Q and A 300-710

Question 1

Which limitation applies to Cisco FMC dashboards in a multi-domain environment?

A. Child domains are able to view but not edit dashboards that originate from an ancestor domain.

B. Child domains have access to only a limited set of widgets from ancestor domains.

C. Only the administrator of the top ancestor domain is able to view dashboards.

D. Child domains are not able to view dashboards that originate from an ancestor domain.

Answer 1

D. Child domains are not able to view dashboards that originate from an ancestor domain.

Verified

In a multidomain deployment, you cannot view dashboards from ancestor domains; however, you can create new dashboards that are copies of the higher-level dashboards.

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Using_Dashboards.html

The limitation that applies to Cisco FMC dashboards in a multi-domain environment is:

D. Child domains are not able to view dashboards that originate from an ancestor domain.

In a multi-domain deployment, child domains cannot view dashboards from ancestor domains. However, they can create new dashboards that are copies of the higher-level dashboards²³. Always refer to the official Cisco documentation or consult with a network security professional when configuring network appliances¹²³.

Source: Conversation with Bing, 12/11/2023
(1) Firepower Management Center Configuration Guide, Version 6.2.3 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/dashboards.html.
(2) Firepower Management Center Administration Guide, 7.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/710/management-center-admin-71/health-dashboards.html.
(3) Firepower Management Center Configuration Guide, Version 6.2.3 - Domain …. https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/domain_management.html.
(4) Which limitation applies to Cisco Firepower Management Center …. https://vceguide.com/which-limitation-applies-to-cisco-firepower-management-center-dashboards-in-a-multidomain-environment/.

Question 2

An organization does not want to use the default Cisco Firepower block page when blocking HTTP traffic. The organization wants to include information about its policies and procedures to help educate the users whenever a block occurs. Which two steps must be taken to meet these requirements? (Choose two.)

A. Edit the HTTP request handling in the access control policy to customized block
B. Modify the system-provided block page result using Python
C. Create HTML code with the information for the policies and procedures
D. Change the HTTP response in the access control policy to custom
E. Write CSS code with the information for the policies and procedures

Answer 2

C. Create HTML code with the information for the policies and procedures
D. Change the HTTP response in the access control policy to custom

Verified

To customize the Cisco Firepower block page when blocking HTTP traffic, the following two steps must be taken:

1. Create HTML code with the information for the policies and procedures²³. This HTML code will be used to create the custom block page that will be displayed to the users.
2. Change the HTTP response in the access control policy to custom¹². This will ensure that the custom block page is used instead of the default Cisco Firepower block page.

So, the correct answers are C. Create HTML code with the information for the policies and procedures and D. Change the HTTP response in the access control policy to custom. Please note that while Python can be used to modify web pages, it’s not typically used within the context of Cisco Firepower’s block page customization². Similarly, CSS can be used to style the block page, but it’s not necessary for including the organization’s policies and procedures². For more details, please refer to the Cisco documentation¹²³.

Source: Conversation with Bing, 12/11/2023
(1) Access Control Policy - Block Response Page - Cisco Community. https://community.cisco.com/t5/network-security/access-control-policy-block-response-page/td-p/2570606.
(2) Firepower URL Blocking page setup and management - WIRES AND WI.FI. https://www.wiresandwi.fi/blog/firepower-url-blocking-page-setup-and-management.
(3) HTTP Response Pages and Interactive Blocking - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/fpmc-config-guide-v60_chapter_01011100.pdf.
(4) Which two steps must be taken to meet these requirements?. https://www.exam4training.com/which-two-steps-must-be-taken-to-meet-these-requirements/.
(5) undefined. http://mycompany.com/logo.jpg.

Question 3

Which action must be taken on the Cisco FMC when a packet bypass is configured in case the Snort engine is down or a packet takes too long to process?

A. Enable Automatic Application Bypass.
B. Add a Bypass Threshold policy for failures.
C. Configure Fastpath rules to bypass inspection.
D. Enable Inspect Local Router Traffic.

Answer 3

A. Enable Automatic Application Bypass.

Verified

Configure Automatic Application Bypass
Automatic Application Bypass (AAB) allows packets to bypass detection if Snort is down or if a packet takes too long to process. AAB causes Snort to restart within ten minutes of the failure, and generates troubleshooting data that can be analyzed to investigate the cause of the Snort failure.

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/device_management_basics.html#:~:text=Rules%20(8000%20Series)-,Configure%20Automatic%20Application%20Bypass,-Automatic%20Application%20Bypass

Question 4

An administrator is adding a QoS policy to a Cisco FTD deployment. When a new rule is added to the policy and QoS is applied on “Interfaces in Destination Interface Objects”, no interface objects are available. What is the problem?

A. The FTD is out of available resources for use, so QoS cannot be added.
B. The network segments that the interfaces are on do not have contiguous IP space.
C. A conflict exists between the destination interface types that is preventing QoS from being added.
D. QoS is available only on routed interfaces, and this device is in transparent mode.

Answer 4

D. QoS is available only on routed interfaces, and this device is in transparent mode.

The problem is that QoS is available only on routed interfaces, and this device is in transparent mode². So, the correct answer is D. QoS is available only on routed interfaces, and this device is in transparent mode. Please note that QoS policies deployed to managed devices govern rate limiting². Each QoS policy can target multiple devices; each device can have one deployed QoS policy at a time². For more details, please refer to the Cisco documentation².

Source: Conversation with Bing, 12/11/2023
(1) Quality of Service (QoS) for Firepower Threat Defense - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/quality_of_service_qos.pdf.
(2) QoS Policy On Firepower Threat Defense Configuration. https://community.cisco.com/t5/security-blogs/qos-policy-on-firepower-threat-defense-configuration/ba-p/4671162.
(3) TEST BORRADO, QUIZÁS LE INTERESE 300.710 - Tests Online. https://www.daypo.com/300-710.html.
(4) Test examen 5 19 - Tests Online. https://www.daypo.com/examen-5-19.html. https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/quality_of_service__qos__for_firepower_threat_defense.html

Question 5

A network security engineer must export packet captures from the Cisco FMC web browser while troubleshooting an issue. When navigating to the address https:///capture/CAPI/pcap/test.pcap, an error 403: Forbidden is given instead of the PCAP file. Which action must the engineer take to resolve this issue?

A. Disable the proxy setting on the browser
B. Disable the HTTPS server and use HTTP instead
C. Use the Cisco FTD IP address as the proxy server setting on the browser
D. Enable the HTTPS server for the device platform policy

Answer 5

D. Enable the HTTPS server for the device platform policy

To resolve the issue of receiving an error 403: Forbidden instead of the PCAP file when trying to export packet captures from the Cisco FMC web browser, the engineer must D. Enable the HTTPS server for the device platform policy⁴⁵. This action will allow the engineer to access the required files over a secure connection. Please note that disabling the proxy setting on the browser or using the Cisco FTD IP address as the proxy server setting on the browser may not resolve this issue⁴⁵. Similarly, disabling the HTTPS server and using HTTP instead is not recommended due to security concerns⁴⁵. For more details, please refer to the Cisco documentation⁴⁵.

Source: Conversation with Bing, 12/11/2023
(1) Which action must the engineer take to resolve this issue? - VCEguide.com. https://vceguide.com/which-action-must-the-engineer-take-to-resolve-this-issue-2/.
(2) [25-Sep-2021] New 2020 CCNP 300-710 SNCF Dumps with VCE and PDF from …. https://www.ciscovceplus.com/25-sep-2021-new-2020-ccnp-300-710-sncf-dumps-with-vce-and-pdf-from-passleader-update-questions.html?upm_export=html.
(3) Passive ID 403 forbidden in packet capture. - Cisco Community. https://community.cisco.com/t5/network-access-control/passive-id-403-forbidden-in-packet-capture/td-p/3538322.
(4) Use Firepower Threat Defense Captures and Packet Tracer - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html.
(5) Export/Copy Network Objects from FMC - Cisco Community. https://community.cisco.com/t5/network-security/export-copy-network-objects-from-fmc/td-p/4140622.
(6) undefined. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/api/REST/Firepower_Management_Center_REST_API_Quick_Start_Guide_650/objects_in_the_rest_api.html.

Question 6

An analyst using the security analyst account permissions is trying to view the Correlations Events Widget but is not able to access it. However, other dashboards are accessible. Why is this occurring?

A. The widget is configured to display only when active events are present
B. The security analyst role does not have permission to view this widget
C. An API restriction within the Cisco FMC is preventing the widget from displaying
D. The widget is not configured within the Cisco FMC

Answer 6

Absolutely no good answer

D. The widget is not configured within the Cisco FMC

This is what most in the community are going with. B is absolutely wrong.

Question 7

An engineer must configure a Cisco FMC dashboard in a child domain. Which action must be taken so that the dashboard is visible to the parent domain?

A. Adjust policy inheritance settings
B. Add a separate widget
C. Create a copy of the dashboard
D. Add a separate tab

Answer 7

C. Create a copy of the dashboard

In a multidomain deployment, you cannot view dashboards from ancestor domains¹²⁴. However, you can create new dashboards that are copies of the higher-level dashboards¹²⁴. So, the correct answer is C. Create a copy of the dashboard. Please note that only the administrator of the top ancestor domain can view dashboards³. For more details, please refer to the Cisco documentation¹²⁴.

Source: Conversation with Bing, 12/11/2023
(1) Inheritance in Multidomain Environment in FTD - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/216497-inheritance-in-multidomain-environment-i.html.
(2) Firepower Management Center Configuration Guide, Version 6.2.3 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/dashboards.html.
(3) Firepower Management Center Administration Guide, 7.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/710/management-center-admin-71/health-dashboards.html.
(4) Which limitation applies to Cisco Firepower Management Center …. https://www.exam4training.com/which-limitation-applies-to-cisco-firepower-management-center-dashboards-in-a-multidomain-environment/.

Question 8

A network engineer sets up a secondary Cisco FMC that is integrated with Cisco Security Packet Analyzer. What occurs when the secondary Cisco FMC synchronizes with the primary Cisco FMC? (Choose two)

A. The existing configuration for integration of the secondary Cisco FMC the Cisco Security Packet Analyzer is overwritten.
B. The synchronization between the primary and secondary Cisco FMC fails.
C. The existing integration configuration is replicated to the primary Cisco FMC.
D. The secondary Cisco FMC must be reintegrated with the Cisco Security Packet Analyzer after the synchronization.

Answer 8

A. The existing configuration for integration of the secondary Cisco FMC the Cisco Security Packet Analyzer is overwritten.

D. The secondary Cisco FMC must be reintegrated with the Cisco Security Packet Analyzer after the synchronization.

The correct answer is A. The existing configuration for integration of the secondary Cisco FMC the Cisco Security Packet Analyzer is overwritten.

According to the Cisco documentation¹², when setting up a high availability pair of Cisco FMCs, the primary unit’s policies are synchronized to the secondary unit. After this synchronization, the primary FMC becomes the active peer, while the secondary FMC becomes the standby peer, and the two units act as a single appliance for managed device and policy configuration. Therefore, any existing configuration on the secondary FMC, including the integration with the Cisco Security Packet Analyzer, is overwritten by the primary FMC’s configuration. The secondary FMC must be reintegrated with the Cisco Security Packet Analyzer after the synchronization.

Source: Conversation with Bing, 12/11/2023
(1) Firepower Management Center Configuration Guide, Version 6.2 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_management_center_high_availability.html.
(2) Firepower Management Center Administration Guide, 7.1 - High … - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/710/management-center-admin-71/system-ha.html.
(3) Configure High Availability on FMC - Cisco. https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-management-center/221089-configure-high-availability-on-fmc.html.

Question 9

An engineer is reviewing a ticket that requests to allow traffic for some devices that must connect to a server over 8699/udp. The request mentions only one IP address, 172.16.18.15, but the requestor asked for the engineer to open the port for all machines that have been trying to connect to it over the last week. Which action must the engineer take to troubleshoot this issue?

A. Use the context explorer to see the application blocks by protocol.
B. Filter the connection events by the source port 8699/udp.
C. Filter the connection events by the destination port 8699/udp.
D. Use the context explorer to see the destination port blocks.

Answer 9

C. Filter the connection events by the destination port 8699/udp.

The engineer should C. Filter the connection events by the destination port 8699/udp¹². This will allow the engineer to see all the devices that have been trying to connect to the server over the specified port in the last week. The engineer can then use this information to adjust the firewall rules accordingly. Please note that while the context explorer can provide useful information about blocked applications and ports, it may not provide the specific information needed in this case¹². Similarly, filtering by the source port may not yield the desired results, as the source port can vary for each device¹². For more details, please refer to the Cisco documentation¹².

Source: Conversation with Bing, 12/11/2023
(1) Firepower Management Center Device Configuration Guide, 7.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/access-prefilter.html.
(2) Firepower Management Center Administration Guide, 7.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/710/management-center-admin-71/health-troubleshoot.html.
(3) [30-Nov-2021] New 2020 CCNP 300-710 SNCF Dumps with VCE and PDF from …. https://www.ciscovceplus.com/30-nov-2021-new-2020-ccnp-300-710-sncf-dumps-with-vce-and-pdf-from-passleader-update-questions.html?upm_export=doc.
(4) Site to Site VPN Configuration on FTD Managed by FMC - Cisco. https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215470-site-to-site-vpn-configuration-on-ftd-ma.html.
(5) Basic Troubleshooting For traffic through ASA Firewall. https://community.cisco.com/t5/security-knowledge-base/basic-troubleshooting-for-traffic-through-asa-firewall/ta-p/3162819.

Question 10

A network administrator is troubleshooting access to a website hosted behind a Cisco FTD device. External clients cannot access the web server via HTTPS. The IP address configured on the web server is 192.168.7.46. The administrator is running the command capture CAP interface outside match ip any 192.168.7.46 255.255.255.255 but cannot see any traffic in the capture. Why is this occurring?

A. The capture must use the public IP address of the web server.
B. The packet capture shows only blocked traffic.
C. The FTD has no route to the web server.
D. The access policy is blocking the traffic.

