Cisco 300-710 Online Practice Questions and Exam Preparation
300-710 Exam Details
Exam Code: 300-710
Exam Name: Securing Networks with Cisco Firepower (SNCF)
Certification: CCNP Security
Vendor: Cisco
Total Questions: 433 Q&As
Last Updated: May 24, 2026
Cisco 300-710 Online Questions & Answers
Question 331:
A network security engineer must replace a faulty Cisco FTD device in a high availability pair. Which action must be taken while replacing the faulty unit?
A. Ensure that the faulty Cisco FTD device remains registered to the Cisco FMC
B. Shut down the active Cisco FTD device before powering up the replacement unit
C. Shut down the Cisco FMC before powering up the replacement unit
D. Unregister the faulty Cisco FTD device from the Cisco FMC
D. Unregister the faulty Cisco FTD device from the Cisco FMC
Question 332:
Refer to the exhibit. An engineer is analyzing a Network Risk Report from Cisco FMC. Which application must the engineer take immediate action against to prevent unauthorized network use?
A. YouTube
B. TOR
C. Chrome
D. Kerberos
B. TOR
Question 333:
An engineer is configuring two new Cisco FTD devices to replace the existing high availability firewall pair in a highly secure environment. The information exchanged between the FTD devices over the failover link must be encrypted. Which protocol supports this on the Cisco FTD?
A. IPsec
B. SSH
C. SSL
D. MACsec
A. IPsec
Question 334:
A network engineer is deploying a pair of Cisco Secure Firewall Threat Defense devices managed by Cisco Secure Firewall Management Center for High Availability. Internet access is a high priority for the business and therefore they have invested in internet circuits from two different ISPs. The requirement from the customer is that internet access must be available to their users even if one of the ISPs is down. Which two features must be deployed to achieve this requirement? (Choose two.)
A. Route Tracking
B. Redundant interfaces
C. EtherChannel interfaces
D. SLA Monitor
E. BGP
A. Route Tracking
D. SLA Monitor

To ensure high availability of internet access when deploying a pair of Cisco Secure Firewall Threat Defense (FTD) devices managed by Cisco Secure Firewall Management Center (FMC), the following features must be deployed:

Route Tracking: This feature monitors the reachability of a specified target (such as an external IP address) through the configured routes. If the route to the target is lost, the FTD can dynamically adjust the routing to use an alternate path, ensuring continuous internet access.

SLA Monitor: Service Level Agreement (SLA) monitoring works alongside route tracking to continuously verify the status and performance of the internet links. If the SLA for one of the ISP links fails (indicating the link is down or underperforming), the FTD can switch traffic to the secondary ISP link.

Steps to configure:
1. In FMC, navigate to Devices > Device Management.
2. Select the FTD device and configure route tracking to monitor the ISP links.
3. Configure SLA monitors to continuously check the health and performance of the internet circuits.

These configurations ensure that internet access remains available to users even if one of the ISPs goes down.

References: Cisco Secure Firewall Management Center Configuration Guide, Chapter on High Availability and SLA Monitoring.
Question 335:
An engineer is tasked with deploying an internal perimeter firewall that will support multiple DMZs. Each DMZ has a unique private IP subnet range. How is this requirement satisfied?
A. Deploy the firewall in transparent mode with access control policies.
B. Deploy the firewall in routed mode with access control policies.
C. Deploy the firewall in routed mode with NAT configured.
D. Deploy the firewall in transparent mode with NAT configured.
B. Deploy the firewall in routed mode with access control policies.
Explanation/Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/intro-fw.html
Question 336:
An engineer wants to add an additional Cisco FTD Version 6.2.3 device to their current 6.2.3 deployment to create a high availability pair. The currently deployed Cisco FTD device is using local management and identical hardware including the available port density to enable the failover and stateful links required in a proper high availability deployment. Which action ensures that the environment is ready to pair the new Cisco FTD with the old one?
A. Change from Cisco FDM management to Cisco FMC management on both devices and register them to FMC.
B. Ensure that the two devices are assigned IP addresses from the 169.254.0.0/16 range for failover interfaces.
C. Factory reset the current Cisco FTD so that it can synchronize configurations with the new Cisco FTD device.
D. Ensure that the configured DNS servers match on the two devices for name resolution.
A. Change from Cisco FDM management to Cisco FMC management on both devices and register them to FMC.
Question 337:
A network administrator configured a NAT policy that translates a public IP address to an internal web server IP address. An access policy has also been created that allows any source to reach the public IP address on port 80. The web server is still not reachable from the Internet on port 80.
Which configuration change is needed?
A. The intrusion policy must be disabled for port 80.
B. The access policy rule must be configured for the action trust.
C. The NAT policy must be modified to translate the source IP address as well as destination IP address.
D. The access policy must allow traffic to the internal web server IP address.
D. The access policy must allow traffic to the internal web server IP address.
Question 338:
An engineer must investigate a connectivity issue between an endpoint behind a Cisco FTD device and a public DNS server. The endpoint cannot perform name resolution queries. Which action must the engineer perform to troubleshoot the issue by simulating real DNS traffic on the Cisco FTD while verifying the Snort verdict?
A. Perform a Snort engine capture using tcpdump from the FTD CLI.
B. Use the Capture w/Trace wizard in Cisco FMC.
C. Create a Custom Workflow in Cisco FMC.
D. Run the system support firewall-engine-debug command from the FTD CLI.
B. Use the Capture w/Trace wizard in Cisco FMC.

