Cisco 300-710 Exam Questions Free Practice Test

Viewing page 6 out of 10 pages

Viewing questions 51-60 out of questions

Questions # 51:

An engineer must deploy a Cisco FTD device. Management wants to examine traffic without requiring network changes that will disrupt end users. Corporate security policy requires the separation of management traffic from data traffic and the use of SSH over Telnet for remote administration. How must the device be deployed to meet these requirements?

Options:

in routed mode with a diagnostic interface

in transparent mode with a management Interface

in transparent made with a data interface

in routed mode with a bridge virtual interface

Expert Solution

Answer

Explanation

To deploy a Cisco FTD device that meets the requirements of the question, the engineer must use transparent mode with a management interface. Transparent mode is a firewall configuration in which the FTD device acts as a “bump in the wire” or a “stealth firewall” and is not seen as a router hop to connected devices. In transparent mode, the FTD device can examine traffic without requiring network changes that will disrupt end users, such as changing IP addresses or routingconfigurations1. A management interface is a dedicated interface that is used for managing the FTD device and separating management traffic from data traffic. A management interface can be configured to allow SSH access for remote administration, which is more secure than Telnet2.

The other options are incorrect because:

Routed mode is a firewall configuration in which the FTD device acts as a router and performs address translation and routing for connected networks. Routed mode requires network changes that may disrupt end users, such as changing IP addresses or routing configurations1. A diagnostic interface is a special interface that is used for troubleshooting and capturing traffic on the FTD device. A diagnostic interface does not separate management traffic from data traffic or allow SSH access for remote administration.

Transparent mode with a data interface does not meet the requirement of separating management traffic from data traffic. A data interface is a regular interface that is used for passing and inspecting traffic on the FTD device. A data interface does not allow SSH access for remote administration2.

Routed mode with a bridge virtual interface (BVI) does not meet the requirement of examining traffic without requiring network changes that will disrupt end users. A BVI is a logical interface that acts as a container for one or more physical or logical interfaces that belong to the same layer 2 broadcast domain. A BVI allows the FTD device to route between different bridge groups on the same security module/engine. However, routed mode still requires network changes that may disrupt end users, such as changing IP addresses or routing configurations.

Questions # 52:

What is the advantage of having Cisco Firepower devices send events to Cisco Threat Response via the security services exchange portal directly as opposed to using syslog?

Options:

All types of Cisco Firepower devices are supported.

An on-premises proxy server does not need to be set up and maintained.

Cisco Firepower devices do not need to be connected to the Internet.

Supports all devices that are running supported versions of Cisco Firepower.

Expert Solution

Questions # 53:

An engineer is troubleshooting application failures through a FTD deployment. While using the FMC CLI. it has been determined that the traffic in question is not matching the desired policy. What should be done to correct this?

Options:

Use the system support firewall-engine-debug command to determine which rules the traffic matchingand modify the rule accordingly

Use the system support application-identification-debug command to determine which rules the traffic matching and modify the rule accordingly

Use the system support firewall-engine-dump-user-f density-data command to change the policy and allow the application through the firewall.

Use the system support network-options command to fine tune the policy.

Expert Solution

Questions # 54:

A security engineer needs to configure a network discovery policy on a Cisco FMC appliance and prevent excessive network discovery events from overloading the FMC database? Which action must be taken to accomplish this task?

Options:

Change the network discovery method to TCP/SYN.

Configure NetFlow exporters for monitored networks.

Monitor only the default IPv4 and IPv6 network ranges.

Exclude load balancers and NAT devices in the policy.

Expert Solution

Questions # 55:

What is an advantage of adding multiple inline interface pairs to the same inline interface set when deploying an asynchronous routing configuration?

Options:

Allows the IPS to identify inbound and outbound traffic as part of the same traffic flow.

The interfaces disable autonegotiation and interface speed is hard coded set to 1000 Mbps.

Allows traffic inspection to continue without interruption during the Snort process restart.

The interfaces are automatically configured as a media-independent interface crossover.

Expert Solution

Questions # 56:

An engineer must deny ICMP traffic to the networks of separate departments that use Cisco Secure Firewall Management Center. The engineer must use the same object on the relevant device for each network. What must be configured in Secure Firewall Management Center?

Options:

IP address

IP range

Deny ICMP check box

Allow Overrides check box

Expert Solution

Questions # 57:

An organization is implementing Cisco FTD using transparent mode in the network. Which rule in the default Access Control Policy ensures that this deployment does not create a loop in the network?

Options:

ARP inspection is enabled by default.

Multicast and broadcast packets are denied by default.

STP BPDU packets are allowed by default.

ARP packets are allowed by default.

Expert Solution

Questions # 58:

Which process should be checked when troubleshooting registration issues between Cisco FMC and managed devices to verify that secure communication is occurring?

Options:

fpcollect

dhclient

sfmgr

sftunnel

Expert Solution

Questions # 59:

A network administrator needs to create a policy on Cisco Firepower to fast-path traffic to avoid Layer 7 inspection. The rate at which traffic is inspected must be optimized. What must be done to achieve this goal?

Options:

Enable lhe FXOS for multi-instance.

Configure a prefilter policy.

Configure modular policy framework.

Disable TCP inspection.

Expert Solution

Questions # 60:

An engineer attempts to pull the configuration for a Cisco FTD sensor to review with Cisco TAC but does not have direct access to the CU for the device. The CLl for the device is managed by Cisco FMC to which the engineer has access. Which action in Cisco FMC grants access to the CLl for the device?

Options:

Export the configuration using the Import/Export tool within Cisco FMC.

Create a backup of the configuration within the Cisco FMC.

Use the show run all command in the Cisco FTD CLI feature within Cisco FMC.

Download the configuration file within the File Download section of Cisco FMC.

Expert Solution

Viewing page 6 out of 10 pages

Viewing questions 51-60 out of questions

Pass the Cisco CCNP Security 300-710 Questions and answers with CertsForce