Answer 10

A. The capture must use the public IP address of the web server.

The issue is occurring because A. The capture must use the public IP address of the web server¹². When capturing traffic on the outside interface of a Cisco FTD device, the capture must match the public IP address that the external clients are using to access the web server¹². This is because the FTD device performs Network Address Translation (NAT) on the traffic, translating the private IP address of the web server to a public IP address¹². Therefore, the capture command should be updated to match the public IP address of the web server¹². For more details, please refer to the Cisco documentation¹².

Source: Conversation with Bing, 12/11/2023
(1) Configure Management Access to FTD (HTTPS and SSH) via FMC - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200701-Configuration-of-Management-access-to-FT.html.
(2) Solved: FTD External Authentication - Cisco Community. https://community.cisco.com/t5/network-security/ftd-external-authentication/td-p/3044711.
(3) Test examen 5 19 - Tests Online. https://www.daypo.com/examen-5-19.html.
(4) Troubleshoot Common AnyConnect Communication Issues on FTD. https://www3-realm.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/216180-troubleshoot-common-anyconnect-communica.pdf.
(5) FTD RA VPN - DHCP Server configuration not working - Cisco Community. https://community.cisco.com/t5/network-security/ftd-ra-vpn-dhcp-server-configuration-not-working/td-p/4007398.

Question 11

An engineer must deploy a Cisco FTD appliance via Cisco FMC to span a network segment to detect malware and threats. When setting the Cisco FTD interface mode, which sequence of actions meets this requirement?

A. Set to passive, and configure an access control policy with an intrusion policy and a file policy defined.
B. Set to passive, and configure an access control policy with a prefilter policy defined.
C. Set to none, and configure an access control policy with an intrusion policy and a file policy defined.
D. Set to none, and configure an access control policy with a prefilter policy defined.

Answer 11

A. Set to passive, and configure an access control policy with an intrusion policy and a file policy defined.

To deploy a Cisco FTD appliance via Cisco FMC for malware and threat detection, the interface mode should be set to passive and an access control policy with an intrusion policy and a file policy should be defined. Therefore, the correct sequence of actions is:

A. Set to passive, and configure an access control policy with an intrusion policy and a file policy defined.

This is because in a passive deployment, the FTD appliance can monitor network traffic for threats and malware without affecting the flow of traffic¹². The intrusion policy and file policy are essential components of the access control policy that enable the appliance to detect and handle threats¹².

Please note that this is a general recommendation and the specific configuration may vary depending on the network environment and security requirements. Always refer to the official Cisco documentation or consult with a network security professional when configuring network appliances¹²³.

Source: Conversation with Bing, 12/11/2023
(1) Install and Upgrade FTD on Firepower Appliances - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200886-installing-and-upgrading-firepower-threa.html.
(2) FMC to remote FTD deployment - Cisco Community. https://community.cisco.com/t5/network-security/fmc-to-remote-ftd-deployment/td-p/3217743.
(3) Firepower Management Center Configuration Guide, Version 7.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/interface_overview_for_firepower_threat_defense.html.

Question 12

A company is deploying intrusion protection on multiple Cisco FTD appliances managed by Cisco FMC. Which system-provided policy must be selected if speed and detection are priorities?

A. Maximum Detection
B. Connectivity Over Security
C. Security Over Connectivity
D. Balanced Security and Connectivity

Answer 12

D. Balanced Security and Connectivity

Verified

The Balanced Security and Connectivity policy is designed to provide a balance between network speed and performance while maintaining effective cybersecurity measures. It prioritizes the detection of threats while also ensuring that network traffic flows smoothly and efficiently.

If speed and detection are priorities, the system-provided policy to be selected is:

D. Balanced Security and Connectivity

This policy is built for both speed and detection. Used together with the network analysis policy of the same name, it serves as a good starting point for most networks and deployment types². Please note that the specific configuration may vary depending on the network environment and security requirements. Always refer to the official Cisco documentation or consult with a network security professional when configuring network appliances¹²³.

Source: Conversation with Bing, 12/11/2023
(1) Cisco Firepower Threat Defense Configuration Guide for Firepower Device …. https://www.cisco.com/c/en/us/td/docs/security/firepower/710/fdm/fptd-fdm-config-guide-710/fptd-fdm-intrusion.html.
(2) Cisco Firepower Threat Defense Configuration Guide for Firepower Device …. https://www.cisco.com/c/en/us/td/docs/security/firepower/670/fdm/fptd-fdm-config-guide-670/fptd-fdm-intrusion.html.
(3) Cisco Firepower Threat Defense Configuration Guide for Firepower Device …. https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-intrusion.html.
(4) Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting …. https://community.cisco.com/t5/security-knowledge-base/self-paced-learning-for-cisco-firepower-ngfw-ngips-amp-with/ta-p/3306922.

Question 13

Upon detecting a flagrant threat on an endpoint, which two technologies instruct Cisco Identity Services Engine to contain the infected endpoint either manually or automatically? (Choose two.)

A. Cisco Stealthwatch
B. Cisco ASA 5500 Series
C. Cisco FMC
D. Cisco ASR 7200 Series
E. Cisco AMP

Answer 13

C. Cisco FMC
E. Cisco AMP

Verified.

In the context of this question FMC makes more sense than Stealthwatch.

Question 14

A network administrator tries to convert from LDAP to LDAPS for VPN user authentication on a Cisco FTD. Which action must be taken on the Cisco FTD objects to accomplish this task?

A. Identify the LDAPS cipher suite and use a Cipher Suite List object to define the Cisco FTD connection requirements.
B. Modify the Policy List object to define the session requirements for LDAPS.
C. Add a Key Chain object to acquire the LDAPS certificate.
D. Create a Certificate Enrollment object to get the LDAPS certificate needed.

Answer 14

D. Create a Certificate Enrollment object to get the LDAPS certificate needed.

To convert from LDAP to LDAPS for VPN user authentication on a Cisco FTD, the action that must be taken on the Cisco FTD objects is:

D. Create a Certificate Enrollment object to get the LDAPS certificate needed.

This is because when converting from LDAP to LDAPS, a certificate is required for the secure connection¹². The Certificate Enrollment object in Cisco FTD is used to acquire this certificate³. Please note that the specific configuration may vary depending on the network environment and security requirements. Always refer to the official Cisco documentation or consult with a network security professional when configuring network appliances¹²³.

Source: Conversation with Bing, 12/11/2023
(1) Configure AD (LDAP) Authentication and User Identity on FTD … - Cisco. https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/216955-configure-ad-ldap-authentication-and-u.html.
(2) How to convert existing LDAP to LDAPS? - Spiceworks Community. https://community.spiceworks.com/topic/2192789-how-to-convert-existing-ldap-to-ldaps.
(3) Firepower AnyConnect LDAP/AD Authentication Issue - Cisco Community. https://community.cisco.com/t5/vpn/firepower-anyconnect-ldap-ad-authentication-issue/td-p/4048922.
(4) Configure Password Management Using LDAPs for RA VPN on FTD … - Cisco. https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220880-configure-password-management-using-ldap.html.
(5) undefined. https://gist.github.com/magnetikonline/0ccdabfec58eb1929c997d22e7341e45.
(6) undefined. https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ld.

Question 15

A network administrator is configuring an FTD in transparent mode. A bridge group is set up and an access policy has been set up to allow all IP traffic. Traffic is not passing through the FTD. What additional configuration is needed?

A. An IP address must be assigned to the BVI.
B. The security levels of the interfaces must be set.
C. A default route must be added to the FTD.
D. A mac-access control list must be added to allow all MAC addresses.

Answer 15

A. An IP address must be assigned to the BVI.

The additional configuration needed when a network administrator is configuring an FTD in transparent mode and traffic is not passing through the FTD is:

A. An IP address must be assigned to the BVI.

In Transparent Mode, FTD bridges the inside and outside interfaces into a single Layer 2 network and remains transparent to the hosts. When FTD is in Transparent Mode, the FMC does not allow you to assign an IPv4 address to a directly connected interface⁴. As a result, the hosts are unable to communicate with any connected interfaces⁴. Therefore, assigning an IP address to the Bridge Virtual Interface (BVI) is necessary for traffic to pass through the FTD¹²³⁴. Please note that the specific configuration may vary depending on the network environment and security requirements. Always refer to the official Cisco documentation or consult with a network security professional when configuring network appliances¹²³⁴.

Source: Conversation with Bing, 12/12/2023
(1) Chapter 9 Firepower Deployment in Transparent Mode - Cisco Firepower …. https://www.oreilly.com/library/view/cisco-firepower-threat/9780134679471/ch09.xhtml.
(2) Firepower Threat Defense Transparent Firewall Mode Advanced … - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215530-firepower-threat-defense-transparent-fir.html.
(3) Solved: Inline FTD device not passing traffic - Cisco Community. https://community.cisco.com/t5/network-security/inline-ftd-device-not-passing-traffic/td-p/4448405.
(4) Transparent or Routed Firewall Mode for Firepower Threat Defense - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v601_chapter_01101010.pdf.
(5) Firepower Management Center Configuration Guide, Version 6.4 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html.
(6) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuring-firepower-threat-defense-int.html.

Question 16

Refer to the exhibit. A systems administrator conducts a connectivity test to their SCCM server from a host machine and gets no response from the server. Which action ensures that the ping packets reach the destination and that the host receives replies?

A. Configure a custom Snort signature to allow ICMP traffic after inspection.
B. Modify the Snort rules to allow ICMP traffic.
C. Create an access control policy rule that allows ICMP traffic.
D. Create an ICMP allow list and add the ICMP destination to remove it from the implicit deny list.

Answer 16

B. Modify the Snort rules to allow ICMP traffic.

Verified

Question 17

A security engineer is deploying a pair of primary and secondary Cisco FMC devices. The secondary must also receive updates from Cisco Talos. Which action achieves this goal?

A. Manually import rule updates onto the secondary Cisco FMC device.
B. Force failover for the secondary Cisco FMC to synchronize the rule updates from the primary.
C. Configure the primary Cisco FMC so that the rules are updated.
D. Configure the secondary Cisco FMC so that it receives updates from Cisco Talos.

Answer 17

C. Configure the primary Cisco FMC so that the rules are updated.

Verified

If your deployment includes a high availability pair of FMCs, import the update on the primary only. The secondary FMC receives the rule update as part of the regular synchronization process.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/710/management-center-admin-71/system-updates.html#:~:text=currently%20installed%20rules.-,If%20your%20deployment%20includes%20a%20high%20availability%20pair%20of%20FMCs%2C%20import%20the%20update%20on%20the%20primary%20only.%20The%20secondary%20FMC%20receives%20the%20rule%20update%20as%20part%20of%20the%20regular%20synchronization%20process.,-An%20intrusion%20rule

Question 18

When a Cisco FTD device is configured in transparent firewall mode, on which two interface types can an IP address be configured? (Choose two.)

A. Physical
B. EtherChannel
C. Subinterface
D. BVI
E. Diagnostic

Answer 18

D. BVI
E. Diagnostic

Question 19

A security engineer needs to configure a network discovery policy on a Cisco FMC appliance and prevent excessive network discovery events from overloading the FMC database? Which action must be taken to accomplish this task?

A. Monitor only the default IPv4 and IPv6 network ranges.
B. Configure NetFlow exporters for monitored networks.
C. Change the network discovery method to TCP/SYN.
D. Exclude load balancers and NAT devices in the policy.

Answer 19

D. Exclude load balancers and NAT devices in the policy.

https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/network_discovery_policies.html

The action that must be taken to prevent excessive network discovery events from overloading the FMC database is:

D. Exclude load balancers and NAT devices in the policy.

Cisco recommends excluding load balancers and NAT devices from monitoring as these devices may create excessive and misleading events, filling the database and overloading the Firepower Management Center¹⁴. Please note that the specific configuration may vary depending on the network environment and security requirements. Always refer to the official Cisco documentation or consult with a network security professional when configuring network appliances¹²³⁴.

Source: Conversation with Bing, 12/12/2023
(1) Firepower Management Center Configuration Guide, Version 6.1. https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/network_discovery_policies.html.
(2) Network Discovery Policies. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/discovery-policies.pdf.
(3) Network Discovery Policy - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/discovery-policy.
(4) Network Discovery Policies. https://www.cisco.com/c/en/us/td/docs/security/firepower/621/configuration/guide/fpmc-config-guide-v621/network_discovery_policies.pdf.

Question 20

An engineer defines a new rule while configuring an Access Control Policy. After deploying the policy, the rule is not working as expected and the hit counters associated with the rule are showing zero. What is causing this error?

A. An incorrect application signature was used in the rule.
B. The wrong source interface for Snort was selected in the rule.
C. The rule was not enabled after being created.
D. Logging is not enabled for the rule.

Answer 20

A. An incorrect application signature was used in the rule.

Could be A or C, but new rules are enabled by default so “A” makes more sense. AI was not helpful and said it could be any of the 4.

Question 21

An administrator needs to configure Cisco FMC to send a notification email when a data transfer larger than 10 MB is initiated from an internal host outside of standard business hours. Which Cisco FMC feature must be configured to accomplish this task?

A. file and malware policy
B. application detector
C. correlation policy
D. intrusion policy

Answer 21

C. correlation policy

Verified

Sample Configuration for Excessive BitTorrent Data Transfers
Consider a scenario where you want to generate a correlation event if the system detects excessive BitTorrent data transfers after an initial connection to any host on your monitored network.

The following graphic shows a correlation rule that triggers when the system detects the BitTorrent application protocol on your monitored network. The rule has a connection tracker that constrains the rule so that the rule triggers only if hosts on your monitored network (in this example, 10.1.0.0/16) collectively transfer more than 7MB of data (7340032 bytes) via BitTorrent in the five minutes following the initial policy violation.

https://www.cisco.com/c/en/us/td/docs/security/firepower/621/configuration/guide/fpmc-config-guide-v621/correlation_policies.html#ID-2204-00000ca6:~:text=stops%20tracking%20connections.-,Sample%20Configuration%20for%20Excessive%20BitTorrent%20Data%20Transfers,-Consider%20a%20scenario

Question 22

Which process should be checked when troubleshooting registration issues between Cisco FMC and managed devices to verify that secure communication is occurring?

