Name: 350-701
Brand: Dumpsvibe
SKU: 350-701
Rating: 4.1 (464 reviews)

Answer: D
Explanation: EPP and EDR are two types of endpoint security solutions that have different
goals and capabilities. EPP stands for endpoint protection platform, which is a suite of
technologies that work together to prevent, detect, and remediate security threats on
endpoints. EPP solutions use techniques such as antivirus, firewall, application control, and
patch management to block known and unknown malware and malicious activity. EDR
stands for endpoint detection and response, which is a solution that provides real-time
visibility into endpoint activities and enables security teams to detect, investigate, and
respond to advanced threats that may have bypassed EPP defenses. EDR solutions use
techniques such as behavioral analysis, threat intelligence, and incident response to flag
offending files at the first sign of malicious behavior, contain and isolate compromised
endpoints, and remediate the damage caused by the attack. Therefore, the correct answer
is D, as having an EDR solution gives an engineer the capability to flag offending files at
the first sign of malicious behavior. The other options are incorrect because:
A is false, as EPP focuses primarily on threats that have evaded front-line
defenses that entered the environment, not EDR.
B is false, as having an EPP solution allows an engineer to detect, investigate, and
remediate modern threats, not EDR.
C is false, as EDR focuses on detection and response at the endpoint level, not
prevention at the perimeter. References:
EPP vs. EDR: Why You Need Both - CrowdStrike

Answer: C,E
Explanation: A next-generation endpoint security solution is a modern approach of
combining user and system behavior analytics with AI and machine learning to provide
endpoint security12. These solutions are specifically designed to detect unknown malware
and zero-day threats, which other non-next-generation solutions might fail to detect3. Two
key deliverables that help justify the implementation of a next-generation endpoint security
solution are:
Continuous monitoring of all files that are located on connected endpoints. This
feature allows the solution to scan and analyze all files on the endpoints,
regardless of their origin or type, and identify any malicious or suspicious
behavior. This helps to prevent malware from infecting the endpoints or spreading
to other devices on the network4.

Answer: A
Explanation:
Cisco CloudLock is a cloud-native cloud access security broker (CASB) that helps you
move to the cloud safely. It protects your cloud users, data, and apps. CloudLock’s simple,
open, and automated approach uses APIs to manage the risks in your cloud app
ecosystem. With CloudLock you can more easily combat data breaches while meeting
compliance regulations1.
Cisco CloudLock provides the following features that meet the requirements of visibility into
data transfers as well as protection against data exfiltration:
User security: Cloudlock uses advanced machine learning algorithms to detect
anomalies based on multiple factors. It also identifies activities outside allowed
countries and spots actions that seem to take place at impossible speeds across
distances1.
Data security: Cloudlock’s data loss prevention (DLP) technology continuously
monitors cloud environments to detect and secure sensitive information. It
provides countless out-of-the-box policies as well as highly tunable custom
policies. It also supports inline and out-of-band data inspection and blocking
capabilities to protect sensitive data12.
App security: The Cloudlock Apps Firewall discovers and controls cloud apps
connected to your corporate environment. You can see a crowd-sourced
Community Trust Rating for individual apps, and you can ban or allowlist them
based on risk1.
The other solutions do not provide the same level of visibility and protection as Cisco
CloudLock: Cisco Umbrella is a cloud-delivered network security service that provides DNSlayer security, secure web gateway, cloud-delivered firewall, cloud access security
broker, and threat intelligence3. It does not offer data security features such as
DLP, data inspection, and data blocking4.
Cisco AppDynamics Cloud Monitoring is a cloud-native application performance
management solution that helps you monitor, troubleshoot, and optimize your
cloud applications. It does not offer user security, data security, or app security
features as a CASB solution.
Cisco Stealthwatch is a network traffic analysis solution that provides visibility and
threat detection across your network, endpoints, and cloud. It does not offer data
security features such as DLP, data inspection, and data blocking.
References: 3: Cisco Umbrella Packages - Cisco Umbrella 1: Cisco Cloudlock - Cisco 2:
Cisco Cloudlock Cisco Cloudlock: Secure Cloud Data 4: Easy to Deploy & Simple to
Manage CASB Solution - Cisco Umbrella : Cisco AppDynamics Cloud Monitoring : Cisco
Stealthwatch - Cisco

Answer: B
Explanation:
Simple Custom Detection is a feature of Cisco AMP for Endpoints that allows
administrators to block specific files based on their SHA-256 or MD5 hashes. This feature can be used to detect and quarantine files of unknown disposition, such as
abc424400664.zip, by adding their hashes to a custom list in the AMP portal. The list can
then be applied to a policy that is assigned to the endpoints. Simple Custom Detection
works on files of any type, size, or platform, unlike the other options that are either
platform-specific (Android Custom Detection), size-limited (Blocked Application), or
signature-based (Advanced Custom Detection). References: 1, 2, 3

Answer: A
Explanation:
Contextual awareness is the ability to collect and analyze information about the network
environment, such as users, devices, applications, threats, and vulnerabilities, and use it to
enhance security policies and actions. Cisco Firepower is a network security device that
supports contextual awareness by providing real-time visibility into network traffic and
activity, security intelligence from Cisco Talos and other sources, and advanced threat
protection with Cisco AMP and sandboxing. Cisco Firepower can also leverage Cisco
pxGrid to share contextual data with other security solutions, such as SIEM and TD
platforms, to enable faster and more accurate threat detection and
response123 References := 1: Cisco Firepower NGIPS Data Sheet - Cisco 2: Cisco Identity
Services Engine with Integrated Security Information and Event Management and Threat
Defense Platforms At-a-Glance - Cisco 3: A Visibility-Driven Approach to Next-Generation
Firewalls

Answer: A
Explanation: The FMC and managed devices communicate using a two-way, SSL encrypted communication channel, which by default is on port 8305.Cisco strongly
recommends that you keep the default settings for the remote management port, but if
themanagement port conflicts with other communications on your network, you can choose
a different port. If you change the management port, you must change it for all devices in
your deployment that need to communicate with each other.
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/misc/fmc-ftd-mgmtnw/fmc-ftd-mgmtnw.html

Answer: C
Explanation: Intra-EPG Isolation is an option to prevent physical or virtual endpoint devices that are in the same base EPG or microsegmented (uSeg) EPG from
communicating with each other. By default, endpoint devices included in the same EPG are
allowed to communicate with one another.

Answer: C,D
Explanation:
To add switches into the fabric, administrators can use PowerOn Auto Provisioning
(POAP) or Seed IP methods. POAP is a feature that automates the process of upgrading
software images and installing configuration files on Cisco switches that are being
deployed in the network for the first time. Seed IP is a method that allows administrators to
specify the IP address of a switch that is already part of the fabric, and then use it to
discover and add other switches that are connected to it. Both methods enable
administrators to control how switches are added into DCNM for private cloud
management. References:
POAP, section “PowerOn Auto Provisioning (POAP)”.
Seed IP, section “Add Switches”.
https://www.cisco.com/c/en/us/td/docs/security/ise/1-4-
1/admin_guide/b_ise_admin_guide_141/b_ise_admin_guide_141_chapter_01110.htm

Answer: B
Explanation: DHCP option 82 is a feature that allows the network access device (NAD) to
insert additional information into the DHCP request packet from the endpoint. This
information can include the switch ID, port number, VLAN ID, and other attributes that can
help Cisco ISE to identify and profile the endpoint. Cisco ISE can use DHCP option 82 to
assign the endpoint to the appropriate identity group, policy, and authorization profile.
DHCP option 82 is also useful to prevent rogue DHCP servers from assigning IP addresses
to endpoints, as Cisco ISE can verify the legitimacy of the DHCP request based on the
option 82 data. To use DHCP option 82, the NAD must be configured to enable this feature
and send the option 82 data to Cisco ISE. Cisco ISE must also be configured to accept and
parse the option 82 data from the NAD. For more details on how to configure DHCP option
82 on Cisco ISE and NAD, see the references below. References:
Configuring the DHCP Probe
Securing Your Network From DHCP Risks
Can we use ISE as DHCP/DNS server to prevent guest traffic using …

