(D&D) Steps to restore an automatic device registration failure on the standby Cisco FMC. - Enter the 'configure manager add' command at the CLI of the affected device - Unregister the device from the standy Cisco FMC - Register the affected device on the active Cisco FMC. - Enter the 'configure manager delete' command at the CLI of teh affected device. - Register the affected device on the standby Cisco FMC - Unregister the device from the active Cisco FMC

1. Unregister the device from the active Cisco FMC 2. Enter the 'configure manager delete' 3. Enter the 'configure manager add' 4. Register the affected device on the active FMC.

Test #1 Flashcards by Procala Procala

Which CLI command is used to control special handling of ClientHello messages?

A. system support ssl-client-hello-tuning
B. system support ssl-client-hello-display
C. system support ssl-client-hello-force-reset
D. system support ssl-client-hello-reset

How well did you know this?

Not at all

Perfectly

Which command is typed at the CLI on the primary Cisco FTD unit to temporarily stop running high-availability?

A. configure high-availability resume
B. configure high-availability disable
C. system support network-options
D. configure high-availability suspend

How well did you know this?

Not at all

Perfectly

Which command must be run to generate troubleshooting files on an FTD?

A. system support view-files
B. sudo sf_trobleshoot.pl
C. system generate-troubleshoot all
D. show tech-support

How well did you know this?

Not at all

Perfectly

When do you need the file-size command option during troubleshooting with packet capture?

A. when capture packets are less than 16 MB
B. when capture packets are restricted from the secondary memory.
C. when capture packets exceed 10 GM
D. when capture packets exceed 32 MB

How well did you know this?

Not at all

Perfectly

What is the functionality of port objects in Cisco FMC?

A. to mix transport protocols when setting both source and destination port conditions in a rule.
B. to represent protocols other than TCP, UDP, and ICMP
C. to represent all protocols in the same way.
D. to add any protocol other than TCP and UDP for source port conditions in access control rules.

How well did you know this?

Not at all

Perfectly

Within Cisco FMC, where does a user add or modify widgets?

A. dashboard
b. reporting
c. context explorer
d. summary tool

How well did you know this?

Not at all

Perfectly

A network engineer is configuring URL filtering on FTD. Which two port requirements on the FMC must be validated to allow communication with the cloud service?

a. outbound TCP/443
b. inbound TCP/80
C. outbound TCP/8080
d. inbound TCP/443
e. outbound TCP/80

A E

How well did you know this?

Not at all

Perfectly

What is the maximum bit size that Cisco FMC supports for HTTPS certificates?

a. 1024
b. 8192
c. 4096
d. 2048

How well did you know this?

Not at all

Perfectly

Which limitation applies to Cisco FMC dashboards in a multidomain environment?

A. Child domains can view but not edit dashboards that originate from an ancestor domain.
b. Child domains have access to only a limited set of widgets from ancestor domains.
c. only the administrator of the top ancestor domain can view dashbaords.
d. child domains cannot view dashboards that originate from an ancestor domain.

How well did you know this?

Not at all

Perfectly

An engineer is troubleshooting a file that is being blocked by a Cisco FTD device on the network. The user is reporting that the file is not malicious. Which action does the engineer take to identify the file and validate whether or not it is malicious?

A. Identify the file in the intrusion events and submit it to the Threat Grid for analysis.

B. Use FMC file analysis to look for the file and select Analyze to determine its disposition.

C. Use the context explorer to find the file and download it to the local machine for investigation.

D. Right click the connection event and send the file to AMP for Endpoints to see if the hash is malicious.

How well did you know this?

Not at all

Perfectly

What is a behavior of a Cisco FMC database purge?

A. User login and history data are removed from the database if the User Activity check box is not selected.

B. Data can be recovered from the device.

C. The appropriate process is restarted.

D. The specified data is removed from FMC and kept for 2 weeks.

How well did you know this?

Not at all

Perfectly

Which two packet captures does the FTD LINA engine support? (Choose two)

A. Layer 7 network ID
B. source IP
C. application ID
D. dynamic firewall importing
E. protocol

How well did you know this?

Not at all

Perfectly

Which two features of Cisco AMP allows for an uploaded file to be blocked? (Choose two)

A. application blocking
b. simple custom detection
c. file repository
d. exclusions
e. application whitelisting

How well did you know this?

Not at all

Perfectly

Which action should you take when Cisco Threat Response notifies you that AMP has identified a file as malware?

A. Add the malicious file to the block list.
B. Send a snapshot to Cisco for technical support.
C. Forward the result of the investigation to an external threat-analysis engine.
D. Wait for Cisco Threat Response to automatically block the malware.

How well did you know this?

Not at all

Perfectly

Which Cisco Advanced Malware Protection for Endpoints policy is used only for monitoring endpoint actively?

A. Windows domain controller
B. audit
C. triage
D. protection

How well did you know this?

Not at all

Perfectly

What is a valid Cisco AMP file disposition?

A. non-malicious
B. malware
C. known-good
D. pristine

How well did you know this?

Not at all

Perfectly

In a Cisco AMP deployment, which disposition is returned if the cloud cannot be reached?

a. unavailable
b. unknown
c. clean
d. disconnected

How well did you know this?

Not at all

Perfectly

Which two remediation options are available when Cisco FMC is integrated with Cisco ISE? (Choose Two)

A. dynamic null route configured
b. DHCP pool disablement
c. quarantine
d. port shutdown
e. host shutdown

How well did you know this?

Not at all

Perfectly

Which connector is used to integrate Cisco ISE with Cisco FMC for Rapid Threat Containment?

a. pxGrid
b. FTD RTC
c. FMC RTC
d. IseGrid

How well did you know this?

Not at all

Perfectly

What is the maximum SHA level of filtering that Threat Intelligence Director supports?

a. SHA-1024
b. SHA-4096
c. SHA-512
d. SHA-256

How well did you know this?

Not at all

Perfectly

(D&D) Steps to restore an automatic device registration failure on the standby Cisco FMC.

Enter the ‘configure manager add’ command at the CLI of the affected device
Unregister the device from the standy Cisco FMC
Register the affected device on the active Cisco FMC.
Enter the ‘configure manager delete’ command at the CLI of teh affected device.
Register the affected device on the standby Cisco FMC
Unregister the device from the active Cisco FMC

Unregister the device from the active Cisco FMC
Enter the ‘configure manager delete’
Enter the ‘configure manager add’
Register the affected device on the active FMC.

How well did you know this?

Not at all

Perfectly

Which protocol is needed to exchange threat details in rapid threat containment on Cisco FMC?

A. SGT
B. SNMP v3
C. BFD
D. pxGrid

How well did you know this?

Not at all

Perfectly

Which description of a correlation policy configuration in teh Cisco FMC is true?

A. The system displays correlation policies that are created on all of the domains in a multidomain deployment.

B. Deleting a response group deletes the responses of that group.

C. You cannot add a host profile qualification to a correlation rule that is triggered by a malware event.

D. Correlation policy priorities whitelist priorities.

How well did you know this?

Not at all

Perfectly

What is the result of enabling Cisco FTD clustering?

A. For the dynamic routing feature, if the master unit fails, the newly elected master unit maintains all existing connections.

B. Integrated Routing and Bridging is supposed on the master unit.

C. Site-to-Site VPN functionality is limited to the master unit, and all VPN connections are dropped if the master unit fails.

D. All Firepower appliances can support FTD clustering.

How well did you know this?

Not at all

Perfectly

Which two conditions are necessary for high availability to function between two Cisco FTD devices? (Choose two) A. The units must be the same version B. Both devices can be part of a different group that must be in the same domain when configured within the FMC. C. The units must be different models if they are part of the same series. D. The units must be configured only for firewall routed mode. E. The units must be the same model.

On the advanced tab under inline set properties, which allows interfaces to emulate a passive interface? a. transparent inline mode b. TAP mode c. strict TCP enforcement d. propagate link state

What are the minimum requirements to deploy a managed device inline? a. inline interfaces, security zones, MTU, and mode b. passive interfaces, MTU, and mode c. inline interfaces, MTU, and mode d. passive interface, security zone, MTU, and mode.

What is the difference between inline and inline tap on Cisco FP? a. Inline tap mode can send a copy of the traffic to another device b. Inline tap mode does full packet capture c. Inline mode cannot do SSL decryption d. Inline mode can drop malicious traffic

Which Cisco FTD software, which interface mode must be configured to passively receive traffic that passes through the appliance? a. inline set b. passive c. routed d. inline tap

Which two deployment types support high availability? (Choose two) a. Transparent b. routed c. clustered d. intra-chassis multi-instance e. vitrual appliance in public cloud

What are 2 types or forms of suppression on a FirePower policy (or FTD)? a. source b. port c. rule d. protocol e. application

Which two dynamic routing protocols are supported in FirePower TD v6.0? (Choose Two) a. IS-IS b. BGP c. OSPF d. static routing e. EIGRP

Which protocol establishes network redundancy in a switched Firepower device deployment? a. STP b. HSRP c. GLBP d. VRRP

Which interface type allows packets to be dropped? a. passive b. inline c. ERSPAN d. TAP

Which Cisco FTD, which two interface settings are required when configuring a routed interface? (Choose two) a. Redundant Interface b. EhterChannel c. Speed d. Media Type e. Duplex

Which two dynamic routing protocols are supported in FTD without using FlexConfig? (Choose Two) a. EIGRP b. OSPF c. static routing d. IS-IS e. BGP

Which Policy rule is included in the deployment of a local DMZ during the inital deployment of a Cisco NGFW through the Cisco FMC GUI? a. A default DMZ policy for which only a user can change the IP addresses b. deny ip any c. no policy rule is included d. permit ip any

What are two application layer preprocessesors? (Choose two) a. CIFS b. IMAP c. SSL d. DNP3 e. ICMP

Which two OSPF routing features are configured in the Cisco FMC and propagated to Cisco FTD? (Choose two) a. OSPFv2 with IPv6 capabilities b. virtual links c. SHA authentication to OSPF packets d. area boundary router type 1 LSA filtering. e. MD5 authentication to OSPF packets.

With Cisco FP Threat Defense software, which interface mode do you configure for an IPS deployment, where traffic passes through the applicance but does not require VLAN rewriting? A. inline set B. passive C. inline tap D. routed E. transparent

What software can be installed on the Cisco 4100 series appliance? (Choose Two) A. FTD B. ASA C. ASAv D. FMC

Which two fields can be used to create a new email alert within the Cisco Firepower Management Center under Policies-> Actions-> Alerts tab? (Choose two). A. Device B. Source C. Destination D. From E. Relay Host

When creating a report template, how can the results be limited to show only the activity of a specific subnet? A. Create a custom search in FMC and select it in each section of the report. B. Add an Input Parameter in the Advanced Settings of the report, and set the type to Network/IP. C. Add a Table View section to the report with the Search field defined as the network in CIDR format. D. Select IP Address as the X-Axis in each section of the report.

What is the disadvantage of setting up a site-to-site VPN in a clustered-units environment? A. VPN connection can be re-established only if the failed master unit recovers. B. Smart License is required to maintain VPN connections simultaneously across all cluster units. C. VPN connections must be re-established when a new master unit is elected. D. Only established VPN connections are maintained when a new master unit is elected.

What two statements about bridge-group interfaces in Cisco FTD are true? (Choose two). A. The BVI IP address must be in a separate subnet from the connected network. B. Bridge groups are supported in both transparent and routed firewall modes. C. Bridge groups are supported only in transparent firewall mode. D. Bidirectional Forwarding Dectection echo packets are allowed through the FTD when using bridge-group members. E. Each directly connected network must be on the same subnet.

Which command is run on an FTD unit to associate the unit to an FMC manager that is at IP address 10.0.0.10, and that has the registration key Cisco123? A. configure manager local 10.0.0.10 Cisco123 B. configure manager add Cisco123 10.0.0.10 C. configure manager local Cisco123 10.0.0.10 D. configure manager add 10.0.0.10 Cisco123

Which two actions can be used in an access control policy rule? (Choose two) A. Block with reset B. Monitor C. Analyze D. Discover E. Block All

Which two routing options are valid with Cisco Threat Defense? (Choose two) A. BGPv6 B. ECMP with up to three equal cost paths across multiple interfaces. C. ECMP with up to three equal costs paths across a single interface. D. BGPv4 in transparent firewall mode E. BGPv4 with nonstop forwarding

Which description of a correlation policy configuration in the Cisco FMC is true? a. Correlation policy priorities override whitelist priorities. b. The system displays correlation policies that are created on all of the domains in a multidomain deployment. c. You cannot add a host profile qualification to a correlation rule that is triggered by a malware event. d. Deleting a reponse group deletes the responses of that group.