A. fpcollect
B. dhclient
C. sfrmgr
D. sftunnel

Answer 22

D. sftunnel

Verified

The process that should be checked when troubleshooting registration issues between Cisco FMC and managed devices to verify that secure communication is occurring is:

D. sftunnel

The sftunnel process is used for the secure connection between a managed FTD and the managed FMC¹. If there are registration issues, checking the status and functionality of the sftunnel process can help identify and resolve the problem¹. Please note that the specific configuration may vary depending on the network environment and security requirements. Always refer to the official Cisco documentation or consult with a network security professional when configuring network appliances¹.

Source: Conversation with Bing, 12/14/2023
(1) Configure, Verify, and Troubleshoot Firepower Device Registration - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215540-configure-verify-and-troubleshoot-firep.html.
(2) Use FMC and FTD Smart License Registration and Common Issues to … - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/215838-fmc-and-ftd-smart-license-registration-a.html.
(3) Restored FMC from backup. Can’t see or deploy to devices?. https://community.cisco.com/t5/network-security/restored-fmc-from-backup-can-t-see-or-deploy-to-devices/td-p/4762177.

Question 23

A security engineer must integrate an external feed containing STIX/TAXII data with Cisco FMC. Which feature must be enabled on the Cisco FMC to support this connection?

A. Threat Intelligence Director
B. Cisco Success Network
C. Security Intelligence Feeds
D. Cisco Secure Endpoint Integration

Answer 23

A. Threat Intelligence Director

Verified

The correct answer is A. To integrate an external feed containing STIX/TAXII data with Cisco FMC, the Threat Intelligence Director feature must be enabled.

The Threat Intelligence Director is a feature of Cisco FMC that allows for the integration of external threat intelligence feeds, including those that use STIX/TAXII. The Threat Intelligence Director allows the Cisco FMC to receive threat intelligence data from external sources and use that data to inform security policies and block malicious traffic.

The feature that must be enabled on the Cisco FMC to support the integration of an external feed containing STIX/TAXII data is:

A. Threat Intelligence Director

The Threat Intelligence Director (TID) in Cisco FMC operationalizes threat intelligence data, helping you aggregate intelligence data, configure defensive actions, and analyze threats in your environment¹. TID supports other ingestion parameters such as STIX and TAXII³. Please note that the specific configuration may vary depending on the network environment and security requirements. Always refer to the official Cisco documentation or consult with a network security professional when configuring network appliances¹³.

Source: Conversation with Bing, 12/14/2023
(1) Firepower Management Center Device Configuration Guide, 7.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/threat-intelligence-director.html.
(2) Third-Party Integration of Security Feeds with FMC (Cisco Threat …. https://community.cisco.com/t5/security-blogs/third-party-integration-of-security-feeds-with-fmc-cisco-threat/ba-p/3905840.
(3) Firepower Security Intelligence with third party free TAXII feeds. https://community.cisco.com/t5/integrated-security-platform/firepower-security-intelligence-with-third-party-free-taxii/td-p/4192811.
(4) Securing Networks with Cisco Firepower (SNCF) - VCEdump. https://www.vcedump.com/exam/300-710.html.
(5) undefined. http://hailataxii.com/.

Question 24

An engineer is configuring two new Cisco FTD devices to replace the existing high availability firewall pair in a highly secure environment. The information exchanged between the FTD devices over the failover link must be encrypted. Which protocol supports this on the Cisco FTD?

A. MACsec
B. IPsec
C. SSH
D. SSL

Answer 24

B. IPsec

The protocol that supports encrypted information exchange between Cisco FTD devices over the failover link is:

B. IPsec

By default, the communications on the failover and stateful failover links are plain text (unencrypted). However, you can enhance security by configuring an IPsec encryption key to encrypt these communications¹. Please note that the specific configuration may vary depending on the network environment and security requirements. Always refer to the official Cisco documentation or consult with a network security professional when configuring network appliances¹.

Source: Conversation with Bing, 12/14/2023
(1) Cisco Firepower Threat Defense Configuration Guide for Firepower Device …. https://www.cisco.com/c/en/us/td/docs/security/firepower/630/fdm/fptd-fdm-config-guide-630/fptd-fdm-ha.html.
(2) Configure FTD High Availability on Firepower Appliances - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html.
(3) Solved: Supported encryption in FTD 6.7.0 - Cisco Community. https://community.cisco.com/t5/vpn/supported-encryption-in-ftd-6-7-0/td-p/4445577.
(4) Cisco Content Hub - SGT Exchange Protocol over TCP (SXP). https://content.cisco.com/chapter.sjs?uri=%2Fsearchable%2Fchapter%2Fwww.cisco.com%2Fcontent%2Fen%2Fus%2Ftd%2Fdocs%2Fswitches%2Flan%2Ftrustsec%2Fconfiguration%2Fguide%2Ftrustsec%2Fsxp_config.html.xml&platform=Cisco%20Catalyst%204900%20Series%20Switches&release=IOS%20XE%203E.
(5) undefined. https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/vpn_overview.html.

Question 25

A security engineer must configure policies for a recently deployed Cisco FTD. The security policy for the company dictates that when five or more connections from external sources are initiated within 2 minutes, there is cause for concern. Which type of policy must be configured in Cisco FMC to generate an alert when this condition is triggered?

A. application detector
B. access control
C. correlation
D. intrusion

Answer 25

C. correlation

Verified

The correct answer is C. correlation. A correlation policy can be configured in the Cisco Firepower Management Center (FMC) to generate an alert when a specific condition is triggered. Correlation policies allow you to define rules that specify the conditions under which the system should generate an alert, and the actions that the system should take when those conditions are met. In this case, a correlation rule can be created to generate an alert when five or more connections from external sources are initiated within 2 minutes

The type of policy that must be configured in Cisco FMC to generate an alert when this condition is triggered is:

C. Correlation Policy

A correlation policy allows you to define the conditions under which the system should generate an alert¹. These conditions can include a variety of factors, such as the detection of specific types of traffic or activities, and can be fine-tuned to occur during specific time periods¹. Therefore, a correlation policy can be configured to send a notification email when a data transfer larger than 10 MB is initiated from an internal host outside of standard business hours¹. Please note that the specific configuration may vary depending on the network environment and security requirements. Always refer to the official Cisco documentation or consult with a network security professional when configuring network appliances¹.

Source: Conversation with Bing, 12/14/2023
(1) Firepower Management Center Configuration Guide, Version 6.5 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/external_alerting_with_alert_responses.html.
(2) Cisco FMC critical and major email alert - Cisco Community. https://community.cisco.com/t5/network-security/cisco-fmc-critical-and-major-email-alert/td-p/4083838.
(3) Solved: FMC IPS Critical Alert - Cisco Community. https://community.cisco.com/t5/network-security/fmc-ips-critical-alert/td-p/4083902.
(4) undefined. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/fpmc-config-guide-v60_chapter_01110000.html.
(5) undefined. https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/external_alerting_for_intrusion_events.pdf.

Question 26

A consultant is working on a project where the customer is upgrading from a single Cisco Firepower 2130 managed by FDM to a pair of Cisco Firepower 2130s managed by FMC for high availability. The customer wants the configuration of the existing device being managed by FDM to be carried over to FMC and then replicated to the additional device being added to create the high availability pair. Which action must the consultant take to meet this requirement?

A. The current FDM configuration must be configured by hand into FMC before the devices are registered.
B. The current FDM configuration must be migrated to FMC using the Secure Firewall Migration Tool.
C. The FTD configuration must be converted to ASA command format, which can then be migrated to FMC.
D. The current FDM configuration will be converted automatically into FMC when the device registers.

Answer 26

The action that the consultant must take to meet this requirement is:

A. The current FDM configuration must be configured by hand into FMC before the devices are registered.

Currently, Cisco does not have any option to migrate FDM firepower configuration to an FMC and vice-versa¹. Therefore, the existing configuration on the device managed by FDM must be manually configured into FMC before the devices are registered¹. Please note that the specific configuration may vary depending on the network environment and security requirements. Always refer to the official Cisco documentation or consult with a network security professional when configuring network appliances¹.

Source: Conversation with Bing, 12/14/2023
(1) Configure FDM On-Box Management Service for Firepower 2100 - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-2100-series/213519-configure-fdm-firepower-device-manageme.html.
(2) Cisco Firepower 2100 Series - Configuration Guides - Cisco. https://www.cisco.com/c/en/us/support/security/firepower-2100-series/products-installation-and-configuration-guides-list.html.
(3) Adding new Firepower 2130 Series to Firepower Management Center - Cisco …. https://community.cisco.com/t5/network-security/adding-new-firepower-2130-series-to-firepower-management-center/td-p/4409623.
(4) Cisco Firepower Threat Defense Configuration Guide for Firepower Device …. https://www.cisco.com/c/en/us/td/docs/security/firepower/630/fdm/fptd-fdm-config-guide-630/fptd-fdm-ha.html.
(5) Firepower Management Center Configuration Guide, Version 6.2 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_management_center_high_availability.html.

https://www.cisco.com/c/en/us/support/docs/security/firepower-2100-series/213519-configure-fdm-firepower-device-manageme.html#:~:text=Caution%3A%20Right%20now%20Cisco%20does%20not%20have%20any%20option%20to%20migrate%20FDM%20firepower%20configuration%20to%20an%20FMC%20and%20vice%2Dversa%2C%20take%20this%20into%20consideration%20when%20you%20choose%20what%20type%20of%20management%20you%20configure%20for%20the%20FTD%20installed%20in%20the%20firepower%202100.

Question 27

A network administrator must create an EtherChannel interface on a new Cisco Firepower 9300 appliance registered with an FMC for high availability. Where must the administrator create the EtherChannel interface?

A. FMC GUI
B. FMC CLI
C. FTD CLI
D. FXOS CLI

Answer 27

D. FXOS CLI

Verified

I was wrong, according to the link below the provided answer is correct, so D:
“The Firepower 4100/9300 manages the basic Ethernet settings of physical interfaces, VLAN subinterfaces for container instances, and EtherChannel (port-channel) interfaces. Within the application, you configure higher level settings. For example, you can only create EtherChannels in FXOS; but you can assign an IP address to the EtherChannel within the application.”

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos281/cli-guide/b_CLI_ConfigGuide_FXOS_281/interface_management.html

The administrator must create the EtherChannel interface at:

D. FXOS CLI

On Firepower 4100 and 9300 series devices, EtherChannel interfaces are created using the Firepower Chassis Manager (FCM) or the Firepower eXtensible Operating System (FXOS) CLI¹⁴. Once created, they can be assigned to and used by the Firepower Threat Defense (FTD) logical devices running on that hardware⁴. Please note that the specific configuration may vary depending on the network environment and security requirements. Always refer to the official Cisco documentation or consult with a network security professional when configuring network appliances¹⁴.

Source: Conversation with Bing, 12/15/2023
(1) Configure and Verify Port-Channel on Firepower Appliances - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215351-configure-verify-and-troubleshoot-port.html.
(2) FMC 4600 Version 6.7.0 Etherchannel Configuration - Cisco Community. https://community.cisco.com/t5/network-security/fmc-4600-version-6-7-0-etherchannel-configuration/td-p/4258317.
(3) Solved: Etherchannel(LACP) configuration in Firepower(FTD w/ FMC …. https://community.cisco.com/t5/network-security/etherchannel-lacp-configuration-in-firepower-ftd-w-fmc-inline/td-p/4640700.
(4) Configure FTD High Availability on Firepower Appliances - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html.

Question 28

A network administrator is reviewing a monthly advanced malware risk report and notices a host that is listed as CnC Connected. Where must the administrator look within Cisco FMC to further determine if this host is infected with malware?

A. Analysis > Hosts > Indications of Compromise
B. Analysis > Hosts > Host Attributes
C. Analysis > Files > Malware Events
D. Analysis > Files > Network File Trajectory

Answer 28

A. Analysis > Hosts > Indications of Compromise

Verified

The administrator should look at:

A. Analysis > Hosts > Indications of Compromise

The “Indications of Compromise” feature in Cisco FMC provides alerts if individual hosts show signs of compromise from unknown attacks⁴. This can help the administrator to further determine if the host is infected with malware⁴. Please note that the specific configuration may vary depending on the network environment and security requirements. Always refer to the official Cisco documentation or consult with a network security professional when configuring network appliances¹²³⁴.

Source: Conversation with Bing, 12/15/2023
(1) Cisco Secure Firewall Management Center (formerly Firepower Management …. https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html.
(2) Solved: 25 Compromise host-FTD/FMC - Cisco Community. https://community.cisco.com/t5/network-security/25-compromise-host-ftd-fmc/td-p/4403164.
(3) Firepower Management Center Configuration Guide, Version 6.2.3 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/file_policies_and_advanced_malware_protection.html.
(4) Malware and File Policy - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/malware-and-file-policy.
(5) Solved: The host may be under remote control - Cisco Community. https://community.cisco.com/t5/network-security/the-host-may-be-under-remote-control/td-p/3203315.

Also verified here:
https://community.cisco.com/t5/network-security/hosts-indications-of-compromise/td-p/2982680#:~:text=Analysis%3EHosts%3EIndications%20of%20Compromise

Question 29

An engineer is configuring a Cisco FTD device to place on the Finance VLAN to provide additional protection for company financial data. The device must be deployed without requiring any changes on the end user workstations, which currently use DHCP to obtain an IP address. How must the engineer deploy the device to meet this requirement?

A. Deploy the device in transparent mode and enable the DHCP Server feature.
B. Deploy the device in routed mode and enable the DHCP Relay feature.
C. Deploy the device in transparent mode and allow DHCP traffic in the access control policies.
D. Deploy the device in routed mode and allow DHCP traffic in the access control policies.