Answer: D
Explanation:
The threat intelligence standard that contains malware hashes is trusted automated
exchange of indicator information (TAXII). TAXII is a protocol that enables the exchange of
cyber threat information in a standardized and automated manner. It supports various types
of threat intelligence, such as indicators of compromise (IOCs), observables, incidents,
tactics, techniques, and procedures (TTPs), and campaigns. Malware hashes are one
example of IOCs that can be shared using TAXII. Malware hashes are cryptographic
signatures that uniquely identify malicious files or programs. They can be used to detect
and block malware infections on endpoints or networks. TAXII uses STIX (structured threat
information expression) as the data format for representing threat intelligence. STIX is a
language that defines a common vocabulary and structure for describing cyber threat
information. STIX allows threat intelligence producers and consumers to share information
in a consistent and interoperable way. STIX defines various objects and properties that can
be used to represent different aspects of cyber threat information, such as indicators,
observables, incidents, TTPs, campaigns, threat actors, courses of action, and
relationships. Malware hashes can be expressed as observables in STIX, which are
concrete items or events that are observable in the operational domain. Observables can
have various types, such as file, process, registry key, URL, IP address, domain name, etc.
Each observable type has a set of attributes that describe its properties. For example, a file
observable can have attributes such as name, size, type, hashes, magic number, etc. A
hash attribute can have a type (such as MD5, SHA1, SHA256, etc.) and a value (such as
the hexadecimal representation of the hash). A file observable can have one or more hash
attributes to represent different hashing algorithms applied to the same file. For example, a
file observable can have both MD5 and SHA256 hashes to increase the confidence and
accuracy of identifying the file The other options are incorrect because they are not threat intelligence standards that
contain malware hashes. Option A is incorrect because advanced persistent threat (APT) is
not a standard, but a term that describes a stealthy and sophisticated cyberattack that aims
to compromise and maintain access to a target network or system over a long period of
time. Option B is incorrect because open command and control (OpenC2) is not a standard
that contains malware hashes, but a language that enables the command and control of
cyber defense components, such as sensors, actuators, and orchestrators. Option C is
incorrect because structured threat information expression (STIX) is not a standard that
contains malware hashes, but a data format that represents threat intelligence. STIX uses
TAXII as the transport protocol for exchanging threat intelligence, including malware
hashes. References:
TAXII
STIX
Malware Hashes

Answer: B,C
Explanation: IKEv1 has two modes of operation: main mode and aggressive mode. Main
mode uses six messages to establish the IKE SA, while aggressive mode uses only three
messages. Therefore, aggressive mode is faster than main mode, but less secure, as it
exposes the identities of the peers in cleartext. This makes it vulnerable to man-in-themiddle attacks. IKEv2 does not have these modes, but uses a single four-message
exchange to establish the IKE SA. IKEv2 also encrypts the identities of the peers, making it
more secure than IKEv1 aggressive mode.
IKEv1 uses EAP authentication only for remote access VPNs, not for site-to-site VPNs.
IKEv2 supports EAP authentication for both types of VPNs. EAP authentication allows the
use of various authentication methods, such as certificates, tokens, or passwords.
IKEv1 conversations are initiated by the ISAKMP header, which contains the security
parameters and the message type. IKEv2 conversations are initiated by the IKE_SA_INIT
message, which contains the security parameters, the message type, and the message ID.
The message ID is used to identify and order the messages in the IKEv2 exchange.
NAT-T is supported by both IKEv1 and IKEv2. NAT-T stands for Network Address
Translation-Traversal, and it is a mechanism that allows IKE and IPsec traffic to pass
through a NAT device. NAT-T detects the presence of NAT and encapsulates the IKE and
IPsec packets in UDP headers, so that they can be translated by the NAT
device. References:
IKEv1 vs IKEv2 – What is the Difference?

Answer: B
Explanation: The Secure Event Connector is a component of the Security Analytics and
Logging (SaaS) solution that enables the FMC to send logs to the cloud-based service. The
Secure Event Connector uses syslog to forward events from the FMC and the managed
devices to the cloud. This method reduces the load on the firewall resources, as the events
are sent in batches and compressed before transmission. The Secure Event Connector
also provides encryption, authentication, and reliability for the log data. The other methods
are not supported by the Security Analytics and Logging (SaaS)
solution12 References := 1: Cisco Security Analytics and Logging (On Premises)

Answer: D
Explanation: The open standard that creates a framework for sharing threat intelligence in
a machine-digestible format is STIX (Structured Threat Information Expression). STIX is a language and serialization format that enables the exchange of cyber threat information
across organizations, tools, and platforms. STIX defines a common vocabulary and data
model for representing various types of threat intelligence, such as indicators, observables,
incidents, campaigns, threat actors, courses of action, and more. STIX also supports the
expression of context, relationships, confidence, and handling of the threat information.
STIX aims to improve the speed, accuracy, and efficiency of threat detection, analysis, and
response.
STIX is often used in conjunction with TAXII (Trusted Automated Exchange of Indicator
Information), which is a protocol and transport mechanism that enables the secure and
automated communication of STIX data. TAXII defines how to request, send, receive, and
store STIX data using standard methods and formats, such as HTTPS, JSON, and XML.
TAXII supports various exchange models, such as hub-and-spoke, peer-to-peer, or
subscription-based. TAXII enables the interoperability and scalability of threat intelligence
sharing among different systems and organizations.
References:
Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0,
Module 1: Malware Threats, Lesson 3: Identifying Advanced Threats, Topic:
Threat Intelligence Sharing
What is STIX/TAXII? | Cloudflare
STIX 2.1 Specification Documents

Answer: A,C
Explanation:
The Cisco Identity Services Engine (ISE) posture module provides a service that allows
you to check the compliance of endpoints with corporate security policies. This service
consists of three main components: client provisioning, posture policy, and authorization
policy. Client provisioning ensures that the endpoints receive the appropriate posture
agent, such as the AnyConnect ISE Posture Agent or the Network Admission Control
(NAC) Agent. Posture policy defines the conditions and requirements that the endpoints
must meet to be considered compliant, such as having the latest antivirus updates or
patches installed. Authorization policy determines the level of network access granted to
the endpoints based on their posture assessment results, such as allowing full access,
limited access, or quarantine.
The two actions that the Cisco ISE posture module provides that ensure endpoint security
are:
The latest antivirus updates are applied before access is allowed. This action
prevents malware infections and protects the network from potential threats. The
posture policy can include predefined or custom conditions that check the antivirus
status of the endpoints, such as the product name, version, definition date, and
scan result. If the endpoint does not meet the antivirus requirement, the posture
agent can trigger a remediation action, such as launching the antivirus update or
scan, before allowing network access.
Patch management remediation is performed. This action ensures that the
endpoints have the latest security patches installed and are not vulnerable to
known exploits. The posture policy can include predefined or custom conditions
that check the patch status of the endpoints, such as the operating system, service
pack, hotfix, or update. If the endpoint does not meet the patch requirement, the
posture agent can trigger a remediation action, such as redirecting the endpoint to
a patch management server or launching the patch installation, before allowing
network access.
References :=
Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client
Posture Policies
Configuring posture services with the Cisco Identity Services Engine
Cisco Identity Services Engine Administrator Guide, Release 2.0 - Posture Policy

Answer: D
Explanation:
The Cisco WSA can enforce bandwidth restrictions for web applications by using the
Application Visibility and Control (AVC) engine. The AVC engine allows the WSA to identify
and control application activity on the network, and to apply bandwidth limits to certain
application types or individual applications. The WSA dynamically creates a scavenger
class QoS policy and applies it to each client that connects through the WSA. The
scavenger class QoS policy assigns a low priority to the application traffic and limits the
bandwidth usage based on the configured settings. This way, the WSA can prevent
congestion and ensure fair allocation of bandwidth among different applications and
users. References:
User Guide for AsyncOS 11.8 for Cisco Web Security Appliances - GD (General
Deployment) - Managing Access to Web Applications
WSA - limit bandwidth - Cisco Community

Answer: C
Explanation: To deploy Cisco WSA in transparent mode, the configuration component that
must be used is WCCP on switch. WCCP stands for Web Cache Communication Protocol,
which is a protocol that allows a network device (such as a switch) to redirect web traffic to
a proxy server (such as Cisco WSA) transparently. This means that the client does not
need to configure any proxy settings on the browser, and the proxy server can intercept
and process the web requests and responses without the client’s knowledge. WCCP can
also provide load balancing and failover capabilities for multiple proxy servers.
The other options are incorrect because they are not required or relevant for transparent
mode deployment. Option A is incorrect because MDA (Multilink PPP Dial Access) is a
feature that allows multiple physical links to be aggregated into a single logical link for dialup connections. It has nothing to do with transparent mode. Option B is incorrect because
PBR (Policy-Based Routing) is a feature that allows routing decisions to be based on
criteria other than the destination IP address, such as source IP address, protocol, port,
etc. It is not necessary for transparent mode, as WCCP can handle the traffic redirection.
Option D is incorrect because DNS resolution on Cisco WSA is not a configuration
component, but a function that allows the proxy server to resolve domain names to IP
addresses. It is not specific to transparent mode, as it is also used in explicit
mode. References:
What is the difference between transparent and forward proxy mode?
User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited
Deployment) - Acquire End-User Credentials
Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP?

