Cisco CCNP Security 300-710 Questions & Answers

• Question 71:

  A security engineer must configure policies tor a recently deployed Cisco FTD. The security policy for the company dictates that when five or more connections from external sources are initiated within 2 minutes, there is cause for concern. Which type of policy must be configured in Cisco FMC \z generate an alert when this condition is triggered?

  A. application detector

  B. access control

  C. intrusion

  D. correlation

  Correct Answer: D

  A correlation policy is a feature that allows you to respond in real time to threats or specific conditions on your network, using correlation rules. A correlation rule can trigger when the system generates a specific type of event, or when your

  network traffic deviates from its normal profile1. When a correlation rule triggers, the system generates a correlation event and can also launch a response, such as sending an alert, blocking an IP address, or scanning a host1. In this case,

  the security engineer can configure a correlation rule that triggers when the system detects five or more connections from external sources within 2 minutes. The engineer can also configure a response that sends an alert to the FMC or an

  email recipient when this condition is triggered. The engineer can then create a correlation policy that includes this rule and activate it on the FTD device1.

  The other options are incorrect because:

  An application detector is a feature that allows you to detect web applications, clients, and application protocols based on patterns in network traffic. An application detector does not generate alerts based on the number of connections from

  external sources2.

  An access control policy is a feature that allows you to control traffic flow through your network and inspect traffic for intrusions, malware, and files. An access control policy does not generate alerts based on the number of connections from

  external sources3.

  An intrusion policy is a feature that allows you to detect and prevent malicious network activity using Snort rules. An intrusion policy does not generate alerts based on the number of connections from external sources4.

• Question 72:

  When an engineer captures traffic on a Cisco FTD to troubleshoot a connectivity problem, they receive a large amount of output data in the GUI tool. The engineer found that viewing the Captures this way is time-consuming and difficult lo son and filter. Which file type must the engineer export the data in so that it can be reviewed using a tool built for this type of analysis?

  A. NetFlow v9

  B. PCAP

  C. NetFlow v5

  D. IPFIX

  Correct Answer: B

  When capturing traffic on a Cisco FTD device to troubleshoot a connectivity problem, a file type that can be exported for reviewing using a tool built for this type of analysis is PCAP. PCAP stands for Packet Capture and it is a file format used to store network packet data captured from a network interface8. PCAP files contain the raw data of network packets, including the headers and payloads of each packet8. PCAP files are widely used in network analysis and troubleshooting tasks. They enable network administrators, analysts, and researchers to inspect and analyze network traffic for various purposes, such as diagnosing network issues, detecting malicious activity, measuring network performance, and understanding network protocols8. PCAP files can be read by applications that understand that format, such as Wireshark, tcpdump, CA NetMaster, or Microsoft Network Monitor8. The other options are incorrect because: NetFlow v9 is not a file type, but a protocol for collecting and exporting information about network flows. A network flow is a sequence of packets that share common attributes such as source and destination IP addresses, ports, and protocols9. NetFlow v9 records contain summary information about network flows, such as start and end times, byte counts, packet counts, and so on9. NetFlow v9 records do not contain the raw data of network packets. NetFlow v5 is not a file type, but an earlier version of the NetFlow protocol for collecting and exporting information about network flows. NetFlow v5 records contain similar information as NetFlow v9 records, but with fewer fields and less flexibility10. NetFlow v5 records do not contain the raw data of network packets. IPFIX is not a file type, but a protocol for collecting and exporting information about network flows. IPFIX stands for IP Flow Information Export and it is based on NetFlow v9, but with some extensions and improvements11. IPFIX records contain similar information as NetFlow v9 records, but with more fields and more flexibility11. IPFIX records do not contain the raw data of network packets.

• Question 73:

  An engineer Is configuring a Cisco FTD device to place on the Finance VLAN to provide additional protection tor company financial data. The device must be deployed without requiring any changes on the end user workstations, which currently use DHCP lo obtain an IP address. How must the engineer deploy the device to meet this requirement?