Answer 29

C. Deploy the device in transparent mode and allow DHCP traffic in the access control policies.

Verified

The correct answer is C. Deploy the device in transparent mode and allow DHCP traffic in the access control policies. When deploying a Cisco FTD device in transparent mode, it acts as a “bump in the wire” and is not seen as a router hop to connected devices. This means that the end user workstations, which currently use DHCP to obtain an IP address, will not require any changes to their configuration 1. To allow DHCP traffic to pass through the device, the engineer must configure the access control policies to permit DHCP traffic

The engineer must deploy the device as follows to meet this requirement:

C. Deploy the device in transparent mode and allow DHCP traffic in the access control policies.

In transparent mode, the Cisco FTD device acts like a “bump in the wire” and is virtually invisible to the network, making it ideal for situations where you want to add security without changing the existing network design¹. Allowing DHCP traffic in the access control policies ensures that the end user workstations, which currently use DHCP to obtain an IP address, can continue to do so without any changes¹. Please note that the specific configuration may vary depending on the network environment and security requirements. Always refer to the official Cisco documentation or consult with a network security professional when configuring network appliances¹.

Source: Conversation with Bing, 12/15/2023
(1) Cisco Firepower Threat Defense Configuration Guide for Firepower Device …. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-interfaces.html.
(2) Cisco Firepower Threat Defense Configuration Guide for Firepower Device …. https://www.cisco.com/c/en/us/td/docs/security/firepower/610/fdm/fptd-fdm-config-guide-610/fptd-fdm-get-started.html.
(3) Solved: Cisco FTD DHCP relay on FMC - Cisco Community. https://community.cisco.com/t5/network-security/cisco-ftd-dhcp-relay-on-fmc/td-p/3773319.
(4) Cisco Exam 300-710 Questions and Answers - Update Dec 2023 - DumpsMate. https://www.dumpsmate.com/300-710-securing-networks-with-cisco-firepower-300-710-sncf-question.html.

Question 30

Which default action setting in a Cisco FTD Access Control Policy allows all traffic from an undefined application to pass without Snort inspection?

A. Network Discovery Only
B. Inherit from Base Policy
C. Intrusion Prevention
D. Trust All Traffic

Answer 30

D. Trust All Traffic

Verified

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71.pdf

Question 31

An engineer plans to reconfigure an existing Cisco FTD from transparent mode to routed mode. Which additional action must be taken to maintain communication between the two network segments?

A. Assign a unique VLAN ID for the interface in each segment.
B. Update the IP addressing so that each segment is a unique IP subnet.
C. Configure a NAT rule so that traffic between the segments is exempt from NAT.
D. Deploy inbound ACLs on each interface to allow traffic between the segments.

Answer 31

B. Update the IP addressing so that each segment is a unique IP subnet.

Verified

The correct answer is B. Update the IP addressing so that each segment is a unique IP subnet. When reconfiguring an existing Cisco FTD from transparent mode to routed mode, it is necessary to update the IP addressing so that each segment is a unique IP subnet 1. In routed mode, the Cisco FTD device is considered to be a router hop in the network, and each interface that you want to route between must be on a different subnet 1. This means that the engineer must update the IP addressing of the network segments to ensure that they are unique IP subnets, and then configure the routing on the Cisco FTD device to maintain communication between the two network segments.

When reconfiguring an existing Cisco FTD from transparent mode to routed mode, the additional action that must be taken to maintain communication between the two network segments is B. Update the IP addressing so that each segment is a unique IP subnet¹².

In routed mode, the FTD device is considered to be a router hop in the network. Each interface that you want to route between is on a different subnet¹². Therefore, it’s necessary to update the IP addressing so that each segment is a unique IP subnet¹². This ensures that the FTD device can properly route traffic between the different network segments¹².

Source: Conversation with Bing, 12/16/2023
(1) Transparent or Routed Firewall Mode for Firepower Threat Defense - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v601_chapter_01101010.pdf.
(2) Firepower Management Center Device Configuration Guide, 7.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/device-ops-tfw.html.
(3) Cisco Secure Firewall Management Center Device Configuration Guide, 7.3. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/device-ops-tfw.html.
(4) Configure Firepower Threat Defense Interfaces in Routed Mode - Cisco. https://www1-realm.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200908-configuring-firepower-threat-defense-int.pdf.

Question 32

Network users are experiencing intermittent issues with internet access. An engineer identified that the issue is being caused by NAT exhaustion. How must the engineer change the dynamic NAT configuration to provide internet access for more users without running out of resources?

A. Convert the dynamic auto NAT rule to dynamic manual NAT.
B. Add an identity NAT rule to handle the overflow of users.
C. Configure fallthrough to interface PAT on the Advanced tab.
D. Define an additional static NAT for the network object in use.

Answer 32

C. Configure fallthrough to interface PAT on the Advanced tab.

Verified

Fallthrough to Interface PAT (Destination Interface) (Dynamic NAT only.)
Whether to use the IP address of the destination interface as a backup method when the other mapped addresses are already allocated (interface PAT fallback). This option is available only if you select a destination interface that is not a member of a bridge group. You cannot select this option if you already configured interface PAT as the translated address. You cannot use this option with IPv6 networks.

The engineer should choose C. Configure fallthrough to interface PAT on the Advanced tab¹²³. This option allows the NAT device to use Port Address Translation (PAT) when the pool of available IP addresses is exhausted¹²³. This way, multiple internal devices can share a single external IP address, effectively increasing the number of users that can access the internet without running out of resources¹²³.

Source: Conversation with Bing, 12/16/2023
(1) Dynamic NAT Configuration in Cisco - GeeksforGeeks. https://www.geeksforgeeks.org/dynamic-nat-configuration-in-cisco/.
(2) How to Configure Dynamic NAT in Cisco Router - ComputerNetworkingNotes. https://www.computernetworkingnotes.com/ccna-study-guide/how-to-configure-dynamic-nat-in-cisco-router.html.
(3) Cisco NAT Configuration - Network Configuration Manager - ManageEngine. https://www.manageengine.com/network-configuration-manager/configlets/configure-dynamic-nat-cisco.html.
(4) Configuring Dynamic NAT (NAT Overload) On A Cisco Router. https://www.firewall.cx/cisco/cisco-routers/cisco-router-dynamic-nat.html.

Question 33

An engineer is configuring a custom intrusion rule on Cisco FMC. The engineer needs the rule to search the payload or stream for the string “|44 78 97 13 2 0A|”. Which keyword must the engineer use with this string to create an argument for packet inspection?

A. protected_content
B. content
C. data
D. metadata

Answer 33

B. content

The engineer should use the keyword B. content¹² with the string to create an argument for packet inspection in Cisco Firepower Management Center (FMC). The content keyword is used to specify the payload or stream that the rule should search¹². Please note that the configuration details might vary based on your specific network setup and requirements¹². Always ensure to follow the appropriate guidelines and best practices for your network environment¹².

Source: Conversation with Bing, 12/16/2023
(1) CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.8. https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/firewall/asa-98-firewall-config/inspect-overview.html.
(2) Firepower Management Center Configuration Guide, Version 6.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/The_Intrusion_Rule_Editor.html.
(3) Firepower Management Center Configuration Guide, Version 7.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/tuning_intrusion_policies_using_rules.html.
(4) CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.2. https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/inspect-basic.html.

Question 34

An engineer must investigate a connectivity issue from an endpoint behind a Cisco FTD device and a public DNS server. The endpoint cannot perform name resolution queries. Which action must the engineer perform to troubleshoot the issue by simulating real DNS traffic on the Cisco FTD while verifying the Snort verdict?

A. Use the Capture w/Trace wizard in Cisco FMC.
B. Run the system support firewall-engine-debug command from the FTD CLI.
C. Create a Custom Workflow in Cisco FMC.
D. Perform a Snort engine capture using tcpdump from the FTD CLI.

Answer 34

A. Use the Capture w/Trace wizard in Cisco FMC.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html#anc5

The Capture w/Trace wizard in Cisco FMC allows you to capture packets on an FTD device and trace their path through the Snort engine. This can help you troubleshoot connectivity issues from an endpoint behind an FTD device and a public DNS server, as well as verify the Snort verdict for the DNS traffic. The Capture w/Trace wizard lets you specify the source and destination IP addresses, ports, and protocols for the packets you want to capture and trace, as well as the FTD device and interface where you want to perform the capture. You can also apply filters to limit the capture size and duration.After you start the capture, you can ping the DNS server from the endpoint and then view the captured packets and their Snort verdicts in the FMC web interface2.

To use the Capture w/Trace wizard in Cisco FMC, you need to follow these steps2:

In the FMC web interface, navigate to Troubleshooting > Capture/Trace.

Click New Capture.

Choose an FTD device from the Device drop-down list.

Choose an interface from the Interface drop-down list.

Enter the source and destination IP addresses, ports, and protocols for the packets you want to capture and trace. For example, if you want to capture DNS queries from an endpoint with IP address 10.1.1.100 to a DNS server with IP address 8.8.8.8, you can enter these values:

Source IP: 10.1.1.100

Source Port: any

Destination IP: 8.8.8.8

Destination Port: 53

Protocol: UDP

Optionally, apply filters to limit the capture size and duration. For example, you can set the maximum number of packets to capture, the maximum capture file size, or the maximum capture time.

Click Start.

Ping the DNS server from the endpoint and wait for some packets to be captured.

Click Stop to stop the capture.

Click View Capture to see the captured packets and their Snort verdicts.

The other options are incorrect because:

Performing a Snort engine capture using tcpdump from the FTD CLI will not allow you to trace the path of the packets through the Snort engine or verify their Snort verdicts.Tcpdump is a command-line tool that can capture packets on an FTD device, but it does not provide any information about how Snort processes those packets or what actions Snort takes on them2.

Creating a Custom Workflow in Cisco FMC will not help you troubleshoot a connectivity issue from an endpoint behind an FTD device and a public DNS server. A Custom Workflow is a user-defined set of pages that display event data in different formats, such as tables, charts, maps, and so on.A Custom Workflow does not allow you to capture or trace packets on an FTD device3.

Running the system support firewall-engine-debug command from the FTD CLI will not allow you to simulate real DNS traffic on the FTD device or verify the Snort verdict for that traffic. The firewall-engine-debug command is a diagnostic tool that can generate synthetic packets and send them through the Snort engine on an FTD device.The synthetic packets are not real network traffic and do not affect any connections or policies on the FTD device4.

Question 35

When an engineer captures traffic on a Cisco Secure Firewall Threat Defense device to troubleshoot a connectivity problem, they receive a large amount of output data in the GUI tool. The engineer found that viewing the captures this way is time-consuming and difficult to sort and filter. Which file type must the engineer export the data in so that it can be reviewed using a tool built for this type of analysis?

A. NetFlow v9
B. PCAP
C. IPFIX
D. NetFlow v5

Answer 35

B. PCAP

Both agree

The best file type for the engineer to export the data in is B. PCAP. PCAP stands for packet capture, and it is a common format for storing network traffic data. PCAP files can be opened and analyzed by various tools, such as Wireshark, tcpdump, and Snort. These tools allow the engineer to sort, filter, search, and decode the captured packets, as well as generate statistics and graphs. PCAP files can also be imported back into the Cisco Secure Firewall Threat Defense device for further analysis.

NetFlow v9 and IPFIX are protocols for exporting network flow information, such as source and destination IP addresses, ports, protocols, and bytes. They are not suitable for capturing the full content of network packets, and they require a collector device or software to receive and process the exported data. Therefore, they are not the best file types for the engineer’s purpose.

Source: Conversation with Bing, 12/9/2023
(1) Use Firepower Threat Defense Captures and Packet Tracer - Cisco. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html.
(2) Cisco Secure Firewall Threat Defense Hardening Guide, Version 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/hardening/threat_defense/Threat_Defense_Hardening_Guide_v72.html.
(3) Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting …. https://community.cisco.com/t5/security-knowledge-base/self-paced-learning-for-cisco-firepower-ngfw-ngips-amp-with/ta-p/3306922.
(4) Malware and File Policy - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/malware-and-file-policy.

Question 36

An engineer is configuring a custom application detector for HTTP traffic and wants to import a file that was provided by a third party. Which type of files are advanced application detectors created and uploaded as?

A. Perl script
B. NBAR protocol
C. LUA script
D. Python program

Answer 36

C. LUA script

Both agree

The correct answer is C. LUA script. Custom application detectors are pattern-based and detect patterns in packets from client, web application, or application protocol traffic¹²³⁴. These detectors are created and uploaded as LUA scripts. LUA is a powerful, efficient, lightweight, embeddable scripting language that is used for a variety of purposes, including network traffic analysis. It allows engineers to write complex detection patterns that can match various characteristics of network traffic. Perl scripts and Python programs, while powerful, are not used for this specific purpose in the context of Cisco Secure Firewall Threat Defense. NBAR (Network Based Application Recognition) protocol is a mechanism used by certain Cisco routers to recognize a wide variety of applications, including web-based and client/server applications.

Source: Conversation with Bing, 12/9/2023
(1) Firepower Management Center Configuration Guide, Version 6.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Application_Detection.html.
(2) Application Control - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/application-control.
(3) Firepower Management Center Configuration Guide, Version 7.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/application_detection.html.
(4) Cisco Secure Firewall Management Center Device Configuration Guide, 7.4. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/discovery-app-detection.html.
(5) undefined. https://appid.cisco.com/home.

Question 37

An engineer must deploy a Cisco Secure Firewall Threat Defense device. Management wants to examine traffic without requiring network changes that will disrupt end users. Corporate security policy requires the separation of management traffic from data traffic and the use of SSH over Telnet for remote administration. How must the device be deployed to meet these requirements?

A. in transparent mode with a management interface
B. in routed mode with a bridge virtual interface
C. in transparent mode with a data interface
D. in routed mode with a diagnostic interface

Answer 37

A. in transparent mode with a management interface

Both agree

The device must be deployed A. in transparent mode with a management interface to meet these requirements.

In transparent mode, the Cisco Secure Firewall Threat Defense device acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices¹. This allows the management to examine traffic without requiring network changes that will disrupt end users. Layer 2 connectivity is achieved by using a “bridge group” where you group together the inside and outside interfaces for a network, and the device uses bridging techniques to pass traffic between the interfaces¹.

