ExamTopics 300-710 Flashcards

Question

An organization has a compliance requirement to protect servers from clients, however, the clients and servers all reside on the same Layer 3 network. Without readdressing IP subnets for clients or servers, how is segmentation achieved? A. Change the IP addresses of the servers, while remaining on the same subnet. B. Deploy a firewall in routed mode between the clients and servers. C. Change the IP addresses of the clients, while remaining on the same subnet. D. Deploy a firewall in transparent mode between the clients and servers.

Answer 1

D. Deploy a firewall in transparent mode between the clients and servers. Verified

Answer 2

B. Configure a trust policy for the CEO. Verified

Answer 3

A. In routed firewall mode, routing between bridge groups is supported. Verified In routed mode: The BVI acts as the gateway between the bridge group and other routed interfaces. To route between bridge groups/routed interfaces, you must name the BVI. For some interface-based features, you can use the BVI itself. https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/intro-fw.pdf

Answer 4

C. The destination MAC address is optional if a VLAN ID value is entered. Verified Specify a Destination MAC Address for the packet trace. If the Firepower Threat Defense device is running in transparent firewall mode, and the ingress interface is VTEP, Destination MAC Address is required if you enter a value in VLAN ID. Whereas if the interface is a bridge group member, **Destination MAC Address is optional if you enter a VLAN ID value, but required if you do not enter a VLAN ID value.** https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/troubleshooting\_the\_system.html

Answer 5

D. IPS-only Verified IPS-only, the traffic passes through the appliance. With ERSPAN, the traffic is coming from the network. IPS-only interfaces can be deployed as the following types: Inline Set, with optional Tap mode—An inline set acts like a bump on the wire, and binds two interfaces together to slot into an existing network. This function allows the FTD to be installed in any network environment without the configuration of adjacent network devices. Inline interfaces receive all traffic unconditionally, but all traffic received on these interfaces is retransmitted out of an inline set unless explicitly dropped. With tap mode, the FTD is deployed inline, but the network traffic flow is undisturbed. Instead, the FTD makes a copy of each packet so that it can analyze the packets. Note that rules of these types do generate intrusion events when they are triggered, and the table view of intrusion events indicates that the triggering packets would have dropped in an inline deployment. There are benefits to using tap mode with FTDs that are deployed inline. For example, you can set up the cabling between the FTD and the network as if the FTD were inline and analyze the kinds of intrusion events the FTD generates. Based on the results, you can modify your intrusion policy and add the drop rules that best protect your network without impacting its efficiency. When you are ready to deploy the FTD inline, you can disable tap mode and begin dropping suspicious traffic without having to reconfigure the cabling between the FTD and the network. Why it is not A. ERSPAN The SPAN or mirror port allows for traffic to be copied from other ports on the switch. This function provides the system **visibility within the network without being in the flow of network traffic.**

Answer 6

B. Use a dedicated IPS inline set for each department to maintain traffic separation. netwguy 9 months, 2 weeks ago The phrasing of answer D is terrible. "Use one pair of inline set in TAP mode for both departments". If what is meant is a dedicated pair for each department (two pairs, 4 interfaces), then Answer D is a correct answer (tap for monitoring). If what is meant is only one pair for both networks, then answer D is incorrect, and Answer B more appropriate. Also, note that by "dedicated IPS inline set", what is meant is likely IPS-only, which makes sense for monitoring as well. I will be answering B if this one pops up. upvoted 4 times cryptofetti 9 months, 2 weeks ago Key word here is "monitoring" -\> going w/ B here upvoted 1 times Bobster02 11 months, 2 weeks ago I am still convinced that B is a correct answer: Guidelines for Inline Sets and Passive Interfaces General Guidelines Inline sets and passive interfaces support physical interfaces and EtherChannels only, and cannot use redundant interfaces, VLANs, and so on. Firepower 4100/9300 subinterfaces are also not supported for IPS-only interfaces. For inline sets and passive interfaces, the FTD supports up to two 802.1Q headers in a packet (also known as Q-in-Q support), with the exception of the Firepower 4100/9300, which only supports one 802.1Q header. Note: Firewall-type interfaces do not support Q-in-Q, and only support one 802.1Q header. upvoted 4 times

Answer 7

B. Keep a copy of the current configuration to use as a backup. Verified

Answer 8

B. Modify the access control policy to redirect interesting traffic to the engine. Verified To apply intrusion policies to network traffic, you select the policy within an access control rule that allows traffic. You do not directly assign intrusion policies. You can assign different intrusion policies to provide variable intrusion protection based on the relative risks of the networks you are protecting. For example, you might use the more stringent Security over Connectivity policy for traffic between your inside network and external networks. On the other hand, you might apply the more lenient Connectivity over Security policy for traffic between inside networks. You can also simplify your configuration by using the same policy for all networks. For example, the Balanced Security and Connectivity policy is design to provide good protection without excessively impacting connectivity https://www.cisco.com/c/en/us/td/docs/security/firepower/670/fdm/fptd-fdm-config-guide-670/fptd-fdm-intrusion.html

Answer 9

B. Deploy the firewall in routed mode with access control policies May want to verify. The community strongly suggest B, the site says C with this reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/intro-fw.html

Answer 10

C. in active/passive mode Verified

Answer 11

A. inline tap monitor-only mode Verified Double verified You can configure your ASA FirePOWER module using one of the following deployment models: Inline mode—In an inline deployment, the actual traffic is sent to the ASA FirePOWER module, and the module’s policy affects what happens to the traffic. After dropping undesired traffic and taking any other actions applied by policy, the traffic is returned to the ASA for further processing and ultimate transmission. Inline tap monitor-only mode (ASA inline)—In an inline tap monitor-only deployment, a copy of the traffic is sent to the ASA FirePOWER module, but it is not returned to the ASA. Inline tap mode lets you see what the ASA FirePOWER module would have done to traffic, and lets you evaluate the content of the traffic, without impacting the network. However, in this mode, the ASA does apply its policies to the traffic, so traffic can be dropped due to access rules, TCP normalization, and so forth. Passive monitor-only (traffic forwarding) mode—If you want to prevent any possibility of the ASA with FirePOWER Services device impacting traffic, you can configure a traffic-forwarding interface and connect it to a SPAN port on a switch. In this mode, traffic is sent directly to the ASA FirePOWER module without ASA processing. The traffic is dropped, and nothing is returned from the module, nor does the ASA send the traffic out any interface. You must operate the ASA in single context transparent mode to configure traffic forwarding. Community based answer " Let you evaluate the content of the traffic, without impacting the network. " The question is taken exact sentence from the Cisco site for the Inline tap monitor-only Mode. Please see link below. So A is the correct answer. https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/firewall/asa-910-firewall-config/access-sfr.html The deployment mode that meets the needs of the organization is: A. Inline tap monitor-only mode⁶⁵ In an inline tap monitor-only deployment, a copy of the traffic is sent to the ASA FirePOWER module, but it is not returned to the ASA⁶⁵. This mode allows the organization to see what the ASA FirePOWER module would have done to traffic, and lets them evaluate the content of the traffic, without impacting the network⁶⁵. I hope this helps! If you have any more questions, feel free to ask. 😊 Source: Conversation with Bing, 12/8/2023 (1) CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.10. https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/firewall/asa-910-firewall-config/access-sfr.html. (2) CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.16. https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/configuration/firewall/asa-916-firewall-config/access-sfr.html. (3) Cisco ASA FirePOWER Module Quick Start Guide - Cisco. https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html. (4) Cisco ASA Firepower - Monitor-Only Mode Deployment Question. https://community.cisco.com/t5/network-security/cisco-asa-firepower-monitor-only-mode-deployment-question/td-p/2964686. (5) CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.10. https://bing.com/search?q=Cisco+ASA+Firepower+module+deployment+mode+for+evaluating+traffic+contents+without+affecting+network. (6) Deploying a Cisco ASA Firepower Module: Best Deployment Mode for .... https://www.exam-answer.com/deploy-cisco-asa-firepower-module-multiple-instances. (7) undefined. http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.pdf.

Answer 12

D. Change the firewall mode to routed Not verified Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/ transparent\_or\_routed\_firewall\_mode\_for\_firepower\_threat\_defense.html

Answer 13

## Footnote D. Configure a bridge group in transparent mode Verified Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices. However, like any other firewall, access control between interfaces is controlled, and all of the usual firewall checks are in place. Layer 2 connectivity is achieved by using a "bridge group" where you group together the inside and outside interfaces for a network, and the ASA uses bridging techniques to pass traffic between the interfaces. Each bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network. You can have multiple bridge groups for multiple networks. In transparent mode, these bridge groups cannot communicate with each other. https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/intro-fw.html

Answer 14

B. same NTP configuration E. same number of interfaces Verified https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html Conditions In order to create an HA between 2 FTD devices, these conditions must be met: Same model Same version (this applies to FXOS and to FTD - (major (first number), minor (second number), and maintenance (third number) must be equal)) Same number of interfaces Same type of interfaces Both devices as part of same group/domain in FMC Have identical Network Time Protocol (NTP) configuration Be fully deployed on the FMC without uncommitted changes Be in the same firewall mode: routed or transparent. Note that this must be checked on both FTD devices and FMC GUI since there have been cases where the FTDs had the same mode, but FMC does not reflect this. Does not have DHCP/Point-to-Point Protocol over Ethernet (PPPoE) configured in any of the interfaces Different hostname (Fully Qualified Domain Name (FQDN)) for both chassis. In order to check the chassis hostname navigate to FTD CLI and run this command Therefore original answers are correct: B and E

Answer 15

A. Configure an IPS policy and enable per-rule logging Not verified, but probably is correct based on community.

Answer 16

B. virtual links E. MD5 authentication to OSPF packets Verified B & E are the correct answers as per below : The Firepower Threat Defense device supports the following OSPF features Intra-area, inter-area, and external (Type I and Type II) routes. Virtual links. LSA flooding. Authentication to OSPF packets (both password and MD5 authentication). Configuring the Firepower Threat Defense device as a designated router or a designated backup router. The Firepower Threat Defense device also can be set up as an ABR. Stub areas and not-so-stubby areas. Area boundary router Type 3 LSA filtering. Reference : https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/ospf\_for\_firepower\_threat\_defense.html

Answer 17

B. Add an Input Parameter in the Advanced Settings of the report, and set the type to Network/IP. https://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Reports.html#87267

Answer 18

C. VPN connections must be re-established when a new master unit is elected https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/clustering/ftd-cluster-solution.html#concept\_g32\_yml\_y2b

Answer 19

B. Bridge groups are supported in both transparent and routed firewall modes E. Each directly connected network must be on the same subnet Verified A bridge group is a group of interfaces that the FTD device bridges instead of routes. All interfaces are on the same network. Bridge groups are supported in both transparent and routed firewall modes. Each bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network. The bridge group is represented by a Bridge Virtual Interface (BVI) that has an IP address on the bridge network.

Answer 20

D. configure manager add 10.0.0.10 Cisco123 Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/misc/fmc-ftd-mgmt-nw/fmc-ftd-mgmt-nw.html#id\_106101

Answer 21

A. Block with Reset B. Monitor Verified Correct Answer: AB 🗳️ Reference: https://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AC-Rules-Tuning- Overview.html#71854

Answer 22

A. BGPv6 C. ECMP with up to three equal cost paths across a single interface Verified Equal-Cost Multi-Path (ECMP) Routing The FTD device supports Equal-Cost Multi-Path (ECMP) routing. You can have up to 8 equal cost static or dynamic routes per interface. For example, you can configure multiple default routes on the outside interface that specify different gateways. route for 0.0.0.0 0.0.0.0 through outside to 10.1.1.2 route for 0.0.0.0 0.0.0.0 through outside to 10.1.1.3 route for 0.0.0.0 0.0.0.0 through outside to 10.1.1.4 In this case, traffic is load-balanced on the outside interface between 10.1.1.2, 10.1.1.3, and 10.1.1.4. Traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses, incoming interface, protocol, source and destination ports. https://www.cisco.com/c/en/us/td/docs/security/firepower/660/fdm/fptd-fdm-config-guide-660/fptd-fdm-ospf.html

Answer 23

C. network object Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reusable\_Objects.html#concept\_8BFE8B9A83D742D9B647A74F7AD50053

Answer 24

C. Interactive Block Need to verify https://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/AC-Rules-Tuning-Overview.html#76698

Answer 25

B. Matching traffic is not rate-limited. Verified If you specify a limit greater than the maximum throughput of an interface, the system does not rate limit matching traffic. Maximum throughput may be affected by an interface’s hardware configuration, which you specify in each device’s properties (Devices \> Device Management). Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/quality\_of\_service\_\_qos\_\_for\_firepower\_threat\_defense.html

Answer 26

D. IRB Verified Integrated Routing and Bridging (IRB) : Customers often want to have multiple physical interfaces configured to be part of the same VLAN. The IRB feature meets this demand by allowing users to configure bridges in routed mode, and enables the devices to perform L2 switching between interfaces (including subinterfaces). https: //www.cisco.com/c/en/us/td/docs/security/firepower/620/relnotes/Firepower\_System\_Release\_Notes\_Version\_620/new\_features\_and\_functionality.html https: //www.cisco.com/c/en/us/td/docs/security/firepower/620/relnotes/Firepower\_System\_Release\_Notes\_Version\_620/ new\_features\_and\_functionality.html

Answer 27

A. on each IPS rule C. globally, per intrusion policy Verified Global Rule Thresholding Basics The global rule threshold sets limits for event logging by an intrusion policy. You can set a global rule threshold across all traffic to limit how often the policy logs events from a specific source or destination and displays those events per specified time period. You can also set thresholds per shared object rule, standard text rule, or preprocessor rule in the policy. When you set a global threshold, that threshold applies for each rule in the policy that does not have an overriding specific threshold. Thresholds can prevent you from being overwhelmed with a large number of events. Every intrusion policy contains a default global rule threshold that applies by default to all intrusion rules and preprocessor rules. This default threshold limits the number of events on traffic going to a destination to one event per 60 seconds. You can: Change the global threshold. Disable the global threshold. Override the global threshold by setting individual thresholds for specific rules. For example, you might set a global limit threshold of five events every 60 seconds, but then set a specific threshold of ten events for every 60 seconds for SID 1315. All other rules generate no more than five events in each 60-second period, but the system generates up to ten events for each 60-second period for SID 1315.

Answer 28

B. The system performs intrusion inspection followed by file inspection. C. They block traffic based on Security Intelligence data. Needs verified. Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/ Access\_Control\_Using\_Intrusion\_and\_File\_Policies.html It seems to be A and C When deploying changes SNORT can restart causing traffic interruptions --\> https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/policy\_management.html#reference\_F11C552688424DEF85ED145FA97283B7 I disagree with D because File policies don't make use of Variable sets, those are used for Intrusion policies.

Answer 29

B. reputation-based objects that represent Security Intelligence feeds and lists, application filters based on category and reputation, and file lists C. network-based objects that represent IP addresses and networks, port/protocol pairs, VLAN tags, security zones, and origin/destination country Double Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/reusable\_objects.html#ID-2243-00000414 The two types of objects that are reusable and supported by Cisco FMC are: B. Reputation-based objects that represent Security Intelligence feeds and lists, application filters based on category and reputation, and file lists¹². C. Network-based objects that represent IP addresses and networks, port/protocol pairs, VLAN tags, security zones, and origin/destination country¹². These objects are used for increased flexibility and web interface ease-of-use in the Firepower System¹². They are reusable configurations that associate a name with a value¹². The system supports object use in various places in the web interface, including many policies and rules, event searches, reports, dashboards, and so on¹². Source: Conversation with Bing, 12/7/2023 (1) Firepower Management Center Configuration Guide, Version 6.2 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/reusable_objects.html. (2) Firepower Management Center Configuration Guide, Version 7.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/reusable_objects.html. (3) Reusable Objects Supported by Cisco FMC - Exam-Answer. https://www.exam-answer.com/best-practices-cisco-fmc-reusable-objects. (4) Firepower Management Center Configuration Guide, Version 6.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reusable_Objects.html.

