We do not compromise on the bright future of our respected customers. PassExam4Sure takes the future of its clients seriously, and we ensure that our 350-701 exam dumps get you over the line. If you feel that our exam questions and answers did not help you with the exam paper and you failed it, we will happily return all of your invested money with a full 100% refund.
100% Real Questions
We verify and assure the authenticity of our Cisco 350-701 exam dump PDFs, which contain 100% real and exam-oriented questions. Our exam questions and answers comprise 100% real questions from the latest and most recent exams in which you are going to appear. So our extensive library of exam dumps for Cisco 350-701 is sure to push you forward on the path to success.
Security & Privacy
Free downloadable Cisco 350-701 demo papers are available for our customers to verify the authenticity of our helpful exam paper samples and to confirm what you will be getting from PassExam4Sure. We have many visitors daily who try this process before purchasing Cisco 350-701 exam dumps.
Last Week 350-701 Exam Results
279
Customers Passed Cisco 350-701 Exam
99%
Average Score In Real 350-701 Exam
96%
Questions came from our 350-701 dumps.
Authentic 350-701 Exam Dumps
Prepare for Cisco 350-701 Exam like a Pro
PassExam4Sure is famous for its top-notch service in providing the most helpful, accurate, and up-to-date material for the Cisco 350-701 exam in the form of PDFs. Our 350-701 dumps for this exam are reviewed regularly for content changes, format changes, and the addition of new questions from recently conducted exams. Our highly qualified professionals guarantee that you will pass your exam with at least 85% marks overall. PassExam4Sure Cisco 350-701 ProvenDumps is the best possible way to prepare for and pass your certification exam.
Easy Access and Friendly UI
PassExam4Sure is your best buddy in providing you with the latest and most accurate material without any hidden charges or pointless scrolling. We value your time and strive hard to provide you with the best possible formatting of the PDFs, with accurate, to-the-point, and vital information about Cisco 350-701. PassExam4Sure is your 24/7 guide partner, and our exam material is curated so that it is easily readable on all smartphones, tablets, and laptop PCs.
PassExam4Sure - The Undisputed King for Preparing 350-701 Exam
We have a sharp focus on providing you with the best course material for Cisco 350-701, so that you can prepare for your exam like a pro and get certified in no time. Our practice exam material will give you the confidence you need to sit, relax, and take the exam in a real exam environment. If you truly crave success, simply sign up for PassExam4Sure Cisco 350-701 exam material. Millions of people all over the globe have completed their certification using PassExam4Sure exam dumps for Cisco 350-701.
100% Authentic Cisco 350-701 – Study Guide (Update 2024)
Our Cisco 350-701 exam questions and answers are reviewed by us on a weekly basis. Our team of highly qualified Cisco professionals, who themselves cleared the exams using our certification content, does all the analysis of our recent exam dumps. The team makes sure that you get the latest and greatest exam content to practice and polish your skills the right way. All you have to do now is practice, practice a lot by taking our demo questions exam, and make sure that you prepare well for the final examination. The Cisco 350-701 test is going to test you and play with your mind and psychology, so be prepared for what's coming. PassExam4Sure is here to help and guide you through all the steps of your preparation for glory. Our free downloadable demo content can be checked out if you feel like testing us before investing your hard-earned money. PassExam4Sure guarantees your success in the Cisco 350-701 exam because we have the newest and most authentic exam material, which cannot be found anywhere else on the internet.
Cisco 350-701 Sample Questions
Question # 1
What is the difference between EPP and EDR?
A. EPP focuses primarily on threats that have evaded front-line defenses that entered the environment. B. Having an EPP solution allows an engineer to detect, investigate, and remediate modern threats. C. EDR focuses solely on prevention at the perimeter. D. Having an EDR solution gives an engineer the capability to flag offending files at the first sign of malicious behavior.
Answer: D
Explanation: EPP and EDR are two types of endpoint security solutions that have different
goals and capabilities. EPP stands for endpoint protection platform, which is a suite of
technologies that work together to prevent, detect, and remediate security threats on
endpoints. EPP solutions use techniques such as antivirus, firewall, application control, and
patch management to block known and unknown malware and malicious activity. EDR
stands for endpoint detection and response, which is a solution that provides real-time
visibility into endpoint activities and enables security teams to detect, investigate, and
respond to advanced threats that may have bypassed EPP defenses. EDR solutions use
techniques such as behavioral analysis, threat intelligence, and incident response to flag
offending files at the first sign of malicious behavior, contain and isolate compromised
endpoints, and remediate the damage caused by the attack. Therefore, the correct answer
is D, as having an EDR solution gives an engineer the capability to flag offending files at
the first sign of malicious behavior. The other options are incorrect because:
A is false, as EPP focuses primarily on threats that have evaded front-line
defenses that entered the environment, not EDR.
B is false, as having an EPP solution allows an engineer to detect, investigate, and
remediate modern threats, not EDR.
C is false, as EDR focuses on detection and response at the endpoint level, not
prevention at the perimeter.
References:
EPP vs. EDR: Why You Need Both - CrowdStrike
Question # 2
A. signature-based endpoint protection on company endpoints B. macro-based protection to keep connected endpoints safe C. continuous monitoring of all files that are located on connected endpoints D. email integration to protect endpoints from malicious content that is located in email E. real-time feeds from global threat intelligence centers
Answer: C,E
Explanation: A next-generation endpoint security solution is a modern approach that
combines user and system behavior analytics with AI and machine learning to provide
endpoint security12. These solutions are specifically designed to detect unknown malware
and zero-day threats, which other non-next-generation solutions might fail to detect3. Two
key deliverables that help justify the implementation of a next-generation endpoint security
solution are:
Continuous monitoring of all files that are located on connected endpoints. This
feature allows the solution to scan and analyze all files on the endpoints,
regardless of their origin or type, and identify any malicious or suspicious
behavior. This helps to prevent malware from infecting the endpoints or spreading
to other devices on the network4.
Question # 3
An engineer is trying to decide whether to use Cisco Umbrella, Cisco CloudLock, Cisco Stealthwatch, or Cisco AppDynamics Cloud Monitoring for visibility into data transfers as well as protection against data exfiltration. Which solution best meets these requirements?
A. Cisco CloudLock B. Cisco AppDynamics Cloud Monitoring C. Cisco Umbrella D. Cisco Stealthwatch
Answer: A
Explanation:
Cisco CloudLock is a cloud-native cloud access security broker (CASB) that helps you
move to the cloud safely. It protects your cloud users, data, and apps. CloudLock’s simple,
open, and automated approach uses APIs to manage the risks in your cloud app
ecosystem. With CloudLock you can more easily combat data breaches while meeting
compliance regulations1.
Cisco CloudLock provides the following features that meet the requirements of visibility into
data transfers as well as protection against data exfiltration:
User security: Cloudlock uses advanced machine learning algorithms to detect
anomalies based on multiple factors. It also identifies activities outside allowed
countries and spots actions that seem to take place at impossible speeds across
distances1.
Data security: Cloudlock’s data loss prevention (DLP) technology continuously
monitors cloud environments to detect and secure sensitive information. It
provides countless out-of-the-box policies as well as highly tunable custom
policies. It also supports inline and out-of-band data inspection and blocking
capabilities to protect sensitive data12.
App security: The Cloudlock Apps Firewall discovers and controls cloud apps
connected to your corporate environment. You can see a crowd-sourced
Community Trust Rating for individual apps, and you can ban or allowlist them
based on risk1.
The other solutions do not provide the same level of visibility and protection as Cisco
CloudLock:
Cisco Umbrella is a cloud-delivered network security service that provides DNS-layer
security, secure web gateway, cloud-delivered firewall, cloud access security
broker, and threat intelligence3. It does not offer data security features such as
DLP, data inspection, and data blocking4.
Cisco AppDynamics Cloud Monitoring is a cloud-native application performance
management solution that helps you monitor, troubleshoot, and optimize your
cloud applications. It does not offer user security, data security, or app security
features as a CASB solution.
Cisco Stealthwatch is a network traffic analysis solution that provides visibility and
threat detection across your network, endpoints, and cloud. It does not offer data
security features such as DLP, data inspection, and data blocking.
References:
1: Cisco Cloudlock - Cisco
2: Cisco Cloudlock: Secure Cloud Data
3: Cisco Umbrella Packages - Cisco Umbrella
4: Easy to Deploy & Simple to Manage CASB Solution - Cisco Umbrella
Cisco AppDynamics Cloud Monitoring
Cisco Stealthwatch - Cisco
Question # 4
An engineer needs to detect and quarantine a file named abc424400664.zip based on the MD5 signature of the file using the Outbreak Control list feature within Cisco Advanced Malware Protection (AMP) for Endpoints. The configured detection method must work on files of unknown disposition. Which Outbreak Control list must be configured to provide this?
A. Blocked Application B. Simple Custom Detection C. Advanced Custom Detection D. Android Custom Detection
Answer: B
Explanation:
Simple Custom Detection is a feature of Cisco AMP for Endpoints that allows
administrators to block specific files based on their SHA-256 or MD5 hashes. This feature can be used to detect and quarantine files of unknown disposition, such as
abc424400664.zip, by adding their hashes to a custom list in the AMP portal. The list can
then be applied to a policy that is assigned to the endpoints. Simple Custom Detection
works on files of any type, size, or platform, unlike the other options that are either
platform-specific (Android Custom Detection), size-limited (Blocked Application), or
Question # 6
An organization uses Cisco FMC to centrally manage multiple Cisco FTD devices. The default management port conflicts with other communications on the network and must be changed. What must be done to ensure that all devices can communicate together?
A. Manually change the management port on Cisco FMC and all managed Cisco FTD devices B. Set the tunnel to go through the Cisco FTD C. Change the management port on Cisco FMC so that it pushes the change to all managed Cisco FTD devices D. Set the tunnel port to 8305
Answer: A
Explanation: The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305. Cisco strongly
recommends that you keep the default settings for the remote management port, but if
the management port conflicts with other communications on your network, you can choose
a different port. If you change the management port, you must change it for all devices in
your deployment that need to communicate with each other.
Question # 7
Which configuration method provides the options to prevent physical and virtual endpoint
devices that are in the same base EPG or uSeg from being able to communicate with each
other with VMware VDS or Microsoft vSwitch?
A. inter-EPG isolation B. inter-VLAN security C. intra-EPG isolation D. placement in separate EPGs
Answer: C
Explanation: Intra-EPG Isolation is an option to prevent physical or virtual endpoint devices that are in the same base EPG or microsegmented (uSeg) EPG from
communicating with each other. By default, endpoint devices included in the same EPG are
allowed to communicate with one another.
Question # 8
Which role is a default guest type in Cisco ISE?
A. Monthly B. Yearly C. Contractor D. Full-Time
Answer: C,D
Explanation:
To add switches into the fabric, administrators can use PowerOn Auto Provisioning
(POAP) or Seed IP methods. POAP is a feature that automates the process of upgrading
software images and installing configuration files on Cisco switches that are being
deployed in the network for the first time. Seed IP is a method that allows administrators to
specify the IP address of a switch that is already part of the fabric, and then use it to
discover and add other switches that are connected to it. Both methods enable
administrators to control how switches are added into DCNM for private cloud
Question # 9
An engineer is implementing DHCP security mechanisms and needs the ability to add additional attributes to profiles that are created within Cisco ISE. Which action accomplishes this task?
A. Define MAC-to-IP address mappings in the switch to ensure that rogue devices cannot get an IP address B. Use DHCP option 82 to ensure that the request is from a legitimate endpoint and send the information to Cisco ISE C. Modify the DHCP relay and point the IP address to Cisco ISE. D. Configure DHCP snooping on the switch VLANs and trust the necessary interfaces
Answer: B
Explanation: DHCP option 82 is a feature that allows the network access device (NAD) to
insert additional information into the DHCP request packet from the endpoint. This
information can include the switch ID, port number, VLAN ID, and other attributes that can
help Cisco ISE to identify and profile the endpoint. Cisco ISE can use DHCP option 82 to
assign the endpoint to the appropriate identity group, policy, and authorization profile.
DHCP option 82 is also useful to prevent rogue DHCP servers from assigning IP addresses
to endpoints, as Cisco ISE can verify the legitimacy of the DHCP request based on the
option 82 data. To use DHCP option 82, the NAD must be configured to enable this feature
and send the option 82 data to Cisco ISE. Cisco ISE must also be configured to accept and
parse the option 82 data from the NAD. For more details on how to configure DHCP option
82 on Cisco ISE and NAD, see the references below. References:
Configuring the DHCP Probe
Securing Your Network From DHCP Risks
Can we use ISE as DHCP/DNS server to prevent guest traffic using …
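The option 82 data described in the explanation above (switch identity, VLAN and port inserted by the relay agent) as an added example that is not from the page or from Cisco: a standard-library Python decoder for the Relay Agent Information option and its circuit-ID/remote-ID sub-options, which is what a DHCP probe has to extract before it can enrich an endpoint profile. The option bytes are constructed, and the circuit-ID/remote-ID layout is the default Catalyst encoding, treated here as an assumption.

```python
"""Decode DHCP option 82 (Relay Agent Information) as a switch inserts it for ISE profiling.

Added example (not from the page or Cisco); the option bytes below are constructed, and the
circuit-ID/remote-ID layout follows the default Catalyst encoding, treated here as an assumption.
"""
import struct

OPTION_RELAY_AGENT_INFO = 82      # RFC 3046
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
OPTION_PAD, OPTION_END = 0, 255


def parse_dhcp_options(options: bytes) -> dict:
    """Walk the options field (after the magic cookie) into {code: value}; stops at END."""
    out, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} declares {length} bytes but fewer remain")
        out[code] = value          # a repeated code overwrites; option concatenation is out of scope
        i += 2 + length
    return out


def parse_suboptions(data: bytes) -> dict:
    """Option 82's value is itself a TLV list of sub-options (circuit ID, remote ID, ...)."""
    out, i = {}, 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated sub-option header")
        stype, slen = data[i], data[i + 1]
        value = data[i + 2:i + 2 + slen]
        if len(value) != slen:
            raise ValueError(f"sub-option {stype} length runs past the option")
        out[stype] = value
        i += 2 + slen
    return out


def decode_cisco_circuit_id(value: bytes) -> dict:
    """Default Catalyst circuit ID: type 0, length 4, VLAN (2 bytes), module (1), port (1)."""
    if len(value) != 6 or value[0] != 0 or value[1] != 4:
        raise ValueError("not the default Cisco circuit-ID encoding")
    vlan, module, port = struct.unpack("!HBB", value[2:])
    return {"vlan": vlan, "module": module, "port": port}


def decode_cisco_remote_id(value: bytes) -> str:
    """Default Catalyst remote ID: type 0, length 6, then the relay switch's MAC address."""
    if len(value) != 8 or value[0] != 0 or value[1] != 6:
        raise ValueError("not the default Cisco remote-ID encoding")
    return ":".join(f"{b:02x}" for b in value[2:])


def option82_profile_attributes(options: bytes) -> dict:
    """Return the switch/port attributes a DHCP probe could add to an endpoint profile."""
    opts = parse_dhcp_options(options)
    if OPTION_RELAY_AGENT_INFO not in opts:
        return {}                  # no relay agent info: nothing to enrich the profile with
    subs = parse_suboptions(opts[OPTION_RELAY_AGENT_INFO])
    attrs = {}
    if SUBOPT_CIRCUIT_ID in subs:
        attrs.update(decode_cisco_circuit_id(subs[SUBOPT_CIRCUIT_ID]))
    if SUBOPT_REMOTE_ID in subs:
        attrs["relay_switch_mac"] = decode_cisco_remote_id(subs[SUBOPT_REMOTE_ID])
    return attrs


# Constructed DHCPDISCOVER options: message type (53) = 1, option 82 with both sub-options, END.
SAMPLE_OPTIONS = (
    bytes([53, 1, 1])
    + bytes([OPTION_RELAY_AGENT_INFO, 18])
    + bytes([SUBOPT_CIRCUIT_ID, 6, 0, 4]) + struct.pack("!HBB", 100, 1, 24)   # VLAN 100, module 1, port 24
    + bytes([SUBOPT_REMOTE_ID, 8, 0, 6]) + bytes.fromhex("001122334455")     # constructed switch MAC
    + bytes([OPTION_END])
)

if __name__ == "__main__":
    print(option82_profile_attributes(SAMPLE_OPTIONS))
    # {'vlan': 100, 'module': 1, 'port': 24, 'relay_switch_mac': '00:11:22:33:44:55'}
```

Because the relay agent, not the client, writes option 82, these values are only as trustworthy as the port that inserted them, which is why the switch must be configured to trust only the uplinks that are allowed to carry it.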
Question # 10
Which threat intelligence standard contains malware hashes?
A. advanced persistent threat B. open command and control C. structured threat information expression D. trusted automated exchange of indicator information
Answer: D
Explanation:
The threat intelligence standard that contains malware hashes is trusted automated
exchange of indicator information (TAXII). TAXII is a protocol that enables the exchange of
cyber threat information in a standardized and automated manner. It supports various types
of threat intelligence, such as indicators of compromise (IOCs), observables, incidents,
tactics, techniques, and procedures (TTPs), and campaigns. Malware hashes are one
example of IOCs that can be shared using TAXII. Malware hashes are cryptographic
signatures that uniquely identify malicious files or programs. They can be used to detect
and block malware infections on endpoints or networks. TAXII uses STIX (structured threat
information expression) as the data format for representing threat intelligence. STIX is a
language that defines a common vocabulary and structure for describing cyber threat
information. STIX allows threat intelligence producers and consumers to share information
in a consistent and interoperable way. STIX defines various objects and properties that can
be used to represent different aspects of cyber threat information, such as indicators,
observables, incidents, TTPs, campaigns, threat actors, courses of action, and
relationships. Malware hashes can be expressed as observables in STIX, which are
concrete items or events that are observable in the operational domain. Observables can
have various types, such as file, process, registry key, URL, IP address, domain name, etc.
Each observable type has a set of attributes that describe its properties. For example, a file
observable can have attributes such as name, size, type, hashes, magic number, etc. A
hash attribute can have a type (such as MD5, SHA1, SHA256, etc.) and a value (such as
the hexadecimal representation of the hash). A file observable can have one or more hash
attributes to represent different hashing algorithms applied to the same file. For example, a
file observable can have both MD5 and SHA256 hashes to increase the confidence and
accuracy of identifying the file. The other options are incorrect because they are not threat intelligence standards that
contain malware hashes. Option A is incorrect because advanced persistent threat (APT) is
not a standard, but a term that describes a stealthy and sophisticated cyberattack that aims
to compromise and maintain access to a target network or system over a long period of
time. Option B is incorrect because open command and control (OpenC2) is not a standard
that contains malware hashes, but a language that enables the command and control of
cyber defense components, such as sensors, actuators, and orchestrators. Option C is
incorrect because structured threat information expression (STIX) is not a standard that
contains malware hashes, but a data format that represents threat intelligence. STIX uses
TAXII as the transport protocol for exchanging threat intelligence, including malware
hashes. References:
TAXII
STIX
Malware Hashes
Question # 11
What are two functions of IKEv1 but not IKEv2? (Choose two)
A. NAT-T is supported in IKEv1 but not in IKEv2. B. With IKEv1, when using aggressive mode, the initiator and responder identities are passed in cleartext C. With IKEv1, aggressive mode negotiates faster than main mode D. IKEv1 uses EAP authentication E. IKEv1 conversations are initiated by the IKE_SA_INIT message
Answer: B,C
Explanation: IKEv1 has two modes of operation: main mode and aggressive mode. Main
mode uses six messages to establish the IKE SA, while aggressive mode uses only three
messages. Therefore, aggressive mode is faster than main mode, but less secure, as it
exposes the identities of the peers in cleartext. This makes it vulnerable to man-in-the-middle attacks. IKEv2 does not have these modes, but uses a single four-message
exchange to establish the IKE SA. IKEv2 also encrypts the identities of the peers, making it
more secure than IKEv1 aggressive mode.
IKEv1 uses EAP authentication only for remote access VPNs, not for site-to-site VPNs.
IKEv2 supports EAP authentication for both types of VPNs. EAP authentication allows the
use of various authentication methods, such as certificates, tokens, or passwords.
IKEv1 conversations are initiated by the ISAKMP header, which contains the security
parameters and the message type. IKEv2 conversations are initiated by the IKE_SA_INIT
message, which contains the security parameters, the message type, and the message ID.
The message ID is used to identify and order the messages in the IKEv2 exchange.
NAT-T is supported by both IKEv1 and IKEv2. NAT-T stands for Network Address
Translation-Traversal, and it is a mechanism that allows IKE and IPsec traffic to pass
through a NAT device. NAT-T detects the presence of NAT and encapsulates the IKE and
IPsec packets in UDP headers, so that they can be translated by the NAT
device. References:
IKEv1 vs IKEv2 – What is the Difference?
Question # 12
A network administrator is setting up Cisco FMC to send logs to Cisco Security Analytics and Logging (SaaS). The network administrator is anticipating a high volume of logging events from the firewalls and wants to limit the strain on firewall resources. Which method must the administrator use to send these logs to Cisco Security Analytics and Logging?
A. SFTP using the FMC CLI B. syslog using the Secure Event Connector C. direct connection using SNMP traps D. HTTP POST using the Security Analytics FMC plugin
Answer: B
Explanation: The Secure Event Connector is a component of the Security Analytics and
Logging (SaaS) solution that enables the FMC to send logs to the cloud-based service. The
Secure Event Connector uses syslog to forward events from the FMC and the managed
devices to the cloud. This method reduces the load on the firewall resources, as the events
are sent in batches and compressed before transmission. The Secure Event Connector
also provides encryption, authentication, and reliability for the log data. The other methods
are not supported by the Security Analytics and Logging (SaaS)
solution12. References:
1: Cisco Security Analytics and Logging (On Premises)
Question # 13
Which open standard creates a framework for sharing threat intelligence in a machine-digestible format?
A. OpenC2 B. OpenIOC C. CybOX D. STIX
Answer: D
Explanation: The open standard that creates a framework for sharing threat intelligence in
a machine-digestible format is STIX (Structured Threat Information Expression). STIX is a language and serialization format that enables the exchange of cyber threat information
across organizations, tools, and platforms. STIX defines a common vocabulary and data
model for representing various types of threat intelligence, such as indicators, observables,
incidents, campaigns, threat actors, courses of action, and more. STIX also supports the
expression of context, relationships, confidence, and handling of the threat information.
STIX aims to improve the speed, accuracy, and efficiency of threat detection, analysis, and
response.
STIX is often used in conjunction with TAXII (Trusted Automated Exchange of Indicator
Information), which is a protocol and transport mechanism that enables the secure and
automated communication of STIX data. TAXII defines how to request, send, receive, and
store STIX data using standard methods and formats, such as HTTPS, JSON, and XML.
TAXII supports various exchange models, such as hub-and-spoke, peer-to-peer, or
subscription-based. TAXII enables the interoperability and scalability of threat intelligence
sharing among different systems and organizations.
References:
Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0,
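The hash-as-observable idea from the Question # 10 explanation and the STIX/TAXII framework described in Question # 13, as an added example that is not from the page, Cisco, or the OASIS stix2 library: a standard-library Python snippet that expresses a file's hashes as a STIX 2.1 Indicator pattern, wraps it in the Bundle a TAXII collection would deliver, and evaluates the hash-comparison subset of STIX patterning against an observed File object. The sample file content is constructed, so no real indicator appears.

```python
"""Express malware hashes as a STIX 2.1 Indicator and match an observed File object against it.

Added example (not from the page or any Cisco product); file content and names are constructed.
"""
import hashlib
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed bytes standing in for a malicious file; no real IoC is used.
SAMPLE_FILE_BYTES = b"constructed sample payload for the STIX hash example"


def file_hashes(data: bytes) -> dict:
    """Return the 'hashes' dictionary of a STIX 2.1 File object (keys from hash-algorithm-ov)."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA-1": hashlib.sha1(data).hexdigest(),
        "SHA-256": hashlib.sha256(data).hexdigest(),
    }


def make_hash_indicator(hashes: dict, name: str) -> dict:
    """Build a STIX 2.1 Indicator whose pattern matches a file by any one of the given hashes.

    STIX patterning quotes dictionary keys that contain characters such as '-'
    (hashes.'SHA-256'), while a plain key such as MD5 may appear unquoted.
    """
    terms = []
    for algo, value in hashes.items():
        key = f"'{algo}'" if "-" in algo else algo
        terms.append(f"file:hashes.{key} = '{value}'")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": "[" + " OR ".join(terms) + "]",
        "valid_from": now,
    }


# One comparison inside the pattern: file:hashes.MD5 = '...' or file:hashes.'SHA-256' = '...'
_HASH_TERM = re.compile(r"file:hashes\.'?([A-Za-z0-9-]+)'?\s*=\s*'([0-9a-fA-F]+)'")


def pattern_matches_file(pattern: str, observed: dict) -> bool:
    """Evaluate an OR-joined file-hash pattern against a STIX File object.

    Only the hash-comparison subset of STIX patterning is handled here; hex values
    are compared case-insensitively so differently cased sources still match.
    """
    observed_hashes = {k.upper(): v.lower() for k, v in observed.get("hashes", {}).items()}
    return any(
        observed_hashes.get(algo.upper()) == value.lower()
        for algo, value in _HASH_TERM.findall(pattern)
    )


def bundle(objects: list) -> str:
    """Serialise objects as a STIX 2.1 Bundle, the unit a TAXII collection delivers."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}, indent=2)


if __name__ == "__main__":
    known_bad = file_hashes(SAMPLE_FILE_BYTES)
    indicator = make_hash_indicator(known_bad, "constructed-sample-dropper")
    print(bundle([indicator]))
    # A sensor that reports only SHA-256 still matches the same indicator.
    seen = {"type": "file", "name": "dropper.bin", "hashes": {"SHA-256": known_bad["SHA-256"]}}
    print("match:", pattern_matches_file(indicator["pattern"], seen))
```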
Question # 14
Which two actions does the Cisco Identity Services Engine posture module provide that ensure endpoint security? (Choose two.)
A. The latest antivirus updates are applied before access is allowed. B. Assignments to endpoint groups are made dynamically, based on endpoint attributes. C. Patch management remediation is performed. D. A centralized management solution is deployed. E. Endpoint supplicant configuration is deployed.
Answer: A,C
Explanation:
The Cisco Identity Services Engine (ISE) posture module provides a service that allows
you to check the compliance of endpoints with corporate security policies. This service
consists of three main components: client provisioning, posture policy, and authorization
policy. Client provisioning ensures that the endpoints receive the appropriate posture
agent, such as the AnyConnect ISE Posture Agent or the Network Admission Control
(NAC) Agent. Posture policy defines the conditions and requirements that the endpoints
must meet to be considered compliant, such as having the latest antivirus updates or
patches installed. Authorization policy determines the level of network access granted to
the endpoints based on their posture assessment results, such as allowing full access,
limited access, or quarantine.
The two actions that the Cisco ISE posture module provides that ensure endpoint security
are:
The latest antivirus updates are applied before access is allowed. This action
prevents malware infections and protects the network from potential threats. The
posture policy can include predefined or custom conditions that check the antivirus
status of the endpoints, such as the product name, version, definition date, and
scan result. If the endpoint does not meet the antivirus requirement, the posture
agent can trigger a remediation action, such as launching the antivirus update or
scan, before allowing network access.
Patch management remediation is performed. This action ensures that the
endpoints have the latest security patches installed and are not vulnerable to
known exploits. The posture policy can include predefined or custom conditions
that check the patch status of the endpoints, such as the operating system, service
pack, hotfix, or update. If the endpoint does not meet the patch requirement, the
posture agent can trigger a remediation action, such as redirecting the endpoint to
a patch management server or launching the patch installation, before allowing
Question # 15
How does the Cisco WSA enforce bandwidth restrictions for web applications?
A. It implements a policy route to redirect application traffic to a lower-bandwidth link. B. It dynamically creates a scavenger class QoS policy and applies it to each client that connects through the WSA. C. It sends commands to the uplink router to apply traffic policing to the application traffic. D. It simulates a slower link by introducing latency into application traffic.
Answer: D
Explanation:
The Cisco WSA can enforce bandwidth restrictions for web applications by using the
Application Visibility and Control (AVC) engine. The AVC engine allows the WSA to identify
and control application activity on the network, and to apply bandwidth limits to certain
application types or individual applications. The WSA dynamically creates a scavenger
class QoS policy and applies it to each client that connects through the WSA. The
scavenger class QoS policy assigns a low priority to the application traffic and limits the
bandwidth usage based on the configured settings. This way, the WSA can prevent
congestion and ensure fair allocation of bandwidth among different applications and
users. References:
User Guide for AsyncOS 11.8 for Cisco Web Security Appliances - GD (General
Deployment) - Managing Access to Web Applications
WSA - limit bandwidth - Cisco Community
Question # 16
An engineer is configuring Cisco WSA and needs to deploy it in transparent mode. Whichconfiguration component must be used to accomplish this goal?
A. MDA on the router B. PBR on Cisco WSA C. WCCP on switch D. DNS resolution on Cisco WSA
Answer: C
Explanation: To deploy Cisco WSA in transparent mode, the configuration component that
must be used is WCCP on switch. WCCP stands for Web Cache Communication Protocol,
which is a protocol that allows a network device (such as a switch) to redirect web traffic to
a proxy server (such as Cisco WSA) transparently. This means that the client does not
need to configure any proxy settings on the browser, and the proxy server can intercept
and process the web requests and responses without the client’s knowledge. WCCP can
also provide load balancing and failover capabilities for multiple proxy servers.
The other options are incorrect because they are not required or relevant for transparent
mode deployment. Option A is incorrect because MDA (Multilink PPP Dial Access) is a
feature that allows multiple physical links to be aggregated into a single logical link for dial-up connections. It has nothing to do with transparent mode. Option B is incorrect because
PBR (Policy-Based Routing) is a feature that allows routing decisions to be based on
criteria other than the destination IP address, such as source IP address, protocol, port,
etc. It is not necessary for transparent mode, as WCCP can handle the traffic redirection.
Option D is incorrect because DNS resolution on Cisco WSA is not a configuration
component, but a function that allows the proxy server to resolve domain names to IP
addresses. It is not specific to transparent mode, as it is also used in explicit
mode. References:
What is the difference between transparent and forward proxy mode?
User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited
Deployment) - Acquire End-User Credentials
Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP?
Question # 17
An engineer is configuring cloud logging using a company-managed Amazon S3 bucket for Cisco Umbrella logs. What benefit does this configuration provide for accessing log data?
A. It is included in the license cost for the multi-org console of Cisco Umbrella B. It can grant third-party SIEM integrations write access to the S3 bucket C. No other applications except Cisco Umbrella can write to the S3 bucket D. Data can be stored offline for 30 days
Answer: B
Explanation: Using a company-managed Amazon S3 bucket for Cisco Umbrella logs
allows the administrator to have full control over the access and lifecycle of the log data.
This configuration can grant third-party SIEM integrations write access to the S3 bucket,
which can enable more advanced analysis and correlation of the log data with other
sources. This configuration also provides more flexibility in terms of how long the data can
be stored offline, as opposed to the Cisco-managed S3 bucket, which has a fixed retention
period of 30 days. References:
Enable Logging to Your Own S3 Bucket
Centralized Umbrella Log Management with Amazon’s S3 service for MSP, MSSP,
and Multi-org customers
Question # 18
An engineer is configuring IPsec VPN and needs an authentication protocol that is reliable and supports ACK and sequence. Which protocol accomplishes this goal?
A. AES-192 B. IKEv1 C. AES-256 D. ESP
Answer: B
Explanation: IKEv1 is the authentication protocol that is reliable and supports ACK and
sequence for IPsec VPN. IKEv1 is a key management protocol that is used in conjunction
with IPsec to establish secure and authenticated connections between IPsec peers. IKEv1
uses UDP port 500 and consists of two phases: phase 1 and phase 2. In phase 1, the
peers authenticate each other and negotiate a shared secret key that is used to encrypt the
subsequent messages. In phase 2, the peers negotiate the security parameters for the
IPsec tunnel, such as the encryption and authentication algorithms, the lifetime, and the
mode (transport or tunnel). IKEv1 uses ACK and sequence numbers to ensure the
reliability and integrity of the messages exchanged between the peers. ACK is an
acknowledgment message that confirms the receipt of a previous message. Sequence
number is a unique identifier that is assigned to each message to prevent replay attacks
and to detect missing or out-of-order messages. IKEv1 also supports various authentication
methods, such as pre-shared keys, digital certificates, and extended authentication
(XAUTH).
References:
Internet Key Exchange for IPsec VPNs Configuration Guide
Security for VPNs with IPsec Configuration Guide
IPSec Architecture
Question # 19
With regard to RFC 5176 compliance, how many IETF attributes are supported by the RADIUS CoA feature?
A. 3
B. 5
C. 10
D. 12
Answer: B
Explanation: The RADIUS CoA feature supports five IETF attributes as defined in RFC
5176. These are:
Event-Timestamp: This attribute indicates the time when the CoA request was
generated by the server.
State: This attribute contains a value that is copied from the Access-Accept
message that authorized the session.
Session-Timeout: This attribute specifies the maximum number of seconds of
service provided to the user before termination of the session or prompt.
Idle-Timeout: This attribute specifies the maximum number of consecutive
seconds of idle connection allowed to the user before termination of the session or
prompt.
Filter-Id: This attribute identifies the filter list to be applied to the user session.
The RADIUS CoA feature also supports vendor-specific attributes (VSAs) that are defined
by Cisco or other vendors. These VSAs can be used to perform additional actions such as
port shutdown, port bounce, or security and password accounting.
References:
RFC 5176: This document describes the dynamic authorization extensions to
RADIUS, including the CoA request and response codes, and the supported IETF
attributes.
RADIUS Change of Authorization - Cisco: This document provides the
configuration guide for the RADIUS CoA feature on Cisco IOS devices, including
the supported IETF and Cisco VSAs.
Supported IETF attributes in RFC 5176 - Ruckus Networks: This document lists
the supported IETF attributes and error clause values for the RADIUS CoA feature
on Ruckus devices.
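As an added example (not code from the page's references or from any vendor), the following Python builds an RFC 5176 CoA-Request carrying exactly the five IETF attributes listed above, computes the Request Authenticator the way RFC 5176 specifies (the RFC 2866 accounting rule), and parses and verifies the result. The secret, State value and timeouts are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet code for CoA-Request; attribute type numbers from RFC 2865 / RFC 2869.
COA_REQUEST = 43
IETF_ATTRS = {
    55: "Event-Timestamp",   # integer: seconds since the epoch (RFC 2869)
    24: "State",             # opaque octets copied from the Access-Accept
    27: "Session-Timeout",   # integer: seconds of service before termination
    28: "Idle-Timeout",      # integer: idle seconds before termination
    11: "Filter-Id",         # text: name of the filter list to apply
}
INTEGER_ATTRS = {55, 27, 28}


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Type(1) | Length(1) | Value; Length counts the 2-byte header, so a value is at most 253 octets."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 octets")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def request_authenticator(code: int, identifier: int, length: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 s.3 (via RFC 2866): MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_coa_request(identifier: int, secret: bytes, *, state: bytes, filter_id: str,
                      session_timeout: int, idle_timeout: int, event_timestamp: int) -> bytes:
    """Return a complete CoA-Request packet with the five RFC 5176 IETF attributes."""
    attrs = b"".join([
        encode_attribute(55, struct.pack("!I", event_timestamp)),
        encode_attribute(24, state),
        encode_attribute(27, struct.pack("!I", session_timeout)),
        encode_attribute(28, struct.pack("!I", idle_timeout)),
        encode_attribute(11, filter_id.encode("utf-8")),
    ])
    length = 20 + len(attrs)                     # 20-byte header: code, id, length, authenticator
    auth = request_authenticator(COA_REQUEST, identifier, length, attrs, secret)
    return struct.pack("!BBH", COA_REQUEST, identifier, length) + auth + attrs


def decode_coa_attributes(packet: bytes) -> dict:
    """Parse the attribute list of a CoA-Request into {name: value}, rejecting malformed TLVs."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        raise ValueError("not a CoA-Request")
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    out, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        name = IETF_ATTRS.get(atype, f"Unknown-{atype}")
        if atype in INTEGER_ATTRS:
            if alen != 6:
                raise ValueError(f"{name} must be a 4-octet integer")
            out[name] = struct.unpack("!I", value)[0]
        elif atype == 11:
            out[name] = value.decode("utf-8")
        else:
            out[name] = value
        pos += alen
    return out


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if the packet is well-formed and its authenticator matches the shared secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = request_authenticator(packet[0], packet[1], length, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    pkt = build_coa_request(7, b"shared-secret", state=b"\x01\x02\x03", filter_id="acl-guest",
                            session_timeout=3600, idle_timeout=600, event_timestamp=1700000000)
    print(decode_coa_attributes(pkt), verify_request_authenticator(pkt, b"shared-secret"))
```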
Question # 20
Which Cisco security solution gives the most complete view of the relationships and evolution of Internet domains, IPs, and files, and helps to pinpoint attackers' infrastructures and predict future threats?
A. Cisco Secure Network Analytics
B. Cisco Secure Cloud Analytics
C. Cisco Umbrella Investigate
D. Cisco pxGrid
Answer: C
Explanation: Cisco Umbrella Investigate is a cloud-based service that provides interactive
threat intelligence on domains, IPs, and files. It helps security analysts to uncover the
attacker’s infrastructure and predict future threats by analyzing the relationships and
evolution of internet domains, IPs, and files. It also integrates with other Cisco security
solutions, such as Cisco Secure Network Analytics, Cisco Secure Cloud Analytics, and
Cisco pxGrid, to provide a holistic view of the network and cloud security posture. Cisco
Umbrella Investigate is based on the data collected by Cisco Umbrella, which processes
more than 620 billion DNS requests per day from over 190 countries. Cisco Umbrella
Investigate uses statistical and machine learning models to automatically score and classify
the data, and provides a risk score for each domain, IP, and file, along with the contributing
factors and historical context. Cisco Umbrella Investigate also allows security analysts to
query the data using a web-based console or an API, and to visualize the results using
graphs, tables, and maps. Cisco Umbrella Investigate is the most complete and interactive
threat intelligence solution that helps to prevent cyber attacks before they
happen.
References:
Cisco Umbrella Investigate
Cyber Attack Prevention - Cisco Umbrella
Cisco Umbrella Investigate - Cisco Umbrella
Question # 21
An administrator enables Cisco Threat Intelligence Director on a Cisco FMC. Which process uses STIX and allows uploads and downloads of block lists?
A. consumption
B. sharing
C. editing
D. authoring
Answer: B
Explanation: The process that uses STIX and allows uploads and downloads of block lists
is sharing. STIX (Structured Threat Information Expression) is a standard language and
format for exchanging cyber threat intelligence data. Block lists are collections of
observables, such as IP addresses, URLs, or domains, that are associated with malicious
activity and can be used to block or monitor network traffic. Cisco Threat Intelligence
Director (TID) is a feature that operationalizes threat intelligence data by consuming,
normalizing, publishing, and correlating data from various sources, including third-party
STIX feeds. TID enables the administrator to upload STIX files from local or remote sources, or download STIX files from the Firepower Management Center (FMC) to share
with other systems. TID also allows the administrator to configure actions (such as block or
monitor) based on the indicators and observables in the STIX files, and generate incidents
and observations when the system detects traffic that matches the threat intelligence
data [1][2][3].
References:
1: Firepower Management Center Configuration Guide, Version 6.2.3 - Threat Intelligence Director
2: Introduction to STIX - GitHub Pages
3: Third-Party Integration of Security Feeds with FMC (Cisco Threat Intelligence Director) - Cisco Community
Question # 22
In which two ways does the Cisco Advanced Phishing Protection solution protect users? (Choose two.)
A. It prevents use of compromised accounts and social engineering.
B. It prevents all zero-day attacks coming from the Internet.
C. It automatically removes malicious emails from users' inbox.
D. It prevents trojan horse malware using sensors.
E. It secures all passwords that are shared in video conferences.
Answer: A,C
Explanation: Cisco Advanced Phishing Protection (AAP) is a solution that adds
sophisticated machine learning capabilities to Cisco Email Security to block advanced
identity deception attacks for inbound email by assessing its threat posture [1]. It also uses
both global and local telemetry data combined with analytics and modeling to validate the
reputation and authenticity of senders [2]. AAP provides sender authentication and BEC
detection capabilities, and uses advanced machine learning techniques, real-time behavior
analytics, relationship modeling and telemetry to protect against identity deception–based
threats [3].
In two ways, the Cisco Advanced Phishing Protection solution protects users:
It prevents use of compromised accounts and social engineering. AAP detects and
blocks phishing emails that attempt to impersonate legitimate senders, such as
executives, partners, or customers, and trick users into revealing sensitive
information or transferring funds. AAP analyzes the sender’s identity, behavior, and relationship with the recipient, and assigns a risk score to the email. If the
email is deemed suspicious or malicious, AAP can quarantine it, flag it, or deliver it
with a warning [4].
It automatically removes malicious emails from users’ inbox. AAP provides
retrospective analysis and remediation capabilities, which means that it can
identify and remove emails that were initially delivered but later found to be
malicious. AAP leverages the Cisco Talos threat intelligence network and the
Sensor-based solution to continuously monitor the threat landscape and update
the email disposition accordingly. If an email is reclassified as malicious, AAP can
automatically delete it from the users’ inbox, or notify the administrator or the user
to take action [4][5].
The other options are incorrect because they do not accurately describe the functions of
AAP. AAP does not prevent all zero-day attacks coming from the Internet, as it focuses on
phishing and identity deception attacks. AAP does not prevent trojan horse malware using
sensors, as sensors are used to collect and analyze email data, not to block malware. AAP
does not secure all passwords that are shared in video conferences, as it is not related to
video conferencing security. Therefore, the correct answer is A and C.
References:
1: Cisco’s Security Innovations to Protect the Endpoint and Email
2: Cisco Advanced Phishing Protection - Cisco Video Portal
3: Cisco Advanced Phishing Protection At A Glance - AVANTEC
4: User Guide for Cisco Advanced Phishing Protection
5: Cisco Secure Email Threat Defense - Cisco
6: Integrating the Email Gateway with Cisco Advanced Phishing Protection
Question # 23
What are two recommended approaches to stop DNS tunneling for data exfiltration and command and control callbacks? (Choose two.)
A. Use intrusion prevention system.
B. Block all TXT DNS records.
C. Enforce security over port 53.
D. Use next generation firewalls.
E. Use Cisco Umbrella.
Answer: C,E
Explanation: DNS tunneling is a technique that uses the DNS protocol to exfiltrate data or
establish command and control channels between a compromised host and an attacker-controlled server. DNS tunneling can bypass network security controls that allow outbound
DNS traffic without inspection or filtering. To stop DNS tunneling, two recommended
approaches are:
Enforce security over port 53. This means applying firewall rules, access control
lists, or other mechanisms to restrict outbound DNS traffic to only authorized DNS
servers and domains. Additionally, DNS traffic should be inspected and analyzed
for anomalies, such as unusually large or frequent queries, non-standard
encoding, or suspicious domains. This can help detect and block DNS tunneling
attempts.
Use Cisco Umbrella. Cisco Umbrella is a cloud-based security service that
provides DNS security, web filtering, and threat intelligence. Cisco Umbrella can
prevent DNS tunneling by blocking malicious domains, enforcing policies based on
content categories, and applying machine learning to identify and stop emerging
threats. Cisco Umbrella can also provide visibility and reporting on DNS activity
and security events.
References:
Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0,
Module 5: Securing the Cloud, Lesson 5.2: DNS Security
What Is DNS Tunneling? - Palo Alto Networks
An Introduction to DNS Tunneling Detection & Data Exfiltration via DNS - Vercara
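The inspection step described above (looking for unusually frequent queries, overlong or non-standard-encoded labels, and a TXT-heavy query mix) as an added example, not code from the page or from Cisco Umbrella. It runs over a constructed query log; thresholds are illustrative and would be tuned per environment.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not real traffic): "client qname qtype" per line.
# The 10.0.0.7 entries mimic the tunnelling pattern described above: many queries to one
# domain whose leftmost label carries hex-encoded data, asked as TXT records.
_TUNNEL_CHUNKS = [b"chunk-00-of-data-", b"chunk-01-of-data-", b"chunk-02-of-data-",
                  b"chunk-03-of-data-", b"chunk-04-of-data-"]
SAMPLE_LOG = "\n".join(
    ["10.0.0.5 www.example.com A",
     "10.0.0.5 mail.example.com MX",
     "10.0.0.5 cdn.example.net A"]
    + [f"10.0.0.7 {c.hex()}.t1.exfil-demo.test TXT" for c in _TUNNEL_CHUNKS]
    + ["10.0.0.7 www.example.com A"]
)


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; encoded payload labels score higher than dictionary words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def split_name(qname: str):
    """Return (registered domain, subdomain part). Assumes a two-label registered domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_dns_log(log_text: str, *, min_queries: int = 4, max_avg_subdomain_len: int = 30,
                  max_avg_entropy: float = 3.5, txt_ratio: float = 0.5) -> dict:
    """Aggregate per (client, domain) and return {key: [reasons]} for pairs matching the indicators."""
    stats = defaultdict(lambda: {"n": 0, "len": 0, "ent": 0.0, "txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype = line.split()
        domain, sub = split_name(qname)
        st = stats[(client, domain)]
        st["n"] += 1                                   # query frequency per client/domain
        st["len"] += len(sub)                          # subdomain length (payload capacity)
        st["ent"] += shannon_entropy(sub.replace(".", ""))
        st["txt"] += qtype in ("TXT", "NULL")          # record types that carry bulk data
    findings = {}
    for key, st in stats.items():
        if st["n"] < min_queries:                      # ignore low-volume pairs
            continue
        reasons = []
        if st["len"] / st["n"] > max_avg_subdomain_len:
            reasons.append("long subdomain labels")
        if st["ent"] / st["n"] > max_avg_entropy:
            reasons.append("high-entropy labels")
        if st["txt"] / st["n"] >= txt_ratio:
            reasons.append("TXT/NULL-heavy query mix")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (client, domain), reasons in score_dns_log(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {', '.join(reasons)}")
```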
Question # 24
For a given policy in Cisco Umbrella, how should a customer block a website based on a custom list?
A. by specifying blocked domains in the policy settings
B. by specifying the websites in a custom blocked category
C. by adding the websites to a blocked type destination list
D. by adding the website IP addresses to the Cisco Umbrella blocklist
Answer: B
Explanation: To block a website based on a custom list, the customer should add the
websites to a blocked type destination list. A destination list is a custom list of domains or
URLs that the customer wants to allow or block for their identities. The customer can create
destination lists through the Policy Components > Destination Lists page, or within the
policy wizard when creating or editing a policy. The custom URL destination block lists
feature enables Umbrella to extend a domain level block list to encompass full and partial
URLs. In turn, this allows the customer to block certain portions of a website based
specifically on the full or partial URL. This feature requires the customer to enable the
intelligent proxy and install a root certificate for SSL decryption. References:
Configure Web Policies and Destination Lists - Cisco Umbrella
Control Access to Custom URLs - Umbrella SIG User Guide
Cisco 350-701: How should customer block websites based on custom list
Umbrella Dashboard: New Features—Custom blocked URLs
Understanding Destination lists supported entries and … - Cisco Umbrella
Question # 25
An administrator is configuring NTP on Cisco ASA via ASDM and needs to ensure that rogue NTP servers cannot insert themselves as the authoritative time source. Which two steps must be taken to accomplish this task? (Choose two.)
A. Specify the NTP version
B. Configure the NTP stratum
C. Set the authentication key
D. Choose the interface for syncing to the NTP server
E. Set the NTP DNS hostname
Answer: C,D
Explanation:
To prevent rogue NTP servers from inserting themselves as the authoritative time source,
the administrator needs to configure NTP authentication and specify the interface for
syncing to the NTP server. NTP authentication allows the ASA to verify the identity and
integrity of the NTP packets received from the server, using a shared secret key.
Specifying the interface for syncing to the NTP server ensures that the ASA uses the
correct source address for sending and receiving NTP packets, and avoids potential routing
issues. The other options are not required or relevant for this task. Specifying the NTP
version is optional and does not affect security. Configuring the NTP stratum is only
applicable for NTP servers, not clients. The ASA can only act as an NTP client, not a server. Setting the NTP DNS hostname is not recommended, as it introduces a
dependency on DNS resolution and may cause synchronization problems if the DNS server
changes the IP address of the NTP server.
References:
Configure NTP Authentication on Secure Network Analytics
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6 -
Basic Settings
Cisco ASA NTP and Clock Configuration with Examples
Question # 26
A security test performed on one of the applications shows that user input is not validated. Which security vulnerability is the application more susceptible to because of this lack of validation?
A. denial-of-service
B. cross-site request forgery
C. man-in-the-middle
D. SQL injection
Answer: D
Explanation: An application that does not validate user input is particularly susceptible to
SQL injection attacks. In an SQL injection attack, an attacker can insert or "inject" a SQL
query via the input data from the client to the application. Due to the lack of validation, the
malicious SQL commands are executed by the database server, leading to unauthorized
access or manipulation of the database.
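The mechanism described above, shown as an added example (not code from the page): a login query that splices unvalidated input into the SQL text, beside a hardened version that validates the input shape and binds values as parameters. It uses an in-memory SQLite table with constructed accounts; a real system would store password hashes, not plaintext.

```python
import re
import sqlite3

# Allow-list for the username shape; anything else is rejected before touching the database.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_demo_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The pattern the question describes: client input becomes part of the query text,
    so quote characters and comment markers in the input change the query's meaning."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Validate the input shape first, then bind both values as parameters; the database
    driver sends them as data, so they can never alter the statement structure."""
    if not USERNAME_RE.fullmatch(username):
        return []
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_demo_db()
    crafted = "alice' --"     # closes the string literal and comments out the password check
    print("vulnerable:", login_vulnerable(db, crafted, "anything"))
    print("hardened:  ", login_hardened(db, crafted, "anything"))
```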
Question # 27
Which function is included when Cisco AMP is added to web security?
A. multifactor authentication-based user identity
B. detailed analytics of the unknown file's behavior
C. phishing detection on emails
D. threat prevention on an infected endpoint
Answer: B
Explanation: Cisco Advanced Malware Protection (AMP) for Web Security is a solution
that provides protection against web-related threats before, during, and after an attack.
One of the functions that AMP for Web Security includes is detailed analytics of the
unknown file’s behavior. This means that AMP can continuously monitor and analyze the
activity of files that cross the web gateway, even after they have been initially scanned and
allowed. This allows AMP to detect and block any malicious behavior that may emerge
later, and provide retrospective security alerts and remediation actions [1][2].
References:
1: Cisco Advanced Malware Protection for Web Security
2: Cisco Adds Advanced Malware Protection to Web and Email Security Appliances and Cloud Services
Question # 28
What is the most commonly used protocol for network telemetry?
A. SMTP
B. SNMP
C. TFTP
D. NetFlow
Answer: B
Explanation: SNMP (Simple Network Management Protocol) is the most commonly used
protocol for network telemetry. SNMP is a standard protocol that allows network devices to
exchange management information [1]. SNMP agents run on network devices and collect
data about their status, performance, configuration, and events. SNMP managers run on
network management systems and query the agents for data or receive notifications from
them. SNMP can also be used to configure or control network devices remotely [2]. SNMP is
widely supported by various vendors and platforms, and it provides a simple and flexible
way to monitor and manage networks [3].
References:
1: What is SNMP? | Cisco
2: SNMP Basics: What is SNMP and How It Works
Question # 29
Which two functions does the Cisco Advanced Phishing Protection solution perform in trying to protect from phishing attacks? (Choose two.)
A. blocks malicious websites and adds them to a block list
B. does a real-time user web browsing behavior analysis
C. provides a defense for on-premises email deployments
D. uses a static algorithm to determine malicious
E. determines if the email messages are malicious
Answer: B,E
Explanation: Cisco Advanced Phishing Protection (AAP) is a solution that helps
organizations protect against fraudulent senders and identity deception-based attacks,
such as business email compromise (BEC) and spear phishing. AAP uses advanced
machine learning techniques, real-time behavior analytics, relationship modeling, and
telemetry to perform two main functions [1][2]:
It determines if the email messages are malicious by assessing the threat posture
of the sender and the content of the message. It also validates the reputation and
authenticity of the sender by checking various indicators, such as the domain, the
IP address, the SPF, DKIM, and DMARC records, the display name, the reply-to
address, and the header information. AAP assigns a risk score to each email
message and provides a verdict of clean, malicious, or suspicious. It also adds a
banner to the email message to inform the recipient of the risk level and the
recommended action.
It does a real-time user web browsing behavior analysis by monitoring the user’s
interaction with the email message and the links embedded in it. It tracks the
user’s clicks, mouse movements, dwell time, and other indicators to detect any
signs of hesitation, confusion, or curiosity. It also analyzes the destination URL of
the links and compares it with the known malicious websites. If AAP detects any
anomalous or risky behavior, it intervenes with a warning message or a redirect
page to educate the user and prevent them from falling victim to the phishing
attack.
References:
1: Cisco’s Security Innovations to Protect the Endpoint and Email
2: Cisco Advanced Phishing Protection - Cisco Video Portal
Question # 30
Which two capabilities of Integration APIs are utilized with Cisco DNA Center? (Choose two.)
A. Upgrade software on switches and routers
B. Third party reporting
C. Connect to ITSM platforms
D. Create new SSIDs on a wireless LAN controller
E. Automatically deploy new virtual routers
Question # 31
What is a difference between GRE over IPsec and IPsec with crypto map?
A. Multicast traffic is supported by IPsec with crypto map.
B. GRE over IPsec supports non-IP protocols.
C. GRE provides its own encryption mechanism.
D. IPsec with crypto map offers better scalability.
Answer: B
Explanation: The difference between GRE over IPsec and IPsec with crypto map is that
GRE (Generic Routing Encapsulation) over IPsec can encapsulate and transport non-IP
protocols across an IP network, whereas IPsec with crypto map is typically used for IP
traffic. GRE tunnels wrapped in IPsec provide a way to transport multicast traffic and other
protocol types across an IPsec VPN, offering greater flexibility in the types of traffic that can
be secured.
Question # 32
What are two ways a network administrator transparently identifies users using Active
Directory on the Cisco WSA? (Choose two.)
A. Create an LDAP authentication realm and disable transparent user identification.
B. Create NTLM or Kerberos authentication realm and enable transparent user identification.
C. Deploy a separate Active Directory agent such as Cisco Context Directory Agent.
D. The eDirectory client must be installed on each client workstation.
E. Deploy a separate eDirectory server; the client IP address is recorded in this server.
Answer: B,C
Explanation: A network administrator can transparently identify users using Active
Directory on the Cisco WSA in two ways:
Create NTLM or Kerberos authentication realm and enable transparent user
identification. This option allows the WSA to use the NTLM or Kerberos protocol to
authenticate users without prompting them for credentials. The WSA must join the
Active Directory domain and have a valid service principal name (SPN) for this
option to work [1].
Deploy a separate Active Directory agent such as Cisco Context Directory Agent
(CDA). This option allows the WSA to receive user-to-IP mappings from the CDA,
which monitors the Active Directory domain controllers for user logon events. The
CDA must be installed on a Windows server and have access to the domain
controllers and the WSA [2].
The other options are not ways to transparently identify users using Active Directory on the
Cisco WSA. Creating an LDAP authentication realm and disabling transparent user
identification will require users to enter their credentials manually. Installing the eDirectory
client on each client workstation or deploying a separate eDirectory server are not related
to Active Directory, but to Novell eDirectory, which is a different directory service [3].
References:
1: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: Active Directory/Kerberos, page 4-3.
2: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: Active Directory Agent, page 4-5.
3: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: eDirectory, page 4-8.
Question # 33
Which solution is more secure than the traditional use of a username and password and encompasses at least two of the methods of authentication?
A. single sign-on
B. RADIUS/LDAP authentication
C. Kerberos security solution
D. multifactor authentication
Answer: D
Explanation: Multifactor authentication (MFA) is a solution that requires the user to
provide two or more verification factors to gain access to a resource, such as an
application, online account, or a VPN. MFA is more secure than the traditional use of a
username and password because it reduces the risk of identity theft, phishing, and
credential compromise. MFA can use different types of factors, such as something the user
knows (e.g., password, PIN), something the user has (e.g., smartphone, token, smart
card), or something the user is (e.g., fingerprint, facial recognition). MFA can be
implemented using various methods, such as security defaults, Conditional Access
policies, or third-party solutions [1][2][3].
References:
Vulnerability Detection and Patch Management - Cisco 4: Cisco Tetration Platform Data Sheet - Cisco
Question # 35
Which metric is used by the monitoring agent to collect and output packet loss and jitter
information?
A. WSAv performance
B. AVC performance
C. TCP performance
D. RTP performance
Answer: D
Explanation: The monitoring agent uses the RTP (Real-time Transport Protocol) performance metric to
collect and output packet loss and jitter information. RTP is a network protocol used for
delivering audio and video over IP networks. It provides mechanisms for timestamping,
sequence numbering, and delivery monitoring, which allow for the measurement of packet
loss and jitter. RTP is specifically designed for real-time multimedia streaming applications,
which are more sensitive to changes in the transmission characteristics of data networks than other applications. Therefore, RTP performance is a suitable metric for monitoring and
collecting packet loss and jitter information.
The other options are not directly related to measuring packet loss and jitter. TCP
(Transmission Control Protocol) is a transport protocol that ensures reliable and ordered
delivery of data, but it is not typically used for real-time multimedia applications. WSAv
(Web Security Virtual Appliance) is a Cisco solution for web security, but it does not
measure packet loss and jitter. AVC (Application Visibility and Control) is a technology that
monitors and controls network applications, but it does not focus on packet loss and
jitter.
References:
Measuring Delay, Jitter, and Packet Loss with Cisco IOS SAA and RTTMON
Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0
Cisco 350-701: Which metric used by monitoring agent to collect and output packet loss and jitter information?
Question # 36
An organization uses Cisco FMC to centrally manage multiple Cisco FTD devices. The default management port conflicts with other communications on the network and must be changed. What must be done to ensure that all devices can communicate together?
A. Set the sftunnel to go through the Cisco FTD
B. Change the management port on Cisco FMC so that it pushes the change to all managed Cisco FTD devices
C. Set the sftunnel port to 8305.
D. Manually change the management port on Cisco FMC and all managed Cisco FTD devices
Answer: D
Explanation: The management port on Cisco FMC is used to establish a secure
connection with the managed Cisco FTD devices. If the default management port (8305)
conflicts with other communications on the network, it must be changed on both the Cisco
FMC and the Cisco FTD devices. This cannot be done automatically by the Cisco FMC, as
it would lose connectivity with the devices. Therefore, the administrator must manually
change the management port on the Cisco FMC and all the managed Cisco FTD devices
using the command line interface (CLI). The steps to change the management port are as
follows:
Log into the CLI of the Cisco FMC and the Cisco FTD devices using a console
connection or SSH.
Enter the configure network {ipv4 | ipv6} manual ip_address netmask data-interfaces command to change the management port on the Cisco FMC. For example, configure network ipv4 manual 10.10.10.10 255.255.255.0 data-interfaces changes the management port to 10.10.10.10/24.
Enter the configure network {ipv4 | ipv6} manual ip_address netmask gateway
management-only command to change the management port on the Cisco FTD
devices. For example, configure network ipv4 manual 10.10.10.11 255.255.255.0
10.10.10.10 management-only changes the management port to 10.10.10.11/24
and sets the gateway to the Cisco FMC’s management port.
Save the configuration and restart the Cisco FMC and the Cisco FTD devices.
Verify the connectivity between the Cisco FMC and the Cisco FTD devices using
the show managers command on the Cisco FTD devices and the show
devices command on the Cisco FMC.
References:
Firepower Management Center Device Configuration Guide, 7.1 - Device
Management
Change management port fmc 1600 - Cisco Community
Solved: FMC 2120 FTD Management Only Port - Cisco Community
Change the FMC Access Interface from Management to Data
Question # 37
Why is it important for the organization to have an endpoint patching strategy?
A. so the organization can identify endpoint vulnerabilities
B. so the internal PSIRT organization is aware of the latest bugs
C. so the network administrator is notified when an existing bug is encountered
D. so the latest security fixes are installed on the endpoints
Answer: D
Question # 38
What is the target in a phishing attack?
A. perimeter firewall
B. IPS
C. web server
D. endpoint
Answer: D
Explanation: The target in a phishing attack is the endpoint, which is the device or system
that the user interacts with, such as a computer, smartphone, or tablet. Phishing attacks
aim to steal or damage sensitive data by deceiving people into revealing personal
information like passwords and credit card numbers, or clicking on malicious links or
attachments that can install malware on the endpoint. Phishing attacks can be delivered
through various channels, such as email, phone, or text message, but they all rely on social
engineering techniques to manipulate the user’s trust and curiosity. By compromising the
endpoint, attackers can gain access to the user’s accounts, files, network, or other resources. Therefore, endpoint security is essential to prevent phishing attacks and protect
the user’s data and identity. References:
What Is a Phishing Attack? Definition and Types - Cisco
8 types of phishing attacks and how to identify them
What Is Phishing? | Microsoft Security
Phishing | What Is Phishing?
Question # 39
A network engineer must configure a Cisco ESA to prompt users to enter two forms of information before gaining access. The Cisco ESA must also join a cluster machine using preshared keys. What must be configured to meet these requirements?
A. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco ESA CLI
B. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco ESA GUI
C. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the Cisco ESA GUI.
D. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the Cisco ESA CLI
Answer: A
Explanation: Two-factor authentication is a security feature that requires users to provide
two forms of information before gaining access to the Cisco ESA. The two factors are
usually something the user knows, such as a password, and something the user has, such
as a token or a code. Two-factor authentication can be enabled for specific user roles on
the Cisco ESA through a RADIUS server, which is an external authentication server that
supports the Remote Authentication Dial-In User Service (RADIUS) protocol. The RADIUS
server can generate and validate the second factor for the users, such as a one-time
password (OTP) or a time-based one-time password (TOTP). To enable two-factor
authentication through a RADIUS server, the network engineer must configure the RADIUS
server settings on the Cisco ESA, and assign the user roles that require two-factor
authentication to use the RADIUS server as the authentication source. This can be done on
the System Administration > Users page in the web interface, or by using the userconfig
command in the CLI [1][2].
A cluster is a group of Cisco ESAs that share the same configuration information and can
be managed centrally. A cluster can provide increased reliability, flexibility, and scalability
for the email security system. To join a cluster, a Cisco ESA must have the same AsyncOS
version as the other cluster members, and must use a pre-shared key to authenticate with the cluster leader. The pre-shared key is a secret passphrase that is configured on the
cluster leader and must be entered on the joining appliance. To join a cluster by using the
Cisco ESA CLI, the network engineer must use the clusterconfig command, which allows
the engineer to create a new cluster, join an existing cluster, or leave a cluster. The
clusterconfig command also allows the engineer to specify the communication port and the
hostname or IP address of the cluster leader. If the Cisco ESA has enabled two-factor
authentication, the network engineer must also use the clusterconfig > prepjoin command
to configure the pre-shared key before joining the cluster [3][4].
Therefore, option A is the correct answer, and the other options are incorrect. Option B is
incorrect because the cluster configuration options must be done via the CLI on the Cisco
ESA and cannot be created or joined in the GUI. Option C is incorrect because the Cisco
ESA does not support TACACS+ as an external authentication source, only LDAP and
RADIUS. Option D is incorrect because it also uses TACACS+, which is not supported by
the Cisco ESA.
References:
1: User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - Distributing Administrative Tasks
2: User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - External Authentication
3: Configure an Email Security Appliance (ESA) Cluster
4: User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - Centralized Management
Question # 40
Email security has become a high priority task for a security engineer at a large multinational organization due to ongoing phishing campaigns. To help control this, the engineer has deployed an Incoming Content Filter with a URL reputation of (-10.00 to -6.00) on the Cisco ESA. Which action will the system perform to disable any links in messages that match the filter?
A. Defang
B. Quarantine
C. FilterAction
D. ScreenAction
Answer: A
Defanging is the process of modifying a URL in a message to prevent it from being clickable. This can help protect users from malicious links that have a low URL reputation score. Defanging is one of the actions that can be configured in the Incoming Content Filter on the Cisco ESA. The other actions are Quarantine, FilterAction, and ScreenAction. Quarantine sends the message to a quarantine area for further inspection. FilterAction applies a predefined action such as drop, bounce, or deliver. ScreenAction displays a warning message to the user before allowing them to access the URL. Defanging is the only action that disables the links in the message without affecting the delivery or visibility of the message [1][2].
References: 1: URL Filtering on the Cisco IronPort ESA - Mikail's Blog; 2: Configure URL Filtering for Secure Email Gateway and Cloud Gateway - Cisco
Question # 41
An engineer must configure Cisco AMP for Endpoints so that it contains a list of files that should not be executed by users. These files must not be quarantined. Which action meets this configuration requirement?
A. Identify the network IPs and place them in a blocked list.
B. Modify the advanced custom detection list to include these files.
C. Create an application control blocked applications list.
D. Add a list for simple custom detection.
Answer: C
Explanation:
The correct action is to create an application control blocked applications list. This option allows you to specify a list of files that you want to prevent from running on the endpoints that have the AMP connector installed. The files are identified by their SHA-256 hashes, and you can upload them individually or in a batch. The files are not quarantined, but they are blocked from execution and reported as events in the AMP console [1]. This option is different from the simple custom detection list, which is used to detect and quarantine specific files that are considered malicious [2]. The advanced custom detection list is also used to detect and quarantine files, but it allows you to specify more criteria such as file size, file name, and file path [3]. The IP block and allow lists are used to control the network traffic to and from the endpoints, not file execution [4].
References: 1: Configure Application Control on the AMP for Endpoints Portal; 2: Configure a Simple Custom Detection List on the AMP for Endpoints Portal; 3: Configure an Advanced Custom Detection List on the AMP for Endpoints Portal; 4: Configure IP Block and Allow Lists on the AMP for Endpoints Portal
Question # 42
Which VMware platform does Cisco ACI integrate with to provide enhanced visibility,
provide policy integration and deployment, and implement security policies with access
lists?
A. VMware APIC
B. VMware vRealize
C. VMware Fusion
D. VMware Horizon
Answer: A
Explanation: VMware APIC is a platform that integrates with Cisco ACI to provide enhanced visibility, policy integration and deployment, and security policies with access lists. VMware APIC is a virtual appliance that runs on VMware vSphere and communicates with the Cisco APIC controller. VMware APIC allows administrators to create and manage Cisco ACI policies for VMware virtual machines and networks. VMware APIC also provides a unified view of the physical and virtual network topology, health, and statistics. VMware APIC supports the following modes of Cisco ACI and VMware integration:
VMware VDS: When integrated with Cisco ACI, the VMware vSphere Distributed Switch (VDS) enables administrators to configure VM networking in the ACI fabric.
Cisco ACI Virtual Edge: Cisco ACI Virtual Edge is a distributed service that provides Layer 4 to Layer 7 services for applications running on VMware vSphere.
Cisco Application Virtual Switch (AVS): Cisco AVS is a distributed virtual switch that provides policy-based network services for VMware vSphere environments.
References:
Cisco ACI with VMware VDS Integration
Cisco ACI and VMware NSX-T Data Center Integration
Cisco ACI and VMware: The Perfect Pair
Setting the Record Straight: Confusion about ACI on VMware Technologies
Question # 43
Which Cisco WSA feature supports access control using URL categories?
A. transparent user identification
B. SOCKS proxy services
C. web usage controls
D. user session restrictions
Answer: C
Web usage controls are a feature of the Cisco Web Security Appliance (WSA) that allow administrators to define and enforce policies for web access based on URL categories. URL categories are groups of websites that share a common theme or content, such as news, sports, or entertainment. Cisco WSA uses the Cisco Dynamic Content Analysis Engine and the Talos Security Intelligence and Research Group to provide accurate and up-to-date URL categorization. Administrators can use web usage controls to allow, block, warn, or monitor web requests based on the URL category of the destination website. They can also create custom URL categories to include or exclude specific domains or URLs from the predefined categories. Web usage controls help administrators control web traffic, enhance security, improve productivity, and comply with regulatory and organizational requirements.
References:
Web Usage Controls - Cisco Web Security Appliance User Guide, Cisco
Cisco Web Usage Control Filtering Categories Data Sheet, Cisco
Define Custom URL Categories in WSA, Cisco
Question # 44
Which API method and required attribute are used to add a device into Cisco DNA Center with the native API?
A. GET and serialNumber
B. userSudiSerialNos and deviceInfo
C. POST and name
D. lastSyncTime and pid
Answer: C
To add a device into Cisco DNA Center with the native API, the POST method and the name attribute are required. The POST method is used to create a new resource on the server, such as a device. The name attribute is used to specify the hostname or IP address of the device to be added. The POST method requires a JSON body that contains the device information, such as the name, type, role, credentials, and other optional parameters. The Cisco DNA Center API documentation provides an example of the JSON body and the response for adding a device [1]. The Cisco DNA Center Platform User Guide also explains how to use the native API to add devices [2].
References: 1: Cisco DNA Center API Documentation - Add Device; 2: Cisco DNA Center Platform User Guide, Release 2.3.5 - Manage Devices Using the Native API