Practice Free 300-710 Exam Online Questions
An engineer is building a new access control policy in Cisco FMC. The policy must inspect traffic with a unique IPS policy and log rule matches.
Which action must be taken to meet these requirements?
- A . Configure an IPS policy and enable per-rule logging.
- B . Disable the default IPS policy and enable global logging.
- C . Configure an IPS policy and enable global logging.
- D . Disable the default IPS policy and enable per-rule logging.
An administrator receives reports that users cannot access a cloud-hosted web server. The access control policy was recently updated with several new policy additions and URL filtering.
What must be done to troubleshoot the issue and restore access without sacrificing the organization’s security posture?
- A . Create a new access control policy rule to allow ports 80 and 443 to the FQDN of the web server.
- B . Identify the blocked traffic in the Cisco FMC connection events to validate the block, and modify the policy to allow the traffic to the web server.
- C . Verify the blocks using the packet capture tool and create a rule with the action monitor for the traffic.
- D . Download a PCAP of the traffic attempts to verify the blocks and use the flexconfig objects to create a rule that allows only the required traffic to the destination server.
What is a limitation to consider when running a dynamic routing protocol on a Cisco FTD device in IRB mode?
- A . Only link-state routing protocols are supported.
- B . Only distance vector routing protocols are supported.
- C . Only EtherChannel interfaces are supported.
- D . Only nonbridge interfaces are supported.
D
Explanation:
Integrated routing and bridging (IRB) lets a Cisco FTD device in routed mode route between bridge groups, and between a bridge group and regular routed interfaces. A bridge group is a logical container for one or more physical or logical interfaces that share the same Layer 2 broadcast domain; the bridge group virtual interface (BVI) carries the group's IP address. The limitation is that dynamic routing protocols run only on nonbridge (regular routed) interfaces: neither the BVI nor the bridge group member interfaces can form adjacencies with routing peers, so reachability to the BVI subnet has to be provided with static routes, while the routing protocol packets are sent and received on the nonbridge interfaces and the bridge group forwards only data traffic.
An administrator is optimizing the Cisco FTD rules to improve network performance, and wants to bypass inspection for certain traffic types to reduce the load on the Cisco FTD.
Which policy must be configured to accomplish this goal?
- A . prefilter
- B . intrusion
- C . identity
- D . URL filtering
When an engineer captures traffic on a Cisco FTD to troubleshoot a connectivity problem, they receive a large amount of output data in the GUI tool. The engineer found that viewing the captures this way is time-consuming and difficult to sort and filter.
Which file type must the engineer export the data in so that it can be reviewed using a tool built for this type of analysis?
- A . NetFlow v9
- B . PCAP
- C . NetFlow v5
- D . IPFIX
B
Explanation:
When capturing traffic on a Cisco FTD device to troubleshoot a connectivity problem, the file type to export for review in a purpose-built tool is PCAP. PCAP (packet capture) is the libpcap file format used to store network packet data captured from a network interface. A PCAP file contains the raw bytes of each captured packet, headers and payload, together with a per-packet timestamp and length.
PCAP files are widely used in network analysis and troubleshooting. They let administrators, analysts, and researchers inspect network traffic for purposes such as diagnosing connectivity issues, detecting malicious activity, measuring performance, and understanding protocols. They can be opened by any application that understands the format, such as Wireshark, tcpdump, CA NetMaster, or Microsoft Network Monitor, which provide the sorting, filtering and protocol decoding that the FMC GUI does not.
The other options are incorrect because:
NetFlow v9 is not a file type but a protocol for collecting and exporting information about network flows. A flow is a sequence of packets that share attributes such as source and destination IP addresses, ports, and protocol. NetFlow v9 records carry summary information about each flow (start and end times, byte counts, packet counts, and so on), not the raw packet data.
NetFlow v5 is not a file type but an earlier version of the NetFlow protocol. Its records carry similar information to NetFlow v9 with fewer fields and a fixed layout, and likewise do not contain raw packet data.
IPFIX (IP Flow Information Export) is not a file type but an IETF flow-export protocol derived from NetFlow v9, with a more extensible template model. Its records carry flow summaries with more fields and more flexibility than NetFlow v9, but still no raw packet data.
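PCAP versus flow records, as an added example (written for this page, not from the page itself or from Cisco): a small libpcap reader that decodes each Ethernet/IPv4 frame and rolls the packets up into NetFlow-style 5-tuple records with packet and byte counts. The pcap bytes are constructed inline (the addresses, ports and timestamps are invented for the example), which also makes the point the explanation relies on: a flow summary can be derived from a capture, but a capture cannot be recovered from flow records, because the per-packet headers and payloads are gone.

```python
"""Read a libpcap file, decode Ethernet/IPv4 + TCP/UDP headers, and aggregate
NetFlow-style 5-tuple flow summaries.  The sample capture is built inline
(constructed data, not a real capture)."""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_packet(src, dst, sport, dport, payload=b"", proto=6):
    """Build an Ethernet/IPv4/TCP (proto 6) or UDP (proto 17) frame.
    Checksums are left at zero; that is fine for a parsing example."""
    if proto == 6:
        # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + l4


def build_pcap(frames, ts0=1_700_000_000):
    """Serialise frames into a little-endian pcap byte string, one second apart."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, included length, original length
        out += struct.pack("<IIII", ts0 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield (timestamp, frame_bytes) from a pcap file, handling both byte orders
    and refusing files that are not pcap or are cut off mid-record."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled in this example")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl]
        if len(frame) < incl:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl
        yield ts_sec + ts_usec / 1e6, frame


def decode(frame):
    """Return (src, dst, proto, sport, dport) for an IPv4 frame, else None.
    Ports are None for protocols other than TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, dst, proto, sport, dport
    return src, dst, proto, None, None


def flow_records(data):
    """Aggregate a pcap into NetFlow-like records keyed by 5-tuple: this is
    exactly the information a flow exporter keeps, and nothing more."""
    flows = {}
    for ts, frame in iter_packets(data):
        key = decode(frame)
        if key is None:
            continue
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        rec["packets"] += 1
        rec["bytes"] += len(frame)
        rec["last"] = ts
    return flows


if __name__ == "__main__":
    sample = build_pcap([
        build_packet("10.1.1.10", "172.1.1.50", 51000, 443, b"GET"),
        build_packet("10.1.1.10", "172.1.1.50", 51000, 443, b"x" * 100),
        build_packet("172.1.1.50", "10.1.1.10", 443, 51000, b"y" * 40),
    ])
    for key, rec in flow_records(sample).items():
        print(key, rec)
```

Drop a real capture from the FTD into `iter_packets()` and you get the packet payloads back for Wireshark-style inspection; feed the same file to `flow_records()` and you get the NetFlow/IPFIX view, which is sufficient to answer "did the host talk to 172.1.1.50 on 443 and how much" but not "what did it send".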
A security engineer is deploying a pair of primary and secondary Cisco FMC devices. The secondary must also receive updates from Cisco Talos.
Which action achieves this goal?
- A . Force failover for the secondary Cisco FMC to synchronize the rule updates from the primary.
- B . Configure the secondary Cisco FMC so that it receives updates from Cisco Talos.
- C . Manually import rule updates onto the secondary Cisco FMC device.
- D . Configure the primary Cisco FMC so that the rules are updated.
An engineer is configuring Cisco FMC and wants to allow multiple physical interfaces to be part of the same VLAN. The managed devices must be able to perform Layer 2 switching between interfaces, including sub-interfaces.
What must be configured to meet these requirements?
- A . interface-based VLAN switching
- B . inter-chassis clustering VLAN
- C . integrated routing and bridging
- D . Cisco ISE Security Group Tag
An engineer plans to reconfigure an existing Cisco FTD from transparent mode to routed mode.
Which additional action must be taken to maintain communication between the two network segments?
- A . Configure a NAT rule so that traffic between the segments is exempt from NAT.
- B . Update the IP addressing so that each segment is a unique IP subnet.
- C . Deploy inbound ACLs on each interface to allow traffic between the segments.
- D . Assign a unique VLAN ID for the interface in each segment.
B
Explanation:
When reconfiguring an existing Cisco FTD from transparent mode to routed mode, the additional action required to keep the two segments talking is to update the IP addressing so that each segment is a unique IP subnet. In transparent mode the FTD is a Layer 2 bump in the wire: both segments sit in one broadcast domain and share one subnet, and the device itself needs only a BVI address for management. In routed mode the FTD is a Layer 3 hop, each interface needs its own address on a distinct subnet, and the hosts on each segment must use that interface address as their gateway to reach the other segment.
The other options are incorrect because:
A NAT exemption rule is not necessary. Routed mode translates nothing unless a NAT rule says so, so traffic between the two segments is forwarded with its original addresses by default; NAT rules change addresses, they do not create Layer 3 reachability.
Deploying inbound ACLs on each interface is not what restores communication. The access control policy already governs which traffic between the segments is allowed in either mode, and the mode change does not by itself require new rules; ACLs filter traffic, they do not make a single flat subnet routable across a Layer 3 hop.
Assigning a unique VLAN ID per segment is not relevant. 802.1Q subinterfaces are supported in both transparent and routed mode and only separate Layer 2 domains; tagging does nothing to give each segment the distinct IP subnet that routing requires.
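As an added illustration of the addressing change (constructed for this page, not taken from it or from Cisco documentation), the same two segments are shown below as they would appear in Lina-style `show running-config` output on an FTD, first in transparent mode and then in routed mode. Interface names, `nameif` values and addresses are assumptions chosen for the example.

```text
! Transparent mode: one subnet, both interfaces in bridge group 1,
! a single BVI address used only for management of the FTD itself.
firewall transparent
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
interface BVI1
 ip address 192.168.1.254 255.255.255.0
! Hosts on both sides: 192.168.1.0/24, default gateway = upstream router

! Routed mode: each interface carries its own address on a distinct subnet
! and becomes the gateway for the hosts on that segment.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
! Hosts on inside: renumber to 192.168.2.0/24, default gateway 192.168.2.1
! Hosts on outside: remain 192.168.1.0/24, route to 192.168.2.0/24 via 192.168.1.1
```

Note that no NAT statement appears in the routed-mode fragment: with the subnets distinct and routes in place, the FTD forwards between the segments untranslated, subject only to the access control policy.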
Refer to the exhibit.
What must be done to fix access to this website while preventing the same communication to all other websites?
- A . Create an intrusion policy rule to have Snort allow port 80 to only 172.1.1.50.
- B . Create an access control policy rule to allow port 80 to only 172.1.1.50.
- C . Create an intrusion policy rule to have Snort allow port 443 to only 172.1.1.50.
- D . Create an access control policy rule to allow port 443 to only 172.1.1.50.
An engineer must configure high availability for the Cisco Firepower devices. The current network topology does not allow for two devices to pass traffic concurrently.
How must the devices be implemented in this environment?
- A . in active/active mode
- B . in a cluster with a spanned EtherChannel
- C . in active/passive mode
- D . in cluster interface mode