Answer 30

D. creating an ACP with an INSIDE\_NET network object and object overrides Creating an ACP with an INSIDE_NET network object and object overrides is the most appropriate technique to retain policy consistency at each location while allowing only the locally significant network subnet within the application rules

Answer 31

C. Create a QoS policy rate-limiting high bandwidth applications. Verified

Answer 32

A. Source or destination security zones in the access control rule matches the security zones that are associated with interfaces on the target devices. Verified Note that access control rules that deploy these file policy configurations to security zones or tunnel zones cause a restart only when your configuration meets the following conditions: Source or destination security zones in your access control rule must match the security zones associated with interfaces on the target devices. Unless the destination zone in you access control rule is any, a source tunnel zone in the rule must match a tunnel zone assigned to a tunnel rule in the prefilter policy https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/policy\_management.html

Answer 33

A. Intrusion Events C. Appliance Status Not verified but resonable Correct Answer: AC 🗳️ Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/dashboards.html#ID-2206-00000283

Answer 34

A. It prompts the need for a corporate managed certificate. Verified

Answer 35

A. Confirm that both devices are running the same software version. B. Confirm that both devices are configured with the same types of interfaces. The two units in a High Availability configuration must: • Be the same model. • Have the same number and types of interfaces. https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/firepower\_threat\_defense\_high\_availability.html

Answer 36

A. Configure the Cisco Firepower devices to bypass the access control policies for VPN traffic. Not verified but community agrees A is correct answer. Check the following article. https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/prefiltering\_and\_prefilter\_policies.html#id\_31063 According to the article there are limitations to what type of traffic can be offloaded to fastpath. In the above article it is stated that "IPsec and TLS/DTLS VPN connections that terminate on the device" cannot be offloaded.

Answer 37

A. Prefilter Verified During the migration phase from Cisco ASA to Cisco FTD, if the administrator needs to test the rules without disrupting the traffic, the **Prefilter** policy type should be used to configure the ASA rules⁴. The Prefilter policy type matches the 5 tuple state like the ASA³. So, the correct answer is **A. Prefilter**. Source: Conversation with Bing, 12/5/2023 (1) Which policy type should be used to configure the ASA rules during this .... https://vceguide.com/which-policy-type-should-be-used-to-configure-the-asa-rules-during-this-phase-of-the-migration/. (2) Solved: Moving from ASA to FTD/FMC - Cisco Community. https://community.cisco.com/t5/network-security/moving-from-asa-to-ftd-fmc/td-p/3853068. (3) Migrating Cisco Secure Firewall ASA to Cisco Secure Firewall Threat .... https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide/ASA2FTD-with-FP-Migration-Tool/m-asa-to-threat-defense-migration-workflow.html. (4) Migrating Cisco Secure Firewall ASA to Cisco Secure Firewall Threat .... https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide/ASA2FTD-with-FP-Migration-Tool/m_migration_tool_faq.html. (5) Solved: ASA to FTD 1140 migration - Cisco Community. https://community.cisco.com/t5/network-security/asa-to-ftd-1140-migration/td-p/4602199.

Answer 38

B. dynamic analysis Verified Verified twice https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reference\_a\_wrapper\_Chapter\_topic\_here.html

Answer 39

C. Configure high-availability in both the primary and secondary Cisco FMCs. Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower\_management\_center\_high\_availability.html

Answer 40

A. configure manager add ACME001 Not verified but most likely correct https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118596-configure-firesight-00.html

Answer 41

D. Modify the rule action from trust to allow Verified

Answer 42

D. dynamic analysis Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/ file\_policies\_and\_advanced\_malware\_protection.html#ID-2199-000005d8 The answer is correct, and this link will explain each option in case you are interested to know the differences: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reference\_a\_wrapper\_Chapter\_topic\_here.html#ID-2199-000005fa

Answer 43

A. Exclude load balancers and NAT devices. Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Network\_Discovery\_Policies.html

Answer 44

A. A manual NAT exemption rule does not exist at the top of the NAT table Not verified Answer A seems to be correct https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html Confirmed A is correct: https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html

Answer 45

B. The administrator is adding interfaces of multiple types Verified by community B is correct. https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/reusable\_objects.html#ID-2243-000009b4 "All interfaces in an interface object must be of the same type: all inline, passive, switched, routed, or ASA FirePOWER. After you create an interface object, you cannot change the type of interfaces it contains." https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/reusable\_objects.html#ID-2243-000009b4

Answer 46

C. Add the unknown user in the Access Control Policy in Cisco FTD Verified by community Unkown is a special identity that can be used in a rule if you use identity policies. C is correct. https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm- identity.html#concept\_655B055575E04CA49B10186DEBDA301A

Answer 47

A. The option indicates whether the packet was dropped or successful. Verified by community https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/troubleshooting\_the\_system.html#:~:text=Packet%20capture%20is%20available%20with%20the%20trace%20option%2C%20which%20provides%20you%20with%20a%20verdict%20as%20to%20whether%20the%20packet%20is%20dropped%20or%20successful The packet capture feature with trace option allows real packets that are captured on the ingress interface to be traced through the system. The trace information is displayed at a later stage. These packets are not dropped on the egress interface, as they are real data-path traffic. Packet capture for Firepower Threat Defense devices supports troubleshooting and analysis of data packets. Once the packet is acquired, snort detects the tracing flag that is enabled in the packet. Snort writes tracer elements, through which the packet traverses. Snort verdict as a result of capturing packets can be one of DROP/ALLOW/Would DROP. The file-size option is used when you need to capture packets with the size limit more than 32 MB. Correct answer is A. Because - Packet capture is available with the trace option, which provides you with a verdict as to whether the packet is dropped or successful. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/troubleshooting\_the\_system.html#:~:text=Packet%20capture%20is%20available%20with%20the%20trace%20option%2C%20which%20provides%20you%20with%20a%20verdict%20as%20to%20whether%20the%20packet%20is%20dropped%20or%20successful.

Answer 48

C. /etc/sf/DCEALERT.MIB Not verified https://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Intrusion-External- Responses.pdf

Answer 49

C. show managers Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/command\_ref/b\_Command\_Reference\_for\_Firepower\_Threat\_Defense/c\_3.html

Answer 50

C. capture Verified by community Reason: the command "capture-traffic" is used for SNORT Engine Captures. To capture a LINA Engine Capture, you use the "capture" command. Since the Lina Engine represents the actual physical interface of the device, "capture" is the only reasonable choice Reference: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html#anc10 https://community.cisco.com/t5/network-security/firepower-cli-capture-vs-capture-traffic/td-p/4145462

Answer 51

D. unlimited Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Working\_with\_Reports.html

Answer 52

C. Redeploy the updated configuration. Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/reusable\_objects.html

Answer 53

D. thresholding Verified https://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Intrusion-Global- Threshold.html

Answer 54

C. bar chart Verified C is correct -Format - bar / pie / line / table view / detail view - Table -Preset -Search or Filter -X and y axis https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Working\_with\_Reports.html

Answer 55

D. Cisco Talos Verified

Answer 56

Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/ firepower\_management\_center\_high\_availability.html#id\_32288

Answer 57

A. system support firewall-engine-debug Verified https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212330-firepower-management-center-display-acc.html

Answer 58

C. configuration Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/command\_line\_reference.pdf

Answer 59

D. sudo sf\_troubleshoot.pl Verified https://www.cisco.com/c/en/us/support/docs/security/sourcefire-defense-center/117663-technote-SourceFire-00.html

Answer 60

A. system support ssl-client-hello-tuning Verified

Answer 61

D. configure high-availability suspend Verified by community configure high-availability disable Disable high-availability configuration resume Resume temporarily suspended high-availability configuration suspend Temporarily suspend high-availability configuration Confirmed: D is correct choice. https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html

Answer 62

C. system generate-troubleshoot all Verified Firepower Devices Enter this command on FirePOWER devices/modules and virtual managed devices in order to generate a troubleshoot file: > system generate-troubleshoot all Starting /usr/local/sf/bin/sf_troubleshoot.pl... Please, be patient. This may take several minutes. The troubleshoot option code specified is ALL. Troubleshoot information successfully created at /var/common/xxxxxx.tar.gz Correct answer is C (Tip: this is for FTD and not FMC) https://www.cisco.com/c/en/us/support/docs/security/sourcefire-defense-center/117663-technote-SourceFire-00.html#anc12

Answer 63

D. when capture packets exceed 32 MB Verified Cisco Documentation = **The file-size option is used when you need to capture packets with the size limit more than 32 MB.** https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/troubleshooting\_the\_system.html

Answer 64

B. to represent protocols other than TCP, UDP, and ICMP Verified B to represent OTHER protocols. In the FMC GUI, when you create a port object, the Protocol field allows TCP, UDP, ICMP, IPv6-ICMP, and others. When you choose other, a drop-down box becomes enabled, with 50+ additional protocols, none of which I recognized. https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/reusable\_objects.html

Answer 65

A. dashboard Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Using\_Dashboards.html

Answer 66

A. outbound port TCP/443 E. outbound port TCP/80 Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/ Security\_\_Internet\_Access\_\_and\_Communication\_Ports.html

Answer 67

C. 4096 Verified The FMC supports 4096-bit HTTPS certificates. If the certificate used by the FMC was generated using a public server key larger than 4096 bits, you will not be able to log in to the FMC web interface. If this happens, contact Cisco TAC. Correct Answer is 4096, after updating cisco website https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/system\_configuration.html

Answer 68

D. Child domains are not able to view dashboards that originate from an ancestor domain. Verified In a multidomain deployment, you cannot view dashboards from ancestor domains; however, you can create new dashboards that are copies of the higher-level dashboards. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Using\_Dashboards.html

Answer 69

D - Is correct because when a device is deleted and then re-added, the FMC web interface prompts you to re-apply your access control policies. However, there is no option to re-apply the NAT and VPN policies during registration. Any previously applied NAT or VPN configuration will be removed during registration and must be re-applied after registration is complete. E - Is correct because there is no option to re-apply NAT and VPN policies during registration available, so users need to re-apply the policies after registration is completed. Verified A - Is wrong because when a device is deleted and then re-added, the FMC web interface prompts you to re-apply your access control policies. However, there is no option to re-apply the NAT and VPN policies during registration. Any previously applied NAT or VPN configuration will be removed during registration and must be re-applied after registration is complete. https: //www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Device\_Management\_Basics.html https: //www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/device\_management\_basics.html?bookSearch=true

Answer 70

A. User login and history data are removed from the database if the User Activity check box is selected. C. The appropriate process is restarted. Verified You can use the database purge page to purge discovery, identity, connection, and Security Intelligence data files from the FMC databases. Note that when you purge a database, the appropriate process is restarted. https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/management\_center\_database\_purge.pdf

Answer 71

B. source IP E. protocol Verified https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

Answer 72

D. Delete and reregister the device to Cisco FMC. Verified Correct Answer is D If you registered a FMC and a device using IPv4 and want to convert them to IPv6, you must delete and reregister the device. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/device\_management\_basics.html

Answer 73

The correct option is: A. The administrator manually updates the policies. Firepower Management Center (FMC) provides information about the operating systems, servers, and client application protocols detected on your network⁴. However, it does not automatically update the policies. The administrator needs to manually update the policies based on the information provided by FMC¹². This allows you to tailor your intrusion policy to the specific needs of your monitored network⁴. Please note that options B, C, and D are not accurate. While Firepower can provide recommendations and reports, it does not automatically update policies or provide a Remediation Recommendation Report. Source: Conversation with Bing, 10/1/2023 (1) Firepower Management Center Configuration Guide, Version 6.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Tailoring_Intrusion_Protection_to_Your_Network_Assets.html. (2) Firepower Management Center Configuration Guide, Version 6.0. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/fpmc-config-guide-v60_chapter_01110011.html. (3) Firepower Management Center Configuration Guide, Version 6.5. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/system_software_updates.html. (4) Cisco Secure Firewall ASA Upgrade Guide - Upgrade the ASA FirePOWER .... https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/firepower-fmc.html.

Answer 74

B. Correlation Events Verified The Correlation Events widget shows the average number of correlation events per second by priority. ttps://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/dashboards.html#ID-2206-00000283

Answer 75

A. Use the system support firewall-engine-debug command to determine which rules the traffic matching and modify the rule accordingly. Verified The correct option is: A. Use the `system support firewall-engine-debug` command to determine which rules the traffic is matching and modify the rule accordingly⁹[^10^]. This command can help identify which Access Control Policy (ACP) rule a flow is matching. If the connection events do not clearly show what the ACP is doing with the traffic, debugging can be performed on the Firepower Command Line Interface (CLI)⁸. Once the problematic rule is identified, it can be modified to ensure that the desired traffic is not being blocked. Please note that options B, C, and D are not valid commands for troubleshooting application failures through an FTD deployment according to the Cisco Secure Firewall Threat Defense Command Reference¹⁵. Always ensure to use the correct commands for your specific troubleshooting needs. Source: Conversation with Bing, 10/1/2023 (1) Cisco Secure Firewall Threat Defense Command Reference. https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/dr.html. (2) Firepower Data Path Troubleshooting: Overview - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214572-firepower-data-path-troubleshooting-ove.html. (3) Firepower Data Path Troubleshooting Phase 4: Access Control Policy. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214577-firepower-data-path-troubleshooting-phas.html. (4) Cisco Secure Firewall Threat Defense Command Reference. https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/using_the_FTD_CLI.html. (5) Troubleshoot Firepower Threat Defense Policy Deployments. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw-virtual/215258-troubleshooting-firepower-threat-defense.html. (6) How to troubleshoot (or recover from) FTD/FMC Deployment failure. https://community.cisco.com/t5/network-security/how-to-troubleshoot-or-recover-from-ftd-fmc-deployment-failure/td-p/3378966. (7) Solved: Deployment failed due to failure to retrieve running .... https://community.cisco.com/t5/network-security/deployment-failed-due-to-failure-to-retrieve-running/td-p/4048886. (8) Solved: vFMC deploy configuration failed - Cisco Community. https://community.cisco.com/t5/other-security-subjects/vfmc-deploy-configuration-failed/td-p/4600441. (9) Troubleshoot Firepower Threat Defense High Availability Issues. https://www.cisco.com/c/en/us/support/docs/availability/high-availability/217763-troubleshoot-firepower-threat-defense-hi.html. (10) undefined. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk17813/?rfs=iqvred. (11) undefined. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk42088/?rfs=iqvred. (12) Debugging FTD Identity-based Policy - Cisco Community. https://community.cisco.com/t5/security-knowledge-base/debugging-ftd-identity-based-policy/ta-p/4287436. (13) FTD User Identity – integrating IT. https://integratingit.wordpress.com/2019/10/26/ftd-user-identity/. (14) ISE pxGrid integration with FMC – integrating IT. https://integratingit.wordpress.com/2018/08/25/cisco-ise-pxgrid-integration-with-firepower/. (15) Solved: FTD CLI SSH Debugging - Cisco Community. https://community.cisco.com/t5/network-security/ftd-cli-ssh-debugging/td-p/3711562. (16) Use Firepower Threat Defense Captures and Packet Tracer. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html. (17) Configure Firepower Threat Defense (FTD) Management Interface - Cisco. https://www2-realm.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.pdf. (18) Solved: FMC/FTD - Cisco Community. https://community.cisco.com/t5/network-security/fmc-ftd/td-p/4388027. (19) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214574-firepower-data-path-troubleshooting-phas.html. (20) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214575-firepower-data-path-troubleshooting-phas.html. (21) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214576-firepower-data-path-troubleshooting-phas.html. (22) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214581-firepower-data-path-troubleshooting-phas.html. (23) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw-virtual/214608-firepower-data-path-troubleshooting-phas.html. (24) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214609-firepower-data-path-troubleshooting-phas.html. (25) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214610-firepower-data-path-troubleshooting-phas.html.