A management interface is used to separate management traffic from data traffic². This aligns with the corporate security policy that requires the separation of management traffic from data traffic. The use of SSH over Telnet for remote administration can be configured separately and is not dependent on the deployment mode of the device.

Therefore, deploying the device in transparent mode with a management interface would meet all the stated requirements.

Source: Conversation with Bing, 12/9/2023
(1) Cisco Secure Firewall Management Center Device Configuration Guide, 7.3. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/device-ops-tfw.html.
(2) Secure Firewall Management Center and Threat Defense Management … - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/management-center-mgmt-nw/fmc-ftd-mgmt-nw.html.
(3) Cisco Firepower Hardening Guide - media.defense.gov. https://media.defense.gov/2023/Aug/02/2003272858/-1/-1/0/CTR_CISCO_FIREPOWER_HARDENING_GUIDE.PDF.
(4) Encrypted Visibility Engine - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/encrypted-visibility-engine.
(5) Deploy a Threat Defense Virtual Cluster on Azure - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/deploy-threat-defense-virtual-cluster-azure.html.

Question 38

A network administrator reviews the attack risk report and notices several low-impact attacks. What does this type of attack indicate?

A. All attacks are listed as low until manually recategorized.
B. The host is not vulnerable to those attacks.
C. The host is not within the administrator’s environment.
D. The attacks are not dangerous to the network.

Answer 38

B. The host is not vulnerable to those attacks.

Low-impact attacks typically indicate that B. The host is not vulnerable to those attacks.

In the context of cybersecurity, the impact of an attack refers to the potential damage it could cause if it were successful. A low-impact attack is one that, even if successful, would not cause significant harm to the system or network¹. This could be because the system has defenses in place that would mitigate the attack, or because the system does not contain sensitive data that the attack is designed to compromise².

It’s important to note that while low-impact attacks may not pose a significant threat by themselves, they could potentially be part of a larger, more complex attack strategy. Therefore, all attacks, regardless of their assessed impact, should be taken seriously and investigated thoroughly.

The other options are not necessarily true:
- A. All attacks are listed as low until manually recategorized: This is not a standard practice. The impact of an attack is typically assessed based on its potential damage, not manually recategorized later.
- C. The host is not within the administrator’s environment: The location of the host does not determine the impact of an attack. An attack can have a high impact regardless of whether the host is within the administrator’s environment or not.
- D. The attacks are not dangerous to the network: Even low-impact attacks can be dangerous if they are part of a larger attack strategy or if they exploit a vulnerability that could be used in a future high-impact attack. Therefore, all attacks should be considered potentially dangerous.

Source: Conversation with Bing, 12/9/2023
(1) OWASP Risk Rating Methodology | OWASP Foundation. https://owasp.org/www-community/OWASP_Risk_Rating_Methodology.
(2) What is Cyber Risk? Examples & Impact - Hyperproof. https://hyperproof.io/resource/what-is-cyber-risk/.
(3) What is Conventional Warfare? | Small Wars Journal. https://smallwarsjournal.com/blog/what-is-conventional-warfare.
(4) undefined. https://owasp.org/www-community/Threat_Modeling.
(5) undefined. https://owasp.org/www-community/Application_Threat_Modeling.

Question 39

The security engineer reviews the syslog server events of an organization and sees many outbound connections to malicious sites initiated from hosts running Cisco Secure Endpoint. The hosts are on a separate network from the Cisco FTD device. Which action blocks the connections?

A. Modify the policy on Cisco Secure Endpoint to enable DFC.
B. Modify the access control policy on the Cisco FMC to block malicious outbound connections
C. Add the IP addresses of the malicious sites to the access control policy on the Cisco FMC
D. Add a Cisco Secure Endpoint policy with the Tetra and Spero engines enabled

Answer 39

C. Add the IP addresses of the malicious sites to the access control policy on the Cisco FMC

In the context of Cisco Secure Firewall Threat Defense (FTD) and Secure Endpoint, the access control policy on the Cisco Firepower Management Center (FMC) can be modified to block outbound connections to malicious sites². This can be done by adding an Access Control rule that blocks connections to the destination addresses observed to be in violation of the policy⁴.

The other options are not necessarily correct:
- A. Modify the policy on Cisco Secure Endpoint to enable DFC: DFC (Device Flow Correlation) is a feature of Cisco Secure Endpoint that correlates events across multiple devices. While it can provide valuable insights into network traffic, it does not directly block connections to malicious sites.
- C. Add the IP addresses of the malicious sites to the access control policy on the Cisco FMC: While this could potentially block connections to the specific malicious sites, it would not be a comprehensive solution as new malicious sites could emerge at any time.
- D. Add a Cisco Secure Endpoint policy with the Tetra and Spero engines enabled: The Tetra and Spero engines are components of Cisco Secure Endpoint that provide antivirus and machine learning capabilities, respectively. While they can help detect and prevent malware, they do not directly block connections to malicious sites.

Source: Conversation with Bing, 12/10/2023
(1) Protecting against Log4j with Secure Firewall & Secure IPS. https://blogs.cisco.com/security/protecting-against-log4j-with-secure-firewall-secure-ips.
(2) Need to block outbound VPN connection on FTD managed … - Cisco Community. https://community.cisco.com/t5/network-security/need-to-block-outbound-vpn-connection-on-ftd-managed-by-fmc-on-7/td-p/4710903.
(3) Configure IP Allow and Block List in the Secure Endpoint Cloud … - Cisco. https://www.cisco.com/c/en/us/support/docs/security/secure-endpoint/217750-configure-ip-allow-and-block-list-in-the.html.
(4) Solved: Block Outgoing VPN Access - Cisco Community. https://community.cisco.com/t5/network-security/block-outgoing-vpn-access/td-p/749812.
(5) undefined. https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html.

Question 40

An engineer has been tasked with performing an audit of network objects to determine which objects are duplicated across the various firewall models (Cisco Secure Firewall Threat Defense, Cisco Secure Firewall ASA, and Meraki MX Series) deployed throughout the company. Which tool will assist the engineer in performing that audit?

A. Cisco Firepower Device Manager
B. Cisco Defense Orchestrator
C. Cisco Secure Firewall Management Center
D. Cisco SecureX

Answer 40

The tool that will assist the engineer in performing that audit is B. Cisco Defense Orchestrator¹³.

Both agree

Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices³. It hosts a cloud version of the Cisco Secure Firewall migration tool that can be used to migrate existing firewall configurations to a Secure Firewall Threat Defense device managed by the cloud-delivered Firewall Management Center¹. This makes it an ideal tool for auditing network objects across various firewall models deployed throughout the company.

The other options are not necessarily correct for this specific task:
- A. Cisco Firepower Device Manager: This is a web-based management interface for standalone Cisco Firepower Threat Defense devices that simplifies device configuration, management, and troubleshooting. It does not provide the capability to audit network objects across different firewall models.
- C. Cisco Secure Firewall Management Center: This provides centralized management of the Cisco Secure Firewall. While it does provide visibility and control across the network, it does not have the specific capability to audit network objects across different firewall models.
- D. Cisco SecureX: This is a cloud-native, built-in platform experience within Cisco’s security portfolio. It connects the breadth of Cisco’s integrated security portfolio and the customer’s infrastructure for a consistent experience. It does not have the specific capability to audit network objects across different firewall models.

Source: Conversation with Bing, 12/10/2023
(1) Migrating Firewalls with the Firewall Migration Tool in Cisco Defense …. https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-firewall-migration-tool-on-cdo/migrating-firewalls-with-the-firewall-migration-tool-in-cisco-defense-orchestrator/m-migrating-firewalls-with-the-cloud-firewall-migration-tool.html.
(2) What’s New for Cisco Defense Orchestrator (CDO). https://community.cisco.com/t5/security-knowledge-base/what-s-new-for-cisco-defense-orchestrator-cdo/ta-p/4066742.
(3) Cisco Secure Firewall ASA to Threat Defense Feature Mapping. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/migration/asa-to-threat-defense-feature-mapping/asa-to-threat-defense-feature-mapping/firewall.html.
(4) 6 Best Firewall Audit Tools 2023: Review and Analyze Firewall Rules. https://www.enterprisenetworkingplanet.com/security/firewall-audit-tool/.

Question 41

A network engineer is deploying a pair of Cisco Secure Firewall Threat Defense devices managed by Cisco Secure Firewall Management Center for High Availability. Internet access is a high priority for the business and therefore they have invested in internet circuits from two different ISPs. The requirement from the customer is that internet access must be available to their users even if one of the ISPs is down. Which two features must be deployed to achieve this requirement? (Choose two.)

A. Route Tracking
B. Redundant interfaces
C. EtherChannel interfaces
D. SLA Monitor
E. BGP

Answer 41

The two features that must be deployed to achieve this requirement are:

A, D - Exam Topics

Verified

https://integratingit.wordpress.com/2020/08/14/ftd-dual-isp-failover/

A. Route Tracking
Route tracking allows the device to track the availability of a route and make routing decisions based on the status of the tracked objects¹. This can be used to ensure that if one ISP goes down, the device can switch to using the other ISP.

E. BGP
Border Gateway Protocol (BGP) is a protocol used to exchange routing information across autonomous systems on the internet². BGP can be used to automatically select the best path for internet traffic based on the availability and performance of the ISPs².

The other options are not necessarily correct for this specific task:
- B. Redundant interfaces: While redundant interfaces can provide a level of fault tolerance, they do not directly address the requirement of maintaining internet access if one of the ISPs goes down.
- C. EtherChannel interfaces: EtherChannel is a port link aggregation technology that allows the grouping of several physical Ethernet links to create one logical Ethernet link for the purpose of providing fault-tolerance and high-speed links between switches, routers, and servers³. However, it does not directly address the requirement of maintaining internet access if one of the ISPs goes down.
- D. SLA Monitor: Service Level Agreement (SLA) Monitor is a feature that allows you to monitor the performance of network services and generate alerts when performance thresholds are breached. While it can be used to monitor the performance of the ISPs, it does not directly address the requirement of maintaining internet access if one of the ISPs goes down.

Source: Conversation with Bing, 12/10/2023
(1) Cisco Firepower Threat Defense Configuration Guide for Firepower Device …. https://www.cisco.com/c/en/us/td/docs/security/firepower/710/fdm/fptd-fdm-config-guide-710/fptd-fdm-ha.html.
(2) Firepower Management Center Configuration Guide, Version 6.1 - High …. https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/firepower_threat_defense_high_availability.html.
(3) Managing Firewall Threat Defense with Cloud-delivered Firewall … - Cisco. https://www.cisco.com/c/en/us/td/docs/security/cdo/cloud-delivered-firewall-management-center-in-cdo/managing-firewall-threat-defense-services-with-cisco-defense-orchestrator/m_device-ops-ha.html.

Question 42

A network engineer is planning on replacing an Active/Standby pair of physical Cisco Secure Firewall ASAs with a pair of Cisco Secure Firewall Threat Defense Virtual appliances. Which two virtual environments support the current High Availability configuration? (Choose two.)

A. ESXi
B. Azure
C. Openstack
D. KVM
E. AWS

Answer 42

The two virtual environments that support the current High Availability configuration for Cisco Secure Firewall Threat Defense Virtual appliances are:

Both agree

A. ESXi
VMware ESXi is a bare-metal hypervisor that installs directly onto your physical server. With direct access to and control of underlying resources, ESXi is more efficient than hosted architectures and can effectively partition hardware to increase consolidation ratios and cut costs⁵.

D. KVM
Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on x86 hardware containing virtualization extensions (Intel VT or AMD-V). It consists of a loadable kernel module, kvm.ko, that provides the core virtualization infrastructure and a processor-specific module, kvm-intel.ko or kvm-amd.ko⁵.

The other options, while they might support Cisco Secure Firewall Threat Defense Virtual appliances, they do not support the current High Availability configuration:
- B. Azure: While Cisco Secure Firewall Threat Defense Virtual can be deployed on Azure², the High Availability configuration is not supported in the Azure environment⁴.
- C. Openstack: There’s no mention of Openstack supporting the current High Availability configuration in the search results.
- E. AWS: There’s no mention of AWS supporting the current High Availability configuration in the search results.

Source: Conversation with Bing, 12/10/2023
(1) Threat Defense Virtual (formerly FTDv/NGFWv) Data Sheet - Cisco. https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/threat-defense-virtual-ngfwv-ds.html.
(2) Cisco Secure Firewall Threat Defense Virtual Getting Started Guide …. https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-azure-gsg.html.
(3) FMC (Virtual) and FTD deployement with High Availability. https://community.cisco.com/t5/network-security/fmc-virtual-and-ftd-deployement-with-high-availability/td-p/3701529.
(4) Cisco Secure Firewall Device Manager Configuration Guide, Version 7.3. https://www.cisco.com/c/en/us/td/docs/security/firepower/730/fdm/fptd-fdm-config-guide-730/fptd-fdm-get-started.html.
(5) High Availability and Scalability Design and Deployment of Cisco …. https://community.cisco.com/t5/security-knowledge-base/high-availability-and-scalability-design-and-deployment-of-cisco/ta-p/4109439.
(6) undefined. https://azure.microsoft.com/en-us/.
(7) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html.

Question 43

A company is deploying AMP private cloud. The AMP private cloud instance has already been deployed by the server administrator. The server administrator provided the hostname of the private cloud instance to the network engineer via email. What additional information does the network engineer require from the server administrator to be able to make the connection to the AMP private cloud in Cisco FMC?

A. SSL certificate for the AMP private cloud instance
B. Username and password to the AMP private cloud instance
C. IP address and port number for the connection proxy
D. Internet access for the AMP private cloud to reach the AMP public cloud

Answer 43

The additional information the network engineer requires from the server administrator to be able to make the connection to the AMP private cloud in Cisco FMC is A. SSL certificate for the AMP private cloud instance³.

A. SSL certificate for the AMP private cloud instance

When integrating the AMP private cloud with the Cisco Firepower Management Center (FMC), the SSL certificate for the AMP private cloud instance is required³. This certificate is used to establish a secure connection between the FMC and the AMP private cloud instance³.