  A. Deploy the device in routed mode and allow DHCP traffic in the access control policies.

  B. Deploy the device in routed made aid enable the DHCP Relay feature.

  C. Deploy the device in transparent mode and allow DHCP traffic in the access control policies

  D. Deploy the device in transparent mode and enable the DHCP Server feature.

  Correct Answer: C

  Transparent mode allows the FTD device to act as a "bump in the wire" that does not affect the IP addressing of the network. The end user workstations will not need any changes to their configuration, as they will still receive an IP address from the same DHCP server. However, the FTD device must allow DHCP traffic in the access control policies, otherwise it will block the DHCP requests and replies1

• Question 74:

  A network administrator reviews me attack risk report and notices several Low-Impact attacks. What does this type of attack indicate?

  A. All attacks are listed as low until manually categorized.

  B. The host is not vulnerable to those attacks.

  C. The attacks are not dangerous to the network.

  D. The host is not within the administrator's environment.

  Correct Answer: B

  A low-impact attack indicates that the host is not vulnerable to those attacks. A low-impact attack is an attack that does not exploit any known vulnerability on the target host or does not match any signature or anomaly rule on the FTD

  device5. A low-impact attack does not mean that the attack is not dangerous to the network or that the host is not within the administrator's environment. It simply means that the attack did not succeed in compromising or affecting the host.

  The other options are incorrect because:

  All attacks are not listed as low until manually categorized. The FTD device automatically assigns an impact level to each attack based on various factors, such as vulnerability information, threat score, and confidence rating5. The impact

  level can be high, medium, or low, depending on how likely and how severe the attack is.

  The attacks are not necessarily harmless to the network. A low-impact attack may still cause some damage or disruption to the network, such as consuming bandwidth, generating noise, or distracting attention from other attacks6. A low-

  impact attack may also indicate that the attacker is probing or scanning the network for potential vulnerabilities or weaknesses7. The host is not necessarily outside the administrator's environment. A low-impact attack can target any host on

  the network, regardless of its location or ownership. A low-impact attack does not imply that the host is external or irrelevant to the administrator's environment.

• Question 75:

  An engineer is configuring a custom application detector for HTTP traffic and wants to import a file that was provided by a third party. Which type of flies are advanced application detectors creates and uploaded as?

  A. Perl script

  B. NBAR protocol

  C. LUA script

  D. Python program

  Correct Answer: C

  A custom application detector is a user-defined script that can detect web applications, clients, and application protocols based on patterns in network traffic. Custom application detectors are written in LUA, which is a lightweight and

  embeddable scripting language. LUA scripts can use predefined functions and variables provided by the Firepower System to access packet data and metadata, and to specify the detection criteria and the application information1.

  To import a custom application detector file that was provided by a third party, you need to follow these steps1:

  In the FMC web interface, navigate to Objects > Object Management > Application Detectors.

  Click Import.

  Browse to the location of the LUA script file and select it.

  Click Upload.

  Review the detector details and click Save.

  The other options are incorrect because:

  Perl script is not a supported format for custom application detectors. Perl is a general-purpose programming language that is not embedded in the Firepower System. NBAR protocol is not a file type, but a feature of Cisco IOS routers that

  can classify and monitor network traffic based on application types. NBAR protocols are predefined and cannot be imported as custom application detectors. Python program is not a supported format for custom application detectors. Python

  is a general-purpose programming language that is not embedded in the Firepower System.

• Question 76:

  An engineer is configuring a custom intrusion rule on Cisco FMC. The engineer needs the rule to search the payload or stream for the string "|45 5* 26 27 4 0A|*. Which Keyword must the engineer use with this stung lo create an argument for packed inspection?