Answer 76

A. reports Verified

Answer 77

C. A troubleshoot file for the Cisco FMC. Not verified https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/troubleshooting\_the\_system.html

Answer 78

Image is correct. Could not load all images

Answer 79

B. Use the Packet Capture feature to collect real-time network traffic. Verified https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

Answer 80

A. by performing a packet capture on the firewall Verified A is the correct answer -Alan

Answer 81

C. Standard Report Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/working\_with\_reports.html#id\_20016 Standard Reports The Firepower System provides a flexible reporting system that allows you to quickly and easily generate multi-section reports with the event views or dashboards that appear on your Firepower Management Center. You can also design your own custom reports from scratch. A report is a document file formatted in PDF, HTML, or CSV with the content you want to communicate. A report template specifies the data searches and formats for the report and its sections. The Firepower System includes a powerful report designer that automates the design of report templates. You can replicate the content of any event view table or dashboard graphic displayed in the web interface. You can build as many report templates as you need. Each report template defines the individual sections in the report and specifies the database search that creates the report’s content, as well as the presentation format (table, chart, detail view, and so on) and the time frame. Your template also specifies document attributes, such as the cover page and table of contents and whether the document pages have headers and footers (available only for reports in PDF format). You can export a report template in a single configuration package file and import it for reuse on another Firepower Management Center. You can include input parameters in a template to expand its usefulness. Input parameters allow you to produce tailored variations of the same report. When you generate a report with input parameters, the generation process prompts you to enter a value for each input parameter. The values you type constrain the report contents on a one-time basis. For example, you can place an input parameter in the destination IP field of the search that produces an intrusion event report; at report generation time, you can specify a department’s network segment when prompted for the destination IP address. The generated report then contains only information concerning that particular department.

Answer 82

A. Use SSL decryption to analyze the packets. Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-ssl-decryption.html

Answer 83

D. Add the NetFlow\_Add\_Destination object to the configuration. Verified

Answer 84

C. Configure the system clock settings to use NTP. Verified Because NTP is based on UTC which does not have a daylight savings time period, a switchover is not necessary inside the NTP system. The operation systems of servers and clients are solely responsible for switching from/to DST. See also: How time zones are handled with NTP?

Answer 85

B. Redeploy configurations to affected devices so that additional memory is allocated to the SI module. Verified by community

Answer 86

D. Create an access control policy rule to allow port 80 to only 172.1.1.50. Verified

Answer 87

D. Use packet-tracer to validate that the packet passes through the firewall and is NATed to the correct IP address Verified by community D-Packet-tracer/NAT "without generating traffic from the client", makes this a packet tracer answer. The only problem is that packet tracer doesnt track the return packet from the server, and therefor wont tell you if it is being dropped by an ACL in the return path. What I have seen in my real-life packet tracer use, is packet tracer dropping the initial packet because the return packet would hit an unexpected NAT rule, causing asymmetrical NAT and the connection failing anyways. As such, my answer is

Answer 88

B. Modify the Snort rules to allow legitimate DNS traffic to the VPN users Verified The solution to this issue would be to **modify the Snort rules to allow legitimate DNS traffic to the VPN users** (Option B). Snort is a powerful intrusion prevention system that can analyze network traffic in real time and detect a variety of attacks. However, it can sometimes block legitimate traffic, such as DNS responses, if the rules are not configured correctly¹⁵. In this case, the network administrator should adjust the Snort rules to allow DNS responses to pass through to the VPN users¹⁵. This will ensure that the VPN users can connect to web resources behind the Cisco FTD device without their connections being terminated⁴. Please note that while other options might seem plausible, they could potentially weaken the security posture of your network. For instance, unchecking the "Drop when Inline" box in the intrusion policy (Option A) or disabling the intrusion rule thresholds (Option C) could allow malicious traffic to pass through¹⁵. Decrypting the packet after the VPN flow so the DNS queries are not inspected (Option D) could also expose sensitive information⁴. Therefore, modifying the Snort rules to allow legitimate DNS traffic is the most appropriate solution in this scenario¹⁵. Source: Conversation with Bing, 10/8/2023 (1) How to verify enabled snort rules in FTD - Cisco Community. https://community.cisco.com/t5/network-security/how-to-verify-enabled-snort-rules-in-ftd/td-p/4518910. (2) Solved: Snort Dropping Packets - Cisco Community. https://community.cisco.com/t5/network-security/snort-dropping-packets/td-p/3710422. (3) A VPN user is unable to conned lo web resources behind the Cisco FTD .... https://vceguide.com/a-vpn-user-is-unable-to-conned-lo-web-resources-behind-the-cisco-ftd-device-terminating-the-connection-while-troubleshooting-the-network-administrator-determines-that-the-dns-responses-are-not-getti/. (4) Solved: DNS configuration on FTD - Cisco Community. https://community.cisco.com/t5/network-security/dns-configuration-on-ftd/td-p/4169966. (5) Configure AnyConnect Remote Access VPN on FTD - Cisco. https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html. (6) undefined. https://www.snort.org/advisories/talos-rules-2021-12-10.

Answer 89

C. The backup file extension was changed from .tar to .zip Verified https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKSEC-3455.pdf

Answer 90

A. It is retransmitted from the Cisco IPS inline set Not verified The Answer is absolutely A. "Inline interfaces receive all traffic unconditionally, but all traffic received on these interfaces is retransmitted out of an inline set unless explicitly dropped." You can verify my answer here: https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v60\_chapter\_01011010.pdf The third page, under (Inline IPS Deployments)

Answer 91

C. Use a packet capture with match criteria Verified

Answer 92

A. flexconfig object for NetFlow Verified Step 4. Configure the Netflow Destination In order to configure the Netflow Destination, navigate to Objects \> FlexConfig \> FlexConfig Objects https://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/netflow/216126-configure-netflow-secure-event-logging-o.html#anc14

Answer 93

D. vPC on the switches to the span EtherChannel on the firewall cluster Verified The answer is correct: Virtual Port Channels (vPC) are common EtherChannel deployments, especially in the data center, and allow multiple devices to share multiple interfaces EtherChannel Interface requires stack, VSS or vPC when connected to multiple switches https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKSEC-2020.pdf

Answer 94

A. The value of the highest MTU assigned to any non-management interface was changed Verified The answer is correct Caution : Changing the highest MTU value among all non-management interfaces on the device restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Inspection is interrupted on all non-management interfaces, not just the interface you modified. Whether this interruption drops traffic or passes it without further inspection depends on the model of the managed device and the interface type. See Snort® Restart Traffic Behavior for more information. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/fpmc-config-guide-v60\_chapter\_01101010.html

Answer 95

B. Configure a prefilter policy Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/prefiltering\_and\_prefilter\_policies.html

Answer 96

D. Enable Automatic Application Bypass Verified Automatic Application Bypass (AAB) allows packets to bypass detection if Snort is down or if a packet takes too long to process. AAB causes Snort to restart within ten minutes of the failure, and generates troubleshooting data that can be analyzed to investigate the cause of the Snort failure. https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/device\_management\_basics.html

Answer 97

A. application blocking B. simple custom detection Verified answers are correct: configure custom malware detection policies and profiles for your entire organization, as well as perform flash and full scans on all your users’ files perform malware analysis, including view heat maps, detailed file information, network file trajectory, and threat root causes configure multiple aspects of outbreak control, including automatic quarantines, application blocking to stop non-quarantined executables from running, and exclusion lists https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reference\_a\_wrapper\_Chapter\_topic\_here.html#id\_96014

Answer 98

A. Add the malicious file to the block list. Verified

Answer 99

B. audit Verified https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/214933-amp-for-endpoints-deployment-methodology.html The answer is correct: Log the detection: In this mode, the identified malicious process is not blocked by MAP, but the detection is logged in the AMP for Endpoints console. (This is Audit mode, where no blocking or quarantine action happens, but the detection is logged.) https://www.cisco.com/c/en/us/products/collateral/security/amp-for-endpoints/white-paper-c11-740980.html

Answer 100

B. malware Verified Correct Answer: B 🗳️ Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/ Reference\_a\_wrapper\_Chapter\_topic\_here.html Disposition: malware, clean or unknown https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/file\_malware\_events\_and\_network\_file\_trajectory.html

Answer 101

A. unavailable Verified Queries the AMP cloud but cannot establish a connection or the cloud is otherwise unavailable = Unavailable You may see a small percentage of events with this disposition; this is expected behavior. correct: Unavailable indicates that the system could not query the AMP cloud https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/file\_malware\_events\_and\_network\_file\_trajectory.html

Answer 102

C. quarantine D. port shutdown Verified Correct Answer: CD 🗳️ Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/210524-configure-firepower-6-1-pxgrid-remediati.html Firepower 6.1 Remediation module allows Firepower system to use ISE EPS capabilities (quarantine, unquarantine, port shutdown) as a remediation when correlation rule is matched.

Answer 103

A. pxGrid Not verified ignore the previous one the FireSIGHT Management Center (FMC) is configured for using self-signed certificates for ISE pxGrid node operation.

Answer 104

D. SHA-256 Verified Correct Answer: D 🗳️ Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/cisco\_threat\_intelligence\_director\_\_tid\_.html

Answer 105

B. An on-premises proxy server does not need to set up and maintained. Verified Correct Answer: B 🗳️ Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/integrations/CTR/Firepower\_and\_Cisco\_Threat\_Response\_Integration\_Guide.pdf The correct answer is B -\> for sure ! See the following link to feel confident :) https://www.cisco.com/c/en/us/td/docs/security/firepower/integrations/CTR/Firepower\_and\_Cisco\_Threat\_Response\_Integration\_Guide/about\_integrating\_firepower\_and\_cisco\_threat\_response.html

Answer 106

B. plus Verified To integrate Cisco ISE with Cisco FMC pxGrid, a **Plus license** is required³. So, the correct answer is **B. Plus**. Source: Conversation with Bing, 12/5/2023 (1) ISE - Firepower pxGrid licensing - Cisco Community. https://community.cisco.com/t5/network-access-control/ise-firepower-pxgrid-licensing/td-p/3047612. (2) How To: Integrate Firepower Management Center (FMC) 6 ... - Cisco Community. https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-firepower-management-center-fmc-6-0-with-ise/ta-p/3627024. (3) Configure ISE 2.4 and FMC 6.2.3 pxGrid Integration - Cisco. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-24/214481-configure-ise-2-4-and-fmc-6-2-3-pxgrid-i.html. (4) Solved: PXGrid licensing ? - Cisco Community. https://community.cisco.com/t5/network-access-control/pxgrid-licensing/td-p/3563181.

Answer 107

A. It disables direct connections to the public cloud. Verified Correct Answer is A. Please, read this line from the referenced article: "Connecting a Firepower Management Center to an AMP private cloud disables existing direct connections to the public AMP cloud." Selected ANswer is A. Connecting a Firepower Management Center to an AMP private cloud disables existing direct connections to the public AMP cloud. The AMP private cloud does not perform dynamic analysis, nor does it support anonymized retrieval of threat intelligence for other features that rely on Cisco Collective Security Intelligence (CSI), such as URL and Security Intelligence filtering.

Answer 108

B. Cisco AMP for Networks Verified Advanced Malware Protection (AMP) for Firepower can detect, capture, track, analyze, log, and optionally block the transmission of malware in network traffic. In the Firepower Management Center web interface, this feature is called AMP for Networks, formerly called AMP for Firepower. Advanced Malware Protection identifies malware using managed devices deployed inline and threat data from the Cisco cloud. https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/file\_policies\_and\_advanced\_malware\_protection.html

Answer 109

B. Reset Connection Verified by community Cisco recommends that you enable Reset Connection for the Block Files and Block Malware actions to prevent blocked application sessions from remaining open until the TCP connection resets. If you do not reset connections, the client session will remain open until the TCP connection resets itself.

Answer 110

A. The Cisco FMC needs to include a SSL decryption policy. E. The Cisco FMC needs to include a file inspection policy for malware lookup. Not verified, but high marks from community I believe the correct answers are A and E. Bobster is referencing local malware analysis requirements, but we have no information that local malware analysis is begin used. By default theat grid is used, and threat grid needs no configuration on the FMC to connect to the cloud. The question states "which configuration tasks" - we dont need to do anything related to threat grid afaik. Also, if all file downloads going through the firewall are encrypted, then C and E would accomplish nothing.

Answer 111

D. Enable Threat Intelligence Director using STIX and TAXII. Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/cisco\_threat\_intelligence\_director\_\_tid\_.html

Answer 112

A. Add the hash to the simple custom detection list D. Add the hash from the infected endpoint to the network block list Verified A - Add the hash to the simple custom detection list1 This action allows the AMP for Endpoints to treat the file associated with the SHA-256 hash as malicious and block it accordingly. D - Add the hash from the infected endpoint to the network block list2 By adding the hash to the network block list, the network engineer can prevent the malicious file from being transmitted across the network. These configurations help in controlling the spread of the identified malware and protect the network from further infections.

Answer 113

C. Create a file policy and set the access control policy to allow Verified To address the concern of a high number of malware files affecting users' machines, the network administrator should **create a file policy and set the access control policy to allow**¹². This is because a file policy in Cisco Secure Firewall can detect, capture, and analyze files. If a file is found malicious, the solution can track and analyze it, and optionally block further transmission in a network¹. Associating a file policy to an access control rule ensures that before the system passes a file in traffic that matches an access control rule's conditions, it first inspects the file¹. So, the correct answer is **C. Create a file policy and set the access control policy to allow**. Source: Conversation with Bing, 12/5/2023 (1) Malware and File Policy - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/malware-and-file-policy. (2) Blocking Malware and Prohibited Files - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AMP-Config.pdf. (3) Firepower Management Center Configuration Guide, Version 6.5 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/access_control_using_intrusion_and_file_policies.html. (4) Intrusion, File, and Malware Inspection in FDM-Managed Access ... - Cisco. https://edge.us.cdo.cisco.com/content/docs/c_intrusion-file-and-malware-inspection-in-ftd-access-control-policies.html.

Answer 114

D. multi-instance firewalls To segment traffic based on the department it is destined for in a high availability environment where both firewalls are passing traffic, **multi-instance firewalls** should be configured. This is because multi-instance firewalls allow for the creation of multiple, separate instances of the firewall on a single hardware appliance¹². Each instance operates and is managed independently, allowing for traffic to be segmented based on its destination¹². So, the correct answer is **D. Multi-instance firewalls**. Source: Conversation with Bing, 12/5/2023 (1) What Is Network Segmentation? - Cisco. https://www.cisco.com/c/en/us/products/security/what-is-network-segmentation.html. (2) 7 Network Segmentation Best Practices to Level-up | StrongDM. https://www.strongdm.com/blog/network-segmentation. (3) Implementing Network Segmentation and Segregation. https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/network-hardening/implementing-network-segmentation-and-segregation.