Which two TCP ports can allow the Cisco FMC to communicate with FireAMP cloud for file disposition information? (Choose Two) A. 8080 B. 22 C. 8305 D. 32137 E. 443

Which Object type supports object overrides? A. Time range B. Security group tag. C. Network Object D. DNS Server Group

Which Cisco Firepower rule action displays an HTTP warning page? A. Monitor B. Block C. Interactive Block D. Allow with Warning

What is the result of specifying of QoS rule that has a rate limit that is greater than the maximum throughput of an interface? A. The rate-limiting rule is disabled B. Matching traffic is not rate limited. C. The system rate-limits all traffic. D. The system repeatedly generates warnings.

Which Firepower feature allows users to configure bridges in routed mode and enables devices to perform Layer 2 switching between interfaces? A. FlexConfig B. BDI C. SGT D. IRB

In which two places can thresholding settings be configured? (Choose two) A. on each IPS rule B. globally, within the network analysis policy C. globally, per intrusion policy D. on each access control rule E. per perprocessor, within the network analysis policy.

In which two ways do access control policies operate on a Cisco Firepower system? (Choose two) A. Traffic inspection can be interrupted temporarily when configuration changes are deployed. B. The system performs intrusion inspection followed by file inspection. C. They can block traffic based on Security Intelligence data. D. File policies use an associated variable set to perform intrusion prevention. E. The system performs a preliminary inspection on trusted traffic to validate that it matches the trusted parameters.

Which function is the primary function of Cisco AMP threat Grid? A. automated email encryption B. applying a real-time URI blacklist C. automated malware analysis D. monitoring network traffic.

Which two features does Cisco Trust Anchor support? (Choose Two) A. Flood attack detection B. secure boot C. image signing D. DDoS mitigation E. SYN flood detection

Which two types of objects are reuseable and supported by Cisco FMC? (Choose Two) A. dynamic key mapping objects that help link HTTP and HTTPS GET requests to Layer 7 application protocols. B. reputation-based objects that represent Security Intelligence feeds and lists, application filters based on category and reputation, and file lists. C. network-based objects that represent IP address and networks, port/protocols pairs, VLAN tags, security zones, and origin/destination country D. network-based objects the represent IP address and networks, port/protocol pairs, VXLAN tags, security zones, and origin/destination country. E. reputation-based objects, such as URL categories.

What is the benefit of selecting the trace option for packet capture? A. The option includes whether the packet was dropped or successfull B. The option indicated whether the destination host responds through a different path. C. The option limits the number of packets that are captured. D. The option captures details of each packet.

After deploying a network-monitoring tool to manage and monitor networking devices in your organization, you realize that you need to manually upload an MIB for the Cisco FMC. In which folder should you upload the MIB file? A. /etc/sf/DCMIB.ALERT B. /sf/etc/DCEALERT.MIB C. /etc/sf/DCEALERT.MIB D. system/etc/DCEALERT.MIB

Which command is run at the CLI when logged in to an FTD unit, to determine whether the unit is managed locally or by a remote FMC server? A. system generate-troubleshoot B. show configuration session C. show managers D. show running-config | include manager

Which command should be used on the Cisco FTD CLI to capture all the packets that hit an interface? A. configure coredump packet-engine enable. B. capture-traffic C. capture D. capture WORD

How many report templates does the Cisco Firepower Management Center support? A. 20 B. 10 C. 5 D. unlimited

Which action should be taken after editing an object that is used inside an access control policy? A. Delete the existing object in use. B. Refresh the Cisco FMC GUI for the access control policy. C. Redeploy the updated configuration. D. Create another rule using a different object name.

Which two characteristics represent a Cisco device operating in tap mode? (Choose two) A. It analyzes copies of packets from the packet flow. B. The device is deployed in a passive configuration. C. If a rule is triggered the device generates an intrusion event. D. The packet flow traverses the devices. E. If a rule is triggered the device drops the packet.

When using Cisco AMP for Networks, which feature copies a file to the Cisco AMP cloud for analysis? A. Spero analysis B. dynamic analysis C. sandbox analysis D. Malware analsysi

Which Cisco Firepower feature is used to reduce the number of events received in a period of time? a. rate-limiting B. suspending C. correlation D. thresholding

Which report template field format is available in Cisco FMC? A. box lever chart B. arrow chart C. bar chart D. benchmark chart

Which group within Cisco does the Threat Reponse team use for threat analysis and research? A. Cisco Deep Analytics B. OpenDNS Group C. Cisco Network Reponse D. Cisco Talos

Which CLI command is used to generate firewall debug messages on a Cisco Firepower? A. system support firewall-engine-debug B. system support ssl-debug C. system support platform D. system support dump-table

Which command-line mode is supported from the Cisco Firepower Management Center CLI? A. privileged B. user C. configuration D. admin

Which command is entered in the Cisco FMC CLI to generate a troubleshooting file? A. show running-config B. show tech-support chassis C. system support dianostic-cli D. sudo sf_troubleshooting.pl

While configuring FTD, a network engineer wants to ensure that traffic passing through the appliance does not require routing or VLAN rewriting. Which interface mode should the engineer implement to accomplish this task? A. passive B. transparent C. inline tap D. inline set

Which Cisco FTD integrated routing and bridging, which interface does the bridge group use to communicate with a routed interface? A. switch virtual B. bridge group member C. bridge virtual D. subinterface

A network engineer is extending a user segment through an FTD device for traffic inspection without creating another IP subnet. How is this accomplished on an FTD device in routed mode? A. by leveraging the ARP to direct traffic through the firewall. B. by assigning an inline set interface. C. by using a BVI and create a BVI IP address in the same subnet as the user segment. D. by bypassing protocol inspection by leveraging pre-filter rules.

[Refer to the exhibit] An engineer is analyzing the Attacks Risk Report and finds that there are over 300 instances of new operating systems being seen on the network. How is the firepower configuration updated to protect these new operating systems? A Cisco firepower automatically updated the policies. B. the administrator requests a remediation recommendation report from Cisco Firepower. C. Cisco Firepower gives recommendations to update the policies. D. The administrator manually updates the policies.

A security engineer is configuring an Access Control Policy for multiple branch locations. These locations share a common rule set and utilize a network object called INSIDE_NET which contains the locally significant internal network subnets at each location. What technique will retain the policy consistency at each location but allow only the locally significant network subnet within the applicable rules? A. utilizing policy inheritance B. utilizing a dynamic ACP that updates from Cisco Talos C. creating a unique ACP per device D. creating an ACP with an INSIDE_NET network object and object overrides.

An administrator is working on a migration from Cisco ASA to the Cisco FTD appliance and needs to test the rules without disrupting the traffic. Which policy type should be used to configure the ASA rules during this phase of the migration? A. identity B. intrusion C. Access Control D. Prefilter

An engineer currently has a Cisco FTD device registered to the Cisco FMC and is assigned the address of 10.10.50.12. The organization is upgrading the addressing schemes and there is a requirement to convert the adresses to a format that provides an adequate amount of addresses on the network. What should the engineer do to ensure that the new addessing takes effect and can be used for the Cisco FTD to Cisco FMC connection? A. Delete and reregister the device to Cisco FMC. B. Update the IP addresses from IPv4 to IPv6 without deleting the device from Cisco FMC. C. Format and reregister the device to Cisco FMC. D. Cisco FMC does not support devices that use IPv4 IP addresses.

After using Firepower for some time and learning about how it interacts with the network, an administrator is trying to correlate malicious activity with a user. Which widget should be configured to provide this visibility on the Cisco Firepower dashboards? A. Custom Analysis B. Current Status C. Current Sessions D. Correlation Events

An administrator is attempting to remotely log into a switch in a data center using SSH and is unable to connect. How does the administrator confirm that traffic is reaching the firewall? A. by running Wireshark on the admin's PC. B. By performing a packet capture on the firewall. C. By running a packet tracer on the firewall. D. By attempting to access it from a different workstation.

An engineer is configuring a second Cisco FMC as a standby device but is unable to register with the active unit. What is causing this issue? A. The primary FMC currently has devices connected to it. B. The code versions running on the Cisco FMC devices are different. C. The licensing purchased does not include High Availability. D. There is only 10 Mbps of bandwidth between the two devices.

The event dashboard within the Cisco FMC has been inudated with low priority intrusion drop events, which are overshadowing high priority events. An engineer has been tasked with reviewing the policies and reducing the low priority events. Which action should be configured to accomplish this task? A. Generate events B. drop packet C. drop connection D. drop and generate

An engineer is implementing Cisco FTD in the network and is determining which Firepower mode to use. The organization needs to have multiple virtual Firepower devices working separately inside of the FTD appliance to provide traffic segmentation. Which deployment mode should be configured in the Cisco Firepower Management Console to support these requirements? A. multiple deployment B. single-context C. single deployment D. multi-instance

Which two consideration must be made when deleting and re-adding devices while managing them via Cisco FMC? (Choose Two) A. Before re-adding the device in Cisco FMC, the manager must be added back. B. The Cisco FMC web interface prompts users to re-apply access control policies. C. Once a device has been deleted. It must be reconfigured before it is re-added to the Cisco FMC. D. An option to re-apply NAT and VPN policies during registration is available, so users do not need to re-apply the policies after registration is completed. E> There is no option to re-apply NAT and VPN policies during registration is available, so users need to re-apply the policies after registration is completed.

An engineer is configuring a Cisco FTD appliance in IPS-only mode needs to utilize fail-to-wire interfaces. Which interface mode should be used to meet these requirements. A. transparent. B. routed. C. passive D. inline set

An engineer is troubleshooting application failures through a FTD deployment. While using the FMC CLI has been determined that the traffic in question is not matching the desired policy. What should be done to correct this? A. Use the system support firewall-engine-debug command to determine which rules the traffic matching and modify the rule accordingly. B. Use the system support application-identification-debug command to determine which rules the traffic matching and modify the rule accordingly. C. Use the system support firewall-engine-dump-user-f density-data command to change the policy and allow the application through the firewall. D. Use the system support network-options command to fine tune the policy.

What is the advantage of having Cisco Firepower devices send events to Cisco Threat response via he security exchange portal directly as opposed to using syslog? A. Firepower devices do not need to be connected to the internet. B. All types of Firepower devices are supported. C. Supports all devices that are running supported version of Firepower. D. An on-permise proxy server does not need to set up and maintained.

An engineer has been asked to show application usages automatically on a monthly basis and send the information to management. What mechanism should be used to accomplish this task? A. event viewer B. reports C. dashboards D. context explorer

An organization has noticed that malware was downloaded from a website that does not currently have a known bad reputation. How will this issue be addressed globally in the quickest way possible and with the least amount of impact? A. by denying outbound web access B. Cisco Talos will automatically updated the policies. C. by isolating the endpoint D. by creating a URL object in the policy to block the website

An engineer is setting up a new Firepower deployment and is lookign at the default FMC policies to start the implementation. During the inital trial phase, the organization wants to test some common Snort rules while still allowing the majority of network traffic to pass. Which default policy should be used? A. Maximum Detection B. Security over Connectivity C. Balanced Security and Connectivity D. Connectivity Over Security

An organization has implemented Cisco Firepower without IPS capabilities and now wants to enable inspection for their traffic. They need to be able to detect protocol anomalies and utilize the Snort rule sets to detect malicious behavior. How is this accomplished? A. Modify the network discovery policy to detect new hosts to inspect. B. Modify the access control policy to redirect interesting traffic to the engine. C. Modify the intrusion policy to determine the minimum severity of an event to inspect. D. Modify the network analysis policy to process the packets for inspection

A hospital network needs to upgrade their Cisco FMC managed devices and needs to enure that a disaster recovery process is in place. What must be done in order to minimize downtime on the network? A. Configure a second circuit to an ISP for added redundancy. B. Keep a copy of the current configuration to use as backup. C. Configure the Cisco FMCs for failover D. Configure the Cisco FMC managed devices for clustering.

