Cisco CCNP Security 350-701 Questions & Answers

• Question 271:

  An administrator is adding a new switch onto the network and has configured AAA for network access control. When testing the configuration, the RADIUS authenticates to Cisco ISE but is being rejected. Why is the ip radius source-interface command needed for this configuration?

  A. Only requests that originate from a configured NAS IP are accepted by a RADIUS server

  B. The RADIUS authentication key is transmitted only from the defined RADIUS source interface

  C. RADIUS requests are generated only by a router if a RADIUS source interface is defined.

  D. Encrypted RADIUS authentication requires the RADIUS source interface be defined

  Correct Answer: A

  https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfrad.html#wp1027454

• Question 272:

  Which category includes DoS Attacks?

  A. Virus attacks

  B. Trojan attacks

  C. Flood attacks

  D. Phishing attacks

  Correct Answer: C

• Question 273:

  In which scenario is endpoint-based security the solution?

  A. inspecting encrypted traffic

  B. device profiling and authorization

  C. performing signature-based application control

  D. inspecting a password-protected archive

  Correct Answer: C

• Question 274:

  An engineer is configuring Cisco Umbrella and has an identity that references two different policies. Which action ensures that the policy that the identity must use takes precedence over the second one?

  A. Configure the default policy to redirect the requests to the correct policy

  B. Place the policy with the most-specific configuration last in the policy order

  C. Configure only the policy with the most recently changed timestamp

  D. Make the correct policy first in the policy order

  Correct Answer: D

• Question 275:

  A network engineer must configure a Cisco ESA to prompt users to enter two forms of information before gaining access The Cisco ESA must also join a cluster machine using preshared keys. What must be configured to meet these requirements?

  A. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco ESA CLI.

  B. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco ESA GUI

  C. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the Cisco ESA GUI.

  D. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the Cisco ESA CLI

  Correct Answer: A

  https://www.cisco.com/c/ja_jp/td/docs/security/esa/esa11-0/user_guide_fs/b_ESA_Admin_Guide_fs/b_ESA_Admin_Guide_fs_chapter_0101000.html

• Question 276:

  Refer to the exhibit.

  

  Consider that any feature of DNS requests, such as the length off the domain name and the number of subdomains, can be used to construct models of expected behavior to which observed values can be compared. Which type of malicious attack are these values associated with?

  A. Spectre Worm

  B. Eternal Blue Windows

  C. Heartbleed SSL Bug

  D. W32/AutoRun worm

  Correct Answer: D

• Question 277:

  An engineer needs to configure an access control policy rule to always send traffic for inspection without using the default action. Which action should be configured for this rule?

  A. monitor

  B. allow

  C. block

  D. trust

  Correct Answer: B

  https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc- config-guidev623/access_control_using_intrusion_and_file_policies.html#:~:text=File%20Policies- ,Access%20Control%20Traffic%20Handling%20with%20Intrusion%20and%20File%20Poli cies,-The%20following%20diagram the first three access control rules in the policy--Monitor, Trust, and Block--cannot inspect matching traffic. Monitor rules track and log but do not inspect network traffic, so the system continues to match traffic against additional rules to determine whether to permit or deny it https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc- config-guide-v623/access_control_rules.html#:~:text=Rule%20Blocking%20Actions- ,Access%20Control%20Rule%20Allow%20Action,network% 20discovery%20policy%3B%2 0additionally%2C%20application%20discovery%20is%20limited%20for%20encrypted%20s essions.,-Related%20Concepts

• Question 278:

  An engineer is implementing Cisco CES in an existing Microsoft Office 365 environment and must route inbound email to Cisco CE.. record must be modified to accomplish this task?

  A. CNAME

  B. MX

  C. SPF

  D. DKIM

  Correct Answer: B

• Question 279:

  Refer to the exhibit.

  

  Refer to the exhibit. A Cisco ISE administrator adds a new switch to an 802.1X deployment and has difficulty with some endpoints gaining access.

  Most PCs and IP phones can connect and authenticate using their machine certificate credentials. However printer and video cameras cannot base d on the interface configuration provided, what must be to get these devices on to the network using Cisco ISE for authentication and authorization while maintaining security controls?

  A. Change the default policy in Cisco ISE to allow all devices not using machine authentication .

  B. Enable insecure protocols within Cisco ISE in the allowed protocols configuration.

  C. Configure authentication event fail retry 2 action authorize vlan 41 on the interface

  D. Add mab to the interface configuration.

  Correct Answer: D

  https://community.cisco.com/t5/network-access-control/problems-with-connecting-printers-via-mab/td-p/3528002

• Question 280:

  Which technology limits communication between nodes on the same network segment to individual applications?

  A. serverless infrastructure

  B. microsegmentation

  C. SaaS deployment

  D. machine-to-machine firewalling

  Correct Answer: B