Answer 115

D. inline tap Verified With tap mode, the FTD is deployed inline, but the network traffic flow is undisturbed. Instead, the FTD makes a copy of each packet so that it can analyze the packets https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/fpmc-config-guide-v62_chapter_01110111.pdf

Answer 116

D. Unregister the faulty Cisco FTD device from the Cisco FMC Verified

Answer 117

B. prefilter Verified

Answer 118

C. transparent Verified The Cisco Firepower Threat Defense (FTD) device is set up to support **Transparent** firewall mode¹⁴. In this mode, the FTD device uses bridging techniques to pass traffic between the interfaces that are grouped together in a bridge group¹. Each bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network¹. So, the correct answer is option C. Please note that the specific modes supported may vary depending on the version of the system you are using. Always refer to the official documentation for the most accurate information. Source: Conversation with Bing, 12/6/2023 (1) Firepower Management Center Configuration Guide, Version 6.4 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html. (2) What do you need to know about Transparent Firewall (ASA or FTD)?. https://community.cisco.com/t5/security-knowledge-base/what-do-you-need-to-know-about-transparent-firewall-asa-or-ftd/ta-p/3773884. (3) Cisco Firepower Threat Defense Configuration Guide for Firepower Device .... https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-interfaces.html. (4) Firepower Management Center Configuration Guide, Version 6.4 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/interface_overview_for_firepower_threat_defense.html.

Answer 119

A. Configure a container instance in the Cisco FTD for each context in the Cisco ASA. Verified

Answer 120

D. Implement non-overlapping IP subnets on each segment. Verified When changing an existing transparent Cisco FTD to routed mode, it's important to understand the differences between these two modes. In routed mode, the FTD device is considered to be a router hop in the network, and each interface that you want to route between is on a different subnet¹². Therefore, to allow hosts to reestablish communication between the two segments after the change, you would need to: D. Implement non-overlapping IP subnets on each segment. This is because in routed mode, each interface that you want to route between is on a different subnet¹². So, you would need to ensure that the IP subnets on each segment do not overlap to avoid IP address conflicts and to ensure proper routing. Please note that the remaining configuration must be migrated manually¹². You can leverage the Cisco Firepower Migration tool to migrate ASA firewall rules, NAT rules, static route, and critical interface configuration to FTD, which covers a significant volume of the ASA configuration¹². I hope this helps! If you have any more questions, feel free to ask. 😊 Source: Conversation with Bing, 12/7/2023 (1) Transparent or Routed Firewall Mode for Firepower Threat Defense - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v601_chapter_01101010.pdf. (2) Firepower Management Center Configuration Guide, Version 6.6 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html. (3) Configure Firepower Threat Defense Interfaces in Routed Mode. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200908-configuring-firepower-threat-defense-int.html. (4) 19. Cisco FTD Transparent Mode - RAYKA. https://rayka-co.com/lesson/cisco-ftd-transparent-mode/.

Answer 121

C. transparent firewall mode with multiple BVIs Verified Using the Transparent Firewall in Your Network The FTD device connects the same network between its interfaces. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network.

Answer 122

C. promiscuous Verified The Cisco IPS mode that meets these requirements is: C. Promiscuous In promiscuous mode, the sensor receives a copy of the data for analysis, while the original traffic still makes its way to its ultimate destination⁵. The advantage of operating in promiscuous mode is that the IPS does not affect the packet flow with the forwarded traffic³. This allows the IPS to collect data and provide a baseline of unwanted traffic without affecting traffic flows³⁵. I hope this helps! If you have any more questions, feel free to ask. 😊 Source: Conversation with Bing, 12/7/2023 (1) Network Security Using Cisco IOS IPS - Cisco Community. https://community.cisco.com/kxiwq67737/attachments/kxiwq67737/discussions-network-security/53107/1/15374863-Ch%206_Network_Security_Using_Cisco_IOS_IPS.pdf. (2) Configuring Interfaces [Cisco IPS 4200 Series Sensors]. https://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/cliinter.html. (3) Cisco IPS Initialization, Inline, & Managed - Cisco Community. https://community.cisco.com/t5/security-knowledge-base/cisco-ips-initialization-inline-managed/ta-p/3127040. (4) Firepower Management Center Device Configuration Guide, 7.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/interfaces-settings-ifcs-ips.html. (5) Cisco Intrusion Prevention System Sensor CLI Configuration Guide for .... https://www.cisco.com/c/en/us/td/docs/security/ips/5-1/configuration/guide/cli/cliguide/cliSSM.html.

Answer 123

D. Both Cisco FTD devices are not at the same software version. Verified The cause of the issue could be: D. Both Cisco FTD devices are not at the same software version. In a high availability configuration, both FTD devices must be at the same software version¹². If they are not, you may not be able to select the secondary peer when adding the high availability pair¹². Additionally, the two units in a high availability configuration must also meet the following conditions²: - Be the same model. - Have the same number and types of interfaces. - If you are using units with different flash memory sizes in your high availability configuration, make sure the unit with the smaller flash memory has enough space to accommodate the software image files and the configuration files². I hope this helps! If you have any more questions, feel free to ask. 😊 Source: Conversation with Bing, 12/8/2023 (1) Configure FTD High Availability on Firepower Appliances - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html. (2) Firepower Management Center Configuration Guide, Version 6.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/firepower_threat_defense_high_availability.html. (3) Configure FTD High Availability Using FDM - Cisco. https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221012-configure-ftd-high-availability-using-fd.html. (4) High Availability and Scalability Design and Deployment of Cisco .... https://community.cisco.com/t5/security-knowledge-base/high-availability-and-scalability-design-and-deployment-of-cisco/ta-p/4109439.

Answer 124

The problem is: C. The Cisco FTD must be in routed mode to process ERSPAN traffic²³⁴. ERSPAN interfaces are only allowed when the device is in routed firewall mode². Therefore, if the Cisco FTD is in transparent mode, it will not be able to process ERSPAN traffic²³⁴. I hope this helps! If you have any more questions, feel free to ask. 😊 Source: Conversation with Bing, 12/8/2023 (1) Firepower Management Center Configuration Guide, Version 6.4 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html. (2) Cisco. https://www.allfreedumps.com/downloadfile.html?id=18687. (3) What is the problem? - VCEguide.com. https://vceguide.com/what-is-the-problem-130/. (4) Solved: Inline FTD device not passing traffic - Cisco Community. https://community.cisco.com/t5/network-security/inline-ftd-device-not-passing-traffic/td-p/4448405. (5) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuring-firepower-threat-defense-int.html.

Answer 125

A. Allows the IPS to identify inbound and outbound traffic as part of the same traffic flow. Verified Adding multiple inline interface pairs to the same inline interface set allows the system to identify the inbound and outbound traffic as part of the same traffic flow. For passive interfaces only, you can also achieve this by including the interface pairs in the same security zone. The advantage of adding multiple inline interface pairs to the same inline interface set when deploying an asynchronous routing configuration is: A. Allows the IPS to identify inbound and outbound traffic as part of the same traffic flow¹. Adding multiple inline interface pairs to the same inline interface set allows the system to identify the inbound and outbound traffic as part of the same traffic flow¹. This is particularly useful in an asynchronous routing configuration, where traffic for a single session does not follow the same path in both directions¹. I hope this helps! If you have any more questions, feel free to ask. 😊 Source: Conversation with Bing, 12/8/2023 (1) Firepower Management Center Configuration Guide, Version 6.0.1. https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v60_chapter_01011010.html. (2) Setting Up an IPS Device - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/IPS-Devices.pdf. (3) FireSIGHT System User Guide Version 5.4.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/IPS-Devices.html. (4) What is an advantage of adding multiple inline interface pairs to the .... https://vceguide.com/what-is-an-advantage-of-adding-multiple-inline-interface-pairs-to-the-same-inline-interface-set-when-deploying-an-asynchronous-routing-configuration/.

Answer 126

The configuration that must be changed before setting up the high-availability pair is: A. An IP address in the same subnet must be added to each Cisco FTD on the interface¹². When configuring an active/passive HA Cisco FTD pair, each FTD device needs to be connected to each other through a dedicated failover link¹². This requires an IP address in the same subnet to be added to each Cisco FTD on the interface that will be used for the failover link¹². I hope this helps! If you have any more questions, feel free to ask. 😊 Source: Conversation with Bing, 12/8/2023 (1) Configure FTD High Availability on Firepower Appliances - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html. (2) Firepower Management Center Configuration Guide, Version 6.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/firepower_threat_defense_high_availability.html. (3) Best option to configure FTD active/passive MAC - Cisco Community. https://community.cisco.com/t5/network-security/best-option-to-configure-ftd-active-passive-mac/td-p/4141578. (4) Cisco Firepower Threat Defense Configuration Guide for Firepower Device .... https://www.cisco.com/c/en/us/td/docs/security/firepower/630/fdm/fptd-fdm-config-guide-630/fptd-fdm-ha.html.

Answer 127

A. Configure Cisco Firepower as a transparent firewall. Verified

Answer 128

D. integrated routing and bridging Verified

Answer 129

D. Use a dedicated stateful link between chassis. Verified

Answer 130

B. Configure IPS mode when creating or editing a policy rule under the Cisco FMC Intrusion tab in Access Policies section by unchecking the “Drop when inline” option. Verified

Answer 131

C. The registration key is missing from the command Verified

Answer 132

D. integrated routing and bridging Verified

Answer 133

C. Create HTML code with the information for the policies and procedures D. Change the HTTP response in the access control policy to custom Verified

Answer 134

B. Send Cisco FTD connection events and security events directly to SIEM system for storage and analysis Verified

Answer 135

A. Only Spero file analysis is enabled. Verified

Answer 136

A. Configure the Cisco FTD firewall in routed mode with NAT enabled. Verified

Answer 137

D. Block Malware action and local malware analysis Verified

Answer 138

D. Create the backup route and use route tracking on both routes to a destination IP address in the network Verified The Firepower Threat Defense device implements static route tracking by associating a static route with a monitoring target host on the destination network that the Firepower Threat Defense device monitors using ICMP echo requests. If an echo reply is not received within a specified time period, the host is considered down, and the associated route is removed from the routing table. An untracked backup route with a higher metric is used in place of the removed route.

Answer 139

A. The action of the rule is set to trust instead of allow Verified

Answer 140

B. The access policy must allow traffic to the internal web server IP address Verified

Answer 141

A. Add a URL source and select the flat file type within Cisco FMC. Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/threat_intelligence_director_tid.pdf

Answer 142

B. Automatic Application Bypass Verified

Answer 143

B. Use Subject Common Name value. Not totally verified

Answer 144

B. Use the Cisco FTD platform policy to change the minimum SSL version on the device to TLS 1.2. Verified

Answer 145

A. Configure EIGRP parameters using FlexConfig objects. Verified

Answer 146

C. Prefilter policy Verified

Answer 147

C. Use the subject common name from the website certificate. Verified

Answer 148

A. Enable Automatic Application Bypass. Verified

Answer 149

B. Interface groups can contain interfaces from many devices. Verified When defining interface objects in Cisco FMC for use with interfaces across multiple devices, the engineer must follow the rule that interface groups can contain interfaces from many devices. This allows an administrator to manage multiple devices and interfaces as a single entity, simplifying configuration and management.

Answer 150

D. QoS is available only on routed interfaces, and this device is in transparent mode. Verified D is correct: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/quality_of_service__qos__for_firepower_threat_defense.html

Answer 151

C. DNS policy Kinda verified. Lean towards C but A is also a contender

Answer 152

D. Enable the HTTPS server for the device platform policy Not verified

Answer 153

D. intrusion events, host connections, and user sessions Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/using_host_profiles.html#ID-2218-000003be

Answer 154

D. Use the capture command and specify the trace option to get the required information Verified

Answer 155

No clear answer

Answer 156

A. Use the packet capture tool to check where the traffic is being blocked and adjust the access control or intrusion policy as needed Verified The engineer should use the packet capture tool to check where the traffic is being blocked and adjust the access control or intrusion policy as needed. This is option A. The packet capture tool can be used to capture and analyze real DNS packets to determine where the traffic is being blocked. Once the source of the blockage is identified, the engineer can adjust the access control or intrusion policy as needed to allow DNS traffic to pass through to the servers in the DMZ. Is there anything else you would like to know?

Answer 157

C. Create a copy of the dashboard Verified

Answer 158

A. The existing configuration for integration of the secondary Cisco FMC the Cisco Security Packet Analyzer is overwritten. Verified

Answer 159

D. Network Risk Report Verified

Answer 160

B. Identify the blocked traffic in the Cisco FMC connection events to validate the block, and modify the policy to allow the traffic to the web server. Verified

Answer 161

C. Filter the connection events by the destination port 8699/udp. Verified

Answer 162

D. enforcement Verified

Answer 163

B. Link-state propagation is enabled. Verified

Answer 164

D. The backup file extension was changed from .tar to .zip. Verified

Answer 165

B. Create a new dashboard and add three custom analysis widgets that specify the tables needed. Verified

Answer 166

D. Network Report Verified

Answer 167

A. capture CAP type inline-tag 64 match ip any any Verified This command captures packets of any IP address using any protocol with the SGT tag number of 64. The "type inline-tag" parameter specifies that the SGT is included as an inline tag in the packet, allowing for the filtering and capturing of SGT traffic. The captured packets can be analyzed to troubleshoot any connectivity issues.

Answer 168

A. Connectivity Over Security Verified

Answer 169

A. Change from Cisco FDM management to Cisco FMC management on both devices and register them to FMC. Verified

Answer 170

D. The management connection between the Cisco FMC and the Cisco FTD is disabled. Verified

Answer 171

A. FTD has no NAT policy that allows outside to outside communication. Verified

Answer 172

A. The capture must use the public IP address of the web server. Verified

Answer 173

A. Set to passive, and configure an access control policy with an intrusion policy and a file policy defined. Verified

Answer 174

D. -ne src 192.168.100.100 Verified https://www.cisco.com/c/de_de/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html#:~:text=Um%20Src%20IP%20%3D%20192.168.101.1%20zu,Options%3A%20%2Dne%20src%20192.168.101.1

Answer 175

C. Define VLAN subinterfaces for each logical device. Verified

Answer 176

A. Copy it to the current domain. Verified To edit a report template from an ancestor domain in a multidomain deployment in Cisco FMC, the engineer must copy the report template to the current domain. By default, report templates are available only in the domain in which they were created. If the engineer needs to edit a report template from an ancestor domain, they can make a copy of the report template and then edit the copy in the current domain. The other options listed are not the correct action to take to edit a report template from an ancestor domain. A is not applicable as it refers to adding a separate widget, which does not address the issue of editing a report template. C is not applicable as ownership of the report template is not relevant to editing it. D is not applicable as changing document attributes does not address the issue of editing a report template from an ancestor domain.

Answer 177

D. Balanced Security and Connectivity Verified The Balanced Security and Connectivity policy is designed to provide a balance between network speed and performance while maintaining effective cybersecurity measures. It prioritizes the detection of threats while also ensuring that network traffic flows smoothly and efficiently.

Answer 178

D. client Not verified, but no comments from community

Answer 179

D. Configure the Cisco FTD interfaces and cluster members, add members to Cisco FMC, and create the cluster in Cisco FMC Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/clustering/ftd-4100-9300-cluster.html#task_tqm_ghj_qgb https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/clustering/ftd-4100-9300-cluster.html#task_06578AF798574CEEA9CB7CD6D2373E6B

Answer 180

D. prevalence Verified To verify if any of the systems on the network are running a specific executable file with .exe extension, the administrator should use the Prevalence function in Cisco AMP for Endpoints. Prevalence is a metric used to indicate the number of systems on which a file has been detected. When a file is detected on an endpoint, its prevalence score is incremented, and the information is sent to the AMP cloud. The Prevalence score allows you to see how many endpoints in your environment have seen a particular file. It also helps to understand the impact of a particular file in the environment and helps to prioritize the response to the identified threat.