An engineer is monitoring network traffic from their sales and product development departments, which are on two separate networks. What must be configured in order to maintain data privacy for both departments? A. Use a dedicated IPS inline set for each department to maintain traffic separation. B. Use 802.1Q mime set Trunk interfaces with VLANs to maintain logical traffic separation. C. Use passive IDS ports for both departments. D. Use one pair of inline set in TAP mode for both departments.

With Cisco FTD software, which interface mode must be configured to passively receive traffic that passes through the appliance? A. ERSPAN B. IPS-only C. firewall D. tap

A Cisco FTD device is running in transparent firewall mode with a VTEP bridge group member ingress interface. What must be considered by an engineer tasked with specifying a destination MAC address for a packet trace? A. The destination MAC address is optional if a VLAN ID value is entered. B. Only the UDP packet type is supported. C. The output format option for the packet logs unavailable. D. The VLAN ID and destination MAC address are optional.

What is a characteristic of bridge groups on a Cisco FTD? A. In routed firewall mode, routing between bridge groups must pass through a routed interface. B. In routed firewall mode, routing between bridge groups is supported. C. In transparent firewall mode, routing between groups is supported. D. Routing between bridge groups is achieved only with a router-on-a-stick configuration on a connected router.

Network traffic coining from an organization's CEO must never be denied. Which access control policy configuration option should be used if the deployment engineeer is not permitted to create a rule to allow all traffic? A. Configure the firewall bypass B. Change the intrusion policy from security to balance. C. Configure a trust policy for the CEO D. Create a NAT policy just for the CEO

An organization has a compliancy requirement to protect servers from clients, however the clients and servers all reside on the same Layer 3 network. Without readdressing IP subnets for clients or servers, how is segmentation achieved? A. Deploy a firewall in transparent mode between the clients and servers. B. Change the IP addresses of the clients, while remaining on the same subnet. C. Deploy a firewall in routed mode between the clients and servers. D. Change the IP addresses of the servers, while remaining on the same subnet.

In a multi-tenant deployment where multiple domains are in use. Which update should be applied outside of the Global Domain? A. minor upgrade B. local import of intrusion rules. C. Cisco Geolocation Database D. local import of major upgrade

A mid-sized company is experiencing higher network bandwidth utilization due to a recent acquistion. The network operations team is asked to scale up their one Cisco FTD appliance deployment to higher capacities due to the increased network bandwidth. Which design option should be used to accomplish this goal? A. Deploy multiple Cisco FTD appliances in firewall clustering mode to increase performance. B. Deploy multiple Cisco FTD appliances using VPN load-balancing to scale performance. C. Deploy multiple Cisco FTD HA pairs to increase performance. D. Deploy multiple Cisco FTD HA pairs in clustering mode to increase performance.

An organization has seen a lot of traffic congestion on their links going out to the internet. There is a Cisco Firepower device that processes all of the traffic going to the internet prior to leaving the enterprise. How is the congestion alleviated so that legitimate business traffic reaches the destination? A. Create a flexconfig policy to use WCCP for application aware bandwidth limiting. B. Create a VPN policy so that direct tunnels are established to the business applications. C. Create a NAT policy so that the Cisco Firepower device does not have to translate as many addresses. D. Create a QoS polic rate-limiting high bandwidth applications

An engineer configures an access control rule that deploys file policy configurations to security zone or tunnel zones, and it causes the device to restart. What is the reason for the restart? A. Source or destination security zones in the access control rule matches the security zones that are associated with interfaces on the target devices. B. The source tunnel zone in the rule does not match a tunnel zone that is assigned to a tunnel rule in the destination policy. C. Source or destination security zones in the source tunnel zone do not match the security zones that are associated with interfaces on the target devices. D. The source tunnel zone in the rule does not match a tunnel zone that is assigned to a tunnel rule in the source policy.

An engineer is attempting to create a new dashboard within the Cisco FMC to have a single view with widgets from many of the other dashboards. The goal is to have a mixture of threat and security related widgets along with Cisco Firepower device health information. Which two widgets must be configured to provide this information? (Choose Two) A. Intrusion Events B. Correlation Information C. Appliance Status D. Current Sessions E. Network Compliance

An organization is setting up two new Cisco FTD devices to replace their current firewalls and cannot have any network downtime. During the setup process, the synchronization between the two devices is failing. What action is needed to resolve this issue? A. Confirm that both devices have the same port-channel numbering. B. Confirm that both devices are running the same software version. C. Confirm that both devices are configured with the same type of interfaces. D. Confirm that both devices have the same memory sizes.

There is an increased amount of traffic on the network and for compliance reasons, management need visibility into the encrypted traffic. What is a result of enabling TLS/SSL decryption to allow this visibility? A. It prompts the need for a corporate managed certificate. B. It has minimal performance impact. C. It is not subject to any Privacy regulations. D. It will fail if certificate pinning is not enforced.

An organization wants to secure traffic from their branch office to the headquarter building using Cisco Firepower devices. They want to ensure that their Cisco Firepower devices are not wasting resources on inspecting the VPN traffic. What must be done to meet these requirements? A. Configure the Cisco Firepower devices to ignore the VPN traffic using prefilter policies. B. Enable a flexconfig policy to re-classify VPN traffic so that it no longer appears as interesting traffic. C. Configure the Cisco Firepower devices to bypass the access control policies for VPN traffic. D. Tune the intrusion policies in order to allow the VPN traffic through without inspection.

A network administrator is seeing an unknown verdict for a file detected by Cisco FTD. Which malware policy configuration option must be selected in order to further analyse the file in the Talos cloud? A. Spero analysis B. Malware analysis C. Dynamic analysis D. Sandbox analysis

An engineer has been tasked with providing disaster recovery for an organization's primary Cisco FMC. What must be done on the primary and secondary Cisco FMC's to ensure that a copy of original corporate policy is available if the primary Cisco FMC fails? A. Configure high-availability in both the primary and secondary Cisco FMCs B. Connect the primary and secondary Cisco FMC devices with Category 6 cables of not more than 10m in length. C. Place the active Cisco FMC device on the same trusted management network as the standby device. D. Restore the primary Cisco FMC backup configuration to the secondary Cisco FMC device when the primary device fails.

An engineer is attempting to add a new FTD device to their FMC behind a NAT device with a NAT ID of ACME001 and a password of Cisco388267669. Which command set must be used in order to accomplish this? A. Configure manager add ACME001 B. configure manager add ACME001 C. configure manager add DONTRESOLVE ACME001 D. configure manager add registration key> ACME001

Refer to exhibit: An organization has an access control rule with the intention of sending all social media traffic for inspection. After using the rule for some time, the administrator notices that the traffic is not being inspected, but is being automatically allowed. What must be done to address this issue? A. Modify the selected application within the rule . B. Change the intrusion policy to connectivity over security. C. Modify the rule action from trust to allow. D. Add the social network URLs to the block list.

A user within an organization opened a malicious file on a workstation which in turn caused a ransomware attack on the network. What should be configured within the Cisco FMC to ensure the file is tested for viruses on a sandbox system? A. Capacity handling B. Local malware analysis C. Spero analysis D. Dyanmic Analysis

An engineer configures a network discovery policy on Cisco FMC. Upon configuration, it is noticed that excessive and misleading events filing the database and overloading the Cisco FMC. A monitored NAT device is executing multiple updates of its operating system in a short period of time. What configuration change must be made to alleviate this issue? A. Leave default networks. B. Change the method to TCP/SYN C. Increase the number of entries on the NAT device. D. Exclude load balancers and NAT devices.

Administrator is configuring SNORT inspection policies and is seeing failed deployment messages in Cisco FMC. What information should the administrator generate for Cisco TAC to help troubleshoot? A. A troubleshoot file for the device in question. B. A 'show tech' file for the device in question. C. a 'show tech' for the cisco FMC. D. A 'troubleshoot' file for the Cisco FMC

What is SecureX considered? A. EDR B. MDR C. XDR D. All of the above

A network engineer is receiving reports of users randomly getting disconnected from their corportate applications which traverses the data center FTD appliance Network monitoring toosl show that the FTD appliance utilization is peaking above 90% of total capacity. What must be done in order to further analyze this issue? A. Use the Packet Exporte feature to save data onto external drives. B. Use the packet Capture feature to collect real-time network traffic. C. Use the Packet Tracer feature for traffic policy analysis. D. Use the Packet Analysis feature for capturing network data.

IT management is asking the network engineer to provide high-level summary statistics of the Cisco FTD appliance in the network. The business is approaching a peack season so the need to maintain business uptime is high. Which report type should be used to gather this information? A. Malware Report B. Standard Report C. SNMP Report D. Risk Report

Refer to the exhibit: An administrator is looking at some of the reporting capabilities for Cisco Firepower and noticed this section of the Network Rick report showing a lot of SSL activity that cloud be used for evasion. Which action will mitigate this risk? A. Use SSL decryption to analyze the packets. B. Use encrypted traffic analytics to detect attacks. C. Use Cisco AMP for Endpoints to block all SSL connection D. Use Cisco tetration to track SSL connections to servers.

An administrator is setting up Cisco Firepower to send data to the Cisco Stealthwatch appliances. The NetFlow_Set_Parameters object is already created, but NetFlow is not being sent to the flow collector. What must be done to prevent this from occurring? A. Add the NetFlow_Send_Destination object to the configuration. B. Create a Security Intelligence object to send the data to Cisco Stealthwatch. C. Create a service identifier to enable the NetFlow service. D. Add the NetFlow_Add_Destination object to the configuration.

With a recent summer time change, system logs are showing activity that occured to be an hour behind real time. Which action should be taken to resolve this issue? A. Manually adjust the time to the correct hour on all managed devices. B. Configure the system clock settings to use NTP with Daylight Savings checked. C. Manually adjust the time to the correct hour on the Cisco FMC. D. Configure the system clock settings to use NTP.

A network administrator noticies that SI events are not being updated the Cisco FTD device is unable to load all of the SI event entries and traffic is not being blocked as expected. What must be done to correct this issue? A. Restart the affected devices in order to reset the configurations. B. Manually update the SI event entries to that the appropriate traffic is blocked. C. Replace the affected devices with devices that provide more memory. D. Redeploy configurations to affected devices so that additional memory is allocated to the SI module.

Refer to the exhibit. What must be done to fix access to this website while preventing the same communication to all other websites? A. Create an intrusion policy rule to have Snort allow port 80 to only 172.1.1.50 B. Create an intrusion policy rule to have Snort allow port 443 to only 172.1.1.50 C. Create an access control policy rule to allow port 443 to only 172.1.1.50 D. Create an access control policy rule to allow port 80 to only 172.1.1.50

A network administrator discovers that a user connected to a file server and downloaded a malware file. The Cisco FMC generated an alert for the malware event, however the user still remained connected. Which Cisco APM file rule action within the Cisco FMC must be set to resolve this issue? A. Detect Files B. Malware Cloud Lookup C. Local Malware Analysis D. Reset Connection

Which feature within the Cisco FMC web interface allows for detecting, analyzing and blocking malware in network traffic? A. Intrusion and file events B. Cisco AMP for Endpoints C. Cisco AMP for Networks D. file policies

Which license type is required on Cisco ISE to integrate with Cisco FMC pxGrid? A. Mobility B. Plus C. base D. Apex

A network engineer wants to add a third-party threat feed into the Cisco FMC for enhanced threat detection. Which action should be taken to accomplish this goal? A. Enable Threat Intelligence Director using STIX and TAXII B. Enable Rapid Threat Containment using REST APIs C. Enable Threat Intelligence Director using REST APIs D. Enable Rapid Threat Containment using STIX and TAXII

What is a feature of Cisco AMP private cloud? A. It supports anonymized retrieval of threat intelligence. B. It supports security intelligence filtering. C. It disables direct connections to the public cloud. D. It performs dynamic analysis

An engineer has been tasked with using Cisco FMC to determine if files being sent through the network are malware. Which two configuration tasks must be performed to achieve this file lookup? (Choose Two) A. The Cisco FMC needs to include a SSL decryption policy. B. The Cisco FMC needs to connect to the Cisco AMP for Endpoints service. C. The Cisco FMC needs to connect to the Cisco ThreatGrid service directly for sandboxing. D. The Cisco FMC needs to connect with the FireAMP Cloud. E. The Cisco FMC needs to include a file inspection policy for malware lookup.

