Cisco 400-251 Online Practice
Questions and Exam Preparation
400-251 Exam Details
Exam Code
:400-251
Exam Name
:CCIE Security Written
Certification
:Cisco Certifications
Vendor
:Cisco
Total Questions
:665 Q&As
Last Updated
:Dec 10, 2021
Cisco 400-251 Online Questions &
Answers
Question 571:
Which of the following statements about the IKEv2 protocol compared to IKEv1 is incorrect?
A. IKEv2 is more secure by requiring reauthentication for IKE SA B. IKEv2 is more efficient with reduced message exchange C. IKEv2 has more flexible authentication support with EAP D. IKEv2 is more reliable by requiring all messages to be acknowledged E. IKEv2 has built-in DoS (Denial of Services) protection
E. IKEv2 has built-in DoS (Denial of Services) protection
Question 572:
What will be used by WSA to apply the policies when identification is based on ISE?
A. SGT B. propriety protocol over TCP/8302 C. SXP D. RADIUS E. EAP F. RPC
A. SGT
Question 573:
Which of the following is true regarding ASA clustering requirements?
A. Units in the cluster can be in different security context modes. B. Units in the cluster can be in different geographical locations C. Units in the cluster can have different hardware configuration as long as they are running same software version D. Units in the cluster can be running different software version as long as they have identical hardware configuration E. Only routed mode is allowed in the Single context mode F. Units in the cluster can have different amount of flash memory
F. Units in the cluster can have different amount of flash memory
Question 574:
A client computer at 10.10.7.4 is trying to access a Linux server(11.0.1.9) that is running a Tomcat Server application. What TCP dump filter would be best to verify that traffic is reaching the Linux Server eth0 interface?
A. tcpdump -I eth0 host 10.10.7.4 and host 11.0.1.9 and port 8080. B. tcpdump -l eth0 host 10.10.7.4 and 11.0.1.9. C. tcpdump -I eth0 dst 11.0.1.9 and dst port 8080. D. tcpdump -I eth0 scr 10.10.7.4 and dst 11.0.1.9 and dst port 8080
D. tcpdump -I eth0 scr 10.10.7.4 and dst 11.0.1.9 and dst port 8080
Question 575:
Which three of these make use of a certificate as part of the protocol? (Choose three)
A. LEAP B. EAP-MD5 C. EAP-TTLS D. EAP-PEAP E. EAP-FAST F. EAP-TLS
C. EAP-TTLS E. EAP-FAST F. EAP-TLS
Question 576:
Which statement is true regarding the wireless security technologies?
A. WPA provides message integrity using AES. B. WPA2-PSK mode allows passphrase to store locally on the device. C. WEP is more secure than WPA2 because it uses AES for encryption. D. WPA2-ENT mode does not require RADIUS for authentication E. WPA2-PSK mode provides better security by having same passphrase across the network. F. WPA2 is more secure than WPA because it uses TKIP for encryption.
A. WPA provides message integrity using AES.
Question 577:
Which three statements about VRF-Aware Cisco Firewall are true? (Choose three)
A. It supports both global and per-VRF commands and DoS parameters. B. It enables service providers to deploy firewalls on customer devices. C. It can generate syslog messages that are visible only to individual VPNs. D. It can support VPN networks with overlapping address ranges without NAT. E. It enables service providers to implement firewalls on PE devices. F. It can run as more than one instance.
C. It can generate syslog messages that are visible only to individual VPNs. E. It enables service providers to implement firewalls on PE devices. F. It can run as more than one instance.
Question 578:
Which five next-generation features are available on the Cisco NGFWs to traditional stateful firewalls? (Choose five.)
A. Advanced Malware Protection B. TLS Decryption C. IPS D. Security Intelligence E. Identity and Access Management F. NetFlow Analytics G. URL Filtering
A. Advanced Malware Protection C. IPS D. Security Intelligence E. Identity and Access Management G. URL Filtering
Question 579:
Which statements is an advantage of network segmentation?
A. It enables efficient network monitoring due to a flat network. B. It improves network performance by having broadcast traffic limited to local subnets. C. It allows ehlficient containment of a security incident because the effect influences multiple sub nets. D. It allows flat network design for better security implementation. E. It takes less time to design a complex network with segmentation as one of the critical requirements. F. It allows users to access the resource even though they won't need to for better visibility.
B. It improves network performance by having broadcast traffic limited to local subnets.
Question 580:
Which two statements about application protocol detectors in Cisco Firepower System are true? (Choose two)
A. They can analyze network traffic for specific application fingerprints B. Port-based application protocol detectors can be modified for use as custom detectors C. Port-based and Firepower-based application protocol detectors can be imported by the administrator D. Firepower-based application protocol detectors are built in to the Firepower system and can be deactivated only by the system E. They can be activated by VDB updates, but must be deactivated manually F. They can detect web-based application activity in HTTP traffic
B. Port-based application protocol detectors can be modified for use as custom detectors E. They can be activated by VDB updates, but must be deactivated manually
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Cisco exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your 400-251 exam preparations
and Cisco certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.