Answer 181

A. Cisco Stealthwatch, might also be C. Cisco FMC E. Cisco AMP Not verified. Community is in disagreement

Answer 182

B. There is a host limit set. Verified

Answer 183

C. sharing threat analysis Verified

Answer 184

D. pxGrid Verified

Answer 185

C. Spero Verified

Answer 186

C. Cisco FMC instructs Cisco ISE to contain the infected endpoint. Verified

Answer 187

A. Ethos Verified

Answer 188

B. Create a Custom report. Verified

Answer 189

D. Create a Certificate Enrollment object to get the LDAPS certificate needed. Verified

Answer 190

A. An IP address must be assigned to the BVI. Verified

Answer 191

D. EtherChannel interface Community says A or C With Integrated Routing and Bridging, you can use a "bridge group" where you group together multiple interfaces on a network, and the FTD device uses bridging techniques to pass traffic between the interfaces. Each bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network. The FTD device routes between BVIs and regular routed interfaces. If you do not need clustering or EtherChannel member interfaces, you might consider using routed mode instead of transparent mode. In routed mode, you can have one or more isolated bridge groups like in transparent mode, but also have normal routed interfaces as well for a mixed deployment.

Answer 192

C. Use the import feature in the newly created report to select which dashboards to add. Verified

Answer 193

C. Create an access control policy rule that allows ICMP traffic Verified

Answer 194

A. Enable SSH and define an access list. Verified

Answer 195

A. Deregister the FTD device from FMC and configure transparent mode via the CLI. Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v601_chapter_01101010.html#:~:text=Deregister%20the%20FTD,deregister%20the%20devic

Answer 196

B. Configure the failover link with stateful properties. E. Configure the standby IP addresses. Verified

Answer 197

B. configure manager add 209.165.200.225 Cisco0123456789 NAT001 Verified

Answer 198

D. Use the show run all command in the Cisco FTD CLI feature within Cisco FMC. Verified

Answer 199

A. Change the rules using the Generate and Use Recommendations feature. Not verified About Firepower Recommended Rules You can use intrusion rule recommendations to target vulnerabilities associated with host assets detected in the network. For example, operating systems, servers, and client application protocols. This allows you to tailor your intrusion policy to the specific needs of your monitored network. The system makes an individual set of recommendations for each intrusion policy. It typically recommends rule state changes for standard text rules and shared object rules. However, it can also recommend changes for inspector and decoder rules. When you generate rule state recommendations, you can use the default settings or configure advanced settings. Advanced settings allow you to: Redefine which hosts on your network the system monitors for vulnerabilities Influence which rules the system recommends based on rule overhead Specify whether to generate recommendations to disable rules You can also choose either to use the recommendations immediately or to review the recommendations (and affected rules) before accepting them. Choosing to use recommended rule states adds a read-only Firepower Recommendations layer to your intrusion policy, and subsequently choosing not to use recommended rule states removes the layer. You can schedule a task to generate recommendations automatically based on the most recently saved configuration settings in your intrusion policy. The system does not change rule states that you set manually: Manually setting the states of specified rules before you generate recommendations prevents the system from modifying the states of those rules in the future. Manually setting the states of specified rules after you generate recommendations overrides the recommended states of those rules. Tip The intrusion policy report can include a list of rules with rule states that differ from the recommended state. While displaying the recommendation-filtered Rules page, or after accessing the Rules page directly from the navigation panel or the Policy Information page, you can manually set rule states, sort rules, and take any of the other actions available on the Rules page, such as suppressing rules, setting rule thresholds, and so on. Note The Cisco Talos Intelligence Group (Talos) determines the appropriate state of each rule in the system-provided policies. If you use a system-provided policy as your base policy, and you allow the system to set your rules to the Firepower recommended rule state, the rules in your intrusion policy match the settings recommended by Cisco for your network assets. Migrating Snort 2 Generated Firepower Recommendations to Snort 3 Starting or stopping use of Firepower recommendations may take several minutes, depending on the size of your network and intrusion rule set. Firepower recommendations cannot be generated for the Snort 3 version directly. Generate the Firepower recommendations for Snort 2 version of the intrusion policy and then follow the steps that are listed here to migrate the recommended rule settings to Snort 3. Before you begin Firepower recommendations have the following requirements: FTD License—Threat Classic License—Protection User Roles—Admin or Intrusion Admin Ensure that hosts are present in the system to generate recommendations. Procedure Step 1 Choose Policies > Intrusion. Step 2 Click Snort 2 Version button of the intrusion policy. Step 3 Generate and apply recommendations in the Snort 2 version of the intrusion policy. See the Generating and Applying Firepower Recommendations topic in the latest version of the Firepower Management Center Configuration Guide, and perform the steps provided in the topic. Step 4 Synchronize the Snort 2 rule changes with Snort 3. For steps, see Synchronize Snort 2 Rules with Snort 3. Note During upgrade from pre-7.0 to 7.0 version any existing Snort 2 recommendations will be synched to Snort 3. However, if you generated (not fresh) Snort 2 recommendations after upgrade to 7.0, then you can synchronize all these recommendations to Snort 3 version. What to do next Deploy configuration changes; see Deploy Configuration Changes. Back to Top Was this Document Helpful? Yes No FeedbackFeedback Customers Also Viewed Firepower Management Center Snort 3 Configuration Guide, Version 7.0 --- Migrating from Snort 2 to Snort 3 Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0 --- Planning Your Upgrade Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0 --- Upgrade Firepower Management Centers + Show 1 More Contact Cisco Open a Support Caselogin required

Answer 200

B. tap mode D. inline set pair Verified

Answer 201

D. DNS servers must be defined for name resolution. Verified

Answer 202

C. Configure the primary Cisco FMC so that the rules are updated. Verified

Answer 203

B. Set interface configuration mode to passive. Verified

Answer 204

B. TOR Verified

Answer 205

B. STP BPDU packets are allowed by default. Verified BPDU Handling To prevent loops using the Spanning Tree Protocol, BPDUs are passed by default. By default BPDUs are also forwarded for advanced inspection, which is unnecessary for this type of packet, and which can cause problems if they are blocked due to an inspection restart, for example. We recommend that you always exempt BPDUs from advanced inspection. To do so, use FlexConfig to configure an EtherType ACL that trusts BPDUs and exempts them from advanced inspection on each member interface. See FlexConfig Policies for FTD. https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html

Answer 206

D. BVI E. Diagnostic Verified by community. Wouldn't hurt to research

Answer 207

D. Exclude load balancers and NAT devices in the policy. Verified but would not hurt to learn more

Answer 208

B. Assign an IP address to the Bridge Virtual Interface. Verified but would not hurt to learn more

Answer 209

A. An incorrect application signature was used in the rule. Verified

Answer 210

C. correlation policy Verified

Answer 211

B. Use the host filter in the packet capture to capture traffic to or from a specific host. Verified

Answer 212

D. sftunnel Verified

Answer 213

A. Threat Intelligence Director Verified The correct answer is A. To integrate an external feed containing STIX/TAXII data with Cisco FMC, the Threat Intelligence Director feature must be enabled. The Threat Intelligence Director is a feature of Cisco FMC that allows for the integration of external threat intelligence feeds, including those that use STIX/TAXII. The Threat Intelligence Director allows the Cisco FMC to receive threat intelligence data from external sources and use that data to inform security policies and block malicious traffic.

Answer 214

B. Enable IPsec Inspection on the access policy. Not verified The correct answer is B. To allow site-to-site IPsec VPN traffic through a Cisco FTD, the IPsec Inspection feature must be enabled on the access policy. IPsec Inspection is a feature that allows the FTD to inspect and permit IPsec traffic. It is required to allow site-to-site IPsec VPN traffic to pass through the FTD. By enabling IPsec Inspection on the access policy, the FTD will permit the necessary UDP ports (500, 4500) and ESP traffic.

Answer 215

C. dissemination Verified

Answer 216

B. Configure a NAT ID on both the Cisco FMC and the device. E. Add the port number being used for PAT on the router to the device’s IP address in the Cisco FMC. Need to verify

Answer 217

C. access list Verified

Answer 218

D. Use SMB for both backups and reports. Verified

Answer 219

B. IPsec Verified

Answer 220

Need to verify

Answer 221

C. correlation Verified The correct answer is C. correlation. A correlation policy can be configured in the Cisco Firepower Management Center (FMC) to generate an alert when a specific condition is triggered. Correlation policies allow you to define rules that specify the conditions under which the system should generate an alert, and the actions that the system should take when those conditions are met. In this case, a correlation rule can be created to generate an alert when five or more connections from external sources are initiated within 2 minutes

Answer 222

D. Analysis > Hosts > Host Attributes Verified

Answer 223

B. The current FDM configuration must be migrated to FMC using the Secure Firewall Migration Tool. Verified https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-fdm/fdm-to-threat-defense-using-the-migraton-tool/m-fdm-managed-device-to-threat-defense-workflow.html

Answer 224

D. FXOS CLI Verified I was wrong, according to the link below the provided answer is correct, so D: "The Firepower 4100/9300 manages the basic Ethernet settings of physical interfaces, VLAN subinterfaces for container instances, and EtherChannel (port-channel) interfaces. Within the application, you configure higher level settings. For example, you can only create EtherChannels in FXOS; but you can assign an IP address to the EtherChannel within the application." Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos281/cli-guide/b_CLI_ConfigGuide_FXOS_281/interface_management.html

Answer 225

A. Analysis > Hosts > Indications of Compromise Verified

Answer 226

C. Deploy the device in transparent mode and allow DHCP traffic in the access control policies. Verified The correct answer is C. Deploy the device in transparent mode and allow DHCP traffic in the access control policies. When deploying a Cisco FTD device in transparent mode, it acts as a “bump in the wire” and is not seen as a router hop to connected devices. This means that the end user workstations, which currently use DHCP to obtain an IP address, will not require any changes to their configuration 1. To allow DHCP traffic to pass through the device, the engineer must configure the access control policies to permit DHCP traffic

Answer 227

D. Trust All Traffic Needs verified https://www.cisco.com/c/en/us/td/docs/security/firepower/710/fdm/fptd-fdm-config-guide-710/fptd-fdm-access.html#concept_621711DB8AFF4CD09EDE891B63B30673

Answer 228

B. Update the IP addressing so that each segment is a unique IP subnet. Verified The correct answer is B. Update the IP addressing so that each segment is a unique IP subnet. When reconfiguring an existing Cisco FTD from transparent mode to routed mode, it is necessary to update the IP addressing so that each segment is a unique IP subnet 1. In routed mode, the Cisco FTD device is considered to be a router hop in the network, and each interface that you want to route between must be on a different subnet 1. This means that the engineer must update the IP addressing of the network segments to ensure that they are unique IP subnets, and then configure the routing on the Cisco FTD device to maintain communication between the two network segments.

Answer 229

C. Configure fallthrough to interface PAT on the Advanced tab. Verified Fallthrough to Interface PAT (Destination Interface) (Dynamic NAT only.) Whether to use the IP address of the destination interface as a backup method when the other mapped addresses are already allocated (interface PAT fallback). This option is available only if you select a destination interface that is not a member of a bridge group. You cannot select this option if you already configured interface PAT as the translated address. You cannot use this option with IPv6 networks.

Answer 230

B. content Verified

Answer 231

D. Perform a Snort engine capture using tcpdump from the FTD CLI. Could also be A., but looks like D. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html#anc5

Answer 232

B. PCAP Both agree The best file type for the engineer to export the data in is **B. PCAP**. PCAP stands for **packet capture**, and it is a common format for storing network traffic data. PCAP files can be opened and analyzed by various tools, such as Wireshark, tcpdump, and Snort. These tools allow the engineer to sort, filter, search, and decode the captured packets, as well as generate statistics and graphs. PCAP files can also be imported back into the Cisco Secure Firewall Threat Defense device for further analysis. NetFlow v9 and IPFIX are protocols for exporting network flow information, such as source and destination IP addresses, ports, protocols, and bytes. They are not suitable for capturing the full content of network packets, and they require a collector device or software to receive and process the exported data. Therefore, they are not the best file types for the engineer's purpose. Source: Conversation with Bing, 12/9/2023 (1) Use Firepower Threat Defense Captures and Packet Tracer - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html. (2) Cisco Secure Firewall Threat Defense Hardening Guide, Version 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/hardening/threat_defense/Threat_Defense_Hardening_Guide_v72.html. (3) Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting .... https://community.cisco.com/t5/security-knowledge-base/self-paced-learning-for-cisco-firepower-ngfw-ngips-amp-with/ta-p/3306922. (4) Malware and File Policy - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/malware-and-file-policy.

Answer 233

C. LUA script Both agree The correct answer is **C. LUA script**. Custom application detectors are pattern-based and detect patterns in packets from client, web application, or application protocol traffic¹²³⁴. These detectors are created and uploaded as LUA scripts. LUA is a powerful, efficient, lightweight, embeddable scripting language that is used for a variety of purposes, including network traffic analysis. It allows engineers to write complex detection patterns that can match various characteristics of network traffic. Perl scripts and Python programs, while powerful, are not used for this specific purpose in the context of Cisco Secure Firewall Threat Defense. NBAR (Network Based Application Recognition) protocol is a mechanism used by certain Cisco routers to recognize a wide variety of applications, including web-based and client/server applications. Source: Conversation with Bing, 12/9/2023 (1) Firepower Management Center Configuration Guide, Version 6.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Application_Detection.html. (2) Application Control - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/application-control. (3) Firepower Management Center Configuration Guide, Version 7.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/application_detection.html. (4) Cisco Secure Firewall Management Center Device Configuration Guide, 7.4. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/discovery-app-detection.html. (5) undefined. https://appid.cisco.com/home.

Answer 234

A. in transparent mode with a management interface Both agree The device must be deployed **A. in transparent mode with a management interface** to meet these requirements. In **transparent mode**, the Cisco Secure Firewall Threat Defense device acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices¹. This allows the management to examine traffic without requiring network changes that will disrupt end users. Layer 2 connectivity is achieved by using a "bridge group" where you group together the inside and outside interfaces for a network, and the device uses bridging techniques to pass traffic between the interfaces¹. A **management interface** is used to separate management traffic from data traffic². This aligns with the corporate security policy that requires the separation of management traffic from data traffic. The use of SSH over Telnet for remote administration can be configured separately and is not dependent on the deployment mode of the device. Therefore, deploying the device in transparent mode with a management interface would meet all the stated requirements. Source: Conversation with Bing, 12/9/2023 (1) Cisco Secure Firewall Management Center Device Configuration Guide, 7.3. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/device-ops-tfw.html. (2) Secure Firewall Management Center and Threat Defense Management ... - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/management-center-mgmt-nw/fmc-ftd-mgmt-nw.html. (3) Cisco Firepower Hardening Guide - media.defense.gov. https://media.defense.gov/2023/Aug/02/2003272858/-1/-1/0/CTR_CISCO_FIREPOWER_HARDENING_GUIDE.PDF. (4) Encrypted Visibility Engine - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/encrypted-visibility-engine. (5) Deploy a Threat Defense Virtual Cluster on Azure - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/deploy-threat-defense-virtual-cluster-azure.html.