Answer: B
Explanation: Using a company-managed Amazon S3 bucket for Cisco Umbrella logs
allows the administrator to have full control over the access and lifecycle of the log data.
This configuration can grant third-party SIEM integrations write access to the S3 bucket,
which can enable more advanced analysis and correlation of the log data with other
sources. This configuration also provides more flexibility in terms of how long the data can
be stored offline, as opposed to the Cisco-managed S3 bucket, which has a fixed retention
period of 30 days. References:
Enable Logging to Your Own S3 Bucket
Centralized Umbrella Log Management with Amazon’s S3 service for MSP, MSSP,
and Multi-org customers

Answer: B
Explanation: IKEv1 is the authentication protocol that is reliable and supports ACK and
sequence for IPsec VPN. IKEv1 is a key management protocol that is used in conjunction
with IPsec to establish secure and authenticated connections between IPsec peers. IKEv1
uses UDP port 500 and consists of two phases: phase 1 and phase 2. In phase 1, the
peers authenticate each other and negotiate a shared secret key that is used to encrypt the
subsequent messages. In phase 2, the peers negotiate the security parameters for the
IPsec tunnel, such as the encryption and authentication algorithms, the lifetime, and the
mode (transport or tunnel). IKEv1 uses ACK and sequence numbers to ensure the
reliability and integrity of the messages exchanged between the peers. ACK is an
acknowledgment message that confirms the receipt of a previous message. Sequence
number is a unique identifier that is assigned to each message to prevent replay attacks
and to detect missing or out-of-order messages. IKEv1 also supports various authentication
methods, such as pre-shared keys, digital certificates, and extended authentication
(XAUTH). References : Internet Key Exchange for IPsec VPNs Configuration Guide, Security for VPNs with IPsec Configuration Guide, IPSec Architecture

Answer: B
Explanation: The RADIUS CoA feature supports five IETF attributes as defined in RFC
5176. These are:
Event-Timestamp: This attribute indicates the time when the CoA request was
generated by the server.
State: This attribute contains a value that is copied from the Access-Accept
message that authorized the session.
Session-Timeout: This attribute specifies the maximum number of seconds of
service provided to the user before termination of the session or prompt.
Idle-Timeout: This attribute specifies the maximum number of consecutive
seconds of idle connection allowed to the user before termination of the session or
prompt.
Filter-Id: This attribute identifies the filter list to be applied to the user session.
The RADIUS CoA feature also supports vendor-specific attributes (VSAs) that are defined
by Cisco or other vendors. These VSAs can be used to perform additional actions such as
port shutdown, port bounce, or security and password accounting. References :=
Some possible references are:
RFC 5176: This document describes the dynamic authorization extensions to
RADIUS, including the CoA request and response codes, and the supported IETF
attributes.
RADIUS Change of Authorization - Cisco: This document provides the
configuration guide for the RADIUS CoA feature on Cisco IOS devices, including
the supported IETF and Cisco VSAs.
Supported IETF attributes in RFC 5176 - Ruckus Networks: This document lists
the supported IETF attributes and error clause values for the RADIUS CoA feature
on Ruckus devices.

Answer: C
Explanation: Cisco Umbrella Investigate is a cloud-based service that provides interactive
threat intelligence on domains, IPs, and files. It helps security analysts to uncover the
attacker’s infrastructure and predict future threats by analyzing the relationships and
evolution of internet domains, IPs, and files. It also integrates with other Cisco security
solutions, such as Cisco Secure Network Analytics, Cisco Secure Cloud Analytics, and
Cisco pxGrid, to provide a holistic view of the network and cloud security posture. Cisco
Umbrella Investigate is based on the data collected by Cisco Umbrella, which processes
more than 620 billion DNS requests per day from over 190 countries. Cisco Umbrella
Investigate uses statistical and machine learning models to automatically score and classify
the data, and provides a risk score for each domain, IP, and file, along with the contributing
factors and historical context. Cisco Umbrella Investigate also allows security analysts to
query the data using a web-based console or an API, and to visualize the results using
graphs, tables, and maps. Cisco Umbrella Investigate is the most complete and interactive
threat intelligence solution that helps to prevent cyber attacks before they
happen. References :=
Some possible references are: Cisco Umbrella Investigate
Cyber Attack Prevention - Cisco Umbrella
Cisco Umbrella Investigate - Cisco Umbrella

Answer: B
Explanation: The process that uses STIX and allows uploads and downloads of block lists
is sharing. STIX (Structured Threat Information Expression) is a standard language and
format for exchanging cyber threat intelligence data. Block lists are collections of
observables, such as IP addresses, URLs, or domains, that are associated with malicious
activity and can be used to block or monitor network traffic. Cisco Threat Intelligence
Director (TID) is a feature that operationalizes threat intelligence data by consuming,
normalizing, publishing, and correlating data from various sources, including third-party
STIX feeds. TID enables the administrator to upload STIX files from local or remote sources, or download STIX files from the Firepower Management Center (FMC) to share
with other systems. TID also allows the administrator to configure actions (such as block or
monitor) based on the indicators and observables in the STIX files, and generate incidents
and observations when the system detects traffic that matches the threat intelligence
data123
References := 1: Firepower Management Center Configuration Guide, Version 6.2.3 -
Threat Intelligence Director 2 2: Introduction to STIX - GitHub Pages 4 3: Third-Party
Integration of Security Feeds with FMC (Cisco Threat Intelligence Director) - Cisco
Community 3

Answer: A,C
Explanation: Cisco Advanced Phishing Protection (AAP) is a solution that adds
sophisticated machine learning capabilities to Cisco Email Security to block advanced
identity deception attacks for inbound email by assessing its threat posture1. It also uses
both global and local telemetry data combined with analytics and modeling to validate the
reputation and authenticity of senders2. AAP provides sender authentication and BEC
detection capabilities, and uses advanced machine learning techniques, real-time behavior
analytics, relationship modeling and telemetry to protect against identity deception–based
threats3.
In two ways, the Cisco Advanced Phishing Protection solution protects users:
It prevents use of compromised accounts and social engineering. AAP detects and
blocks phishing emails that attempt to impersonate legitimate senders, such as
executives, partners, or customers, and trick users into revealing sensitive
information or transferring funds. AAP analyzes the sender’s identity, behavior, and relationship with the recipient, and assigns a risk score to the email. If the
email is deemed suspicious or malicious, AAP can quarantine it, flag it, or deliver it
with a warning4.
It automatically removes malicious emails from users’ inbox. AAP provides
retrospective analysis and remediation capabilities, which means that it can
identify and remove emails that were initially delivered but later found to be
malicious. AAP leverages the Cisco Talos threat intelligence network and the
Sensor-based solution to continuously monitor the threat landscape and update
the email disposition accordingly. If an email is reclassified as malicious, AAP can
automatically delete it from the users’ inbox, or notify the administrator or the user
to take action45.
The other options are incorrect because they do not accurately describe the functions of
AAP. AAP does not prevent all zero-day attacks coming from the Internet, as it focuses on
phishing and identity deception attacks. AAP does not prevent trojan horse malware using
sensors, as sensors are used to collect and analyze email data, not to block malware. AAP
does not secure all passwords that are shared in video conferences, as it is not related to
video conferencing security. Therefore, the correct answer is A and C. References:
Cisco’s Security Innovations to Protect the Endpoint and Email
Cisco Advanced Phishing Protection - Cisco Video Portal
Cisco Advanced Phishing Protection At A Glance - AVANTEC
User Guide for Cisco Advanced Phishing Protection
Cisco Secure Email Threat Defense - Cisco
Integrating the Email Gateway with Cisco Advanced Phishing Protection

Answer: C,E
Explanation: DNS tunneling is a technique that uses the DNS protocol to exfiltrate data or
establish command and control channels between a compromised host and an attackercontrolled server. DNS tunneling can bypass network security controls that allow outbound
DNS traffic without inspection or filtering. To stop DNS tunneling, two recommended
approaches are:
Enforce security over port 53. This means applying firewall rules, access control
lists, or other mechanisms to restrict outbound DNS traffic to only authorized DNS
servers and domains. Additionally, DNS traffic should be inspected and analyzed
for anomalies, such as unusually large or frequent queries, non-standard
encoding, or suspicious domains. This can help detect and block DNS tunneling
attempts.
Use Cisco Umbrella. Cisco Umbrella is a cloud-based security service that
provides DNS security, web filtering, and threat intelligence. Cisco Umbrella can
prevent DNS tunneling by blocking malicious domains, enforcing policies based on
content categories, and applying machine learning to identify and stop emerging
threats. Cisco Umbrella can also provide visibility and reporting on DNS activity
and security events.
References :=
Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0,
Module 5: Securing the Cloud, Lesson 5.2: DNS Security
What Is DNS Tunneling? - Palo Alto Networks
An Introduction to DNS Tunneling Detection & Data Exfiltration via DNS - Vercara

