Cisco CCNP Security 300-710 Questions & Answers

• Question 211:

  An organization has a compliance requirement to protect servers from clients, however, the clients and servers all reside on the same Layer 3 network. Without readdressing IP subnets for clients or servers, how is segmentation achieved?

  A. Change the IP addresses of the servers, while remaining on the same subnet.

  B. Deploy a firewall in routed mode between the clients and servers.

  C. Change the IP addresses of the clients, while remaining on the same subnet.

  D. Deploy a firewall in transparent mode between the clients and servers.

  Correct Answer: B

• Question 212:

  Within an organization's high availability environment where both firewalls are passing traffic, traffic must be segmented based on which department it is destined for. Each department is situated on a different LAN. What must be configured to meet these requirements?

  A. redundant interfaces

  B. span EtherChannel clustering

  C. high availability active/standby firewalls

  D. multi-instance firewalls

  Correct Answer: D

• Question 213:

  An engineer is restoring a Cisco FTD configuration from a remote backup using the command restore remote-manager-backup location 1.1.1.1 admin /volume/home/admin BACKUP_Cisc394602314.zip on a Cisco FMG. After connecting to the repository, an error occurred that prevents the FTD device from accepting the backup file. What is the problem?

  A. The backup file is not in .cfg format.

  B. The backup file is too large for the Cisco FTD device

  C. The backup file extension was changed from .tar to .zip

  D. The backup file was not enabled prior to being applied

  Correct Answer: C

  Reference: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKSEC-3455.pdf

• Question 214:

  Refer to the exhibit.

  

  What must be done to fix access to this website while preventing the same communication to all other websites?

  A. Create an intrusion policy rule to have Snort allow port 80 to only 172.1.1 50.

  B. Create an access control policy rule to allow port 80 to only 172.1.1 50.

  C. Create an intrusion policy rule to have Snort allow port 443 to only 172.1.1.50

  D. Create an access control policy rule to allow port 443 to only 172.1.1 50

  Correct Answer: B

• Question 215:

  An engineer currently has a Cisco FTD device registered to the Cisco FMC and is assigned the address of 10 10.50.12. The organization is upgrading the addressing schemes and there is a requirement to convert the addresses to a format that provides an adequate amount of addresses on the network What should the engineer do to ensure that the new addressing takes effect and can be used for the Cisco FTD to Cisco FMC connection?

  A. Delete and reregister the device to Cisco FMC

  B. Update the IP addresses from IFV4 to IPv6 without deleting the device from Cisco FMC

  C. Format and reregister the device to Cisco FMC.

  D. Cisco FMC does not support devices that use IPv4 IP addresses.

  Correct Answer: A

• Question 216:

  An organization is using a Cisco FTD and Cisco ISE to perform identity-based access controls. A network administrator is analyzing the Cisco FTD events and notices that unknown user traffic is being allowed through the firewall. How should this be addressed to block the traffic while allowing legitimate user traffic?

  A. Modify lhe Cisco ISE authorization policy to deny this access to the user.

  B. Modify Cisco ISE to send only legitimate usernames to the Cisco FTD.

  C. Add the unknown user in the Access Control Policy in Cisco FTD.

  D. Add the unknown user in the Malware and File Policy in Cisco FTD.

  Correct Answer: C

  Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-identity.html#concept_655B055575E04CA49B10186DEBDA301A

• Question 217:

  A network administrator needs to create a policy on Cisco Firepower to fast-path traffic to avoid Layer 7 inspection. The rate at which traffic is inspected must be optimized. What must be done to achieve this goal?

  A. Enable lhe FXOS for multi-instance.

  B. Configure a prefilter policy.

  C. Configure modular policy framework.

  D. Disable TCP inspection.

  Correct Answer: B

• Question 218:

  An engineer is building a new access control policy using Cisco FMC. The policy must inspect a unique IPS policy as well as log rule matching. Which action must be taken to meet these requirements?

  A. Configure an IPS policy and enable per-rule logging.

  B. Disable the default IPS policy and enable global logging.

  C. Configure an IPS policy and enable global logging.

  D. Disable the default IPS policy and enable per-rule logging.

  Correct Answer: A

  There is no per-rule logging on the system. Also there would be no need to log the ACL rule as an Intrusion event will cause the rule to generate an event.

• Question 219:

  Which two conditions must be met to enable high availability between two Cisco FTD devices? (Choose two.)

  A. same flash memory size

  B. same NTP configuration

  C. same DHCP/PPoE configuration

  D. same host name

  E. same number of interfaces

  Correct Answer: BE

  https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html Conditions

  In order to create an HA between 2 FTD devices, these conditions must be met:

  Same model Same version (this applies to FXOS and to FTD - (major (first number), minor (second number), and maintenance (third number) must be equal)) Same number of interfaces Same type of interfaces Both devices as part of same group/domain in FMC Have identical Network Time Protocol (NTP) configuration Be fully deployed on the FMC without uncommitted changes Be in the same firewall mode: routed or transparent. Note that this must be checked on both FTD devices and FMC GUI since there have been cases where the FTDs had the same mode, but FMC does not reflect this. Does not have DHCP/Point-to-Point Protocol over Ethernet (PPPoE) configured in any of the interface Different hostname (Fully Qualified Domain Name (FQDN)) for both chassis. In order to check the chassis hostname navigate to FTD CLI and run this command

• Question 220:

  A network administrator notices that inspection has been interrupted on all non-managed interfaces of a device. What is the cause of this?

  A. The value of the highest MTU assigned to any non-management interface was changed.

  B. The value of the highest MSS assigned to any non-management interface was changed.

  C. A passive interface was associated with a security zone.

  D. Multiple inline interface pairs were added to the same inline interface.

  Correct Answer: A