Answer 235

B. The host is not vulnerable to those attacks. D - Exam Topics B - AI Low-impact attacks typically indicate that **B. The host is not vulnerable to those attacks**. In the context of cybersecurity, the impact of an attack refers to the potential damage it could cause if it were successful. A low-impact attack is one that, even if successful, would not cause significant harm to the system or network¹. This could be because the system has defenses in place that would mitigate the attack, or because the system does not contain sensitive data that the attack is designed to compromise². It's important to note that while low-impact attacks may not pose a significant threat by themselves, they could potentially be part of a larger, more complex attack strategy. Therefore, all attacks, regardless of their assessed impact, should be taken seriously and investigated thoroughly. The other options are not necessarily true: - **A. All attacks are listed as low until manually recategorized**: This is not a standard practice. The impact of an attack is typically assessed based on its potential damage, not manually recategorized later. - **C. The host is not within the administrator's environment**: The location of the host does not determine the impact of an attack. An attack can have a high impact regardless of whether the host is within the administrator's environment or not. - **D. The attacks are not dangerous to the network**: Even low-impact attacks can be dangerous if they are part of a larger attack strategy or if they exploit a vulnerability that could be used in a future high-impact attack. Therefore, all attacks should be considered potentially dangerous. Source: Conversation with Bing, 12/9/2023 (1) OWASP Risk Rating Methodology | OWASP Foundation. https://owasp.org/www-community/OWASP_Risk_Rating_Methodology. (2) What is Cyber Risk? Examples & Impact - Hyperproof. https://hyperproof.io/resource/what-is-cyber-risk/. (3) What is Conventional Warfare? | Small Wars Journal. https://smallwarsjournal.com/blog/what-is-conventional-warfare. (4) undefined. https://owasp.org/www-community/Threat_Modeling. (5) undefined. https://owasp.org/www-community/Application_Threat_Modeling.

Answer 236

B. Only nonbridge interfaces are supported. Both agree When running a dynamic routing protocol on a Cisco Secure Firewall Threat Defense device in Integrated Routing and Bridging (IRB) mode, a limitation to consider is that **B. Only nonbridge interfaces are supported**¹². In IRB mode, the device operates both as a router and a bridge, allowing it to route packets between different networks while also bridging packets within the same network³. However, when it comes to running dynamic routing protocols, only nonbridge interfaces are supported¹². This means that the routing protocols cannot be run on the Bridge Virtual Interfaces (BVIs) that are used for bridging traffic. The other options are not necessarily true: - **A. Only link-state routing protocols are supported**: Cisco Secure Firewall Threat Defense devices support both link-state and distance vector routing protocols⁵. - **C. Only EtherChannel interfaces are supported**: While EtherChannel interfaces can be used, they are not the only type of interfaces supported. - **D. Only distance vector routing protocols are supported**: As mentioned above, both link-state and distance vector routing protocols are supported⁵. Source: Conversation with Bing, 12/9/2023 (1) Cisco Secure Firewall Management Center Device Configuration Guide, 7.4. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/routing-vrf.html. (2) Cisco Secure Firewall Device Manager Configuration Guide, Version 7.3. https://www.cisco.com/c/en/us/td/docs/security/firepower/730/fdm/fptd-fdm-config-guide-730/fptd-fdm-routing.html. (3) How to configure IRB - Cisco Community. https://community.cisco.com/t5/networking-knowledge-base/how-to-configure-irb/ta-p/3131332. (4) Firepower Management Center Configuration Guide, Version 7.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html. (5) Cisco Content Hub - Integrated Routing and Bridging. https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/iosxr/cisco8000/l2vpn/73x/b-l2vpn-cg-cisco8000-73x/m-configure-irb.html.xml.

Answer 237

A. On the HTTP Responses tab of the access control policy editor, set the Interactive Block Response Page to System-provided. C. Configure an access control rule that matches an URL object for http://www.badadultsite.com/ and set the action to Interactive Block. Both agree The two actions the engineer must take to meet these requirements are: **A. On the HTTP Responses tab of the access control policy editor, set the Interactive Block Response Page to System-provided.** This action will ensure that users receive a system-provided warning page when they attempt to access the specified website¹. **C. Configure an access control rule that matches an URL object for http://www.badadultsite.com/ and set the action to Interactive Block.** This action will create a rule that specifically targets the URL in question and sets the action to Interactive Block, which will allow users to continue to the website if they choose¹. The other options are not necessary or relevant for this specific requirement: - **B. Configure the default action for the access control policy to Interactive Block.** This would apply the Interactive Block action to all websites, not just the specified one. - **D. Configure an access control rule that matches the Adult URL category and set the action to Interactive Block.** This would block all websites in the Adult URL category, not just the specified one. - **E. On the HTTP Responses tab of the access control policy editor, set the Block Response Page to Custom.** This is not necessary as the system-provided page should suffice for this requirement. Source: Conversation with Bing, 12/9/2023 (1) Firepower Management Center Device Configuration Guide, 7.1. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/access-url-filtering.html. (2) URL Filtering FTD/FMC2100 - Cisco Community. https://community.cisco.com/t5/network-security/url-filtering-ftd-fmc2100/td-p/3939730. (3) Cisco Firepower Threat Defense Configuration Guide for Firepower Device .... https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-access.html. (4) Firepower Management Center Configuration Guide, Version 6.3 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/url_filtering.html. (5) undefined. https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/access_control_using_content_restriction.html.¬

Answer 238

The action that blocks the connections is **B. Modify the access control policy on the Cisco FMC to block malicious outbound connections**²⁴. C - Exam Topics B - AI In the context of Cisco Secure Firewall Threat Defense (FTD) and Secure Endpoint, the access control policy on the Cisco Firepower Management Center (FMC) can be modified to block outbound connections to malicious sites². This can be done by adding an Access Control rule that blocks connections to the destination addresses observed to be in violation of the policy⁴. The other options are not necessarily correct: - **A. Modify the policy on Cisco Secure Endpoint to enable DFC**: DFC (Device Flow Correlation) is a feature of Cisco Secure Endpoint that correlates events across multiple devices. While it can provide valuable insights into network traffic, it does not directly block connections to malicious sites. - **C. Add the IP addresses of the malicious sites to the access control policy on the Cisco FMC**: While this could potentially block connections to the specific malicious sites, it would not be a comprehensive solution as new malicious sites could emerge at any time. - **D. Add a Cisco Secure Endpoint policy with the Tetra and Spero engines enabled**: The Tetra and Spero engines are components of Cisco Secure Endpoint that provide antivirus and machine learning capabilities, respectively. While they can help detect and prevent malware, they do not directly block connections to malicious sites. Source: Conversation with Bing, 12/10/2023 (1) Protecting against Log4j with Secure Firewall & Secure IPS. https://blogs.cisco.com/security/protecting-against-log4j-with-secure-firewall-secure-ips. (2) Need to block outbound VPN connection on FTD managed ... - Cisco Community. https://community.cisco.com/t5/network-security/need-to-block-outbound-vpn-connection-on-ftd-managed-by-fmc-on-7/td-p/4710903. (3) Configure IP Allow and Block List in the Secure Endpoint Cloud ... - Cisco. https://www.cisco.com/c/en/us/support/docs/security/secure-endpoint/217750-configure-ip-allow-and-block-list-in-the.html. (4) Solved: Block Outgoing VPN Access - Cisco Community. https://community.cisco.com/t5/network-security/block-outgoing-vpn-access/td-p/749812. (5) undefined. https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html.

Answer 239

The tool that will assist the engineer in performing that audit is **B. Cisco Defense Orchestrator**¹³. Both agree Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices³. It hosts a cloud version of the Cisco Secure Firewall migration tool that can be used to migrate existing firewall configurations to a Secure Firewall Threat Defense device managed by the cloud-delivered Firewall Management Center¹. This makes it an ideal tool for auditing network objects across various firewall models deployed throughout the company. The other options are not necessarily correct for this specific task: - **A. Cisco Firepower Device Manager**: This is a web-based management interface for standalone Cisco Firepower Threat Defense devices that simplifies device configuration, management, and troubleshooting. It does not provide the capability to audit network objects across different firewall models. - **C. Cisco Secure Firewall Management Center**: This provides centralized management of the Cisco Secure Firewall. While it does provide visibility and control across the network, it does not have the specific capability to audit network objects across different firewall models. - **D. Cisco SecureX**: This is a cloud-native, built-in platform experience within Cisco's security portfolio. It connects the breadth of Cisco’s integrated security portfolio and the customer’s infrastructure for a consistent experience. It does not have the specific capability to audit network objects across different firewall models. Source: Conversation with Bing, 12/10/2023 (1) Migrating Firewalls with the Firewall Migration Tool in Cisco Defense .... https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-firewall-migration-tool-on-cdo/migrating-firewalls-with-the-firewall-migration-tool-in-cisco-defense-orchestrator/m-migrating-firewalls-with-the-cloud-firewall-migration-tool.html. (2) What's New for Cisco Defense Orchestrator (CDO). https://community.cisco.com/t5/security-knowledge-base/what-s-new-for-cisco-defense-orchestrator-cdo/ta-p/4066742. (3) Cisco Secure Firewall ASA to Threat Defense Feature Mapping. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/migration/asa-to-threat-defense-feature-mapping/asa-to-threat-defense-feature-mapping/firewall.html. (4) 6 Best Firewall Audit Tools 2023: Review and Analyze Firewall Rules. https://www.enterprisenetworkingplanet.com/security/firewall-audit-tool/.

Answer 240

The two features that must be deployed to achieve this requirement are: A, D - Exam Topics A, E - AI **A. Route Tracking** Route tracking allows the device to track the availability of a route and make routing decisions based on the status of the tracked objects¹. This can be used to ensure that if one ISP goes down, the device can switch to using the other ISP. **E. BGP** Border Gateway Protocol (BGP) is a protocol used to exchange routing information across autonomous systems on the internet². BGP can be used to automatically select the best path for internet traffic based on the availability and performance of the ISPs². The other options are not necessarily correct for this specific task: - **B. Redundant interfaces**: While redundant interfaces can provide a level of fault tolerance, they do not directly address the requirement of maintaining internet access if one of the ISPs goes down. - **C. EtherChannel interfaces**: EtherChannel is a port link aggregation technology that allows the grouping of several physical Ethernet links to create one logical Ethernet link for the purpose of providing fault-tolerance and high-speed links between switches, routers, and servers³. However, it does not directly address the requirement of maintaining internet access if one of the ISPs goes down. - **D. SLA Monitor**: Service Level Agreement (SLA) Monitor is a feature that allows you to monitor the performance of network services and generate alerts when performance thresholds are breached. While it can be used to monitor the performance of the ISPs, it does not directly address the requirement of maintaining internet access if one of the ISPs goes down. Source: Conversation with Bing, 12/10/2023 (1) Cisco Firepower Threat Defense Configuration Guide for Firepower Device .... https://www.cisco.com/c/en/us/td/docs/security/firepower/710/fdm/fptd-fdm-config-guide-710/fptd-fdm-ha.html. (2) Firepower Management Center Configuration Guide, Version 6.1 - High .... https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/firepower_threat_defense_high_availability.html. (3) Managing Firewall Threat Defense with Cloud-delivered Firewall ... - Cisco. https://www.cisco.com/c/en/us/td/docs/security/cdo/cloud-delivered-firewall-management-center-in-cdo/managing-firewall-threat-defense-services-with-cisco-defense-orchestrator/m_device-ops-ha.html.

Answer 241

The two virtual environments that support the current High Availability configuration for Cisco Secure Firewall Threat Defense Virtual appliances are: Both agree **A. ESXi** VMware ESXi is a bare-metal hypervisor that installs directly onto your physical server. With direct access to and control of underlying resources, ESXi is more efficient than hosted architectures and can effectively partition hardware to increase consolidation ratios and cut costs⁵. **D. KVM** Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on x86 hardware containing virtualization extensions (Intel VT or AMD-V). It consists of a loadable kernel module, kvm.ko, that provides the core virtualization infrastructure and a processor-specific module, kvm-intel.ko or kvm-amd.ko⁵. The other options, while they might support Cisco Secure Firewall Threat Defense Virtual appliances, they do not support the current High Availability configuration: - **B. Azure**: While Cisco Secure Firewall Threat Defense Virtual can be deployed on Azure², the High Availability configuration is not supported in the Azure environment⁴. - **C. Openstack**: There's no mention of Openstack supporting the current High Availability configuration in the search results. - **E. AWS**: There's no mention of AWS supporting the current High Availability configuration in the search results. Source: Conversation with Bing, 12/10/2023 (1) Threat Defense Virtual (formerly FTDv/NGFWv) Data Sheet - Cisco. https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/threat-defense-virtual-ngfwv-ds.html. (2) Cisco Secure Firewall Threat Defense Virtual Getting Started Guide .... https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-azure-gsg.html. (3) FMC (Virtual) and FTD deployement with High Availability. https://community.cisco.com/t5/network-security/fmc-virtual-and-ftd-deployement-with-high-availability/td-p/3701529. (4) Cisco Secure Firewall Device Manager Configuration Guide, Version 7.3. https://www.cisco.com/c/en/us/td/docs/security/firepower/730/fdm/fptd-fdm-config-guide-730/fptd-fdm-get-started.html. (5) High Availability and Scalability Design and Deployment of Cisco .... https://community.cisco.com/t5/security-knowledge-base/high-availability-and-scalability-design-and-deployment-of-cisco/ta-p/4109439. (6) undefined. https://azure.microsoft.com/en-us/. (7) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html.

Answer 242

The additional information the network engineer requires from the server administrator to be able to make the connection to the AMP private cloud in Cisco FMC is **A. SSL certificate for the AMP private cloud instance**³. B - Exam Topics A - AI When integrating the AMP private cloud with the Cisco Firepower Management Center (FMC), the SSL certificate for the AMP private cloud instance is required³. This certificate is used to establish a secure connection between the FMC and the AMP private cloud instance³. The other options are not necessarily correct: - **B. Username and password to the AMP private cloud instance**: While these credentials might be needed for logging into the AMP private cloud instance directly, they are not required for the connection from the FMC to the AMP private cloud. - **C. IP address and port number for the connection proxy**: These details might be needed in some network configurations, but they are not specifically required for the connection from the FMC to the AMP private cloud. - **D. Internet access for the AMP private cloud to reach the AMP public cloud**: This is not necessary as the AMP private cloud is a standalone deployment that does not need to reach the AMP public cloud. Source: Conversation with Bing, 12/10/2023 (1) How to integrated FMC with AMP private Cloud - Cisco Community. https://community.cisco.com/t5/endpoint-security/how-to-integrated-fmc-with-amp-private-cloud/td-p/3760236. (2) Firepower Management Center Configuration Guide, Version 6.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reference_a_wrapper_Chapter_topic_here.html. (3) Integrating AMP for Endpoints with FMC for data feed. - Cisco. https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/214259-integrating-amp-for-endpoints-with-fmc-f.html. (4) Integration of AMP Virtual Private Cloud and Threat Grid Appliance - Cisco. https://www.cisco.com/c/en/us/support/docs/security/amp-virtual-private-cloud-appliance/217209-integration-of-amp-virtual-private-cloud.html.

Answer 243

The correct answer is **D. custom detection list**³. Both agree In Cisco Secure Endpoint, a custom detection list can be configured to take action based on specific file hashes³. This list can include the SHA-256 hash of the zero-day malware attack, allowing the application to detect and take appropriate action when it encounters a file with this hash³. The other options are not necessarily correct for this specific task: - **A. access control rule**: While access control rules are used in network security to control which users or systems can access resources in a network, they are not used in Cisco Secure Endpoint to take action based on a specific file hash. - **B. correlation policy**: Correlation policies are used to define the conditions under which an event is generated, but they do not enable the application to take action based on a specific file hash. - **C. transform set**: A transform set is a concept in IPsec VPN configurations and is not relevant to detecting malware based on a file hash in Cisco Secure Endpoint. Source: Conversation with Bing, 12/10/2023 (1) Solved: Steps for blocking Sha-256 on FMC - Cisco Community. https://community.cisco.com/t5/network-security/steps-for-blocking-sha-256-on-fmc/td-p/4045940. (2) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/network-malware-protection.html. (3) Cisco Secure Firewall Management Center Administration Guide, 7.3. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/730/management-center-admin-73/events-file-malware.html. (4) Troubleshoot False Positive File Analysis Events in Cisco Secure Endpoint. https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215993-troubleshoot-false-positive-file-analysi.html. (5) Configure a Simple Custom Detection List on the AMP for ... - Cisco. https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215176-configure-a-simple-custom-detection-list.html.