Answer: B
Explanation: To block a website based on a custom list, the customer should add the
websites to a blocked type destination list. A destination list is a custom list of domains or
URLs that the customer wants to allow or block for their identities. The customer can create
destination lists through the Policy Components > Destination Lists page, or within the
policy wizard when creating or editing a policy. The custom URL destination block lists
feature enables Umbrella to extend a domain level block list to encompass full and partial
URLs. In turn, this allows the customer to block certain portions of a website based
specifically on the full or partial URL. This feature requires the customer to enable the
intelligent proxy and install a root certificate for SSL decryption. References:
Configure Web Policies and Destination Lists - Cisco Umbrella
Control Access to Custom URLs - Umbrella SIG User Guide
Cisco 350-701: How should customer block websites based on custom list
Umbrella Dashboard: New Features—Custom blocked URLs
Understanding Destination lists supported entries and … - Cisco Umbrella

Answer: C,D
Explanation:
To prevent rogue NTP servers from inserting themselves as the authoritative time source,
the administrator needs to configure NTP authentication and specify the interface for
syncing to the NTP server. NTP authentication allows the ASA to verify the identity and
integrity of the NTP packets received from the server, using a shared secret key.
Specifying the interface for syncing to the NTP server ensures that the ASA uses the
correct source address for sending and receiving NTP packets, and avoids potential routing
issues. The other options are not required or relevant for this task. Specifying the NTP
version is optional and does not affect security. Configuring the NTP stratum is only
applicable for NTP servers, not clients. The ASA can only act as an NTP client, not a server. Setting the NTP DNS hostname is not recommended, as it introduces a
dependency on DNS resolution and may cause synchronization problems if the DNS server
changes the IP address of the NTP server. References :=
Some possible references are:
Configure NTP Authentication on Secure Network Analytics
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6 -
Basic Settings
Cisco ASA NTP and Clock Configuration with Examples

Answer: D
Explanation: An application that does not validate user input is particularly susceptible to
SQL injection attacks. In an SQL injection attack, an attacker can insert or "inject" a SQL
query via the input data from the client to the application. Due to the lack of validation, the
malicious SQL commands are executed by the database server, leading to unauthorized
access or manipulation of the database.

Answer: B
Explanation: Cisco Advanced Malware Protection (AMP) for Web Security is a solution
that provides protection against web-related threats before, during, and after an attack.
One of the functions that AMP for Web Security includes is detailed analytics of the
unknown file’s behavior. This means that AMP can continuously monitor and analyze the
activity of files that cross the web gateway, even after they have been initially scanned and
allowed. This allows AMP to detect and block any malicious behavior that may emerge
later, and provide retrospective security alerts and remediation actions12. References: 1:
Cisco Advanced Malware Protection for Web Security 2: Cisco Adds Advanced Malware
Protection to Web and Email Security Appliances and Cloud Services

Answer: B
Explanation: SNMP (Simple Network Management Protocol) is the most commonly used
protocol for network telemetry. SNMP is a standard protocol that allows network devices to
exchange management information1. SNMP agents run on network devices and collect
data about their status, performance, configuration, and events. SNMP managers run on
network management systems and query the agents for data or receive notifications from
them. SNMP can also be used to configure or control network devices remotely2. SNMP is
widely supported by various vendors and platforms, and it provides a simple and flexible
way to monitor and manage networks3.
References: 1: What is SNMP? | Cisco 2: SNMP Basics: What is SNMP and How It Works
| SolarWinds 3: Network Telemetry Explained: Frameworks, Applications & Standards |
Splunk

Answer: B,E
Cisco Advanced Phishing Protection (AAP) is a solution that helps
organizations protect against fraudulent senders and identity deception-based attacks,
such as business email compromise (BEC) and spear phishing. AAP uses advanced
machine learning techniques, real-time behavior analytics, relationship modeling, and
telemetry to perform two main functions12:
It determines if the email messages are malicious by assessing the threat posture
of the sender and the content of the message. It also validates the reputation and
authenticity of the sender by checking various indicators, such as the domain, the
IP address, the SPF, DKIM, and DMARC records, the display name, the reply-to
address, and the header information. AAP assigns a risk score to each email
message and provides a verdict of clean, malicious, or suspicious. It also adds a
banner to the email message to inform the recipient of the risk level and the
recommended action.
It does a real-time user web browsing behavior analysis by monitoring the user’s
interaction with the email message and the links embedded in it. It tracks the
user’s clicks, mouse movements, dwell time, and other indicators to detect any
signs of hesitation, confusion, or curiosity. It also analyzes the destination URL of
the links and compares it with the known malicious websites. If AAP detects any
anomalous or risky behavior, it intervenes with a warning message or a redirect
page to educate the user and prevent them from falling victim to the phishing
attack. References := 1: Cisco’s Security Innovations to Protect the Endpoint and
Email 2: Cisco Advanced Phishing Protection - Cisco Video Portal

Answer: B,C
Reference: https://developer.cisco.com/docs/dna-center/#!cisco-dna-center-platformoverview/integration-api-wes...

Answer: B
Explanation: The difference between GRE over IPsec and IPsec with crypto map is that
GRE (Generic Routing Encapsulation) over IPsec can encapsulate and transport non-IP
protocols across an IP network, whereas IPsec with crypto map is typically used for IP
traffic. GRE tunnels wrapped in IPsec provide a way to transport multicast traffic and other
protocol types across an IPsec VPN, offering greater flexibility in the types of traffic that can
be secured

Answer: B,C
Explanation: A network administrator can transparently identify users using Active
Directory on the Cisco WSA in two ways:
Create NTLM or Kerberos authentication realm and enable transparent user
identification. This option allows the WSA to use the NTLM or Kerberos protocol to
authenticate users without prompting them for credentials. The WSA must join the
Active Directory domain and have a valid service principal name (SPN) for this
option to work1.
Deploy a separate Active Directory agent such as Cisco Context Directory Agent
(CDA). This option allows the WSA to receive user-to-IP mappings from the CDA,
which monitors the Active Directory domain controllers for user logon events. The
CDA must be installed on a Windows server and have access to the domain
controllers and the WSA2.
The other options are not ways to transparently identify users using Active Directory on the
Cisco WSA. Creating an LDAP authentication realm and disabling transparent user
identification will require users to enter their credentials manually. Installing the eDirectory
client on each client workstation or deploying a separate eDirectory server are not related
to Active Directory, but to Novell eDirectory, which is a different directory service3.
References := 1: User Guide for AsyncOS 11.0 for Cisco Web Security Appliances,
Chapter: Acquire End-User Credentials, Topic: Active Directory/Kerberos, page 4-3. 2:
User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire EndUser Credentials, Topic: Active Directory Agent, page 4-5. 3: User Guide for AsyncOS 11.0
for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials, Topic:
eDirectory, page 4-8.

Answer: D
Explanation: Multifactor authentication (MFA) is a solution that requires the user to
provide two or more verification factors to gain access to a resource, such as an
application, online account, or a VPN. MFA is more secure than the traditional use of a
username and password because it reduces the risk of identity theft, phishing, and
credential compromise. MFA can use different types of factors, such as something the user
knows (e.g., password, PIN), something the user has (e.g., smartphone, token, smart
card), or something the user is (e.g., fingerprint, facial recognition). MFA can be
implemented using various methods, such as security defaults, Conditional Access
policies, or third-party solutions123. References:
https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-
121c-be60-d123-eda06bddf661
https://www.onelogin.com/learn/what-is-mfa

Answer: D
Cisco Tetration is a Cisco security solution that provides patch management
in the cloud. Patch management is the process of identifying, acquiring, installing, and
verifying patches for products and systems to correct security and functionality problems in
software and firmware1. Cisco Tetration is a cloud-native platform that delivers
comprehensive workload protection for multicloud data centers by enabling a zero-trust
model using segmentation2. One of the features of Cisco Tetration is software vulnerability
detection and patch management, which allows users to identify software vulnerabilities on
workloads, prioritize patching based on risk scores, and automate patch deployment using
orchestration tools3. Cisco Tetration leverages the National Vulnerability Database (NVD)
and Cisco Talos Intelligence Group to provide up-to-date information on software
vulnerabilities and their severity levels3. Cisco Tetration also supports patch management
for both Windows and Linux operating systems, as well as third-party applications such as
Apache, Java, MySQL, and Oracle4. Therefore, the correct answer is D. Cisco
Tetration. References: 1: RFC 9232: Network Telemetry Framework - Internet Engineering
Task Force 2: Cisco Tetration - Workload Protection - Cisco 3: Cisco Tetration Software
Vulnerability Detection and Patch Management - Cisco 4: Cisco Tetration Platform Data Sheet - Cisco