An organization is using a Cisco FTD and Cisco ISE to perform identity-based access controls. A network administrator is analyzing the Cisco FTD events and notices that unknown user traffic is being allowed through the firewall. How should this be addressed to block the traffic while allowing legitimate user traffic? A. Modify the Cisco ISE authorization policy to deny this access to the user. B. Modify Cisco ISE to send only legitimate usernames to the Cisco FTD. C. Add the unknown user in the Access Control Policy in Cisco FTD. D. Add the unknown user in the Malware & File Policy in CIsco FTD.

An engineer is restoring a Cisco FTD configuration from a remote backup using the command restore remote-manager-backup location 1.1.1.1 admin/volume/home/admin BACKUP_Cisco394602314.zip on a Cisco FMG. After connecting to the repository, an error occured that prevents the FTD device from accepting the backup file. What is the problem? A. The backup file is not in .cfg format B. The backup file is too large for the Cisco FTD device. C. The backup file extension was changed from tar to zip. D. The backup file was not enabled prior to being applied.

A network engineer is logged into the Cisco AMP for Endpoints console and sees a malicious verdict for an identified SHA-256 hash. Which configuration is needed to mitigate this threat? A. Add the hash to the simple custom deletion list. B. Use regular expressions to block the malicious file. C. Enable a personal firewall in the infected endpoint. D. Add the hash from the infected endpoint to the network block list.

A network engineer implements a new Cisco Firepower device on the network to take advantage of its intrusion detection functionality. There is a requirement to analyze the traffic going across the device, alert on any malicious traffic, and appear as a bump in the wire. How should this be implemented? A. Specify the BVI IP address as the default gateway for connected devices. B. Enable routing on the Cisco Firepower. C. Add an IP address to the phyiscal CIsco Firepower interfaces. D. Configure a bridge group in transparent mode.

An organization has a Cisco IPS running in inline mode and is inspecting traffic for malicious activity. When traffic is received by the Cisco IRS, if it is not dropped, how does the traffic get to its destination? A. It is retransmitted from the Cisco IPS inline set. B. The packets are duplicated and a copy is sent to the destination. C. It is transmitted out of the Cisco IPS outside interface. D. It is routed back to the Cisco ASA interfaces for transmission.

A network administrator is concerned about the high number of malware files affecting users' machines. What must be done within the access control policy in Cisco FMC to address this concern? A. Create an Intrusion policy and set the access control policy to block. B. Create an intrusion policy and set the access control policy to allow. C. Create a file policy and set the access control policy to allow. D. Create a file policy and set the access control policy to block.

An engineer is investigating connectivity problems on Cisco Firepower that is using service group tags. Specific devices are not being tagged correctly, which is preventing clients from using the proper policies when going through the firewall. How is this issue resolved? A. Use traceroute with advanced options. B. Use Wireshark with an IP subnet filter C. Use a packet capture with match criteria. D. Use a packet sniffer with correct filtering.

A connectivity issue is occurring between a client and a server which are communicating through a Cisco Firepower device. While troubleshooting, a network administrator sees that traffic is reaching the server, but the client is not getting a response. Which step must be taken to resolve this issue without initiating traffic from the client? A. Use packet-tracer to ensure that traffic is not being blocked by an access list. B. Use packet capture to ensure that traffic is not being blocked by an access list. C. Use packet capture to validate that the packet passes through the firewall and is NATed to the corrected IP address. D. Use packet-tracer to validate that the packet passes through the firewall and is NATed to the corrected IP address.

An organization must be able to ingest NetFlow traffic from their Cisco FTD device to Cisco Stealthwatch for behavioral analysis. What must be configured on the Cisco FTD to meet this requirement? A. flexconfig object for NetFlow B. interface object to export NetFlow C. security intelligence object for NetFlow D. variable set object for NetFlow

An engineer is tasked with deploying an internal perimeter firewall that will support multiple DMZs. Each DMZ has a unique private IP subnet range. How is this requirement satified? A. Deploy the Firewall in transparent mode with access control policies. B. Deploy the firewall in routed mode with access control policies. C. Deploy the firewall in routed mode with NAT configured. D. Deploy the firewall in transparent mode with NAT configured.

An engineer must build redundancy into the network and traffic must continuously flow if a redundant switch in front of the firewall goes down. What must be configured to accomplish this task? A. redundant interfaces on the firewall cluster mode and switches. B. redundant interfaces on the firewall noncluster mode and swtiches. C. vPC on the switches to the interface mode on the firewall duster. D. vPC on the switches to the span EtherChannel on the firewall cluster.

What is the advantage of having Cisco Firepower devices send events to Cisco Threat Response via the security services exchange portal directly as opposed to using syslog? A. All types of Cisco Firepower devices are supported. B. An on-premises proxy server does not need to be set up and maintained. C. Cisco Firepower devices do not need to be connected to the internet. D. Supports all devices that are running supported versions of Cisco Firepower.

A network administrator notices that remote access VPN users are not reachable from inside the network. It is determined that routing is configured correctly, however return traffic is entering the firewall but not leaving it. What is the reason for this issue? A. A manual NAT exemption rule does not exist at the top of the NAT table. B. An external NAT IP address is not configured. C. An external NAT IP address is configured to match the wrong interface. D. An object NAT exemption rule does not exist at the top of the NAT table.

An engineer must configure high availability for the Cisco Firepower devices. The current network topology does not allow for two devices to pass traffic concurrently. How must the devices be implemented in this environment? A. in active/active mode B. in a cluster span EtherChannel C. in active/passive mode D. in cluster interface mode

When deploying a Cisco ASA Firepower module, an organization wants to evaluate the contents of the traffic without affecting the network. It is currently configured to have more than one instance of the same device on the physical appliance. Which deployment mode meets the needs of the organization? A. inline tap monitor-only mode. B. passive monitor-only mode C. passive tap monitor-only mode D. inline mode

A network administrator notices that inspection has been interrupted on all non-managed interfaces of a device. What is the cause of this? A. The value of the highest MTU assigned to any non-management interface was changed. B. The value of the highest MSS assigned to any non-management interface was changed. C. A passive interface was associated with a security zone. D. Multiple inline interface pairs were added to the same inline interface.

An administrator is creating interface objects to better segment their network but is having trouble adding interfaces to the objects. What is the reason for this failure? A. The interfaces are being used for NAT for multiple networks. B. The administrator is adding interfaces of multiple types. C. The administrator is adding an interface that is in multiple zones. D. The interfaces belong to multiple interface groups.

Which two conditions must be met to enable high availability between two Cisco FTD devices? (Choose Two) A. same flash memory size B. same NTP configuration C. same DHCP/PPoE configuration D. same host name E. same number of interfaces.

A network adminitrator Snort inspection policies and is seeing failed deployment messages in Cisco FMC. What information should be administrator generate for Cisco TAC to help troubleshoot? A. A 'show tech' file for the device in question. B. A 'troubleshoot' file for the device in question. C. A 'troubleshoot' file for the Cisco FMC. D. A 'show tech' for the Cisco FMC.

An engineer is building a new access control policy using Cisco FMC. They policy must inspect a unqiue IPS policy as well as log rule matching. Which action msut be taken to meet these requirements? A. Configure an IPS policy and enable per-rule logging. B. Disable the default IPS policy and enable global logging. C. Configure an IPS policy and enable global logging D. Disable the default IPS policy and enable per-rule logging.

A network administrator needs to create a policy on Cisco Firepower to fast-path traffic to avoid Layer 7 inspection. The rate at which traffic is inspected must be optimized. What must be done to achieve this goal? A. Enable the FXOS for multi-instance. B. Configure a prefilter policy. C. Configure modular policy framework. D. Disable TCP inspection

A network engineer is tasked with minimizing traffic interruption during peak traffic time. When the SNORT inspection engine is overwhelmed, what must be configured to alleviate this issue? A. Enable IPS inline link state propagation B. Enable Pre-filter policies before the SNORT engine failure. C. Set a Trust ALL access control policy. D. Enable Automatic Application bypass.

A VPN user is unable to connect to web resources behind the Cisco FTD device terminating the connection. While troubleshooting the network administrator determines that the DNS responses are not getting through the Cisco FTD. What must be done to address this issue while still utilizing SNORT IPS rules? A. Uncheck the 'Drop when Inline' box in the intrusion policy to allow the traffic. B. Modify the SNORT rules to allow legitimate DNS traffic to the VPN users. C. Disable the intrusion rule threashold to optimize the SNORT processing. D. Decrypt the packet after the VPN flow so the DNS queries are not inspected.

An organization has a Cisco FTD that uses bridge groups to pass traffic from the inside interfaces to the outside interfaces. They are unable to gather information about neighboring Cisco devices or use multicast in their environment. What must be done to resolve this issue? A. Create a Firewall rule to allow CDP traffic. B. Create a bridge group with the firewall interfaces. C. Change the Firewall Mode to transparent. D. Change the Firewall mode to routed.

An organization is using a Cisco FTD and Cisco ISE to perform identity-based access controls. A network administrator is analyzing the Cisco FTD events and notices that unknown user traffic is being allowed through the firewall. How should this be addressed to block the traffic while allowing legitimate user traffic? A. Modify the Cisco ISE authorization policy to deny this access to the user. B. Modify the Cisco ISE to send only legitimate usernames to the Cisco FTD. C. Add the unknown user in the Access Control Policy in Cisco FTD. D. Add the unknown user in the Malware & File Policy in Cisco FTD.

Within an organization's high availability environment where both firewalls are passing traffic, traffic must be segmented based on which department it is destined for. Each department is situated on a different LAN. What must be configured to meet these requirements? A. redundant interfaces B. span EtherChannel clustering C. high availability active/standby firewalls. D. multi-instance firewalls

An engineer is configuring a Cisco IPS to protect the network and wants to test a policy before deploying it. A copy of each incoming packet needs to be monitored while traffic flow remains constant. Which IPS mode should be implemented to meet these requirements? A. routed B. passive C. transparent D. inline tap

A network security engineer must replace a faulty Cisco FTD device in a high availability pair. Which action must be taken while replacing the faulty unit? A. Ensure that the faulty Cisco FTD device remains registered to the Cisco FMC. B. Shut down the active Cisco FTD device before powering up the replacement unit. C. Shut down the Cisco FMC before powering up the replacement unit. D. Unregister the fault Cisco FTD device from the Cisco FMC.

An administrator is optimizing the Cisco FTD rules to improve network performance, and wants to bypass inspection for certain traffic types to reduce the load on the Cisco FTD. Which policy must be configured to accomplish this goal? A. Intrustion B. prefilter C. URL Filtering D. Identity

A company is in the process of deploying intrusion prevention with Cisco FTDs managed by a Cisco FMC. An engineer must configure policies to detect potential intrusions but not block the suspicious traffic. Which action accomplishes this task? A. Configure IPS mode when creating or editing a policy rule under the Cisco FMC intrusion tab in Access policies section by checking the 'Drop when Inline' option. B. Configure IPS mode when creating or editing a policy rule under the Cisco FMC intrusion tab in Access Policies section by unchecking the 'Drop when Inline' option. C. Configure IDS mode when creating or editing a policy rule under the Cisco FMC intrusion tab in Access Policies section by checking the 'Drop when Inline' option. D. Configure IDS mode when creating or editing a policy rule under the Cisco FMC intrusion tab in Access Policies section by unchecking the 'Drop when Inline' option.

An engineer is using the CONFIGURE MANAGER ADD CISCO12345 command to add a new Cisco FTD device to the FMC; however the device is not being added. Why? A. DONOTRESOLVE must be added to the command. B. The IP address used should be that of the Cisco FTD, not the FMC. C. The registartion key is missing from the command. D. The NAT ID is required since the Cisco FMC is behind a NAT device.