The other options are not necessarily correct:
- B. Username and password to the AMP private cloud instance: While these credentials might be needed for logging into the AMP private cloud instance directly, they are not required for the connection from the FMC to the AMP private cloud.
- C. IP address and port number for the connection proxy: These details might be needed in some network configurations, but they are not specifically required for the connection from the FMC to the AMP private cloud.
- D. Internet access for the AMP private cloud to reach the AMP public cloud: This is not necessary as the AMP private cloud is a standalone deployment that does not need to reach the AMP public cloud.

Source: Conversation with Bing, 12/10/2023
(1) How to integrated FMC with AMP private Cloud - Cisco Community. https://community.cisco.com/t5/endpoint-security/how-to-integrated-fmc-with-amp-private-cloud/td-p/3760236.
(2) Firepower Management Center Configuration Guide, Version 6.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reference_a_wrapper_Chapter_topic_here.html.
(3) Integrating AMP for Endpoints with FMC for data feed. - Cisco. https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/214259-integrating-amp-for-endpoints-with-fmc-f.html.
(4) Integration of AMP Virtual Private Cloud and Threat Grid Appliance - Cisco. https://www.cisco.com/c/en/us/support/docs/security/amp-virtual-private-cloud-appliance/217209-integration-of-amp-virtual-private-cloud.html.

Question 44

A security engineer is deploying Cisco Secure Endpoint to detect a zero day malware attack with an SHA-256 hash of 47ea931f3e9dc23ec0b0885a80663e30ea013d493f8e88224b570a0464084628. What must be configured in Cisco Secure Endpoint to enable the application to take action based on this hash?

A. access control rule
B. correlation policy
C. transform set
D. custom detection list

Answer 44

The correct answer is D. custom detection list³.

Both agree

In Cisco Secure Endpoint, a custom detection list can be configured to take action based on specific file hashes³. This list can include the SHA-256 hash of the zero-day malware attack, allowing the application to detect and take appropriate action when it encounters a file with this hash³.

The other options are not necessarily correct for this specific task:
- A. access control rule: While access control rules are used in network security to control which users or systems can access resources in a network, they are not used in Cisco Secure Endpoint to take action based on a specific file hash.
- B. correlation policy: Correlation policies are used to define the conditions under which an event is generated, but they do not enable the application to take action based on a specific file hash.
- C. transform set: A transform set is a concept in IPsec VPN configurations and is not relevant to detecting malware based on a file hash in Cisco Secure Endpoint.

Source: Conversation with Bing, 12/10/2023
(1) Solved: Steps for blocking Sha-256 on FMC - Cisco Community. https://community.cisco.com/t5/network-security/steps-for-blocking-sha-256-on-fmc/td-p/4045940.
(2) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/network-malware-protection.html.
(3) Cisco Secure Firewall Management Center Administration Guide, 7.3. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/730/management-center-admin-73/events-file-malware.html.
(4) Troubleshoot False Positive File Analysis Events in Cisco Secure Endpoint. https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215993-troubleshoot-false-positive-file-analysi.html.
(5) Configure a Simple Custom Detection List on the AMP for … - Cisco. https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215176-configure-a-simple-custom-detection-list.html.

Question 45

A security engineer must create a malware and file policy on a Cisco Secure Firewall Threat Defense device. The solution must ensure that PDF, DOCX, and XLSX files are not sent to Cisco Secure Malware Analytics. What must be configured to meet the requirements?

A. Spero analysis
B. local malware analysis
C. capacity handling
D. dynamic analysis

Answer 45

The correct answer is B. local malware analysis³.

Both agree

Local malware analysis allows a managed device to locally inspect executables, PDFs, office documents, and other types of files for the most common types of malware, using a detection rule set provided by the Talos Intelligence Group. Because local analysis does not query the AMP cloud, and does not run the file, local malware analysis saves time and system resources.

Local malware analysis is a feature of Cisco Secure Firewall Threat Defense that allows the device to analyze files locally without sending them to Cisco Secure Malware Analytics³. This can be used to ensure that PDF, DOCX, and XLSX files are not sent to Cisco Secure Malware Analytics³.

The other options are not necessarily correct for this specific task:
- A. Spero analysis: Spero is a machine learning-based analysis engine used by Cisco Secure Malware Analytics to identify malicious files. However, it does not control whether files are sent to Cisco Secure Malware Analytics.
- C. capacity handling: This refers to the device’s ability to handle large volumes of network traffic, but it does not control whether files are sent to Cisco Secure Malware Analytics.
- D. dynamic analysis: This is a type of malware analysis that observes the behavior of a file when it is executed in a controlled environment. However, it does not control whether files are sent to Cisco Secure Malware Analytics.

Source: Conversation with Bing, 12/10/2023
(1) Malware and File Policy - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/malware-and-file-policy.
(2) Cisco Secure Firewall Threat Defense Hardening Guide, Version 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/hardening/threat_defense/Threat_Defense_Hardening_Guide_v72.html.
(3) Secure Firewall Threat Defense 7.3 Documentation - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/landing-page/threat-defense/threatdefense-73-docs.html.
(4) Cisco Secure Firewall Threat Defense Syslog Messages. https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/about.html.

Question 46

Encrypted Visibility Engine (EVE) is enabled under which tab on an access control policy in Cisco Secure Firewall Management Center?

A. Network Analysis Policy
B. SSL
C. Advanced
D. Security Intelligence

Answer 46

The Encrypted Visibility Engine (EVE) is enabled under the C. Advanced tab on an access control policy in Cisco Secure Firewall Management Center⁵.

Both agree

Source: Conversation with Bing, 12/10/2023
(1) Cisco Secure Firewall Management Center Snort 3 Configuration Guide …. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/snort/720/snort3-configuration-guide-v72/m_encrypted-visibility-engine.html.
(2) Encrypted Visibility Engine - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/encrypted-visibility-engine.
(3) Cisco Secure Firewall Management Center Device Configuration Guide, 7.3. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/access-policies.html.
(4) Encrypted Visibility Engine - Cisco Secure Firewall. https://bing.com/search?q=Encrypted+Visibility+Engine+%28EVE%29+tab+in+access+control+policy+in+Cisco+Secure+Firewall+Management+Center.
(5) Encrypted Visibility Engine - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/v7.3/docs/encrypted-visibility-engine-73.

Question 47

An engineer is configuring a Cisco Secure Firewall Threat Defense device managed by Cisco Secure Firewall Management Center. The device must have SSH enabled and be accessible from the inside interface for remote administration. Which type of policy must the engineer configure to accomplish this?

A. platform settings
B. access control
C. prefilter
D. identity

Answer 47

B. Access Control

To enable SSH on a Cisco Secure Firewall Threat Defense device managed by Cisco Secure Firewall Management Center and make it accessible from the inside interface for remote administration, the engineer must configure an access control policy ². The access control policy must allow traffic from the inside to outside and enable SSH on the manager access interface ¹.

Option A is incorrect because platform settings are used to configure system-wide settings such as time, DNS, and SNMP ⁴.

Option C is incorrect because prefilter policies are used to filter traffic before it is processed by the access control policy ³.

Option D is incorrect because identity policies are used to identify users and endpoints and enforce access control based on user identity ⁵.

Source: Conversation with Bing, 12/24/2023
(1) Cisco Firepower Threat Defense Configuration Guide for Firepower Device …. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-get-started.html.
(2) Cisco Secure Firewall 4200 Getting Started Guide. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/getting-started/4200/secure-firewall-4200-gsg/fmc-remote.html.
(3) Configure SSH on Routers and Switches - Cisco. https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html.
(4) Cisco Secure Firewall Threat Defense Virtual Getting Started Guide …. https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/threat-defense-virtual-74-gsg/m_managing_ftdv_with_fdm.html.
(5) Lesson 11: Implementing Secure Network Protocols Flashcards. https://quizlet.com/714485003/lesson-11-implementing-secure-network-protocols-flash-cards/.
(6) Secure Shell Version 2 Support - Cisco. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/xe-16/sec-usr-ssh-xe-16-book/sec-secure-shell-v2.html.

Question 48

What is the result when two users modify a VPN policy at the same time on a Cisco Secure Firewall Management Center managed device?

A. Both users can edit the policy and the last saved configuration persists.
B. The changes from both users will be merged together into the policy.
C. The first user locks the configuration when selecting edit on the policy.
D. The system prevents modifications to the policy by multiple users.

Answer 48

The correct answer is A. Both users can edit the policy and the last saved configuration persists¹.

Both agree

In the Cisco Secure Firewall Management Center, two users must not edit a remote access VPN policy at the same time; however, the web interface does not prevent simultaneous editing. If this occurs, the last saved configuration persists¹. The other options are not accurate in this context.

Source: Conversation with Bing, 12/10/2023
(1) Cisco Secure Firewall Management Center Device Configuration Guide, 7.4. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-remote-access.html.
(2) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2 …. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/get-started-device-management.html.
(3) Cisco Secure Firewall Management Center Device Configuration Guide, 7.3 …. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/vpn-s2s.html.
(4) Policy-Based Routing with Path Monitoring - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/policy-based-routing-with-path-monitoring.
(5) Access Control Policy - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/access-control-policy.

Question 49

A network administrator is configuring a BVI interface on a routed FTD. The administrator wants to isolate traffic on the interfaces connected to the bridge group and not have the FTD route this traffic using the routing table. What must be configured?

A. A new VRF must be created for the BVI interface
B. An IP address must be configured on the BVI
C. IP routing must be removed from the physical interfaces connected to the BVI
D. The BVI interface must be configured for transparent mode

Answer 49

D. The BVI interface must be configured for transparent mode

To isolate traffic on the interfaces connected to the bridge group and not have the FTD route this traffic using the routing table, the BVI interface must be configured for transparent mode ¹. In transparent mode, the FTD does not route traffic between interfaces in the same bridge group. Instead, the traffic is bridged between the interfaces ¹. Therefore, option D is the correct answer.

Option A is incorrect because creating a new VRF is not necessary to isolate traffic on the interfaces connected to the bridge group.

Option B is incorrect because configuring an IP address on the BVI interface is required to enable communication between the bridge group and routed interfaces ¹.

Option C is incorrect because removing IP routing from the physical interfaces connected to the BVI would prevent communication between the bridge group and routed interfaces ¹.

Source: Conversation with Bing, 12/23/2023
(1) Cisco Firepower Threat Defense Configuration Guide for Firepower Device …. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-interfaces.html.
(2) Firepower Management Center Configuration Guide, Version 6.4 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html.
(3) Cisco Content Hub - Integrated Routing and Bridging. https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/iosxr/cisco8000/l2vpn/73x/b-l2vpn-cg-cisco8000-73x/m-configure-irb.html.xml.
(4) Cisco Content Hub - Integrated Routing and Bridging. https://content.cisco.com/chapter.sjs?uri=%2Fsearchable%2Fchapter%2Fcontent%2Fen%2Fus%2Ftd%2Fdocs%2Fiosxr%2Fncs5xx%2Finterfaces%2F65x%2Fb-interfaces-hardware-component-cg-65x-ncs540%2Fcg_65_integrated_routing_and_bridging.html.xml&platform=Cisco%20Network%20Convergence%20System%20540%20Series%20Routers&release=IOS%20XR%206.5.x.
(5) Firepower Management Center Device Configuration Guide, 7.1. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/routing-static.html.

Question 50

Which file format can standard reports from Cisco Secure Firewall Management Center be downloaded in?

A. doc
B. ppt
C. csv
D. xls

Answer 50

The correct answer is C. csv. According to the web search results, the Cisco Secure Firewall Management Center can generate standard reports in PDF, HTML, or CSV formats¹. CSV stands for comma-separated values, and it is a file format that stores tabular data in plain text. CSV files can be opened and edited by spreadsheet applications such as Microsoft Excel or Google Sheets.

Both agree

Source: Conversation with Bing, 12/10/2023
(1) Firepower Management Center Administration Guide, 7.1 - Reports [Cisco …. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/710/management-center-admin-71/report-reports.html.
(2) Cisco Secure Firewall Management Center Administration Guide, 7.3. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/730/management-center-admin-73/get-started-overview.html.
(3) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/threat-intelligence-director.html.
(4) Cisco Secure Firewall - داده پرداز سپهر آسیا. https://dp-sepehr.ir/wp-content/uploads/2021/05/datasheet-c78-736775.pdf.
(5) undefined. http://www.cisco.com/go/firepower-mc-install.
(6) undefined. http://stixproject.github.io/documentation/suggested-practices/.

Question 51

Remote users who connect via Cisco Secure Client to the corporate network behind a Cisco Secure Firewall Threat Defense device are reporting no audio on calls when calling between remote users using their softphones. These same users can call internal users on the corporate network without any issues. What is the cause of this issue?

A. The hairpinning feature is not available on Cisco Secure Firewall Threat Defense
B. Cisco Secure Firewall Threat Defense needs a NAT policy that allows outside to outside communication
C. The Enable Spoke to Spoke Connectivity through Hub option is not selected on Cisco Secure Firewall Threat Defense
D. Split tunneling is enabled for the Remote Access VPN on Cisco Secure Firewall Threat Defense

Answer 51

The correct answer is B. Cisco Secure Firewall Threat Defense needs a NAT policy that allows outside to outside communication¹²³.

A - Exam Topics
B - AI

When remote users connect via Cisco Secure Client to the corporate network behind a Cisco Secure Firewall Threat Defense device and use their softphones to call each other, the audio traffic is routed from one remote user to another through the corporate network¹²³. This is often referred to as “hairpinning” or “U-turning” because the traffic enters and exits through the same interface of the firewall¹²³.

To allow this type of communication, a Network Address Translation (NAT) policy that allows “outside to outside” communication needs to be configured on the Cisco Secure Firewall Threat Defense device¹²³. This policy translates the source IP address of the audio traffic to the public IP address of the firewall, making it appear as if the traffic is coming from the firewall itself¹²³. This allows the audio traffic to be routed back to the other remote user¹²³.