Answer: D
The monitoring agent uses the RTP (Real-time Transport Protocol) performance metric to
collect and output packet loss and jitter information. RTP is a network protocol used for
delivering audio and video over IP networks. It provides mechanisms for timestamping,
sequence numbering, and delivery monitoring, which allow for the measurement of packet
loss and jitter. RTP is specifically designed for real-time multimedia streaming applications,
which are more sensitive to changes in the transmission characteristics of data networks than other applications. Therefore, RTP performance is a suitable metric for monitoring and
collecting packet loss and jitter information.
The other options are not directly related to measuring packet loss and jitter. TCP
(Transmission Control Protocol) is a transport protocol that ensures reliable and ordered
delivery of data, but it is not typically used for real-time multimedia applications. WSAv
(Web Security Virtual Appliance) is a Cisco solution for web security, but it does not
measure packet loss and jitter. AVC (Application Visibility and Control) is a technology that
monitors and controls network applications, but it does not focus on packet loss and
jitter. References :=
Measuring Delay, Jitter, and Packet Loss with Cisco IOS SAA and RTTMON1
Implementing and Operating Cisco Security Core Technologies (SCOR) v1.02
Cisco 350-701: Which metric used by monitoring agent to collect and output
packet loss and jitter information?

Answer: D
Explanation: The management port on Cisco FMC is used to establish a secure
connection with the managed Cisco FTD devices. If the default management port (8305)
conflicts with other communications on the network, it must be changed on both the Cisco
FMC and the Cisco FTD devices. This cannot be done automatically by the Cisco FMC, as
it would lose connectivity with the devices. Therefore, the administrator must manually
change the management port on the Cisco FMC and all the managed Cisco FTD devices
using the command line interface (CLI). The steps to change the management port are as
follows:
Log into the CLI of the Cisco FMC and the Cisco FTD devices using a console
connection or SSH.
Enter the configure network {ipv4 | ipv6} manual ip_address netmask datainterfaces command to change the management port on the Cisco FMC. For example, configure network ipv4 manual 10.10.10.10 255.255.255.0 datainterfaces changes the management port to 10.10.10.10/24.
Enter the configure network {ipv4 | ipv6} manual ip_address netmask gateway
management-only command to change the management port on the Cisco FTD
devices. For example, configure network ipv4 manual 10.10.10.11 255.255.255.0
10.10.10.10 management-only changes the management port to 10.10.10.11/24
and sets the gateway to the Cisco FMC’s management port.
Save the configuration and restart the Cisco FMC and the Cisco FTD devices.
Verify the connectivity between the Cisco FMC and the Cisco FTD devices using
the show managers command on the Cisco FTD devices and the show
devices command on the Cisco FMC.
References :=
Firepower Management Center Device Configuration Guide, 7.1 - Device
Management
Change management port fmc 1600 - Cisco Community
Solved: FMC 2120 FTD Management Only Port - Cisco Community
Change the FMC Access Interface from Management to Data

Answer: D

Answer: D
Explanation: The target in a phishing attack is the endpoint, which is the device or system
that the user interacts with, such as a computer, smartphone, or tablet. Phishing attacks
aim to steal or damage sensitive data by deceiving people into revealing personal
information like passwords and credit card numbers, or clicking on malicious links or
attachments that can install malware on the endpoint. Phishing attacks can be delivered
through various channels, such as email, phone, or text message, but they all rely on social
engineering techniques to manipulate the user’s trust and curiosity. By compromising the
endpoint, attackers can gain access to the user’s accounts, files, network, or other resources. Therefore, endpoint security is essential to prevent phishing attacks and protect
the user’s data and identity. References:
What Is a Phishing Attack? Definition and Types - Cisco
8 types of phishing attacks and how to identify them
What Is Phishing? | Microsoft Security
Phishing | What Is Phishing?

Answer: A
Explanation: Two-factor authentication is a security feature that requires users to provide
two forms of information before gaining access to the Cisco ESA. The two factors are
usually something the user knows, such as a password, and something the user has, such
as a token or a code. Two-factor authentication can be enabled for specific user roles on
the Cisco ESA through a RADIUS server, which is an external authentication server that
supports the Remote Authentication Dial-In User Service (RADIUS) protocol. The RADIUS
server can generate and validate the second factor for the users, such as a one-time
password (OTP) or a time-based one-time password (TOTP). To enable two-factor
authentication through a RADIUS server, the network engineer must configure the RADIUS
server settings on the Cisco ESA, and assign the user roles that require two-factor
authentication to use the RADIUS server as the authentication source. This can be done on
the System Administration > Users page in the web interface, or by using the userconfig
command in the CLI12.
A cluster is a group of Cisco ESAs that share the same configuration information and can
be managed centrally. A cluster can provide increased reliability, flexibility, and scalability
for the email security system. To join a cluster, a Cisco ESA must have the same AsyncOS
version as the other cluster members, and must use a pre-shared key to authenticate with the cluster leader. The pre-shared key is a secret passphrase that is configured on the
cluster leader and must be entered on the joining appliance. To join a cluster by using the
Cisco ESA CLI, the network engineer must use the clusterconfig command, which allows
the engineer to create a new cluster, join an existing cluster, or leave a cluster. The
clusterconfig command also allows the engineer to specify the communication port and the
hostname or IP address of the cluster leader. If the Cisco ESA has enabled two-factor
authentication, the network engineer must also use the clusterconfig > prepjoin command
to configure the pre-shared key before joining the cluster34.
Therefore, option A is the correct answer, and the other options are incorrect. Option B is
incorrect because the cluster configuration options must be done via the CLI on the Cisco
ESA and cannot be created or joined in the GUI. Option C is incorrect because the Cisco
ESA does not support TACACS+ as an external authentication source, only LDAP and
RADIUS. Option D is incorrect because it also uses TACACS+, which is not supported by
the Cisco ESA. References :=
User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General
Deployment) - Distributing Administrative Tasks
User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General
Deployment) - External Authentication
Configure an Email Security Appliance (ESA) Cluster
User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General
Deployment) - Centralized Management

Answer: A
Defanging is the process of modifying a URL in a message to prevent it from being
clickable. This can help protect users from malicious links that have a low URL reputation
score. Defanging is one of the actions that can be configured in the Incoming Content Filter
on the Cisco ESA. The other actions are Quarantine, FilterAction, and ScreenAction.
Quarantine sends the message to a quarantine area for further inspection. FilterAction
applies a predefined action such as drop, bounce, or deliver. ScreenAction displays a
warning message to the user before allowing them to access the URL. Defanging is the only action that disables the links in the message without affecting the delivery or visibility
of the message12. References: 1: URL Filtering on the Cisco IronPort ESA – Mikail’s
Blog 2: Configure URL Filtering for Secure Email Gateway and Cloud Gateway - Cisco
Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/esa-contentfilters.pdf

Answer: C
Explanation:
create an application control blocked applications list. This option allows you to specify a
list of files that you want to prevent from running on the endpoints that have the AMP
connector installed. The files are identified by their SHA-256 hashes, and you can upload
them individually or in a batch. The files are not quarantined, but they are blocked from
execution and reported as events in the AMP console1. This option is different from the
simple custom detection list, which is used to detect and quarantine specific files that are
considered malicious2. The advanced custom detection list is also used to detect and
quarantine files, but it allows you to specify more criteria such as file size, file name, and
file path3. The IP block and allow lists are used to control the network traffic to and from the
endpoints, not the file execution4. References: 1: Configure Application Control on the
AMP for Endpoints Portal 2: Configure a Simple Custom Detection List on the AMP for
Endpoints Portal 3: [Configure an Advanced Custom Detection List on the AMP for
Endpoints Portal] 4: [Configure IP Block and Allow Lists on the AMP for Endpoints Portal]

Answer: A
Explanation: VMware APIC is a platform that integrates with Cisco ACI to provide
enhanced visibility, policy integration and deployment, and security policies with access
lists. VMware APIC is a virtual appliance that runs on VMware vSphere and communicates
with the Cisco APIC controller. VMware APIC allows administrators to create and manage
Cisco ACI policies for VMware virtual machines and networks. VMware APIC also provides
a unified view of the physical and virtual network topology, health, and statistics. VMware
APIC supports the following modes of Cisco ACI and VMware integration:
VMware VDS: When integrated with Cisco ACI, the VMware vSphere Distributed
Switch (VDS) enables administrators to configure VM networking in the ACI fabric.
Cisco ACI Virtual Edge: Cisco ACI Virtual Edge is a distributed service that
provides Layer 4 to Layer 7 services for applications running on VMware vSphere.
Cisco Application Virtual Switch (AVS): Cisco AVS is a distributed virtual switch
that provides policy-based network services for VMware vSphere
environments. References:
Cisco ACI with VMware VDS Integration
Cisco ACI and VMware NSX-T Data Center Integration
Cisco ACI and VMware: The Perfect Pair
Setting the Record Straight: Confusion about ACI on VMware Technologies

