Exam 1
Test title: Exam 1
Description: Part 1-1 61




1. What is the role of the casebook feature in Cisco Threat Response?
   a) sharing threat analysis
   b) pulling data via the browser extension
   c) triage automation with alerting
   d) alert prioritization

2. An administrator is adding a new URL-based category feed to the Cisco FMC for use within the policies. The intelligence source does not use STIX but instead uses a .txt file format. Which action ensures that regular updates are provided?
   a) Add a URL source and select the flat file type within Cisco FMC.
   b) Upload the .txt file and configure automatic updates using the embedded URL.
   c) Add a TAXII feed source and input the URL for the feed.
   d) Convert the .txt file to STIX and upload it to the Cisco FMC.

3. An engineer installs a Cisco FTD device and wants to inspect traffic within the same subnet passing through a firewall and inspect traffic destined to the Internet. Which configuration will meet this requirement?
   a) transparent firewall mode with IRB only
   b) routed firewall mode with BVI and routed interfaces
   c) transparent firewall mode with multiple BVIs
   d) routed firewall mode with routed interfaces only

4. A network administrator configured a NAT policy that translates a public IP address to an internal web server IP address. An access policy has also been created that allows any source to reach the public IP address on port 80. The web server is still not reachable from the Internet on port 80. Which configuration change is needed?
   a) The intrusion policy must be disabled for port 80.
   b) The access policy rule must be configured for the action trust.
   c) The NAT policy must be modified to translate the source IP address as well as the destination IP address.
   d) The access policy must allow traffic to the internal web server IP address.

5. A network administrator is migrating from a Cisco ASA to a Cisco FTD. EIGRP is configured on the Cisco ASA but it is not available in the Cisco FMC. Which action must the administrator take to enable this feature on the Cisco FTD?
   a) Configure EIGRP parameters using FlexConfig objects.
   b) Add the command feature-eigrp via the FTD CLI.
   c) Create a custom variable set and enable the feature in the variable set.
   d) Enable advanced configuration options in the FMC.

6. A security engineer found a suspicious file from an employee email address and is trying to upload it for analysis; however, the upload is failing. The last registration status is still active. What is the cause of this issue?
   a) Cisco AMP for Networks is unable to contact Cisco Threat Grid on premise.
   b) Cisco AMP for Networks is unable to contact Cisco Threat Grid Cloud.
   c) There is a host limit set.
   d) The user agent status is set to monitor.

7. An administrator is attempting to add a new FTD device to their FMC behind a NAT device with a NAT ID of NAT001 and a password of Cisco0420l06525. The private IP address of the FMC server is 192.168.45.45, which is being translated to the public IP address 209.165.200.225/27. Which command set must be used in order to accomplish this task?
   a) configure manager add 209.165.200.225 <reg_key> <nat_id>
   b) configure manager add 192.168.45.45 <reg_key> <nat_id>
   c) configure manager add 209.165.200.225 255.255.255.224 <reg_key> <nat_id>
   d) configure manager add 209.165.200.225/27 <reg_key> <nat_id>

8. A security analyst must create a new report within Cisco FMC to show an overview of the daily attacks, vulnerabilities, and connections. The analyst wants to reuse specific dashboards from other reports to create this consolidated one. Which action accomplishes this task?
   a) Create a dashboard object via Object Management to represent the desired views.
   b) Modify the Custom Workflows within the Cisco FMC to feed the desired data into the report.
   c) Copy the Malware Report and modify the sections to pull components from other reports.
   d) Use the import feature in the newly created report to select which dashboards to add.

9. A network engineer must provide redundancy between two Cisco FTD devices. The redundancy configuration must include automatic configuration, translation, and connection updates. After the initial configuration of the two appliances, which two steps must be taken to proceed with the redundancy configuration? (Choose two.)
   a) Configure the virtual MAC address on the failover link.
   b) Disable hellos on the inside interface.
   c) Configure the standby IP addresses.
   d) Ensure the high availability license is enabled.
   e) Configure the failover link with stateful properties.

10. An engineer attempts to pull the configuration for a Cisco FTD sensor to review with Cisco TAC but does not have direct access to the CLI for the device. The CLI for the device is managed by Cisco FMC, to which the engineer has access. Which action in Cisco FMC grants access to the CLI for the device?
   a) Export the configuration using the Import/Export tool within Cisco FMC.
   b) Create a backup of the configuration within the Cisco FMC.
   c) Use the show run all command in the Cisco FTD CLI feature within Cisco FMC.
   d) Download the configuration file within the File Download section of Cisco FMC.

11. Which policy rule is included in the deployment of a local DMZ during the initial deployment of a Cisco NGFW through the Cisco FMC GUI?
   a) a default DMZ policy for which only a user can change the IP addresses
   b) deny ip any
   c) no policy rule is included
   d) permit ip any

12. Which limitation applies to Cisco FMC dashboards in a multidomain environment?
   a) Child domains can view but not edit dashboards that originate from an ancestor domain.
   b) Child domains have access to only a limited set of widgets from ancestor domains.
   c) Only the administrator of the top ancestor domain can view dashboards.
   d) Child domains cannot view dashboards that originate from an ancestor domain.

13. Which command is run on an FTD unit to associate the unit to an FMC manager that is at IP address 10.0.0.10 and that has the registration key Cisco123?
   a) configure manager local 10.0.0.10 Cisco123
   b) configure manager add Cisco123 10.0.0.10
   c) configure manager local Cisco123 10.0.0.10
   d) configure manager add 10.0.0.10 Cisco123

14. Which Cisco Firepower feature is used to reduce the number of events received in a period of time?
   a) rate-limiting
   b) suspending
   c) correlation
   d) thresholding

15. While integrating Cisco Umbrella with Cisco Threat Response, a network security engineer wants to automatically push blocking of domains from the Cisco Threat Response interface to Cisco Umbrella. Which API meets this requirement?
   a) investigate
   b) reporting
   c) enforcement
   d) REST

16. The CIO asks a network administrator to present to management a dashboard that shows custom analysis tables for the top DNS queries, URL category statistics, and URL reputation statistics. Which action must the administrator take to quickly produce this information for management?
   a) Run the Attack report and filter on DNS to show this information.
   b) Create a new dashboard and add three custom analysis widgets that specify the tables needed.
   c) Modify the Connection Events dashboard to display the information in a view for management.
   d) Copy the intrusion events dashboard tab and modify each widget to show the correct charts.

17. An analyst is investigating a potentially compromised endpoint within the network and pulls a host report for the endpoint in question to collect metrics and documentation. What information should be taken from this report for the investigation?
   a) client applications by user, web applications, and user connections
   b) number of attacked machines, sources of the attack, and traffic patterns
   c) threat detections over time and application protocols transferring malware
   d) intrusion events, host connections, and user sessions

18. A network administrator reviews the file report for the last month and notices that all file types, except exe, show a disposition of unknown. What is the cause of this issue?
   a) The malware license has not been applied to the Cisco FTD.
   b) The Cisco FMC cannot reach the Internet to analyze files.
   c) A file policy has not been applied to the access policy.
   d) Only Spero file analysis is enabled.

19. An administrator receives reports that users cannot access a cloud-hosted web server. The access control policy was recently updated with several new policy additions and URL filtering. What must be done to troubleshoot the issue and restore access without sacrificing the organization's security posture?
   a) Create a new access control policy rule to allow ports 80 and 443 to the FQDN of the web server.
   b) Identify the blocked traffic in the Cisco FMC connection events to validate the block, and modify the policy to allow the traffic to the web server.
   c) Verify the blocks using the packet capture tool and create a rule with the action monitor for the traffic.
   d) Download a PCAP of the traffic attempts to verify the blocks and use FlexConfig objects to create a rule that allows only the required traffic to the destination server.

20. A network security engineer must export packet captures from the Cisco FMC web browser while troubleshooting an issue. When navigating to the address https://<FMC IP>/capture/CAPI/pcap/test.pcap, an error 403: Forbidden is given instead of the PCAP file. Which action must the engineer take to resolve this issue?
   a) Disable the proxy setting on the browser.
   b) Disable the HTTPS server and use HTTP instead.
   c) Use the Cisco FTD IP address as the proxy server setting on the browser.
   d) Enable the HTTPS server for the device platform policy.

21. An engineer wants to change an existing transparent Cisco FTD to routed mode. The device controls traffic between two network segments. Which action is mandatory to allow hosts to reestablish communication between these two segments after the change?
   a) Remove the existing dynamic routing protocol settings.
   b) Configure multiple BVIs to route between segments.
   c) Assign unique VLAN IDs to each firewall interface.
   d) Implement non-overlapping IP subnets on each segment.

22. An engineer is reviewing a ticket that requests to allow traffic for some devices that must connect to a server over 8699/udp. The request mentions only one IP address, 172.16.18.15, but the requestor asked the engineer to open the port for all machines that have been trying to connect to it over the last week. Which action must the engineer take to troubleshoot this issue?
   a) Use the context explorer to see the application blocks by protocol.
   b) Use the context explorer to see the destination port blocks.
   c) Filter the connection events by the source port 8699/udp.
   d) Filter the connection events by the destination port 8699/udp.

23. An organization is migrating their Cisco ASA devices running in multicontext mode to Cisco FTD devices. Which action must be taken to ensure that each context on the Cisco ASA is logically separated in the Cisco FTD devices?
   a) Add a native instance to distribute traffic to each Cisco FTD context.
   b) Add the Cisco FTD device to the Cisco ASA port channels.
   c) Configure a container instance in the Cisco FTD for each context in the Cisco ASA.
   d) Configure the Cisco FTD to use port channels spanning multiple networks.

24. A security engineer is configuring a remote Cisco FTD that has limited resources and internet bandwidth. Which malware action and protection option should be configured to reduce the requirement for cloud lookups?
   a) Malware Cloud Lookup and dynamic analysis
   b) Block Malware action and dynamic analysis
   c) Block Malware action and local malware analysis
   d) Block File action and local malware analysis

25. Refer to the exhibit. An engineer is modifying an access control policy to add a rule to inspect all DNS traffic that passes through the firewall. After making the change and deploying the policy, they see that DNS traffic is not being inspected by the Snort engine. What is the problem?
   a) The rule must specify the security zone that originates the traffic.
   b) The rule must define the source network for inspection as well as the port.
   c) The action of the rule is set to trust instead of allow.
   d) The rule is configured with the wrong setting for the source port.

26. A network administrator has converted a Cisco FTD from using LDAP to LDAPS for VPN authentication. The Cisco FMC can connect to the LDAPS server, but the Cisco FTD is not connecting. Which configuration must be enabled on the Cisco FTD?
   a) SSL must be set to use TLSv1.2 or lower.
   b) DNS servers must be defined for name resolution.
   c) The RADIUS server must be defined.
   d) LDAPS must be allowed through the access policy.

27. A security engineer must deploy a Cisco FTD appliance as a bump in the wire to detect intrusion events without disrupting the flow of network traffic. Which two features must be configured to accomplish the task? (Choose two.)
   a) inline set pair
   b) transparent mode
   c) tap mode
   d) passive interfaces
   e) bridged mode

28. A network administrator is configuring an FTD in transparent mode. A bridge group is set up and an access policy has been set up to allow all IP traffic. Traffic is not passing through the FTD. What additional configuration is needed?
   a) The security levels of the interfaces must be set.
   b) A default route must be added to the FTD.
   c) An IP address must be assigned to the BVI.
   d) A MAC access control list must be added to allow all MAC addresses.

29. What is the difference between inline and inline tap on Cisco Firepower?
   a) Inline tap mode can send a copy of the traffic to another device.
   b) Inline tap mode does full packet capture.
   c) Inline mode cannot do SSL decryption.
   d) Inline mode can drop malicious traffic.

30. What are the minimum requirements to deploy a managed device inline?
   a) inline interfaces, security zones, MTU, and mode
   b) passive interface, MTU, and mode
   c) inline interfaces, MTU, and mode
   d) passive interface, security zone, MTU, and mode

31. What are two application layer preprocessors? (Choose two.)
   a) CIFS
   b) IMAP
   c) SSL
   d) DNP3
   e) ICMP

32. With Cisco Firepower Threat Defense software, which interface mode must be configured to passively receive traffic that passes through the appliance?
   a) inline set
   b) passive
   c) routed
   d) inline tap

33. Which two statements about bridge-group interfaces in Cisco FTD are true? (Choose two.)
   a) The BVI IP address must be in a separate subnet from the connected network.
   b) Bridge groups are supported in both transparent and routed firewall modes.
   c) Bridge groups are supported only in transparent firewall mode.
   d) Bidirectional Forwarding Detection echo packets are allowed through the FTD when using bridge-group members.
   e) Each directly connected network must be on the same subnet.

34. An engineer wants to add an additional Cisco FTD Version 6.2.3 device to their current 6.2.3 deployment to create a high availability pair. The currently deployed Cisco FTD device is using local management and identical hardware, including the available port density to enable the failover and stateful links required in a proper high availability deployment. Which action ensures that the environment is ready to pair the new Cisco FTD with the old one?
   a) Change from Cisco FDM management to Cisco FMC management on both devices and register them to FMC.
   b) Ensure that the two devices are assigned IP addresses from the 169.254.0.0/16 range for failover interfaces.
   c) Factory reset the current Cisco FTD so that it can synchronize configurations with the new Cisco FTD device.
   d) Ensure that the configured DNS servers match on the two devices for name resolution.

35. An administrator must use Cisco FMC to install a backup route within the Cisco FTD to route traffic in case of a routing failure with the primary route. Which action accomplishes this task?
   a) Install the static backup route and modify the metric to be less than the primary route.
   b) Use a default route in the FMC instead of having multiple routes contending for priority.
   c) Configure EIGRP routing on the FMC to ensure that dynamic routes are always updated.
   d) Create the backup route and use route tracking on both routes to a destination IP address in the network.

36. An administrator is setting up a Cisco FMC and must provide expert mode access for a security engineer. The engineer is permitted to use only a secured out-of-band network workstation with a static IP address to access the Cisco FMC. What must be configured to enable this access?
   a) Enable HTTP and define an access list.
   b) Enable HTTPS and SNMP under the Access List section.
   c) Enable SCP under the Access List section.
   d) Enable SSH and define an Access List.

37. What is the RTC workflow when the infected endpoint is identified?
   a) Cisco ISE instructs Cisco AMP to contain the infected endpoint.
   b) Cisco ISE instructs Cisco FMC to contain the infected endpoint.
   c) Cisco AMP instructs Cisco FMC to contain the infected endpoint.
   d) Cisco FMC instructs Cisco ISE to contain the infected endpoint.

38. Due to an increase in malicious events, a security engineer must generate a threat report to include intrusion events, malware events, and security intelligence events. How is this information collected in a single report?
   a) Run the default Firepower report.
   b) Export the Attacks Risk report.
   c) Generate a malware report.
   d) Create a Custom report.

39. Which interface type allows packets to be dropped?
   a) passive
   b) inline
   c) erspan
   d) TAP

40. An organization does not want to use the default Cisco Firepower block page when blocking HTTP traffic. The organization wants to include information about its policies and procedures to help educate the users whenever a block occurs. Which two steps must be taken to meet these requirements? (Choose two.)
   a) Edit the HTTP request handling in the access control policy to customized block.
   b) Modify the system-provided block page result using Python.
   c) Create HTML code with the information for the policies and procedures.
   d) Change the HTTP response in the access control policy to custom.
   e) Write CSS code with the information for the policies and procedures.

41. A connectivity issue is occurring between a client and a server that are communicating through a Cisco Firepower device. While troubleshooting, a network administrator sees that traffic is reaching the server, but the client is not getting a response. Which step must be taken to resolve this issue without initiating traffic from the client?
   a) Use packet-tracer to ensure that traffic is not being blocked by an access list.
   b) Use packet capture to ensure that traffic is not being blocked by an access list.
   c) Use packet capture to validate that the packet passes through the firewall and is NATed to the correct IP address.
   d) Use packet-tracer to validate that the packet passes through the firewall and is NATed to the correct IP address.

42. A company has many Cisco FTD devices managed by a Cisco FMC. The security model requires that access control rule logs be collected for analysis. The security engineer is concerned that the Cisco FMC will not be able to process the volume of logging that will be generated. Which configuration addresses this concern?
   a) Send Cisco FTD connection events directly to a SIEM system and forward security events from Cisco FMC to the SIEM system for storage and analysis.
   b) Send Cisco FTD connection events and security events directly to a SIEM system for storage and analysis.
   c) Send Cisco FTD connection events and security events to a cluster of Cisco FMC devices for storage and analysis.
   d) Send Cisco FTD connection events and security events to Cisco FMC and configure it to forward logs to a SIEM for storage and analysis.

43. An engineer is setting up a new Firepower deployment and is looking at the default FMC policies to start the implementation. During the initial trial phase, the organization wants to test some common Snort rules while still allowing the majority of network traffic to pass. Which default policy should be used?
   a) Maximum Detection
   b) Security Over Connectivity
   c) Balanced Security and Connectivity
   d) Connectivity Over Security

44. An engineer integrates Cisco FMC and Cisco ISE using pxGrid. Which role is assigned for Cisco FMC?
   a) server
   b) controller
   c) publisher
   d) client

45. A network administrator notices that remote access VPN users are not reachable from inside the network. It is determined that routing is configured correctly; however, return traffic is entering the firewall but not leaving it. What is the reason for this issue?
   a) A manual NAT exemption rule does not exist at the top of the NAT table.
   b) An external NAT IP address is not configured.
   c) An external NAT IP address is configured to match the wrong interface.
   d) An object NAT exemption rule does not exist at the top of the NAT table.

46. An engineer is troubleshooting connectivity to the DNS servers from hosts behind a new Cisco FTD device. The hosts cannot send DNS queries to servers in the DMZ. Which action should the engineer take to troubleshoot this issue using the real DNS packets?
   a) Use the packet capture tool to check where the traffic is being blocked and adjust the access control or intrusion policy as needed.
   b) Use the Connection Events dashboard to check the block reason and adjust the inspection policy as needed.
   c) Use the packet tracer tool to determine at which hop the packet is being dropped.
   d) Use the show blocks command in the Threat Defense CLI tool and create a policy to allow the blocked traffic.

47. A network engineer implements a new Cisco Firepower device on the network to take advantage of its intrusion detection functionality. There is a requirement to analyze the traffic going across the device, alert on any malicious traffic, and appear as a bump in the wire. How should this be implemented?
   a) Specify the BVI IP address as the default gateway for connected devices.
   b) Enable routing on the Cisco Firepower.
   c) Add an IP address to the physical Cisco Firepower interfaces.
   d) Configure a bridge group in transparent mode.

48. Which Cisco FMC report gives the analyst information about the ports and protocols that are related to the configured sensitive network for analysis?
   a) Malware Report
   b) Host Report
   c) Firepower Report
   d) Network Report

49. A security engineer must configure a Cisco FTD appliance to inspect traffic coming from the internet. The Internet traffic will be mirrored from the Cisco Catalyst 9300 Switch. Which configuration accomplishes the task?
   a) Set interface configuration mode to none.
   b) Set the firewall mode to transparent.
   c) Set the firewall mode to routed.
   d) Set interface configuration mode to passive.

50. A network administrator registered an FTD to an existing FMC. The administrator cannot place the FTD in transparent mode. Which action enables transparent mode?
   a) Add a Bridge Group Interface to the FTD before transparent mode is configured.
   b) Deregister the FTD device from FMC and configure transparent mode via the CLI.
   c) Obtain an FTD model that supports transparent mode.
   d) Assign an IP address to two physical interfaces.

51. An engineer must add DNS-specific rules to the Cisco FTD intrusion policy. The engineer wants to use the rules currently in the Cisco FTD Snort database that are not already enabled, but does not want to enable more than are needed. Which action meets these requirements?
   a) Change the base policy to Security over Connectivity.
   b) Change the dynamic state of the rule within the policy.
   c) Change the rules using the Generate and use recommendations feature.
   d) Change the rule state within the policy being used.

52. A network administrator is trying to convert from LDAP to LDAPS for VPN user authentication on a Cisco FTD. Which action must be taken on the Cisco FTD objects to accomplish this task?
   a) Identify the LDAPS cipher suite and use a cipher suite list object to define the Cisco FTD connection requirements.
   b) Add a key chain object to acquire the LDAP certificate.
   c) Create a certificate enrollment object to get the LDAPS certificate needed.
   d) Modify the policy list object to define the session requirements for LDAPS.

53. A security engineer is deploying a pair of primary and secondary Cisco FMC devices. The secondary must also receive updates from Cisco Talos. Which action achieves this goal?
   a) Force failover for the secondary Cisco FMC to synchronize the rule updates from the primary.
   b) Configure the secondary Cisco FMC so that it receives updates from Cisco Talos.
   c) Manually import rule updates onto the secondary Cisco FMC device.
   d) Configure the primary Cisco FMC so that the rules are updated.

54. Which two statements about deleting and re-adding a device to Cisco FMC are true? (Choose two.)
   a) An option to re-apply NAT and VPN policies during registration is available, so users do not need to re-apply the policies after registration is completed.
   b) Before re-adding the device in Cisco FMC, you must add the manager back in the device.
   c) No option to delete and re-add a device is available in the Cisco FMC web interface.
   d) The Cisco FMC web interface prompts users to re-apply access control policies.
   e) No option to re-apply NAT and VPN policies during registration is available, so users need to re-apply the policies after registration is completed.

55. What is the maximum bit size that Cisco FMC supports for HTTPS certificates?
   a) 1024
   b) 8192
   c) 4096
   d) 2048

56. An engineer is investigating connectivity problems on Cisco Firepower for a specific SGT. Which command allows the engineer to capture real packets that pass through the firewall using an SGT of 64?
   a) capture CAP type inline-tag 64 match ip any any
   b) capture CAP match 64 type inline-tag ip any any
   c) capture CAP headers-only type inline-tag 64 match ip any any
   d) capture CAP buffer 64 match ip any any

57. An organization recently implemented a transparent Cisco FTD in their network. They must ensure that the device does not respond to insecure SSL/TLS protocols. Which action accomplishes this task?
   a) Modify the device's settings using the device management feature within Cisco FMC to force only secure protocols.
   b) Use the Cisco FTD platform policy to change the minimum SSL version on the device to TLS 1.2.
   c) Enable UCAPL/CC compliance on the device to support only the most secure protocols available.
   d) Configure a FlexConfig object to disable any insecure TLS protocols on the Cisco FTD device.

58. Refer to the exhibit. What is the effect of the existing Cisco FMC configuration?
   a) The remote management port for communication between the Cisco FMC and the managed device changes to port 8443.
   b) The managed device is deleted from the Cisco FMC.
   c) The SSL-encrypted communication channel between the Cisco FMC and the managed device becomes a plain-text communication channel.
   d) The management connection between the Cisco FMC and the Cisco FTD is disabled.

59. An engineer is working on a LAN switch and has noticed that its network connection to the inline Cisco IPS has gone down. Upon troubleshooting, it is determined that the switch is working as expected. What must have been implemented for this failure to occur?
   a) The upstream router has a misconfigured routing protocol.
   b) Link-state propagation is enabled.
   c) The Cisco IPS has been configured to be in fail-open mode.
   d) The Cisco IPS is configured in detection mode.

60. An engineer must define a URL object on Cisco FMC. What is the correct method to specify the URL without performing SSL inspection?
   a) Use the Subject Common Name value.
   b) Specify all subdomains in the object group.
   c) Specify the protocol in the object.
   d) Include all URLs from CRL Distribution Points.
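The "thresholding" option in question 14 refers to Snort event filtering as exposed through the Firepower intrusion policy: an event filter of type limit, threshold or both, tracked by source or destination address, caps how many times a given rule (gid:sid) is reported within a time window. The following Python is an added example written for this page, not code from the quiz or from Cisco; it re-implements the three filter types on a constructed event stream so the difference between them is visible. The Event and EventFilter classes, the field names and the sample addresses are assumptions chosen for illustration.

```python
"""
Snort-style event thresholding, modelled on the documented semantics of
Snort's event_filter directive (illustrative re-implementation, not Snort code):

  limit     : report the first `count` events per `seconds`, suppress the rest
  threshold : report every `count`-th event within `seconds`
  both      : report once per `seconds`, after `count` events have been seen

State is kept per filter and per tracking key (by_src or by_dst).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    ts: float   # seconds (hypothetical timestamp, constructed for the example)
    gid: int
    sid: int
    src: str
    dst: str


@dataclass
class EventFilter:
    gid: int
    sid: int
    kind: str      # "limit" | "threshold" | "both"
    track: str     # "by_src" | "by_dst"
    count: int
    seconds: int
    # per tracking key: (window_start, events_seen_in_window, events_reported_in_window)
    _state: dict = field(default_factory=dict)

    def matches(self, ev: Event) -> bool:
        return ev.gid == self.gid and ev.sid == self.sid

    def _key(self, ev: Event) -> str:
        return ev.src if self.track == "by_src" else ev.dst

    def allow(self, ev: Event) -> bool:
        """True if the event should be reported, False if suppressed."""
        key = self._key(ev)
        start, seen, reported = self._state.get(key, (ev.ts, 0, 0))
        if ev.ts - start >= self.seconds:      # window expired: start a new one
            start, seen, reported = ev.ts, 0, 0
        seen += 1
        if self.kind == "limit":
            decision = seen <= self.count
        elif self.kind == "threshold":
            decision = seen % self.count == 0
        elif self.kind == "both":
            decision = seen >= self.count and reported == 0
        else:
            raise ValueError(f"unknown filter kind {self.kind!r}")
        if decision:
            reported += 1
        self._state[key] = (start, seen, reported)
        return decision


def apply_filters(events, filters):
    """Pass an event stream through the filters; events with no filter are reported as-is."""
    reported = []
    for ev in events:
        flt = next((f for f in filters if f.matches(ev)), None)
        if flt is None or flt.allow(ev):
            reported.append(ev)
    return reported


def demo():
    """Constructed stream: one host trips the same rule ten times in ten seconds."""
    events = [Event(float(t), 1, 1000001, "10.0.0.5", "10.0.0.80") for t in range(10)]
    results = {}
    for kind in ("limit", "threshold", "both"):
        flt = EventFilter(1, 1000001, kind, "by_src", 3, 60)
        results[kind] = len(apply_filters(events, [flt]))
    return results   # {'limit': 3, 'threshold': 3, 'both': 1}


if __name__ == "__main__":
    print(demo())
```

With ten identical alerts in a 60-second window, limit reports the first three, threshold reports the third, sixth and ninth, and both reports only once (on the third). Filters are keyed per source or destination, so a second host triggering the same rule gets its own counters, and a new window starts once `seconds` has elapsed since the first event in the previous one.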