Which default action setting in a Cisco FTD Access Control Policy allows all traffic from an undefined application to pass without Snort Inspection?
A. Trust All Traffic
B. Inherit from Base Policy
C. Network Discovery Only
D. Intrusion Prevention
Correct Answer: A
The default action setting in a Cisco FTD Access Control Policy determines how the system handles and logs traffic that is not handled by any other access control configuration. The default action can block or trust all traffic without further inspection, or inspect traffic for intrusions and discovery data. The Trust All Traffic option allows all traffic from an undefined application to pass without Snort inspection. This option also disables Security Intelligence filtering, file and malware inspection, and URL filtering for all traffic handled by the default action. This option is useful when you want to minimize the performance impact of access control on your network.
The other options are incorrect because:
The Inherit from Base Policy option inherits the default action setting from the base policy. The base policy is the predefined access control policy that you use as a starting point for creating your own policies. Depending on which base policy you choose, the inherited default action setting can be different.
The Network Discovery Only option inspects all traffic for discovery data only. This option enables Security Intelligence filtering for all traffic handled by the default action, but disables file and malware inspection, URL filtering, and intrusion inspection. This option is useful when you want to collect information about your network before you configure access control rules.
The Intrusion Prevention option inspects all traffic for intrusions and discovery data. This option enables Security Intelligence filtering, file and malware inspection, URL filtering, and intrusion inspection for all traffic handled by the default action. This option provides the most comprehensive protection for your network, but also has the most performance impact.
Question 82:
A network administrator is reviewing a weekly scheduled attacks risk report and notices a host that is flagged for an impact 2 attack. Where should the administrator look within Cisco FMC to find out more relevant information about this host and attack?
A. Analysis > Lookup > Whols
B. Analysis > Correlation > Correlation Events
C. Analysis > Hosts > Vulnerabilities
D. Analysis > Hosts > Host Attributes
Correct Answer: C
The Analysis > Hosts > Vulnerabilities page in Cisco FMC displays information about the hosts on the network and their associated vulnerabilities. The administrator can filter the hosts by impact level, which indicates how likely an attack is to succeed against a host. An impact level of 2 means that the host was attacked and is potentially vulnerable, but no exploit was confirmed. The administrator can click on a host to view more details, such as its IP address, operating system, applications, protocols, and intrusion events. The administrator can also view the details of each vulnerability, such as its CVE ID, description, severity, and recommended actions.
Question 83:
A network administrator is reviewing a monthly advanced malware risk report and notices a host that is listed as CnC Connected. Where must the administrator look within Cisco FMC to further determine if this host is infected with malware?
A. Analysis > Hosts > Indications of Compromise
B. Analysis > Files > Malware Events
C. Analysis > Hosts > Host Attributes
D. Analysis > Files > Network File Trajectory
Correct Answer: A
To determine if a host is infected with malware, the network administrator can look at the Indications of Compromise (IOC) feature in Cisco FMC. The IOC feature analyzes network and endpoint data collected by Firepower sensors and AMP for Endpoints connectors, and identifies hosts that exhibit signs of compromise or infection. The IOC feature uses predefined rules based on Cisco Talos intelligence and other sources to detect IOCs on hosts. One of these rules is CnC Connected, which indicates that a host has communicated with a command-and-control (CnC) server that is known to be associated with malware activity. To view the IOC information for a host, the network administrator can navigate to Analysis > Hosts > Indications of Compromise in Cisco FMC, and select a host from the table. The IOC Details page will show the IOC events for that host, including the CnC Connected event, along with other information such as severity, timestamp, source, destination, protocol, and rule name. The network administrator can also view more details about each IOC event by clicking on it.
The other options are incorrect because:
Analysis > Files > Malware Events shows information about files that have been detected as malware by Firepower sensors or AMP for Endpoints connectors. This does not show information about hosts that are infected with malware or have communicated with CnC servers.
Analysis > Hosts > Host Attributes shows information about hosts that have been discovered by Firepower sensors, such as IP address, MAC address, operating system, applications, users, vulnerabilities, and so on. This does not show information about IOCs or CnC connections on hosts.
Analysis > Files > Network File Trajectory shows information about files that have traversed your network and have been detected by Firepower sensors or AMP for Endpoints connectors. This allows you to track where a file came from, where it went, and what happened to it along the way. This does not show information about hosts that are infected with malware or have communicated with CnC servers.
Question 84:
An engineer is configuring URL filtering for a Cisco FTD device in Cisco FMC. Users must receive a warning when they access http://www.badadultsite.com with the option of continuing to the website if they choose to. No other websites should be blocked. Which two actions must the engineer take to meet these requirements? (Choose two.)