The other options are not necessarily correct:
- A. The hairpinning feature is not available on Cisco Secure Firewall Threat Defense: Hairpinning is supported on Cisco Secure Firewall Threat Defense devices¹²³.
- C. The Enable Spoke to Spoke Connectivity through Hub option is not selected on Cisco Secure Firewall Threat Defense: This option is related to VPN configurations and is not directly related to the issue described.
- D. Split tunneling is enabled for the Remote Access VPN on Cisco Secure Firewall Threat Defense: Split tunneling allows a remote VPN user to access a public network, most commonly the Internet, at the same time that the user is allowed to access resources on the VPN. This is not directly related to the issue described.

Source: Conversation with Bing, 12/10/2023
(1) Solved: No audio on voice calls over VPN softphone to/from remote site …. https://community.cisco.com/t5/ip-telephony-and-phones/no-audio-on-voice-calls-over-vpn-softphone-to-from-remote-site/td-p/2224430.
(2) How to troubleshoot one-way / no audio issues - Cisco Community. https://community.cisco.com/t5/collaboration-knowledge-base/how-to-troubleshoot-one-way-no-audio-issues/ta-p/3164442.
(3) Solved: No audio at remote sites - Cisco Community. https://community.cisco.com/t5/ip-telephony-and-phones/no-audio-at-remote-sites/td-p/2372311.

Question 52

An administrator is configuring the interface of a Cisco Secure Firewall Threat Defense firewall device in a passive IPS deployment. The device and interface have been identified. Which set of configuration steps must the administrator perform next to complete the implementation?

A. Set the interface mode to passive. Associate the interface with a security zone. Enable the interface. Set the MTU parameter.
B. Modify the interface to retransmit received traffic. Associate the interface with a security zone Set the MTU parameter
C. Set the interface mode to passive. Associate the interface with a security zone. Set the MTU parameter. Reset the interface.
D. Modify the interface to retransmit received traffic. Associate the interface with a security zone. Enable the interface. Set the MTU parameter.

Answer 52

The correct answer is A. Set the interface mode to passive. Associate the interface with a security zone. Enable the interface. Set the MTU parameter¹.

Both agree

In a passive IPS deployment, the Firepower System monitors traffic flowing across a network using a switch SPAN (or mirror) port¹. This provides the system visibility within the network without being in the flow of network traffic¹. When configured in a passive deployment, the system cannot take certain actions such as blocking or shaping traffic¹. Passive interfaces receive all traffic unconditionally, and no traffic received on these interfaces is retransmitted¹.

When you enable a passive interface to monitor traffic, you designate mode and MDI/MDIX settings, which are available only for copper interfaces¹. When you disable a passive interface, users can no longer access it for security purposes¹. The range of MTU values can vary depending on the model of the managed device and the interface type¹. Changing the highest MTU value among all non-management interfaces on the device restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection¹. Inspection is interrupted on all non-management interfaces, not just the interface you modified¹.

Source: Conversation with Bing, 12/10/2023
(1) Firepower Management Center Configuration Guide, Version 6.5. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/ips_device_deployments_and_configuration.html.
(2) Cisco Secure Firewall Device Manager Configuration Guide, Version 7.3. https://www.cisco.com/c/en/us/td/docs/security/firepower/730/fdm/fptd-fdm-config-guide-730/fptd-fdm-get-started.html.
(3) Fundamentals of Cisco Firewall Threat Defense and Intrusion Prevention …. https://learningnetworkstore.cisco.com/on-demand-e-learning/fundamentals-of-cisco-firewall-threat-defense-and-intrusion-prevention-sfwipf-v1.0/CSCU-LP-SFWIPF-V1-028125.html.
(4) Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting …. https://community.cisco.com/t5/security-knowledge-base/self-paced-learning-for-cisco-firepower-ngfw-ngips-amp-with/ta-p/3306922.
(5) High Availability and Scalability Design and Deployment of Cisco …. https://community.cisco.com/t5/security-knowledge-base/high-availability-and-scalability-design-and-deployment-of-cisco/ta-p/4109439.

Question 53

Which two statements are valid regarding the licensing model used on Cisco Secure Firewall Threat Defense Virtual appliances? (Choose two.)

A. All licenses support a maximum of 250 VPN peers
B. All licenses support up to 16 vCPUs
C. All licenses require 500G of available storage for the VM
D. Licenses can be used on both physical and virtual appliances
E. Licenses can be used on any supported cloud platform

Answer 53

D. Licenses can be used on both physical and virtual appliances
E. Licenses can be used on any supported cloud platform

Regarding the licensing model used on Cisco Secure Firewall Threat Defense Virtual appliances, the following statements are valid:

• Licenses can be used on both physical and virtual appliances ⁵.
• Licenses can be used on any supported cloud platform ¹.

Option A is incorrect because all licenses do not support a maximum of 250 VPN peers.

Option B is incorrect because all licenses do not support up to 16 vCPUs.

Option C is incorrect because all licenses do not require 500G of available storage for the VM.

Let me know if you have any other questions!

Source: Conversation with Bing, 12/24/2023
(1) Cisco Security Licensing Guide - Cisco Community. https://community.cisco.com/t5/security-knowledge-base/cisco-security-licensing-guide/ta-p/4445140.
(2) Threat Defense Virtual (formerly FTDv/NGFWv) Data Sheet - Cisco. https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/threat-defense-virtual-ngfwv-ds.html.
(3) Cisco Secure Firewall Threat Defense Virtual Getting Started Guide …. https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m_ftdv_aws_gsg.html.
(4) Cisco Secure Firewall Device Manager Configuration Guide, Version 7.4. https://www.cisco.com/c/en/us/td/docs/security/firepower/740/fdm/fptd-fdm-config-guide-740/fptd-fdm-license.html.
(5) Secure and Save with Cisco Secure Firewall Threat Defense Virtual. https://blogs.cisco.com/security/secure-and-save-with-cisco-secure-firewall-threat-defense-virtual.
(6) Cloud-delivered Firewall Management Center - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/docs/cloud-delivered-firewall-management-center.
(7) undefined. https://www.cisco.com/c/dam/en/us/products/collateral/security/fireamp-endpoints/guide-c07-740737.pdf.
(8) undefined. https://www.cisco.com/c/en/us/products/collateral/security/amp-threat-grid-cloud/guide-c07-733608.html.
(9) undefined. https://umbrella.cisco.com/products/umbrella-enterprise-security-packages.
(10) undefined. https://www.cisco.com/c/dam/en/us/products/se/2018/2/Collateral/umbrella-edu-package.pdf.
(11) undefined. https://www.cisco.com/c/en/us/products/collateral/security/guide-c07-742970.html.

Question 54

A company is deploying Cisco Secure Firewall Threat Defense with IPS. What must be implemented in inline mode to pass the traffic without inspection during spikes and ensure that network traffic is kept?

A. Change the interface mode to Routed
B. Select Propagate Link State
C. Increase the MTU to 9000
D. Set the Snort Failsafe option

Answer 54

The correct answer is D. Set the Snort Failsafe option³⁴.

For inline sets other than those in tap mode, you can use the Snort Fail Open option to either drop traffic or allow traffic to pass without inspection when the Snort process is busy or down³⁴. This ensures that network traffic is kept even during spikes³⁴.

Both agree

The other options are not necessarily correct for this specific task:
- A. Change the interface mode to Routed: This would change the mode of operation of the device, but it would not specifically allow traffic to pass without inspection during spikes.
- B. Select Propagate Link State: This option is not directly related to allowing traffic to pass without inspection during spikes.
- C. Increase the MTU to 9000: While increasing the Maximum Transmission Unit (MTU) can improve network performance, it does not specifically allow traffic to pass without inspection during spikes.

Source: Conversation with Bing, 12/10/2023
(1) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-ifcs-ips.html.
(2) Firepower Management Center Configuration Guide, Version 7.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html.
(3) Firepower Management Center Configuration Guide, Version 6.5. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/ips_device_deployments_and_configuration.html.
(4) Firepower Threat Defense - brdige or inline? - Cisco Community. https://community.cisco.com/t5/network-security/firepower-threat-defense-brdige-or-inline/td-p/4177794.
(5) Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting …. https://community.cisco.com/t5/security-knowledge-base/self-paced-learning-for-cisco-firepower-ngfw-ngips-amp-with/ta-p/3306922.
(6) undefined. https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html.
(7) undefined. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuring-firepower-threat-defense-int.html.

Question 55

A Cisco Secure Firewall Threat Defense device is configured in inline IPS mode to inspect all traffic that passes through the interfaces in the inline set. Which setting in the inline set configuration must be selected to allow traffic to pass through uninterrupted when VDB updates are being applied?

A. Tap Mode
B. Strict TCP Enforcement
C. Propagate Link State
D. Snort Fail Open

Answer 55

The correct answer is D. Snort Fail Open³.

Both agree

For inline sets other than those in tap mode, you can use the Snort Fail Open option to either drop traffic or allow traffic to pass without inspection when the Snort process is busy or down³. This ensures that network traffic is kept even during spikes³.

Source: Conversation with Bing, 12/10/2023
(1) Firepower Management Center Configuration Guide, Version 6.3. https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html.
(2) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-ifcs-ips.html.
(3) Cisco Secure Firewall Threat Defense Hardening Guide, Version 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/hardening/threat_defense/Threat_Defense_Hardening_Guide_v72.html.
(4) Firepower Management Center Configuration Guide, Version 6.5 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/ips_device_deployments_and_configuration.html.

Question 56

Which two features can be used with Cisco Secure Firewall Threat Defense remote access VPN? (Choose two.)

A. enable Duo two-factor authentication using LDAPS
B. support for Cisco Secure Firewall 4100 Series in cluster mode
C. SSL remote access VPN supports port sharing with other Cisco FTD features using SSL port 443
D. use of license utilization for zero-touch network deployment
E. support for Rapid Threat Containment using RADIUS dynamic authorization

Answer 56

The two features that can be used with Cisco Secure Firewall Threat Defense remote access VPN are:

A and C

Both agree

The following two features can be used with Cisco Secure Firewall Threat Defense remote access VPN:

• SSL remote access VPN supports port sharing with other Cisco FTD features using SSL port 443 ¹.
• Enable Duo two-factor authentication using LDAPS ¹.

Option B is incorrect because support for Cisco Secure Firewall 4100 Series in cluster mode is not a feature of Cisco Secure Firewall Threat Defense remote access VPN.

Option D is incorrect because the use of license utilization for zero-touch network deployment is not a feature of Cisco Secure Firewall Threat Defense remote access VPN.

Option E is incorrect because support for Rapid Threat Containment using RADIUS dynamic authorization is not a feature of Cisco Secure Firewall Threat Defense remote access VPN.

Let me know if you have any other questions!

Source: Conversation with Bing, 12/26/2023
(1) Cisco Secure Firewall Management Center Device Configuration Guide, 7.4. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-remote-access.html.
(2) Cisco Secure Firewall Threat Defense Dynamic Access Policy Use Cases. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/ftd_dap_usecases.html.
(3) Cisco Secure Firewall ASA to Threat Defense Feature Mapping. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/migration/asa-to-threat-defense-feature-mapping/asa-to-threat-defense-feature-mapping/vpn.html.

Question 57

Which rule action is only available in Snort 3?

A. Pass
B. Generate
C. Alert
D. Rewrite

Answer 57

D. Rewrite
YouTube video explains at 5:45
https://youtu.be/E7cHQBCM9Bc

Question 58

A company is deploying a Cisco Secure IPS device configured in inline mode with a single Interface set that contains four interface pairs. Which two configurations must be implemented to allow the IPS device to uniquely identify packet flows and prevent the reporting of duplicate traffic and false positives? (Choose two.)

A. Set the source SPAN ports to tx only on the switches connected to the IPS interfaces
B. Modify the security zones used by the Cisco Secure IPS device
C. Change the MTU for the inline set to at least 1518
D. Reconfigure access rules to drop all but the first occurrence of the packet
E. Reassign the interface pairs to separate inline sets

Answer 58

The two configurations that must be implemented to allow the IPS device to uniquely identify packet flows and prevent the reporting of duplicate traffic and false positives are:

Both agree

A. Set the source SPAN ports to tx only on the switches connected to the IPS interfaces
Setting the source SPAN (Switched Port Analyzer) ports to transmit (tx) only on the switches connected to the IPS interfaces can help prevent the reporting of duplicate traffic².

E. Reassign the interface pairs to separate inline sets
If you assign multiple interface pairs to a single inline interface set but you experience issues with duplicate traffic, reconfiguring to help the system uniquely identify packets could be beneficial. For example, you could reassign your interface pairs to separate inline sets².

Source: Conversation with Bing, 12/10/2023
(1) Firepower Management Center Configuration Guide, Version 6.5 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/ips_device_deployments_and_configuration.html.
(2) Firepower Management Center Device Configuration Guide, 7.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/interfaces-settings-ifcs-ips.html.
(3) User Guide for Cisco Security Manager 4.27. https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/427/user/csm-user-guide-427/chapter37-managing-ips-device-interface.html.
(4) Basic Configuration Of IPS Inline Mode - Cisco Learning Network. https://learningnetwork.cisco.com/s/question/0D53i00000KssZxCAJ/basic-configuration-of-ips-inline-mode.

Question 59

Cisco SecureX is classified as which type of threat detection and response solution?

A. MDR
B. EDR
C. XDR
D. NDR

Answer 59

Cisco SecureX is classified as an C. XDR (Extended Detection and Response) solution³. XDR is a security technology that automatically collects and correlates data from multiple security layers – endpoint, network, and cloud – to improve threat detection and provide incident response capabilities³. This approach enables a more comprehensive and integrated view of the threat landscape within an organization’s IT infrastructure³.

Both agree

Source: Conversation with Bing, 12/10/2023
(1) Managed Detection and Response for Cisco Secure Endpoint. https://www.cisco.com/c/dam/en/us/products/collateral/security/mdr-for-cisco-secure-endpoint.pdf.
(2) Cisco SecureX threat response Data Sheet - Cisco. https://www.cisco.com/c/en/us/products/collateral/security/datasheet-c78-743307.html.
(3) About Cisco SecureX Threat Response. https://docs.securex.security.cisco.com/Threat-Response-Help/Content/about-threat-response.html.
(4) undefined. https://www.cisco.com/c/en/us/products/security/threat-response.html.