Answer: C
Web usage controls are a feature of Cisco Web Security Appliance (WSA) that allow
administrators to define and enforce policies for web access based on URL categories.
URL categories are groups of websites that share a common theme or content, such as
news, sports, entertainment, etc. Cisco WSA uses the Cisco Dynamic Content Analysis
Engine and the Talos Security Intelligence and Research Group to provide accurate and
up-to-date URL categorization. Administrators can use the web usage controls to allow,
block, warn, or monitor web requests based on the URL category of the destination
website. They can also create custom URL categories to include or exclude specific
domains or URLs from the predefined categories. Web usage controls help administrators
to control web traffic, enhance security, improve productivity, and comply with regulatory
and organizational requirements. References :=
Some possible references are:
Web Usage Controls - Cisco Web Security Appliance User Guide, Cisco
Cisco Web Usage Control Filtering Categories Data Sheet, Cisco
Define Custom URL Categories in WSA, Cisco

Answer: C
To add a device into Cisco DNA Center with the native API, the POST method and
the name attribute are required. The POST method is used to create a new resource on the
server, such as a device. The name attribute is used to specify the hostname or IP address
of the device to be added. The POST method requires a JSON body that contains the
device information, such as the name, type, role, credentials, and other optional
parameters. The Cisco DNA Center API documentation provides an example of the JSON
body and the response for adding a device1. The Cisco DNA Center Platform User Guide
also explains how to use the native API to add devices2. References := 1: Cisco DNA
Center API Documentation - Add Device 2: Cisco DNA Center Platform User Guide,
Release 2.3.5 - Manage Devices Using the Native API

Answer: D
Explanation: One of the benefits of a Cisco Secure Email Gateway Virtual appliance
compared to a physical one is the ability to allocate additional resources as needed. Virtual
appliances can be easily scaled up by allocating more CPU, memory, or storage resources,
providing flexibility and scalability in response to changing demands or growth.

Answer: A
In a remote access VPN configuration, dynamic split tunneling allows traffic
to certain trusted domains to bypass the VPN tunnel and exit through the client's local
internet gateway. This feature selectively directs only the necessary traffic over the VPN,
while allowing direct internet access for specific domains or traffic deemed safe or trusted,
optimizing bandwidth and performance for remote users.

Answer: D
The error 403: Forbidden indicates that the web server denied access to the
requested resource, which in this case is the PCAP file. One possible reason for this error
is that the HTTPS server is not enabled for the device platform policy, which is a
configuration that applies to the FTD devices managed by the FMC. The device platform
policy defines the settings for the management interface, the SSH access, the SNMP, the
NTP, the DNS, and the HTTPS server. The HTTPS server allows the FMC to access the
FTD devices via HTTPS and perform tasks such as packet capture, packet tracer, and file
transfer. If the HTTPS server is not enabled for the device platform policy, the FMC cannot
access the PCAP file from the FTD device via HTTPS. Therefore, the engineer must
enable the HTTPS server for the device platform policy in order to resolve this issue. To
enable the HTTPS server for the device platform policy, the engineer must follow these
steps:
Log in to the FMC web interface and navigate to Devices > Platform Settings.
Select the device platform policy that applies to the FTD device and click Edit.
In the General tab, check the Enable HTTPS Server checkbox and click Save.
Deploy the policy changes to the FTD device and wait for the deployment to
complete.
Try to access the PCAP file again from the FMC web browser using the same
address.
Alternatively, the engineer can also enable the HTTPS server for the FTD device from the
FTD CLI using the command configure network https-server enable. However, this method
is not recommended because it may cause a configuration conflict with the FMC123
References := 1: Use Firepower Threat Defense Captures and Packet Tracer - Cisco 2:
Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager,
Version 6.6 - Device Management Basics [Cisco Firepower NGFW] - Cisco 3: Cisco
Firepower Threat Defense Command Reference - C through D Commands [Cisco
Firepower NGFW] - Cisco

Answer: B
Cisco AMP for Endpoints is the Cisco security solution that determines if an endpoint has
the latest OS updates and patches installed on the system. Cisco AMP for Endpoints is a
cloud-based endpoint protection platform that provides advanced malware prevention,
detection, and response capabilities. One of the features of Cisco AMP for Endpoints is the
Endpoint Compliance Scanner, which allows administrators to create and enforce policies
that check the compliance status of endpoints based on various criteria, such as OS
version, patch level, antivirus status, firewall status, and more. The Endpoint Compliance
Scanner can also remediate non-compliant endpoints by applying patches, updating
antivirus signatures, enabling firewall, and so on. By using the Endpoint Compliance Scanner, administrators can ensure that all endpoints are up to date and secure against
known vulnerabilities and threats. References:
Cisco AMP for Endpoints
Endpoint Compliance Scanner
Implementing and Operating Cisco Security Core Technologies (SCOR) - Module
4: Endpoint Protection and Detection

Answer: C

According to the NIST 800-145 guide1, a community cloud is a cloud
infrastructure that is provisioned for exclusive use by a specific community of consumers
from organizations that have shared concerns (e.g., mission, security requirements, policy,
and compliance considerations). It may be owned, managed, and operated by one or more
of the organizations in the community, a third party, or some combination of them, and it
may exist on or off premises. A community cloud differs from a private cloud, which is
provisioned for exclusive use by a single organization, and a public cloud, which is
provisioned for open use by the general public. A hybrid cloud is a composition of two or
more distinct cloud infrastructures (private, community, or public) that remain unique
entities, but are bound together by standardized or proprietary technology that enables
data and application portability (e.g., cloud bursting for load balancing between
clouds). References := 1: NIST SP 800-145, The NIST Definition of Cloud Computing,
page 3.

Answer: D
: To block all subdomains of domain.com, the administrator should configure
the domain.com address in the block list. This is because Umbrella automatically applies a
left side and right side wildcard to every domain in a block or allow destination list.
Therefore, adding domain.com to a block list will result in requests to domain.com or its
subdomains, such as www.domain.com, being blocked. Adding a wildcard character (*) is
not supported and will not work. Adding the *.com address in the block list will block all
domains that end with .com, which is not the desired outcome. References:
Understanding Destination lists supported entries and error messages
Wildcards and Destination Lists

Answer: B
Microsegmentation is a network security strategy that breaks a network into
smaller network “segments” to boost security and control over data traffic1. Unlike
traditional network security, which primarily defends the network’s outer boundaries,
microsegmentation focuses on securing individual workloads and devices within the
network2. Microsegmentation uses an allow-list model to significantly reduce the attack
surface across different workload types and environments3. Microsegmentation is also
referred to as application segmentation or east-west segmentation in a multicloud data
center4.
Option B is the correct description of microsegmentation, as it captures the essence of
applying a zero-trust model and specifying how applications on different servers or
containers can communicate. Option A is incorrect, as deploying a container orchestration
platform is not a sufficient condition for microsegmentation. Option C is incorrect, as
deploying host-based firewall rules is not a necessary condition for microsegmentation.
Option D is incorrect, as implementing private VLAN segmentation is a different technique from microsegmentation. References: An Introduction to Microsegmentation in Network
Security. What Is Micro-Segmentation? - Cisco. What Is Microsegmentation? - Palo Alto
Networks. What Is Microsegmentation in Networking? Beginner’s Guide.

