QUESTION 21
A network engineer must deploy a Cisco ASA to an existing network without changing any IP addresses or networking settings. The external devices connected to the firewall will be on the same subnet as the internal devices. Which command must the engineer use to meet the requirements?
A. mode multiple
B. no firewall transparent
C. firewall transparent
D. firewall routed
Correct Answer: C
QUESTION 22
An engineer must configure a new identity policy in Cisco Firepower Management Center. Active authentication must be configured by using a Kerberos connection. Which two realms must be configured? (Choose two.)
A. directory username
B. active directory primary domain
C. active directory join username
D. active directory join password
E. directory password
Correct Answer: CD
QUESTION 23
An engineer is implementing clustering in Cisco Secure Firewall Management Center. The configuration must ensure that the cluster has a designated control unit node with more resources than the other nodes. What must the engineer set for the priority value of the node?
A. value higher than the other units in the cluster
B. value lower than the other units in the cluster
C. 0
D. 255
Correct Answer: B
QUESTION 24
Which Cisco Rapid Threat Containment mitigation action is enabled by integrating pxGrid Adaptive Network Control with Cisco ISE and Cisco Secure Firewall Management Center?
A. suspend
B. terminate
C. reject
D. block
Correct Answer: D
QUESTION 25
What is the purpose of the IRB feature in next-generation firewall?
A. to block routing between two Layer 3 interfaces
B. to configure NAT in transparent mode
C. to allow multiple physical interfaces to be part of the same VLAN
D. to enable transparent bridging between two Layer 2 interfaces
Correct Answer: D
QUESTION 26
An engineer is configuring Cisco Security Devices by using Cisco Secure Firewall Management Center. Which configuration command must be run to compare the CA certificate bundle on the local system to the latest CA bundle from the Cisco server?
A. configure cert-update auto-update enable
B. configure cert-update run-now
C. configure cert-update test
D. configure cert-update compare
Correct Answer: C
QUESTION 27
An engineer is setting up two new Cisco Secure Firewall Threat Defense appliances as a high-availability pair. The company needs the high-availability pair to detect a failure on the failover link and trigger a failover faster. Which two settings must the engineer decrease? (Choose two.)
A. peer poll time
B. interface hold time
C. peer hold time
D. interface failure limit
E. interface poll time
Correct Answer: DE
QUESTION 28
An engineer is configuring a Cisco Secure Firewall Threat Defense device to operate in transparent mode between two switch stacks. VLAN 10 is used for in-band management on both switch stacks. Which two actions are required on the device to inspect traffic between the two switch stacks without causing any interruption to network traffic? (Choose two.)
A. Configure at least one bridge group.
B. Set the MTU to 9198 on all interfaces to support jumbo frames.
C. Add separate routes for data and management traffic.
D. Exempt BPDUs from advanced inspection.
E. Configure a BVI interface for VLAN 10.
Correct Answer: AD
QUESTION 29
An engineer must configure an ERSPAN passive interface on a Cisco Secure IPS by using the Cisco Secure Firewall Management Center. These configurations have been performed already:
1. Configure the passive interface.
2. Configure the ERSPAN IP address.
Which two additional settings must be configured to complete the configuration? (Choose two.)
A. Destination MAC
B. TCP Intercept
C. Flow Id
D. Source IP
E. Bypass Mode
Correct Answer: CD
QUESTION 30
An engineer is reviewing an existing custom server fingerprint on a Cisco Secure Firewall because the current information is inaccurate. Which action must the engineer take to improve the accuracy of the network discovery rules?
A. Set one common rule to override the reports in the multidomain environment.
B. Add NetFlow monitoring for the network segment.
C. Exclude the IP address that is used to communicate with the monitored host.
D. Exclude the ports that must be skipped.
Correct Answer: D
QUESTION 31
Which communication is blocked from the bridge groups when multiple are configured in transparent mode on a Cisco Secure Firewall Threat Defense appliance?
A. with each other
B. with client devices
C. with other routers
D. with the internet
Correct Answer: A
QUESTION 32
Which action occurs in the Rapid Threat Containment workflow when an infected endpoint is detected to isolate the infected endpoint?
