Pass the Cisco CCNP Security 350-701 Questions and answers with CertsForce

 The management port on Cisco FMC is used to establish a secure connection with the managed Cisco FTD devices. If the default management port (8305) conflicts with other communications on the network, it must be changed on both the Cisco FMC and the Cisco FTD devices. This cannot be done automatically by the Cisco FMC, as it would lose connectivity with the devices. Therefore, the administrator must manually change the management port on the Cisco FMC and all the managed Cisco FTD devices using the command line interface (CLI). The steps to change the management port are as follows:

Log into the CLI of the Cisco FMC and the Cisco FTD devices using a console connection or SSH.

Enter the configure network {ipv4 | ipv6} manual ip_address netmask data-interfaces command to change the management port on the Cisco FMC. For example, configure network ipv4 manual 10.10.10.10 255.255.255.0 data-interfaces changes the management port to 10.10.10.10/24.

Enter the configure network {ipv4 | ipv6} manual ip_address netmask gateway management-only command to change the management port on the Cisco FTD devices. For example, configure network ipv4 manual 10.10.10.11 255.255.255.0 10.10.10.10 management-only changes the management port to 10.10.10.11/24 and sets the gateway to the Cisco FMC’s management port.

Save the configuration and restart the Cisco FMC and the Cisco FTD devices.

Verify the connectivity between the Cisco FMC and the Cisco FTD devices using the show managers command on the Cisco FTD devices and the show devices command on the Cisco FMC.

References :=

Firepower Management Center Device Configuration Guide, 7.1 - Device Management

Change management port fmc 1600 - Cisco Community

Solved: FMC 2120 FTD Management Only Port - Cisco Community

Change the FMC Access Interface from Management to Data

Add the DNS entry for the new Cisco ISE node into the DNS server. This is because the fully qualified domain name (FQDN) of the new Cisco ISE node, for example, ise1.cisco.com, must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. The DNS server must contain the IP addresses and FQDNs of the ISE nodes that are part of the distributed deployment1.

The other options are incorrect because:

Changing the IP address of the new Cisco ISE node to the same network as the others is not necessary, as long as the nodes can communicate with each other over the network.

Making the new Cisco ISE node a secondary PAN before registering it with the primary is not possible, as the node must be registered first before changing its persona or role.

Opening port 8905 on the firewall between the Cisco ISE nodes is not required, as this port is used for communication between the primary and secondary Monitoring ISE nodes, not for node registration.

The correct command to log all events to a destination collector is flow-export event-type all destination 209.165.201.10. This command configures a flow-export action that sends all NSEL events to the specified IP address. NSEL events include flow-create, flow-teardown, flow-denied, and flow-update events. The command must be entered in the policy-map class configuration mode, after defining a policy-map and a class-map that match the traffic and event type. The other commands are incorrect because they either specify the wrong event type (flow-update instead of all) or the wrong destination IP address (209.165.201 instead of 209.165.201.10). References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.2: DNS Security

Cisco Secure Firewall ASA NetFlow Implementation Guide

Configuring Cisco ASA for NetFlow Export via CLI – Plixer

Cisco ISE uses probes to collect endpoint attributes that are used in profiling. Probes are software modules that run on the ISE Policy Service Nodes (PSNs) and gather information about the endpoints connected to the network. Probes can use various protocols and methods to collect endpoint attributes, such as RADIUS, DHCP, SNMP, HTTP, DNS, NetFlow, NMAP, Active Directory, and Cisco pxGrid. The collected attributes are then matched to predefined or custom conditions that define the endpoint profiles. Endpoint profiling enables ISE to identify and classify the endpoints and apply the appropriate policies based on their identity, role, and context12. References: 1: Cisco ISE 2.4 Endpoint Profiling - Cisco 2: How To Create an Endpoint Profile - Cisco Community

Explanation

Explanation

A certificate signing request (CSR) is one of the first steps towards getting your own SSL Certificate. Generated on the same server you plan to install the certificate on, the CSR contains information (e.g. common name, organization, country) that the Certificate Authority (CA) will use to create your certificate. It also contains the public key that will be included in your certificate and is signed with the corresponding private key

 In a PaaS model, the cloud provider is responsible for managing and maintaining the underlying infrastructure, such as the hypervisor, the virtual machine, and the network. The tenant only needs to focus on developing and deploying the application, which runs on the cloud platform. The tenant is responsible for ensuring the security and availability of the application, as well as applying any patches or updates to the application code or configuration12. References :=

Shared responsibility in the cloud

Best practices for secure PaaS deployments

 Split tunneling is a feature that allows VPN users to access both the corporate network and the internet at the same time. By using split tunneling, only the traffic destined for the 10.0.0.0/24 network will be encrypted and sent through the VPN tunnel, while the rest of the traffic will be sent directly to the internet. This reduces the VPN bandwidth load on the headend Cisco ASA and ensures that bandwidth is available for VPN users needing access to corporate resources. Split tunneling can be configured on the ASA by using the split-tunnel-network-list value command under the group-policy attributes. The network list should include the 10.0.0.0/24 network as the only entry. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Secure Connectivity, Lesson 5.1: Implementing Site-to-Site VPNs on Cisco Routers and ASA Firewalls, Topic 5.1.3: Configuring Site-to-Site VPNs on Cisco ASA Firewalls, Subtopic 5.1.3.2: Configuring Split Tunneling.

Multiple context mode allows you to partition a single ASA into multiple virtual firewalls, each with its own security policy, interfaces, and management IP address. This mode is useful for providing security services to different customers or tenants on a shared appliance, while maintaining separation of management and configuration. Each context acts as an independent device and can be in either routed or transparent mode. You can also assign different administrators to each context and limit their access to specific commands and features. Multiple context mode is supported in Cisco ACI with the ASA device package version 1.2 or later. References: 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Service_Graph_Deployment_Guide/b_L4L7_Service_Graph_Deploy_ver122g/b_L4L7_Service_Graph_Deploy_ver122x_chapter_0110.pdf

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/intro-fw.html

Explanation

Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely.

It protects your cloud users, data, and apps. Cisco Cloudlock provides visibility and compliance checks,

protects data against misuse and exfiltration, and provides threat protections against malware like ransomware.

https://confluence.netvizura.com/display/NVUG/Traditional+vs.+Flexible+NetFlow

According to the NIST 800-145 guide1, a community cloud is a cloud infrastructure that is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. A community cloud is different from a hybrid cloud, which is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). A private cloud is a cloud infrastructure that is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. A public cloud is a cloud infrastructure that is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. References :=

Some possible references are:

1: NIST SP 800-145, The NIST Definition of Cloud Computing, 1 2: Evaluation of Cloud Computing Services Based on NIST SP 800-145, 3 3: What Is Community Cloud? Definition, Architecture, Examples, and Best Practices, 6

Explanation

Advanced Malware Protection (AMP) for Endpoints offers a variety of lists, referred to as Outbreak Control, that allow you to customize it to your needs. The main lists are: Simple Custom Detections, Blocked Applications, Allowed Applications, Advanced Custom Detections, and IP Blocked and Allowed Lists.

A Simple Custom Detection list is similar to a blocked list. These are files that you want to detect and

quarantine.

Allowed applications lists are for files you never want to convict. Some examples are a custom application that is detected by a generic engine or a standard image that you use throughout the company Reference: https://docs.amp.cisco.com/AMP%20for%20Endpoints%20User%20Guide.pdf