Practice Free 300-710 Exam Online Questions
Encrypted Visibility Engine (EVE) is enabled under which tab on an access control policy in Cisco Secure Firewall Management Center?
- A . Network Analysis Policy
- B . Advanced
- C . Security Intelligence
- D . SSL
D
Explanation:
The Encrypted Visibility Engine (EVE) in Cisco Secure Firewall Management Center is enabled under the SSL tab of an access control policy. EVE provides visibility into encrypted traffic, allowing the firewall to detect threats even when traffic is encrypted.
Steps to enable EVE:
Navigate to the access control policy in FMC.
Go to the SSL tab.
Enable Encrypted Visibility Engine (EVE) to analyze encrypted traffic.
This configuration helps in identifying and mitigating threats within encrypted traffic without the need for full decryption.
Reference: Cisco Secure Firewall Management Center Configuration Guide, Chapter on SSL and Encrypted Traffic Visibility.
A network administrator notices that remote access VPN users are not reachable from inside the network. It is determined that routing is configured correctly; however, return traffic is entering the firewall but not leaving it.
What is the reason for this issue?
- A . A manual NAT exemption rule does not exist at the top of the NAT table.
- B . An external NAT IP address is not configured.
- C . An external NAT IP address is configured to match the wrong interface.
- D . An object NAT exemption rule does not exist at the top of the NAT table.
A
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html
Refer to the exhibit.
A Cisco Secure Firewall Threat Defense (FTD) device is deployed in inline mode with an inline set. The network engineer wants router R2 to remove the directly connected route 192.168.1.0/24 from its routing table when the cable between router R1 and the Secure FTD device is disconnected.
Which action must the engineer take?
- A . Implement the Propagate Link State option on the Secure FTD device
- B . Establish a routing protocol between R1 and R2.
- C . Disable hardware bypass on the Secure FTD device.
- D . Implement autostate functionality on the Gi0/2 interface of R2
A
Explanation:
To ensure that router R2 removes the directly connected route for 192.168.1.0/24 from its routing table when the cable between router R1 and the Secure FTD device is disconnected, the network engineer must implement the "Propagate Link State" option on the Secure FTD device. This option allows the FTD to propagate the link state changes to adjacent devices, ensuring that the disconnection is recognized and the routing table is updated accordingly.
Steps:
Access the FTD device configuration via FMC.
Navigate to the interface settings for the relevant interfaces.
Enable the "Propagate Link State" option for the interfaces connected to R1 and R2.
Deploy the changes to the FTD device.
This configuration ensures that the link state changes are communicated to router R2, prompting it to remove the disconnected route from its routing table.
Reference: Cisco Secure Firewall Threat Defense Configuration Guide, Chapter on Interface Settings and Link State Propagation.
Which two remediation options are available when Cisco FMC is integrated with Cisco ISE? (Choose two.)
- A . dynamic null route configured
- B . DHCP pool disablement
- C . quarantine
- D . port shutdown
- E . host shutdown
CD
Explanation:
Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/210524-configure-firepower-6-1-pxgrid-remediati.html
Which two deployment types support high availability? (Choose two.)
- A . transparent
- B . routed
- C . clustered
- D . intra-chassis multi-instance
- E . virtual appliance in public cloud
AB
Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/firepower_threat_defense_high_availability.html
An engineer is troubleshooting application failures through an FTD deployment. While using the FMC CLI, it has been determined that the traffic in question is not matching the desired policy.
What should be done to correct this?
- A . Use the system support firewall-engine-debug command to determine which rules the traffic is matching and modify the rule accordingly.
- B . Use the system support application-identification-debug command to determine which rules the traffic is matching and modify the rule accordingly.
- C . Use the system support firewall-engine-dump-user-identity-data command to change the policy and allow the application through the firewall.
- D . Use the system support network-options command to fine tune the policy.
A software development company hosts the website http:dev.company.com for contractors to share code for projects they are working on with internal developers. The web server is on premises and is protected by a Cisco Secure Firewall Threat Defense appliance. The network administrator is worried about someone trying to transmit infected files to internal users via this site.
Which type of policy must be associated with an access control policy to enable Cisco Secure Firewall Malware Defense to detect and block malware?
- A . SSL policy
- B . Prefilter policy
- C . File policy
- D . Network discovery policy
C
Explanation:
To enable Cisco Secure Firewall Malware Defense to detect and block malware, the network administrator must associate a File policy with an access control policy. File policies allow administrators to configure malware detection and file analysis capabilities on the Cisco Secure Firewall Threat Defense appliance.
Steps to configure File policy:
Navigate to Policies > Access Control > File Policies in the FMC.
Create a new file policy or edit an existing one to include malware detection and blocking settings.
Associate the file policy with the relevant access control policy.
Ensure that the access control policy is deployed to the FTD appliance.
By associating a file policy, the firewall will inspect files being transmitted through the web server for malware and take appropriate actions (block, allow, or alert) based on the configured rules.
Reference: Cisco Secure Firewall Management Center Administrator Guide, Chapter on File Policies.
A network administrator is deploying a Cisco IPS appliance and needs it to operate initially without affecting traffic flows.
It must also collect data to provide a baseline of unwanted traffic before being reconfigured to drop it.
Which Cisco IPS mode meets these requirements?
- A . failsafe
- B . inline tap
- C . promiscuous
- D . bypass
Which two routing options are valid with Cisco FTD? (Choose two.)
- A . BGPv6
- B . ECMP with up to three equal cost paths across multiple interfaces
- C . ECMP with up to three equal cost paths across a single interface
- D . BGPv4 in transparent firewall mode
- E . BGPv4 with nonstop forwarding
AC
Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v60_chapter_01100011.html#ID-2101-0000000e
A VPN user is unable to connect to web resources behind the Cisco FTD device terminating the connection. While troubleshooting, the network administrator determines that the DNS responses are not getting through the Cisco FTD.
What must be done to address this issue while still utilizing Snort IPS rules?
- A . Uncheck the "Drop when Inline" box in the intrusion policy to allow the traffic.
- B . Modify the Snort rules to allow legitimate DNS traffic to the VPN users.
- C . Disable the intrusion rule thresholds to optimize the Snort processing.
- D . Decrypt the packet after the VPN flow so the DNS queries are not inspected.