  A. metadata

  B. Content

  C. Protected _ content

  D. data

  Correct Answer: B

  The content keyword is used to specify a string or pattern to search for in the payload or stream of a packet. The string must be enclosed in quotation marks and can use modifiers such as nocase, depth, offset, and so on. The string can also use hexadecimal notation by using a pipe symbol (|) before and after the hexadecimal characters. For example, content:"|45 5* 26 27 4 0A|" will match any payload or stream that contains the hexadecimal bytes 45 5 26 27 4 0A followed by any number of bytes2

• Question 77:

  An engineer must deploy a Cisco FTD device. Management wants to examine traffic without requiring network changes that will disrupt end users. Corporate security policy requires the separation of management traffic from data traffic and the use of SSH over Telnet for remote administration. How must the device be deployed to meet these requirements?

  A. in routed mode with a diagnostic interface

  B. in transparent mode with a management Interface

  C. in transparent made with a data interface

  D. in routed mode with a bridge virtual interface

  Correct Answer: B

  To deploy a Cisco FTD device that meets the requirements of the question, the engineer must use transparent mode with a management interface. Transparent mode is a firewall configuration in which the FTD device acts as a "bump in the wire" or a "stealth firewall" and is not seen as a router hop to connected devices. In transparent mode, the FTD device can examine traffic without requiring network changes that will disrupt end users, such as changing IP addresses or routing configurations1. A management interface is a dedicated interface that is used for managing the FTD device and separating management traffic from data traffic. A management interface can be configured to allow SSH access for remote administration, which is more secure than Telnet2. The other options are incorrect because: Routed mode is a firewall configuration in which the FTD device acts as a router and performs address translation and routing for connected networks. Routed mode requires network changes that may disrupt end users, such as changing IP addresses or routing configurations1. A diagnostic interface is a special interface that is used for troubleshooting and capturing traffic on the FTD device. A diagnostic interface does not separate management traffic from data traffic or allow SSH access for remote administration. Transparent mode with a data interface does not meet the requirement of separating management traffic from data traffic. A data interface is a regular interface that is used for passing and inspecting traffic on the FTD device. A data interface does not allow SSH access for remote administration2. Routed mode with a bridge virtual interface (BVI) does not meet the requirement of examining traffic without requiring network changes that will disrupt end users. A BVI is a logical interface that acts as a container for one or more physical or logical interfaces that belong to the same layer 2 broadcast domain. A BVI allows the FTD device to route between different bridge groups on the same security module/engine. However, routed mode still requires network changes that may disrupt end users, such as changing IP addresses or routing configurations.

• Question 78:

  An engineer must investigate a connectivity issue from an endpoint behind a Cisco FTD device and a public DNS server. The endpoint cannot perform name resolution queries. Which action must the engineer perform to troubleshoot the issue by simulating real DNS traffic on the Cisco FTD while verifying the Snarl verdict?

  A. Perform a Snort engine capture using tcpdump from the FTD CLI.

  B. Use the Capture w/Trace wizard in Cisco FMC.

  C. Create a Custom Workflow in Cisco FMC.

  D. Run me system support firewall-engine-debug command from me FTD CLI.

  Correct Answer: B

  The Capture w/Trace wizard in Cisco FMC allows you to capture packets on an FTD device and trace their path through the Snort engine. This can help you troubleshoot connectivity issues from an endpoint behind an FTD device and a

  public DNS server, as well as verify the Snort verdict for the DNS traffic. The Capture w/Trace wizard lets you specify the source and destination IP addresses, ports, and protocols for the packets you want to capture and trace, as well as the

  FTD device and interface where you want to perform the capture. You can also apply filters to limit the capture size and duration. After you start the capture, you can ping the DNS server from the endpoint and then view the captured packets

  and their Snort verdicts in the FMC web interface2. To use the Capture w/Trace wizard in Cisco FMC, you need to follow these steps2:

  In the FMC web interface, navigate to Troubleshooting > Capture/Trace.

  Click New Capture.

  Choose an FTD device from the Device drop-down list. Choose an interface from the Interface drop-down list. Enter the source and destination IP addresses, ports, and protocols for the packets you want to capture and trace. For example, if

  you want to capture DNS queries from an endpoint with IP address 10.1.1.100 to a DNS server with IP address 8.8.8.8, you can enter these values:

  Optionally, apply filters to limit the capture size and duration. For example, you can set the maximum number of packets to capture, the maximum capture file size, or the maximum capture time.

