400-251 Exam Details

  • Exam Code: 400-251
  • Exam Name: CCIE Security Written
  • Certification: Cisco Certifications
  • Vendor: Cisco
  • Total Questions: 665 Q&As
  • Last Updated: Dec 10, 2021

Cisco 400-251 Online Questions & Answers

  • Question 181:

    While troubleshooting access to the site www.cisco.com, you notice the following access_logs line in Cisco Web Security Appliance (WSA):

    Which of the following statements is true regarding this request?

    A. The request is matching a custom URL category
    B. WSA used upstream proxy defined
    C. The HTTP response size was 80037B
    D. WSA allowed traffic from client 10.42.42.42 to https://www.cciedomain.com

  • Question 182:

    DRAG DROP

    Drag and Drop each Cisco Intrusion Prevention System anomaly detection event action on the left onto the matching description on the right.

    Select and Place:

  • Question 183:

    Your organization is deploying an ESA for email security for inbound and outbound email. To receive inbound emails from external organizations, you must set up your DNS servers with the appropriate records so that the sending email server can determine which email gateway to send to. Assume that you have two ESAs deployed and the hostnames and IP addresses are as follows:

    esa1.myesa.com: 5.5.5.25 (preferred)
    esa2.myesa.com: 5.5.5.26

    Which two options must you include in your DNS server to receive email from all external senders? (Choose two)

    A. Forward Lookup Zone: @ 3600 IN A 10 esa1.myesa.com @ 3600 IN A 20 esa2.myesa.com
    B. Forward lookup Zone: Esa1 IN 3600 A 5.5.5.25 Esa2 IN 3600 A 5.5.5.26
    C. Forward Lookup Zone: Mail1.myesa.com 120 CNAME esa1.mysesa.com Mail2.myesa.com 120 CNMAE esa2.mysesa.com
    D. Forward Lookup Zone: @ 3600 IN MX 10 mail1.myesa.com @ 3600 IN MX 20 mail1.myesa.com
    E. Reverse Lookup Zone for 5.5.5.: 25 3600 IN PTR esa1.myesa.com 26 3600 IN PTR esa2.myesa.com

  • Question 184:

    Which statement about MDM is true?

    A. Each Cisco ISE node requires its own MDM server
    B. It can support endpoints without requiring them to register
    C. Cisco ISE communicates with the MDM server by way of REST API calls
    D. It reports the IP address of the endpoint to the Cisco ISE as the input parameter of the endpoint
    E. MDM policies can be configured with as few as two attributes
    F. If an authorized user refreshes the web browser, the session must be reauthorized with the LDAP server

  • Question 185:

    Which statement about Cisco ISE Guest portals is true?

    A. To permit BYOD access, a Guest portal must use RADIUS authentication.
    B. If you delete a Guest portal without removing its authorization policy and profiles, they will be assigned automatically to the default Guest portal.
    C. The Hotspot Guest portal can be configured for password-only authentication.
    D. The Sponsored Guest portal allows guest users to create an account.
    E. The sponsored-Guest portal and Self-Registered Guest portal require a defined Endpoint Identity Group.
    F. When you make changes to an authorized Guest portal configuration, it must be reauthorized before the changes will take effect.

  • Question 186:

    Which statement about Dynamic ARP inspection is true?

    A. It is supported only in DHCP environments to detect invalid ARP requests and responses.
    B. It requires that DHCP snooping be enabled to build a valid binding database.
    C. It validates ARP requests and responses on untrusted ports using the MAC address table.
    D. It validates ARP requests and responses on trusted ports using IP-to-MAC address binding.
    E. It forwards invalid ARP responses and requests on switch untrusted ports.
    F. It drops invalid ARP responses and requests on the switch trusted ports.

  • Question 187:

    Which two statements about internal detectors in the Cisco Firepower system are true? (Choose two)

    A. They are built in to the Firepower system and delivered automatically with firepower updates
    B. They can be activated manually or configured to activate automatically under specific conditions
    C. They can be modified for use as custom detectors
    D. They can detect client and application traffic
    E. They can detect only web-based application activity in HTTP traffic
    F. They can be deactivated manually or by VDB updates.

  • Question 188:

    In a Cisco ASA multiple-context mode of operation configuration, what three session types are resource-limited by default when their context is a member of the default class? (Choose three)

    A. SSL VPN sessions
    B. Telnet sessions
    C. TCP session
    D. IPSec sessions
    E. ASDM sessions
    F. SSH sessions

  • Question 189:

    Refer to the exhibit. One of the Windows machines in your network is experiencing a Dot1x authentication failure. Windows machines are set up to acquire an IP address from the DHCP server configured on the switch, which is supposed to hand over IP addresses from the 50.1.1.0/24 network, and forward AAA requests to the RADIUS server at 161.1.7.14 using shared key "cisco". Knowing that interface Gi0/2 on the switch may receive authentication requests from other devices, and looking at the provided switch configuration, what could be the possible cause of this failure?

    aaa new-model
    aaa authentication login default group radius
    aaa authentication login NO_AUTH none
    aaa authentication login vty local
    aaa authentication dot1x default group radius
    aaa accounting dot1x default start-stop group radius
    !
    username cisco privilege 15 password 0 cisco
    dot1x system-auth-control
    !
    interface GigabitEthernet0/2
     switchport mode access
     ip access-group Pre-Auth in
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     dot1x pae authenticator
    !
    vlan 50
    interface Vlan50
     ip address 50.1.1.1 255.255.255.0
    !
    ip dhcp excluded-address 50.1.1.1
    ip dhcp pool pc-pool
     network 50.1.1.0 255.255.255.0
     default-router 50.1.1.1
    !
    ip access-list extended Pre-Auth
     permit udp any eq bootpc any eq bootps
     deny ip any any
    !
    radius server ccie
     address ipv4 161.1.7.14 auth-port 1645 acct-port 1646
     key cisco
    !
    line con 0
     login authentication NO_AUTH
    line vty 0 4
     login authentication vty

    A. authentication is not enabled on interface gi0/2
    B. an incorrect radius server address is defined
    C. authentication port-control is not set on interface gi0/2
    D. an incorrect pre-authentication acl is configured
    E. an incorrect dhcp pool is configured
    F. aaa network authorization is not configured
    G. aaa dot1x authentication is not configured

  • Question 190:

    Which four tasks are needed to configure RSA token authentication through ACS? (Choose four)

    A. Generate the sdconf.rec file on the RSA server for the authentication agent
    B. Add the ACS server to the allowed ODBC query list on the RSA server
    C. Define an ODBC client connection on the RSA server
    D. On the ACS server, define the ODBC connection and the stored SQL procedure needed to RSA server
    E. Define an authentication agent on the RSA server
    F. Add the RSA server as an external identity server on ACS
    G. Define an accounting agent on the RSA server
    H. Upload the sdconf.rec to the ACS server