An engineer is configuring Cisco FMC and wants to allow multiple physical interfaces to be part of the same VLAN. The managed devices must be able to perform Layer 2 switching between interfaces, including sub-interfaces. What must be configured to meet these requirements? A. inter-chassis clustering VLAN B. Cisco ISE Security Group Tag C. Interface-based VLAN switching. D. integrated routing and bridging.

An organization does not want to use the default Cisco Firepower block page when blocking HTTP traffic. The organization wants to include information about its policies and procedures to help educate the users whenever a block occurs. Which two steps must be taken to meet these requirements? (Choose two) A. Edit the HTTP request handling in the access control policy to customized block. B. Modify the system-provided block page result using Python. C. Create HTML code with the information for the policies and procedures. D. Change the HTTP response in the access control policy to custom. E .Write CSS code with the information for the policies and procedures.

A company has many Cisco FTD devices managed by a Cisco FMC. The security model requires that access control rule logs be collected for analysis. The security engineer is concerned that the Cisco FMC will not be able to process the volume of logging that will be generated. Which configuration addresses concern this? A. Send Cisco FTD connection events directly to a SIEM system and forward security events from Cisco FMC to the SIEM system for storage and analysis. B. Send Cisco FTD connection events and security events directly to SIEM system for storage and analysis. C. Send Cisco FTD connection events and security events to a cluster of Cisco FMC devices for storage and analysis. D. Send Cisco FTD connection events and security events to Cisco FMC and configure it to forward logs to SIEM for storage and analysis.

An administrator must use Cisco FMC to install a backup route within the Cisco FTD to route traffic in case of a routing failure with primary route. Which action accomplishes this task? A. Install the static backup route and modify the metric to be less than the primary route. B. Use a default route in the FMC instead of having multiple routes contending for priority. C. Configure EIGRP routing on the FMC to ensure that dynamic routes are always updated. D. Create the backup route and use route tracking on both routes to a destination IP address in the network.

A network security engineer must export packet captures from the Cisco FMC web browser while troubleshooting an issue. When navigating to the address https:///capture/CAP/pcap/test.pcap, an error 403: Forbidden is given instead of the PCAP file. Which action must the engineer take to resolve this issue? A. Disable the proxy setting on the browser. B. Disable the HTTPS server and use HTTP instead C. Use the Cisco FTD IP address as the proxy server setting on the browser. D. Enable the HTTPS server for the device platform policy.

An analyst is investigating a potentially compromised endpoint within the network and pulls a host report for the endpoint in question to collect metrics and documentation. What information should be taken from this report for the investigation? A. Client applications by user, web applications, and user connections. B. Number of attacked machines, sources of the attack, and traffic patterns. C. threat detections over time and application protocols transferring malware. D. intrusion events, host connections, and user sessions.

An engineer must investigate a connectivity issue and decides to use the packet capture feature on Cisco FTD. The goal is to see the real packet going through the Cisco FTD device and see SNORT detection actions as a part of the output. After the 'capture-traffic' command is issued, only the packets are displayed. Which action resolves this issue? A. Specify the trace using the '-T' option after the 'capture-traffic' command. B. Perform the trace within the Cisco FMC GUI instead of the Cisco FMC CLI. C. Use the 'verbose' option as a part of the 'capture-traffic' command. D. Use the 'capture' command and specify the 'trace' option to get the required information.

An analyst using the security analyst account permissions is trying to view the Correlations Events Widget but is not able to access it. However, other dashboards are accessible. Why is this occuring? A. The widget is configured to display only when active events are present. B. The security analyst role does not have permission to view this widget. C. An API restriction within the Cisco FMC is preventing the widget from displaying. D The Widget is not configured within the Cisco FMC.

An engineer is troubleshooting connectivity to the DNS servers from hosts behind a new Cisco FTD device. The hosts cannot send DNS queries to servers in the DMZ. Which action should the engineer take the troubleshoot this issue using the real DNS packets? A. Use the packet capture tool to check where the traffic is being blocked and adjust the access control or intrusion policy as needed. B. Use the Connection Events dashboard to check the block reason and adjust the inspection policy as needed. C. Use the packet tracer tool to determine at which hop the packet is being dropped. D. Use the 'show blocks' command in the Threat Defense CLI tool and create a policy to allow the blocked traffic.

An engineer must configure a Cisco FMC dashboard in a child domain. Which action must be taken so that the dashboard is visible to the parent domain? A. Adjust policy inheritance settings. B. Add a separate widget C. Create a copy of the dashboard D. Add a separate tab

An engineer integrates Cisco FMC and Cisco ISE using pxGrid. Which role is assigned for Cisco FMC? A. server B. controller C. publisher D. client

A company wants a solution to aggregate the capacity of two Cisco FTD devices to make the best use of resources such as bandwidth and connections per second. Which order of steps must be taken across the Cisco FTDs with Cisco FMC to meet this requirement? A. Add members to the Cisco FMC, configure Cisco FTD interfaces, create the cluster in Cisco FMC, and configure cluster members in the Cisco FMC. B. Add members to Cisco FMC, configure Cisco FTD interfaces in Cisco FMC, configure cluster member in Cisco FMC, create cluster in Cisco FMC, and configure cluster memebers in CIsco FMC. C. Configure the Cisco FTD interfaces, add members to FMC, configure cluster members in the FMC, and create cluster in the Cisco FMC. D. Configure the Cisco FTD interfaces and cluster members, add members to Cisco FMC, and create the cluster in Cisco FMC.

The administrator notices that there is malware present with an .exe extension and needs to verify if any of the systems on the network are running the executable file. What must be configured within Cisco AMP for Endpoints to show this data? A. vulnerable software B. file analysis C. threat root cause D. prevalence

An engineer must define a URL object on Cisco FMC. What is the correct method to specify the URL without performing SSL inspection? A. Use Subject Common Name value. B. Specify all subdomains in the object group. C. Specify the protocol in the object. D. Include all URLs from CRL Distribution Points.

An analyst is reviewing the Cisco FMC reports for the week. They notice that some peer-to-peer applications are being used on the network and they must identify which poses the greatest risk to the environment. Which report gives the analyst this information? A. Attacks Risk Report B. User Risk Report C. Network Risk Report D. Advanced Malware Risk Report

An administrator is adding a new URL-based category feed to the Cisco FMC for use within the policies. The intelligence source does not use STIX, but instead uses a .txt file format. Which action ensures that regular updates are provided? A. Add a URL source and select the flat file type within Cisco FMC. B. Upload the .txt file and configure automatic updates using the embedded URL. C. Add a TAXII feed source and input the URL for the feed. D. Convert the .txt file to STIX and upload it to the Cisco FMC.

A network administrator reviews the file report for the last month and notices that all file types, except .exe show a disposition of unknown. What is the cause of this issue? A. The malware license has not been applied to the Cisco FTD. B. The Cisco FMC cannot reach the internet to analyze files. C. A file policy has not been applied to the access policy. D. Only Spero file analysis is enabled.

Which firewall design allows a firewall to forward traffic at Layer 2 and Layer 3 for the same subnet? A. Cisco Firepower Threat Defense Mode B. Transparent Mode C. Routed mode D. Integrated routing and bridging.

An engineer is reviewing a ticket that requests to allow traffic for some devices that must connect to a server over 8699/UDP. The request mentions only one IP address, 172.16.18.15, but the requestor asked for the engineer to open the port for all machines that have been trying to connect to it over the last week. Which action must the engineer take the troubleshoot this issue? A. Use the context explorer to see the application blocks by protocol. B. Use the context explorer to see the destination port blocks. C. Filter the connection events by the source port 8699/UDP. D. Filter the connection events by the destination port 8699/UDP

A security engineer is configuring a remote Cisco FTD that has limited resources and internet bandwidth. Which malware action and protection option should be configured to reduce the requirement for cloud lookups? A. Malware cloud lookup and dynamic analysis. B. Black Malware action and dynamic analysis. C. Block Malware action and local malware analysis. D. Block file action and local malware analysis.

An administrator receives reports that users cannot access a cloud-hosted web server. The access control policy was recently updated with several new policy additions and URL filtering. What must be done to troubleshoot the issue and restore access without sacrificing the organization's security posture? A Create a new access control policy rule to allow ports 80 and 443 to the FQDN of the web server. B. Identify the blocked traffic in the Cisco FMC connection events to validate the block, and modify the policy to allow the traffic to the web server. C. Verify the blocks using the packet capture tool and create a rule with the action monitor for the traffic. D. Download a PCAP of the traffic attempts to verify the clocks and use the flexconfig objects to create a rule that allows only the required traffic to the destination server.

[Refer to the exhibit] An engineer is modifying an access control policy to add a rule to inspect all DNS traffic that passes through the firewall. After making the change and deploying the policy, they see that DNS traffic is not being inspected by the SNORT engine. What is the problem? A The rule must specify the security zone that originates the traffic. B. The rule is configured with the wrong setting for the source port. C. The rule must define the source network for inspection as well as the port. D. The action of the rule is set to trust instead of allow.

A Cisco FTD has two physical interfaces assigned to a BVI. Each interface is connected to a different VLAN on the same switch. Which Firewall mode is the Cisco FTD set up to support? A. active/active failover B. transparent C. routed D. high availability clustering.

While integrating Cisco Umbrella with Cisco Threat Response, a network security engineer wants to automatically push blocking of domains from the Cisco Threat Response interface to Cisco Umbrella. Which API meets this requirement? A. Investigate B. reporting C. enforcement D. REST

An engineer wants to connect a single IP subnet through a Cisco FTD firewall and enforce policy. There is a requirement to present the internal IP subnet to the outside as a different IP address. What must be configured to meet these requirements? A. Configure the downstream router to perform NAT. B. Configure the upstream router to perform NAT. C. Configure the Cisco FTD firewall in routed mode with NAT enabled. D. Configure the Cisco FTD firewall in transparent mode with NAT enabled.

Upon detecting a flagrant threat on an endpoint, which two technologies instruct Cisco Identity Services Engine to contain the infected endpoint either manually or automatically? (Choose Two) A. Cisco ASA 5500 Series B. Cisco FMC C. Cisco AMP D. Cisco Stealthwatch E. Cisco ASR 7200 Series

An organization is migrating their Cisco ASA devices running in multicontext mode to Cisco FTD devices. Which action must be taken to ensure that each context on the Cisco ASA is logically separated in the Cisco FTD devices? A. Add a native instance to distribute traffic to each Cisco FTD context. B. Add the Cisco FTD device to the Cisco ASA port channels. C. Configure a container instance in the Cisco FTD for each context in the Cisco ASA. D. Configure the Cisco FTD to use port channels spanning multiple networks.

A network administrator configured a NAT policy that translate a public IP address to an internal web server IP address. An access policy has also been created that allows any source to reach the public IP address on port 80. The web server is still not reachable from the internet on port 80. Which configuration change is needed? A. The intrusions policy must be disabled for port 80. B. The access policy rule must be configured for the action trust. C. The NAT policy must be modified to translate the source IP address as well as destination IP address. D. The access policy must allow traffic to the internal web server IP address.

An engineer must configure a Cisco FMC dashboard in a child domain. Which action must be taken so that the dashboard is visible to the parent domain? A. Add a separate tab. B. Adjust policy inheritance settings. C. Add a separate widget. D. Create a copy of the dashboard.

An engineer runs the command restore remote-manager-backup location 2.2.2.2 admin/volume/home/admin FTD 432103210.zip on a Cisco FMC. After connecting to the repository, the Cisco FTD device is unable to accept the backup file. What is the reason for this failure? A. The backup file is not in .cfg format. B. The wrong IP address is used. C. The backup file extension was changed from .tar to .zip D. The directory location is incorrect.

A security engineer found a suspicious file from an employee email address and is trying to upload it for analysis, however the upload is failing. The last registration status is still active. What is the cause for this issue? A. Cisco AMP for Networks is unable to contact Cisco Threat Grid on premise. B. Cisco AMP for Networks is unable to contact Cisco Threat Grid Cloud. C. There is a host limit set. D. The user agent status is set to monitor.