Answer 244

The correct answer is **B. local malware analysis**³. Both agree Local malware analysis is a feature of Cisco Secure Firewall Threat Defense that allows the device to analyze files locally without sending them to Cisco Secure Malware Analytics³. This can be used to ensure that PDF, DOCX, and XLSX files are not sent to Cisco Secure Malware Analytics³. The other options are not necessarily correct for this specific task: - **A. Spero analysis**: Spero is a machine learning-based analysis engine used by Cisco Secure Malware Analytics to identify malicious files. However, it does not control whether files are sent to Cisco Secure Malware Analytics. - **C. capacity handling**: This refers to the device's ability to handle large volumes of network traffic, but it does not control whether files are sent to Cisco Secure Malware Analytics. - **D. dynamic analysis**: This is a type of malware analysis that observes the behavior of a file when it is executed in a controlled environment. However, it does not control whether files are sent to Cisco Secure Malware Analytics. Source: Conversation with Bing, 12/10/2023 (1) Malware and File Policy - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/malware-and-file-policy. (2) Cisco Secure Firewall Threat Defense Hardening Guide, Version 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/hardening/threat_defense/Threat_Defense_Hardening_Guide_v72.html. (3) Secure Firewall Threat Defense 7.3 Documentation - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/landing-page/threat-defense/threatdefense-73-docs.html. (4) Cisco Secure Firewall Threat Defense Syslog Messages. https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/about.html.

Answer 245

The Encrypted Visibility Engine (EVE) is enabled under the **C. Advanced** tab on an access control policy in Cisco Secure Firewall Management Center⁵. Both agree Source: Conversation with Bing, 12/10/2023 (1) Cisco Secure Firewall Management Center Snort 3 Configuration Guide .... https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/snort/720/snort3-configuration-guide-v72/m_encrypted-visibility-engine.html. (2) Encrypted Visibility Engine - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/encrypted-visibility-engine. (3) Cisco Secure Firewall Management Center Device Configuration Guide, 7.3. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/access-policies.html. (4) Encrypted Visibility Engine - Cisco Secure Firewall. https://bing.com/search?q=Encrypted+Visibility+Engine+%28EVE%29+tab+in+access+control+policy+in+Cisco+Secure+Firewall+Management+Center. (5) Encrypted Visibility Engine - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/v7.3/docs/encrypted-visibility-engine-73.

Answer 246

The correct answer is **A. platform settings**²⁴. B - Exam Topics A - AI In the Cisco Secure Firewall Management Center, the platform settings policy is where you would configure access to the device for management purposes, including enabling SSH and specifying which interfaces can be used for remote administration²⁴. This policy controls the basic settings of the device, such as time synchronization, network settings, and user access²⁴. The other options are not necessarily correct for this specific task: - **B. access control**: This policy controls how the device handles traffic on your network, but it does not control access to the device for management purposes. - **C. prefilter**: This policy controls how the device handles traffic before it is processed by the access control policy, but it does not control access to the device for management purposes. - **D. identity**: This policy controls how the device identifies users on your network, but it does not control access to the device for management purposes. Source: Conversation with Bing, 12/10/2023 (1) Cisco Secure Firewall 4200 Getting Started Guide. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/getting-started/4200/secure-firewall-4200-gsg/fmc-remote.html. (2) Cisco Firepower Hardening Guide - media.defense.gov. https://media.defense.gov/2023/Aug/02/2003272858/-1/-1/0/CTR_CISCO_FIREPOWER_HARDENING_GUIDE.PDF. (3) Cisco Firepower Threat Defense Configuration Guide for Firepower Device .... https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-get-started.html. (4) Managing an FDM-Managed Device from the Inside Interface - Cisco. https://edge.us.cdo.cisco.com/content/docs/c-managing-ftdfrom-the-insideinterface.html.

Answer 247

The correct answer is **A. Both users can edit the policy and the last saved configuration persists**¹. Both agree In the Cisco Secure Firewall Management Center, two users must not edit a remote access VPN policy at the same time; however, the web interface does not prevent simultaneous editing. If this occurs, the last saved configuration persists¹. The other options are not accurate in this context. Source: Conversation with Bing, 12/10/2023 (1) Cisco Secure Firewall Management Center Device Configuration Guide, 7.4. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-remote-access.html. (2) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2 .... https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/get-started-device-management.html. (3) Cisco Secure Firewall Management Center Device Configuration Guide, 7.3 .... https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/vpn-s2s.html. (4) Policy-Based Routing with Path Monitoring - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/policy-based-routing-with-path-monitoring. (5) Access Control Policy - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/access-control-policy.

Answer 248

A network administrator is configuring a BVI interface on a routed FTD. The administrator wants to isolate traffic on the interfaces connected to the bridge group and not have the FTD route this traffic using the routing table. What must be configured? Both agree A. A new VRF must be created for the BVI interface B. An IP address must be configured on the BVI C. IP routing must be removed from the physical interfaces connected to the BVI D. The BVI interface must be configured for transparent mode

Answer 249

The correct answer is C. csv. According to the web search results, the Cisco Secure Firewall Management Center can generate standard reports in PDF, HTML, or CSV formats¹. CSV stands for comma-separated values, and it is a file format that stores tabular data in plain text. CSV files can be opened and edited by spreadsheet applications such as Microsoft Excel or Google Sheets. Both agree Source: Conversation with Bing, 12/10/2023 (1) Firepower Management Center Administration Guide, 7.1 - Reports [Cisco .... https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/710/management-center-admin-71/report-reports.html. (2) Cisco Secure Firewall Management Center Administration Guide, 7.3. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/730/management-center-admin-73/get-started-overview.html. (3) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/threat-intelligence-director.html. (4) Cisco Secure Firewall - داده پرداز سپهر آسیا. https://dp-sepehr.ir/wp-content/uploads/2021/05/datasheet-c78-736775.pdf. (5) undefined. http://www.cisco.com/go/firepower-mc-install. (6) undefined. http://stixproject.github.io/documentation/suggested-practices/.

Answer 250

The correct answer is **B. Cisco Secure Firewall Threat Defense needs a NAT policy that allows outside to outside communication**¹²³. A - Exam Topics B - AI When remote users connect via Cisco Secure Client to the corporate network behind a Cisco Secure Firewall Threat Defense device and use their softphones to call each other, the audio traffic is routed from one remote user to another through the corporate network¹²³. This is often referred to as "hairpinning" or "U-turning" because the traffic enters and exits through the same interface of the firewall¹²³. To allow this type of communication, a Network Address Translation (NAT) policy that allows "outside to outside" communication needs to be configured on the Cisco Secure Firewall Threat Defense device¹²³. This policy translates the source IP address of the audio traffic to the public IP address of the firewall, making it appear as if the traffic is coming from the firewall itself¹²³. This allows the audio traffic to be routed back to the other remote user¹²³. The other options are not necessarily correct: - **A. The hairpinning feature is not available on Cisco Secure Firewall Threat Defense**: Hairpinning is supported on Cisco Secure Firewall Threat Defense devices¹²³. - **C. The Enable Spoke to Spoke Connectivity through Hub option is not selected on Cisco Secure Firewall Threat Defense**: This option is related to VPN configurations and is not directly related to the issue described. - **D. Split tunneling is enabled for the Remote Access VPN on Cisco Secure Firewall Threat Defense**: Split tunneling allows a remote VPN user to access a public network, most commonly the Internet, at the same time that the user is allowed to access resources on the VPN. This is not directly related to the issue described. Source: Conversation with Bing, 12/10/2023 (1) Solved: No audio on voice calls over VPN softphone to/from remote site .... https://community.cisco.com/t5/ip-telephony-and-phones/no-audio-on-voice-calls-over-vpn-softphone-to-from-remote-site/td-p/2224430. (2) How to troubleshoot one-way / no audio issues - Cisco Community. https://community.cisco.com/t5/collaboration-knowledge-base/how-to-troubleshoot-one-way-no-audio-issues/ta-p/3164442. (3) Solved: No audio at remote sites - Cisco Community. https://community.cisco.com/t5/ip-telephony-and-phones/no-audio-at-remote-sites/td-p/2372311.

Answer 251

The correct answer is **A. Set the interface mode to passive. Associate the interface with a security zone. Enable the interface. Set the MTU parameter**¹. Both agree In a passive IPS deployment, the Firepower System monitors traffic flowing across a network using a switch SPAN (or mirror) port¹. This provides the system visibility within the network without being in the flow of network traffic¹. When configured in a passive deployment, the system cannot take certain actions such as blocking or shaping traffic¹. Passive interfaces receive all traffic unconditionally, and no traffic received on these interfaces is retransmitted¹. When you enable a passive interface to monitor traffic, you designate mode and MDI/MDIX settings, which are available only for copper interfaces¹. When you disable a passive interface, users can no longer access it for security purposes¹. The range of MTU values can vary depending on the model of the managed device and the interface type¹. Changing the highest MTU value among all non-management interfaces on the device restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection¹. Inspection is interrupted on all non-management interfaces, not just the interface you modified¹. Source: Conversation with Bing, 12/10/2023 (1) Firepower Management Center Configuration Guide, Version 6.5. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/ips_device_deployments_and_configuration.html. (2) Cisco Secure Firewall Device Manager Configuration Guide, Version 7.3. https://www.cisco.com/c/en/us/td/docs/security/firepower/730/fdm/fptd-fdm-config-guide-730/fptd-fdm-get-started.html. (3) Fundamentals of Cisco Firewall Threat Defense and Intrusion Prevention .... https://learningnetworkstore.cisco.com/on-demand-e-learning/fundamentals-of-cisco-firewall-threat-defense-and-intrusion-prevention-sfwipf-v1.0/CSCU-LP-SFWIPF-V1-028125.html. (4) Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting .... https://community.cisco.com/t5/security-knowledge-base/self-paced-learning-for-cisco-firepower-ngfw-ngips-amp-with/ta-p/3306922. (5) High Availability and Scalability Design and Deployment of Cisco .... https://community.cisco.com/t5/security-knowledge-base/high-availability-and-scalability-design-and-deployment-of-cisco/ta-p/4109439.

Answer 252

The two valid statements regarding the licensing model used on Cisco Secure Firewall Threat Defense Virtual appliances are: **B. All licenses support up to 16 vCPUs**¹. **E. Licenses can be used on any supported cloud platform**¹³⁴. D, E - Exam Topics B, E - AI Cisco Secure Firewall Threat Defense Virtual supports performance-tiered licensing that provides different throughput levels and VPN connection limits based on deployment requirements⁵. The licenses can be used on any supported cloud platform, including VMware, KVM, OpenStack, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), government clouds, and hyperconverged infrastructure (Cisco HyperFlex, Nutanix AHV)¹³⁴. The other options are not necessarily correct: - **A. All licenses support a maximum of 250 VPN peers**: The number of VPN peers supported can vary depending on the specific license and deployment requirements⁵. - **C. All licenses require 500G of available storage for the VM**: The amount of storage required can vary depending on the specific deployment and is not necessarily tied to the license⁵. - **D. Licenses can be used on both physical and virtual appliances**: While some licenses may be used on both physical and virtual appliances, this is not necessarily true for all licenses⁵. Source: Conversation with Bing, 12/10/2023 (1) Threat Defense Virtual (formerly FTDv/NGFWv) Data Sheet - Cisco. https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/threat-defense-virtual-ngfwv-ds.html. (2) Cisco Secure Firewall Threat Defense Virtual Getting Started Guide .... https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m_ftdv_aws_gsg.html. (3) Cisco Secure Firewall Threat Defense Virtual Getting Started Guide .... https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-azure-gsg.html. (4) Cisco Secure Firewall Threat Defense Virtual Getting Started Guide .... https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/threat-defense-virtual-73-gsg/m-ftdv-kvm-gsg.html. (5) Cisco Network Security Ordering Guide - Cisco. https://www.cisco.com/c/en/us/products/collateral/security/secure-firewall/guide-c07-737902.html.

Answer 253

The correct answer is **D. Set the Snort Failsafe option**³⁴. For inline sets other than those in tap mode, you can use the Snort Fail Open option to either drop traffic or allow traffic to pass without inspection when the Snort process is busy or down³⁴. This ensures that network traffic is kept even during spikes³⁴. Both agree The other options are not necessarily correct for this specific task: - **A. Change the interface mode to Routed**: This would change the mode of operation of the device, but it would not specifically allow traffic to pass without inspection during spikes. - **B. Select Propagate Link State**: This option is not directly related to allowing traffic to pass without inspection during spikes. - **C. Increase the MTU to 9000**: While increasing the Maximum Transmission Unit (MTU) can improve network performance, it does not specifically allow traffic to pass without inspection during spikes. Source: Conversation with Bing, 12/10/2023 (1) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-ifcs-ips.html. (2) Firepower Management Center Configuration Guide, Version 7.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html. (3) Firepower Management Center Configuration Guide, Version 6.5. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/ips_device_deployments_and_configuration.html. (4) Firepower Threat Defense - brdige or inline? - Cisco Community. https://community.cisco.com/t5/network-security/firepower-threat-defense-brdige-or-inline/td-p/4177794. (5) Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting .... https://community.cisco.com/t5/security-knowledge-base/self-paced-learning-for-cisco-firepower-ngfw-ngips-amp-with/ta-p/3306922. (6) undefined. https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html. (7) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuring-firepower-threat-defense-int.html.

Answer 254

The correct answer is **D. Snort Fail Open**³. Both agree For inline sets other than those in tap mode, you can use the Snort Fail Open option to either drop traffic or allow traffic to pass without inspection when the Snort process is busy or down³. This ensures that network traffic is kept even during spikes³. Source: Conversation with Bing, 12/10/2023 (1) Firepower Management Center Configuration Guide, Version 6.3. https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html. (2) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-ifcs-ips.html. (3) Cisco Secure Firewall Threat Defense Hardening Guide, Version 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/hardening/threat_defense/Threat_Defense_Hardening_Guide_v72.html. (4) Firepower Management Center Configuration Guide, Version 6.5 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/ips_device_deployments_and_configuration.html.

Answer 255

The two features that can be used with Cisco Secure Firewall Threat Defense remote access VPN are: A, C - Exam Topics A, E - AI **A. enable Duo two-factor authentication using LDAPS** Duo two-factor authentication can be used to add an extra layer of security to the VPN connection¹. **E. support for Rapid Threat Containment using RADIUS dynamic authorization** Rapid Threat Containment can be used to automatically contain threats by blocking malicious traffic or quarantining affected users¹. The other options are not necessarily correct: - **B. support for Cisco Secure Firewall 4100 Series in cluster mode**: While the Cisco Secure Firewall 4100 Series can be deployed in cluster mode, this is not a feature of the remote access VPN itself. - **C. SSL remote access VPN supports port sharing with other Cisco FTD features using SSL port 443**: Port sharing is not a feature of the remote access VPN. - **D. use of license utilization for zero-touch network deployment**: License utilization is not a feature of the remote access VPN. Source: Conversation with Bing, 12/10/2023 (1) Cisco Secure Firewall Management Center Device Configuration Guide, 7.4. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-remote-access.html. (2) Remote Access VPN - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/660/fdm/fptd-fdm-config-guide-660/fptd-fdm-ravpn.html. (3) Firepower Management Center Configuration Guide, Version 6.5 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/firepower_threat_defense_remote_access_vpns.html. (4) Cisco Secure Firewall ASA to Threat Defense Feature Mapping. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/migration/asa-to-threat-defense-feature-mapping/asa-to-threat-defense-feature-mapping/vpn.html.

