Cisco CCNP Security 300-710 Questions & Answers

• Question 51:

  A Cisco Secure Firewall Threat Defense device is configured in inline IPS mode to inspect all traffic that passes through the interfaces in the inline set. Which setting in the inline set configuration must be selected to allow traffic to pass through uninterrupted when VDB updates are being applied?

  A. Tap Mode

  B. Strict TCP Enforcement

  C. Propagate Link State

  D. Snort Fail Open

  Correct Answer: D

  In inline IPS mode, to ensure that traffic passes through uninterrupted when VDB (Vulnerability Database) updates are being applied, the "Short Fall Open" setting must be configured. This setting allows traffic to continue to flow through the

  firewall even if there are issues with the inspection process, such as during updates or if the inspection engine fails.

  Steps:

  In FMC, navigate to the inline set configuration.

  Enable the "Short Fall Open" option.

  Deploy the configuration to the FTD device.

  This ensures that network traffic is not disrupted during updates or other issues with the inspection process.

  References: Cisco Secure Firewall Threat Defense Configuration Guide, Chapter on Inline IPS Mode Configuration.

• Question 52:

  Which two features can be used with Cisco Secure Firewall Threat Defense remote access VPN? (Choose two.)

  A. enable Duo two-factor authentication using LDAPS

  B. support for Cisco Secure Firewall 4100 Series in cluster mode

  C. SSL remote access VPN supports port sharing with other Cisco FTD features using SSL port 443

  D. use of license utilization for zero-touch network deployment

  E. support for Rapid Threat Containment using RADIUS dynamic authorization

  Correct Answer: AC

• Question 53:

  Remote users who connect via Cisco Secure Client to the corporate network behind a Cisco Secure Firewall Threat Defense device are reporting no audio on calls when calling between remote users using their softphones. These same users can call internal users on the corporate network without any issues. What is the cause of this issue?

  A. The hairpinning feature is not available on Cisco Secure Firewall Threat Defense

  B. Cisco Secure Firewall Threat Defense needs a NAT policy that allows outside to outside communication

  C. The Enable Spoke to Spoke Connectivity through Hub option is not selected on Cisco Secure Firewall Threat Defense

  D. Split tunneling is enabled for the Remote Access VPN on Cisco Secure Firewall Threat Defense

  Correct Answer: B

• Question 54:

  An administrator is configuring the interface of a Cisco Secure Firewall Threat Defense firewall device in a passive IPS deployment. The device and interface have been identified. Which set of configuration steps must the administrator perform next to complete the implementation?

  A. Set the interface mode to passive. Associate the interface with a security zone. Enable the interface. Set the MTU parameter.

  B. Modify the interface to retransmit received traffic. Associate the interface with a security zone Set the MTU parameter

  C. Set the interface mode to passive. Associate the interface with a security zone. Set the MTU parameter. Reset the interface.

  D. Modify the interface to retransmit received traffic. Associate the interface with a security zone. Enable the interface. Set the MTU parameter.

  Correct Answer: A

  In a passive IPS deployment for a Cisco Secure Firewall Threat Defense (FTD) device, the administrator must configure the interface to operate in passive mode. This involves setting the interface mode, associating it with a security zone,

  enabling the interface, and setting the MTU parameter.

  Steps:

  Set the interface mode to passive:

  Associate the interface with a security zone:

  Enable the interface:

  Set the MTU parameter:

  This ensures that the FTD device can inspect traffic passively without impacting the network flow.

  References: Cisco Secure Firewall Management Center Device Configuration Guide, Chapter on Interface Settings

• Question 55:

  What is the result when two users modify a VPN policy at the same time on a Cisco Secure Firewall Management Center managed device?

  A. Both users can edit the policy and the last saved configuration persists.

  B. The changes from both users will be merged together into the policy.

  C. The first user locks the configuration when selecting edit on the policy.

  D. The system prevents modifications to the policy by multiple users.

  Correct Answer: A

• Question 56:

  A network administrator is configuring a BVI interface on a routed FTD. The administrator wants to isolate traffic on the interfaces connected to the bridge group and not have the FTD route this traffic using the routing table. What must be configured?