A. On the HTTP Responses tab of the access control policy editor, set the Block Response Page to Custom.
B. On the HTTP Responses tab of the access control policy editor, set the Interactive Block Response Page to system-provided.
C. Configure the default action for the access control policy to Interactive Block.
D. Configure an access control rule that matches the Adult URL category and set the action to Interactive Block.
E. Configure an access control rule that matches a URL object for http://www.badadultsite.com and set the action to Interactive Block.
Correct Answer: BE
To configure URL filtering for a Cisco FTD device in Cisco FMC and meet the requirements of the question, the engineer must do the following:
On the HTTP Responses tab of the access control policy editor, set the Interactive Block Response Page to system-provided. This enables the system to display a warning page to users when they try to access a blocked URL and gives them the option to continue or cancel. The system-provided page is a default page that contains a generic message and a logo.
Configure an access control rule that matches a URL object for http://www.badadultsite.com and set the action to Interactive Block. This applies the interactive block action to the specific URL defined in the URL object. The interactive block action triggers the interactive block response page configured in the previous step.
The other options are incorrect because:
On the HTTP Responses tab of the access control policy editor, setting the Block Response Page to Custom does not affect the interactive block action. The block response page is used when the action is set to Block, not Interactive Block.
Configuring the default action for the access control policy to Interactive Block applies the interactive block action to all URLs that are not matched by any access control rule. This does not meet the requirement that no other websites be blocked.
Configuring an access control rule that matches the Adult URL category and sets the action to Interactive Block applies the interactive block action to all URLs that belong to the Adult category. This does not meet the requirement of blocking only http://www.badadultsite.com.
Question 85:
What is a limitation to consider when running a dynamic routing protocol on a Cisco FTD device in IRB mode?
A. Only link-state routing protocols are supported.
B. Only distance vector routing protocols are supported.
C. Only EtherChannel interfaces are supported.
D. Only nonbridge interfaces are supported.
Correct Answer: D
Integrated routing and bridging (IRB) is a feature that allows you to route between different bridge groups on a Cisco FTD device. A bridge group is a logical interface that acts as a container for one or more physical or logical interfaces that belong to the same layer 2 broadcast domain. You can assign an IP address to a bridge group interface (BVI) and enable routing protocols on it, just like a regular routed interface. However, when you run a dynamic routing protocol on a Cisco FTD device in IRB mode, you can only use nonbridge interfaces as routing peers. You cannot use bridge group interfaces or bridge group member interfaces as routing peers. This is because the routing protocol packets are sent and received on the nonbridge interfaces, and the bridge group interfaces are used only for forwarding data traffic.
Question 86:
A security engineer must integrate an external feed containing STIX/TAXII data with Cisco FMC. Which feature must be enabled on the Cisco FMC to support this connection?
A. Cisco Success Network
B. Cisco Secure Endpoint Integration
C. Threat Intelligence Director
D. Security Intelligence Feeds
Correct Answer: C
Question 87:
An organization is implementing Cisco FTD using transparent mode in the network. Which rule in the default Access Control Policy ensures that this deployment does not create a loop in the network?
A. ARP inspection is enabled by default.
B. Multicast and broadcast packets are denied by default.
C. STP BPDU packets are allowed by default.
D. ARP packets are allowed by default.
Correct Answer: C
Question 88:
When using Cisco Threat Response, which phase of the Intelligence Cycle publishes the results of the investigation?
A. direction
B. dissemination
C. processing
D. analysis
Correct Answer: B
Disseminate: The dissemination phase publishes the results of the investigation or threat hunt. This information is disseminated with a focus on the receivers of the information. At the tactical level, this information feeds back into the beginning of the F3EAD model, Find. Figure 3 illustrates the F3EAD model.
Question 89:
An engineer is troubleshooting HTTP traffic to a web server using the packet capture tool on Cisco FMC. When reviewing the captures, the engineer notices that there are a lot of packets that are not sourced from or destined to the web server being captured. How can the engineer reduce the strain of capturing packets for irrelevant traffic on the Cisco FTD device?
A. Use the host filter in the packet capture to capture traffic to or from a specific host.
B. Redirect the packet capture output to a .pcap file that can be opened with Wireshark.
C. Use the -c option to restrict the packet capture to only the first 100 packets.
D. Use an access-list within the packet capture to permit only HTTP traffic to and from the web server.
Correct Answer: A
Question 90:
An engineer is setting up a remote access VPN on a Cisco FTD device and wants to define which traffic gets sent over the VPN tunnel. Which named object type in Cisco FMC must be used to accomplish this task?