Answer 256

The rule action that is only available in Snort 3 is **D. Rewrite**¹. This action enables overwrite packet contents based on a "replace" option in the rules¹. The other actions such as Pass, Generate, and Alert are also available in Snort 3, but they are not exclusive to it¹. C - Exam Topics D - AI Source: Conversation with Bing, 12/10/2023 (1) Rule Actions - Snort 3 Rule Writing Guide. https://docs.snort.org/rules/headers/actions. (2) The Basics - Snort 3 Rule Writing Guide. https://docs.snort.org/rules/. (3) Cisco Secure Firewall Management Center Snort 3 Configuration Guide .... https://www.cisco.com/c/en/us/td/docs/security/firepower/710/snort3/config-guide/snort3-configuration-guide-v71/tuning-intrusion-policies.html. (4) Snort Blog: How rules are improving in Snort 3. https://blog.snort.org/2020/08/how-rules-are-improving-in-snort-3.html. (5) Cisco Secure Firewall Management Center Snort 3 Configuration Guide .... https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/snort/730/snort3-configuration-guide-v73/overview.html.

Answer 257

The two configurations that must be implemented to allow the IPS device to uniquely identify packet flows and prevent the reporting of duplicate traffic and false positives are: Both agree **A. Set the source SPAN ports to tx only on the switches connected to the IPS interfaces** Setting the source SPAN (Switched Port Analyzer) ports to transmit (tx) only on the switches connected to the IPS interfaces can help prevent the reporting of duplicate traffic². **E. Reassign the interface pairs to separate inline sets** If you assign multiple interface pairs to a single inline interface set but you experience issues with duplicate traffic, reconfiguring to help the system uniquely identify packets could be beneficial. For example, you could reassign your interface pairs to separate inline sets². Source: Conversation with Bing, 12/10/2023 (1) Firepower Management Center Configuration Guide, Version 6.5 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/ips_device_deployments_and_configuration.html. (2) Firepower Management Center Device Configuration Guide, 7.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/interfaces-settings-ifcs-ips.html. (3) User Guide for Cisco Security Manager 4.27. https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/427/user/csm-user-guide-427/chapter37-managing-ips-device-interface.html. (4) Basic Configuration Of IPS Inline Mode - Cisco Learning Network. https://learningnetwork.cisco.com/s/question/0D53i00000KssZxCAJ/basic-configuration-of-ips-inline-mode.

Answer 258

Cisco SecureX is classified as an **C. XDR** (Extended Detection and Response) solution³. XDR is a security technology that automatically collects and correlates data from multiple security layers – endpoint, network, and cloud – to improve threat detection and provide incident response capabilities³. This approach enables a more comprehensive and integrated view of the threat landscape within an organization's IT infrastructure³. Both agree Source: Conversation with Bing, 12/10/2023 (1) Managed Detection and Response for Cisco Secure Endpoint. https://www.cisco.com/c/dam/en/us/products/collateral/security/mdr-for-cisco-secure-endpoint.pdf. (2) Cisco SecureX threat response Data Sheet - Cisco. https://www.cisco.com/c/en/us/products/collateral/security/datasheet-c78-743307.html. (3) About Cisco SecureX Threat Response. https://docs.securex.security.cisco.com/Threat-Response-Help/Content/about-threat-response.html. (4) undefined. https://www.cisco.com/c/en/us/products/security/threat-response.html.

Answer 259

The correct answer is **C. View the threat intelligence observables to see the downloaded data**¹². B - Exam Topics C - AI In the Cisco Secure Firewall system, you can view the threat intelligence observables to see the downloaded data¹². This allows you to verify that the threat intelligence feeds are being downloaded and used within the system¹². The other options are not necessarily correct for this specific task: - **A. Look at the connection security intelligence events**: While this can provide information about security intelligence events, it does not specifically validate that the threat intelligence feeds are being downloaded and used. - **B. Use the source status indicator to validate the usage**: The source status indicator can provide information about the status of the threat intelligence sources, but it does not specifically validate that the feeds are being downloaded and used. - **D. Look at the access control policy to validate that the intelligence is being used**: The access control policy controls how the device handles traffic on your network, but it does not specifically validate that the threat intelligence feeds are being downloaded and used. Source: Conversation with Bing, 12/10/2023 (1) Verifying Security Intelligence Feed on Cisco Secure Firewall. https://community.cisco.com/t5/security-knowledge-base/verifying-security-intelligence-feed-on-cisco-secure-firewall/ta-p/4527523. (2) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/threat-intelligence-director.html. (3) SecureX + Cisco Threat Response Private Intelligence Feeds. https://docs.ces.cisco.com/docs/securex-cisco-threat-response-private-intelligence-feeds. (4) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/access-security-intelligence.html. (5) undefined. https://www.binarydefense.com/banlist.txt.

Answer 260

Cisco Security Analytics and Logging (SaaS) licenses come with **90 days** of data retention by default⁴³. So, the correct answer is **B. 90**. Both agree Source: Conversation with Bing, 12/10/2023 (1) Cisco Secure Analytics and Logging Trial. https://info.securexanalytics.com/sal-trial.html. (2) WHITEPAPER - Firepower Threat Defense Cloud ... - Cisco Community. https://community.cisco.com/t5/security-knowledge-base/whitepaper-firepower-threat-defense-cloud-management-with/ta-p/3991368. (3) Cisco Security Analytics and Logging Ordering Guide - Cisco. https://www.cisco.com/c/en/us/products/collateral/security/security-analytics-logging/guide-c07-742707.html. (4) Integrating Cisco ASA and Cisco Security Analytics and Logging (SaaS .... https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/all_releases/sal-asa-integration/cisco-asa-and-cisco-security-analytics-and-logging-csm-integration-guide.html. (5) Cisco Security Analytics and Logging (On Premises) v2.0 and v3.0 .... https://www.cisco.com/c/en/us/td/docs/security/sal-on-prem/integration/deployment_guide/csal_op_for_fmc_7_0_deploy_guide/m_csal_op_deploy_steps.html.

Answer 261

To verify which rules the traffic from the external vendor is matching, the administrator can use the following two Cisco Secure Firewall Management Center tools: Both agree 1. **Packet Tracer**: This tool can be used to simulate traffic through the firewall and see which access and NAT rules are being hit. 2. **Packet Capture**: This tool can be used to capture actual packets flowing through the firewall. By analyzing these packets, the administrator can determine if they are being allowed or denied as expected. So, the correct answers are **A. Packet Capture** and **E. Packet Tracer**. Please note that while the CLI (Command Line Interface) can also be used for troubleshooting, it's not a tool within the Cisco Secure Firewall Management Center, so option C is not correct in this context. Similarly, options B and D are not relevant tools for this specific task. Source: Conversation with Bing, 12/10/2023 (1) Firepower Management Center Configuration Guide, Version 6.0.1 - NAT .... https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/NAT_Policy_Management.html. (2) Firepower Management Center Device Configuration Guide, 7.1. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/vpn-remote-access.html. (3) Troubleshoot ASA using CLI commands - Cisco. https://edge.us.cdo.cisco.com/content/docs/c_troubleshoot-asa-using-cli-commands.html. (4) Firepower Management Center Administration Guide, 7.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/710/management-center-admin-71/tools-import-export.html. (5) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/access-service-policies.html.

Answer 262

To exempt a custom application from being flagged by Cisco Secure Endpoint, you can add the application to the exclusion list. Here's the process: C - Exam Topics D - AI 1. Find the Exclusion Set you wish to modify³. 2. Click `Add Exclusion` and select `Process`³. 3. Enter the absolute path for the program to exclude, the User account that runs the program (optional), and whether the exclusion must apply to all child processes created by the program³. So, the correct answer is **D. Modify the custom detection list to exclude the custom application**. Please note that this process requires access to the Secure Endpoint console². It's also important to ensure that Cisco Maintained exclusions are in place as well⁴. Source: Conversation with Bing, 12/10/2023 (1) Configure Secure Endpoint Process Exclusions on MacOS and Linux - Cisco. https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/214656-amp-for-endpoints-process-exclusions-in.html. (2) Cisco Secure Endpoint (AMP) - Creating Exclusions & Allowed Applications. https://kb.wisc.edu/security/page.php?id=89648. (3) AMSI Deleted for Windows Defender/Security - Cisco Community. https://community.cisco.com/t5/endpoint-security/amsi-deleted-for-windows-defender-security/td-p/4818883. (4) Cisco Secure Endpoint Exclusions - How do they work?. https://community.cisco.com/t5/endpoint-security/cisco-secure-endpoint-exclusions-how-do-they-work/td-p/4662339. (5) undefined. https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215418-configure-and-manage-exclusions-in-cisco.html. (6) undefined. https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html. (7) undefined. https://community.cisco.com/t5/security-knowledge-base/cisco-endpoint-security-ask-the-experts-resources/ta-p/4394492.

Answer 263

When configuring a custom analysis widget in the Cisco Secure Firewall Management Center, the **title** is a mandatory option for the system to display the information¹. So, the correct answer is **B. title**. The title helps to identify the widget on the dashboard and is essential for organizing and understanding the displayed data. Other options like table, filter, and results are not mandatory but can be used to customize the widget further. Please refer to the Cisco Secure Firewall Management Center Administration Guide for more details¹. A - Exam Topics B - AI Source: Conversation with Bing, 12/10/2023 (1) Cisco Secure Firewall Management Center Administration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/720/management-center-admin-72/health-dashboards.html. (2) Cisco Secure Firewall Management Center Administration Guide, 7.4. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/740/management-center-admin-74/analysis-context-explorer.html. (3) Cisco Secure Firewall Management Center Administration Guide, 7.4. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/740/management-center-admin-74/analysis-external-tools.html. (4) Cisco Secure Dynamic Attribute Connector. https://secure.cisco.com/secure-firewall/docs/cisco-secure-dynamic-attribute-connector.

Answer 264

The Cisco Secure Firewall Threat Defense Virtual appliance in transparent mode can be deployed in the following two virtual environments: D, E - Exam Topics B, D - AI 1. **Amazon Web Services (AWS)**¹⁵ 2. **Kernel-based Virtual Machine (KVM)**¹³ So, the correct answers are **B. AWS** and **D. KVM**. Please note that while VMware ESXi and Google Cloud Platform (GCP) also support Cisco Secure Firewall Threat Defense Virtual appliance¹³, the question specifically asks for the environments that support the appliance in transparent mode. For more details, please refer to the Cisco Secure Firewall Threat Defense Virtual Data Sheet¹ and the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide². Source: Conversation with Bing, 12/10/2023 (1) Threat Defense Virtual (formerly FTDv/NGFWv) Data Sheet - Cisco. https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/threat-defense-virtual-ngfwv-ds.html. (2) Secure and Save with Cisco Secure Firewall Threat Defense Virtual. https://blogs.cisco.com/security/secure-and-save-with-cisco-secure-firewall-threat-defense-virtual. (3) Virtual Firewall Clustering - secure.cisco.com. https://secure.cisco.com/secure-firewall/docs/clustering-virtual-firewalls. (4) Cisco Secure Firewall Threat Defense Virtual Getting Started Guide .... https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-hx-gsg.html. (5) Cisco Firepower NGFW Virtual (NGFWv) Appliance Data Sheet - Connection. https://www.connection.com/~/media/pdfs/brands/c/cisco/firewall/cisco-ngfwv-data-sheet.pdf?la=en.

Answer 265

When creating a new intrusion rule in a Cisco Secure Firewall Threat Defense device, the **metadata** keyword is used to add a line that identifies the author of the rule and the date it was created¹. So, the correct answer is **B. metadata**. This keyword is part of the rule header and provides additional information about the rule¹. For more details, please refer to the Cisco Secure Firewall Threat Defense Syslog Messages guide³ and the Cisco Secure Firewall Device Manager Configuration Guide². Both agree Source: Conversation with Bing, 12/10/2023 (1) Managing Firewall Threat Defense with Cloud-delivered Firewall ... - Cisco. https://www.cisco.com/c/en/us/td/docs/security/cdo/cloud-delivered-firewall-management-center-in-cdo/managing-firewall-threat-defense-services-with-cisco-defense-orchestrator/m_intrusion-tuning-rules.html. (2) Cisco Secure Firewall Threat Defense Syslog Messages. https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/security-event-syslog-messages.html. (3) Cisco Secure Firewall Device Manager Configuration Guide, Version 7.2. https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-intrusion.html. (4) Managing Firewall Threat Defense with Cloud-delivered Firewall ... - Cisco. https://www.cisco.com/c/en/us/td/docs/security/cdo/cloud-delivered-firewall-management-center-in-cdo/managing-firewall-threat-defense-services-with-cisco-defense-orchestrator/m_intrusion-custom-rules.html.

Answer 266

In the context of Cisco ISE and Cisco FMC integration, a realm is used to establish a connection between the FMC and an LDAP or Microsoft AD server³⁴. This connection allows the FMC to retrieve user and user group metadata for certain detected users³⁴. This metadata can be used for user awareness and user control³⁴. B - Exam Topics D - AI So, the correct answer is **D. AD definition**. Please note that the realm does not necessarily have to be directly connected to those directories. The entity can also learn the users and groups metadata passively and then share it with the FMC⁵. For more details, please refer to the Cisco Secure Firewall Management Center Device Configuration Guide³ and the Cisco Secure Firewall Management Center Configuration Guide⁴. Source: Conversation with Bing, 12/10/2023 (1) Firepower Management Center Device Configuration Guide, 7.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/identity-realms.html. (2) Firepower Management Center Configuration Guide, Version 6.7 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/create_and_manage_realms.html. (3) How to create a Cisco FMC Realm with AD with some explanation. https://bluenetsec.com/fmc-ad-realm/. (4) Solved: Integrating FMC with ISE - Cisco Community. https://community.cisco.com/t5/network-security/integrating-fmc-with-ise/td-p/3341196. (5) Configure ISE 2.4 and FMC 6.2.3 pxGrid Integration - Cisco. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-24/214481-configure-ise-2-4-and-fmc-6-2-3-pxgrid-i.html.

Answer 267

After configuring the passive-interface on the Secure Firewall Threat Defense device and SPAN on the switch, the next step for the engineer would be to configure the **intrusion policy** on the Secure Firewall Threat Defense device¹². This policy will define how the device should inspect and handle the traffic it receives¹². So, the correct answer is **A. intrusion policy on the Secure Firewall Threat Defense device**. Please refer to the Cisco Secure Firewall Management Center Device Configuration Guide for more details¹². Both agree Source: Conversation with Bing, 12/10/2023 (1) Firepower Management Center Device Configuration Guide, 7.1. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/interfaces-settings-ifcs-ips.html. (2) Firepower Management Center Configuration Guide, Version 6.3. https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html. (3) How to configure passive HA Panorama ethernet interface. https://live.paloaltonetworks.com/t5/panorama-discussions/how-to-configure-passive-ha-panorama-ethernet-interface/td-p/488549. (4) Firepower Management Center Configuration Guide, Version 7.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/interface_overview_for_firepower_threat_defense.html. (5) Cisco Secure Firewall Management Center Device Configuration Guide, 7.3. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/interfaces-settings-ifcs-overview.html. (6) undefined. https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-m-series-a.

Answer 268

To enable Cisco Secure Firewall Malware Defense to detect and block malware, a **file policy** must be associated with an access control policy¹². This policy defines how the system should inspect and handle the traffic it receives¹². So, the correct answer is **B. file policy**. Please refer to the Cisco Secure Firewall Management Center Device Configuration Guide for more details¹². Both agree Source: Conversation with Bing, 12/10/2023 (1) Cisco Secure Firewall Management Center Device Configuration Guide, 7.4. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/network-malware-protection.html. (2) Malware and File Policy - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/v7.3/docs/malware-and-file-policy. (3) Firepower Management Center Configuration Guide, Version 6.5 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/file_policies_and_advanced_malware_protection.html.

ExamTopics 300-710 Flashcards

(294 cards)