An engineer is configuring Cisco FMC and wants to limit the time allowed for processing packets through the interface. However if the time is exceeded the configuration must allow packets to bypass detection. What must be configured on the Cisco FMC to accomplish this task? A. Fast-Path Rules Bypass B. Cisco ISE Security Group Tag C. Inspect Local Traffic Bypass D. Automatic Application Bypass

An engineer is working on a LAN switch and has noticed that its network connection to the mime Cisco IPS has gone down. Upon troubleshooting it is determined that the switch is working as expected. What must have been implemented for this failure to occur? A. The upstream router has a misconfigured routing protocol. B. Link-state propagation is enabled. C. The Cisco IPS has been configured to be in fail-open mode. D. The Cisco IPS is configured in detection mode

Refer to the exhibit. An engineer is modifying an access control policy to add a rule to inspect all DNS traffic that passes through the firewall. After making the change and deploying the policy, they see that DNS traffic is not being inspected by the SNORT engine. What is the problem? A. The rule must specify the security zone that originates the traffic. B. The rule must define the source network for inspection as well as the port. C. The action of the rule is set to trust instead of allow. D. The rule is configured with the wrong setting for the source port.

What is the role of the casebook feature in Cisco Threat Response? A. sharing threat analysts. B. pulling data via the browser extension C. triage automation with altering. D. Alert prioritization

A network engineer sets up a secondary Cisco FMC that is integrated with Cisco Security Packet Analyzer. What occurs when the secondary Cisco FMC synchronizes with the primary Cisco FMC? A. The existing integration configuration is replicated to the primary Cisco FMC. B. The existing configuration for integration of the secondary Cisco FMC the Cisco Security Packet Analyzer is overwritten. C. The synchronization between the primary and secondary Cisco FMC fails. D. The secondary CIsco FMC must be reintegrated with the Cisco Security Packet Analyzer after the synchronization.

An engineer wants to change an existing transparent Cisco FTD to routed mode. The device controls traffic between two network segments. Which action is mandatory to allow hosts to reestablish communication between these two segments after the change? A. Remove the existing dynamic routing protocol settings. B. Configure multiple BVIs to route between segments. C. Assign unique VLAN IDs to each firewall interface. D. Implement non-overlapping IP subnet on each segment.

An engineer installs a Cisco FTD device and wants to inspect traffic within the same subnet passing through a firewall and inspect traffic destined to the internet. Which configuration will meet this requirement? A. Transparent firewall mode with IRB only. B. Routed firewall mode with BVI and routed interfaces. C. Transparent firewall mode with multiple BVIs. D. Routed firewall mode with routed interfaces only.

A network administrator is deploying a Cisco IPS appliance and needs it to operate initially without affecting traffic flows. It must also collect data to provide a baseline of unwanted traffic before being reconfigured to drop it. Which Cisco IPS mode meets these requirements? A. failsafe B. inline tap C. promiscuous D. bypass

A network administrator is implementing an active/passive high availability Cisco FTD pair. When adding the high availability pair, the administrator cannot select the secondary peer. What is the cause? A. The second Cisco FTD is not the same model as the primary Cisco FTD. B. An high availability license must be added to the Cisco FMC before adding the high availability pair. C. The failover link must be defined on each Cisco FTD before adding the high availability pair. D. Both Cisco FTD devices are not at the same software version.

An administrator is configuring their transparent Cisco FTD device to receive ERSPAN traffic from multiple switches on a passive port, but the Cisco FTD is not processing the traffic. What is the problem? A. The switches do not have Layer 3 connectivity to the FTD device for GRE traffic transmission. B. The switches were not set up with a monitor session ID that matches the flow ID defined on the Cisco FTD. C. The Cisco FTD must be in routed mode to process ERSPAN traffic. D. The Cisco FTD must be configured with an ERSPAN port not a passive port.

What is an advantage of adding multiple inline interface pairs to the same inline interface set when deploying an asynchronous routing configuration? A. Allows the IPS to identify inbound and outbound traffic as part of the same traffic flow. B. The interfaces disable auto-negotiation and interface speed is hard coded set to 1000 Mbps. C. Allows traffic inspection to continue without interruption during the SNORT process restart. D. The interfaces are automatically configured as a media-independent interface crossover.

A network administrator cannot select the link to be used for failover when configuring an active/passive HA Cisco FTD pair. Which configuration must be changed before setting up the high availability pair? A. An IP address in the same subnet must be added to each Cisco FTD on the interface. B. The interface name must be removed from the interface on each Cisco FTD. C. The name failover must be configured manually on the interface on each Cisco FTD. D. The interface must be configured as part of a LACP Active/Active EhterChannel.

An organization recently implemented a transparent Cisco FTD in their network. They must ensure that the device does not respond to insecure SSL/TLS protocols. Which action accomplishes this task? A. Modify the device's settings using the device management feature within Cisco FMC to force only secure protocols. B. Use the Cisco FTD platform policy to change the minimum SSL version on the device to TLS1.2 C. Enable the UCAPL/CC compliance on the device to support only the most secure protocols available. D. Configure a FlexConfig object to disable any insecure TLS protocols on the Cisco FTD device.

A network administrator is migrating from a Cisco ASA to a Cisco FTD. EIGRP is configured on the Cisco ASA but it is not available in the Cisco FMC. Which action must the administrator take to enable this feature on the Cisco FTD? A. Configure EIGRP parameters using FlexConfig objects. B. Add the command 'feature eigrp' via the FTD CLI. C. Create a custom variable set and enable the feature in the variable set. D. Enable advanced configuration options in the FMC.

The CIO asks a network administrator to present to management a dashbaord that shows custom analysis tables for the top DNS queries URL category statistics, and the URL reputation statistics. Which action must the administrator take to quickly produce this information for management? A. Run the attack report and filter on DNS to show this information. B. Create a new dashboard and add three custom analysis widgets that specify the tabels needed. C. Modify the Connection Events dashboard to display the information in a view for management. D. Copy the intrusion events dashboard tab and modify each widget to show the correct charts.

Which Cisco FMC report gives the analyst informatioon about the ports and protocols that are related to the configured sensitive network for analysis? A. Malware Report B. Host Report C. Firepower Report D. Network Report

An engineer is investigating connectivity problems on Cisco Firepower for a specific SGT. Which command allows the engineer to capture real packets that pass through the firewall using an SGT of 64? A. capture CAP type inline-tag 64 match ip any any B capture CAP match 64 type inline-tag ip any any C. capture CAP headers-only type inline-type 64 match ip any any D. capture CAP buffer 64 match ip any any

A company is in the process of deploying intrusion protection with Cisco FTDs managed by a Cisco FMC. Which action must be selected to enable fewer rules detect only critical conditions and avoid false positives? A. Connectivity over security B. Balanced Security and Connectivity C. Maximum Detection D. No Rules Above

An engineer wants to add an additional Cisco FTD version 6.2.3 device to their current 6.2.3 deployment to create a high availability pair. The currently deployed Cisco FTD device is using local management and identical hardware including the available port density to enable the failover and stateful link required in a proper high availablility deployment. Which action ensures that the environment is ready to pair the new Cisco FTD with the old one? A. Change from CIsco FDM management to Cisco FMC management on both devices and register them to FMC. B. Ensure that the two devices are assigned IP addresses from the 169.254.0.0/16 range for failover interfaces. C. Factory reset the current Cisco FTD so that it can synchronize configurations with the new Cisco FTD device. D. Ensure that the configured DNS servers match on the two devices for name resolution.

Refer to the exhibit. What is the effect of the existing Cisco FMC configuration? A. The remote management port for communication between the Cisco FMC and the managed device changes to port 8443. B. The managed device is deleted from the Cisco FMC. C. The SSL-encrypted communication channel between the Cisco FMC and the managed device becomes plain-text communication channel. D. The management connection between the Cisco FMC and the Cisco FTD is disabled.

An administrator is setting up a CIsco FMC and must provide expert mode access for a security engineer. The engineer is permitted to use only a secured out-of-band network workstation with a static IP address to access the Cisco FMC. What must be configured to enable this access? A. Enable SSH and define an acccess list. B. Enable HTTP and define an access list. C. Enable SCP under the Access List section. D. Enable HTTPS and SNMP under the Access List Section.

An engineer must add DNS-specific rules to the Cisco FTD intrusion policy. The engineer wants to use the rules currently in the Cisco FTD Snort database that are not already enabled but does not want to enable more than are needed. Which action meets these requirements? A. Change the dynamic state of the rule within the policy. B. Change the base policy to Security over Connectivity. C. Change the rule state within the policy being used. D. Change the rules using the Generate and Use Recommendations feature.

A network administrator is trying to convert from LDAP to LDAPS for VPN user authentication on a Cisco FTD. Which action must be taken on the Cisco FTD objects to accomplish this task? A. Add a key Chain object to acquire the LDAPS certificate. B. Create a certificate enrollment object to get the LDAPS certificate needed. C. Identify the LDAPS cipher suite and use a Cipher Suite List object to define the Cisco FTD connection requirements. D. Modify the Policy List Object to define the session requirements for LDAPS.

What is RTC workflow when the infected endpoint is identified? A. CIsco ISE instructs Cisco AMP to contain the infected endpoint. B. Cisco ISE instructs Cisco FMC to contain the infected endpoint. C. Cisco AMP instructs Cisco FMC to contain the infected endpoint. D. Cisco FMC instucts Cisco ISE to contain the infected endpoint.

Which feature is supported by IRB on Cisco FTD devices? A. redundant interface. B. Dynamic routing protocol C. EhterChannel interface. D. high-availability cluster.

A security engineer is deploying a pair of primary and secondary Cisco FMC devices. The secondary must also receive updates from Cisco Talos. Which action achieves this goal? A. Force failover for the secondary Cisco FMC so synchronize the rule updates from the primary. B. Configure the secondary Cisco FMC so that it receives updates from Cisco Talos. C. Manually import rule updates onto the secondary Cisco FMC device. D. Configure the primary Cisco FMC so that the rules are updated.

Refer to exhibit. A systems administrator conducts a connectivity test to their SCCM server from a host machine and gets no response from the server. Which action ensures that the ping packets reach the destination and that the host receives replies? A. Create an access control policy rule that allows ICMP traffic. B. Configure a custom SNORT signature to allow ICMP traffic after inspection. C. Modify the Snort rules to allow ICMP traffic. D. Create an ICMP allow list and add the ICMP destination to remove it from the implicit deny list.

A security engineer must configure a Cisco FTD appliance to inspect traffic coming from the internet. The internet traffic will be mirrored from the Cisco Catalyst 9300 Switch. Which configuration accomplishes the task? A. Set interface configuration mode to none. B. Set the firewall mode to transparent. C. Set the firewall mode to routed. D. Set interface configuration mode to passive.

The network administrator wants to enhance the network security posture to enabling machine learning for malware detection due to a concern with suspicious Microsoft executable file types that were seen while creating monthly security reports for the CIO. Which feature must be enabled to accomplish this goal? A. Spero B. dynamic analysis C. static analysis D. Ethos

A network administrator is configuring a Cisco AMP public cloud instance and wants to capture infections and polymorphic variants of a threat to help detect families of malware. Which detection engine meets this requirement? A. RBAC B. Tetra C. Ehtos D. Spero

A network engineer must provide redundancy between two Cisco FTD devices. The redundancy configuration must include automatic configuration, translation, and connection updates. After the initial configuration of the two appliances, which two steps must be taken to proceed with the redundancy configuration (Choose Two) A. Configure the virtual MAC address on the failover link. B. Disable hellos on the inside interface. C. Configure the standby IP addresses. D. Ensure the high availability license is enabled. E. Configure the failover link with stateful properties.

A network administrator is configuring an FTD in transparent mode. A bridge group is set up and an access policy has been set up to allow all IP traffic. Traffic is not passing through the FTD. What additional configuration is needed? A. The security levels of the interfaces must be set. B. A default route must be added to the FTD. C. An IP address must be assigned to the BVI. D. A mac-access control list must be added to allow all MAC addresses.

A network administrator registered a new FTD to an existing FMC. The administrator cannot place the FTD in transparent mode. Which action enables transparent mode? A. Add a bridge group interface to the FTD before transparent mode is configured. B. Deregister the FTD device from FMC and configure transparent mode via the CLI. C. Obtain an FTD model that supports transparent mode. D. Assign an IP address to two physical interfaces.