A. Cisco ISE instructs Cisco Secure Endpoint
B. Cisco Secure Firewall Management Centre instructs Cisco ISE
C. Cisco Secure Endpoint instructs Cisco ISE
D. Cisco ISE instructs Cisco Secure Firewall Management Centre
Correct Answer: B
QUESTION 33
A security engineer needs to monitor the activity of an endpoint using Cisco Secure Endpoint. The organization requires continuous visibility into the endpoint’s behaviour for threat detection purposes, however no enforcement or blocking actions must be applied to the device. The engineer must ensure that all activity for the endpoint is logged and available for review. Which policy type must be configured to meet the ethe requirement?
A. protect
B. audit
C. secure
D. forward
Correct Answer: B
QUESTION 34
An engineer must configure a SPAN to monitor traffic by using a Cisco Secure IPs device in passive mode. The Cisco secure IPs interface Gi0/1 is connected to Cisco Catalyst Switch interface Gi0/3. Which SPAN configuration meets the requirement?
A. Switch>enable
Switch#configure terminal
Switch(config)#monitor source interface Gi0/1
Switch(config)#monitor destination interface Gi0/3
Switch(config)#end
B. Switch>enable
Switch#configure terminal
Switch(config)#monitor session 1 source interface Gi0/1
Switch(config)#monitor session 1 destination interface Gi0/3
Switch(config)#end
C. Switch>enable
Switch#configure terminal
Switch(config)#monitor source interface Gi0/3
Switch(config)#monitor destination interface Gi0/1
Switch(config)#end
D. Switch>enable
Switch#configure terminal
Switch(config)#monitor session 1 source interface Gi0/3
Switch(config)#monitor session 1 destination interface Gi0/1
Switch(config)#end
Correct Answer: D
QUESTION 35
A network administrator sees an attempted attack from a specific IP address in the Cisco Secure Firewall Management Center. Which Cisco security tool must be used directly from the Secure Firewall Management Center web page to find out more information about the IP address?
A. Cisco Secure Network Analytics
B. Cisco Threat Response browser plugin
C. Cisco Secure Endpoint
D. Cisco ISE
Correct Answer: B
QUESTION 36
A security analyst is investigating a potential compromise in the network. The security analyst must produce a report for the suspicious activity from Cisco Secure Firewall Management Center. Which two details must be configured to be included in the report to aid in the investigation? (Choose two.)
A. client applications by user
B. host connections
C. intrusion events
D. number of attacked machines
E. user connections
Correct Answer: BC
QUESTION 37
An engineer must deploy URL filtering in Cisco Secure Firewll Management Center Version 7.0. The engineer is configuring the URL condition for an access control rule to filter URLs that display bad behavior or are malicious or undesirable. which reputation level must be configured?
A. Favorable
B. Untrusted
C. Neutral
D. Questionable
Correct Answer: B
QUESTION 38
A network administrator is configuring a Cisco Secure Firewall Threat Defense device managed by Cisco Secure Firewall Management Center to provide routing information via BGP with the upstream router. The administrator must verify which networks are being shared with the upstream router via BGP. Which action must the engineer take?
A. Run the show bgp neighbors NEIGHBOR-IP advertised-routes command from Advanced Troubleshooting.
B. Run the show route command from the Secure Firewall Management Center CLI.
C. Click Route Inject configuration under the Device Routing section of Secure Firewall Threat Defense.
D. Click Route Inject configuration under the Device Routing section of Secure Firewall Management Center.
Correct Answer: A
QUESTION 39
What acts as the remediation module for Rapid Threat Containment within Cisco Secure Firewall Management Center?
A. Cisco Secure Endpoint
B. Cisco ISE
C. Network Protection Services
D. Adaptive Network Control
Correct Answer: D
QUESTION 40
An engineer wants to convert a Cisco Secure Firewall Threat Defense device that is currently being managed by Cisco secure Firewall Management Center from routed mode to transparent mode. Which CLI command must the engineer execute first to perform this conversion?
A. no configure manager
B. configure firewall transparent
C. configure manager delete
D. no configure firewall routed
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.