus, DNP3, and CIP SCADA preprocessors detect traffic anomalies and provide data to intrusion
rules. Therefore in this question only answer A or answer C is correct.
The DNP3 preprocessor detects anomalies in DNP3 traffic and decodes the DNP3 protocol for processing by
the rules engine, which uses DNP3 keywords to access certain protocol fields.
The Common Industrial Protocol (CIP) is a widely used application protocol that supports industrial automation
applications. EtherNet/IP is an implementation of CIP that is used on Ethernet-based networks.The CIP
preprocessor detects CIP and ENIP traffic running on TCP or UDP and sends it to the intrusion rules engine.
You can use CIP and ENIP keywords in custom intrusion rules to detect attacks in CIP and ENIP traffic.
guide-v63/scada_preprocessors.html
Both DNP3 and CIP preprocessors can be used to detect traffic anomalies but we choose CIP as it is widely
used in industrial applications.
Note:
+ An intrusion rule is a specified set of keywords and arguments that the system uses to detect attempts to
exploit vulnerabilities in your network. As the system analyzes network traffic, it compares packets against the
conditions specified in each rule, and triggers the rule if the data packet meets all the conditions specified in the
rule.
+ Preprocessor rules, which are rules associated with preprocessors and packet decoder detection options in
the network analysis policy. Most preprocessor rules are disabled by default.
QUESTION 24
Which posture assessment requirement provides options to the client for remediation and requires the
remediation within a certain timeframe?
A. Audit
B. Mandatory
C. Optional
D. Visibility
Correct Answer:
Section: (none)
Explanation
A posture requirement is a set of compound conditions with an associated remediation action that can be linked
with a role and an operating system. All the clients connecting to your network must meet mandatory
requirements during posture evaluation to become compliant on the network.
Posture-policy requirements can be set to mandatory, optional, or audit types in posture policies. If
requirements are optional and clients fail these requirements, then the clients have an option to continue during
posture evaluation of endpoints.
Mandatory Requirements
During policy evaluation, the agent provides remediation options to clients who fail to meet the mandatory
requirements defined in the posture policy. End users must remediate to meet the requirements within the time
specified in the remediation timer settings.
For example, you have specified a mandatory requirement with a user-defined condition to check the existence
of C:\temp\text.file in the absolute path. If the file does not exist, the mandatory requirement fails and the user
will be moved to Non-Compliant state.
b_ise_admin_guide_14_chapter_010111.html
QUESTION 25
Which attribute has the ability to change during the RADIUS CoA?
A. NTP
B. Authorization
C. Accessibility
D. Membership
Correct Answer: B
Section: (none)
Explanation
The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an
authentication, authorization, and accounting (AAA) session after it is authenticated.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-
sy-book/sec-rad-coa.html
QUESTION 26
With Cisco AMP for Endpoints, which option shows a list of all files that have been executed in your
environment?
A. Prevalence
B. File analysis
C. Detections
D. Vulnerable software
E. Threat root cause
Correct Answer:
Section: (none)
Explanation
Prevalence allows you to view files that have been executed in your deployment.
Note: Threat Root Cause shows how malware is getting onto your computers.
Reference: https://docs.amp.cisco.com/en/A4E/AMP%20for%20Endpoints%20User%20Guide.pdf
QUESTION 27
A company discovered an attack propagating through their network via a file. A custom file policy was created
in order to track this in the future and ensure no other endpoints execute the infected file. In addition, it was
discovered during testing that the scans are not detecting the file as an indicator of compromise. What must be
done in order to ensure that the created is functioning as it should?
A. Create an IP block list for the website from which the file was downloaded
B. Block the application that the file was using to open
C. Upload the hash for the file into the policy
D. Send the file to Cisco Threat Grid for dynamic analysis
Correct Answer: C
Section: (none)
Explanation
QUESTION 28
A network engineer is trying to figure out whether FlexVPN or DMVPN would fit better in their environment.
They have a requirement for more stringent security multiple security associations for the connections, more
efficient VPN establishment as well consuming less bandwidth. Which solution would be best for this and why?
A. DMVPN because it supports IKEv2 and FlexVPN does not

B. FlexVPN because it supports IKEv2 and DMVPN does not
C. FlexVPN because it uses multiple SAs and DMVPN does not
D. DMVPN because it uses multiple SAs and FlexVPN does not
Correct Answer: C
Section: (none)
Explanation
FlexVPN supports IKEv2 -> Answer A is not correct.
DMVPN supports both IKEv1 & IKEv2 -> Answer B is not correct.
FlexVPN support multiple SAs -> Answer D is not correct.
Therefore answer C is the best choice left.
QUESTION 29
How does Cisco Workload Optimization Manager help mitigate application performance issues?
A. It deploys an AWS Lambda system