Answer: C,E
The Cisco WSA supports mainly two authentication protocols: LDAP and
NTLM. LDAP is a standard protocol for accessing directory services, such as Active
Directory or OpenLDAP. NTLM is a proprietary protocol for authenticating Windows clients
to Windows servers. NTLM has two versions: NTLMv1 and NTLMv2. NTLMSSP (NT LAN
Manager Security Support Provider) is a variant of NTLMv2 that provides additional
security features, such as message integrity and confidentiality. The Cisco WSA supports
both LDAP and NTLMSSP using basic authentication, which requires the user to enter a
username and password. The Cisco WSA also supports Kerberos, which is a network
authentication protocol that uses tickets to authenticate users and services. Kerberos is
based on symmetric-key cryptography and requires a trusted third party, called the Key
Distribution Center (KDC), to issue and validate tickets. Kerberos is more secure and
efficient than NTLM, as it does not require the user to enter credentials repeatedly and does not send passwords over the network. The Cisco WSA supports Kerberos only in
standard mode, not in cloud connector mode. The Cisco WSA does not support TACACS+
or CHAP as authentication protocols. TACACS+ is a Cisco proprietary protocol for
authenticating network devices and users to a central server. CHAP is a challengeresponse protocol for authenticating PPP connections. These protocols are not designed
for web security appliances and are not compatible with the Cisco WSA. References:
User Guide for AsyncOS 11.0 for Cisco Web Security Appliances (Section:
Acquire End-User Credentials)
Cisco WSA Authentication
WSA Authentication

Answer: A,D
Cisco Container Platform (CCP) is a solution that simplifies the deploymen and management of containerized applications across multiple clouds. It provides the
following benefits to customers who utilize cloud service providers12:
Allows developers to create code once and deploy to multiple clouds. CCP is
based on open source components, such as Kubernetes and Docker, that are
compatible with various cloud platforms. This enables developers to write code
once and run it anywhere, without worrying about the underlying infrastructure or
vendor lock-in. CCP also supports hybrid and multicloud scenarios, allowing
customers to leverage the best features of different cloud providers and optimize
their costs and performance.
Manages Kubernetes clusters. CCP automates the installation, configuration, and
maintenance of Kubernetes clusters, which are groups of nodes that run
containerized applications. CCP provides a simple GUI-driven menu system to
deploy clusters, as well as automated monthly updates for bug fixes, feature
enhancements, and security patches. CCP also offers a choice of networking
solutions, such as Cisco ACI, Calico, or Contiv, to connect and secure the clusters.
CCP also integrates with Cisco AppDynamics and Prometheus for visibility and
monitoring of the clusters and applications. References:
Cisco Container Platform - Cisco
Cisco Container Platform - At-a-Glance - Cisco

Answer: D
The destination command is required to complete the flow record and
specify the IP address of the Stealthwatch collector that will receive the NetFlow data. The
transport udp 2055 command is also needed, but it is part of the flow exporter
configuration, not the flow record. The match ipv4 ttl and cache timeout active 60
commands are optional and can be used to customize the flow record, but they are not
mandatory. The flow record defines the fields that are collected and exported for each flow,
such as source and destination IP addresses, ports, protocols, etc. The flow exporter defines the destination, source, transport protocol, and port for sending the NetFlow data.
The flow monitor binds the flow record and the flow exporter together and applies them to
an interface. The following is an example of a complete NetFlow configuration for sending
data to Stealthwatch:
flow exporter EXPORTER description Export NetFlow to Stealthwatch destination 1.1.1.1
export-protocol netflow-v9 source Vlan100 transport udp 2055 ! flow record RECORD
description NetFlow record match datalink mac source address input match datalink mac
destination address input match datalink vlan input match ipv4 ttl match ipv4 tos match ipv4
protocol match ipv4 source address match ipv4 destination address match transport
source-port match transport destination-port match interface input collect interface output
collect counter bytes long collect counter packets long collect timestamp absolute first
collect timestamp absolute last ! flow monitor IPv4_NETFLOW record RECORD exporter
EXPORTER cache timeout active 60 ! interface <> ip flow monitor IPv4_NETFLOW input
! References : Configuring and Troubleshooting NetFlow for Stealthwatch, Cisco NetFlow
Configuration, Building a Better Monitoring Solution with Flexible Netflow

Answer: B

Answer: B
A CoA request is a network protocol message used in the context of network access
control and authentication systems. It is typically employed in scenarios where a user’s
access privileges or attributes need to be modified during an active network session. CoA
requests are commonly used in conjunction with the RADIUS protocol, which is widely
used for managing user authentication and authorization in network environments. When a
CoA request is initiated, it is sent by a network access server (NAS) to a RADIUS server to
request a change in the user’s authorization state or attributes. The CoA request contains
information specifying the desired change, such as granting additional access privileges,
revoking existing privileges, modifying session parameters, or updating user attributes. The
RADIUS server processes the CoA request and applies the necessary changes to the
user’s session in real-time, allowing dynamic adjustments to the user’s authorization and
network access. CoA requests are often utilized in scenarios where an administrator needs
to promptly update a user’s access rights without requiring them to terminate their current
session. This flexibility is particularly valuable in environments that demand fine-grained
access control or where access privileges need to be adjusted based on changing
circumstances or policies. References :=
Some possible references for this answer are:
RADIUS Change of Authorization - Cisco

Answer: A
A multicontext firewall is a feature that allows a single physical firewall to be
divided into multiple virtual firewalls, also known as security contexts. Each context
operates as an independent device, with its own security policy, interfaces, and
administrators. This feature is useful for service providers, large enterprises, or any
network that requires more than one firewall. One of the problems that a multicontext firewall can solve is an overlapping IP addressing plan. This means that different contexts
can use the same IP addresses without causing conflicts, as long as they are separated by
different interfaces or VLANs. This allows for more efficient use of IP address space and
easier management of multiple networks. A multicontext firewall can also support dynamic
routing protocols and VPNs within each context, providing more flexibility and
functionality12 References := 1: What Are Multi-Context Firewalls? - Franklin Fitch 2:
Multiple Context Mode - Cisco

Answer: A
A teardrop attack is a type of DoS attack that uses fragmented packets in an
attempt to crash a target machine. The attacker sends IP packets that are deliberately
malformed, such that the fragments overlap or have invalid offsets. When the target
machine tries to reassemble the packets, it encounters an error or a buffer overflow,
resulting in a system crash or a denial of service. Teardrop attacks exploit a vulnerability in
the TCP/IP fragmentation reassembly process, which is responsible for splitting and
recombining large packets that exceed the maximum transmission unit (MTU) size.
Teardrop attacks can affect various operating systems, such as Windows, Linux, and BSD,
depending on the implementation of the TCP/IP stack. Teardrop attacks are also known as
IP fragmentation attacks or overlapping fragment attacks. References:
Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0,
Module 5: Securing the Cloud, Lesson 5.2: Cloud Security Threats, Topic 5.2.2:
DoS Attacks
What is an IP Fragmentation Attack (Teardrop ICMP/UDP)
Teardrop Attack - Radware
What Is a Teardrop Attack? | F5
Reference: https://www.radware.com/security/ddos-knowledge-center/ddospedia/teardropattack

Answer: B
The functional difference between Cisco Secure Endpoint (formerly known
as AMP for Endpoints) and Cisco Umbrella Roaming Client lies in their approach to
security. Cisco Secure Endpoint is designed to prevent, detect, and respond to threats on
the endpoint devices. It provides comprehensive protection by stopping and tracking
malicious files and activities on hosts, utilizing continuous analysis and retrospective
security to address threats at various stages of the attack continuum. On the other hand,
Cisco Umbrella Roaming Client is focused on DNS and IP layer enforcement to prevent
internet-based threats before a connection is established. It primarily tracks and blocks
URL-based threats by enforcing security at the DNS layer, thus preventing access to
malicious domains. Therefore, while Secure Endpoint provides broad endpoint protection
against a variety of threats, the Umbrella Roaming Client specifically targets URL-based
threats

Answer: D
Trusted Automated eXchange of Intelligence Information (TAXII) is a
collection of services and message exchanges that enable the sharing of cyber threat
intelligence across product, service, and organizational boundaries. It is designed to
support the exchange of CTI represented in STIX, but is not limited to STIX. TAXII defines
an API that aligns with common sharing models, such as hub-and-spoke, peer-to-peer, and
subscribe/publish. TAXII is not a public collection of threat intelligence feeds, a threat
intelligence sharing organization, or a language used to represent security information.
Those are possible descriptions of STIX, which is a complementary standard to
TAXII. References: STIX and TAXII Approved as OASIS Standards to Enable Automated
Exchange of Cyber Threat Intelligence, STIX V2.1 and TAXII V2.1 OASIS Standards are
published, What is STIX/TAXII? | Cloudflare, What is STIX / TAXII? Learn about the
industry standards for Cyber …, What are STIX/TAXII Standards I Resources I Anomali

Answer: C
For TACACS authentication to work, the key configured on the network
device must match the key configured on the TACACS server. If users are unable to
authenticate despite the TACACS server being reachable, it is likely due to a mismatch in
the keys. Ensuring that both the network device and the TACACS server have the same
key configured is crucial for successful authentication.

Answer: C
In Cisco Secure Endpoint, to create a custom detection file list for detecting
and quarantining future files, an advanced custom detection should be created, and the
hash of each file to be detected and quarantined should be uploaded. This allows the
system to uniquely identify and take action on files based on their hash values, providing a
precise method for targeting specific malicious or unwanted files.

Answer: B
To connect Cisco Secure Workload to external orchestrators at a client site
where incoming connections are not allowed, a reverse tunnel must be used. A reverse
tunnel initiates the connection from the inside of the client's network out to the external
orchestrator, thereby bypassing restrictions on incoming connections and enabling secure
communication.

