300-710 Flashcards

1
Q

What is a result of enabling Cisco FTD clustering?

A. For the dynamic routing feature, if the master unit fails, the newly elected master unit maintains all existing connections.
B. Integrated Routing and Bridging is supported on the master unit.
C. Site-to-site VPN functionality is limited to the master unit, and all VPN connections are dropped if the master unit fails.
D. All Firepower appliances support Cisco FTD clustering.

A

Answer C

2
Q

Which two conditions are necessary for high availability to function between two Cisco FTD devices? (Choose two.)

A. The units must be the same version
B. Both devices can be part of a different group that must be in the same domain when configured within the FMC.
C. The units must be different models if they are part of the same series.
D. The units must be configured only for firewall routed mode.
E. The units must be the same model.

A

Answer A, E

3
Q

On the advanced tab under inline set properties, which allows interfaces to emulate a passive interface?

A. transparent inline mode
B. TAP mode
C. strict TCP enforcement
D. propagate link state

A

Answer B

Tap Mode — Set to inline tap mode.

4
Q

What are the minimum requirements to deploy a managed device inline?

A. inline interfaces, security zones, MTU, and mode
B. passive interface, MTU, and mode
C. inline interfaces, MTU, and mode
D. passive interface, security zone, MTU, and mode

A

Answer C

5
Q

What is the difference between inline and inline tap on Cisco Firepower?

A. Inline tap mode can send a copy of the traffic to another device.
B. Inline tap mode does full packet capture.
C. Inline mode cannot do SSL decryption.
D. Inline mode can drop malicious traffic.

A

Answer D

6
Q

With Cisco FTD software, which interface mode must be configured to passively receive traffic that passes through the appliance?

A. inline set
B. passive
C. routed
D. inline tap

A

Answer D

With tap mode, the FTD is deployed inline, but the network traffic flow is undisturbed. Instead, the FTD makes a copy of each packet so that it can analyze the packets.

7
Q

Which two deployment types support high availability? (Choose two.)

A. transparent
B. routed
C. clustered
D. intra-chassis multi-instance
E. virtual appliance in public cloud

A

Answer A, B

8
Q

Which protocol establishes network redundancy in a switched Firepower device deployment?

A. STP
B. HSRP
C. GLBP
D. VRRP

A

Answer A

9
Q

Which interface type allows packets to be dropped?

A. passive
B. inline
C. ERSPAN
D. TAP

A

Answer B

10
Q

With Cisco Firepower Threat Defense, which two interface settings are required when configuring a routed interface? (Choose two.)

A. Redundant Interface
B. EtherChannel
C. Speed
D. Media Type
E. Duplex

A

Answer C, E

11
Q

Which two dynamic routing protocols are supported in Cisco FTD without using FlexConfig? (Choose two.)

A. EIGRP
B. OSPF
C. static routing
D. IS-IS
E. BGP

A

Answer B, E

12
Q

Which policy rule is included in the deployment of a local DMZ during the initial deployment of a Cisco NGFW through the Cisco FMC GUI?

A. a default DMZ policy for which only a user can change the IP addresses.
B. deny ip any
C. no policy rule is included
D. permit ip any

A

Answer C

13
Q

What are two application layer preprocessors? (Choose two.)

A. CIFS
B. IMAP
C. SSL
D. DNP3
E. ICMP

A

Answer B, C

14
Q

An engineer is implementing Cisco FTD in the network and is determining which Firepower mode to use. The organization needs to have multiple virtual Firepower devices working separately inside of the FTD appliance to provide traffic segmentation. Which deployment mode should be configured in the Cisco Firepower Management Console to support these requirements?

A. multi-instance
B. multiple deployment
C. single deployment
D. single-context

A

Answer A

15
Q

A network engineer is extending a user segment through an FTD device for traffic inspection without creating another IP subnet. How is this accomplished on an FTD device in routed mode?

A. by assigning an inline set interface
B. by using a BVI and creating a BVI IP address in the same subnet as the user segment
C. by leveraging the ARP to direct traffic through the firewall
D. by bypassing protocol inspection by leveraging pre-filter rules

A

Answer B

16
Q

An engineer is configuring a Cisco FTD appliance in IPS-only mode and needs to utilize fail-to-wire interfaces. Which interface mode should be used to meet these requirements?

A. passive
B. routed
C. transparent
D. inline set

A

Answer D

17
Q

An organization has noticed that malware was downloaded from a website that does not currently have a known bad reputation. How will this issue be addressed globally in the quickest way possible and with the least amount of impact?

A. by creating a URL object in the policy to block the website.
B. Cisco Talos will automatically update the policies.
C. by denying outbound web access
D. by isolating the endpoint

A

Answer B

18
Q

The event dashboard within the Cisco FMC has been inundated with low priority intrusion drop events, which are overshadowing high priority events. An engineer has been tasked with reviewing the policies and reducing the low priority events. Which action should be configured to accomplish this task?

A. drop packet
B. generate events
C. drop connection
D. drop and generate

A

Answer A

Drop packets — Click Set this rule to drop the triggering packet… to set the rule to drop packets that trigger it.
If your managed device is deployed inline on your network, you can set the rule that triggered the event to drop packets that trigger the rule in all policies that you can edit locally.

19
Q

With Cisco FTD integrated routing and bridging, which interface does the bridge group use to communicate with a routed interface?

A. subinterface
B. switch virtual
C. bridge virtual
D. bridge group member

A

Answer C

20
Q

An engineer is setting up a new Firepower deployment and is looking at the default FMC policies to start the implementation. During the initial trial phase, the organization wants to test some common Snort rules while still allowing the majority of network traffic to pass. Which default policy should be used?

A. Balanced Security and Connectivity
B. Security Over Connectivity
C. Maximum Detection
D. Connectivity Over Security

A

Answer D

21
Q

An engineer is configuring a second Cisco FMC as a standby device but is unable to register with the active unit. What is causing this issue?

A. The code versions running on the Cisco FMC devices are different.
B. The licensing purchased does not include high availability.
C. The primary FMC currently has devices connected to it.
D. There is only 10 Mbps of bandwidth between the two devices.

A

Answer A

Before configuring FMC HA make sure that…
* Hardware is identical (no mix and match between virtual and/or physical form factors)
* Software release is identical on both FMCs
* There are no sensors registered to the secondary FMC

22
Q

While configuring FTD, a network engineer wants to ensure that traffic passing through the appliance does not require routing or VLAN rewriting. Which interface mode should the engineer implement to accomplish this task?

A. inline set
B. passive
C. transparent
D. inline tap

A

Answer A

An inline set acts like a bump on the wire, and binds two interfaces together to slot into an existing network. This function allows the FTD to be installed in any network environment without the configuration of adjacent network devices.

23
Q

A mid-sized company is experiencing higher network bandwidth utilization due to a recent acquisition. The network operations team is asked to scale up their one Cisco FTD appliance deployment to higher capacities due to the increased network bandwidth. Which design option should be used to accomplish this goal?

A. Deploy multiple Cisco FTD HA pairs in clustering mode to increase performance.
B. Deploy multiple Cisco FTD appliances in firewall clustering mode to increase performance.
C. Deploy multiple Cisco FTD appliances using VPN load-balancing to scale performance.
D. Deploy multiple Cisco FTD HA pairs to increase performance.

A

Answer B

24
Q

In a multi-tenant deployment where multiple domains are in use, which update should be applied outside of the Global Domain?

A. minor upgrade
B. local import of intrusion rules
C. Cisco Geolocation Database
D. local import of major upgrade

A

Answer B

In a multidomain deployment, you can import local intrusion rules in any domain. You can view local intrusion rules imported in the current domain and ancestor domains.

25
Q

An organization has a compliancy requirement to protect servers from clients, however, the clients and servers all reside on the same Layer 3 network. Without readdressing IP subnets for clients or servers, how is segmentation achieved?

A. Change the IP addresses of the servers, while remaining on the same subnet.
B. Deploy a firewall in routed mode between the clients and servers.
C. Change the IP addresses of the clients, while remaining on the same subnet.
D. Deploy a firewall in transparent mode between the clients and servers.

A

Answer D

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices. However, like any other firewall, access control between interfaces is controlled, and all of the usual firewall checks are in place. Layer 2 connectivity is achieved by using a “bridge group” where you group together the inside and outside interfaces for a network, and the Firepower Threat Defense device uses bridging techniques to pass traffic between the interfaces. Each bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network. You can have multiple bridge groups for multiple networks. In transparent mode, these bridge groups cannot communicate with each other.

26
Q

Network traffic coming from an organization’s CEO must never be denied. Which access control policy configuration option should be used if the deployment engineer is not permitted to create a rule to allow all traffic?

A. Change the intrusion policy from security to balance.
B. Configure a trust policy for the CEO.
C. Configure firewall bypass.
D. Create a NAT policy just for the CEO.

A

Answer B

27
Q

What is a characteristic of bridge groups on a Cisco FTD?

A. In routed firewall mode, routing between bridge groups is supported.
B. Routing between bridge groups is achieved only with a router-on-a-stick configuration on a connected router.
C. In routed firewall mode, routing between bridge groups must pass through a routed interface.
D. In transparent firewall mode, routing between bridge groups is supported.

A

Answer A

28
Q

A Cisco FTD device is running in transparent firewall mode with a VTEP bridge group member ingress interface. What must be considered by an engineer tasked with specifying a destination MAC address for a packet trace?

A. The output format option for the packet logs is unavailable.
B. Only the UDP packet type is supported.
C. The destination MAC address is optional if a VLAN ID value is entered.
D. The VLAN ID and destination MAC address are optional.

A

Answer C

As long as an interface is in a bridge group, Destination MAC is optional if you provide a VLAN ID value.

29
Q

With Cisco FTD software, which interface mode must be configured to passively receive traffic that passes through the appliance?

A. ERSPAN
B. firewall
C. tap
D. IPS-only

A

Answer D

Only two answers are possible from the start: B and D. There are only two interface modes on FTD: "You can deploy FTD interfaces in two modes: Regular firewall mode and IPS-only mode. You can include both firewall and IPS-only interfaces on the same device. IPS-only interfaces can be deployed as the following types: Inline Set, with optional Tap mode". So you could have an IPS-only inline set with tap mode, which makes it an IDS and therefore passive. Firewall interface mode can be deployed as Routed or as Bridge Groups with a BVI.

30
Q

An engineer is monitoring network traffic from their sales and product development departments, which are on two separate networks. What must be configured in order to maintain data privacy for both departments?

A. Use passive IDS ports for both departments.
B. Use a dedicated IPS inline set for each department to maintain traffic separation.
C. Use 802.1Q inline set Trunk interfaces with VLANs to maintain logical traffic separation.
D. Use one pair of inline set in TAP mode for both departments.

A

Answer A

31
Q

A hospital network needs to upgrade their Cisco FMC managed devices and needs to ensure that a disaster recovery process is in place. What must be done in order to minimize downtime on the network?
A. Configure a second circuit to an ISP for added redundancy.
B. Keep a copy of the current configuration to use as backup.
C. Configure the Cisco FMCs for failover.
D. Configure the Cisco FMC managed devices for clustering.

A

Answer B

32
Q

An organization has implemented Cisco Firepower without IPS capabilities and now wants to enable inspection for their traffic. They need to be able to detect protocol anomalies and utilize the Snort rule sets to detect malicious behavior. How is this accomplished?

A. Modify the network discovery policy to detect new hosts to inspect.
B. Modify the access control policy to redirect interesting traffic to the engine.
C. Modify the intrusion policy to determine the minimum severity of an event to inspect.
D. Modify the network analysis policy to process the packets for inspection.

A

Answer B

A network analysis policy (NAP) governs how traffic is decoded and preprocessed so that it can be further evaluated, especially for anomalous traffic that might signal an intrusion attempt.
To apply intrusion policies to network traffic, you select the policy within an access control rule that allows traffic. You do not directly assign intrusion policies.

33
Q

An engineer is tasked with deploying an internal perimeter firewall that will support multiple DMZs. Each DMZ has a unique private IP subnet range. How is this requirement satisfied?

A. Deploy the firewall in transparent mode with access control policies
B. Deploy the firewall in routed mode with access control policies
C. Deploy the firewall in routed mode with NAT configured
D. Deploy the firewall in transparent mode with NAT configured

A

Answer B

34
Q

An engineer must configure high availability for the Cisco Firepower devices. The current network topology does not allow for two devices to pass traffic concurrently. How must the devices be implemented in this environment?

A. in active/active mode
B. in a cluster span EtherChannel
C. in active/passive mode
D. in cluster interface mode

A

Answer C

35
Q

When deploying a Cisco ASA Firepower module, an organization wants to evaluate the contents of the traffic without affecting the network. It is currently configured to have more than one instance of the same device on the physical appliance. Which deployment mode meets the needs of the organization?

A. inline tap monitor-only mode
B. passive monitor-only mode
C. passive tap monitor-only mode
D. inline mode

A

Answer A

36
Q

An organization has a Cisco FTD that uses bridge groups to pass traffic from the inside interfaces to the outside interfaces. They are unable to gather information about neighboring Cisco devices or use multicast in their environment. What must be done to resolve this issue?

A. Create a firewall rule to allow CDP traffic
B. Create a bridge group with the firewall interfaces
C. Change the firewall mode to transparent
D. Change the firewall mode to routed

A

Answer C

37
Q

A network engineer implements a new Cisco Firepower device on the network to take advantage of its intrusion detection functionality. There is a requirement to analyze the traffic going across the device, alert on any malicious traffic, and appear as a bump in the wire. How should this be implemented?

A. Specify the BVI IP address as the default gateway for connected devices
B. Enable routing on the Cisco Firepower
C. Add an IP address to the physical Cisco Firepower interfaces
D. Configure a bridge group in transparent mode

A

Answer D

38
Q

Which two conditions must be met to enable high availability between two Cisco FTD devices? (Choose two.)

A. same flash memory size
B. same NTP configuration
C. same DHCP/PPPoE configuration
D. same host name
E. same number of interfaces

A

Answer B, E

In order to create an HA pair between two FTD devices, these conditions must be met:

* Same model
* Same version (this applies to FXOS and to FTD: the major (first number), minor (second number), and maintenance (third number) numbers must be equal)
* Same number of interfaces
* Same type of interfaces
* Both devices part of the same group/domain in FMC
* Identical Network Time Protocol (NTP) configuration
* Fully deployed on the FMC without uncommitted changes
* Same firewall mode: routed or transparent. Check this on both FTD devices and in the FMC GUI, since there have been cases where the FTDs had the same mode but the FMC did not reflect it.
* No DHCP or Point-to-Point Protocol over Ethernet (PPPoE) configured on any interface
* Different hostnames (Fully Qualified Domain Names (FQDNs)) on the two chassis; the chassis hostname can be checked from the FTD CLI
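A pre-flight check for the conditions above, written as an added example for this card (it is not code from the flashcard deck or from Cisco). It compares two device records field by field and reports every prerequisite that fails; the record layout, the `FtdDevice` fields and the three sample devices are assumptions made for the illustration, so in practice the values come from the FMC device page and the FTD CLI.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FtdDevice:
    """Assumed record of what an engineer reads off the FMC device page and FTD CLI."""
    hostname: str
    model: str
    version: str                 # FTD software version, e.g. "7.0.4" or "7.0.4-55"
    firewall_mode: str           # "routed" or "transparent"
    interfaces: tuple            # ((name, type), ...), e.g. (("Ethernet1/1", "physical"),)
    ntp_servers: tuple           # NTP server addresses
    fmc_domain: str              # FMC domain/group the device is registered in
    dhcp_pppoe_interfaces: tuple = ()   # interfaces running a DHCP or PPPoE client
    pending_deploy: bool = False        # uncommitted changes waiting on the FMC


def version_tuple(version: str) -> tuple:
    """Major, minor and maintenance numbers; a build suffix such as '-55' is ignored."""
    numbers = version.split("-")[0].split(".")
    parts = [int(n) for n in numbers[:3]]
    while len(parts) < 3:          # "7.2" is treated as 7.2.0
        parts.append(0)
    return tuple(parts)


def ha_prerequisite_failures(primary: FtdDevice, secondary: FtdDevice) -> list:
    """Return the reasons this pair cannot form an HA pair; an empty list means it can."""
    failures = []
    if primary.model != secondary.model:
        failures.append(f"model differs: {primary.model} vs {secondary.model}")
    if version_tuple(primary.version) != version_tuple(secondary.version):
        failures.append(f"version differs: {primary.version} vs {secondary.version}")
    if len(primary.interfaces) != len(secondary.interfaces):
        failures.append("number of interfaces differs")
    elif sorted(t for _, t in primary.interfaces) != sorted(t for _, t in secondary.interfaces):
        failures.append("interface types differ")
    if primary.firewall_mode != secondary.firewall_mode:
        failures.append(f"firewall mode differs: {primary.firewall_mode} vs {secondary.firewall_mode}")
    if sorted(primary.ntp_servers) != sorted(secondary.ntp_servers):
        failures.append("NTP configuration differs")
    if primary.fmc_domain != secondary.fmc_domain:
        failures.append("devices are registered in different FMC domains")
    if primary.hostname == secondary.hostname:
        failures.append(f"hostnames must differ (both are {primary.hostname})")
    for dev in (primary, secondary):
        if dev.dhcp_pppoe_interfaces:
            failures.append(f"{dev.hostname}: DHCP/PPPoE client on {', '.join(dev.dhcp_pppoe_interfaces)}")
        if dev.pending_deploy:
            failures.append(f"{dev.hostname}: undeployed changes on the FMC")
    return failures


# Constructed sample devices (not real inventory).
_IFACES = (("Ethernet1/1", "physical"), ("Ethernet1/2", "physical"), ("Ethernet1/3", "physical"))
PRIMARY = FtdDevice(hostname="ftd-a.example.net", model="Firepower 2130", version="7.0.4",
                    firewall_mode="routed", interfaces=_IFACES,
                    ntp_servers=("10.0.0.5", "10.0.0.6"), fmc_domain="Global")
SECONDARY = FtdDevice(hostname="ftd-b.example.net", model="Firepower 2130", version="7.0.4",
                      firewall_mode="routed", interfaces=_IFACES,
                      ntp_servers=("10.0.0.6", "10.0.0.5"), fmc_domain="Global")
# A candidate that breaks several rules at once: version, interface count, mode,
# duplicate hostname, a DHCP client interface and an undeployed change.
SECONDARY_BAD = FtdDevice(hostname="ftd-a.example.net", model="Firepower 2130", version="7.0.5",
                          firewall_mode="transparent", interfaces=_IFACES[:2],
                          ntp_servers=("10.0.0.5", "10.0.0.6"), fmc_domain="Global",
                          dhcp_pppoe_interfaces=("Ethernet1/2",), pending_deploy=True)

if __name__ == "__main__":
    for label, candidate in (("good pair", SECONDARY), ("bad pair", SECONDARY_BAD)):
        problems = ha_prerequisite_failures(PRIMARY, candidate)
        print(label, "->", "OK" if not problems else "; ".join(problems))
```

The version comparison follows the card's wording (major, minor and maintenance must match) and deliberately ignores a trailing build number; if your FMC release also insists on identical builds, compare the full string instead.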

39
Q

An engineer is building a new access control policy using Cisco FMC. The policy must inspect a unique IPS policy as well as log rule matching. Which action must be taken to meet these requirements?

A. Configure an IPS policy and enable per-rule logging
B. Disable the default IPS policy and enable global logging
C. Configure an IPS policy and enable global logging
D. Disable the default IPS policy and enable per-rule logging

A

Answer A

40
Q

Which two OSPF routing features are configured in Cisco FMC and propagated to Cisco FTD? (Choose two.)

A. OSPFv2 with IPv6 capabilities
B. virtual links
C. SHA authentication to OSPF packets
D. area boundary router type 1 LSA filtering
E. MD5 authentication to OSPF packets

A

Answer B, E

The Firepower Threat Defense device supports the following OSPF features:

Intra-area, inter-area, and external (Type I and Type II) routes.

Virtual links.

LSA flooding.

Authentication to OSPF packets (both password and MD5 authentication).

Configuring the Firepower Threat Defense device as a designated router or a designated backup router. The Firepower Threat Defense device also can be set up as an ABR.

Stub areas and not-so-stubby areas.

Area boundary router Type 3 LSA filtering.

41
Q

When creating a report template, how are the results limited to show only the activity of a specific subnet?

A. Create a custom search in Cisco FMC and select it in each section of the report.
B. Add an Input Parameter in the Advanced Settings of the report, and set the type to Network/IP.
C. Add a Table View section to the report with the Search field defined as the network in CIDR format.
D. Select IP Address as the X-Axis in each section of the report.

A

Answer B

42
Q

What is the disadvantage of setting up a site-to-site VPN in a clustered-units environment?

A. VPN connections can be re-established only if the failed master unit recovers.
B. Smart License is required to maintain VPN connections simultaneously across all cluster units.
C. VPN connections must be re-established when a new master unit is elected.
D. Only established VPN connections are maintained when a new master unit is elected.

A

Answer C

43
Q

What are two features of bridge-group interfaces in Cisco FTD? (Choose two.)

A. The BVI IP address must be in a separate subnet from the connected network.
B. Bridge groups are supported in both transparent and routed firewall modes.
C. Bridge groups are supported only in transparent firewall mode.
D. Bidirectional Forwarding Detection echo packets are allowed through the FTD when using bridge-group members.
E. Each directly connected network must be on the same subnet.

A

Answer B, E

Bridge Group Guidelines (Transparent and Routed Mode):
You can create up to 250 bridge groups, with 64 interfaces per bridge group. Each directly-connected network must be on the same subnet.

44
Q

Which command is run on an FTD unit to associate the unit to an FMC manager that is at IP address 10.0.0.10, and that has the registration key Cisco123?

A. configure manager local 10.0.0.10 Cisco123
B. configure manager add Cisco123 10.0.0.10
C. configure manager local Cisco123 10.0.0.10
D. configure manager add 10.0.0.10 Cisco123

A

Answer D

45
Q

Which two actions can be used in an access control policy rule? (Choose two.)

A. Block with Reset
B. Monitor
C. Analyze
D. Discover
E. Block ALL

A

Answer A, B

46
Q

Which two routing options are valid with Cisco FTD? (Choose two.)

A. BGPv6
B. ECMP with up to three equal cost paths across multiple interfaces
C. ECMP with up to three equal cost paths across a single interface
D. BGPv4 in transparent firewall mode
E. BGPv4 with nonstop forwarding

A

Answer A, C

47
Q

Which object type supports object overrides?

A. time range
B. security group tag
C. network object
D. DNS server group

A

Answer C

48
Q

Which Cisco Firepower rule action displays an HTTP warning page?

A. Monitor
B. Block
C. Interactive Block
D. Allow with Warning

A

Answer C

49
Q

What is the result of specifying a QoS rule that has a rate limit greater than the maximum throughput of an interface?

A. The rate-limiting rule is disabled.
B. Matching traffic is not rate limited.
C. The system rate-limits all traffic.
D. The system repeatedly generates warnings.

A

Answer B

If you specify a limit greater than the maximum throughput of an interface, the system does not rate limit matching traffic. Maximum throughput may be affected by an interface’s hardware configuration, which you specify in each device’s properties (Devices > Device Management).

50
Q

Which Firepower feature allows users to configure bridges in routed mode and enables devices to perform Layer 2 switching between interfaces?

A. FlexConfig
B. BDI
C. SGT
D. IRB

A

Answer D

Integrated Routing and Bridging (IRB) : Customers often want to have multiple physical interfaces configured to be part of the same VLAN. The IRB feature meets this demand by allowing users to configure bridges in routed mode, and enables the devices to perform L2 switching between interfaces (including subinterfaces).

51
Q

In which two places are thresholding settings configured? (Choose two.)

A. on each IPS rule
B. globally, within the network analysis policy
C. globally, per intrusion policy
D. on each access control rule
E. per preprocessor, within the network analysis policy

A

Answer A, C

You can set a global threshold across all traffic to limit how often events from a specific source or destination are logged and displayed per specified time period.

You can set thresholds per shared object rule, standard text rule, or preprocessor rule in your intrusion policy configuration.
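The three threshold types behave differently over a time window, and the difference matters when you are using thresholds to tame a noisy rule. The simulation below is an added example (not code from the flashcard deck, Cisco or Snort): it models limit, threshold and both, tracked by source or destination address, and runs them over a constructed set of events. The `Event` layout and the sample events are assumptions for the illustration.

```python
from collections import namedtuple

# One intrusion event: timestamp in seconds, Snort rule ID, source and destination address.
Event = namedtuple("Event", "ts sid src dst")


class Threshold:
    """One threshold as set on an intrusion rule (or globally in the intrusion policy).

    kind:    "limit"     - log the first `count` events per window, suppress the rest
             "threshold" - log every `count`-th event within the window
             "both"      - log once per window, when the count reaches `count`
    track:   "by_src" or "by_dst", the address the counter is keyed on
    seconds: counting window, started by the first event seen for a key
    """

    def __init__(self, kind: str, track: str, count: int, seconds: int):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError(f"unknown threshold type {kind!r}")
        if track not in ("by_src", "by_dst"):
            raise ValueError(f"unknown tracking mode {track!r}")
        self.kind, self.track, self.count, self.seconds = kind, track, count, seconds
        self._windows = {}  # (sid, address) -> (window_start, events_seen)

    def _key(self, ev: Event) -> tuple:
        return (ev.sid, ev.src if self.track == "by_src" else ev.dst)

    def admit(self, ev: Event) -> bool:
        """True if this event is logged/displayed, False if the threshold suppresses it."""
        key = self._key(ev)
        start, seen = self._windows.get(key, (None, 0))
        if start is None or ev.ts - start >= self.seconds:
            start, seen = ev.ts, 0           # first event for this key, or the window expired
        seen += 1
        self._windows[key] = (start, seen)
        if self.kind == "limit":
            return seen <= self.count
        if self.kind == "threshold":
            return seen % self.count == 0
        return seen == self.count            # "both"


def logged_events(kind: str, track: str, count: int, seconds: int, events) -> list:
    """Feed time-ordered events through one threshold; return (ts, src) of those logged."""
    th = Threshold(kind, track, count, seconds)
    return [(ev.ts, ev.src) for ev in events if th.admit(ev)]


# Constructed sample: a noisy host trips rule 1:2000 once a second for ten seconds, a
# second host trips it once, and the noisy host comes back after the window has expired.
NOISY, QUIET, TARGET = "10.1.1.5", "10.1.1.6", "192.0.2.10"
SAMPLE_EVENTS = sorted(
    [Event(t, "1:2000", NOISY, TARGET) for t in range(10)]
    + [Event(4, "1:2000", QUIET, TARGET), Event(70, "1:2000", NOISY, TARGET)],
    key=lambda e: e.ts,
)

if __name__ == "__main__":
    for kind in ("limit", "threshold", "both"):
        print(f"{kind:9} by_src 3/60s ->", logged_events(kind, "by_src", 3, 60, SAMPLE_EVENTS))
    print("limit     by_dst 2/60s ->", logged_events("limit", "by_dst", 2, 60, SAMPLE_EVENTS))
```

Tracking by destination pools every source hitting the same target into one counter, which is why the `by_dst` run suppresses the quiet host's single event while the `by_src` runs log it; pick the tracking mode to match what you are actually trying to de-duplicate.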

52
Q

In which two ways do access control policies operate on a Cisco Firepower system? (Choose two.)

A. Traffic inspection is interrupted temporarily when configuration changes are deployed.
B. The system performs intrusion inspection followed by file inspection.
C. They block traffic based on Security Intelligence data.
D. File policies use an associated variable set to perform intrusion prevention.
E. The system performs a preliminary inspection on trusted traffic to validate that it matches the trusted parameters.

A

Answer A, C

53
Q

Which two types of objects are reusable and supported by Cisco FMC? (Choose two.)

A. dynamic key mapping objects that help link HTTP and HTTPS GET requests to Layer 7 application protocols.
B. reputation-based objects that represent Security Intelligence feeds and lists, application filters based on category and reputation, and file lists
C. network-based objects that represent IP addresses and networks, port/protocol pairs, VLAN tags, security zones, and origin/destination country
D. network-based objects that represent FQDN mappings and networks, port/protocol pairs, VXLAN tags, security zones and origin/destination country
E. reputation-based objects, such as URL categories

A

Answer B, C

54
Q

A security engineer is configuring an Access Control Policy for multiple branch locations. These locations share a common rule set and utilize a network object called INSIDE_NET which contains the locally significant internal network subnets at each location. What technique will retain the policy consistency at each location but allow only the locally significant network subnet within the application rules?

A. utilizing a dynamic ACP that updates from Cisco Talos
B. creating a unique ACP per device
C. utilizing policy inheritance
D. creating an ACP with an INSIDE_NET network object and object overrides

A

Answer D

Object override allows you to create a single object with multiple values, which is what they’re doing for the two different networks sharing one rule set

55
Q

An organization has seen a lot of traffic congestion on their links going out to the internet. There is a Cisco Firepower device that processes all of the traffic going to the internet prior to leaving the enterprise. How is the congestion alleviated so that legitimate business traffic reaches the destination?

A. Create a NAT policy so that the Cisco Firepower device does not have to translate as many addresses.
B. Create a flexconfig policy to use WCCP for application aware bandwidth limiting.
C. Create a QoS policy rate-limiting high bandwidth applications.
D. Create a VPN policy so that direct tunnels are established to the business applications.

A

Answer C

56
Q

An engineer configures an access control rule that deploys file policy configurations to security zone or tunnel zones, and it causes the device to restart. What is the reason for the restart?

A. Source or destination security zones in the access control rule matches the security zones that are associated with interfaces on the target devices.
B. The source tunnel zone in the rule does not match a tunnel zone that is assigned to a tunnel rule in the destination policy.
C. Source or destination security zones in the source tunnel zone do not match the security zones that are associated with interfaces on the target devices.
D. The source tunnel zone in the rule does not match a tunnel zone that is assigned to a tunnel rule in the source policy.

A

Answer A

Note that access control rules that deploy these file policy configurations to security zones or tunnel zones cause a restart only when your configuration meets the following conditions:

Source or destination security zones in your access control rule must match the security zones associated with interfaces on the target devices.

Unless the destination zone in your access control rule is any, a source tunnel zone in the rule must match a tunnel zone assigned to a tunnel rule in the prefilter policy.

57
Q

An engineer is attempting to create a new dashboard within the Cisco FMC to have a single view with widgets from many of the other dashboards. The goal is to have a mixture of threat and security related widgets along with Cisco Firepower device health information. Which two widgets must be configured to provide this information? (Choose two.)

A. Intrusion Events
B. Correlation Information
C. Appliance Status
D. Current Sessions
E. Network Compliance

A

Answer A, C

58
Q

There is an increased amount of traffic on the network and for compliance reasons, management needs visibility into the encrypted traffic. What is a result of enabling TLS/SSL decryption to allow this visibility?

A. It prompts the need for a corporate managed certificate.
B. It will fail if certificate pinning is not enforced.
C. It has minimal performance impact.
D. It is not subject to any Privacy regulations.

A

Answer A

59
Q

An organization is setting up two new Cisco FTD devices to replace their current firewalls and cannot have any network downtime. During the setup process, the synchronization between the two devices is failing. What action is needed to resolve this issue?

A. Confirm that both devices are running the same software version.
B. Confirm that both devices are configured with the same types of interfaces.
C. Confirm that both devices have the same flash memory sizes.
D. Confirm that both devices have the same port-channel numbering.

A

Answer C

Confirm that both devices have the same flash memory sizes.
If you are using units with different flash memory sizes in your High Availability configuration, make sure the unit with the smaller flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger flash memory to the unit with the smaller flash memory will fail.

60
Q

An organization wants to secure traffic from their branch office to the headquarters building using Cisco Firepower devices. They want to ensure that their Cisco Firepower devices are not wasting resources on inspecting the VPN traffic. What must be done to meet these requirements?

A. Configure the Cisco Firepower devices to bypass the access control policies for VPN traffic.
B. Tune the intrusion policies in order to allow the VPN traffic through without inspection.
C. Configure the Cisco Firepower devices to ignore the VPN traffic using prefilter policies.
D. Enable a flexconfig policy to re-classify VPN traffic so that it no longer appears as interesting traffic.

A

Answer C

61
Q

An administrator is working on a migration from Cisco ASA to the Cisco FTD appliance and needs to test the rules without disrupting the traffic. Which policy type should be used to configure the ASA rules during this phase of the migration?

A. Prefilter
B. Intrusion
C. Access Control
D. Identity

A

Answer C

62
Q

A network administrator is seeing an unknown verdict for a file detected by Cisco FTD. Which malware policy configuration option must be selected in order to further analyze the file in the Talos cloud?

A. malware analysis
B. dynamic analysis
C. sandbox analysis
D. Spero analysis

A

Answer B

Spero analysis and dynamic analysis both contribute to the file disposition and both involve a cloud lookup, but Spero analysis applies only to executable files, and the question says "a file". Dynamic analysis submits the file itself to the sandbox cloud for detonation, which is what resolves an unknown verdict.

63
Q

An engineer has been tasked with providing disaster recovery for an organization’s primary Cisco FMC. What must be done on the primary and secondary Cisco FMCs to ensure that a copy of the original corporate policy is available if the primary Cisco FMC fails?

A. Restore the primary Cisco FMC backup configuration to the secondary Cisco FMC device when the primary device fails.
B. Connect the primary and secondary Cisco FMC devices with Category 6 cables of not more than 10 meters in length.
C. Configure high-availability in both the primary and secondary Cisco FMCs.
D. Place the active Cisco FMC device on the same trusted management network as the standby device.

A

Answer C

64
Q

An engineer is attempting to add a new FTD device to their FMC behind a NAT device with a NAT ID of ACME001 and a password of Cisco0391521107. Which command set must be used in order to accomplish this?

A. configure manager add <FMC> <registration> ACME001
B. configure manager add ACME001 <registration> <FMC>
C. configure manager add <FMC> ACME001 <registration>
D. configure manager add DONTRESOLVE <FMC> AMCE001 <registration>

A

Answer A

The FTD CLI command takes its arguments in a fixed order: the FMC hostname or IP address (or DONTRESOLVE when the FMC itself is behind NAT and cannot be reached by address), then the registration key, then the optional NAT ID. The same registration key and NAT ID must be entered on the FMC side when the device is added, otherwise registration fails.

65
Q

Refer to the exhibit. An organization has an access control rule with the intention of sending all social media traffic for inspection. After using the rule for some time, the administrator notices that the traffic is not being inspected, but is being automatically allowed. What must be done to address this issue?

A. Add the social network URLs to the block list.
B. Change the intrusion policy to connectivity over security.
C. Modify the selected application within the rule.
D. Modify the rule action from trust to allow.

A

Answer D

Rule 4: Allow is the final rule. For this rule, matching traffic is allowed; however, prohibited files, malware, intrusions, and exploits within that traffic are detected and blocked. Remaining non-prohibited, non-malicious traffic is allowed to its destination, though it is still subject to identity requirements and rate limiting. You can configure Allow rules that perform only file inspection, or only intrusion inspection, or neither.

66
Q

A user within an organization opened a malicious file on a workstation which in turn caused a ransomware attack on the network. What should be configured within the Cisco FMC to ensure the file is tested for viruses on a sandbox system?

A. Spero analysis
B. capacity handling
C. local malware analysis
D. dynamic analysis

A

Answer D

67
Q

An engineer configures a network discovery policy on Cisco FMC. Upon configuration, it is noticed that excessive and misleading events are filling the database and overloading the Cisco FMC. A monitored NAT device is executing multiple updates of its operating system in a short period of time. What configuration change must be made to alleviate this issue?

A. Exclude load balancers and NAT devices.
B. Leave default networks.
C. Increase the number of entries on the NAT device.
D. Change the method to TCP/SYN.

A

Answer A

The system can identify many load balancers and NAT devices by examining your network traffic.

68
Q

A network administrator notices that remote access VPN users are not reachable from inside the network. It is determined that routing is configured correctly; however, return traffic is entering the firewall but not leaving it. What is the reason for this issue?

A. A manual NAT exemption rule does not exist at the top of the NAT table
B. An external NAT IP address is not configured
C. An external NAT IP address is configured to match the wrong interface
D. An object NAT exemption rule does not exist at the top of the NAT table

A

Answer A

NAT exemption is configured as a manual (twice) NAT identity rule in Section 1 of the NAT table, which is evaluated before the auto/object NAT rules in Section 2. Without it, return traffic from the inside network to the VPN pool is matched by the object NAT rule (typically dynamic PAT to the outside interface), so it is translated instead of being sent back through the tunnel.
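The ordering point above can be checked offline against a saved copy of `show running-config nat` from the FTD (the LINA-style output). The script below is an added example, not code from the flashcard deck or from Cisco: it parses the output into the three NAT sections the firewall evaluates in order, finds the first rule that would match inside-to-pool return traffic, and reports whether that rule is an identity (exemption) rule. The object names INSIDE_NET and VPN_POOL and both sample configurations are constructed assumptions; matching is done on object names rather than addresses, which is enough to show the section ordering but not a full NAT simulator.

```python
"""Check whether an ASA/FTD NAT table exempts inside-to-VPN-pool traffic.

Added example (not from the flashcards or Cisco). Parses LINA-style
`show running-config nat` text into the three NAT sections evaluated in order:
  1. manual NAT   - top-level `nat (...) source ...` lines without `after-auto`
  2. object NAT   - `nat` lines indented under `object network NAME`
  3. manual NAT   - top-level lines carrying `after-auto`
Object names and sample configs below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Manual (twice) NAT: nat (real_if,mapped_if) [after-auto] [line] source static|dynamic
#   REAL MAPPED [destination static MAPPED REAL] [options]
MANUAL_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<after>after-auto )?(?:\d+ )?"
    r"source (?:static|dynamic) (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?"
    r"(?P<opts>.*)$"
)


@dataclass
class NatRule:
    section: int
    src_real: str
    src_mapped: str
    dst_real: Optional[str]
    dst_mapped: Optional[str]
    raw: str


def parse_nat_config(config: str) -> List[NatRule]:
    """Return NAT rules in configuration order, tagged with their section."""
    rules: List[NatRule] = []
    current_object: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("object network "):
            current_object = line.split()[2]
            continue
        stripped = line.strip()
        if line.startswith(" ") and current_object and stripped.startswith("nat ("):
            # Object NAT: the enclosing object is the real source; the last token is
            # the mapped object or the keyword `interface` (dynamic PAT).
            rules.append(NatRule(2, current_object, stripped.split()[-1], None, None, stripped))
            continue
        current_object = None  # any other top-level line ends the object block
        m = MANUAL_RE.match(stripped)
        if m:
            section = 3 if m.group("after") else 1
            rules.append(NatRule(section, m.group("src_real"), m.group("src_mapped"),
                                 m.group("dst_real"), m.group("dst_mapped"), stripped))
    return rules


def first_match(rules: List[NatRule], source: str, destination: str) -> Optional[NatRule]:
    """First rule that matches traffic from `source` to `destination`, section 1 -> 2 -> 3.
    Object NAT rules have no destination criterion, so they match any destination."""
    for section in (1, 2, 3):
        for r in rules:
            if r.section != section or r.src_real != source:
                continue
            if r.dst_real is not None and r.dst_real != destination:
                continue
            return r
    return None


def exemption_status(rules: List[NatRule], inside: str, pool: str) -> str:
    """'exempt' if the winning rule is an identity rule for the pool, otherwise
    which rule would translate the return traffic instead."""
    hit = first_match(rules, inside, pool)
    if hit is None:
        return "missing"
    identity = hit.src_real == hit.src_mapped and hit.dst_real == hit.dst_mapped
    if identity and hit.dst_real == pool:
        return "exempt"
    return f"translated by section {hit.section}: {hit.raw}"


# Constructed sample: exemption in Section 1 ahead of the object NAT PAT rule.
GOOD_CONFIG = """\
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
object network INSIDE_NET
 nat (inside,outside) dynamic interface
"""

# Constructed sample: the identity rule was placed after-auto, so Section 2 wins.
BROKEN_CONFIG = """\
object network INSIDE_NET
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, "->", exemption_status(parse_nat_config(cfg), "INSIDE_NET", "VPN_POOL"))
```

Run it against a real `show running-config nat` capture by reading the file into `parse_nat_config` and passing the object names used for the inside network and the RA VPN address pool; a result other than `exempt` means the identity rule is missing or sits behind an object NAT rule that translates the return traffic first.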