Exam Details

  • Exam Code: 300-710
  • Exam Name: Securing Networks with Cisco Firepower (SNCF)
  • Certification: CCNP
  • Vendor: Cisco
  • Total Questions: 309 Q&As
  • Last Updated: May 09, 2024

Cisco CCNP 300-710 Questions & Answers

  • Question 41:

    An engineer is configuring a Cisco IPS to protect the network and wants to test a policy before deploying it. A copy of each incoming packet needs to be monitored while traffic flow remains constant. Which IPS mode should be implemented to meet these requirements?

    A. routed

    B. passive

    C. transparent

    D. inline tap

  • Question 42:

    An organization has a compliance requirement to protect servers from clients; however, the clients and servers all reside on the same Layer 3 network. Without readdressing IP subnets for clients or servers, how is segmentation achieved?

    A. Change the IP addresses of the servers, while remaining on the same subnet.

    B. Deploy a firewall in routed mode between the clients and servers.

    C. Change the IP addresses of the clients, while remaining on the same subnet.

    D. Deploy a firewall in transparent mode between the clients and servers.

  • Question 43:

    An engineer is restoring a Cisco FTD configuration from a remote backup using the command restore remote-manager-backup location 1.1.1.1 admin /volume/home/admin BACKUP_Cisc394602314.zip on a Cisco FMC. After connecting to the repository, an error occurred that prevents the FTD device from accepting the backup file. What is the problem?

    A. The backup file is not in .cfg format.

    B. The backup file is too large for the Cisco FTD device.

    C. The backup file extension was changed from .tar to .zip.

    D. The backup file was not enabled prior to being applied.

  • Question 44:

    Refer to the exhibit. What must be done to fix access to this website while preventing the same communication to all other websites?

    A. Create an intrusion policy rule to have Snort allow port 80 to only 172.1.1.50.

    B. Create an access control policy rule to allow port 80 to only 172.1.1.50.

    C. Create an intrusion policy rule to have Snort allow port 443 to only 172.1.1.50.

    D. Create an access control policy rule to allow port 443 to only 172.1.1.50.

  • Question 45:

    An engineer currently has a Cisco FTD device registered to the Cisco FMC and is assigned the address of 10.10.50.12. The organization is upgrading the addressing schemes and there is a requirement to convert the addresses to a format that provides an adequate amount of addresses on the network. What should the engineer do to ensure that the new addressing takes effect and can be used for the Cisco FTD to Cisco FMC connection?

    A. Delete and reregister the device to Cisco FMC.

    B. Update the IP addresses from IPv4 to IPv6 without deleting the device from Cisco FMC.

    C. Format and reregister the device to Cisco FMC.

    D. Cisco FMC does not support devices that use IPv4 IP addresses.

  • Question 46:

    An organization is using a Cisco FTD and Cisco ISE to perform identity-based access controls. A network administrator is analyzing the Cisco FTD events and notices that unknown user traffic is being allowed through the firewall. How should this be addressed to block the traffic while allowing legitimate user traffic?

    A. Modify the Cisco ISE authorization policy to deny this access to the user.

    B. Modify Cisco ISE to send only legitimate usernames to the Cisco FTD.

    C. Add the unknown user in the Access Control Policy in Cisco FTD.

    D. Add the unknown user in the Malware and File Policy in Cisco FTD.

  • Question 47:

    A network engineer is tasked with minimising traffic interruption during peak traffic times. When the SNORT inspection engine is overwhelmed, what must be configured to alleviate this issue?

    A. Enable IPS inline link state propagation.

    B. Enable Pre-filter policies before the SNORT engine failure.

    C. Set a Trust ALL access control policy.

    D. Enable Automatic Application Bypass.

  • Question 48:

    A VPN user is unable to connect to web resources behind the Cisco FTD device terminating the connection. While troubleshooting, the network administrator determines that the DNS responses are not getting through the Cisco FTD. What must be done to address this issue while still utilizing Snort IPS rules?

    A. Uncheck the "Drop when Inline" box in the intrusion policy to allow the traffic.

    B. Modify the Snort rules to allow legitimate DNS traffic to the VPN users.

    C. Disable the intrusion rule thresholds to optimize the Snort processing.

    D. Decrypt the packet after the VPN flow so the DNS queries are not inspected.

  • Question 49:

    An organization has a Cisco FTD that uses bridge groups to pass traffic from the inside interfaces to the outside interfaces. They are unable to gather information about neighbouring Cisco devices or use multicast in their environment. What must be done to resolve this issue?

    A. Create a firewall rule to allow CDP traffic.

    B. Create a bridge group with the firewall interfaces.

    C. Change the firewall mode to transparent.

    D. Change the firewall mode to routed.

  • Question 50:

    A network administrator needs to create a policy on Cisco Firepower to fast-path traffic to avoid Layer 7 inspection. The rate at which traffic is inspected must be optimized. What must be done to achieve this goal?

    A. Enable the FXOS for multi-instance.

    B. Configure a prefilter policy.

    C. Configure modular policy framework.

    D. Disable TCP inspection.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Cisco exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your 300-710 exam preparation and Cisco certification application, do not hesitate to visit Vcedump.com to find your solutions.