  A. A new VRF must be created for the BVI interface

  B. An IP address must be configured on the BVI

  C. IP routing must be removed from the physical interfaces connected to the BVI

  D. The BVI interface must be configured for transparent mode

  Correct Answer: A

• Question 57:

  Which file format can standard reports from Cisco Secure Firewall Management Center be downloaded in?

  A. doc

  B. ppt

  C. csv

  D. xls

  Correct Answer: C

  Standard reports from Cisco Secure Firewall Management Center can be downloaded in CSV (Comma-Separated Values) format. This format is widely used for data exchange and can be opened in various applications such as Microsoft

  Excel.

  Steps to download reports:

  Navigate to Reports > Report Designer in the FMC. Select or create the report you wish to download. Choose the CSV format option when exporting the report. This allows the network engineer to analyze and manipulate the report data

  easily. References: Cisco Secure Firewall Management Center Administrator Guide, Chapter on Report Generation.

• Question 58:

  Encrypted Visibility Engine (EVE) is enabled under which tab on an access control policy in Cisco Secure Firewall Management Center?

  A. Network Analysis Policy

  B. SSL

  C. Advanced

  D. Security Intelligence

  Correct Answer: C

• Question 59:

  An engineer is configuring a Cisco Secure Firewall Threat Defense device managed by Cisco Secure Firewall Management Center. The device must have SSH enabled and be accessible from the inside interface for remote administration. Which type of policy must the engineer configure to accomplish this?

  A. platform settings

  B. access control

  C. prefilter

  D. identity

  Correct Answer: A

  To enable SSH access to a Cisco Secure Firewall Threat Defense (FTD) device from the inside interface for remote administration, the engineer needs to configure a Platform Settings policy in Cisco Secure Firewall Management Center

  (FMC). The Platform Settings policy allows the configuration of various system-related settings, including enabling SSH, specifying the allowed interfaces, and defining the SSH access parameters.

  Steps:

  In FMC, navigate to Policies > Access Control > Platform Settings. Create a new Platform Settings policy or edit an existing one.

  In the policy settings, go to the SSH section.

  Enable SSH and specify the inside interface as the allowed interface for SSH access.

  Define the SSH parameters such as allowed IP addresses, user credentials, and other security settings.

  Save and deploy the policy to the FTD device.

  This configuration ensures that SSH access is enabled on the specified interface, allowing secure remote administration.

  References: Cisco Secure Firewall Management Center Administrator Guide, Chapter on Platform Settings.

• Question 60:

  A network engineer is deploying a pair of Cisco Secure Firewall Threat Defense devices managed by Cisco Secure Firewall Management Center for High Availability. Internet access is a high priority for the business and therefore they have invested in internet circuits from two different ISPs. The requirement from the customer is that internet access must be available to their users even if one of the ISPs is down. Which two features must be deployed to achieve this requirement? (Choose two.)

  A. Route Tracking

  B. Redundant interfaces

  C. EtherChannel interfaces

  D. SLA Monitor

  E. BGP

  Correct Answer: AD

  To ensure high availability of internet access when deploying a pair of Cisco Secure Firewall Threat Defense (FTD) devices managed by Cisco Secure Firewall Management Center (FMC), the following features must be deployed:

  Route Tracking: This feature monitors the reachability of a specified target (such as an external IP address) through the configured routes. If the route to the target is lost, the FTD can dynamically adjust the routing to use an alternate path,

  ensuring continuous internet access.

  SLA Monitor: Service Level Agreement (SLA) monitoring works alongside route tracking to continuously verify the status and performance of the internet links. If the SLA for one of the ISP links fails (indicating the link is down or

  underperforming), the FTD can switch traffic to the secondary ISP link.

  Steps to configure:

  In FMC, navigate to Devices > Device Management.

  Select the FTD device and configure route tracking to monitor the ISP links. Configure SLA monitors to continuously check the health and performance of the internet circuits.

  These configurations ensure that internet access remains available to users even if one of the ISPs goes down.

  References: Cisco Secure Firewall Management Center Configuration Guide, Chapter on High Availability and SLA Monitoring.