Pass the 350-701 Exam on Your First Try – 100% Guaranteed Study Material
Struggling to find the right resources to prepare for the Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) certification? Your search ends here. At Certionary, we offer real exam-based dumps and expertly crafted study guides that mirror the actual exam format — giving you everything you need to pass with confidence.
Why Choose Certionary for 350-701?
Verified Exam Questions & Answers – Straight from real exam patterns
Accurate & Updated Content – Covers the latest 350-701 syllabus
Downloadable PDF Format – Study offline anytime, anywhere
Designed for Fast Learning – No filler, just what you need to know
100% Pass Guarantee – Or your money back
We don’t just help you prepare — we guarantee your success.
What’s Inside?
Full collection of 350-701 real questions & verified answers
Practice materials that reflect actual exam difficulty
Clear explanations to help you understand, not just memorize
Easy-to-navigate PDF files — use on your phone, tablet, or desktop
Lifetime access & free future updates
Our dumps are trusted by thousands of IT professionals around the world. You study less, learn more, and pass faster. Why take risks with outdated material or generic practice questions? With Certionary, you get precisely what you need to pass — no guesswork, no stress.
Cisco 350-701 Sample Questions
Question # 1
What is the difference between EPP and EDR?
A. EPP focuses primarily on threats that have evaded front-line defenses that entered the environment.
B. Having an EPP solution allows an engineer to detect, investigate, and remediate modern threats.
C. EDR focuses solely on prevention at the perimeter.
D. Having an EDR solution gives an engineer the capability to flag offending files at the first sign of malicious behavior.
Answer: D
Explanation: EPP and EDR are two types of endpoint security solutions that have different goals and capabilities. EPP stands for endpoint protection platform, which is a suite of technologies that work together to prevent, detect, and remediate security threats on endpoints. EPP solutions use techniques such as antivirus, firewall, application control, and patch management to block known and unknown malware and malicious activity. EDR stands for endpoint detection and response, which is a solution that provides real-time visibility into endpoint activities and enables security teams to detect, investigate, and respond to advanced threats that may have bypassed EPP defenses. EDR solutions use techniques such as behavioral analysis, threat intelligence, and incident response to flag offending files at the first sign of malicious behavior, contain and isolate compromised endpoints, and remediate the damage caused by the attack. Therefore, the correct answer is D, as having an EDR solution gives an engineer the capability to flag offending files at the first sign of malicious behavior. The other options are incorrect because:
A is false, as EPP focuses primarily on threats that have evaded front-line defenses that entered the environment, not EDR.
B is false, as having an EPP solution allows an engineer to detect, investigate, and remediate modern threats, not EDR.
C is false, as EDR focuses on detection and response at the endpoint level, not prevention at the perimeter.
References: EPP vs. EDR: Why You Need Both - CrowdStrike
Question # 2
A. signature-based endpoint protection on company endpoints
B. macro-based protection to keep connected endpoints safe
C. continuous monitoring of all files that are located on connected endpoints
D. email integration to protect endpoints from malicious content that is located in email
E. real-time feeds from global threat intelligence centers
Answer: C,E
Explanation: A next-generation endpoint security solution is a modern approach of combining user and system behavior analytics with AI and machine learning to provide endpoint security [1][2]. These solutions are specifically designed to detect unknown malware and zero-day threats, which other non-next-generation solutions might fail to detect [3]. Two key deliverables that help justify the implementation of a next-generation endpoint security solution are:
Continuous monitoring of all files that are located on connected endpoints. This feature allows the solution to scan and analyze all files on the endpoints, regardless of their origin or type, and identify any malicious or suspicious behavior. This helps to prevent malware from infecting the endpoints or spreading to other devices on the network [4].
Question # 3
An engineer is trying to decide whether to use Cisco Umbrella, Cisco CloudLock, Cisco Stealthwatch, or Cisco AppDynamics Cloud Monitoring for visibility into data transfers as well as protection against data exfiltration. Which solution best meets these requirements?
A. Cisco CloudLock
B. Cisco AppDynamics Cloud Monitoring
C. Cisco Umbrella
D. Cisco Stealthwatch
Answer: A
Explanation: Cisco CloudLock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. CloudLock’s simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem. With CloudLock you can more easily combat data breaches while meeting compliance regulations [1]. Cisco CloudLock provides the following features that meet the requirements of visibility into data transfers as well as protection against data exfiltration:
User security: Cloudlock uses advanced machine learning algorithms to detect anomalies based on multiple factors. It also identifies activities outside allowed countries and spots actions that seem to take place at impossible speeds across distances [1].
Data security: Cloudlock’s data loss prevention (DLP) technology continuously monitors cloud environments to detect and secure sensitive information. It provides countless out-of-the-box policies as well as highly tunable custom policies. It also supports inline and out-of-band data inspection and blocking capabilities to protect sensitive data [1][2].
App security: The Cloudlock Apps Firewall discovers and controls cloud apps connected to your corporate environment. You can see a crowd-sourced Community Trust Rating for individual apps, and you can ban or allowlist them based on risk [1].
The other solutions do not provide the same level of visibility and protection as Cisco CloudLock:
Cisco Umbrella is a cloud-delivered network security service that provides DNS-layer security, secure web gateway, cloud-delivered firewall, cloud access security broker, and threat intelligence [3]. It does not offer data security features such as DLP, data inspection, and data blocking [4].
Cisco AppDynamics Cloud Monitoring is a cloud-native application performance management solution that helps you monitor, troubleshoot, and optimize your cloud applications. It does not offer user security, data security, or app security features as a CASB solution.
Cisco Stealthwatch is a network traffic analysis solution that provides visibility and threat detection across your network, endpoints, and cloud. It does not offer data security features such as DLP, data inspection, and data blocking.
References: 1: Cisco Cloudlock - Cisco; 2: Cisco Cloudlock: Secure Cloud Data; 3: Cisco Umbrella Packages - Cisco Umbrella; 4: Easy to Deploy & Simple to Manage CASB Solution - Cisco Umbrella; Cisco AppDynamics Cloud Monitoring; Cisco Stealthwatch - Cisco
Question # 4
An engineer needs to detect and quarantine a file named abc424400664.zip based on the MD5 signature of the file using the Outbreak Control list feature within Cisco Advanced Malware Protection (AMP) for Endpoints. The configured detection method must work on files of unknown disposition. Which Outbreak Control list must be configured to provide this?
A. Blocked Application
B. Simple Custom Detection
C. Advanced Custom Detection
D. Android Custom Detection
Answer: B
Explanation: Simple Custom Detection is a feature of Cisco AMP for Endpoints that allows administrators to block specific files based on their SHA-256 or MD5 hashes. This feature can be used to detect and quarantine files of unknown disposition, such as abc424400664.zip, by adding their hashes to a custom list in the AMP portal. The list can then be applied to a policy that is assigned to the endpoints. Simple Custom Detection works on files of any type, size, or platform, unlike the other options that are either platform-specific (Android Custom Detection), size-limited (Blocked Application), or signature-based (Advanced Custom Detection).
References: 1, 2, 3
Question # 5
Which Cisco network security device supports contextual awareness?
A. Firepower
B. Cisco ASA
C. Cisco IOS
D. ISE
Answer: A
Explanation: Contextual awareness is the ability to collect and analyze information about the network environment, such as users, devices, applications, threats, and vulnerabilities, and use it to enhance security policies and actions. Cisco Firepower is a network security device that supports contextual awareness by providing real-time visibility into network traffic and activity, security intelligence from Cisco Talos and other sources, and advanced threat protection with Cisco AMP and sandboxing. Cisco Firepower can also leverage Cisco pxGrid to share contextual data with other security solutions, such as SIEM and TD platforms, to enable faster and more accurate threat detection and response [1][2][3].
References: 1: Cisco Firepower NGIPS Data Sheet - Cisco; 2: Cisco Identity Services Engine with Integrated Security Information and Event Management and Threat Defense Platforms At-a-Glance - Cisco; 3: A Visibility-Driven Approach to Next-Generation Firewalls
Question # 6
An organization uses Cisco FMC to centrally manage multiple Cisco FTD devices. The default management port conflicts with other communications on the network and must be changed. What must be done to ensure that all devices can communicate together?
A. Manually change the management port on Cisco FMC and all managed Cisco FTD devices
B. Set the tunnel to go through the Cisco FTD
C. Change the management port on Cisco FMC so that it pushes the change to all managed Cisco FTD devices
D. Set the tunnel port to 8305
Answer: A
Explanation: The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305. Cisco strongly recommends that you keep the default settings for the remote management port, but if the management port conflicts with other communications on your network, you can choose a different port. If you change the management port, you must change it for all devices in your deployment that need to communicate with each other.
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/misc/fmc-ftd-mgmtnw/fmc-ftd-mgmtnw.html
Question # 7
Which configuration method provides the options to prevent physical and virtual endpoint devices that are in the same base EPG or uSeg from being able to communicate with each other with VMware VDS or Microsoft vSwitch?
A. inter-EPG isolation
B. inter-VLAN security
C. intra-EPG isolation
D. placement in separate EPGs
Answer: C
Explanation: Intra-EPG Isolation is an option to prevent physical or virtual endpoint devices that are in the same base EPG or microsegmented (uSeg) EPG from communicating with each other. By default, endpoint devices included in the same EPG are allowed to communicate with one another.
Question # 8
Which role is a default guest type in Cisco ISE?
A. Monthly
B. Yearly
C. Contractor
D. Full-Time
Answer: C,D
Explanation: To add switches into the fabric, administrators can use PowerOn Auto Provisioning (POAP) or Seed IP methods. POAP is a feature that automates the process of upgrading software images and installing configuration files on Cisco switches that are being deployed in the network for the first time. Seed IP is a method that allows administrators to specify the IP address of a switch that is already part of the fabric, and then use it to discover and add other switches that are connected to it. Both methods enable administrators to control how switches are added into DCNM for private cloud management.
References: POAP, section “PowerOn Auto Provisioning (POAP)”; Seed IP, section “Add Switches”; https://www.cisco.com/c/en/us/td/docs/security/ise/1-4-1/admin_guide/b_ise_admin_guide_141/b_ise_admin_guide_141_chapter_01110.htm
Question # 9
An engineer is implementing DHCP security mechanisms and needs the ability to add additional attributes to profiles that are created within Cisco ISE. Which action accomplishes this task?
A. Define MAC-to-IP address mappings in the switch to ensure that rogue devices cannot get an IP address
B. Use DHCP option 82 to ensure that the request is from a legitimate endpoint and send the information to Cisco ISE
C. Modify the DHCP relay and point the IP address to Cisco ISE.
D. Configure DHCP snooping on the switch VLANs and trust the necessary interfaces
Answer: B
Explanation: DHCP option 82 is a feature that allows the network access device (NAD) to insert additional information into the DHCP request packet from the endpoint. This information can include the switch ID, port number, VLAN ID, and other attributes that can help Cisco ISE to identify and profile the endpoint. Cisco ISE can use DHCP option 82 to assign the endpoint to the appropriate identity group, policy, and authorization profile. DHCP option 82 is also useful to prevent rogue DHCP servers from assigning IP addresses to endpoints, as Cisco ISE can verify the legitimacy of the DHCP request based on the option 82 data. To use DHCP option 82, the NAD must be configured to enable this feature and send the option 82 data to Cisco ISE. Cisco ISE must also be configured to accept and parse the option 82 data from the NAD. For more details on how to configure DHCP option 82 on Cisco ISE and NAD, see the references below.
References: Configuring the DHCP Probe; Securing Your Network From DHCP Risks; Can we use ISE as DHCP/DNS server to prevent guest traffic using …
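To show concretely what the NAD inserts and what a profiler such as the ISE DHCP probe can extract, here is an added example in Python (written for this page, not taken from Cisco ISE or any Cisco document): it walks a DHCP options field, finds option 82 and decodes its Agent Circuit ID (sub-option 1) and Agent Remote ID (sub-option 2) into profiling attributes. The circuit-id layout (VLAN, module, port) and remote-id layout (relay MAC) decoded here are assumed Cisco-style formats, and the packet bytes are a constructed sample.

```python
"""Parse DHCP relay agent information (option 82) sub-options.

Added example, not from the original page. Given the raw DHCP options
field of a DHCPDISCOVER/REQUEST, locate option 82 and decode the Agent
Circuit ID (sub-option 1) and Agent Remote ID (sub-option 2) that a network
access device inserts before relaying the request. The Cisco-style
circuit-id layout (VLAN / module / port) and remote-id layout (relay MAC)
decoded below are assumptions for illustration; other vendors use free-form
strings, in which case the raw bytes are returned as hex.
"""
import struct
from typing import Optional

OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
OPTION_PAD = 0
OPTION_END = 255


def parse_options(options: bytes) -> dict:
    """Walk the DHCP options TLV list and return {option_code: value}."""
    result = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(value)} present")
        result[code] = value
        i += 2 + length
    return result


def parse_option82(value: bytes) -> dict:
    """Decode the sub-option TLVs carried inside option 82."""
    subs = {}
    i = 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        body = value[i + 2 : i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated sub-option body")
        subs[code] = body
        i += 2 + length
    return subs


def decode_cisco_circuit_id(body: bytes) -> dict:
    """Assumed Cisco layout: type(1)=0 len(1)=4 vlan(2) module(1) port(1)."""
    if len(body) != 6 or body[0] != 0 or body[1] != 4:
        return {"circuit_id_raw": body.hex()}  # vendor-specific string form
    vlan, module, port = struct.unpack("!HBB", body[2:])
    return {"vlan": vlan, "module": module, "port": port}


def decode_remote_id(body: bytes) -> str:
    """Assumed layout: type(1)=0 len(1) followed by the relay's MAC address."""
    if len(body) < 2 or body[0] != 0 or body[1] != len(body) - 2:
        return body.hex()
    return ":".join(f"{b:02x}" for b in body[2:])


def profile_attributes(options: bytes) -> Optional[dict]:
    """Attributes a profiler could attach to the endpoint; None if no option 82."""
    opts = parse_options(options)
    if OPTION_RELAY_AGENT not in opts:
        return None
    subs = parse_option82(opts[OPTION_RELAY_AGENT])
    attrs = {}
    if SUBOPT_CIRCUIT_ID in subs:
        attrs.update(decode_cisco_circuit_id(subs[SUBOPT_CIRCUIT_ID]))
    if SUBOPT_REMOTE_ID in subs:
        attrs["relay_mac"] = decode_remote_id(subs[SUBOPT_REMOTE_ID])
    return attrs


# Constructed sample: option 53 (message type) = DISCOVER, then option 82
# carrying circuit-id VLAN 10 / module 1 / port 7 and remote-id MAC
# 00:11:22:33:44:55, then the END option.
SAMPLE_OPTIONS = bytes([
    53, 1, 1,
    82, 18,
        1, 6, 0, 4, 0x00, 0x0A, 0x01, 0x07,
        2, 8, 0, 6, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    255,
])

if __name__ == "__main__":
    print(profile_attributes(SAMPLE_OPTIONS))
```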
Question # 10
Which threat intelligence standard contains malware hashes?
A. advanced persistent threat
B. open command and control
C. structured threat information expression
D. trusted automated exchange of indicator information
Answer: D
Explanation: The threat intelligence standard that contains malware hashes is trusted automated exchange of indicator information (TAXII). TAXII is a protocol that enables the exchange of cyber threat information in a standardized and automated manner. It supports various types of threat intelligence, such as indicators of compromise (IOCs), observables, incidents, tactics, techniques, and procedures (TTPs), and campaigns. Malware hashes are one example of IOCs that can be shared using TAXII. Malware hashes are cryptographic signatures that uniquely identify malicious files or programs. They can be used to detect and block malware infections on endpoints or networks. TAXII uses STIX (structured threat information expression) as the data format for representing threat intelligence. STIX is a language that defines a common vocabulary and structure for describing cyber threat information. STIX allows threat intelligence producers and consumers to share information in a consistent and interoperable way. STIX defines various objects and properties that can be used to represent different aspects of cyber threat information, such as indicators, observables, incidents, TTPs, campaigns, threat actors, courses of action, and relationships. Malware hashes can be expressed as observables in STIX, which are concrete items or events that are observable in the operational domain. Observables can have various types, such as file, process, registry key, URL, IP address, domain name, etc. Each observable type has a set of attributes that describe its properties. For example, a file observable can have attributes such as name, size, type, hashes, magic number, etc. A hash attribute can have a type (such as MD5, SHA1, SHA256, etc.) and a value (such as the hexadecimal representation of the hash). A file observable can have one or more hash attributes to represent different hashing algorithms applied to the same file. For example, a file observable can have both MD5 and SHA256 hashes to increase the confidence and accuracy of identifying the file.
The other options are incorrect because they are not threat intelligence standards that contain malware hashes. Option A is incorrect because advanced persistent threat (APT) is not a standard, but a term that describes a stealthy and sophisticated cyberattack that aims to compromise and maintain access to a target network or system over a long period of time. Option B is incorrect because open command and control (OpenC2) is not a standard that contains malware hashes, but a language that enables the command and control of cyber defense components, such as sensors, actuators, and orchestrators. Option C is incorrect because structured threat information expression (STIX) is not a standard that contains malware hashes, but a data format that represents threat intelligence. STIX uses TAXII as the transport protocol for exchanging threat intelligence, including malware hashes.
References: TAXII; STIX; Malware Hashes
Question # 11
What are two functions of IKEv1 but not IKEv2? (Choose two)
A. NAT-T is supported in IKEv1 but not in IKEv2.
B. With IKEv1, when using aggressive mode, the initiator and responder identities are passed cleartext
C. With IKEv1, aggressive mode negotiates faster than main mode
D. IKEv1 uses EAP authentication
E. IKEv1 conversations are initiated by the IKE_SA_INIT message
Answer: B,C
Explanation: IKEv1 has two modes of operation: main mode and aggressive mode. Main mode uses six messages to establish the IKE SA, while aggressive mode uses only three messages. Therefore, aggressive mode is faster than main mode, but less secure, as it exposes the identities of the peers in cleartext. This makes it vulnerable to man-in-the-middle attacks. IKEv2 does not have these modes, but uses a single four-message exchange to establish the IKE SA. IKEv2 also encrypts the identities of the peers, making it more secure than IKEv1 aggressive mode.
IKEv1 uses EAP authentication only for remote access VPNs, not for site-to-site VPNs. IKEv2 supports EAP authentication for both types of VPNs. EAP authentication allows the use of various authentication methods, such as certificates, tokens, or passwords.
IKEv1 conversations are initiated by the ISAKMP header, which contains the security parameters and the message type. IKEv2 conversations are initiated by the IKE_SA_INIT message, which contains the security parameters, the message type, and the message ID. The message ID is used to identify and order the messages in the IKEv2 exchange.
NAT-T is supported by both IKEv1 and IKEv2. NAT-T stands for Network Address Translation-Traversal, and it is a mechanism that allows IKE and IPsec traffic to pass through a NAT device. NAT-T detects the presence of NAT and encapsulates the IKE and IPsec packets in UDP headers, so that they can be translated by the NAT device.
References: IKEv1 vs IKEv2 – What is the Difference?
Question # 12
A network administrator is setting up Cisco FMC to send logs to Cisco Security Analytics and Logging (SaaS). The network administrator is anticipating a high volume of logging events from the firewalls and wants to limit the strain on firewall resources. Which method must the administrator use to send these logs to Cisco Security Analytics and Logging?
A. SFTP using the FMC CLI
B. syslog using the Secure Event Connector
C. direct connection using SNMP traps
D. HTTP POST using the Security Analytics FMC plugin
Answer: B
Explanation: The Secure Event Connector is a component of the Security Analytics and Logging (SaaS) solution that enables the FMC to send logs to the cloud-based service. The Secure Event Connector uses syslog to forward events from the FMC and the managed devices to the cloud. This method reduces the load on the firewall resources, as the events are sent in batches and compressed before transmission. The Secure Event Connector also provides encryption, authentication, and reliability for the log data. The other methods are not supported by the Security Analytics and Logging (SaaS) solution [1][2].
References: 1: Cisco Security Analytics and Logging (On Premises)
Question # 13
Which open standard creates a framework for sharing threat intelligence in a machine-digestible format?
A. OpenC2
B. OpenIOC
C. CybOX
D. STIX
Answer: D
Explanation: The open standard that creates a framework for sharing threat intelligence in a machine-digestible format is STIX (Structured Threat Information Expression). STIX is a language and serialization format that enables the exchange of cyber threat information across organizations, tools, and platforms. STIX defines a common vocabulary and data model for representing various types of threat intelligence, such as indicators, observables, incidents, campaigns, threat actors, courses of action, and more. STIX also supports the expression of context, relationships, confidence, and handling of the threat information. STIX aims to improve the speed, accuracy, and efficiency of threat detection, analysis, and response.
STIX is often used in conjunction with TAXII (Trusted Automated Exchange of Indicator Information), which is a protocol and transport mechanism that enables the secure and automated communication of STIX data. TAXII defines how to request, send, receive, and store STIX data using standard methods and formats, such as HTTPS, JSON, and XML. TAXII supports various exchange models, such as hub-and-spoke, peer-to-peer, or subscription-based. TAXII enables the interoperability and scalability of threat intelligence sharing among different systems and organizations.
References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Malware Threats, Lesson 3: Identifying Advanced Threats, Topic: Threat Intelligence Sharing; What is STIX/TAXII? | Cloudflare; STIX 2.1 Specification Documents
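To make the STIX/TAXII relationship from Questions 10 and 13, and the hash-list detection of Question 4, concrete, here is an added Python example (written for this page, not from the SCOR course, Cisco AMP or any Cisco product): it builds STIX 2.1 Indicator objects whose pattern is a file hash, packs them into a Bundle as a TAXII collection would deliver it, and then checks a file's computed MD5 and SHA-256 against those indicators. Only the single-comparison pattern form is parsed; the IDs, timestamps and sample file bytes are constructed values.

```python
"""STIX 2.1 file-hash indicators and a hash-based detection check.

Added example, not from the original page or any Cisco product. It builds
a STIX 2.1 Indicator whose pattern carries one file hash, wraps indicators
in a Bundle (the unit a TAXII server hands out), and evaluates the bundle
against the hashes of a file's bytes, the same idea as a custom detection
list keyed on MD5/SHA-256. Only patterns of the form
[file:hashes.'ALG' = 'hex'] are understood; anything else is skipped.
IDs, timestamps and the sample file are constructed values.
"""
import hashlib
import json
import re
import uuid

PATTERN_RE = re.compile(
    r"^\[file:hashes\.'?(?P<alg>[A-Za-z0-9-]+)'?\s*=\s*'(?P<value>[0-9a-fA-F]+)'\]$"
)
# STIX 2.1 hash key -> hashlib algorithm name
HASHLIB_NAMES = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}


def make_indicator(alg: str, digest: str, name: str, created: str) -> dict:
    """Build a STIX 2.1 Indicator SDO carrying a single file-hash comparison."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": f"[file:hashes.'{alg}' = '{digest.lower()}']",
        "valid_from": created,
    }


def make_bundle(objects: list) -> str:
    """Serialize SDOs as a STIX Bundle, the document a TAXII collection serves."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects})


def parse_hash_pattern(pattern: str) -> tuple:
    """Return (hashlib name, lowercase hex digest) for a single file-hash pattern."""
    m = PATTERN_RE.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    alg = m.group("alg").upper()
    if alg not in HASHLIB_NAMES:
        raise ValueError(f"unsupported hash algorithm: {alg}")
    return HASHLIB_NAMES[alg], m.group("value").lower()


def file_hashes(data: bytes) -> dict:
    """Digests an endpoint sensor would report for a file's contents."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASHLIB_NAMES.values()}


def match_bundle(bundle_json: str, data: bytes) -> list:
    """Names of indicators in the bundle whose hash matches the given file bytes."""
    bundle = json.loads(bundle_json)
    observed = file_hashes(data)
    hits = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        try:
            name, digest = parse_hash_pattern(obj["pattern"])
        except ValueError:
            continue  # not a plain file-hash pattern; this checker ignores it
        if observed[name] == digest:
            hits.append(obj["name"])
    return hits


# Constructed sample: the "malicious" file is simply these bytes.
SAMPLE_FILE = b"constructed sample payload for the hash-matching demo\n"
SAMPLE_CREATED = "2024-01-01T00:00:00.000Z"


def demo_bundle() -> str:
    """Bundle with MD5 and SHA-256 indicators for SAMPLE_FILE plus a non-matching decoy."""
    h = file_hashes(SAMPLE_FILE)
    objs = [
        make_indicator("MD5", h["md5"], "sample-md5", SAMPLE_CREATED),
        make_indicator("SHA-256", h["sha256"], "sample-sha256", SAMPLE_CREATED),
        make_indicator("SHA-256", "00" * 32, "decoy", SAMPLE_CREATED),
    ]
    return make_bundle(objs)


if __name__ == "__main__":
    print(match_bundle(demo_bundle(), SAMPLE_FILE))
```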
Question # 14
Which two actions does the Cisco Identity Services Engine posture module provide that ensure endpoint security? (Choose two.)
A. The latest antivirus updates are applied before access is allowed.
B. Assignments to endpoint groups are made dynamically, based on endpoint attributes.
C. Patch management remediation is performed.
D. A centralized management solution is deployed.
E. Endpoint supplicant configuration is deployed.
Answer: A,C
Explanation: The Cisco Identity Services Engine (ISE) posture module provides a service that allows you to check the compliance of endpoints with corporate security policies. This service consists of three main components: client provisioning, posture policy, and authorization policy. Client provisioning ensures that the endpoints receive the appropriate posture agent, such as the AnyConnect ISE Posture Agent or the Network Admission Control (NAC) Agent. Posture policy defines the conditions and requirements that the endpoints must meet to be considered compliant, such as having the latest antivirus updates or patches installed. Authorization policy determines the level of network access granted to the endpoints based on their posture assessment results, such as allowing full access, limited access, or quarantine. The two actions that the Cisco ISE posture module provides that ensure endpoint security are:
The latest antivirus updates are applied before access is allowed. This action prevents malware infections and protects the network from potential threats. The posture policy can include predefined or custom conditions that check the antivirus status of the endpoints, such as the product name, version, definition date, and scan result. If the endpoint does not meet the antivirus requirement, the posture agent can trigger a remediation action, such as launching the antivirus update or scan, before allowing network access.
Patch management remediation is performed. This action ensures that the endpoints have the latest security patches installed and are not vulnerable to known exploits. The posture policy can include predefined or custom conditions that check the patch status of the endpoints, such as the operating system, service pack, hotfix, or update. If the endpoint does not meet the patch requirement, the posture agent can trigger a remediation action, such as redirecting the endpoint to a patch management server or launching the patch installation, before allowing network access.
References: Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies; Configuring posture services with the Cisco Identity Services Engine; Cisco Identity Services Engine Administrator Guide, Release 2.0 - Posture Policy
Question # 15
How does the Cisco WSA enforce bandwidth restrictions for web applications?
A. It implements a policy route to redirect application traffic to a lower-bandwidth link.
B. It dynamically creates a scavenger class QoS policy and applies it to each client that connects through the WSA.
C. It sends commands to the uplink router to apply traffic policing to the application traffic.
D. It simulates a slower link by introducing latency into application traffic.
Answer: D
Explanation: The Cisco WSA can enforce bandwidth restrictions for web applications by using the Application Visibility and Control (AVC) engine. The AVC engine allows the WSA to identify and control application activity on the network, and to apply bandwidth limits to certain application types or individual applications. The WSA dynamically creates a scavenger class QoS policy and applies it to each client that connects through the WSA. The scavenger class QoS policy assigns a low priority to the application traffic and limits the bandwidth usage based on the configured settings. This way, the WSA can prevent congestion and ensure fair allocation of bandwidth among different applications and users.
References: User Guide for AsyncOS 11.8 for Cisco Web Security Appliances - GD (General Deployment) - Managing Access to Web Applications; WSA - limit bandwidth - Cisco Community
Question # 16
An engineer is configuring Cisco WSA and needs to deploy it in transparent mode. Which configuration component must be used to accomplish this goal?
A. MDA on the router
B. PBR on Cisco WSA
C. WCCP on switch
D. DNS resolution on Cisco WSA
Answer: C
Explanation: To deploy Cisco WSA in transparent mode, the configuration component that must be used is WCCP on switch. WCCP stands for Web Cache Communication Protocol, which is a protocol that allows a network device (such as a switch) to redirect web traffic to a proxy server (such as Cisco WSA) transparently. This means that the client does not need to configure any proxy settings on the browser, and the proxy server can intercept and process the web requests and responses without the client’s knowledge. WCCP can also provide load balancing and failover capabilities for multiple proxy servers.
The other options are incorrect because they are not required or relevant for transparent mode deployment. Option A is incorrect because MDA (Multilink PPP Dial Access) is a feature that allows multiple physical links to be aggregated into a single logical link for dial-up connections. It has nothing to do with transparent mode. Option B is incorrect because PBR (Policy-Based Routing) is a feature that allows routing decisions to be based on criteria other than the destination IP address, such as source IP address, protocol, port, etc. It is not necessary for transparent mode, as WCCP can handle the traffic redirection. Option D is incorrect because DNS resolution on Cisco WSA is not a configuration component, but a function that allows the proxy server to resolve domain names to IP addresses. It is not specific to transparent mode, as it is also used in explicit mode.
References: What is the difference between transparent and forward proxy mode?; User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited Deployment) - Acquire End-User Credentials; Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP?
Question # 17
An engineer is configuring cloud logging using a company-managed Amazon S3 bucket for Cisco Umbrella logs. What benefit does this configuration provide for accessing log data?
A. It is included in the license cost for the multi-org console of Cisco Umbrella
B. It can grant third-party SIEM integrations write access to the S3 bucket
C. No other applications except Cisco Umbrella can write to the S3 bucket
D. Data can be stored offline for 30 days
Answer: B
Explanation: Using a company-managed Amazon S3 bucket for Cisco Umbrella logs allows the administrator to have full control over the access and lifecycle of the log data. This configuration can grant third-party SIEM integrations write access to the S3 bucket, which can enable more advanced analysis and correlation of the log data with other sources. This configuration also provides more flexibility in terms of how long the data can be stored offline, as opposed to the Cisco-managed S3 bucket, which has a fixed retention period of 30 days.
References: Enable Logging to Your Own S3 Bucket; Centralized Umbrella Log Management with Amazon’s S3 service for MSP, MSSP, and Multi-org customers
Question # 18
An engineer is configuring IPsec VPN and needs an authentication protocol that is reliable and supports ACK and sequence. Which protocol accomplishes this goal?
A. AES-192
B. IKEv1
C. AES-256
D. ESP
Answer: B
Explanation: IKEv1 is the authentication protocol that is reliable and supports ACK and sequence for IPsec VPN. IKEv1 is a key management protocol that is used in conjunction with IPsec to establish secure and authenticated connections between IPsec peers. IKEv1 uses UDP port 500 and consists of two phases: phase 1 and phase 2. In phase 1, the peers authenticate each other and negotiate a shared secret key that is used to encrypt the subsequent messages. In phase 2, the peers negotiate the security parameters for the IPsec tunnel, such as the encryption and authentication algorithms, the lifetime, and the mode (transport or tunnel). IKEv1 uses ACK and sequence numbers to ensure the reliability and integrity of the messages exchanged between the peers. ACK is an acknowledgment message that confirms the receipt of a previous message. Sequence number is a unique identifier that is assigned to each message to prevent replay attacks and to detect missing or out-of-order messages. IKEv1 also supports various authentication methods, such as pre-shared keys, digital certificates, and extended authentication (XAUTH).
References: Internet Key Exchange for IPsec VPNs Configuration Guide; Security for VPNs with IPsec Configuration Guide; IPSec Architecture
Question # 19
With regard to RFC 5176 compliance, how many IETF attributes are supported by the RADIUS CoA feature?
A. 3
B. 5
C. 10
D. 12
Answer: B
Explanation: The RADIUS CoA feature supports five IETF attributes as defined in RFC 5176. These are:
Event-Timestamp: This attribute indicates the time when the CoA request was generated by the server.
State: This attribute contains a value that is copied from the Access-Accept message that authorized the session.
Session-Timeout: This attribute specifies the maximum number of seconds of service provided to the user before termination of the session or prompt.
Idle-Timeout: This attribute specifies the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.
Filter-Id: This attribute identifies the filter list to be applied to the user session.
The RADIUS CoA feature also supports vendor-specific attributes (VSAs) that are defined by Cisco or other vendors. These VSAs can be used to perform additional actions such as port shutdown, port bounce, or security and password accounting.
References: RFC 5176: This document describes the dynamic authorization extensions to RADIUS, including the CoA request and response codes, and the supported IETF attributes. RADIUS Change of Authorization - Cisco: This document provides the configuration guide for the RADIUS CoA feature on Cisco IOS devices, including the supported IETF and Cisco VSAs. Supported IETF attributes in RFC 5176 - Ruckus Networks: This document lists the supported IETF attributes and error clause values for the RADIUS CoA feature on Ruckus devices.
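As an added example (written for this page, not taken from Cisco IOS, ISE or any vendor's CoA code), the following Python shows how these five attributes travel inside a CoA-Request and how its Request Authenticator is computed and checked as RFC 5176 describes, MD5 over the header, 16 zero octets, the attributes and the shared secret. Attribute type numbers follow RFC 2865 and RFC 2869; the Acct-Session-Id, shared secret and attribute values are constructed sample data.

```python
"""Encode and verify a RADIUS CoA-Request (RFC 5176).

Added example, not from the page or from any vendor implementation. Builds a
CoA-Request (code 43) carrying the five IETF attributes listed above plus an
Acct-Session-Id that identifies the session being changed, fills in the
Request Authenticator as MD5(Code + Identifier + Length + 16 zero octets +
attributes + shared secret), and verifies a received request the same way.
The shared secret and all attribute values are constructed sample data.
"""
import hashlib
import hmac
import struct

COA_REQUEST = 43
# IETF attribute type numbers (RFC 2865 / RFC 2869)
FILTER_ID = 11
STATE = 24
SESSION_TIMEOUT = 27
IDLE_TIMEOUT = 28
ACCT_SESSION_ID = 44
EVENT_TIMESTAMP = 55
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)


def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute-value pair: type, length (including the 2-byte header), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def integer_avp(attr_type: int, value: int) -> bytes:
    """Integer attributes are 32-bit big-endian."""
    return avp(attr_type, struct.pack("!I", value))


def build_coa_request(identifier: int, secret: bytes, attributes: bytes) -> bytes:
    """Assemble the packet and compute the Request Authenticator."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", COA_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator; False on mismatch or a bad length field."""
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    attributes = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attributes + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} for the AVPs after the 20-byte header."""
    attrs = {}
    i = HEADER_LEN
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > len(packet):
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[i + 2 : i + attr_len]
        i += attr_len
    return attrs


# Constructed sample values
SECRET = b"sample-shared-secret"
SAMPLE_ATTRIBUTES = (
    avp(ACCT_SESSION_ID, b"0000A1B2")            # identifies the session to change
    + integer_avp(EVENT_TIMESTAMP, 1700000000)    # when the server generated the CoA
    + avp(STATE, bytes.fromhex("deadbeef"))       # copied from the Access-Accept
    + integer_avp(SESSION_TIMEOUT, 3600)          # seconds of service remaining
    + integer_avp(IDLE_TIMEOUT, 600)              # seconds of idle time allowed
    + avp(FILTER_ID, b"quarantine-acl")           # filter list to apply to the session
)


def demo() -> tuple:
    """Build the sample request and show it verifies only with the right secret."""
    pkt = build_coa_request(7, SECRET, SAMPLE_ATTRIBUTES)
    return pkt, verify_coa_request(pkt, SECRET), verify_coa_request(pkt, b"wrong-secret")


if __name__ == "__main__":
    packet, good, bad = demo()
    print(packet.hex(), good, bad)
```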
Question # 20
Which Cisco security solution gives the most complete view of the relationships and evolution of Internet domains, IPs, and files, and helps to pinpoint attackers' infrastructures and predict future threats?
A. Cisco Secure Network Analytics B. Cisco Secure Cloud Analytics C. Cisco Umbrella Investigate D. Cisco pxGrid
Answer: C

Explanation: Cisco Umbrella Investigate is a cloud-based service that provides interactive threat intelligence on domains, IPs, and files. It helps security analysts to uncover the attacker’s infrastructure and predict future threats by analyzing the relationships and evolution of internet domains, IPs, and files. It also integrates with other Cisco security solutions, such as Cisco Secure Network Analytics, Cisco Secure Cloud Analytics, and Cisco pxGrid, to provide a holistic view of the network and cloud security posture. Cisco Umbrella Investigate is based on the data collected by Cisco Umbrella, which processes more than 620 billion DNS requests per day from over 190 countries. Cisco Umbrella Investigate uses statistical and machine learning models to automatically score and classify the data, and provides a risk score for each domain, IP, and file, along with the contributing factors and historical context. Cisco Umbrella Investigate also allows security analysts to query the data using a web-based console or an API, and to visualize the results using graphs, tables, and maps. Cisco Umbrella Investigate is the most complete and interactive threat intelligence solution that helps to prevent cyber attacks before they happen.

References: Cisco Umbrella Investigate; Cyber Attack Prevention - Cisco Umbrella; Cisco Umbrella Investigate - Cisco Umbrella
Question # 21
An administrator enables Cisco Threat Intelligence Director on a Cisco FMC. Which process uses STIX and allows uploads and downloads of block lists?
A. consumption B. sharing C. editing D. authoring
Answer: B

Explanation: The process that uses STIX and allows uploads and downloads of block lists is sharing. STIX (Structured Threat Information Expression) is a standard language and format for exchanging cyber threat intelligence data. Block lists are collections of observables, such as IP addresses, URLs, or domains, that are associated with malicious activity and can be used to block or monitor network traffic. Cisco Threat Intelligence Director (TID) is a feature that operationalizes threat intelligence data by consuming, normalizing, publishing, and correlating data from various sources, including third-party STIX feeds. TID enables the administrator to upload STIX files from local or remote sources, or download STIX files from the Firepower Management Center (FMC) to share with other systems. TID also allows the administrator to configure actions (such as block or monitor) based on the indicators and observables in the STIX files, and generate incidents and observations when the system detects traffic that matches the threat intelligence data [1][2][3].

References: 1: Firepower Management Center Configuration Guide, Version 6.2.3 - Threat Intelligence Director; 2: Introduction to STIX - GitHub Pages; 3: Third-Party Integration of Security Feeds with FMC (Cisco Threat Intelligence Director) - Cisco Community
Question # 22
In which two ways does the Cisco Advanced Phishing Protection solution protect users? (Choose two.)
A. It prevents use of compromised accounts and social engineering. B. It prevents all zero-day attacks coming from the Internet. C. It automatically removes malicious emails from users' inbox. D. It prevents trojan horse malware using sensors. E. It secures all passwords that are shared in video conferences.
Answer: A,C

Explanation: Cisco Advanced Phishing Protection (AAP) is a solution that adds sophisticated machine learning capabilities to Cisco Email Security to block advanced identity deception attacks for inbound email by assessing its threat posture [1]. It also uses both global and local telemetry data combined with analytics and modeling to validate the reputation and authenticity of senders [2]. AAP provides sender authentication and BEC detection capabilities, and uses advanced machine learning techniques, real-time behavior analytics, relationship modeling and telemetry to protect against identity deception–based threats [3]. The Cisco Advanced Phishing Protection solution protects users in two ways:

It prevents use of compromised accounts and social engineering. AAP detects and blocks phishing emails that attempt to impersonate legitimate senders, such as executives, partners, or customers, and trick users into revealing sensitive information or transferring funds. AAP analyzes the sender’s identity, behavior, and relationship with the recipient, and assigns a risk score to the email. If the email is deemed suspicious or malicious, AAP can quarantine it, flag it, or deliver it with a warning [4].

It automatically removes malicious emails from users’ inbox. AAP provides retrospective analysis and remediation capabilities, which means that it can identify and remove emails that were initially delivered but later found to be malicious. AAP leverages the Cisco Talos threat intelligence network and the Sensor-based solution to continuously monitor the threat landscape and update the email disposition accordingly. If an email is reclassified as malicious, AAP can automatically delete it from the users’ inbox, or notify the administrator or the user to take action [4][5].

The other options are incorrect because they do not accurately describe the functions of AAP. AAP does not prevent all zero-day attacks coming from the Internet, as it focuses on phishing and identity deception attacks. AAP does not prevent trojan horse malware using sensors, as sensors are used to collect and analyze email data, not to block malware. AAP does not secure all passwords that are shared in video conferences, as it is not related to video conferencing security. Therefore, the correct answer is A and C.

References: Cisco’s Security Innovations to Protect the Endpoint and Email; Cisco Advanced Phishing Protection - Cisco Video Portal; Cisco Advanced Phishing Protection At A Glance - AVANTEC; User Guide for Cisco Advanced Phishing Protection; Cisco Secure Email Threat Defense - Cisco; Integrating the Email Gateway with Cisco Advanced Phishing Protection
Question # 23
What are two recommended approaches to stop DNS tunneling for data exfiltration and command and control callbacks? (Choose two.)
A. Use intrusion prevention system. B. Block all TXT DNS records. C. Enforce security over port 53. D. Use next generation firewalls. E. Use Cisco Umbrella
Answer: C,E

Explanation: DNS tunneling is a technique that uses the DNS protocol to exfiltrate data or establish command and control channels between a compromised host and an attacker-controlled server. DNS tunneling can bypass network security controls that allow outbound DNS traffic without inspection or filtering. To stop DNS tunneling, two recommended approaches are:

Enforce security over port 53. This means applying firewall rules, access control lists, or other mechanisms to restrict outbound DNS traffic to only authorized DNS servers and domains. Additionally, DNS traffic should be inspected and analyzed for anomalies, such as unusually large or frequent queries, non-standard encoding, or suspicious domains. This can help detect and block DNS tunneling attempts.

Use Cisco Umbrella. Cisco Umbrella is a cloud-based security service that provides DNS security, web filtering, and threat intelligence. Cisco Umbrella can prevent DNS tunneling by blocking malicious domains, enforcing policies based on content categories, and applying machine learning to identify and stop emerging threats. Cisco Umbrella can also provide visibility and reporting on DNS activity and security events.

References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.2: DNS Security; What Is DNS Tunneling? - Palo Alto Networks; An Introduction to DNS Tunneling Detection & Data Exfiltration via DNS - Vercara
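The "inspect DNS traffic for anomalies" step above is easy to state and harder to picture, so here is an added example (not from the exam material or from Cisco Umbrella) of the three heuristics the explanation names, run over a constructed DNS query log: unusually long labels, labels that look like encoded payload (high character entropy or pure hex), and many distinct subdomains of one base domain from one client. The log lines, client addresses, thresholds and the `example.test` tunnel domain are all constructed; the base-domain split uses the last two labels as a simplification where a production tool would consult the public suffix list.

```python
import math
import re
from collections import defaultdict

# Constructed sample of DNS query logs ("<timestamp> <client> <qtype> <qname>"); not real traffic.
# The hex labels under example.test stand in for a tunnel carrying chunks of a file.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 A www.example.com
2024-05-01T09:00:02Z 10.0.0.5 TXT 7a6f6e65313a2f6574632f706173737764.t.example.test
2024-05-01T09:00:02Z 10.0.0.5 TXT 726f6f743a783a303a303a726f6f74.t.example.test
2024-05-01T09:00:03Z 10.0.0.5 TXT 3a2f726f6f743a2f62696e2f62617368.t.example.test
2024-05-01T09:00:03Z 10.0.0.5 TXT 6461656d6f6e3a783a313a313a.t.example.test
2024-05-01T09:00:04Z 10.0.0.9 A mail.example.com
2024-05-01T09:00:05Z 10.0.0.9 AAAA cdn.example.net
"""

# Thresholds are constructed for this sample; tune them against your own baseline.
LONG_LABEL = 24          # human-chosen hostnames are rarely this long
HIGH_ENTROPY = 3.0       # bits per character; base32/base64 payloads sit well above normal names
MANY_SUBDOMAINS = 3      # distinct subdomains of one base domain seen from one client
HEX_LABEL = re.compile(r"^[0-9a-f]+$")


def shannon_entropy(s):
    """Bits of entropy per character; 'aaaa' -> 0.0, 'abcd' -> 2.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain_labels, base_domain). Base = last two labels (simplification)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def parse_log(text):
    """Yield (timestamp, client, qtype, qname) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def analyze(log_text):
    """Map base domain -> sorted list of reasons it looks like a tunneling endpoint."""
    reasons = defaultdict(set)
    uniq = defaultdict(set)  # (client, base) -> distinct subdomain strings queried
    for _, client, _, qname in parse_log(log_text):
        sub, base = split_name(qname)
        if not sub:
            continue
        uniq[(client, base)].add(".".join(sub))
        for label in sub:
            if len(label) >= LONG_LABEL:
                reasons[base].add("long_label")
            if shannon_entropy(label) >= HIGH_ENTROPY or (HEX_LABEL.match(label) and len(label) >= 16):
                reasons[base].add("encoded_label")
    for (_, base), subs in uniq.items():
        if len(subs) >= MANY_SUBDOMAINS:
            reasons[base].add("many_unique_subdomains")
    return {base: sorted(r) for base, r in reasons.items()}


if __name__ == "__main__":
    for base, why in analyze(SAMPLE_LOG).items():
        print(f"{base}: {', '.join(why)}")
```

None of the three signals is conclusive alone (CDNs and anti-virus vendors legitimately use long, high-entropy labels), which is why the result carries the reasons rather than a single verdict: a domain tripping all three is a strong candidate for the port-53 controls the explanation describes, while a single signal is a lead to check against allow lists first.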
Question # 24
For a given policy in Cisco Umbrella, how should a customer block websites based on a custom list?
A. by specifying blocked domains in the policy settings B. by specifying the websites in a custom blocked category C. by adding the websites to a blocked type destination list D. by adding the website IP addresses to the Cisco Umbrella blocklist
Answer: B

Explanation: To block a website based on a custom list, the customer should add the websites to a blocked type destination list. A destination list is a custom list of domains or URLs that the customer wants to allow or block for their identities. The customer can create destination lists through the Policy Components > Destination Lists page, or within the policy wizard when creating or editing a policy. The custom URL destination block lists feature enables Umbrella to extend a domain level block list to encompass full and partial URLs. In turn, this allows the customer to block certain portions of a website based specifically on the full or partial URL. This feature requires the customer to enable the intelligent proxy and install a root certificate for SSL decryption.

References: Configure Web Policies and Destination Lists - Cisco Umbrella; Control Access to Custom URLs - Umbrella SIG User Guide; Cisco 350-701: How should customer block websites based on custom list; Umbrella Dashboard: New Features—Custom blocked URLs; Understanding Destination lists supported entries and … - Cisco Umbrella
Question # 25
An administrator is configuring NTP on Cisco ASA via ASDM and needs to ensure that rogue NTP servers cannot insert themselves as the authoritative time source. Which two steps must be taken to accomplish this task? (Choose two.)
A. Specify the NTP version B. Configure the NTP stratum C. Set the authentication key D. Choose the interface for syncing to the NTP server E. Set the NTP DNS hostname
Answer: C,D

Explanation: To prevent rogue NTP servers from inserting themselves as the authoritative time source, the administrator needs to configure NTP authentication and specify the interface for syncing to the NTP server. NTP authentication allows the ASA to verify the identity and integrity of the NTP packets received from the server, using a shared secret key. Specifying the interface for syncing to the NTP server ensures that the ASA uses the correct source address for sending and receiving NTP packets, and avoids potential routing issues. The other options are not required or relevant for this task. Specifying the NTP version is optional and does not affect security. Configuring the NTP stratum is only applicable for NTP servers, not clients. The ASA can only act as an NTP client, not a server. Setting the NTP DNS hostname is not recommended, as it introduces a dependency on DNS resolution and may cause synchronization problems if the DNS server changes the IP address of the NTP server.

References: Configure NTP Authentication on Secure Network Analytics; CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6 - Basic Settings; Cisco ASA NTP and Clock Configuration with Examples
Question # 26
A security test performed on one of the applications shows that user input is not validated. Which security vulnerability is the application more susceptible to because of this lack of validation?
A. denial-of-service B. cross-site request forgery C. man-in-the-middle D. SQL injection
Answer: D

Explanation: An application that does not validate user input is particularly susceptible to SQL injection attacks. In an SQL injection attack, an attacker can insert or "inject" a SQL query via the input data from the client to the application. Due to the lack of validation, the malicious SQL commands are executed by the database server, leading to unauthorized access or manipulation of the database.
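To make the explanation concrete, here is an added example (not from the exam material) showing the defect and the two fixes side by side against an in-memory SQLite table: a lookup that splices the user's input into the query string, so the input changes the query's structure; a parameterised version, where the driver passes the value separately and it can never be parsed as SQL; and an allow-list input validator layered in front of it. The table contents, user names and the `[a-z0-9_]` username policy are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: three users, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """DEFECT: untrusted input is concatenated into SQL. An input containing a quote
    closes the literal early and the rest is interpreted as part of the WHERE clause."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """FIX 1: parameterised query. The '?' is bound by the driver after parsing, so
    the input is only ever compared as a string value, never executed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# FIX 2: validate against what a username is allowed to look like (constructed policy).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username):
    """Allow-list validation: accept only the characters the application expects."""
    return bool(USERNAME_RE.match(username))


def lookup_validated(conn, username):
    """Defence in depth: reject malformed input before the (already parameterised) query runs,
    so the database never sees it and the rejection can be logged as a probing attempt."""
    if not validate_username(username):
        raise ValueError("rejected username: does not match the allowed pattern")
    return lookup_safe(conn, username)


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, probe))   # every row, not just one user
    print("parameterised:", lookup_safe(conn, probe))      # [] : compared as a literal string
    print("validated:", validate_username(probe))          # False: rejected before any query
```

Parameterisation is the fix that removes the vulnerability; validation on top of it narrows the attack surface further and gives the security team something to alert on, which is why the explanation's "lack of validation" is a finding even where queries are already parameterised.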
Question # 27
Which function is included when Cisco AMP is added to web security?
A. multifactor, authentication-based user identity B. detailed analytics of the unknown file's behavior C. phishing detection on emails D. threat prevention on an infected endpoint
Answer: B

Explanation: Cisco Advanced Malware Protection (AMP) for Web Security is a solution that provides protection against web-related threats before, during, and after an attack. One of the functions that AMP for Web Security includes is detailed analytics of the unknown file’s behavior. This means that AMP can continuously monitor and analyze the activity of files that cross the web gateway, even after they have been initially scanned and allowed. This allows AMP to detect and block any malicious behavior that may emerge later, and provide retrospective security alerts and remediation actions [1][2].

References: 1: Cisco Advanced Malware Protection for Web Security; 2: Cisco Adds Advanced Malware Protection to Web and Email Security Appliances and Cloud Services
Question # 28
What is the most commonly used protocol for network telemetry?
A. SMTP B. SNMP C. TFTP D. NetFlow
Answer: B

Explanation: SNMP (Simple Network Management Protocol) is the most commonly used protocol for network telemetry. SNMP is a standard protocol that allows network devices to exchange management information [1]. SNMP agents run on network devices and collect data about their status, performance, configuration, and events. SNMP managers run on network management systems and query the agents for data or receive notifications from them. SNMP can also be used to configure or control network devices remotely [2]. SNMP is widely supported by various vendors and platforms, and it provides a simple and flexible way to monitor and manage networks [3].

References: 1: What is SNMP? | Cisco; 2: SNMP Basics: What is SNMP and How It Works | SolarWinds; 3: Network Telemetry Explained: Frameworks, Applications & Standards | Splunk
Question # 29
Which two functions does the Cisco Advanced Phishing Protection solution perform in trying to protect from phishing attacks? (Choose two.)
A. blocks malicious websites and adds them to a block list B. does a real-time user web browsing behavior analysis C. provides a defense for on-premises email deployments D. uses a static algorithm to determine malicious E. determines if the email messages are malicious
Answer: B,E

Explanation: Cisco Advanced Phishing Protection (AAP) is a solution that helps organizations protect against fraudulent senders and identity deception-based attacks, such as business email compromise (BEC) and spear phishing. AAP uses advanced machine learning techniques, real-time behavior analytics, relationship modeling, and telemetry to perform two main functions [1][2]:

It determines if the email messages are malicious by assessing the threat posture of the sender and the content of the message. It also validates the reputation and authenticity of the sender by checking various indicators, such as the domain, the IP address, the SPF, DKIM, and DMARC records, the display name, the reply-to address, and the header information. AAP assigns a risk score to each email message and provides a verdict of clean, malicious, or suspicious. It also adds a banner to the email message to inform the recipient of the risk level and the recommended action.

It does a real-time user web browsing behavior analysis by monitoring the user’s interaction with the email message and the links embedded in it. It tracks the user’s clicks, mouse movements, dwell time, and other indicators to detect any signs of hesitation, confusion, or curiosity. It also analyzes the destination URL of the links and compares it with the known malicious websites. If AAP detects any anomalous or risky behavior, it intervenes with a warning message or a redirect page to educate the user and prevent them from falling victim to the phishing attack.

References: 1: Cisco’s Security Innovations to Protect the Endpoint and Email; 2: Cisco Advanced Phishing Protection - Cisco Video Portal
Question # 30
Which two capabilities of Integration APIs are utilized with Cisco DNA Center? (Choose two.)
A. Upgrade software on switches and routers B. Third party reporting C. Connect to ITSM platforms D. Create new SSIDs on a wireless LAN controller E. Automatically deploy new virtual routers
Question # 31
What is a difference between GRE over IPsec and IPsec with crypto map?
A. Multicast traffic is supported by IPsec with crypto map. B. GRE over IPsec supports non-IP protocols. C. GRE provides its own encryption mechanism. D. IPsec with crypto map offers better scalability.
Answer: B

Explanation: The difference between GRE over IPsec and IPsec with crypto map is that GRE (Generic Routing Encapsulation) over IPsec can encapsulate and transport non-IP protocols across an IP network, whereas IPsec with crypto map is typically used for IP traffic. GRE tunnels wrapped in IPsec provide a way to transport multicast traffic and other protocol types across an IPsec VPN, offering greater flexibility in the types of traffic that can be secured.
Question # 32
What are two ways a network administrator transparently identifies users using Active Directory on the Cisco WSA? (Choose two.)
A. Create an LDAP authentication realm and disable transparent user identification. B. Create NTLM or Kerberos authentication realm and enable transparent user identification. C. Deploy a separate Active Directory agent such as Cisco Context Directory Agent. D. The eDirectory client must be installed on each client workstation. E. Deploy a separate eDirectory server; the client IP address is recorded in this server.
Answer: B,C

Explanation: A network administrator can transparently identify users using Active Directory on the Cisco WSA in two ways:

Create NTLM or Kerberos authentication realm and enable transparent user identification. This option allows the WSA to use the NTLM or Kerberos protocol to authenticate users without prompting them for credentials. The WSA must join the Active Directory domain and have a valid service principal name (SPN) for this option to work [1].

Deploy a separate Active Directory agent such as Cisco Context Directory Agent (CDA). This option allows the WSA to receive user-to-IP mappings from the CDA, which monitors the Active Directory domain controllers for user logon events. The CDA must be installed on a Windows server and have access to the domain controllers and the WSA [2].

The other options are not ways to transparently identify users using Active Directory on the Cisco WSA. Creating an LDAP authentication realm and disabling transparent user identification will require users to enter their credentials manually. Installing the eDirectory client on each client workstation or deploying a separate eDirectory server are not related to Active Directory, but to Novell eDirectory, which is a different directory service [3].

References: 1: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: Active Directory/Kerberos, page 4-3. 2: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: Active Directory Agent, page 4-5. 3: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic: eDirectory, page 4-8.
Question # 33
Which solution is more secure than the traditional use of a username and password and encompasses at least two of the methods of authentication?
A. single sign-on B. RADIUS/LDAP authentication C. Kerberos security solution D. multifactor authentication
Answer: D

Explanation: Multifactor authentication (MFA) is a solution that requires the user to provide two or more verification factors to gain access to a resource, such as an application, online account, or a VPN. MFA is more secure than the traditional use of a username and password because it reduces the risk of identity theft, phishing, and credential compromise. MFA can use different types of factors, such as something the user knows (e.g., password, PIN), something the user has (e.g., smartphone, token, smart card), or something the user is (e.g., fingerprint, facial recognition). MFA can be implemented using various methods, such as security defaults, Conditional Access policies, or third-party solutions [1][2][3].

References: https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661; https://www.onelogin.com/learn/what-is-mfa
Question # 34
Which Cisco security solution provides patch management in the cloud?
A. Cisco Umbrella B. Cisco ISE C. Cisco CloudLock D. Cisco Tetration
Answer: D

Explanation: Cisco Tetration is a Cisco security solution that provides patch management in the cloud. Patch management is the process of identifying, acquiring, installing, and verifying patches for products and systems to correct security and functionality problems in software and firmware [1]. Cisco Tetration is a cloud-native platform that delivers comprehensive workload protection for multicloud data centers by enabling a zero-trust model using segmentation [2]. One of the features of Cisco Tetration is software vulnerability detection and patch management, which allows users to identify software vulnerabilities on workloads, prioritize patching based on risk scores, and automate patch deployment using orchestration tools [3]. Cisco Tetration leverages the National Vulnerability Database (NVD) and Cisco Talos Intelligence Group to provide up-to-date information on software vulnerabilities and their severity levels [3]. Cisco Tetration also supports patch management for both Windows and Linux operating systems, as well as third-party applications such as Apache, Java, MySQL, and Oracle [4]. Therefore, the correct answer is D. Cisco Tetration.

References: 1: RFC 9232: Network Telemetry Framework - Internet Engineering Task Force; 2: Cisco Tetration - Workload Protection - Cisco; 3: Cisco Tetration Software Vulnerability Detection and Patch Management - Cisco; 4: Cisco Tetration Platform Data Sheet - Cisco
Question # 35
Which metric is used by the monitoring agent to collect and output packet loss and jitter information?
A. WSAv performance B. AVC performance C. TCP performance D. RTP performance
Answer: D

Explanation: The monitoring agent uses the RTP (Real-time Transport Protocol) performance metric to collect and output packet loss and jitter information. RTP is a network protocol used for delivering audio and video over IP networks. It provides mechanisms for timestamping, sequence numbering, and delivery monitoring, which allow for the measurement of packet loss and jitter. RTP is specifically designed for real-time multimedia streaming applications, which are more sensitive to changes in the transmission characteristics of data networks than other applications. Therefore, RTP performance is a suitable metric for monitoring and collecting packet loss and jitter information.

The other options are not directly related to measuring packet loss and jitter. TCP (Transmission Control Protocol) is a transport protocol that ensures reliable and ordered delivery of data, but it is not typically used for real-time multimedia applications. WSAv (Web Security Virtual Appliance) is a Cisco solution for web security, but it does not measure packet loss and jitter. AVC (Application Visibility and Control) is a technology that monitors and controls network applications, but it does not focus on packet loss and jitter.

References: Measuring Delay, Jitter, and Packet Loss with Cisco IOS SAA and RTTMON; Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0; Cisco 350-701: Which metric used by monitoring agent to collect and output packet loss and jitter information?
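The explanation says RTP's sequence numbers and timestamps "allow for the measurement of packet loss and jitter" without showing how; the added example below (not from the exam material or any Cisco agent) implements the receiver-side arithmetic from RFC 3550: packets lost = expected - received, where expected comes from the extended highest sequence number (16-bit wraparound handled), and interarrival jitter J = J + (|D| - J)/16 with D the difference in transit time between consecutive packets. The packet stream, the 8 kHz clock and the 160-tick packet spacing are constructed; the jitter is kept as a float rather than the RFC's fixed-point integer.

```python
class RtpReceiverStats:
    """Per-stream loss and jitter tracking as described in RFC 3550 section 6.4.1 / Appendix A.
    Assumes packets are processed in arrival order; timestamps are in RTP clock ticks."""

    def __init__(self):
        self.base_seq = None      # first sequence number seen
        self.max_ext = None       # highest extended (cycles + seq) sequence number seen
        self.cycles = 0           # number of 16-bit wraparounds, counted in units of 65536
        self.received = 0
        self.jitter = 0.0         # interarrival jitter, in RTP clock ticks
        self.prev_transit = None  # arrival - RTP timestamp of the previous packet

    def update(self, seq, rtp_ts, arrival_ts):
        """Feed one packet: its 16-bit sequence number, RTP timestamp and arrival time
        expressed in the same clock units as the RTP timestamp."""
        self.received += 1
        if self.base_seq is None:
            self.base_seq = seq
            self.max_ext = seq
        else:
            last_seq = self.max_ext & 0xFFFF
            # A much smaller sequence number after a large one means the 16-bit counter wrapped
            if seq < last_seq and last_seq - seq > 32768:
                self.cycles += 65536
            ext = self.cycles + seq
            if ext > self.max_ext:
                self.max_ext = ext
        # D(i,j) = (Rj - Sj) - (Ri - Si): change in transit time between consecutive packets
        transit = arrival_ts - rtp_ts
        if self.prev_transit is not None:
            d = abs(transit - self.prev_transit)
            self.jitter += (d - self.jitter) / 16  # RFC 3550 gain of 1/16 smooths the estimate
        self.prev_transit = transit

    def expected(self):
        """Packets that should have arrived, from the extended highest sequence number."""
        return self.max_ext - self.base_seq + 1

    def lost(self):
        return self.expected() - self.received


def run_stream(packets):
    """Process a list of (seq, rtp_ts, arrival_ts) and return (expected, lost, jitter)."""
    stats = RtpReceiverStats()
    for seq, rtp_ts, arrival_ts in packets:
        stats.update(seq, rtp_ts, arrival_ts)
    return stats.expected(), stats.lost(), stats.jitter


# Constructed 8 kHz voice stream: 20 ms packets are 160 ticks apart; the third packet
# arrives 32 ticks (4 ms) late and the fourth is never received.
SAMPLE_STREAM = [
    (1000, 0, 0),
    (1001, 160, 160),
    (1002, 320, 352),
    (1004, 640, 640),
]

if __name__ == "__main__":
    expected, lost, jitter = run_stream(SAMPLE_STREAM)
    print(f"expected={expected} received={len(SAMPLE_STREAM)} lost={lost} jitter={jitter:.3f} ticks")
```

The 1/16 gain is why a single late packet raises the reported jitter for several subsequent packets before it decays; an agent that reported raw |D| instead would look far noisier.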
Question # 36
An organization uses Cisco FMC to centrally manage multiple Cisco FTD devices. The default management port conflicts with other communications on the network and must be changed. What must be done to ensure that all devices can communicate together?
A. Set the sftunnel to go through the Cisco FTD B. Change the management port on Cisco FMC so that it pushes the change to all managed Cisco FTD devices C. Set the sftunnel port to 8305. D. Manually change the management port on Cisco FMC and all managed Cisco FTD devices
Answer: D

Explanation: The management port on Cisco FMC is used to establish a secure connection with the managed Cisco FTD devices. If the default management port (8305) conflicts with other communications on the network, it must be changed on both the Cisco FMC and the Cisco FTD devices. This cannot be done automatically by the Cisco FMC, as it would lose connectivity with the devices. Therefore, the administrator must manually change the management port on the Cisco FMC and all the managed Cisco FTD devices using the command line interface (CLI). The steps to change the management port are as follows:

Log into the CLI of the Cisco FMC and the Cisco FTD devices using a console connection or SSH.
Enter the configure network {ipv4 | ipv6} manual ip_address netmask data-interfaces command to change the management port on the Cisco FMC. For example, configure network ipv4 manual 10.10.10.10 255.255.255.0 data-interfaces changes the management port to 10.10.10.10/24.
Enter the configure network {ipv4 | ipv6} manual ip_address netmask gateway management-only command to change the management port on the Cisco FTD devices. For example, configure network ipv4 manual 10.10.10.11 255.255.255.0 10.10.10.10 management-only changes the management port to 10.10.10.11/24 and sets the gateway to the Cisco FMC’s management port.
Save the configuration and restart the Cisco FMC and the Cisco FTD devices.
Verify the connectivity between the Cisco FMC and the Cisco FTD devices using the show managers command on the Cisco FTD devices and the show devices command on the Cisco FMC.

References: Firepower Management Center Device Configuration Guide, 7.1 - Device Management; Change management port fmc 1600 - Cisco Community; Solved: FMC 2120 FTD Management Only Port - Cisco Community; Change the FMC Access Interface from Management to Data
Question # 37
Why is it important for the organization to have an endpoint patching strategy?
A. so the organization can identify endpoint vulnerabilities B. so the internal PSIRT organization is aware of the latest bugs C. so the network administrator is notified when an existing bug is encountered D. so the latest security fixes are installed on the endpoints
Answer: D
Question # 38
What is the target in a phishing attack?
A. perimeter firewall B. IPS C. web server D. endpoint
Answer: D

Explanation: The target in a phishing attack is the endpoint, which is the device or system that the user interacts with, such as a computer, smartphone, or tablet. Phishing attacks aim to steal or damage sensitive data by deceiving people into revealing personal information like passwords and credit card numbers, or clicking on malicious links or attachments that can install malware on the endpoint. Phishing attacks can be delivered through various channels, such as email, phone, or text message, but they all rely on social engineering techniques to manipulate the user’s trust and curiosity. By compromising the endpoint, attackers can gain access to the user’s accounts, files, network, or other resources. Therefore, endpoint security is essential to prevent phishing attacks and protect the user’s data and identity.

References: What Is a Phishing Attack? Definition and Types - Cisco; 8 types of phishing attacks and how to identify them; What Is Phishing? | Microsoft Security; Phishing | What Is Phishing?
Question # 39
A network engineer must configure a Cisco ESA to prompt users to enter two forms of information before gaining access. The Cisco ESA must also join a cluster machine using preshared keys. What must be configured to meet these requirements?
A. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco ESA CLI B. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco ESA GUI C. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the Cisco ESA GUI. D. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the Cisco ESA CLI
Answer: A

Explanation: Two-factor authentication is a security feature that requires users to provide two forms of information before gaining access to the Cisco ESA. The two factors are usually something the user knows, such as a password, and something the user has, such as a token or a code. Two-factor authentication can be enabled for specific user roles on the Cisco ESA through a RADIUS server, which is an external authentication server that supports the Remote Authentication Dial-In User Service (RADIUS) protocol. The RADIUS server can generate and validate the second factor for the users, such as a one-time password (OTP) or a time-based one-time password (TOTP). To enable two-factor authentication through a RADIUS server, the network engineer must configure the RADIUS server settings on the Cisco ESA, and assign the user roles that require two-factor authentication to use the RADIUS server as the authentication source. This can be done on the System Administration > Users page in the web interface, or by using the userconfig command in the CLI [1][2].

A cluster is a group of Cisco ESAs that share the same configuration information and can be managed centrally. A cluster can provide increased reliability, flexibility, and scalability for the email security system. To join a cluster, a Cisco ESA must have the same AsyncOS version as the other cluster members, and must use a pre-shared key to authenticate with the cluster leader. The pre-shared key is a secret passphrase that is configured on the cluster leader and must be entered on the joining appliance. To join a cluster by using the Cisco ESA CLI, the network engineer must use the clusterconfig command, which allows the engineer to create a new cluster, join an existing cluster, or leave a cluster. The clusterconfig command also allows the engineer to specify the communication port and the hostname or IP address of the cluster leader. If the Cisco ESA has enabled two-factor authentication, the network engineer must also use the clusterconfig > prepjoin command to configure the pre-shared key before joining the cluster [3][4].

Therefore, option A is the correct answer, and the other options are incorrect. Option B is incorrect because the cluster configuration options must be done via the CLI on the Cisco ESA and cannot be created or joined in the GUI. Option C is incorrect because the Cisco ESA does not support TACACS+ as an external authentication source, only LDAP and RADIUS. Option D is incorrect because it also uses TACACS+, which is not supported by the Cisco ESA.

References: User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - Distributing Administrative Tasks; User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - External Authentication; Configure an Email Security Appliance (ESA) Cluster; User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - Centralized Management
Question # 40
Email security has become a high priority task for a security engineer at a large multinational organization due to ongoing phishing campaigns. To help control this, the engineer has deployed an Incoming Content Filter with a URL reputation of (-10.00 to -6.00) on the Cisco ESA. Which action will the system perform to disable any links in messages that match the filter?
A. Defang B. Quarantine C. FilterAction D. ScreenAction
Answer: A

Explanation: Defanging is the process of modifying a URL in a message to prevent it from being clickable. This can help protect users from malicious links that have a low URL reputation score. Defanging is one of the actions that can be configured in the Incoming Content Filter on the Cisco ESA. The other actions are Quarantine, FilterAction, and ScreenAction. Quarantine sends the message to a quarantine area for further inspection. FilterAction applies a predefined action such as drop, bounce, or deliver. ScreenAction displays a warning message to the user before allowing them to access the URL. Defanging is the only action that disables the links in the message without affecting the delivery or visibility of the message [1][2].

References: 1: URL Filtering on the Cisco IronPort ESA – Mikail’s Blog; 2: Configure URL Filtering for Secure Email Gateway and Cloud Gateway - Cisco; https://www.cisco.com/c/dam/en/us/products/collateral/security/esa-contentfilters.pdf
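What "modifying a URL so it is not clickable" actually does to the text is worth seeing once. The added example below is not the ESA's implementation or any Cisco code; it applies the defanging convention analysts commonly use (`http` to `hxxp`, `://` to `[:]//`, dots in the host to `[.]`) to every URL found in a message body, leaves the surrounding prose intact, handles a URL followed by sentence punctuation, and provides the inverse so an analyst can restore the original for investigation. The sample message text is constructed.

```python
import re

# Match http/https/ftp URLs; the final class stops the match before trailing sentence
# punctuation so "see http://a.example.com." does not swallow the full stop.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']*[^\s<>\"'.,;:!?)]", re.IGNORECASE)


def defang_url(url):
    """Rewrite one URL so mail clients and browsers no longer treat it as a link.
    Only the scheme and host are altered; the path and query are kept for analysis."""
    scheme, _, rest = url.partition("://")
    scheme = scheme.lower().replace("http", "hxxp").replace("ftp", "fxp")
    host, sep, path = rest.partition("/")
    return f"{scheme}[:]//{host.replace('.', '[.]')}{sep}{path}"


def defang_message(text):
    """Defang every URL in a message body, leaving the rest of the text unchanged."""
    return URL_RE.sub(lambda m: defang_url(m.group(0)), text)


def refang(text):
    """Inverse transform for analysts who need the original indicator back."""
    return (text.replace("hxxp", "http").replace("fxp", "ftp")
                .replace("[:]//", "://").replace("[.]", "."))


if __name__ == "__main__":
    # Constructed phishing-style body; the hosts are documentation/test addresses, not real targets.
    body = "Your password expires today. Reset here: https://login.example.com/reset?x=1 now."
    print(defang_message(body))
```

Because the path and query survive, a defanged message still tells the recipient (and the SOC) where the link pointed, which is the property the explanation contrasts with Quarantine: the message is delivered and readable, but the link no longer works.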
Question # 41
An engineer must configure Cisco AMP for Endpoints so that it contains a list of files that should not be executed by users. These files must not be quarantined. Which action meets this configuration requirement?
A. Identify the network IPs and place them in a blocked list. B. Modify the advanced custom detection list to include these files. C. Create an application control blocked applications list. D. Add a list for simple custom detection.
Answer: C Explanation: Create an application control blocked applications list. This option allows you to specify a list of files that you want to prevent from running on the endpoints that have the AMP connector installed. The files are identified by their SHA-256 hashes, and you can upload them individually or in a batch. The files are not quarantined, but they are blocked from execution and reported as events in the AMP console. This option is different from the simple custom detection list, which is used to detect and quarantine specific files that are considered malicious. The advanced custom detection list is also used to detect and quarantine files, but it allows you to specify more criteria such as file size, file name, and file path. The IP block and allow lists are used to control the network traffic to and from the endpoints, not the file execution. References: 1: Configure Application Control on the AMP for Endpoints Portal; 2: Configure a Simple Custom Detection List on the AMP for Endpoints Portal; 3: Configure an Advanced Custom Detection List on the AMP for Endpoints Portal; 4: Configure IP Block and Allow Lists on the AMP for Endpoints Portal
Question # 42
Which VMware platform does Cisco ACI integrate with to provide enhanced visibility, provide policy integration and deployment, and implement security policies with access lists?
A. VMware APIC B. VMware vRealize C. VMware Fusion D. VMware Horizons
Answer: A Explanation: VMware APIC is a platform that integrates with Cisco ACI to provide enhanced visibility, policy integration and deployment, and security policies with access lists. VMware APIC is a virtual appliance that runs on VMware vSphere and communicates with the Cisco APIC controller. VMware APIC allows administrators to create and manage Cisco ACI policies for VMware virtual machines and networks. VMware APIC also provides a unified view of the physical and virtual network topology, health, and statistics. VMware APIC supports the following modes of Cisco ACI and VMware integration: VMware VDS: when integrated with Cisco ACI, the VMware vSphere Distributed Switch (VDS) enables administrators to configure VM networking in the ACI fabric. Cisco ACI Virtual Edge: Cisco ACI Virtual Edge is a distributed service that provides Layer 4 to Layer 7 services for applications running on VMware vSphere. Cisco Application Virtual Switch (AVS): Cisco AVS is a distributed virtual switch that provides policy-based network services for VMware vSphere environments. References: Cisco ACI with VMware VDS Integration; Cisco ACI and VMware NSX-T Data Center Integration; Cisco ACI and VMware: The Perfect Pair; Setting the Record Straight: Confusion about ACI on VMware Technologies
Question # 43
Which Cisco WSA feature supports access control using URL categories?
A. transparent user identification B. SOCKS proxy services C. web usage controls D. user session restrictions
Answer: C Web usage controls are a feature of Cisco Web Security Appliance (WSA) that allow administrators to define and enforce policies for web access based on URL categories. URL categories are groups of websites that share a common theme or content, such as news, sports, entertainment, etc. Cisco WSA uses the Cisco Dynamic Content Analysis Engine and the Talos Security Intelligence and Research Group to provide accurate and up-to-date URL categorization. Administrators can use the web usage controls to allow, block, warn, or monitor web requests based on the URL category of the destination website. They can also create custom URL categories to include or exclude specific domains or URLs from the predefined categories. Web usage controls help administrators to control web traffic, enhance security, improve productivity, and comply with regulatory and organizational requirements. References: Web Usage Controls - Cisco Web Security Appliance User Guide, Cisco; Cisco Web Usage Control Filtering Categories Data Sheet, Cisco; Define Custom URL Categories in WSA, Cisco
Question # 44
Which API method and required attribute are used to add a device into Cisco DNA Center with the native API?
A. GET and serialNumber B. userSudiSerlalNos and deviceInfo C. POST and name D. lastSyncTime and pid
Answer: C To add a device into Cisco DNA Center with the native API, the POST method and the name attribute are required. The POST method is used to create a new resource on the server, such as a device. The name attribute is used to specify the hostname or IP address of the device to be added. The POST method requires a JSON body that contains the device information, such as the name, type, role, credentials, and other optional parameters. The Cisco DNA Center API documentation provides an example of the JSON body and the response for adding a device. The Cisco DNA Center Platform User Guide also explains how to use the native API to add devices. References: 1: Cisco DNA Center API Documentation - Add Device; 2: Cisco DNA Center Platform User Guide, Release 2.3.5 - Manage Devices Using the Native API
Question # 45
What is a benefit of a Cisco Secure Email Gateway Virtual as compared to a physical Secure Email Gateway?
A. simplifies the distribution of software updates B. provides faster performance C. provides an automated setup process D. enables the allocation of additional resources
Answer: D Explanation: One of the benefits of a Cisco Secure Email Gateway Virtual appliance compared to a physical one is the ability to allocate additional resources as needed. Virtual appliances can be easily scaled up by allocating more CPU, memory, or storage resources, providing flexibility and scalability in response to changing demands or growth.
Question # 46
A network administrator is modifying a remote access VPN on an FTD managed by an FMC. The administrator wants to offload traffic to certain trusted domains. The administrator wants this traffic to go out of the client's local internet and send other internet-bound traffic over the VPN. Which feature must the administrator configure?
A. dynamic split tunneling B. local LAN access C. dynamic access policies D. reverse route injection
Answer: A In a remote access VPN configuration, dynamic split tunneling allows traffic to certain trusted domains to bypass the VPN tunnel and exit through the client's local internet gateway. This feature selectively directs only the necessary traffic over the VPN, while allowing direct internet access for specific domains or traffic deemed safe or trusted, optimizing bandwidth and performance for remote users.
Question # 47
A network security engineer must export packet captures from the Cisco FMC web browser while troubleshooting an issue. When navigating to the address https://<FMCIP>/capure/CAPI/pcap/test.pcap, an error 403: Forbidden is given instead of the PCAP file. Which action must the engineer take to resolve this issue?
A. Disable the proxy setting on the browser B. Disable the HTTPS server and use HTTP instead C. Use the Cisco FTD IP address as the proxy server setting on the browser D. Enable the HTTPS server for the device platform policy
Answer: D The error 403: Forbidden indicates that the web server denied access to the requested resource, which in this case is the PCAP file. One possible reason for this error is that the HTTPS server is not enabled for the device platform policy, which is a configuration that applies to the FTD devices managed by the FMC. The device platform policy defines the settings for the management interface, the SSH access, the SNMP, the NTP, the DNS, and the HTTPS server. The HTTPS server allows the FMC to access the FTD devices via HTTPS and perform tasks such as packet capture, packet tracer, and file transfer. If the HTTPS server is not enabled for the device platform policy, the FMC cannot access the PCAP file from the FTD device via HTTPS. Therefore, the engineer must enable the HTTPS server for the device platform policy in order to resolve this issue. To enable the HTTPS server for the device platform policy, the engineer must follow these steps: log in to the FMC web interface and navigate to Devices > Platform Settings; select the device platform policy that applies to the FTD device and click Edit; in the General tab, check the Enable HTTPS Server checkbox and click Save; deploy the policy changes to the FTD device and wait for the deployment to complete; try to access the PCAP file again from the FMC web browser using the same address. Alternatively, the engineer can also enable the HTTPS server for the FTD device from the FTD CLI using the command configure network https-server enable. However, this method is not recommended because it may cause a configuration conflict with the FMC. References: 1: Use Firepower Threat Defense Captures and Packet Tracer - Cisco; 2: Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.6 - Device Management Basics [Cisco Firepower NGFW] - Cisco; 3: Cisco Firepower Threat Defense Command Reference - C through D Commands [Cisco Firepower NGFW] - Cisco
Question # 48
Which Cisco security solution determines if an endpoint has the latest OS updates and patches installed on the system?
A. Cisco Endpoint Security Analytics B. Cisco AMP for Endpoints C. Endpoint Compliance Scanner D. Security Posture Assessment Service
Answer: B Cisco AMP for Endpoints is the Cisco security solution that determines if an endpoint has the latest OS updates and patches installed on the system. Cisco AMP for Endpoints is a cloud-based endpoint protection platform that provides advanced malware prevention, detection, and response capabilities. One of the features of Cisco AMP for Endpoints is the Endpoint Compliance Scanner, which allows administrators to create and enforce policies that check the compliance status of endpoints based on various criteria, such as OS version, patch level, antivirus status, firewall status, and more. The Endpoint Compliance Scanner can also remediate non-compliant endpoints by applying patches, updating antivirus signatures, enabling firewall, and so on. By using the Endpoint Compliance Scanner, administrators can ensure that all endpoints are up to date and secure against known vulnerabilities and threats. References: Cisco AMP for Endpoints; Endpoint Compliance Scanner; Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 4: Endpoint Protection and Detection
Question # 49
Based on the NIST 800-145 guide, which cloud architecture is provisioned for exclusive use by a specific group of consumers from different organizations and may be owned, managed, and operated by one or more of those organizations?
A. hybrid cloud B. private cloud C. community cloud D. public cloud
Answer: C
According to the NIST 800-145 guide, a community cloud is a cloud infrastructure that is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. A community cloud differs from a private cloud, which is provisioned for exclusive use by a single organization, and a public cloud, which is provisioned for open use by the general public. A hybrid cloud is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). References: 1: NIST SP 800-145, The NIST Definition of Cloud Computing, page 3.
Question # 50
An administrator configures a new destination list in Cisco Umbrella so that the organization can block specific domains for its devices. What should be done to ensure that all subdomains of domain.com are blocked?
A. Configure the *.com address in the block list. B. Configure the *.domain.com address in the block list C. Configure the *.domain.com address in the block list D. Configure the domain.com address in the block list
Answer: D To block all subdomains of domain.com, the administrator should configure the domain.com address in the block list. This is because Umbrella automatically applies a left side and right side wildcard to every domain in a block or allow destination list. Therefore, adding domain.com to a block list will result in requests to domain.com or its subdomains, such as www.domain.com, being blocked. Adding a wildcard character (*) is not supported and will not work. Adding the *.com address in the block list will block all domains that end with .com, which is not the desired outcome. References: Understanding Destination lists supported entries and error messages; Wildcards and Destination Lists
Question # 51
What is a description of microsegmentation?
A. Environments deploy a container orchestration platform, such as Kubernetes, to manage the application delivery. B. Environments apply a zero-trust model and specify how applications on different servers or containers can communicate. C. Environments deploy centrally managed host-based firewall rules on each server or container. D. Environments implement private VLAN segmentation to group servers with similar applications.
Answer: B Microsegmentation is a network security strategy that breaks a network into smaller network “segments” to boost security and control over data traffic. Unlike traditional network security, which primarily defends the network’s outer boundaries, microsegmentation focuses on securing individual workloads and devices within the network. Microsegmentation uses an allow-list model to significantly reduce the attack surface across different workload types and environments. Microsegmentation is also referred to as application segmentation or east-west segmentation in a multicloud data center. Option B is the correct description of microsegmentation, as it captures the essence of applying a zero-trust model and specifying how applications on different servers or containers can communicate. Option A is incorrect, as deploying a container orchestration platform is not a sufficient condition for microsegmentation. Option C is incorrect, as deploying host-based firewall rules is not a necessary condition for microsegmentation. Option D is incorrect, as implementing private VLAN segmentation is a different technique from microsegmentation. References: An Introduction to Microsegmentation in Network Security; What Is Micro-Segmentation? - Cisco; What Is Microsegmentation? - Palo Alto Networks; What Is Microsegmentation in Networking? Beginner’s Guide.
Question # 52
Which two protocols must be configured to authenticate end users to the Cisco WSA? (Choose two.)
A. TACACS+ B. CHAP C. NTLMSSP D. RADIUS E. Kerberos
Answer: C,E The Cisco WSA supports mainly two authentication protocols: LDAP and NTLM. LDAP is a standard protocol for accessing directory services, such as Active Directory or OpenLDAP. NTLM is a proprietary protocol for authenticating Windows clients to Windows servers. NTLM has two versions: NTLMv1 and NTLMv2. NTLMSSP (NT LAN Manager Security Support Provider) is a variant of NTLMv2 that provides additional security features, such as message integrity and confidentiality. The Cisco WSA supports both LDAP and NTLMSSP using basic authentication, which requires the user to enter a username and password. The Cisco WSA also supports Kerberos, which is a network authentication protocol that uses tickets to authenticate users and services. Kerberos is based on symmetric-key cryptography and requires a trusted third party, called the Key Distribution Center (KDC), to issue and validate tickets. Kerberos is more secure and efficient than NTLM, as it does not require the user to enter credentials repeatedly and does not send passwords over the network. The Cisco WSA supports Kerberos only in standard mode, not in cloud connector mode. The Cisco WSA does not support TACACS+ or CHAP as authentication protocols. TACACS+ is a Cisco proprietary protocol for authenticating network devices and users to a central server. CHAP is a challenge-response protocol for authenticating PPP connections. These protocols are not designed for web security appliances and are not compatible with the Cisco WSA. References: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances (Section: Acquire End-User Credentials); Cisco WSA Authentication; WSA Authentication
Question # 53
What are two ways that Cisco Container Platform provides value to customers who utilize cloud service providers? (Choose two.)
A. Allows developers to create code once and deploy to multiple clouds B. helps maintain source code for cloud deployments C. manages Docker containers D. manages Kubernetes clusters E. Creates complex tasks for managing code
Answer: A,D Cisco Container Platform (CCP) is a solution that simplifies the deployment and management of containerized applications across multiple clouds. It provides the following benefits to customers who utilize cloud service providers: Allows developers to create code once and deploy to multiple clouds. CCP is based on open source components, such as Kubernetes and Docker, that are compatible with various cloud platforms. This enables developers to write code once and run it anywhere, without worrying about the underlying infrastructure or vendor lock-in. CCP also supports hybrid and multicloud scenarios, allowing customers to leverage the best features of different cloud providers and optimize their costs and performance. Manages Kubernetes clusters. CCP automates the installation, configuration, and maintenance of Kubernetes clusters, which are groups of nodes that run containerized applications. CCP provides a simple GUI-driven menu system to deploy clusters, as well as automated monthly updates for bug fixes, feature enhancements, and security patches. CCP also offers a choice of networking solutions, such as Cisco ACI, Calico, or Contiv, to connect and secure the clusters. CCP also integrates with Cisco AppDynamics and Prometheus for visibility and monitoring of the clusters and applications. References: Cisco Container Platform - Cisco; Cisco Container Platform - At-a-Glance - Cisco
Question # 54
An engineer is configuring their router to send NetFlow data to Stealthwatch, which has an IP address of 1.1.1.1, using the flow record Stealthwatch406397954 command. Which additional command is required to complete the flow record?
A. transport udp 2055 B. match ipv4 ttl C. cache timeout active 60 D. destination 1.1.1.1
Answer: D The destination command is required to complete the flow record and specify the IP address of the Stealthwatch collector that will receive the NetFlow data. The transport udp 2055 command is also needed, but it is part of the flow exporter configuration, not the flow record. The match ipv4 ttl and cache timeout active 60 commands are optional and can be used to customize the flow record, but they are not mandatory. The flow record defines the fields that are collected and exported for each flow, such as source and destination IP addresses, ports, protocols, etc. The flow exporter defines the destination, source, transport protocol, and port for sending the NetFlow data. The flow monitor binds the flow record and the flow exporter together and applies them to an interface. The following is an example of a complete NetFlow configuration for sending data to Stealthwatch:

flow exporter EXPORTER
 description Export NetFlow to Stealthwatch
 destination 1.1.1.1
 export-protocol netflow-v9
 source Vlan100
 transport udp 2055
!
flow record RECORD
 description NetFlow record
 match datalink mac source address input
 match datalink mac destination address input
 match datalink vlan input
 match ipv4 ttl
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
flow monitor IPv4_NETFLOW
 record RECORD
 exporter EXPORTER
 cache timeout active 60
!
interface <>
 ip flow monitor IPv4_NETFLOW input
!

References: Configuring and Troubleshooting NetFlow for Stealthwatch; Cisco NetFlow Configuration; Building a Better Monitoring Solution with Flexible Netflow
Question # 55
A large organization wants to deploy a security appliance in the public cloud to form a site-to-site VPN and link the public cloud environment to the private cloud in the headquarters data center. Which Cisco security appliance meets these requirements?
A. Cisco Cloud Orchestrator B. Cisco ASAV C. Cisco WSAV D. Cisco Stealthwatch Cloud
Answer: B
Question # 56
Which feature is used in a push model to allow for session identification, host reauthentication, and session termination?
A. AAA attributes B. CoA request C. AV pair D. carrier-grade NAT
Answer: B A CoA request is a network protocol message used in the context of network access control and authentication systems. It is typically employed in scenarios where a user’s access privileges or attributes need to be modified during an active network session. CoA requests are commonly used in conjunction with the RADIUS protocol, which is widely used for managing user authentication and authorization in network environments. When a CoA request is initiated, it is sent by a network access server (NAS) to a RADIUS server to request a change in the user’s authorization state or attributes. The CoA request contains information specifying the desired change, such as granting additional access privileges, revoking existing privileges, modifying session parameters, or updating user attributes. The RADIUS server processes the CoA request and applies the necessary changes to the user’s session in real-time, allowing dynamic adjustments to the user’s authorization and network access. CoA requests are often utilized in scenarios where an administrator needs to promptly update a user’s access rights without requiring them to terminate their current session. This flexibility is particularly valuable in environments that demand fine-grained access control or where access privileges need to be adjusted based on changing circumstances or policies. References: RADIUS Change of Authorization - Cisco
Question # 57
Which problem is solved by deploying a multicontext firewall?
A. overlapping IP addressing plan B. more secure policy C. resilient high availability design D. faster inspection
Answer: A A multicontext firewall is a feature that allows a single physical firewall to be divided into multiple virtual firewalls, also known as security contexts. Each context operates as an independent device, with its own security policy, interfaces, and administrators. This feature is useful for service providers, large enterprises, or any network that requires more than one firewall. One of the problems that a multicontext firewall can solve is an overlapping IP addressing plan. This means that different contexts can use the same IP addresses without causing conflicts, as long as they are separated by different interfaces or VLANs. This allows for more efficient use of IP address space and easier management of multiple networks. A multicontext firewall can also support dynamic routing protocols and VPNs within each context, providing more flexibility and functionality. References: 1: What Are Multi-Context Firewalls? - Franklin Fitch; 2: Multiple Context Mode - Cisco
Question # 58
Which DoS attack uses fragmented packets in an attempt to crash a target machine?
A. teardrop B. smurf C. LAND D. SYN flood
Answer: A A teardrop attack is a type of DoS attack that uses fragmented packets in an attempt to crash a target machine. The attacker sends IP packets that are deliberately malformed, such that the fragments overlap or have invalid offsets. When the target machine tries to reassemble the packets, it encounters an error or a buffer overflow, resulting in a system crash or a denial of service. Teardrop attacks exploit a vulnerability in the TCP/IP fragmentation reassembly process, which is responsible for splitting and recombining large packets that exceed the maximum transmission unit (MTU) size. Teardrop attacks can affect various operating systems, such as Windows, Linux, and BSD, depending on the implementation of the TCP/IP stack. Teardrop attacks are also known as IP fragmentation attacks or overlapping fragment attacks. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.2: Cloud Security Threats, Topic 5.2.2: DoS Attacks; What is an IP Fragmentation Attack (Teardrop ICMP/UDP); Teardrop Attack - Radware; What Is a Teardrop Attack? | F5; Reference: https://www.radware.com/security/ddos-knowledge-center/ddospedia/teardropattack
Question # 59
What is a functional difference between Cisco Secure Endpoint and Cisco Umbrella Roaming Client?
A. Secure Endpoint authenticates users and provides segmentation, and the Umbrella Roaming Client allows only for VPN connectivity. B. Secure Endpoint stops and tracks malicious activity on hosts, and the Umbrella Roaming Client tracks only URL-based threats. C. The Umbrella Roaming Client authenticates users and provides segmentation, and Secure Endpoint allows only for VPN connectivity. D. The Umbrella Roaming Client stops and tracks malicious activity on hosts, and Secure Endpoint tracks only URL-based threats.
Answer: B The functional difference between Cisco Secure Endpoint (formerly known as AMP for Endpoints) and Cisco Umbrella Roaming Client lies in their approach to security. Cisco Secure Endpoint is designed to prevent, detect, and respond to threats on the endpoint devices. It provides comprehensive protection by stopping and tracking malicious files and activities on hosts, utilizing continuous analysis and retrospective security to address threats at various stages of the attack continuum. On the other hand, Cisco Umbrella Roaming Client is focused on DNS and IP layer enforcement to prevent internet-based threats before a connection is established. It primarily tracks and blocks URL-based threats by enforcing security at the DNS layer, thus preventing access to malicious domains. Therefore, while Secure Endpoint provides broad endpoint protection against a variety of threats, the Umbrella Roaming Client specifically targets URL-based threats.
Question # 60
What is the purpose of the Trusted Automated exchange cyber threat intelligence industry standard?
A. public collection of threat intelligence feeds B. threat intelligence sharing organization C. language used to represent security information D. service used to exchange security information
Answer: D Trusted Automated eXchange of Intelligence Information (TAXII) is a collection of services and message exchanges that enable the sharing of cyber threat intelligence across product, service, and organizational boundaries. It is designed to support the exchange of CTI represented in STIX, but is not limited to STIX. TAXII defines an API that aligns with common sharing models, such as hub-and-spoke, peer-to-peer, and subscribe/publish. TAXII is not a public collection of threat intelligence feeds, a threat intelligence sharing organization, or a language used to represent security information. Those are possible descriptions of STIX, which is a complementary standard to TAXII. References: STIX and TAXII Approved as OASIS Standards to Enable Automated Exchange of Cyber Threat Intelligence; STIX V2.1 and TAXII V2.1 OASIS Standards are published; What is STIX/TAXII? | Cloudflare; What is STIX / TAXII? Learn about the industry standards for Cyber …; What are STIX/TAXII Standards | Resources | Anomali
Question # 61
A network administrator has configured TACACS on a network device using the key Cisc0467380030 for authentication purposes. However, users are unable to authenticate. The TACACS server is reachable, but authentication is failing. Which configuration step must the administrator complete?
A. Implement synchronized system clock on TACACS server that matches the network device. B. Install a compatible operating system version on the TACACS server. C. Configure the TACACS key on the server to match with the network device. D. Apply an access control list on TACACS server to allow communication with the network device.
Answer: C For TACACS authentication to work, the key configured on the network device must match the key configured on the TACACS server. If users are unable to authenticate despite the TACACS server being reachable, it is likely due to a mismatch in the keys. Ensuring that both the network device and the TACACS server have the same key configured is crucial for successful authentication.
Question # 62
What must be configured on Cisco Secure Endpoint to create a custom detection file list to detect and quarantine future files?
A. Use the simple custom detection feature and add each detection to the list. B. Add a network IP block allowed list to the configuration and add the blocked files. C. Create an advanced custom detection and upload the hash of each file D. Configure an application control allowed applications list to block the files
Answer: C In Cisco Secure Endpoint, to create a custom detection file list for detecting and quarantining future files, an advanced custom detection should be created, and the hash of each file to be detected and quarantined should be uploaded. This allows the system to uniquely identify and take action on files based on their hash values, providing a precise method for targeting specific malicious or unwanted files.
Question # 63
Which method must be used to connect Cisco Secure Workload to external orchestrators at a client site when the client does not allow incoming connections?
A. source NAT B. reverse tunnel C. GRE tunnel D. destination NAT
Answer: B To connect Cisco Secure Workload to external orchestrators at a client site where incoming connections are not allowed, a reverse tunnel must be used. A reverse tunnel initiates the connection from the inside of the client's network out to the external orchestrator, thereby bypassing restrictions on incoming connections and enabling secure communication.