Answer: D
DNSSEC (Domain Name System Security Extensions) is a technology that
protects DNS from cache poisoning and spoofing attacks by digitally signing DNS data with
cryptographic keys. DNSSEC ensures the integrity and authenticity of DNS responses,
preventing attackers from redirecting traffic to malicious domains. Cisco Umbrella supports
DNSSEC by performing validation on queries sent from Umbrella resolvers to upstream
authorities. This means that Umbrella will only accept DNS responses that are signed and
verified by the authoritative servers for each domain. To enable DNSSEC validation, the
organization needs to configure Cisco Umbrella and use DNSSEC for domain authentication to authoritative servers. This will ensure that Umbrella resolvers will reject
any forged or tampered DNS responses and provide secure DNS resolution for the
organization’s network. References :=
Some possible references are:
Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0,
Module 2: Network Security, Lesson 2.5: Implement DNS Security
What is DNSSEC and Why Is It Important? - Cisco Umbrella
DNSSEC General Availability – Cisco Umbrella

Answer: A
Cisco Secure Workload (formerly Tetration) is a solution that provides
visibility, segmentation, and security for cloud applications. It can monitor application
communications, detect abnormal application behavior, and identify vulnerabilities within
the applications. Cisco Secure Workload can also enforce granular policies to control the
traffic between applications and prevent unauthorized access. References: Implementing
and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 6: Cloud and
Content Security, Lesson 6.2: Cisco Cloud Security Solutions, Topic 6.2.2: Cisco Secure
Workload

Answer: C
Cisco Cloudlock is a cloud-native security solution that secures public,
private, hybrid, and community clouds. It provides visibility, compliance, threat protection and data security for cloud applications and environments. Cisco Cloudlock integrates with
various cloud platforms and services, such as AWS, Azure, Google Cloud, Office 365,
Salesforce, Dropbox, and more. Cisco Cloudlock monitors user activities, configurations,
and sensitive data across the cloud, and alerts or blocks any violations of policies or
regulations. Cisco Cloudlock also leverages user and entity behavior analytics (UEBA) to
detect and respond to anomalous or malicious behaviors in the cloud. Cisco Cloudlock
helps organizations protect their cloud assets and data, while enabling them to embrace
the benefits of cloud computing. References :=
Cloud and Application Security - Cisco
Cloud Security Products and Solutions - Cisco
What Is Cloud Security? - Cisco
[Cisco Cloudlock: Cloud-Native CASB and Cloud Cybersecurity Platform]

Answer: B
File discovery is a feature of Cisco AMP that allows the engineering team to search for
files across all endpoints in the network based on their SHA-256 hashes. File discovery can
help identify whether a file is installed on a selected few workstations, and also provide
information such as file name, path, size, date, and disposition. File discovery can be used
to locate malicious files, unauthorized software, or sensitive data on the endpoints. File
discovery can be accessed from the Outbreak Control menu in the AMP
console1. References: https://www.cisco.com/c/en/us/support/docs/security/ampendpoints/215176-configure-a-simple-custom-d...

Answer: A
The command that results in these messages when attempting to
troubleshoot an iPsec VPN connection is debug crypto isakmp. This command displays
debug information about the Internet Key Exchange (IKE) protocol, which is used to
establish security associations (SAs) for IPsec VPNs. The messages in the exhibit show
various steps and statuses of the IKE negotiation process, such as creating and deleting
peer structures, receiving and sending packets, and checking the compatibility of the
security policies and proposals. The other commands are either invalid (debug crypto ipsec
endpoint and debug crypto isakmp connection) or display different information (debug
crypto ipsec shows the details of the IPsec encryption and decryption
operations). References:
https://www.cisco.com/c/en/us/training-events/training-certifications/training/trainingservices/cou...
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ikeprotocols/5409-ipsec-d...

Answer: C
Cisco Umbrella Investigate provides a comprehensive view of Internet
domains, IP addresses, and autonomous systems, offering a wealth of information about the infrastructure of the internet. It helps security analysts and threat investigators to
pinpoint current and emerging threats by providing access to data from Cisco's global
network, thereby enabling the identification of attackers and malicious infrastructures.

Answer: A
A destination list is a list of internet destinations: domains, URLs, and
CIDRs. To control identity access to specific destinations, you can add destination lists to
Umbrella and then select them when configuring your Web and DNS policies12. When you
add or edit a destination list, the changes are applied immediately if the destination list is
part of a policy3. This means that any identities that are associated with the policy will be
affected by the changes in the destination list. You do not need to save the configuration or
remove the destination list from the policy to apply the changes. However, you do need to
have the appropriate user role to manage destination lists. The user role of Block Page
Bypass or higher is needed to perform these changes4. References :=
Manage Destination Lists - Umbrella User Guide
Manage Destination Lists - Umbrella SIG User Guide
Add a Destination List - Umbrella User Guide
Add a DNS Destination List - Umbrella SIG User Guide

Answer: D
To achieve the goal of excluding some servers from the VPN tunnel and
accessing them directly, the engineer must modify the group policy that is applied to the
remote access VPN users. The group policy contains the settings for split tunneling, which
is a feature that allows the VPN client to route some traffic through the VPN tunnel and
some traffic directly to the internet. Split tunneling can be configured based on the
destination IP address, the application, or the domain name of the traffic. By modifying the
group policy, the engineer can specify which servers or networks should be excluded from
the VPN tunnel and accessed directly by the VPN client. This can improve the performance
and efficiency of the VPN connection, as well as reduce the load on the VPN gateway and
the corporate network. However, split tunneling also introduces some security risks, such
as exposing the VPN client to internet threats, bypassing the corporate firewall and security
policies, and leaking sensitive data. Therefore, the engineer must carefully evaluate the
trade-offs and best practices of using split tunneling for remote access
VPNs. References :=
Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0,
Module 3: Secure Connectivity, Lesson 3.1: Implementing and Troubleshooting Remote Access VPN, Topic 3.1.4: Configure and Verify Remote Access VPN,
Subtopic 3.1.4.2: Configure and Verify Split Tunneling
VPN Split Tunneling: What It Is & Pros and Cons
Cisco ASA - Enable Split Tunnel for Remote VPN Clients

Answer: B
When a Cisco WSA receives a web request, it evaluates it against the
policies in the policy table. Each policy type has a predefined, global policy, which
maintains default actions for that policy type. If the web request does not match any userdefined policy, the WSA applies the global policy. The global policy can be configured to
allow, block, or redirect the web request based on various criteria. The global policy acts as
a catch-all policy for any web request that is not explicitly handled by a user-defined
policy. References :=
User Guide for AsyncOS 11.0 for Cisco Web Security Appliances - Create Policies
to Control Internet Requests
User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited
Deployment) - Acquire End-User Credentials

Answer: C
The correct answer is to enable two-factor authentication through a RADIUS
server, and then join the cluster via the SEG CLI. Two-factor authentication is a security
feature that requires users to provide two forms of identification before accessing the SEG,
such as a username and password, and a one-time code or token. This adds an extra layer
of protection against unauthorized access and phishing attacks. The SEG supports twofactor authentication through external RADIUS servers, which can be configured on the
System Administration > Users page in the web interface, or the userconfig command in
the CLI. See User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General
Deployment) (Section: Two-Factor Authentication) for more details.
To join a cluster, the SEG must communicate with other cluster members using either SSH
or CCS (Cluster Communication Service). The cluster communication port and method can
be configured on the Network > Cluster Communication page in the web interface, or the
clusterconfig command in the CLI. See User Guide for AsyncOS 14.0 for Cisco Secure
Email Gateway - GD (General Deployment) (Section: Cluster Communication) for more
details.
If two-factor authentication is enabled on the SEG, it cannot join a cluster using the web
interface, because the web interface does not support two-factor authentication for cluster
operations. Therefore, the SEG must join the cluster using the CLI, and provide a preshared key that matches the cluster’s admin passphrase. The pre-shared key can be
configured using the clusterconfig > prepjoin command in the CLI. See User Guide for
AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) (Section: Creating and Joining a Cluster) for more details.
The other options are incorrect because they either use the wrong authentication server
(TACACS+ instead of RADIUS), or the wrong communication method (GUI instead of
CLI). References:
User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General
Deployment)
Configure an Email Security Appliance (ESA) Cluster - Cisco
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-
0/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_00.pdf

Cisco 350-701 Exam Dumps

Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

Last Week 350-701 Exam Results

350-701 Dumps – Pass Your Cisco 350-701 Certification Exam with Confidence

How to Use Our 350-701 Dumps

Start Your 350-701 Exam Preparation Today!

Related Exams

Cisco 350-701 Sample Question Answers