B. It automates resource resizing
C. It optimizes a flow path
D. It sets up a workload forensic score
Correct Answer: B
Section: (none)
Explanation
Cisco Workload Optimization Manager provides specific real-time actions that ensure workloads get the
resources they need when they need them, enabling continuous placement, resizing, and capacity decisions
that can be automated, driving continuous health in the environment. You can automate the software’s
decisions according to your level of comfort: recommend (view only), manual (select and apply), or automated
(executed in real time by software).
Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/one-enterprise-
suite/solution-overview-c22-739078.pdf
QUESTION 30
An organization configures Cisco Umbrella to be used for its DNS services. The organization must be able to
block traffic based on the subnet that the endpoint is on but it sees only the requests from its public IP address
instead of each internal IP address. What must be done to resolve this issue?
A. Set up a Cisco Umbrella virtual appliance to internally field the requests and see the traffic of each IP
address
B. Use the tenant control features to identify each subnet being used and track the connections within the
Cisco Umbrella dashboard
C. Install the Microsoft Active Directory Connector to give IP address information stitched to the requests in the
Cisco Umbrella dashboard
D. Configure an internal domain within Cisco Umbrella to help identify each address and create policy from the
domains
Correct Answer: D
Section: (none)
Explanation
QUESTION 31
What is a difference between a DoS attack and a DDoS attack?
A. A DoS attack is where a computer is used to flood a server with TCP and UDP packets whereas a DDoS
attack is where multiple systems target a single system with a DoS attack
B. A DoS attack is where a computer is used to flood a server with TCP and UDP packets whereas a DDoS
attack is where a computer is used to flood multiple servers that are distributed over a LAN
C. A DoS attack is where a computer is used to flood a server with UDP packets whereas a DDoS attack is
where a computer is used to flood a server with TCP packets
D. A DoS attack is where a computer is used to flood a server with TCP packets whereas a DDoS attack is
where a computer is used to flood a server with UDP packets
Correct Answer: A
Section: (none)
Explanation
QUESTION 32
Which two capabilities of Integration APIs are utilized with Cisco DNA center? (Choose two)
A. Automatically deploy new virtual routers

B. Upgrade software on switches and routers
C. Application monitors for power utilization of devices and IoT sensors
D. Connect to Information Technology Service Management Platforms
E. Create new SSIDs on a wireless LAN controller
Correct Answer: CD
Section: (none)
Explanation
Integration API (Westbound)
Integration capabilities are part of Westbound interfaces. To meet the need to scale and accelerate operations
in modern data centers, IT operators require intelligent, end-to-end work flows built with open APIs. The Cisco
DNA Center platform provides mechanisms for integrating Cisco DNA Assurance workflows and data with third-
party IT Service Management (ITSM) solutions.
Reference: https://developer.cisco.com/docs/dna-center/#!cisco-dna-center-platform-overview/events-and-
notifications-eastbound
-> Therefore answer D is correct.
Westbound—Integration APIs
Cisco DNA Center platform can power end-to-end IT processes across the value chain by integrating various
domains such as ITSM, IPAM, and reporting. By leveraging the REST-based Integration Adapter APIs, bi-
directional interfaces can be built to allow the exchange of contextual information between Cisco DNA Center
and the external, third-party IT systems. The westbound APIs provide the capability to publish the network data,
events and notifications to the external systems and consume information in Cisco DNA Center from the
connected systems.
Reference: https://blogs.cisco.com/networking/with-apis-cisco-dna-center-can-improve-your-competitive-
advantage
Therefore the most suitable choice is Integration APIs can monitor for power utilization of devices and IoT
sensors -> Answer C is correct.
QUESTION 33
Which kind of API that is used with Cisco DNA Center provisions SSIDs, QoS policies, and update software
versions on switches?
A. Integration
B. Intent
C. Event
D. Multivendor
Correct Answer: B
Section: (none)
Explanation
QUESTION 34
What is the purpose of CA in a PKI?
A. To issue and revoke digital certificates