Question 60

An administrator configures new threat intelligence sources and must validate that the feeds are being downloaded and that the intelligence is being used within the Cisco Secure Firewall system. Which action accomplishes the task?

A. Look at the connection security intelligence events
B. Use the source status indicator to validate the usage
C. View the threat intelligence observables to see the downloaded data
D. Look at the access control policy to validate that the intelligence is being used

Answer 60

C) is correct because it verified the download worked and verifies it was published

The correct answer is C. View the threat intelligence observables to see the downloaded data. This is the answer given by the web page in the edge browser, and it is also supported by the official Cisco documentation . Viewing the threat intelligence observables allows the administrator to verify that the threat intelligence feeds are being downloaded and used within the Cisco Secure Firewall system . The other options are not necessarily correct for this specific task:

• A. Look at the connection security intelligence events: While this can provide information about security intelligence events, it does not specifically validate that the threat intelligence feeds are being downloaded and used.
• B. Use the source status indicator to validate the usage: The source status indicator can provide information about the status of the threat intelligence sources, but it does not specifically validate that the feeds are being downloaded and used.
• D. Look at the access control policy to validate that the intelligence is being used: The access control policy controls how the device handles traffic on your network, but it does not specifically validate that the threat intelligence feeds are being downloaded and used.

: Verifying Security Intelligence Feed on Cisco Secure Firewall. https://community.cisco.com/t5/security-knowledge-base/verifying-security-intelligence-feed-on-cisco-secure-firewall/ta-p/4527523.
: Cisco Secure Firewall Management Center Device Configuration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/threat-intelligence-director.html.

Question 61

Cisco Security Analytics and Logging SaaS licenses come with how many days of data retention by default?

A. 60
B. 90
C. 120
D. 365

Answer 61

Cisco Security Analytics and Logging (SaaS) licenses come with 90 days of data retention by default⁴³. So, the correct answer is B. 90.

Both agree

Source: Conversation with Bing, 12/10/2023
(1) Cisco Secure Analytics and Logging Trial. https://info.securexanalytics.com/sal-trial.html.
(2) WHITEPAPER - Firepower Threat Defense Cloud … - Cisco Community. https://community.cisco.com/t5/security-knowledge-base/whitepaper-firepower-threat-defense-cloud-management-with/ta-p/3991368.
(3) Cisco Security Analytics and Logging Ordering Guide - Cisco. https://www.cisco.com/c/en/us/products/collateral/security/security-analytics-logging/guide-c07-742707.html.
(4) Integrating Cisco ASA and Cisco Security Analytics and Logging (SaaS …. https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/all_releases/sal-asa-integration/cisco-asa-and-cisco-security-analytics-and-logging-csm-integration-guide.html.
(5) Cisco Security Analytics and Logging (On Premises) v2.0 and v3.0 …. https://www.cisco.com/c/en/us/td/docs/security/sal-on-prem/integration/deployment_guide/csal_op_for_fmc_7_0_deploy_guide/m_csal_op_deploy_steps.html.

Question 62

An external vendor is reporting that they are unable to access an ordering website hosted behind a Cisco Secure Firewall Threat Defense device. The administrator of the device wants to verify that the access policy and NAT policy are configured correctly to allow traffic from the public IP of the external vendor to TCP port 443 on the web server. Which two Cisco Secure Firewall Management Center tools must the administrator use to verify which rules the traffic from the external vendor is matching? (Choose two.)

A. Packet Capture
B. Generate Troubleshooting File
C. Threat Defense CLI
D. File Download
E. Packet Tracer

Answer 62

To verify which rules the traffic from the external vendor is matching, the administrator can use the following two Cisco Secure Firewall Management Center tools:

Both agree

1. Packet Tracer: This tool can be used to simulate traffic through the firewall and see which access and NAT rules are being hit.
2. Packet Capture: This tool can be used to capture actual packets flowing through the firewall. By analyzing these packets, the administrator can determine if they are being allowed or denied as expected.

So, the correct answers are A. Packet Capture and E. Packet Tracer. Please note that while the CLI (Command Line Interface) can also be used for troubleshooting, it’s not a tool within the Cisco Secure Firewall Management Center, so option C is not correct in this context. Similarly, options B and D are not relevant tools for this specific task.

Source: Conversation with Bing, 12/10/2023
(1) Firepower Management Center Configuration Guide, Version 6.0.1 - NAT …. https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/NAT_Policy_Management.html.
(2) Firepower Management Center Device Configuration Guide, 7.1. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/vpn-remote-access.html.
(3) Troubleshoot ASA using CLI commands - Cisco. https://edge.us.cdo.cisco.com/content/docs/c_troubleshoot-asa-using-cli-commands.html.
(4) Firepower Management Center Administration Guide, 7.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/710/management-center-admin-71/tools-import-export.html.
(5) Cisco Secure Firewall Management Center Device Configuration Guide, 7.2. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/access-service-policies.html.

Question 63

An organization created a custom application that is being flagged by Cisco Secure Endpoint. The application must be exempt from being flagged. What is the process to meet the requirement?

A. Configure the custom application to use the information-store paths.
B. Add the custom application to the DFC list and update the policy.
C. Precalculate the hash value of the custom application and add it to the allowed applications.
D. Modify the custom detection list to exclude the custom application.

Answer 63

To exempt a custom application from being flagged by Cisco Secure Endpoint, you can add the application to the exclusion list. Here’s the process:

C - Exam Topics
D - AI

1. Find the Exclusion Set you wish to modify³.
2. Click Add Exclusion and select Process³.
3. Enter the absolute path for the program to exclude, the User account that runs the program (optional), and whether the exclusion must apply to all child processes created by the program³.

So, the correct answer is D. Modify the custom detection list to exclude the custom application. Please note that this process requires access to the Secure Endpoint console². It’s also important to ensure that Cisco Maintained exclusions are in place as well⁴.

Source: Conversation with Bing, 12/10/2023
(1) Configure Secure Endpoint Process Exclusions on MacOS and Linux - Cisco. https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/214656-amp-for-endpoints-process-exclusions-in.html.
(2) Cisco Secure Endpoint (AMP) - Creating Exclusions & Allowed Applications. https://kb.wisc.edu/security/page.php?id=89648.
(3) AMSI Deleted for Windows Defender/Security - Cisco Community. https://community.cisco.com/t5/endpoint-security/amsi-deleted-for-windows-defender-security/td-p/4818883.
(4) Cisco Secure Endpoint Exclusions - How do they work?. https://community.cisco.com/t5/endpoint-security/cisco-secure-endpoint-exclusions-how-do-they-work/td-p/4662339.
(5) undefined. https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215418-configure-and-manage-exclusions-in-cisco.html.
(6) undefined. https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/213681-best-practices-for-amp-for-endpoint-excl.html.
(7) undefined. https://community.cisco.com/t5/security-knowledge-base/cisco-endpoint-security-ask-the-experts-resources/ta-p/4394492.

Question 64

An engineer is configuring a new dashboard within Cisco Secure Firewall Management Center and is having trouble implementing a custom widget. When a custom analysis widget is configured, which option is mandatory for the system to display the information?

A. table
B. title
C. filter
D. results

Answer 64

A. table

Verified

I tested on FMC

A - Exam Topics

Question 65

A network engineer is planning on deploying a Cisco Secure Firewall Threat Defense Virtual appliance in transparent mode. Which two virtual environments support this configuration? (Choose two.)

A. OSI
B. AWS
C. GCP
D. KVM
E. ESXi

Answer 65

D. KVM
E. ESXi

Verified via Cisco documentation

Question 66

An engineer is configuring a Cisco Secure Firewall Threat Defense device and wants to create a new intrusion rule based on the detection of a specific pattern in the data payload for a new zero-day exploit. Which keyword type must be used to add a line that identifies the author of the rule and the date it was created?

A. gtp_info
B. metadata
C. reference
D. content

Answer 66

When creating a new intrusion rule in a Cisco Secure Firewall Threat Defense device, the metadata keyword is used to add a line that identifies the author of the rule and the date it was created¹. So, the correct answer is B. metadata. This keyword is part of the rule header and provides additional information about the rule¹. For more details, please refer to the Cisco Secure Firewall Threat Defense Syslog Messages guide³ and the Cisco Secure Firewall Device Manager Configuration Guide².

Both agree

Source: Conversation with Bing, 12/10/2023
(1) Managing Firewall Threat Defense with Cloud-delivered Firewall … - Cisco. https://www.cisco.com/c/en/us/td/docs/security/cdo/cloud-delivered-firewall-management-center-in-cdo/managing-firewall-threat-defense-services-with-cisco-defense-orchestrator/m_intrusion-tuning-rules.html.
(2) Cisco Secure Firewall Threat Defense Syslog Messages. https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/security-event-syslog-messages.html.
(3) Cisco Secure Firewall Device Manager Configuration Guide, Version 7.2. https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-intrusion.html.
(4) Managing Firewall Threat Defense with Cloud-delivered Firewall … - Cisco. https://www.cisco.com/c/en/us/td/docs/security/cdo/cloud-delivered-firewall-management-center-in-cdo/managing-firewall-threat-defense-services-with-cisco-defense-orchestrator/m_intrusion-custom-rules.html.

Question 67

What is the role of realms in the Cisco ISE and Cisco FMC integration?

A. Cisco Secure Firewall VDC
B. Cisco ISE context
C. TACACS+ database
D. AD definition

Answer 67

In the context of Cisco ISE and Cisco FMC integration, realms are used to establish a connection between the Firepower Management Center (FMC) and an LDAP or Microsoft AD server to retrieve user and user group metadata for certain detected users ²³. This metadata can be used for user awareness and user control ²³⁴.

Therefore, the correct answer is B. Cisco ISE context.

I hope this helps! Let me know if you have any other questions.

Source: Conversation with Bing, 1/2/2024
(1) Firepower Management Center Device Configuration Guide, 7.1 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/identity-realms.html.
(2) Firepower Management Center Configuration Guide, Version 6.4 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/create_and_manage_realms.html.
(3) Firepower User Identity: Migrating from User Agent to Identity … - Cisco. https://www1-realm.cisco.com/c/en/us/support/docs/security/firepower-management-center/215887-firepower-user-identity-migrating-from.pdf.
(4) Solved: Integrating FMC with ISE - Cisco Community. https://community.cisco.com/t5/network-security/integrating-fmc-with-ise/td-p/3341196.

Question 68

A network engineer must configure IPS mode on a Secure Firewall Threat Defense device to inspect traffic and act as an IDS. The engineer already configured the passive-interface on the Secure Firewall Threat Defense device and SPAN on the switch. What must be configured next by the engineer?

A. intrusion policy on the Secure Firewall Threat Defense device
B. active SPAN port on the switch
C. DHCP on the switch
D. active interface on the Secure Firewall Threat Defense device

Answer 68

After configuring the passive-interface on the Secure Firewall Threat Defense device and SPAN on the switch, the next step for the engineer would be to configure the intrusion policy on the Secure Firewall Threat Defense device¹². This policy will define how the device should inspect and handle the traffic it receives¹². So, the correct answer is A. intrusion policy on the Secure Firewall Threat Defense device. Please refer to the Cisco Secure Firewall Management Center Device Configuration Guide for more details¹².

Both agree

Source: Conversation with Bing, 12/10/2023
(1) Firepower Management Center Device Configuration Guide, 7.1. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/interfaces-settings-ifcs-ips.html.
(2) Firepower Management Center Configuration Guide, Version 6.3. https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html.
(3) How to configure passive HA Panorama ethernet interface. https://live.paloaltonetworks.com/t5/panorama-discussions/how-to-configure-passive-ha-panorama-ethernet-interface/td-p/488549.
(4) Firepower Management Center Configuration Guide, Version 7.0 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/interface_overview_for_firepower_threat_defense.html.
(5) Cisco Secure Firewall Management Center Device Configuration Guide, 7.3. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/interfaces-settings-ifcs-overview.html.
(6) undefined. https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-m-series-a.

Question 69

A software development company hosts the website https://dev.company.com for contractors to share code for projects they are working on with internal developers. The web server is on premises and is protected by a Cisco Secure Firewall Threat Defense appliance. The network administrator is worried about someone trying to transmit infected files to internal users via this site. Which type of policy must be associated with an access control policy to enable Cisco Secure Firewall Malware Defense to detect and block malware?

A. SSL policy
B. file policy
C. network discovery policy
D. prefilter policy

Answer 69

To enable Cisco Secure Firewall Malware Defense to detect and block malware, a file policy must be associated with an access control policy¹². This policy defines how the system should inspect and handle the traffic it receives¹². So, the correct answer is B. file policy. Please refer to the Cisco Secure Firewall Management Center Device Configuration Guide for more details¹².

Both agree

Source: Conversation with Bing, 12/10/2023
(1) Cisco Secure Firewall Management Center Device Configuration Guide, 7.4. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/network-malware-protection.html.
(2) Malware and File Policy - Cisco Secure Firewall. https://secure.cisco.com/secure-firewall/v7.3/docs/malware-and-file-policy.
(3) Firepower Management Center Configuration Guide, Version 6.5 - Cisco. https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/file_policies_and_advanced_malware_protection.html.

Question 70

A company has many Cisco FTD devices managed by a Cisco FMC. The security model requires that access control rule logs be collected for analysis. The security engineer is concerned that the Cisco FMC will not be able to process the volume of logging that will be generated. Which configuration addresses concern this?

A. Send Cisco FTD connection events directly to a SIEM system and forward security events from Cisco FMC to the SIEM system for storage and analysis
B. Send Cisco FTD connection events and security events directly to SIEM system for storage and analysis
C. Send Cisco FTD connection events and security events to a cluster of Cisco FMC devices for storage and analysis
D. Send Cisco FTD connection events and security events to Cisco FMC and configure it to forward logs to SIEM for storage and analysis

Answer 70

B. Send Cisco FTD connection events and security events directly to SIEM system for storage and analysis

Verified