A security engineer must deploy a Cisco FTD appliance as a bump in the wire to detect intrusion events without disrupting the flow of network traffic. Which two features must be configured to accomplish the task? (Choose two) A. inline set pair. B. transparent mode C. tap mode D. passive interfaces E. bridged mode

Due to an increase in malicious events, a security engineer must generate a threat report to include intrusion events, malware events, and security intelligence events. How is this information collected in a single report? A. Run the default Firepower report. B. Export the Attacks Risk report. C. Generate a malware report. D. Create a custom report.

An engineer attempts to pull the configuration for a Cisco FTD sensor to review the Cisco TAC but does not have direct access to the CY for the device. The CLI for the device is managed by Cisco FMC to which the engineer has access. Which action in Cisco FMC grants access to the CLI for the device? A. Export the configuration using the Import/Export tool within the Cisco FMC. B. Create a backup of the configuration within the Cisco FMC. C. Use the show all command in the Cisco FTD CLI feature within Cisco FMC. D. Download the configuration file within the File Download section of Cisco FMC.

An administrator is attempting to add a new FTD device to their FMC behind a NAT device with a NAT ID of NAT001 and a password of CISCO12345. The private IP address of the FMC server is 192.168.45.45, which is being translated to the public IP address of 209.165.200.122/27. Which command set must be used in order to accomplish this task? A. configure manager add 209.165.200.223 B. configure manager add 192.168.45 C. configure manager add 209.165.200.255 255.255.255.225 D configure manager add 109.165.200.225

A security analyst must create a new report within Cisco FMC to show an overview of the daily attacks, vulnerabilities, and connections. The analyst wants to reuse specific dashboards from other reports to create the consolidated one. Which action accomplishes this task? A. Create a new dashboard object via Object Management to represent the desired views. B. Modify the Custom Workflows within the Cisco FMC to feed the desired data into the new report. C. Copy the Malware Report and modify the sections to pull components from other reports. D. Use the import feature in the newly created report to select which dashboards to add.

A network administrator has converted a Cisco FTD from using LDAP to LDAPS for VPN authentication. The Cisco FMC can conect to the LDAPS server, but the Cisco FTD is not connecting. Which configuration must be enabled on the Cisco FTD? A. SSL must be set to a use TLSv1.2 or lower. B. The LDAPS must be allowed through the access control policy. C. DNS servers must be defined for name resolution. D. The RADIUS server must be defined.

Which description of a passive interface on a Cisco Firepower NGFW is true? A. Receives traffic that is specified on an NGIPS. B. Inacccessible when disable C. Effected by firewall mode. D. Retransmits received traffic.

An engineer is deploying AMP for the fire time and cannot afford any interrupted to network traffic. Which policy types does NOT distrupt the network? A. Protect B. Server C. Audit D. Triage

Which Cisco deployment architecture support Clustering? (Choose 2) A. Cisco FIrepower Managment Center B. Cisco ASAv C. Cisco Firepower Appliance (NGIPS) D. Cisco ASA with Firepower Services.

An engineer is deploying the Cisco Firepower NGIPs for VMware. Which two aspects are unsupported during this deployment? (Choose Two) A. vCenter B. restoring a backup. C. vCloud Director D. vMware tool E. Cloning a virutal machine.

What is a purpose of the network analysis policy on a Cisco Firepower NGIPS? A. If defines the rules for encrypting traffic. B. It governs how traffic is preproscessed before inspection. C. It examines packets for attacks by using intrusion rules. D. It specifies the outer-header criteria used to process traffic without using advanced inspection.

Which two descriptions of a Cisco Firepower NGIPS deployment that uses an Inline Pair interface in tap mode are ture? (Choose Two) A. All the Cisco ASA engine features are available. B. Wore than two interfaces can be bridged. C. Transit traffic can be dropped. D. The deployment is available in transparent mode only. E. Two physical interfaces are bridged internally.

Which option is the main function of Cisco Firepower impact flags? A. They alert administrators when critical events occur. B. They highlight known and suspected malicious IP addresses in reports. C. They correlate data about intrusions and vulnerability. D. They identify data that the ASA sends to the Firepower module.

Refer the exhibit. Which two descriptions of the configurations of the Cisco Firepower Services module are true? (Choose two) A. The module is operating in IPS mode. B. Traffic is blocked if the module fails. C. The module is operating in IDS mode. D. Traffic continues to flow if the module failes. E. The module fails to receive redirected traffic

On Cisco Firepower Management Center, which policy is used to collect health modules alerts from manage devices? A. health policy B. system policy C. correlation policy D. access control policy E. health awareness policy

Which CLI command is used to register a Cisco Firepower sensor to Firepower Management Center? A. configure system add < key> B. configure manager add host C. configure manager delete D. configure manager add

Which two tasks can the network discovery feature perform? (Choose two) A. host discovery B. block taffic. C. user discovery D. reset connection E. route traffic

Which description of the file trajectory feature in Cisco AMP is true? A. Tracks information about policy updates that affect each file on a network. B. Excludes information about file transmissions across the network. C. Blocks the malware detected in a file sent across the network. D. Display information about the actions performed on each file on a network.

Which access control policy action must be selected to inspect traffic for malware using Cisco AMP for Networks? A. monitor B. inspect C. trust D. allow

Which Cisco AMP for Endpoints, what is meant by simple custom detection? A. It is a rule for identifying a file that should be whitelisted by Cisco AMP. B. It is a method for identifying and quaranting a specific file by its SHA-256 hash. C. It is a feature of configuring a personal firewall. D. It is a method for identifying and quarantining a set of files by regular expression language.

With Cisco AMP for Endpionts, which option shows a list of all files that have been executed in your environment? A. vulnerable software. B. file analysis C. detections D. prevalence E. threat root cause.

When using Cisco Threat Response, which phase of the Intelligence Cycle publishes the results of the investigation? A. direction B. dissemination C. processing D. analysis

A security engineer must integrate an external feed containing STIX/TAXII data with Cisco FMC. Which feature must be enabled on the Cisco FMC to support this connection? A. Cisco Success Network. B. Cisco Secure Endpoint Integration C. Threat Intelligence Director D. Security Intelligence Feeds

A network administrator wants to block traffic to a known malware sit at https://www.badsite.com and all subdomains while ensuring no packets from any internal client are sent to that site. Which type of policy must the network administrator use to accomplish this goal? A. Prefilter Policy B. SSL policy C. DNS policy D. Access Control policy with URL filtering

An organization is configuring a new Cisco Firepower High Availability deployment. Which action must be taken to ensure that failover is as seamless as possible to end users? A. Set up a virtual failover MAC address between chassis. B. Use a dedicated stateful link between chassis. C. Load the same software version on both chassis. D. Set the same FQDN for both chassis.

An engineer must deploy a Cisco FTD appliance via Cisco FMC to span a network segment to detect malware and threats. When setting the Cisco FTD interface mode, which sequence of actions meets this requirement? A, Set to passive, and configure an access control policy with an intrusion policy and a file policy defined. B. Set to passive, and configure an access control policy with a prefilter policy defined. C. Set to none, and configure an access control policy with a prefilter policy defined. D. Set to non, and configure an access control policy with an intrusion policy and a file policy defined.

Refer to the exhibit: An engineer is analyzing a Network Risk Report from Cisco FMC. Which application must the engineer take immediate action against to prevent unauthorized network use? A. Kerberos B. YouTube C. Chrome D. TOR

An Engineer wants to perform a packet capture on the Cisco FTD to confirm that the host using IP address 192.168.100.100 has the MAC address of 004277341103 to help troublehsooting a connectivity issue. What is the correct tcpdump command syntax to ensure that the MAC address appears in the packet capture output? A. -nm src 19.168.100.100 B. -ne src 192.168.100.100 C. -w capture pcap -s 1518 host mac D. -w capture pcap -s 1518 host ether

An administrator is adding a QoS Policy to a Cisco FTD deployment. When a new rule is added to the policy and QoS is applied on 'Interfaces in Destination Interface Objects, no interface object are available. What is the problem? A. The FTD is out of available resources for use so QoS cannot be added. B. The network segments that the interfaces are on do not have continuous IP space. C. QoS is available only on routed interfaces ,and this device is in transparent mode. D. A conflict exists between the destination interface types that is preventing QoS from being added.

A Cisco FMC administrator wants to configure fastpathing of trust network traffic to increase performance. In which type of policy would the administrator configure this feature? A. Identity Policy B. Prefilter Policy C. Network Analysis POlicy D. Intrusion POlicy

A network administrator is troubleshooting access to a website hosted behind a Cisco FTD device. External clients cannot access the web server via HTTPS. The IP address configured on the web server is 192.168.7.46. The administrator is running the command capture CAP interface outside match ip any 192.168.7346.255.255.255.255 but cannot see any traffic in the capture. Why is that occuring? A. The capture must use the public IP address of the web server. B. The FTD has no route to the web server. C. The access policy is blocking the traffic. D. The packet capture shows only blocked traffic.

Remote users who connect via Cisco AnyConnect to the corporate network behind a Cisco FTD device report that they get no audio when calling between remote users using their softphones. These same users can call internal users on the corporate network without any issues. What is the cause of this issue? A. The hairpinning feature is not availabile on FTD B. Split tunneling is enabled. C. FTD has no NAT policy D. The Endable Spoke to spoke is not selected.

An engineer must configure the firewall to monitor traffic within a single subnet without increasing the hop count of that traffic. How would the engineer achieve this? A. Configure Cisco Firepower as a transparent firewall. B. Set up Cisco Firepower as managed by Cisco FDM. C. Configure Cisco Firepower in FXOS monitor only mode. D. Set up Cisco Firepower in intrusion prevention mode.

Which action must be taken on the Cisco FMC when a packet bypass is configured in case the Snort engine is down or a packet takes too long to process? A. Enable Inspect Local Router Traffic. B. Enable Automatic Application Bypass. C. Configure Fastpath rules to bypass inspection. D. Add a Bypass Threashold policy for failures.

An engineer is configuring multiple Cisco FTD appliances (or use int he network). Which rule must the engineer follow while defining interface objects in Cisco FMC or use with interfaces across multiple devices? A. An interface cannot belong to a security zone and an interface group. B. Interface groups can contain multiple interface types. C. Interface groups can contain interfaces from many devices. D. Two security zones can contain the same interface.

An engineer is creating an URL object on Cisco FMC. How must it be configured so that the object will match for HTTPS traffic in an access control policy? A. Specify the protocol to match (HTTP or HTTPS) B. Use the FQDN including the subdomain for the webiste. C. Define the path to the individual webpage that uses HTTPS. D. Use the subject common name from the website certificate.

An engineer must configure a Cisco FMC dashboard in a multidomain deployment. Which action must the engineer take to edit a report template from an ancestor domain? A. Add it as a separate widget. B. Copy it to the current domain. C. Assign themselves ownership of it. D. Change the document attributes.

What must be implemented on Cisco Firepower to allow multiple logical devices on a single physical device to have access to external hosts? A. Add at least two container instances from the same module. B. Set up a cluster control link between all logical devices. C. Add one shared management interface on all logical devices. D. Define VLAN subinterfaces for each logical device.

An administrator is configuring a transparent Cisco FTD device to receive ESRPAN traffic from multiple switches on a passive port but the FTD is not processing the traffic. What is the problem? A. The switches do not have L3 connectivity to the FTD device for GRE traffic transmission. B. The FTD must be configured with an ERSPAN port, not a passive port. C. The FTD must be in routed mode to process ERSPAN traffic. D. The switches were not set up with a monitor session ID

A company is deploying intrusion protection on multiple Cisco FTD appliances managed by Cisco FMC. Which system-provided policy must be selected if speed and detection are priorities. A Connectivity over security B. Security over connectivity C. Maximum Detection D. Balanced Security and Connectivity

An organization is implementing Cisco FTD using transparent mode in the network. Which rule in the default Access Control Policy ensures that this deployment does not create a loop in the network? A. ARP inspection is enabled by default. B. Multicast and braodcast packets are denied by default. C. STP BDPU packets are allowed by default. D. ARP packets are allowed by default.

