Cisco 350-701 Online Practice Questions and Exam Preparation

Cisco 350-701 Online Questions & Answers

• Question 361:

  A network administrator is configuring a switch to use Cisco ISE for 802.1X. An endpoint is failing authentication and is unable to access the network. Where should the administrator begin troubleshooting to verify the authentication details?

  A. Adaptive Network Control Policy List
  B. Context Visibility
  C. Accounting Reports
  D. RADIUS Live Logs
  D. RADIUS Live Logs

  ---

  Explanation

  ExplanationHow To Troubleshoot ISE Failed Authentications and AuthorizationsCheck the ISE Live LogsLogin to the primary ISE Policy Administration Node (PAN).Go to Operations > RADIUS > Live Logs(Optional) If the event is not present in the RADIUS Live Logs, go to Operations > Reports > Reports >Endpoints and Users > RADIUS AuthenticationsCheck for Any Failed Authentication Attempts in the Log

  https://community.cisco.com/t5/security-documents/how-to-troubleshoot-ise- failed-authenticationsamp/ta-p/3630960

• Question 362:

  Refer to the exhibit.

  

  Traffic is not passing through IPsec site-to-site VPN on the Firepower Threat Defense appliance. What is causing this issue?

  A. No split-tunnel policy is defined on the Firepower Threat Defense appliance.
  B. The access control policy is not allowing VPN traffic in.
  C. Site-to-site VPN peers are using different encryption algorithms.
  D. Site-to-site VPN preshared keys are mismatched.
  B. The access control policy is not allowing VPN traffic in.

  ---

  Explanation

• Question 363:

  An engineer is trying to securely connect to a router and wants to prevent insecure algorithms from being used.

  However, the connection is failing. Which action should be taken to accomplish this goal?

  A. Disable telnet using the no ip telnet command.
  B. Enable the SSH server using the ip ssh server command.
  C. Configure the port using the ip ssh port 22 command.
  D. Generate the RSA key using the crypto key generate rsa command.
  D. Generate the RSA key using the crypto key generate rsa command.

  ---

  Explanation

  In this question, the engineer was trying to secure the connection so maybe he was trying to allow SSH to the device. But maybe something went wrong so the connection was failing (the connection used to be good). So maybe he was missing the "crypto key generate rsa" command.

• Question 364:

  An organization recently installed a Cisco WSA and would like to take advantage of the AVC engine to allow the organization to create a policy to control application specific activity. After enabling the AVC engine, what must be done to implement this?

  A. Use security services to configure the traffic monitor, .
  B. Use URL categorization to prevent the application traffic.
  C. Use an access policy group to configure application control settings.
  D. Use web security reporting to validate engine functionality
  C. Use an access policy group to configure application control settings.

  ---

  Explanation

  The Application Visibility and Control (AVC) engine lets you create policies to control application activity on the network without having to fully understand the underlying technology of each application. You can configure application control settings in Access Policy groups. You can block or allow applications individually or according to application type. You can also apply controls to particular application types.

• Question 365:

  An engineer is configuring Cisco WSA and needs to deploy it in transparent mode. Which configuration component must be used to accomplish this goal?

  A. MDA on the router
  B. PBR on Cisco WSA
  C. WCCP on switch
  D. DNS resolution on Cisco WSA
  C. WCCP on switch

  ---

  Explanation

• Question 366:

  An administrator is establishing a new site-to-site VPN connection on a Cisco IOS router.

  The organization needs to ensure that the ISAKMP key on the hub is used only for terminating traffic from the IP address of 172.19.20.24. Which command on the hub will allow the administrator to accomplish this?

  A. crypto ca identity 172.19.20.24
  B. crypto isakmp key Cisco0123456789 172.19.20.24
  C. crypto enrollment peer address 172.19.20.24
  D. crypto isakmp identity address 172.19.20.24
  B. crypto isakmp key Cisco0123456789 172.19.20.24

  ---

  Explanation

  https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr- book/sec-crc4.html

  #wp3880782430The command "crypto enrollment peer address" is not valid either.The command "crypto ca identity ..." is only used to declare a trusted CA for the router and puts you in the caidentity configuration mode. Also it should be followed by a name, not an IP address. For example: "crypto caidentity CA-Server" -> Answer A is not correct.Only answer B is the best choice left.

• Question 367:

  Which option is the main function of Cisco Firepower impact flags?

  A. They alert administrators when critical events occur.
  B. They highlight known and suspected malicious IP addresses in reports.
  C. They correlate data about intrusions and vulnerability.
  D. They identify data that the ASA sends to the Firepower module.
  C. They correlate data about intrusions and vulnerability.

  ---

  Explanation

• Question 368:

  Which ASA deployment mode can provide separation of management on a shared appliance?

  A. DMZ multiple zone mode
  B. transparent firewall mode
  C. multiple context mode
  D. routed mode
  C. multiple context mode

  ---

  Explanation

• Question 369:

  Which Cisco ISE service checks the state of all the endpoints connecting to a network for compliance with corporate security policies?

  A. Threat Centric NAC service
  B. posture service
  C. Cisco TrustSec
  D. compliance module
  B. posture service

  ---

  Explanation

• Question 370:

  A network administrator is setting up a site-to-site VPN from a Cisco FTD to a cloud environment. After the administrator configures the VPN on both sides, they still cannot reach the cloud environment. Which command must the administrator run on the FTD to verify that the VPN is encrypting traffic in both directions?

  A. show crypto ipsec sa
  B. show crypto ipsec stats
  C. show vpn-sessiondb detail l2l
  D. show crypto isakmp sa
  A. show crypto ipsec sa

  ---

  Explanation