B. To validate the authenticity of a digital certificate
C. To create the private key for a digital certificate
D. To certify the ownership of a public key by the named subject
Correct Answer: A
Section: (none)
Explanation
A trusted CA is the only entity that can issue trusted digital certificates. This is extremely important because
while PKI manages more of the encryption side of these certificates, authentication is vital to understanding
which entities own what keys. Without a trusted CA, anyone can issue their own keys, authentication goes out
the window and chaos ensues.
Reference: https://cheapsslsecurity.com/blog/understanding-the-role-of-certificate-authorities-in-pki/
QUESTION 35
Which DevSecOps implementation process gives a weekly or daily update instead of monthly or quarterly in the
applications?
A. Orchestration
B. CI/CD pipeline
C. Container
D. Security
Correct Answer: B
Section: (none)
Explanation
Unlike the traditional software life cycle, the CI/CD implementation process gives a weekly or daily update
instead of monthly or quarterly. The fun part is customers won’t even realize the update is in their applications,
as they happen on the fly.
Reference: https://devops.com/how-to-implement-an-effective-ci-cd-pipeline/
QUESTION 36
Which parameter is required when configuring a Netflow exporter on a Cisco Router?
A. DSCP value
B. Source interface
C. Exporter name
D. Exporter description
Correct Answer: C
Section: (none)
Explanation
An example of configuring a NetFlow exporter is shown below:
flow exporter Exporter

destination 192.168.100.22
transport udp 2055
!
QUESTION 37
Which category includes DoS Attacks?
A. Virus attacks
B. Trojan attacks
C. Flood attacks
D. Phishing attacks
Correct Answer: C
Section: (none)
Explanation
QUESTION 38
What are two advantages of using Cisco Any connect over DMVPN? (Choose two)
A. It provides spoke-to-spoke communications without traversing the hub

B. It allows different routing protocols to work over the tunnel
C. It allows customization of access policies based on user identity
D. It allows multiple sites to connect to the data center
E. It enables VPN access for individual users from their machines
Correct Answer: CE
Section: (none)
Explanation
QUESTION 39
When choosing an algorithm to us, what should be considered about Diffie Hellman and RSA for key
establishment?
A. RSA is an asymmetric key establishment algorithm intended to output symmetric keys