  Click Start.

  Ping the DNS server from the endpoint and wait for some packets to be captured.

  Click Stop to stop the capture.

  Click View Capture to see the captured packets and their Snort verdicts.

  The other options are incorrect because:

  Performing a Snort engine capture using tcpdump from the FTD CLI will not allow you to trace the path of the packets through the Snort engine or verify their Snort verdicts. Tcpdump is a command-line tool that can capture packets on an

  FTD device, but it does not provide any information about how Snort processes those packets or what actions Snort takes on them2. Creating a Custom Workflow in Cisco FMC will not help you troubleshoot a connectivity issue from an

  endpoint behind an FTD device and a public DNS server. A Custom Workflow is a user-defined set of pages that display event data in different formats, such as tables, charts, maps, and so on. A Custom Workflow does not allow you to

  capture or trace packets on an FTD device3. Running the system support firewall-engine-debug command from the FTD CLI will not allow you to simulate real DNS traffic on the FTD device or verify the Snort verdict for that traffic. The

  firewall-engine- debug command is a diagnostic tool that can generate synthetic packets and send them through the Snort engine on an FTD device. The synthetic packets are not real network traffic and do not affect any connections or

  policies on the FTD device4.

• Question 79:

  An engineer plans to reconfigure an existing Cisco FTD from transparent mode to routed mode. Which additional action must be taken to maintain communication Between me two network segments?

  A. Configure a NAT rule so mat traffic between the segments is exempt from NAT.

  B. Update the IP addressing so that each segment is a unique IP subnet.

  C. Deploy inbound ACLs on each interface to allow traffic between the segments.

  D. Assign a unique VLAN ID for the interface in each segment.

  Correct Answer: B

  When reconfiguring an existing Cisco FTD from transparent mode to routed mode, an additional action that must be taken to maintain communication between the two network segments is to update the IP addressing so that each segment is a unique IP subnet. This is because in routed mode, the FTD device acts as a router hop in the network and requires each interface to be on a different subnet. In transparent mode, the FTD device acts as a layer 2 firewall and does not require different subnets for each interface1. The other options are incorrect because: Configuring a NAT rule so that traffic between the segments is exempt from NAT is not necessary to maintain communication between the two network segments. NAT is used to translate IP addresses between different networks, but it does not affect the routing of packets. Moreover, NAT is optional in routed mode and can be disabled if not needed2. Deploying inbound ACLs on each interface to allow traffic between the segments is not required to maintain communication between the two network segments. ACLs are used to control access to network resources based on source and destination addresses, protocols, and ports. They do not affect the routing of packets. Furthermore, ACLs are optional in routed mode and can be configured as needed3. Assigning a unique VLAN ID for the interface in each segment is not relevant to maintain communication between the two network segments. VLANs are used to create logical groups of hosts that share the same broadcast domain, regardless of their physical location or connection. They do not affect the routing of packets. Besides, VLANs are not supported in routed mode and can only be used in transparent mode4.

• Question 80:

  A consultant Is working on a project where the customer is upgrading from a single Cisco Firepower 2130 managed by FDM to a pair of Cisco Firepower 2130s managed oy FMC tor nigh availability. The customer wants the configures of the existing device being managed by FDM to be carried over to FMC and then replicated to the additional: device being added to create the high availability pair. Which action must the consultant take to meet this requirement?

  A. The current FDM configuration must be configured by hand into FMC before the devices are registered.

  B. The current FDM configuration will be converted automatically into FMC when the device registers.

  C. The current FDM configuration must be migrated to FMC using the Secure Firewall Migration Tool.

  D. The FTD configuration must be converted to ASA command format, which can then be migrated to FMC.

  Correct Answer: C

  https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-fdm/fdm-to-threat-defense-using-the-migraton-tool/m-fdm-managed-device-to-threat-defense-workflow.html