400-251 Exam Details

  • Exam Code: 400-251
  • Exam Name: CCIE Security Written
  • Certification: Cisco Certifications
  • Vendor: Cisco
  • Total Questions: 665 Q&As
  • Last Updated: Dec 10, 2021

Cisco 400-251 Online Questions & Answers

  • Question 581:

    Within Platform as a Service, which two components are managed by the customer? (Choose two)

    A. Data
    B. networking
    C. middleware
    D. applications
    E. operating system

  • Question 582:

    Which three transports have been defined for SNMPv3? (Choose three)

    A. DTLS
    B. SSH
    C. TLS
    D. SSL
    E. IPSec secured tunnel
    F. GET

  • Question 583:

    A sneaky employee using an Android phone on your network has disabled DHCP, enabled its firewall, and modified its HTTP User-Agent header to fool ISE into profiling it as a Windows 10 machine connected to the wireless network. This user is now able to get authorization for unrestricted network access using his Active Directory credentials, as your policy states that a Windows device using AD credentials should be able to get full network access, whereas an Android device should only get access to the Web proxy. Which two steps can you take to avoid this sort of rogue behavior? (Choose two)

    A. Create an authentication rule that should only allow sessions with a specific HTTP User-Agent header
    B. Modify the authorization policy to only allow Windows machines that have passed Machine Authentication to get full network access
    C. Add an authorization policy before the Windows authorization policy that redirects a user with a static IP to a web portal for authentication
    D. Chain an authorization policy to the Windows authorization policy that performs additional NMAP scans to verify the machine type, before allowing access
    E. Only allow certificate-based authentication from Windows endpoints, such as EAP-TLS or PEAP-TLS. Should the endpoint use MSCHAPv2 (EAP or PEAP), the user should be only given restricted access
    F. Perform CoA to push a restricted access when the machine is acquiring address using DHCP

  • Question 584:

    Which statement is correct regarding Cisco VSG functionality?

    A. It allows Active-Active failover operation mode when deployed as HA pair.
    B. It applies security profile only after VM instantiation.
    C. It allows third-party orchestration tools to interact with XML APIs for its provisioning.
    D. It does not allow extending Zone-based firewall capabilities to VMs on VXLAN.
    E. It allows administrative segregation due to which Security administration can author and manage port profiles.
    F. It does not provide trusted access to VMs in an enterprise data center.

  • Question 585:

    Which two evasion techniques are used by attackers? (Choose two)

    A. Telnet to launch device administrative session
    B. Resource exhaustion
    C. Port access using Dot1X
    D. ACL implementation to drop unwanted traffic
    E. Encryption
    F. NAT translations on routers and switches
    G. URL filtering to block malicious sites

  • Question 586:

    Which three statements about SCEP are true? (Choose three)

    A. It supports online certification revocation.
    B. Cryptographically signed and encrypted messages are conveyed using PKCS#7
    C. It supports multiple cryptographic algorithms including RSA.
    D. The certificate request format uses PKCS#10.
    E. CRL retrieval is supported through CDP (Certificate Distribution Point) queries.
    F. It supports synchronous granting.

  • Question 587:

    How many report templates does the Cisco Firepower Management Center support?

    A. 5
    B. 10
    C. 50
    D. 100
    E. unlimited

  • Question 588:

    A customer has configured a single Policy Set to authenticate and authorize MAB and 802.1x requests on Cisco ISE. The 802.1x authorization rules are on the top of the list and check Active Directory group membership for a match. The MAB results are at the bottom of the list and check local Identity Groups for a match. When a MAB request comes to ISE:

    A. ISE will drop the request because 802.1x and MAB rules are not allowed in the same Policy Set.
    B. ISE will not try to find Active Directory group membership based on the 802.1x request.
    C. ISE will ignore the 802.1x authentication rules on the top.
    D. ISE will never match the MAB authorization rules at the bottom.
    E. ISE will try to find the Active Directory group membership based on the MAB request.

  • Question 589:

    Which type of header attack is detected by Cisco ASA basic threat detection?

    A. denial by access list
    B. bad packet format
    C. failed application inspection
    D. connection limit exceeded

  • Question 590:

    Which statement is true regarding TLS security protocol?

    A. It only supports data authentication for the client-server session using a browser
    B. TLS and SSL versions can interoperate in the client-server handshake
    C. There is no difference between TLS and SSL versions 2 and 3
    D. TLS version 1.0 is more secure than SSL version 3.0
    E. It is always recommended to disable TLS version 1.0 in the browser so that it only supports SSL for better security
    F. You need to replace SSL certificate with TLS certificate for successful TLS operation