B. RSA is a symmetric key establishment algorithm intended to output asymmetric keys
C. DH is a symmetric key establishment algorithm intended to output asymmetric keys
D. DH is on asymmetric key establishment algorithm intended to output symmetric keys
Correct Answer: D
Section: (none)
Explanation
Diffie Hellman (DH) uses a private-public key pair to establish a shared secret, typically a symmetric key. DH is
not a symmetric algorithm – it is an asymmetric algorithm used to establish a shared secret for a symmetric key
algorithm.
QUESTION 40
Which type of DNS abuse exchanges data between two computers even when there is no direct connection?
A. Malware installation
B. Command-and-control communication
C. Network footprinting
D. Data exfiltration
Correct Answer: D
Section: (none)
Explanation
Malware installation: This may be done by hijacking DNS queries and responding with malicious IP addresses.
Command & Control communication: As part of lateral movement, after an initial compromise, DNS
communications is abused to communicate with a C2 server. This typically involves making periodic DNS
queries from a computer in the target network for a domain controlled by the adversary. The responses contain
encoded messages that may be used to perform unauthorized actions in the target network.
Network footprinting: Adversaries use DNS queries to build a map of the network. Attackers live off the terrain
so developing a map is important to them.
Data theft (exfiltration): Abuse of DNS to transfer data; this may be performed by tunneling other protocols like
FTP, SSH through DNS queries and responses. Attackers make multiple DNS queries from a compromised
computer to a domain owned by the adversary. DNS tunneling can also be used for executing commands and
transferring malware into the target network.
Reference: https://www.netsurion.com/articles/5-types-of-dns-attacks-and-how-to-detect-them
QUESTION 41
What is a difference between GETVPN and IPsec?
A. GETVPN reduces latency and provides encryption over MPLS without the use of a central hub
B. GETVPN provides key management and security association management
C. GETVPN is based on IKEv2 and does not support IKEv1
D. GETVPN is used to build a VPN network with multiple sites without having to statically configure all devices
Correct Answer: A
Section: (none)
Explanation
QUESTION 42
What is a benefit of using telemetry over SNMP to configure new routers for monitoring purposes?
A. Telemetry uses a pull mehod, which makes it more reliable than SNMP
B. Telemetry uses push and pull, which makes it more scalable than SNMP
C. Telemetry uses push and pull which makes it more secure than SNMP
D. Telemetry uses a push method which makes it faster than SNMP
Correct Answer: D
Section: (none)
Explanation
SNMP polling can often be in the order of 5-10 minutes, CLIs are unstructured and prone to change which can
often break scripts.
The traditional use of the pull model, where the client requests data from the network does not scale when what
you want is near real-time data.
Moreover, in some use cases, there is the need to be notified only when some data changes, like interfaces
status, protocol neighbors change etc.
Model-Driven Telemetry is a new approach for network monitoring in which data is streamed from network
devices continuously using a push model and provides near real-time access to operational statistics.
Referfence: https://developer.cisco.com/docs/ios-xe/#!streaming-telemetry-quick-start-guide/streaming-
telemetry
QUESTION 43
An organization wants to use Cisco FTD or Cisco ASA devices. Specific URLs must be blocked from being
accessed via the firewall which requires that the administrator input the bad URL categories that the
organization wants blocked into the access policy. Which solution should be used to meet this requirement?
A. Cisco ASA because it enables URL filtering and blocks malicious URLs by default, whereas Cisco FTD
does not
B. Cisco ASA because it includes URL filtering in the access control policy capabilities, whereas Cisco FTD
does not
C. Cisco FTD because it includes URL filtering in the access control policy capabilities, whereas Cisco ASA
does not
D. Cisco FTD because it enables URL filtering and blocks malicious URLs by default, whereas Cisco ASA
does not
Correct Answer: C
Section: (none)
Explanation
QUESTION 44
An administrator configures a Cisco WSA to receive redirected traffic over ports 80 and 443. The organization
requires that a network device with specific WSA integration capabilities be configured to send the traffic to the
WSA to proxy the requests and increase visibility, while making this invisible to the users. What must be done
on the Cisco WSA to support these requirements?
A. Configure transparent traffic redirection using WCCP in the Cisco WSA and on the network device
B. Configure active traffic redirection using WPAD in the Cisco WSA and on the network device
C. Use the Layer 4 setting in the Cisco WSA to receive explicit forward requests from the network device
D. Use PAC keys to allow only the required network devices to send the traffic to the Cisco WSA
Correct Answer: A
Section: (none)
Explanation
QUESTION 45
An administrator configures new authorization policies within Cisco ISE and has difficulty profiling the devices.
Attributes for the new Cisco IP phones that are profiled based on the RADIUS authentication are seen however
the attributes for CDP or DHCP are not. What should the administrator do to address this issue?
A. Configure the ip dhcp snooping trust command on the DHCP interfaces to get the information to Cisco ISE
B. Configure the authentication port-control auto feature within Cisco ISE to identify the devices that are trying
to connect
C. Configure a service template within the switch to standardize the port configurations so that the correct
information is sent to Cisco ISE
D. Configure the device sensor feature within the switch to send the appropriate protocol information
Correct Answer: D
Section: (none)
Explanation
Device sensor is a feature of access devices. It allows to collect information about connected endpoints. Mostly,
information collected by Device Sensor can come from the following protocols:
+ Cisco Discovery Protocol (CDP)
+ Link Layer Discovery Protocol (LLDP)
+ Dynamic Host Configuration Protocol (DHCP)
Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200292-Configure-
Device-Sensor-for-ISE-Profilin.html
QUESTION 46
A network engineer must monitor user and device behavior within the on-premises network. This data must be
sent to the Cisco Stealthwatch Cloud analytics platform for analysis. What must be done to meet this
requirement using the Ubuntu-based VM appliance deployed in a VMware-based hypervisor?
A. Configure a Cisco FMC to send syslogs to Cisco Stealthwatch Cloud