An organization is installing a new Cisco FTD appliance in the network. An engineer is tasked with configuring access between two network segments within the same IP subnet. Which step is needed to accomplish this task? A. Assign an IP address to the Bridge Virtual Interface. B. Permit BPDU packets to prevent loops. C. Specify a name for the bridge group. D. Add a separate bridge group for each segment.

When a Cisco FTD device is configured in transparent firewall mode, on which two interface types can an IP address be configured? (Choose Two) A. Diagnostic B. EtherChannel C. BVI D. Physical E. Subinterface

An administrator needs to configure Cisco FMC to send a notification email when a data transfer larger than 10 MB is initiated from an internal host outside of standard business hours. Which Cisco FMC feature must be configured to accomplish this task? A. File and malware policy B> Application Detector C. intrusion policy D. correlation policy

A security engineer is adding three Cisco FTD devices to a Cisco FMC. Two of the devices have successfully registered to the Cisco FMC. The device that is unable to register is located behind a router that translates all outbound traffic to the router's WAN IP address. Which two steps are required for this device to register to the Cisco FMC? (Choose Two) A. Reconfigure the Cisco FMC to use the device's private IP address instead of the WAN address. B. Configure a NAT ID on both the Cisco FMC and the device. C. Add the port number being used for PAT on the router to the device's IP address in teh Cisco FMC. D. Reconfigure the Cisco FMC to use the device's hostname instead of IP address. E. Remove the IP address defined for the device in the Cisco FMC.

An engineer defines a new rule while configuring an Access Control Policy. After deploying the policy, the rule is not working as expected and the hit counters associated with the rule are showing zero. What is causing this error? A. Logging is not enabled for the rule. B. The rule was not enabled after being created. C. The wrong source interface for Snort was selected in the rule. D. An incorrect application signature was used in the rule.

A network administrator is configuring a site-to-site IPsec VPN to a router siting behind a Cisco FTD. The administrator has configured an access policy to allow traffic to this device on UDP 500, 4500 and ESP VPN traffic is not working. Which action resolves this issue? A. Set the allow action in the access policy to trust. B. Enable IPsec inspection on the access policy. C. Modify the NAT policy to use the interface PAT. D. Change the access policy to allow all ports.

An engineer is configuring two new Cisco FTD devices to replace the existing high availability firewall pair in a highly secure environment. The information exchanged between the FTD devices over the failover link must be encrypted. Which protocol supports this on the Cisco FTD? A. IPsec B. SSH C. SSL D. MACsec

An engineer is troubleshooting HTTP traffic to a web server using the packet capture tool on Cisco FMC. When reviewing the captures, the engineer noticies that there are a lot of packets that are not sourced from or destined to the web server being captured. How can the engineer reduce the strain of capturing packets for irrelevant traffic on the Cisco FTD device? A. Use the host filter in the packet capture to capture traffic to or from a specific host. B. Redirect the packet capture output to a pcap file that an be opened with Wireshark. C. Use the -c option to restrict the packet capture to only the first 100 packets. D. Use an access-list within the packet capture to permit only HTTP traffic to and from the web server.

A security engineer needs to configure a network discovery policy on a Cisco FMC appliance and prevent excessive network discovery events from overloading the FMC database. Which action must be taken to accomplish this task? A. Change the network discovery method to TCP/SYN B. Configure NetFlow exporters for monitored networks. C. Monitor only the default IPv4 and IPv6 network ranges. D. Exclude load balancers and NAT devices in the policy.

An engineer is setting up a remote access VPN on a Cisco FTD device and wants to define which traffic gets sent over the VPN tunnel. Which named object type in Cisco FMC must be used to accomplish this task? A. split tunnel B. Crypto map C. Access list D. route map

Which process should be checked when troubleshooting registration issues between Cisco FMC and managed devices to verify that secure communication is occurring? A. fpcollect B. dhclient C. sfmgr D. sftunnel

An engineer needs to configure remote storage on Cisco FMC. Configuration backups must be available from a secure location on the network for disaster recovery. Reports need to back up to a shared location that auditors can access with their Active Directory logins. Which strategy must the engineer use to meet these objectives? A. Use SMB for backups and NFS for reports. B. Use NFS for both backups and reports. C. Use SMB for both backups and reports. D. Use SSH for backups and NFS for reports.

Which firewall design will allow it to forward traffic at Layers 2 and 3 for the same subnet? A. Cisco Firepower Threat Defense mode. B. routed mode C. Integrated routing and bridging D. transparent mode.

Drag and Drop Configuration steps from the left into the sequence on the right to enable external authentication on the Cisco FMC to a RADIUS server. -> Select Authentication -> Configure -> Select Users -> Add External

Configure Select Users Add External Select Authentication

A security engineer must configure policies for a recently deployed Cisco FTD. The security policy for the company dictates that when five or more connections from external sources are initiated within 2 minutes, there is cause for concern. Which type of policy must be configured in Cisco FMC to generate an alert when this condition is triggered? A. Application detector B. access control C. correlation D. intrusion

A Network administrator is reviewing a weekly scheduled attacks risk report and notices a host that is flagged for an Impact 2 attack. Where should the administrator look within CIsco FMC to find out more relevant information about this host and attack? A. Analysis > Lookup > Whois B. Analysis > Correlation > Correlation Events C. Analysis > Hosts > Vulnerabilities D. Analysis > Hosts > Host Attributes

A consultant is working on a project where the customer is upgrading from a single Cisco Firepower 2130 managed by FDM to a pair of Cisco Firepower 2130s managed by FMC for high availbility. The customer wants the configuration of the existing device being managed by FDM to be carried over to FMC and then replicated to the additional device being added to create the high availability pair. Which action must the consultant take to meet this requirement? A. The current FDM configuration must be configured by hand into FMC before the devices are registered. B. The current FDM configuration must be migrated to FMC using the Secure FIrewall Migration tool. C. The FTD configuration must be converted to ASA command format, which can then be migrated to FMC. D. The current FDM configuration will be converted automatically into FMC when the device registers.

A network administrator must create an EtherChannel interface on a new Cisco Firepower 9300 appliance registered with an FMC for high availability. Where must the administrator create the EhterChannel interface? A. FMC GUI B. FMC CLI C. FTD CLI D. FXOS CLI

A network administrator is reviewing a monthly advanced malware risk report and noticies a host that is listed as CnC Connected. Where must the administrator look within the Cisco FMC to further determine if this host is infected with malware? A. Analysis > Hosts > Indications of Compromise B. Analysis > Hosts > Host Attributes C. Analysis > Files > Malware Events D. Analysis > files > Network File Trajectory

An engineer is configuring a Cisco FTD devie to place on the Finance VLAN to provide additional protection for company financial data. The device must be deployed without requiring any changes on the end user workstations, which currently use DHCP to obtain an IP address. How must the engineer deploy the device to meet this requirement? A. Deploy the device in transparent mode and enable the DHCP Server feature. B. Deploy the device in routed mode and enable the DHCP Relay feature. C> Deploy the device in transparent mode and allow DHCP traffic in the access control policies. D. Deploy the device in routed mode and allow DHCP traffic in the access control policies.

Which default action setting in a Cisco FTD Access Control Policy allows all traffic from an undefined application to pass without Snort inspection? A. Network Discovery Only B. Inherit from Base Policy C. Intrusion Prevention D. Trust All Traffic

An engineer plans to reconfigure an existing Cisco FTD from transparent mode to routed mode. Which additional action must be taken to maintain communication between the two network segments? A. Assign a unique VLAN IDfor the interface in each segment. B. Update the IP addressing so that each segment is a unique IP subnet. C. Configure a NAT rule so that traffic between the segments is exempt from NAT. D. Deploy Inbound ACLs on each interface to allow traffic between the segments.

Network users are experiencing intermittent issues with internet access. An engineer identified that the issue is being caused by NAT exhaustion. How must the engineer change the dynamic NAT configuration to provide internet access for more users without running out of resources? A. Convert the dynamic auto NAT rule to dynamic manual NAT. B. Add an identify NAT rule to handle the overflow of users. C. Configure an fallthrough to interface PAT on the Advanced tab. D. Define an additional static NAT for the network object in use.

An engineer is configuring a custom intrusion rule on Cisco FMC. The engineer needs the rule to search the payload or stream for the string "|456 56465 234465|" . Which keyboard must the engineer use with this string to create an argument for packet inspection? A. protected_contect B. content C. data D. metadata

An engineer must investigate a connectivity issue from an endpoint behind a Cisco FTD device and a public DNS server. The endpoint cannot perform name resolution queries. Which action must the engineer preform to troubleshoot the issue by simulating real DNS traffic on the Cisco FTD while verifying the Snort verdict. A. Use the capture w/trace wizard in Cisco FMC. B. Run the System support firewall-engine-debug command from the FTD ClI. C> Create a Custom workflow in Cisco FMC. D. Perform a Snort engine capture using tcpdump from the FTD CLI.

What is a limitation to consider when running a dynamic routing protocol on a Cisco FTD device in IRB mode? A. Only link-state routing protocols are supported. B. Only distance vector routing protocols are supported. C. Only EtherChannel interfaces are supported. D. Only nonbridge interfaces are supported.

An engineer is configuring URL filtering for a Cisco FTD device in Cisco FMC. Users must recieve a warning when they access http://www.badadultsite.com with the option of continuing to the website if they choose to. No other websites should be blacked. Which two actions must the engineer take to meet these requirements? (Choose two) A. On the HTTP Responses tab of the access control policy editor, set the Block Response Page to Custom. B. On the HTTP Responses tab of the access control policy editor, set the Interactive Block Response Page to system-provided. C. Configure the default action for the access control policy to Interactive Block. D. Configure an access control rule that matches the Adult URL category and set the action to interactive block. E. Configure an access control rule that matches a URL object for http://www.badadultsite.com; and set the action to interactive block.

An engineer is configuring a custom application detector for HTTP traffic and wants to import a file that was provided by a third party. Which type of files are advanced application detectors creates and uploaded as? A. Perl script B. NBAR protocol C. LUA script D. Python program

A network administrator reviews me attack risk report and noticies several low-impact attacks. What does this type of attack indicate? A. All attacks are listed as low until manually categorized. B. The host is not vulnerable to those attacks. C. The attacks are not dangerous to the network. D. The host is not within the administrator's environment.

When an engineer captures traffic on a Cisco FTD to troubleshoot a connectivity problem, they recieve a large amount of output data in the GUI tool. The engineer found that viewing the captures this way is time-consuming and difficult to son and filter. While file type must the engineer export the data in so that it can be reviewed using a tool built for this type of analysis? A. Netflow v9 B. PCAP C. Netflow v5 D. IPFIX

An engineer must deploy a Cisco FTD device. Management wants to examine traffic without requiring network changes that will disrupt end users. Corporate security policy requires the separation of management traffic from data traffic and the use of SSH over Telnet for remote administration. How must the device be deployed to meet these requirements? A. in routed mode with a diagnostic interface. B. in transparent mode with a management interface. C. in transparent mode with a data interface. D. in routed mode with a bridge virutal interface.

Snort 2 Rules States

Generate Events Drop and Generate Events Disable

ISE Realms

Active Directory

SPERO

Machine Learning

ETHOS

File Grouping

Local SPAN

Mirrors traffic from one or more interface on the switch to one or more interfaces on the same switch.

RSPAN

Remote SPAN Allows you to monitor traffic from source ports distributed over multiple switches, which means taht you can centralize your network capture devices.

ERSPAN

Encapsulated remote SPAN Brings GRE (Generic Routing Encapsulation) for all captured traffic and allows it to be extended across L3 domains.

Where is EVE?

Access Control Policy -> Advanced Settings -> Pencil -> Bottom Right

What is the same on all FTDv?

Storage at 48GB

Fail-to-Wire Interfaces

Bypass traffic upon appliance failure, including loss of power.

Hardware bypass is only available in what mode?

Inline

Automatic Application Bypass

Traffic can bypass Snort processes when a performance threshold is crossed.

Intelligent Application Bypass

Application-specific acceleration of defined applications if performance is degraded.

Test #1 Flashcards

(310 cards)