The Capture w/Trace wizard in Cisco FMC allows you to capture packets on an FTD device and trace their path through the Snort engine. This can help you troubleshoot connectivity issues between an endpoint behind an FTD device and a public DNS server, as well as verify the Snort verdict for the DNS traffic. The wizard lets you specify the source and destination IP addresses, ports, and protocols for the packets you want to capture and trace, as well as the FTD device and interface where you want to perform the capture. You can also apply filters to limit the capture size and duration. After you start the capture, you can ping the DNS server from the endpoint and then view the captured packets and their Snort verdicts in the FMC web interface.

To use the Capture w/Trace wizard in Cisco FMC, follow these steps:
1. In the FMC web interface, navigate to Troubleshooting > Capture/Trace.
2. Click New Capture.
3. Choose an FTD device from the Device drop-down list.
4. Choose an interface from the Interface drop-down list.
5. Enter the source and destination IP addresses, ports, and protocols for the packets you want to capture and trace. For example, to capture DNS queries from an endpoint with IP address 10.1.1.100 to a DNS server with IP address 8.8.8.8, enter those two addresses as the source and destination.
6. Optionally, apply filters to limit the capture size and duration. For example, you can set the maximum number of packets to capture, the maximum capture file size, or the maximum capture time.
7. Click Start.
8. Ping the DNS server from the endpoint and wait for some packets to be captured.
9. Click Stop to stop the capture.
10. Click View Capture to see the captured packets and their Snort verdicts.

The other options are incorrect because:

Performing a Snort engine capture using tcpdump from the FTD CLI will not allow you to trace the path of the packets through the Snort engine or verify their Snort verdicts. Tcpdump is a command-line tool that can capture packets on an FTD device, but it does not provide any information about how Snort processes those packets or what actions Snort takes on them.

Creating a Custom Workflow in Cisco FMC will not help you troubleshoot a connectivity issue between an endpoint behind an FTD device and a public DNS server. A Custom Workflow is a user-defined set of pages that display event data in different formats, such as tables, charts, and maps. A Custom Workflow does not allow you to capture or trace packets on an FTD device.

Running the system support firewall-engine-debug command from the FTD CLI will not allow you to simulate real DNS traffic on the FTD device or verify the Snort verdict for that traffic. The firewall-engine-debug command is a diagnostic tool that can generate synthetic packets and send them through the Snort engine on an FTD device. The synthetic packets are not real network traffic and do not affect any connections or policies on the FTD device.
Question 339:
Which feature is supported by IRB on Cisco FTD devices?
A. redundant interface
B. dynamic routing protocol
C. EtherChannel interface
D. high-availability cluster
A. redundant interface
Question 340:
In which two places can thresholding settings be configured? (Choose two.)
A. on each IPS rule
B. globally, within the network analysis policy
C. globally, per intrusion policy
D. on each access control rule
E. per preprocessor, within the network analysis policy
A. on each IPS rule
C. globally, per intrusion policy
Explanation/Reference: https://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Intrusion-Global-Threshold.pdf