B. Deploy the Cisco Stealthwatch Cloud PNM sensor that sends data to Cisco Stealthwatch Cloud
C. Deploy a Cisco FTD sensor to send network events to Cisco Stealthwatch Cloud
D. Configure a Cisco FMC to send NetFlow to Cisco Stealthwatch Cloud
Correct Answer: B
Section: (none)
Explanation
The Stealthwatch Cloud Private Network Monitoring (PNM) Sensor is an extremely flexible piece of technology,
capable of being utilized in a number of different deployment scenarios. It can be deployed as a complete
Ubuntu based virtual appliance on different hypervisors (e.g. –VMware, VirtualBox). It can be deployed on
hardware running a number of different Linux-based operating systems.
Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/5eU6DfQV/LTRSEC-2240-LG2.pdf
QUESTION 47
An organization uses Cisco FMC to centrally manage multiple Cisco FTD devices. The default management
port conflicts with other communications on the network and must be changed. What must be done to ensure
that all devices can communicate together?
A. Manually change the management port on Cisco FMC and all managed Cisco FTD devices
B. Set the tunnel to go through the Cisco FTD
C. Change the management port on Cisco FMC so that it pushes the change to all managed Cisco FTD
devices
D. Set the tunnel port to 8305
Correct Answer: A
Section: (none)
Explanation
The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel, which
by default is on port 8305.
Cisco strongly recommends that you keep the default settings for the remote management port, but if the
management port conflicts with other communications on your network, you can choose a different port. If you
change the management port, you must change it for all devices in your deployment that need to communicate
with each other.
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/misc/fmc-ftd-mgmt-nw/fmc-ftd-mgmt-
nw.html
QUESTION 48
Which service allows a user export application usage and performance statistics with Cisco Application Visibility
and control?
A. SNORT
B. NetFlow
C. SNMP
D. 802.1X
Correct Answer: B
Section: (none)
Explanation
Application Visibility and control (AVC) supports NetFlow to export application usage and performance
statistics. This data can be used for analytics, billing, and security policies.
QUESTION 49
An engineer adds a custom detection policy to a Cisco AMP deployment and encounters issues with the
configuration. The simple detection mechanism is configured, but the dashboard indicates that the hash is not
64 characters and is non-zero. What is the issue?
A. The engineer is attempting to upload a hash created using MD5 instead of SHA-256
B. The file being uploaded is incompatible with simple detections and must use advanced detections
C. The hash being uploaded is part of a set in an incorrect format
D. The engineer is attempting to upload a file instead of a hash
Correct Answer: A
Section: (none)
Explanation

Scor 350-701-V7

Uploaded by

Copyright:

Available Formats

Scor 350-701-V7

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Scor 350-701-V7

Uploaded by

Copyright:

Available Formats

What is the main type of attack that uses alternate encoding like hexadecimal?

What is the main type of attack that uses alternate encoding like hexadecimal?

What are two techniques used to prevent SQL injection attacks?

What are two techniques used to prevent SQL injection attacks?

SCOR 350-701 V7

Updated june 23rd with 48 new questions from Securitytut

For example the code below is written in hex:

<a href=javascript:alert('XSS')>Click Here</a>

A. user input validation in a web page or web application

SELECT * FROM Users WHERE UserId = 100 OR 1=1;

A. Check integer, float, or Boolean string parameters to ensure accurate values.

A. Patch for cross-site scripting.

A. Enable browser alerts for fraudulent websites.

A. The attack is fragmented into groups of 16 octets before transmission.

A. Enable client-side scripts on a per-domain basis.

An exploit is a code that takes advantage of a software vulnerability or security flaw.

A. 64-bit block size, 112-bit key length

A. AES is less secure than 3DES.

The syntax of above command is:

Prerequisites for Stateful Failover for IPsec

A. Change isakmp to ikev2 in the command on hostA.

A. hashing algorithm mismatch

A. DMVPN uses IKEv1 or IKEv2, FlexVPN only uses IKEv1

A. SDN controller and the cloud

What Cisco DNA Center enables you to do

A. SDN controller and the network elements

A. adds authentication to a switch

A. They alert administrators when critical events occur.

A. username and password

A. Certificate Trust List

A. multiple context mode

A. It allows traffic if it does not meet the profile.

A. It tracks flow-create, flow-teardown, and flow-denied events.

A. configure system add <host><key>

A. DMZ multiple zone mode

A. Enable NetFlow Version 9.

A. flow-export destination inside 1.1.1.1 2055

A. Time-based one-time passwords

A. Sensitive data must remain onsite.

A. It decrypts HTTPS application traffic for unauthenticated users.

A. It can handle explicit HTTP requests.

A. Configure the datasecurityconfig command

A. Configure the trackingconfig command to enable message tracking.

A. Mail Submission Agent

A. configure Active Directory Group Policies to push proxy settings

A. data loss prevention

A. Cisco Identity Services Engine and AnyConnect Posture module

A. RADIUS Change of Authorization

A. multiple factor auth

A. It allows the endpoint to authenticate with 802.1x or MAB.

A. Atomic ARP Engine

A. DHCP snooping has not been enabled on all VLANs.

A. asa-host(config)#snmp-server group myv3 v3 priv

A. show authorization status

A. privilege level for an authorized user to this router

A. set the IP address of an interface

A. snmp-server host inside 10.255.254.1 version 3 andy

A. by flooding the destination host with unreachable packets

A. Outgoing traffic is allowed so users can communicate with outside organizations.