passyourccie@gmail.com

Part-1

Question 1
Which two protocols must be configured to authenticate end users to the Web Security Appliance? (Choose two)
A. NTLMSSP
B. Kerberos
C. CHAP
D. TACACS+
E. RADIUS
Answer: A B

Question 2
An engineer is configuring Dropbox integration with Cisco Cloudlock. Which action must be taken before granting API access in the Dropbox admin console?
A. Authorize Dropbox within the Platform settings in the Cisco Cloudlock portal.
B. Add Dropbox to the Cisco Cloudlock Authentication and API section in the Cisco Cloudlock portal.
C. Send an API request to Cisco Cloudlock from Dropbox admin portal.
D. Add Cisco Cloudlock to the Dropbox admin portal.
Answer: A

Question 3
What is a benefit of using Cisco Umbrella?
A. DNS queries are resolved faster.
B. Attacks can be mitigated before the application connection occurs.
C. Files are scanned for viruses before they are allowed to run.
D. It prevents malicious inbound traffic.
Answer: B

Question 3b
Drag and drop the cryptographic algorithms for IPsec from the left onto the cryptographic processes on the right.
Answer:
+ Authentication: esp-md5-hmac, esp-sha-hmac
+ Encryption: esp-3des, esp-aes-256
Explanation
esp-md5-hmac: ESP with MD5 authentication
esp-sha-hmac: ESP with SHA authentication
esp-3des: ESP with 168-bit DES encryption
esp-aes-256: ESP with the 256-bit AES encryption

Question 4
Which security solution is used for posture assessment of the endpoints in a BYOD solution?
A. Cisco FTD
B. Cisco ASA
C. Cisco Umbrella
D. Cisco ISE
Answer: D

Question 5
Which characteristic is unique to a Cisco WSAv as compared to a physical appliance?
A. supports VMware vMotion on VMware ESXi
B. requires an additional license
C. performs transparent redirection
D. supports SSL decryption
Answer: B
Explanation
Cisco Secure virtual appliances function the same as physical Cisco Secure Email Gateway, Cisco Secure Web Appliance, or Cisco Secure Email and Web Manager hardware appliances, with only a few minor differences. … The Cisco Secure virtual appliance requires an additional license to run the virtual appliance on a host. You can use this license for multiple, cloned virtual appliances. Licenses are hypervisor independent.
Reference: https://www.cisco.com/c/dam/en/us/td/docs/security/content_security/virtual_appliances/Cisco_Content_Security_Virtual_Appliance_Install_Guide.pdf

Question 6
What are two benefits of using an MDM solution? (Choose two)
A. grants administrators a way to remotely wipe a lost or stolen device
B. provides simple and streamlined login experience for multiple applications and users
C. native integration that helps secure applications across multiple cloud platforms or on-premises environments
D. encrypts data that is stored on endpoints
E. allows for centralized management of endpoint device applications and configurations
Answer: A E

Question 7
What are two benefits of using Cisco Duo as an MFA solution? (Choose two)
A. grants administrators a way to remotely wipe a lost or stolen device
B. provides simple and streamlined login experience for multiple applications and users
C. native integration that helps secure applications across multiple cloud platforms or on-premises environments
D. encrypts data that is stored on endpoints
E. allows for centralized management of endpoint device applications and configurations
Answer: B C

Question 8
What is a benefit of using GET VPN over FlexVPN within a VPN deployment?
A. GET VPN supports Remote Access VPNs
B. GET VPN natively supports MPLS and private IP networks
C. GET VPN uses multiple security associations for connections
D. GET VPN interoperates with non-Cisco devices
Answer: B

Question 9
Which solution allows an administrator to provision, monitor, and secure mobile devices on Windows and Mac computers from a centralized dashboard?
A. Cisco Umbrella
B. Cisco AMP for Endpoints
C. Cisco ISE
D. Cisco Stealthwatch
Answer: C

Question 10
Which type of data does the Cisco Stealthwatch system collect and analyze from routers, switches, and firewalls?
A. NTP
B. syslog
C. SNMP
D. NetFlow
Answer: D

Question 11
What is the term for the concept of limiting communication between applications or containers on the same node?
A. container orchestration
B. software-defined access
C. microservicing
D. microsegmentation
Answer: D
Explanation
Microservices are about dissecting applications into smaller units and running those units independently instead of running them in a monolithic application. But this question asks about communication between applications, so "microservicing" is not correct.
Micro-segmentation is a network security technique that isolates different workloads from one another within a data center. A workload can be broadly defined as the resources and processes needed to run an application. Hosts, virtual machines and containers are a few examples of workloads.

Question 12
What is a characteristic of an EDR solution and not of an EPP solution?
A. stops all ransomware attacks
B. retrospective analysis
C. decrypts SSL traffic for better visibility
D. performs signature-based detection
Answer: B

Question 13
Drag and drop the security solutions from the left onto the benefits they provide on the right.
Answer:
+ detection, blocking, tracking, analysis, and remediation to protect the enterprise against targeted and persistent malware attacks: Cisco AMP for Endpoints
+ policy enforcement based on complete visibility of users, mobile devices, client-side applications, communication between virtual machines, vulnerabilities, threats, and URLs: Full contextual awareness
+ unmatched security and web reputation intelligence provides real-time threat intelligence and security protection: Collective Security Intelligence
+ superior threat prevention and mitigation for known and unknown threats: NGIPS

Question 14
Based on the NIST 800-145 guide, which cloud architecture may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises?
A. hybrid cloud
B. private cloud
C. public cloud
D. community cloud
Answer: D

Question 15
How does Cisco AMP for Endpoints provide next-generation protection?
A. It encrypts data on user endpoints to protect against ransomware.
B. It leverages an endpoint protection platform and endpoint detection and response.
C. It utilizes Cisco pxGrid, which allows Cisco AMP to pull threat feeds from threat intelligence centers.
D. It integrates with Cisco FTD devices.
Answer: B

Question 16
A company has 5000 Windows users on its campus. Which two precautions should IT take to prevent WannaCry ransomware from spreading to all clients? (Choose two)
A. Segment different departments to different IP blocks and enable Dynamic ARP inspection on all VLANs
B. Ensure that noncompliant endpoints are segmented off to contain any potential damage.
C. Ensure that a user cannot enter the network of another department.
D. Perform a posture check to allow only network access to those Windows devices that are already patched.
E. Put all company users in the trusted segment of NGFW and put all servers to the DMZ segment of the Cisco NGFW.
Answer: B D

Question 17
What are two characteristics of the RESTful architecture used within Cisco DNA Center? (Choose two)
A. REST uses methods such as GET, PUT, POST, and DELETE.
B. REST codes can be compiled with any programming language.
C. REST is a Linux platform-based architecture.
D. The POST action replaces existing data at the URL path.
E. REST uses HTTP to send a request to a web service.
Answer: A E

Question 18
What is the process in DevSecOps where all changes in the central code repository are merged and synchronized?
A. CD
B. EP
C. CI
D. QA
Answer: C

Question 19
Which Cisco platform onboards the endpoint and can issue a CA signed certificate while also automatically configuring endpoint network settings to use the signed endpoint certificate, allowing the endpoint to gain network access?
A. Cisco ISE
B. Cisco NAC
C. Cisco TACACS+
D. Cisco WSA
Answer: A

Question 20
Which cloud service offering allows customers to access a web application that is being hosted, managed, and maintained by a cloud service provider?
A. IaC
B. SaaS
C. IaaS
D. PaaS
Answer: B

Question 21
How does Cisco Workload Optimization portion of the network do EPP solutions solely performance issues?
A. It deploys an AWS Lambda system
B. It automates resource resizing
C. It optimizes a flow path
D. It sets up a workload forensic score
Answer: B

Question 22
Email security has become a high priority task for a security engineer at a large multi-national organization due to ongoing phishing campaigns. To help control this, the engineer has deployed an Incoming Content Filter with a URL reputation of (-10.00 to -6.00) on the Cisco ESA. Which action will the system perform to disable any links in messages that match the filter?
A. Defang
B. Quarantine
C. FilterAction
D. ScreenAction
Answer: A

Question 23
What are two workload security models? (Choose two)
A. SaaS
B. PaaS
C. off-premises
D. on-premises
E. IaaS
Answer: A D
Explanation
Cisco Secure Workload offers flexible options for deployments including on-premises appliance, virtual appliance, and Software as a Service (SaaS).
Reference: https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/solution-overview-c22-741289.pdf

Question 24
Which API method and required attribute are used to add a device into DNAC with the native API?
A. lastSyncTime and pid
B. POST and name
C. userSudiSerialNos and deviceInfo
D. GET and serialNumber
Answer: B

Question 25
What provides total management for mobile and PC including managing inventory and device tracking, remote view, and live troubleshooting using the included native remote desktop support?
A. mobile device management
B. mobile content management
C. mobile application management
D. mobile access management
Answer: A

Question 26
What is the most common type of data exfiltration that organizations currently experience?
A. HTTPS file upload site
B. Microsoft Windows network shares
C. SQL database injections
D. encrypted SMTP
Answer: B
Explanation
A study by N. J. Percoco, Data exfiltration: How Data Gets Out, reviewed 400 data exfiltrations and identified the following as the top methods for data exfiltration:
Native Remote Access Applications 27%
Microsoft Windows Network Shares 28%
Malware Capability: FTP 17%
Malware Capability: IRC 2%
Malware Capability: SMTP 4%
HTTP File Upload Site 1.5%
Native FTP Client 10%
SQL Injection 6%
Encrypted Backdoor <1%
Reference: https://blogs.cisco.com/security/sensitive-data-exfiltration-and-the-insider

Question 27
An administrator is configuring NTP on Cisco ASA via ASDM and needs to ensure that rogue NTP servers cannot insert themselves as the authoritative time source. Which two steps must be taken to accomplish this task? (Choose two)
A. Specify the NTP version
B. Configure the NTP stratum
C. Set the authentication key
D. Choose the interface for syncing to the NTP server
E. Set the NTP DNS hostname
Answer: C D
Explanation
Step 3 Enter the NTP server IPv4 IP Address. You cannot enter a hostname for the server; the ASA does not support DNS lookup for the NTP server -> Answer E is not correct.
…
Step 5 (Optional) Choose the Interface from the drop-down list. This setting specifies the outgoing interface for NTP packets. If the interface is blank, then the ASA uses the default admin context interface according to the management routing table.
Step 6 (Optional) Configure NTP authentication.
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/general/asdm-78-general-config/basic-hostname-pw.html

Question 28
Which two criteria must a certificate meet before the WSA uses it to decrypt application traffic? (Choose two)
A. It must include the current date.
B. It must reside in the trusted store of the WSA.
C. It must reside in the trusted store of the endpoint.
D. It must have been signed by an internal CA.
E. It must contain a SAN.
Answer: A B

Question 29
DoS attacks are categorized as what?
A. phishing attacks
B. flood attacks
C. virus attacks
D. trojan attacks
Answer: B

Question 30
Which Cisco solution integrates Encrypted Traffic Analytics to perform enhanced visibility, promote compliance, shorten response times, and provide administrators with the information needed to provide educated and automated decisions to secure the environment?
A. Cisco SDN
B. Cisco ISE
C. Cisco Security Compliance Solution
D. Cisco DNA Center
Answer: D
Explanation
Recently announced at the June 2017 Cisco Live Event, Encrypted Traffic Analytics will be built into the Cisco DNA Center (the single window UI for Cisco Apic-Em) and will provide the ability to detect Encrypted Malware throughout your enterprise network.
Reference: https://www.linkedin.com/pulse/understanding-ciscos-new-anti-malware-tech-eta-austin-emuang-stubbs

Question 31
Which Cisco security solution stops exfiltration using HTTPS?
A. Cisco CTA
B. Cisco AnyConnect
C. Cisco FTD
D. Cisco ASA
Answer: A
Explanation
Attackers often try to exfiltrate sensitive data, including credentials, using HTTP and HTTPS requests themselves. Cognitive Threat Analytics uses multiple indications of compromise (IOCs), including global statistics and local anomaly scores, to reliably distinguish malicious tunneling from benign use of the technique.
Reference: https://www.cisco.com/c/dam/en/us/products/collateral/security/cognitive-threat-analytics/at-a-glance-c45-736555.pdf

Question 32
What is a functional difference between Cisco AMP for Endpoints and Cisco Umbrella Roaming Client?
A. The Umbrella Roaming client stops and tracks malicious activity on hosts, and AMP for Endpoints tracks only URL-based threats.
B. The Umbrella Roaming Client authenticates users and provides segmentation, and AMP for Endpoints allows only for VPN connectivity
C. AMP for Endpoints authenticates users and provides segmentation, and the Umbrella Roaming Client allows only for VPN connectivity.
D. AMP for Endpoints stops and tracks malicious activity on hosts, and the Umbrella Roaming Client tracks only URL-based threats.
Answer: D
Explanation
Cisco Advanced Malware Protection (AMP) for Endpoints is a malware and virus protection platform that you can use to protect your environment from intrusion, infected files, and malicious behavior.

Question 33
What is a benefit of flexible NetFlow records?
A. They have customized traffic identification
B. They are used for accounting
C. They monitor a packet from Layer 2 to Layer 5
D. They are used for security
Answer: A
Explanation
Key Advantages to using Flexible NetFlow:
+ Flexibility, scalability of flow data beyond traditional NetFlow
+ The ability to monitor a wider range of packet information producing new information about network behavior not available today
+ Enhanced network anomaly and security detection
+ User configurable flow information to perform customized traffic identification and the ability to focus and monitor specific network behavior (-> Therefore answer A is correct)
Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/flexible-netflow/product_data_sheet0900aecd804b590b.html

Question 34
An engineer recently completed the system setup on a Cisco WSA. Which URL information does the system send to SensorBase Network servers?
A. Summarized server-name information and MD5-hashed path information
B. none because SensorBase Network Participation is disabled by default
C. URL information collected from clients that connect to the Cisco WSA using Cisco AnyConnect
D. complete URL, without obfuscating the path segments
Answer: D
Explanation
Note: Standard SensorBase Network Participation is enabled by default during system setup -> Answer B is not correct.
Enabling Participation in The Cisco SensorBase Network
Step 1. Choose Security Services > SensorBase.
Step 2. Verify that Sensor Base Network Participation is enabled. When it is disabled, none of the data that the appliance collects is sent back to the SensorBase Network servers.
Step 3. In the Participation Level section, choose one of the following levels:
+ Limited. Basic participation summarizes server name information and sends MD5-hashed path segments to the Sensor Base Network servers.
+ Standard. Enhanced participation sends the entire URL with unobfuscated path segments to the SensorBase Network servers. This option assists in providing a more robust database, and continually improves the integrity of Web Reputation Scores.
Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa115/user_guide/b_WSA_UserGuide_11_5_1/b_WSA_UserGuide_11_5_1_chapter_00.pdf
The "Standard" SensorBase Network Participation is enabled by default during system setup, so this question implies we are using the Standard level, not the Limited level -> Answer D is correct while answer A is not correct.

Question 35
What is the purpose of the Cisco Endpoint IoC feature?
A. It is an incident response tool
B. It provides precompromise detection
C. It is a signature-based engine
D. It provides stealth threat prevention
Answer: A
Explanation
The Endpoint Indication of Compromise (IOC) feature is a powerful incident response tool for scanning of post-compromise indicators across multiple computers.
Reference: https://docs.amp.cisco.com/Cisco%20Endpoint%20IOC%20Attributes.pdf

Question 36
Which Cisco DNA Center RESTful PNP API adds and claims a device into a workflow?
A. api/v1/fie/config
B. api/v1/onboarding/workflow
C. api/v1/onboarding/pnp-device
D. api/v1/onboarding/pnp-device/import
Answer: D
Explanation
The Device Onboarding API supports the PnP process, giving the developer the option to create a workflow that detects when a device joins the network and communicates with Cisco DNA Center, and then sending the onboarding configuration to the device. This API is composed of 28 endpoints, that can be used to manage workflows, include devices in the PnP Process, claim devices, amongst other things.
PYTHON script:
    ONBOARDING_PNP_IMPORT_URL = '/dna/intent/api/v1/onboarding/pnp-device/import'
Reference: https://developer.cisco.com/docs/dna-center/#!device-onboarding/onboarding-pnp-api

Question 37
What does endpoint isolation in Cisco AMP for Endpoints security protect from?
A. a malware spreading across the user device
B. an infection spreading across the network
C. an infection spreading across the LDAP or Active Directory domain from a user account
D. a malware spreading across the LDAP or Active Directory domain from a user account
Answer: A
Explanation
Endpoint Isolation is a feature that lets you block incoming and outgoing network activity on a Windows computer to prevent threats such as data exfiltration and malware propagation.
Reference: https://cloudmanaged.ca/wp-content/uploads/2020/05/AMP-for-Endpoints-UserGuide.pdf

Question 38
An engineer is deploying Cisco Advanced Malware Protection (AMP) for Endpoints and wants to create a policy that prevents users from executing a file named abc424952615.exe without quarantining that file. What type of Outbreak Control list must the SHA-256 hash value for the file be added to in order to accomplish this?
A. Advanced Custom Detection
B. Blocked Application
C. Simple Custom Detection
D. Isolation
Answer: B
Explanation
A Simple Custom Detection list is similar to a blacklist. These are files that you want to detect and quarantine. Not only will an entry in a Simple Custom Detection list quarantine future files, but through Retrospective it will quarantine instances of the file on any endpoints in your organization that the service has already seen it on -> Answer C is not correct.
Application Control – Blocked Applications
A blocked applications list is composed of files that you do not want to allow users to execute but do not want to quarantine. You may want to use this for files you are not sure are malware, unauthorized applications, or you may want to use this to stop applications with vulnerabilities from executing until a patch has been released.
Reference: https://docs.amp.cisco.com/en/SecureEndpoint/Secure%20Endpoint%20User%20Guide.pdf

Question 39
Which feature does the IaaS model provide?
A. granular control of data
B. software-defined network segmentation
C. dedicated, restricted workstations
D. automatic updates and patching of software
Answer: C
Explanation
In the infrastructure-as-a-service (IaaS) model, the subscriber leases just the hardware infrastructure (networking, data center space, storage, servers, and virtualization services), but establishes and maintains all other components of the technology stack (applications, data, runtime, middleware, operating systems, etc.).

Question 40
Which VMware platform does Cisco ACI integrate with to provide enhanced visibility, provide policy integration and deployment, and implement security policies with access lists?
A. VMware APIC
B. VMware vRealize
C. VMware fusion
D. VMware horizons
Answer: B

Question 41
Which two capabilities does an MDM provide? (Choose two)
A. delivery of network malware reports to an inbox in a schedule
B. unified management of mobile devices, Macs, and PCs from a centralized dashboard
C. enforcement of device security policies from a centralized dashboard
D. manual identification and classification of client devices
E. unified management of Android and Apple devices from a centralized dashboard
Answer: B C

Question 42
What are two recommended approaches to stop DNS tunneling for data exfiltration and command and control call backs? (Choose two)
A. Use intrusion prevention system.
B. Block all TXT DNS records.
C. Enforce security over port 53.
D. Use next generation firewalls.
E. Use Cisco Umbrella.
Answer: C E

Question 43
In which two ways does the Cisco Advanced Phishing Protection solution protect users? (Choose two)
A. It prevents use of compromised accounts and social engineering.
B. It prevents all zero-day attacks coming from the Internet.
C. It automatically removes malicious emails from users' inbox.
D. It prevents trojan horse malware using sensors.
E. It secures all passwords that are shared in video conferences.
Answer: B C

Question 44
Which capability is provided by application visibility and control?
A. reputation filtering
B. data obfuscation
C. data encryption
D. deep packet inspection
Answer: D

Question 45
An organization is implementing AAA for their users. They need to ensure that authorization is verified for every command that is being entered by the network administrator. Which protocol must be configured in order to provide this capability?
A. EAPOL
B. SSH
C. RADIUS
D. TACACS+
Answer: D

Question 46
Drag and drop the deployment models from the left onto the explanations on the right.
Answer:
+ A GRE tunnel is utilized in this solution: passive with ERSPAN
+ Attacks are not prevented with this solution: passive
+ This solution allows inspection between hosts on the same subnet: transparent
+ This solution does not provide filtering between hosts on the same subnet: routed
Explanation
Monitoring (passive) mode is the mode where the Cisco NGFW or NGIPS device does not usually prevent attacks. The device uses one interface to silently inspect traffic and identify malicious activity without interrupting traffic flow.
Passive with ERSPAN Mode: You can configure one physical interface operating as a sniffer – very similar to a traditional remote intrusion detection system (IDS). A Generic Routing Encapsulation (GRE) tunnel between the capture point and the Cisco FTD carries the packets to be inspected.
Reference: CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Question 47
When network telemetry is implemented, what is important to be enabled across all network infrastructure devices to correlate different sources?
A. CDP
B. NTP
C. syslog
D. DNS
Answer: B

Question 48
What is the difference between EPP and EDR?
A. EPP focuses primarily on threats that have evaded front-line defenses that entered the environment.
B. Having an EPP solution allows an engineer to detect, investigate, and remediate modern threats.
C. EDR focuses solely on prevention at the perimeter.
D. Having an EDR solution gives an engineer the capability to flag offending files at the first sign of malicious behavior.
Answer: D
Explanation
EPP (Endpoint Protection Platform) covers traditional anti-malware scanning, whereas EDR (Endpoint Detection and Response) covers some more advanced capabilities like detecting and investigating security incidents, and the ability to remediate endpoints to a pre-infection state.
Reference: https://www.sans.org/webcasts/epp-edr-both-choose-generation-endpoint-security109470/
EDR focuses primarily on threats that have evaded front-line defenses and entered into your environment. An endpoint protection platform, however, focuses solely on prevention -> Answer A and answer C are not correct.
An EPP can often be described as a traditional anti-virus solution. While deploying an anti-virus solution will improve your front-line security, it does not protect your endpoints from more sophisticated threats that may find a way into your network. Endpoint security solutions should have endpoint protection platform capabilities, but they must also have the capabilities of an endpoint detection and response solution -> Answer B is not correct.
Reference: https://www.cisco.com/c/en/us/products/security/what-is-endpoint-protection-platform.html

Question 49
An engineer is adding a Cisco router to an existing environment. NTP authentication is configured on all devices in the environment with the command ntp authentication-key 1 md5 Clsc427128380. There are two routers on the network that are configured as NTP servers for redundancy, 192.168.1.110 and 192.168.1.111. 192.168.1.110 is configured as the authoritative time source. What command must be configured on the new router to use 192.168.1.110 as its primary time source without the new router attempting to offer time to existing devices?
A. ntp server 192.168.1.110 key 1 prefer
B. ntp peer 192.168.1.110 prefer key 1
C. ntp server 192.168.1.110 primary key 1
D. ntp peer 192.168.1.110 key 1 primary
Answer: A
Explanation
A router can be configured to prefer an NTP source over another. A preferred server's responses are discarded only if they vary dramatically from the other time sources. Otherwise, the preferred server is used for synchronization without consideration of the other time sources. Preferred servers are usually specified when they are known to be extremely accurate. To specify a preferred server, use the prefer keyword appended to the ntp server command.

Question 50
Which algorithm is an NGE hash function?
A. HMAC
B. SHA-1
C. MD5
D. SHA-2
Answer: D

Question 51
A university policy must allow open access to resources on the Internet for research, but internal workstations are exposed to malware. Which Cisco AMP feature allows the engineering team to determine whether a file is installed on a selected few workstations?
A. file prevalence
B. file discovery
C. file conviction
D. file manager
Answer: A
Explanation
Prevalence: AMP displays all files that are running across your organization, ordered by prevalence (from lowest to highest number of instances), to help you surface previously undetected threats seen by a small number of users. Files opened by only a few users may be malicious.
Reference: https://cstor.com/wp-content/uploads/2016/10/Cisco_Advanced-Malware-Protection-for-Endpoints_Data-Sheet.pdf

Question 52
During a recent security audit, a Cisco IOS router with a working IPSEC configuration using IKEv1 was flagged for using a wildcard mask with the crypto isakmp key command. The VPN peer is a SOHO router with a dynamically assigned IP address. Dynamic DNS has been configured on the SOHO router to map the dynamic IP address to the host name of vpn.sohoroutercompany.com. In addition to the command crypto isakmp key Cisc123456789 hostname vpn.sohoroutercompany.com, what other two commands are now required on the Cisco IOS router for the VPN to continue to function after the wildcard command is removed? (Choose two)
A. ip host vpn.sohoroutercompany.com <VPN Peer IP Address>
B. crypto isakmp identity hostname
C. Add the dynamic keyword to the existing crypto map command
D. fqdn vpn.sohoroutercompany.com <VPN Peer IP Address>
E. ip name-server <DNS Server IP Address>
Answer: A B
Explanation
The command "crypto isakmp identity hostname" configures the identity of the ISAKMP peer to the host name concatenated with the domain name (fully qualified domain name, for example myhost.domain.com). If you use the host name identity method, you may need to specify the host name for the remote peer if a DNS server is not available for name resolution. An example of this follows:
    RouterA(config)# ip host RouterB.domain.com 172.30.2.2
Reference: https://www.ccexpert.us/bcran/step-3configure-isakmp-identity.html

Question 53
Which command is used to log all events to a destination collector 209.165.201.10?
A. CiscoASA(config-pmap-c)# flow-export event-type all destination 209.165.201.10
B. CiscoASA(config-cmap)# flow-export event-type flow-update destination 209.165.201.10
C. CiscoASA(config-pmap-c)# flow-export event-type flow-update destination 209.165.201.10
D. CiscoASA(config-cmap)# flow-export event-type all destination 209.165.201.10
Answer: A
Explanation
This example shows how to configure NetFlow for ASA:
    ASA(config)# access-list netflow-export extended permit ip any any
    ASA(config)# flow-export destination inside 172.16.1.100 9996
    ASA(config)# flow-export template timeout-rate 1
    ASA(config)# flow-export delay flow-create 60
    ASA(config)# class-map netflow-export-class
    ASA(config-cmap)# match access-list netflow-export
    ASA(config)# policy-map global_policy
    ASA(config-pmap)# class netflow-export-class
    ASA(config-pmap-c)# flow-export event-type all destination 172.16.1.100   // export all event log types to 172.16.1.100
The flow-export event-type command is entered under the class within the policy map (config-pmap-c), which is why the options entered in class-map mode (config-cmap) are not correct.

Question 54
A company identified a phishing vulnerability during a pentest. What are two ways the company can protect employees from the attack? (Choose two)
A. using Cisco ISE
B. using Cisco FTD
C. using an inline IPS/IDS in the network
D. using Cisco ESA
E. using Cisco Umbrella
Answer: D E
Explanation
The following are the benefits of deploying Cisco Advanced Phishing Protection on the Cisco Email Security Gateway (ESA):
Prevents the following:
+ Attacks that use compromised accounts and social engineering.
+ Phishing, ransomware, zero-day attacks and spoofing.
+ BEC with no malicious payload or URL.
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa135/user_guide/b_ESA_Admin_Guide_13-5/m_advanced_phishing_protection.html
Cisco Umbrella protects users from accessing malicious domains by proactively analyzing and blocking unsafe destinations – before a connection is ever made. Thus it can protect from phishing attacks by blocking suspicious domains when users click on the given links that an attacker sent.
Question 55
Which feature is used in a push model to allow for session identification, host reauthentication, and session termination?
A. CoA request
B. AAA attributes
C. carrier-grade NAT
D. AV pair
Answer: A
Explanation
The Cisco software supports the RADIUS CoA request defined in RFC 5176 that is used in a pushed model, in which the request originates from the external server to the device attached to the network, and enables the dynamic reconfiguring of sessions from external authentication, authorization, and accounting (AAA) or policy servers. Use the following per-session CoA requests:
– Session reauthentication
– Session termination
– Session termination with port shutdown
– Session termination with port bounce
– Security and Password Accounting

Question 56
What are the components of endpoint protection against social engineering attacks?
A. firewall
B. IDS
C. IPsec
D. ESA
Answer: D

Question 57
A company recently discovered an attack propagating throughout their Windows network via a file named abc4350G8l99xyz.exe. The malicious file was uploaded to a Simple Custom Detection list in the AMP for Endpoints Portal and the currently applied policy for the Windows clients was updated to reference the detection list. Verification testing scans on known infected systems shows that AMP for Endpoints is not detecting the presence of this file as an indicator of compromise. What must be performed to ensure detection of the malicious file?
A. Upload the malicious file to the Blocked Application Control List
B. Use an Advanced Custom Detection list instead of a Simple Custom Detection List
C. Check the box in the policy configuration to send the file to Cisco Threat Grid for dynamic analysis
D. Upload the SHA-256 hash for the file to the Simple Custom Detection List
Answer: D
Explanation
We can upload the SHA-256 hash of this file to the Simple Custom Detection List so that AMP for Endpoints can block it.
Reference: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215176-configure-a-simple-custom-detection-list.pdf

Question 58
Which feature requires that network telemetry be enabled?
A. SNMP trap notification
B. Layer 2 device discovery
C. central syslog system
D. per-interface stats
Answer: C

Question 59
Which two configurations must be made on Cisco ISE and on Cisco TrustSec devices to force a session to be adjusted after a policy change is made? (Choose two)
A. posture assessment
B. aaa server radius dynamic-author
C. tacacs-server host 10.1.1250 key password
D. CoA
E. aaa authorization exec default local
Answer: A C
Explanation
You can click the Push button to initiate an environment CoA notification after updating multiple SGTs. This environment CoA notification goes to all TrustSec network devices forcing them to start a policy/data refresh request.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/22/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_011000.html

Question 60
An engineer must set up 200 new laptops on a network and wants to prevent the users from moving their laptops around to simplify administration. Which switch port MAC address security setting must be used?
A. static
B. sticky
C. maximum
D. aging
Answer: B
Explanation
The full syntax of the second command is:
    switchport port-security mac-address sticky [MAC]
If we don't specify the MAC address (like in this question) then the switch will dynamically learn the attached MAC address and place it into your running-configuration. There are too many laptops, so we have to let the switch learn the MAC addresses dynamically.

Question 61
Refer to the exhibit.
When configuring this access control rule in Cisco FMC, what happens with the traffic destined to the DMZ_inside zone once the configuration is deployed?
A. No traffic will be allowed through to the DMZ_inside zone unless it's already trusted
B. No traffic will be allowed through to the DMZ_inside zone regardless of if it's trusted or not
C. All traffic from any zone will be allowed to the DMZ_inside zone only after inspection
D. All traffic from any zone to the DMZ_inside zone will be permitted with no further inspection
Answer: D
Explanation
There are seven different actions which a rule can use:
+ Allow: Allows traffic. There may yet be more inspections, such as Intrusion and File policies
+ Trust: Sends traffic straight to the egress interface, without any extra inspections. Identity policies and rate limiting still apply
+ Monitor: Logs traffic, and continues to the rest of the rules
+ Block: Drops traffic silently, causing the connection to time out
+ Block with reset: Drops traffic, and sends a TCP FIN, so the connection closes rather than times out
+ Interactive Block: Displays a web page with conditions that users may accept. This is where the Interactive Block Response Page comes into play
+ Interactive Block with Reset: Combination of interactive block, with a TCP FIN

Question 62
What is the concept of CI/CD pipelining?
A. Each project phase is independent from other phases to maintain adaptiveness and continual improvement
B. The project is split into several phases where one phase cannot start before the previous phase finishes successfully
C. The project code is centrally maintained and each code change should trigger an automated build and test sequence
D. The project is split into time-limited cycles and focuses on pair programming for continuous code review
Answer: C
Explanation
Continuous integration (CI) is a software development practice in which developers merge their changes to the main branch many times per day. Each merge triggers an automated code build and test sequence. Once we automatically build and test our software, it gets easier to release it.
Thus Continuous Integration is often extended with Continuous Delivery (CD), a process in which code changes are also automatically prepared for a release (CI/CD). CI and CD are often represented as a pipeline, where new code enters on one end, flows through a series of stages (build, test, staging, production), and published as a new production release to end users on the other end. Each stage of the CI/CD pipeline is a logical unit in the delivery process. Developers usually divide each unit into a series of subunits that run sequentially or in parallel. Reference: https://semaphoreci.com/continuous-integration Question 63 Which feature only implements on the Cisco ASA in the transparent mode? A. inspect anycast traffic B. stateful inspection C. inspect application layer of the traffic sent between hosts D. inspect traffic between hosts in the same subnet Answer: D Explanation The Cisco ASA software supports two firewall modes, routed and transparent. A transparent firewall is a layer 2 firewall that acts like a stealth firewall and is not seen as a router hop between connected devices. Unlike a traditional deployment of a firewall in routed mode, where the firewall is a routed hop between networks. Question 64 What are two functionalities of SDN southbound APIs? (Choose two) A. Southbound APIs provide a programmable interface for applications to configure the network B. Southbound APIs form the interface between the SDN controller and the network switches and routers C. OpenFlow is a standardized southbound API protocol used between the SDN controller and the switch. D. Application layer programs communicate with the SDN controller through the southbound APIs E. 
Southbound APIs form the interface between the SDN controller and business applications Answer: B C Explanation OpenFlow and OpFlex are Southbound APIs Southbound APIs ultilize NETCONF, RESTCONF, SNMP, Telnet, SSH… passyourccie@gmail.com ================================== New Questions (added on 7th-Dec2022) ================================== Question 65 An engineer is implementing DHCP security mechanisms and needs the ability to add additional attributes to profiles that are created within Cisco ISE. Which action accomplishes this task ? A. Define MAC-to-lP address mappings in the switch to ensure that rogue devices cannot get an IP address B. Use DHCP option 82 to ensure that the request is from a legitimate endpoint and send the information to Cisco ISE C. Modify the DHCP relay and point the IP address to Cisco ISE. D. Configure DHCP snooping on the switch VLANs and trust the necessary interfaces Answer: C Explanation Under the same interfaces, another ip helper-address command is configured to point to the ISE PSN interface enabled with the DHCP probe. The ISE Policy Service node will not reply to these packets, but the goal is simply to send a copy of the requests to ISE for parsing of DHCP attributes. It is possible to configure multiple IP Helper targets on Cisco devices to allow multiple ISE Policy Service nodes to receive copies of the DHCP requests. Reference: https://community.cisco.com/t5/security-knowledge-base/ise-profiling-designguide/ta-p/3739456#toc-hId-826550277 Question 66 Which Cisco Firewall solution requires zone definition? A. B. C. D. CBAC Cisco AMP ZBFW Cisco ASA Answer: C Explanation Zone Based Firewall (ZBFW) is the most advanced method of a stateful firewall that is available on Cisco IOS routers. The idea behind ZBFW is that we don’t assign access-lists to interfaces but we will create different zones. Interfaces will be assigned to the different zones and security policies will be assigned to traffic between zones. 
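The RADIUS CoA push from Questions 55 and 59 and the five IETF attributes from Question 75, as an added worked example (not code from the page or from Cisco): it builds a Disconnect-Request the way the policy server (ISE) would, verifies it the way the NAS that has aaa server radius dynamic-author would, rejects a tampered copy, and answers with a Disconnect-NAK carrying Error-Cause 503. The shared secret, identifier, session ID and MAC address are constructed values, and treating Message-Authenticator as mandatory is this verifier's own choice.

```python
"""RADIUS Disconnect-Request / CoA-Request construction and NAS-side verification
per RFC 5176, using the five IETF attributes listed for the CoA feature.
Added example, not taken from the page or from Cisco; the shared secret,
identifier, session ID and MAC address are constructed test values."""
import hashlib
import hmac
import struct

# Packet codes (RFC 5176, section 2.1)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# IETF attribute types supported for CoA (the five in the exam's table)
STATE, CALLING_STATION_ID, ACCT_SESSION_ID = 24, 31, 44
MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 80, 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause value (RFC 5176, section 3.5)


def encode_attr(attr_type, value):
    """Type (1 octet) | Length (1 octet, includes this 2-octet header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(body):
    """Return [(type, value, value_offset)]. A Length < 2 would never advance and
    a Length past the end would over-read, so both are rejected."""
    attrs, off = [], 0
    while off < len(body):
        if len(body) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = body[off], body[off + 1]
        if alen < 2 or off + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[off + 2:off + alen], off + 2))
        off += alen
    return attrs


def build_request(code, identifier, attrs, secret):
    """Server side (ISE). Message-Authenticator (RFC 3579) = HMAC-MD5 keyed with the
    shared secret over the packet with the Authenticator field and its own value
    zeroed. Request Authenticator (RFC 5176 2.3, same rule as RFC 2866 accounting)
    = MD5(Code + ID + Length + 16 zero octets + Attributes + secret), computed last
    so that it covers the finished HMAC."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, kept last
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    mac = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + mac
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def verify_request(pkt, secret):
    """NAS side: check length, code, Request Authenticator and Message-Authenticator;
    on any failure the NAS silently discards the packet. Message-Authenticator is
    treated as mandatory here (exactly one, 16 octets)."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    header, req_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    try:
        attrs = decode_attrs(body)
    except ValueError:
        return False
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(req_auth, expected):
        return False
    mas = [(v, o) for t, v, o in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][0]) != 16:
        return False
    value, off = mas[0]
    zeroed = header + bytes(16) + body[:off] + bytes(16) + body[off + 16:]
    return hmac.compare_digest(value, hmac.new(secret, zeroed, hashlib.md5).digest())


def build_response(request, code, attrs, secret):
    """ACK/NAK: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def demo(secret=b"constructed-shared-secret"):
    """ISE pushes a Disconnect-Request for one session; the NAS verifies it, rejects a
    tampered copy, and NAKs with Error-Cause 503 when the session is unknown."""
    attrs = [(ACCT_SESSION_ID, b"0000001A"),
             (CALLING_STATION_ID, b"00-11-22-33-44-55"),
             (STATE, b"\x01\x02\x03\x04")]
    req = build_request(DISCONNECT_REQUEST, 7, attrs, secret)
    tampered = bytearray(req)
    tampered[32] ^= 0x01  # first octet of the Calling-Station-Id value
    nak = build_response(req, DISCONNECT_NAK,
                         [(ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))],
                         secret)
    return {
        "valid": verify_request(req, secret),
        "tampered_valid": verify_request(bytes(tampered), secret),
        "nak_code": nak[0],
        "nak_error_cause": struct.unpack("!I", decode_attrs(nak[20:])[0][1])[0],
    }
```

The order of the two integrity computations is the point that trips up hand-written CoA senders: unlike an Access-Request, whose Authenticator is random, a CoA or Disconnect-Request's Request Authenticator depends on the attributes, so the HMAC is computed over a zeroed Authenticator first and the MD5 over the completed packet last. A NAS with the wrong shared secret, or a packet whose attributes were altered in transit, fails verify_request and is dropped without any reply.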
Question 67
For a given policy in Cisco Umbrella, how should a customer block a website based on a custom list?
A. by specifying blocked domains in the policy settings
B. by specifying the websites in a custom blocked category
C. by adding the websites to a blocked type destination list
D. by adding the website IP addresses to the Cisco Umbrella blocklist
Answer: C
Explanation
A destination list is a list of internet destinations that can be blocked or allowed based on the administrative preferences for the policies applied to the identities within your organization. A destination is a URL or fully qualified domain name. You can add a destination list to Umbrella at any time; however, a destination list does not come into use until it is added to a policy.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/working-with-destination-lists

Question 68
What is the concept of CI/CD pipelining?
A. The project is split into several phases where one phase cannot start before the previous phase finishes successfully.
B. The project code is centrally maintained and each code change should trigger an automated build and test sequence
C. The project is split into time-limited cycles and focuses on pair programming for continuous code review
D. Each project phase is independent from other phases to maintain adaptiveness and continual improvement
Answer: B
Explanation
CI, short for Continuous Integration, is a software development practice in which all developers merge code changes in a central repository multiple times a day. With CI, each change in code triggers an automated build-and-test sequence for the given project, providing feedback to the developer(s) who made the change.
Reference: https://semaphoreci.com/blog/cicd-pipeline

Question 69
Which threat intelligence standard contains malware hashes?
A. structured threat information expression
B. advanced persistent threat
C. trusted automated exchange of indicator information
D. open command and control
Answer: A
Explanation
Structured Threat Information Expression (STIX) is a standard language for describing cyber threat intelligence in a way that both humans and machines can understand and act upon. STIX describes cyber threats using an extensive set of properties, which include signs of malicious activity (e.g., suspect file hashes, domains, etc.).
Reference: https://oasis-open.github.io/ctidocumentation/docs/Introduction_to_Structured_Threat_Information_Expression.pdf

Question 70
Which ESA implementation method segregates inbound and outbound email?
A. one listener on a single physical interface
B. pair of logical listeners on a single physical interface with two unique logical IPv4 addresses and one IPv6 address
C. pair of logical IPv4 listeners and a pair of IPv6 listeners on two physically separate interfaces
D. one listener on one logical IPv4 address on a single logical interface
Answer: C
Explanation
You can segregate incoming and outgoing email traffic over separate listeners and on separate IP addresses. You can use Internet Protocol version 4 (IPv4) and version 6 (IPv6) addresses. The System Setup Wizard on the appliance supports initial configuration of the following configurations:
+ 2 separate listeners on 2 logical IPv4 and 2 IPv6 addresses configured on separate physical interfaces
…
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa111/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_010.html

Question 71
An engineer is configuring Cisco WSA and needs to deploy it in transparent mode. Which configuration component must be used to accomplish this goal?
A. MDA on the router
B. PBR on Cisco WSA
C. WCCP on switch
D. DNS resolution on Cisco WSA
Answer: C

Question 72
What is a function of Cisco AMP for Endpoints?
A. It detects DNS attacks
B. It protects against web-based attacks
C. It blocks email-based attacks
D. It automates threat responses of an infected host
Answer: D

Question 73
Refer to the exhibit.
aaa new-model
radius-server host 10.0.0.12 key secret12
What is the result of using this authentication protocol in the configuration?
A. The authentication request contains only a username.
B. The authentication request contains only a password.
C. There are separate authentication and authorization request packets.
D. The authentication and authorization requests are grouped in a single packet.
Answer: D
Explanation
The exhibit defines a RADIUS server. RADIUS combines authentication and authorization: the Access-Request carries both the username and the (obfuscated) password, and the Access-Accept returns the authorization attributes in the same exchange. TACACS+ is the protocol that separates authentication and authorization into distinct request packets.

Question 74
An engineer needs to detect and quarantine a file named abc424400664.zip based on the MD5 signature of the file using the Outbreak Control list feature within Cisco Advanced Malware Protection (AMP) for Endpoints. The configured detection method must work on files of unknown disposition. Which Outbreak Control list must be configured to provide this?
A. Blocked Application
B. Simple Custom Detection
C. Advanced Custom Detection
D. Android Custom Detection
Answer: C
Explanation
Advanced Custom Detections are like traditional antivirus signatures, but they are written by the user. These signatures can inspect various aspects of a file and have different signature formats. Some of the available signature formats are:
– MD5 signatures
…
Reference: https://cloudmanaged.ca/wp-content/uploads/2020/05/AMP-for-Endpoints-UserGuide.pdf

Question 75
With regard to RFC 5176 compliance, how many IETF attributes are supported by the RADIUS CoA feature?
A. 3
B. 5
C. 10
D. 12
Answer: B
Explanation
The following table shows the IETF attributes that are supported for the RADIUS Change of Authorization (CoA) feature.
Attribute Number   Attribute Name
24                 State
31                 Calling-Station-ID
44                 Acct-Session-ID
80                 Message-Authenticator
101                Error-Cause
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-1610/sec-usr-aaa-xe-16-10-book/sec-rad-coa.pdf

Question 76
Which Cisco ISE feature helps to detect missing patches and helps with remediation?
A. posture assessment
B. profiling policy
C. authentication policy
D. enabling probes
Answer: A
Explanation
Posture assessment includes a set of rules in a security policy that define a series of checks before an endpoint is granted access to the network. Posture assessment checks include the installation of operating system patches, host-based firewalls, antivirus and antimalware software, disk encryption, and more.

Question 77
An engineer is configuring cloud logging using a company-managed Amazon S3 bucket for Cisco Umbrella logs. What benefit does this configuration provide for accessing log data?
A. It can grant third-party SIEM integrations write access to the S3 bucket
B. Data can be stored offline for 30 days.
C. It is included in the license cost for the multi-org console of Cisco Umbrella
D. No other applications except Cisco Umbrella can write to the S3 bucket
Answer: A
Explanation
By having your logs uploaded to an S3 bucket, you can then automatically download logs so that you can keep them in perpetuity in backup storage outside of Umbrella's data warehouse storage system. Saving to an S3 bucket also gives you the ability to ingest logs through your SIEM or another security tool. This can help you determine whether any security events in your Umbrella logs coincide with events in other security tools.
Reference: https://docs.umbrella.com/umbrella-user-guide/docs/manage-your-logs#sectionlogging-to-amazon-s3

Question 78
A network engineer is configuring NetFlow top talkers on a Cisco router. Drag and drop the steps in the process from the left into the sequence on the right.
Answer:
+ Configure ip routing and enable Cisco Express Forwarding: Step 1
+ Configure the ip flow command on an interface: Step 2
+ Configure the ip flow-top-talkers command: Step 3
+ Specify the maximum number of top talkers: Step 4
+ Set the top-talkers sorting criterion: Step 5
Explanation
Before you enable NetFlow and NetFlow Top Talkers, you must:
– Configure the router for IP routing
– Ensure that one of the following is enabled on your router, and on the interfaces that you want to configure NetFlow on: Cisco Express Forwarding (CEF), distributed CEF, or fast switching
This task describes the procedure for configuring the NetFlow Top Talkers feature. Perform the steps in this required task using either the router CLI commands or the SNMP commands to configure the NetFlow Top Talkers feature on the router.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip flow-top-talkers
4. top number
5. sort-by [bytes | packets]
6. cache-timeout milliseconds
7. end
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf15-mt-book/cfg-nflow-top-talk.html

Question 79
What are two functions of IKEv1 but not IKEv2? (Choose two)
A. NAT-T is supported in IKEv1 but not in IKEv2.
B. With IKEv1, when using aggressive mode, the initiator and responder identities are passed in cleartext
C. With IKEv1, aggressive mode negotiates faster than main mode
D. IKEv1 uses EAP authentication
E. IKEv1 conversations are initiated by the IKE_SA_INIT message
Answer: B C
Explanation
Aggressive Mode squeezes the IKE SA negotiation into three packets, with all data required for the SA passed by the initiator. The responder sends the proposal, key material, and ID, and authenticates the session in the next packet. The initiator replies and authenticates the session. Negotiation is quicker, and the initiator and responder IDs pass in the clear.
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ikeprotocols/217432-understand-ipsec-ikev1-protocol.html
Note: IKEv2 supports EAP authentication whereas IKEv1 does not. The IKE_SA_INIT exchange is the first exchange of an IKEv2 (not IKEv1) negotiation. NAT-T is supported by both IKEv1 and IKEv2.

Question 80
Which feature must be configured before implementing NetFlow on a router?
A. SNMPv3
B. syslog
C. VRF
D. IP routing
Answer: D

Question 81
What is the most commonly used protocol for network telemetry?
A. SMTP
B. SNMP
C. TFTP
D. NetFlow
Answer: D

Question 82
An engineer is trying to decide whether to use Cisco Umbrella, Cisco CloudLock, Cisco Stealthwatch, or Cisco AppDynamics Cloud Monitoring for visibility into data transfers as well as protection against data exfiltration. Which solution best meets these requirements?
A. Cisco CloudLock
B. Cisco AppDynamics Cloud Monitoring
C. Cisco Umbrella
D. Cisco Stealthwatch
Answer: D
Explanation
Stealthwatch provides a consistent experience for detecting threats across private networks and multiple public clouds such as Microsoft Azure, Amazon Web Services, and Google Cloud. Stealthwatch closely monitors the activity of every device on the network and is able to create a baseline of normal behavior. Stealthwatch automatically normalizes traffic events gathered natively from your network telemetry and from flow logs generated by your cloud infrastructure, presenting you with a single view of the threats across your entire environment.

Question 83
In which two customer environments is the Cisco WSAv connector traffic direction method selected? (Choose two)
A. Customer owns ASA Appliance and SSL Tunneling is required.
B. Customer does not own Cisco hardware and needs Transparent Redirection (WCCP).
C. Customer needs to support roaming users.
D. Customer owns ASA Appliance and Virtual Form Factor is required.
E. Customer does not own Cisco hardware and needs Explicit Proxy.
Answer: B D
Reference: https://www.denaliai.com/media/1182/cisco-cloud-web-security_data-sheet.pdf

Question 84
What is offered by an EPP solution but not an EDR solution?
A. containment
B. detection
C. investigation
D. sandboxing
Answer: D
Explanation
An EPP detects malicious activity using several methods:
+ Signature matching: detecting threats using known malware signatures
+ Sandboxing: testing for malicious behavior of files by executing them in a virtual environment before allowing them to run
+ Behavioral analysis: determining the baseline of endpoint behavior and identifying behavioral anomalies, even when there is no known threat signature
+ Static analysis: analyzing binaries and searching for malicious characteristics before execution using machine learning algorithms
+ Allowlisting and denylisting: blocking access or only permitting access to specific IP addresses, URLs, and applications
Reference: https://www.exabeam.com/information-security/edr-vs-epp/
Of the options above, only sandboxing is an EPP method.

Question 85
Which solution is more secure than the traditional use of a username and password and encompasses at least two of the methods of authentication?
A. Kerberos security solution
B. single sign-on
C. multifactor authentication
D. RADIUS/LDAP authentication
Answer: C

Question 86
An engineer is configuring Cisco WSA and needs to ensure end clients are protected against DNS spoofing attacks. Which deployment method accomplishes this goal?
A. transparent mode
B. Web Cache Communication Protocol
C. explicit forward
D. single context mode
Answer: C
Explanation
In transparent mode, DNS resolution is done by the client. In explicit (forward) proxy mode the client sends the request to the WSA and DNS resolution is done by the WSA, so a spoofed answer delivered to the client's resolver no longer decides where the connection goes.
Reference: https://www.youtube.com/watch?v=s8OnuxnUydg (1:20)

Question 87
Which Cisco network security device supports contextual awareness?
A. ISE
B. Cisco IOS
C. Cisco ASA
D. Firepower
Answer: A
Explanation
ISE is designed to provide policy-based, context-aware security for Cisco networks.
Reference: https://www.networkworld.com/article/2224784/cisco-looks-to-standardize-contextaware-security.html

Question 88
Which two commands are required when configuring a flow-export action on a Cisco ASA? (Choose two)
A. flow-export event-type
B. policy-map
C. access-list
D. flow-export template timeout-rate 15
E. access-group
Answer: A B
Explanation
This example shows how to configure NetFlow for ASA. It logs all events between host 209.165.200.224 and host 209.165.201.224 to 209.165.200.230, and logs all other events to 209.165.201.29:
hostname(config)# access-list flow_export_acl permit ip host 209.165.200.224 host 209.165.201.224
hostname(config)# class-map flow_export_class
hostname(config-cmap)# match access-list flow_export_acl
hostname(config)# policy-map flow_export_policy
hostname(config-pmap)# class flow_export_class
hostname(config-pmap-c)# flow-export event-type all destination 209.165.200.230
hostname(config-pmap)# class class-default
hostname(config-pmap-c)# flow-export event-type all destination 209.165.201.29
hostname(config)# service-policy flow_export_policy global
Note: flow-export template timeout-rate (which specifies the time elapsed before the templates are re-sent) is an optional command.
The command flow-export event-type event_type destination flow_export_host1 [flow_export_host2] configures a flow-export action. The event_type keyword is the name of the supported event being filtered. The flow_export_host argument is the IP address of a collector host, and the destination keyword introduces it. The command policy-map flow_export_policy defines the policy map that applies flow-export actions to the defined classes. The access-list is only needed when you want to export a subset of traffic; a class-default match exports everything without one.

Question 89
What does Cisco ISE use to collect endpoint attributes that are used in profiling?
A. probes
B. posture assessment
C. Cisco AnyConnect Secure Mobility Client
D. Cisco pxGrid
Answer: A
Explanation
The profiling service in Cisco Identity Services Engine (ISE) identifies the devices that connect to your network and their location. The endpoints are profiled based on the endpoint profiling policies configured in Cisco ISE. Cisco ISE then grants permission to the endpoints to access the resources in your network based on the result of the policy evaluation.
A network probe is a method used to collect an attribute or a set of attributes from an endpoint on your network. The probe allows you to create or update endpoints with their matched profile in the Cisco ISE database. Cisco ISE can profile devices using a number of network probes that analyze the behavior of devices on the network and determine the type of the device. Network probes help you to gain more network visibility.
Reference: https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/security/ise/26/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_010100.html.xml

Question 90
Client workstations are experiencing extremely poor response time. An engineer suspects that an attacker is eavesdropping and making independent connections while relaying messages between victims to make them think they are talking to each other over a private connection. Which feature must be enabled and configured to provide relief from this type of attack?
A. Link Aggregation
B. Reverse ARP
C. private VLANs
D. Dynamic ARP Inspection
Answer: D
Explanation
Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. DAI determines the validity of packets by checking the IP-to-MAC address binding against a trusted database (the DHCP snooping binding database) before forwarding the packet to the appropriate destination. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC-to-IP address bindings. This capability protects the network from certain man-in-the-middle attacks. Because DAI relies on the DHCP snooping bindings, DHCP snooping must be enabled first, and hosts with static addresses need ARP ACLs or static bindings or their ARP traffic will be dropped.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/122/25ew/configuration/guide/conf/dynarp.html

Question 91
Drag and drop the Cisco CWS redirection options from the left onto the capabilities on the right.
Answer:
+ location-independent, bandwidth-efficient option: ISR with CWS connector
+ extends identity information and on-premises features to the cloud: WSAv with CWS connector
+ provides user-group granularity and supports cloud-based scanning: NGFW with CWS connector
+ supports cached credentials and makes directory information available off-premises: Cisco AnyConnect client

Question 92
An engineer needs to configure a Cisco Secure Email Gateway (SEG) to prompt users to enter multiple forms of identification before gaining access to the SEG. The SEG must also join a cluster using the preshared key of cisc421555367. What steps must be taken to support this?
A. Enable two-factor authentication through a RADIUS server, and then join the cluster via the SEG GUI.
B. Enable two-factor authentication through a TACACS+ server, and then join the cluster via the SEG CLI.
C. Enable two-factor authentication through a RADIUS server, and then join the cluster via the SEG CLI.
D. Enable two-factor authentication through a TACACS+ server, and then join the cluster via the SEG GUI.
Answer: C
Explanation
The Cisco Email Security appliance supports two-factor authentication to ensure secure access when you log into your appliance. You can configure two-factor authentication for your appliance through any standard RADIUS server that complies with the relevant RFC. If you have enabled two-factor authentication on your appliance, you can join it to a cluster using pre-shared keys. Use the clusterconfig > prepjoin command in the CLI to configure this setting.
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa110/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_00.pdf

Question 93
Which action must be taken in the AMP for Endpoints console to detect specific MD5 signatures on endpoints and then quarantine the files?
A. Configure an advanced custom detection list
B. Configure an IP Block & Allow custom detection list
C. Configure an application custom detection list
D. Configure a simple custom detection list
Answer: A
Explanation
Advanced Custom Detections are like traditional antivirus signatures, but they are written by the user. These signatures can inspect various aspects of a file and have different signature formats. Some of the available signature formats are:
– MD5 signatures
…
Reference: https://cloudmanaged.ca/wp-content/uploads/2020/05/AMP-for-Endpoints-UserGuide.pdf
Therefore we can upload specific MD5 signatures to quarantine the files. A Simple Custom Detection list, by contrast, only takes SHA-256 hashes.

Question 94
An organization is using DNS services for their network and wants to help improve the security of the DNS infrastructure. Which action accomplishes this task?
A. Use DNSSEC between the endpoints and Cisco Umbrella DNS servers.
B. Modify the Cisco Umbrella configuration to pass queries only to non-DNSSEC capable zones.
C. Integrate Cisco Umbrella with Cisco CloudLock to ensure that DNSSEC is functional.
D. Configure Cisco Umbrella and use DNSSEC for domain authentication to authoritative servers.
Answer: D

Question 95
Which Cisco security solution secures public, private, hybrid, and community clouds?
A. Cisco ISE
B. Cisco ASAv
C. Cisco Cloudlock
D. Cisco pxGrid
Answer: C

Question 96
What is the target in a phishing attack?
A. perimeter firewall
B. IPS
C. web server
D. endpoint
Answer: D

Question 97
Which Cisco security solution provides patch management in the cloud?
A. Cisco Umbrella
B. Cisco ISE
C. Cisco CloudLock
D. Cisco Tetration
Answer: C

PART-2

Question 1
Which function is performed by certificate authorities but is a limitation of registration authorities?
A. CRL publishing
B. verifying user identity
C. certificate re-enrollment
D. accepts enrollment requests
Answer: A
Explanation
A Registration Authority (RA) is an authority in a network that verifies user requests for a digital certificate and tells the Certificate Authority (CA) to issue it. RAs are part of a public key infrastructure (PKI), a networked system that enables companies and users to exchange information and money safely and securely. An RA never holds the CA's signing key, so it can neither issue certificates nor sign and publish a CRL.
Certificate revocation list (CRL): a list of certificates, identified by serial number, that were issued by a CA but have since been revoked and as a result should not be trusted.

Question 2
Which encryption algorithm provides highly secure VPN communications?
A. DES
B. 3DES
C. AES 256
D. AES 128
Answer: C

Question 3
A hacker initiated a social engineering attack and stole usernames and passwords of some users within a company. Which product should be used as a solution to this problem?
A. Cisco NGFW
B. Cisco AMP for Endpoints
C. Cisco Duo
D. Cisco AnyConnect
Answer: C

Question 4
How does a WCCP-configured router identify if the Cisco WSA is functional?
A. If an ICMP ping fails three consecutive times between a router and the WSA, traffic is no longer transmitted to the router.
B. If an ICMP ping fails three consecutive times between a router and the WSA, traffic is no longer transmitted to the WSA.
C. The router sends a Here-I-Am message every 10 seconds, and the WSA acknowledges with an I-See-You message.
D. The WSA sends a Here-I-Am message every 10 seconds, and the router acknowledges with an I-See-You message.
Answer: D
Explanation
If WCCP proxy health checking is enabled, the WSA's WCCP daemon sends a proxy health check message (xmlrpc client request) to the xmlrpc server running on the Web proxy every 10 seconds. If the proxy is up and running, the WCCP service receives a response from the proxy and the WSA sends a WCCP "here I am" (HIA) message to the specified WCCP-enabled routers every 10 seconds. If the WCCP service doesn't receive a reply from the proxy, then HIA messages are not sent to the WCCP routers. After a WCCP router misses three consecutive HIA messages, the router removes the WSA from its service group and traffic is no longer forwarded to the WSA.
Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa110/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_0111.html

Question 5
What is a feature of NetFlow Secure Event Logging?
A. It exports only records that indicate significant events in a flow.
B. It supports v5 and v8 templates.
C. It filters NSEL events based on the traffic and event type through RSVP.
D. It delivers data records to NSEL collectors through NetFlow over TCP only.
Answer: A
Explanation
The ASA and ASASM implementations of NSEL provide a stateful, IP flow tracking method that exports only those records that indicate significant events in a flow, so answer A is correct.
The ASA and ASASM implementations of NSEL provide the following major functions:
…
+ Tracks configured NSEL collectors and delivers templates and data records to these configured NSEL collectors through NetFlow over UDP only, so answer D is not correct.
+ Filters NSEL events based on the traffic and event type through the Modular Policy Framework, then sends records to different collectors, so answer C is not correct.
Only NetFlow version 9 supports templates, so answer B is not correct.
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/general/asdm_71_general_config/monitor_nsel.pdf
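What the collector on the receiving end of the flow-export configuration from Questions 53 and 88 and of this NSEL question actually has to do, as an added worked example (not code from the page or from Cisco): parse a NetFlow v9 export whose Template FlowSet describes the record layout and whose Data FlowSet can only be decoded once that template has been seen. The export packet is constructed inside build_export(); the standard field IDs are the RFC 3954 ones, and 233 (NF_F_FW_EVENT) and 33002 (NF_F_FW_EXT_EVENT) are the NSEL firewall-event fields from Cisco's NSEL field list. Source ID, template ID 256, addresses and timestamps are made-up values.

```python
"""NetFlow v9 collector for the ASA's NetFlow Secure Event Logging export:
a Template FlowSet (ID 0) describes the record layout, Data FlowSets (ID =
template ID) carry fixed-size records that decode only once that template is
known. Added example, not code from the page or from Cisco; the export packet
is constructed in build_export(). Standard field IDs follow RFC 3954; 233
(NF_F_FW_EVENT) and 33002 (NF_F_FW_EXT_EVENT) are the NSEL event fields."""
import ipaddress
import struct

FIELD_NAMES = {8: "src_addr", 12: "dst_addr", 7: "src_port", 11: "dst_port",
               4: "protocol", 233: "fw_event", 33002: "fw_ext_event",
               323: "event_time_msec"}
FW_EVENT = {0: "default", 1: "flow-create", 2: "flow-delete", 3: "flow-denied",
            4: "flow-alert", 5: "flow-update"}
# NSEL extended event codes seen with flow-denied: 1001 ingress ACL,
# 1002 egress ACL, 1003 application inspection, 1004 first packet not TCP SYN
NSEL_LAYOUT = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1), (33002, 2), (323, 8)]


class NetFlowV9Collector:
    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(field_type, length), ...]
        self.undecodable = 0  # data FlowSets that arrived before their template

    def feed(self, packet):
        """Decode one export packet; returns the flow records it contained."""
        if len(packet) < 20:
            raise ValueError("short NetFlow header")
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not NetFlow v9 (NSEL needs v9 templates)")
        records, off = [], 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4 or off + fs_len > len(packet):
                raise ValueError("bad FlowSet length")
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                self._learn_templates(source_id, body)
            elif fs_id > 255:            # 1 = options template, ignored here
                records.extend(self._decode_data(source_id, fs_id, body))
            off += fs_len
        return records

    def _learn_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            if tid < 256:                # zero padding, not a template
                break
            off += 4
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.undecodable += 1        # a real collector buffers until the template arrives
            return []
        rec_len = sum(length for _, length in fields)
        out, off = [], 0
        while rec_len and off + rec_len <= len(body):   # trailing bytes are padding
            rec = {}
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = self._value(ftype, body[off:off + flen])
                off += flen
            out.append(rec)
        return out

    @staticmethod
    def _value(ftype, raw):
        if ftype in (8, 12) and len(raw) == 4:
            return str(ipaddress.IPv4Address(raw))
        n = int.from_bytes(raw, "big")
        return FW_EVENT.get(n, n) if ftype == 233 else n


def build_export(source_id, template_id, flows, seq=1):
    """Construct an NSEL-style packet: header, one Template FlowSet, one Data FlowSet."""
    tmpl = struct.pack("!HH", template_id, len(NSEL_LAYOUT))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in NSEL_LAYOUT)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b""
    for f in flows:
        data += ipaddress.IPv4Address(f["src"]).packed + ipaddress.IPv4Address(f["dst"]).packed
        data += struct.pack("!HHBBHQ", f["sport"], f["dport"], f["proto"], f["event"], f["ext"], f["msec"])
    pad = (-len(data)) % 4                                  # FlowSets are 4-octet aligned
    data_fs = struct.pack("!HH", template_id, 4 + len(data) + pad) + data + bytes(pad)
    header = struct.pack("!HHIIII", 9, 1 + len(flows), 1000, 1700000000, seq, source_id)
    return header + tmpl_fs + data_fs


def denied(records):
    """The records a SOC usually alerts on: flows the firewall dropped."""
    return [r for r in records if r.get("fw_event") == "flow-denied"]


def demo():
    flows = [dict(src="10.1.1.10", dst="172.16.1.100", sport=51234, dport=443, proto=6,
                  event=1, ext=0, msec=1700000000000),
             dict(src="10.1.1.11", dst="172.16.1.100", sport=51235, dport=23, proto=6,
                  event=3, ext=1001, msec=1700000000500)]
    pkt = build_export(source_id=0, template_id=256, flows=flows)
    collector = NetFlowV9Collector()
    data_only = pkt[:20] + pkt[20 + 4 + 4 + 4 * len(NSEL_LAYOUT):]  # drop the Template FlowSet
    early = collector.feed(data_only)            # template unknown: nothing decodes
    records = collector.feed(pkt)                # template learned, records decode
    return early, collector.undecodable, records
```

The first feed() in demo() is the practical reason behind flow-export template timeout-rate: a collector that starts (or restarts) between template refreshes cannot decode anything until the next template arrives, which is why the ASA examples on this page resend templates every minute rather than the default. Templates are also keyed per source ID, so two ASAs exporting template 256 with different layouts do not corrupt each other.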
Question 6
An administrator needs to configure the Cisco ASA via ASDM such that the network management system can actively monitor the host using SNMPv3. Which two tasks must be performed for this configuration? (Choose two)
A. Specify the SNMP manager and UDP port.
B. Specify a community string.
C. Add an SNMP USM entry.
D. Add an SNMP host access entry.
E. Specify an SNMP user group.
Answer: A D
Explanation
This is how to configure SNMP on your Cisco ASA using ASDM: the first order of business is to navigate to the SNMP configuration screen. Next, click on the Add button, and a new window appears.

Question 7
Which technology enables integration between Cisco ISE and other platforms to gather and share network and vulnerability data and SIEM and location information?
A. pxGrid
B. SNMP
C. NetFlow
D. Cisco Talos
Answer: A
Explanation
Cisco ISE uses Cisco Platform Exchange Grid (pxGrid) technology to share contextual data with leading SIEM and TD partner solutions.
Reference: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/at-a-glance-c45-732858.html

Question 8
A large organization wants to deploy a security appliance in the public cloud to form a site-to-site VPN and link the public cloud environment to the private cloud in the headquarters data center. Which Cisco security appliance meets these requirements?
A. Cisco Cloud Orchestrator
B. Cisco Stealthwatch Cloud
C. Cisco ASAv
D. Cisco WSAv
Answer: C

Question 9
What is a benefit of using Cisco Tetration?
A. It collects policy compliance data and process details.
B. It collects telemetry data from servers and then uses software sensors to analyze flow information.
C. It collects near-real time data from servers and inventories the software packages that exist on servers.
D. It collects enforcement data from servers and collects interpacket variation.
Answer: C
Explanation
Cisco Secure Workload (formerly Tetration) collects packet header metadata, process details and installed software package information. This is collected via the software sensors deployed on the workloads and made available as part of the solution. More detailed information is available in the Cisco Secure Workload product documentation. Below are the high-level details regarding the telemetry data that is collected by Cisco Secure Workload:
+ Flow information: Contains details about flow endpoints, protocols, and ports, when the flow started, how long the flow was active, etc.
+ Inter-packet variation: Captures any inter-packet variations seen within the flow, including variations in the packet’s Time to Live (TTL), IP/TCP flags, packet length, etc.
+ Process details: Captures processes executed on the server, including information about process parameters, start and stop time, process binary hash, etc.
+ Software packages: Inventory of all software packages installed on the server along with the version and publisher information.
+ Cisco Secure Workload forensics capability: If a customer turns on the Cisco Secure Workload forensics capability, additional Personally Identifiable Information may be collected.
Reference: https://trustportal.cisco.com/c/dam/r/ctp/docs/privacydatasheet/security/cisco-tetration-privacy-data-sheet.pdf

Question 10
Which standard is used to automate exchanging cyber threat information?
A. IoC
B. TAXII
C. MITRE
D. STIX
Answer: B
Explanation
Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII) are standards developed in an effort to improve the prevention and mitigation of cyber-attacks. STIX states the “what” of threat intelligence, while TAXII defines “how” that information is relayed. Unlike previous methods of sharing, STIX and TAXII are machine-readable and therefore easily automated.
TAXII should be the best answer here because it is Trusted Automated Exchange of Intelligence Information.

Question 11
Which security solution uses NetFlow to provide visibility across the network, data center, branch offices, and cloud?
A. Cisco Encrypted Traffic Analytics
B. Cisco CTA
C. Cisco Umbrella
D. Cisco Stealthwatch
Answer: D

Question 12
An email administrator is setting up a new Cisco ESA. The administrator wants to enable the blocking of greymail for the end user. Which feature must the administrator enable first?
A. IP Reputation Filtering
B. Anti-Virus Filtering
C. File Analysis
D. Intelligent Multi-Scan
Answer: D
Explanation
For graymail detection, anti-spam scanning must be enabled globally. This can be either the IronPort Anti-Spam, the Intelligent Multi-Scan feature, or Outbreak Filters.
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa120/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_01101.html

Question 13
Drag and drop the exploits from the left onto the type of security vulnerability on the right.
Answer:
path traversal: gives unauthorized access to web server files
cross-site request forgery: makes the client the target of attack
SQL injection: accesses or modifies application data
buffer overflow: causes memory access errors
Explanation
The directory traversal/path traversal attack (also known as dot dot slash attack) is an HTTP exploit that allows an attacker to access restricted files, directories and commands that reside outside the web server’s root directory.

Question 14
Which technology provides the benefit of Layer 3 through Layer 7 innovative deep packet inspection, enabling the platform to identify and output various applications within the network traffic flows?
A. Cisco ASAv
B. Cisco Prime Infrastructure
C. Cisco NBAR2
D. Account on Resolution
Answer: C
Explanation
Operating on Cisco IOS and Cisco IOS XE, NBAR2 utilizes innovative deep packet inspection (DPI) technology to identify a wide variety of applications within the network traffic flow, using L3 to L7 data.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/avc/guide/avc-user-guide/avc_tech_overview.pdf

Question 15
An organization must add new firewalls to its infrastructure and wants to use Cisco ASA or Cisco FTD. The chosen firewalls must provide methods of blocking traffic that include offering the user the option to bypass the block for certain sites after displaying a warning page and to reset the connection. Which solution should the organization choose?
A. Cisco ASA because it has an additional module that can be installed to provide multiple blocking capabilities, whereas Cisco FTD does not.
B. Cisco FTD because it enables interactive blocking and blocking with reset natively, whereas Cisco ASA does not.
C. Cisco FTD because it supports system rate level traffic blocking, whereas Cisco ASA does not.
D. Cisco ASA because it allows for interactive blocking and blocking with reset to be configured via the GUI, whereas Cisco FTD does not.
Answer: B
Explanation
Firepower Management Center Configuration Guide …
Interactive Block Response Page: Warns users, but also allows them to click a button (or refresh the page) to load the originally requested site. Users may have to refresh after bypassing the response page to load page elements that did not load.
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/http_response_pages_and_interactive_blocking.html

Question 16
An engineer is configuring web filtering for a network using Cisco Umbrella Secure Internet Gateway. The requirement is that all traffic needs to be filtered.
Using the SSL decryption feature, which type of certificate should be presented to the end-user to accomplish this goal?
A. third-party
B. SubCA
C. self-signed
D. organization owned root
Answer: D
Explanation
The SSL Decryption feature does require the root certificate be installed.
Reference: https://community.cisco.com/t5/security-blogs/cisco-umbrella-intelligent-proxy-and-ssl-decryption/ba-p/4453056

Question 17
Which two parameters are used to prevent a data breach in the cloud? (Choose two)
A. encryption
B. complex cloud-based web proxies
C. strong user authentication
D. antispoofing programs
E. DLP solutions
Answer: A C
Explanation
A data breach is a security violation or incident that leads to the theft of sensitive or critical data or its exposure to an unauthorized party. These incidents can be intentional, such as a database hack, or accidental, such as an employee emailing confidential files to the wrong recipient.
Two-factor authentication and secure access solutions for cloud apps make it more difficult for malicious hackers or insiders to compromise users, including those who work remotely or on a contract basis -> Answer C is correct.
Reference: https://www.cisco.com/c/en/us/products/security/what-is-data-breach.html#~how-to-prevent-a-breach
In the Data Breaches in Cloud Computing article, encryption is one of the top five methods to prevent data breach in the cloud -> Answer A is correct.

Question 18
What is the term for when an endpoint is associated to a provisioning WLAN that is shared with guest access, and the same guest portal is used as the BYOD portal?
A. streamlined access
B. multichannel GUI
C. single-SSID BYOD
D. dual-SSID BYOD
Answer: D
Explanation
If guest access uses one of the named guest accounts, the same guest portal can be used as the employee BYOD portal. This flow is called Dual-SSID BYOD, where the endpoint is associated to a provisioning WLAN which is typically shared with guest access.
Reference: https://community.cisco.com/t5/security-documents/ise-byod-dual-vs-single-ssid-onboarding/ta-p/3641422

Question 19
What is the function of the crypto isakmp key cisc414685095 address 192.168.50.1 255.255.255.255 command when establishing an IPsec VPN tunnel?
A. It prevents 192.168.50.1 from connecting to the VPN server.
B. It defines that data destined to 192.168.50.1 is going to be encrypted.
C. It configures the pre-shared authentication key for host 192.168.50.1.
D. It configures the local address for the VPN server 192.168.50.1.
Answer: C
Explanation
Note:
+ “address 192.168.50.1 255.255.255.255” means the remote peer is host 192.168.50.1.
+ The Phase 1 password is “cisc414685095”.

Question 20
Which CLI command is used to enable URL filtering support for shortened URLs on the Cisco ESA?
A. outbreakconfig
B. websecurityadvancedconfig
C. webadvancedconfig
D. websecurityconfig
Answer: B
Explanation
Enabling URL filtering support for shortened URLs can only be done from the CLI, using websecurityadvancedconfig.
Reference: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-00.html

Question 21
Which Cisco ASA deployment model is used to filter traffic between hosts in the same IP subnet using higher-level protocols without readdressing the network?
A. single context mode
B. routed mode
C. transparent mode
D. multiple context mode
Answer: C
Explanation
An ASA Firewall is capable of operating at Layer 2 when running in transparent mode. It has the ability to filter traffic between hosts using higher-level protocols (e.g. IP addressing and ports) without readdressing the network.
Reference: https://grumpy-networkers-journal.readthedocs.io/en/latest/VENDOR/CISCO/FIREWALL/ASA/TRANSPARENTFW.html

Question 22
Which open source tool does Cisco use to create graphical visualizations of network telemetry on Cisco IOS XE devices?
A. SNMP
B. Splunk
C. Grafana
D. InfluxDB
Answer: C
Explanation
Visualization with Grafana: Grafana is the visualization engine that is used to display the telemetry data.
Reference: https://blogs.cisco.com/developer/getting-started-with-model-driven-telemetry
Note: InfluxDB is used to store the telemetry data.

Question 23
Which Cisco DNA Center Intent API action is used to retrieve the number of devices known to a DNA Center?
A. GET https://fqdnOrIPofDnaCenterPlatform/dna/intent/api/v1/network-device/count
B. GET https://fqdnOrIPofDnaCenterPlatform/dna/intent/api/v1/network-device/startIndex/recordsToReturn
C. GET https://fqdnOrIPofDnaCenterPlatform/dna/intent/api/v1/network-device
D. GET https://fqdnOrIPofDnaCenterPlatform/dna/intent/api/v1/network-device?parameter1=value&parameter2=value&…
Answer: A
Explanation
Once the developer has the token, it is possible to get the network devices count:

    import requests
    BASE_URL = 'https://fqdnOrIPofDnaCenterPlatform'  # placeholder: FQDN or IP of the DNA Center platform
    headers = {'X-Auth-Token': '<token obtained in the previous step>'}  # placeholder for the real token
    DEVICES_COUNT_URL = '/dna/intent/api/v1/network-device/count'
    response = requests.get(BASE_URL + DEVICES_COUNT_URL, headers=headers, verify=False)
    print(response.json())

Reference: https://developer.cisco.com/docs/dna-center/#!devices/devices-api

Question 24
When NetFlow is applied to an interface, which component creates the flow monitor cache that is used to collect traffic based on the key and nonkey fields in the configured record?
A. flow sampler
B. flow exporter
C. records
D. flow monitor
Answer: D
Explanation
The NetFlow flow monitor component is used to provide the actual traffic monitoring on a configured interface. When a flow monitor is applied to an interface, a flow monitor cache is created that is used to collect the traffic based on the key and nonkey fields in the configured record.
Reference: https://www.ciscopress.com/articles/article.asp?p=1730890

Question 25
Refer to the exhibit.
    ASA# show service-policy sfr
    Global policy:
      Service-policy: global_policy
        Class-map: SFR
          SFR: card status Up, mode fail-open monitor-only
            packet input 0, packet output 44715478687, drop 0, reset-drop 0

What are two indications of the Cisco Firepower Services Module configuration? (Choose two)
A. The module is operating in IPS mode.
B. The module fails to receive redirected traffic.
C. Traffic is blocked if the module fails.
D. Traffic continues to flow if the module fails.
E. The module is operating in IDS mode.
Answer: D E
Explanation
In a passive deployment, a copy of the traffic is sent to the SFR service module, but it is not returned to the ASA. Passive mode allows you to view the actions that the SFR module would have completed in regards to the traffic. It also allows you to evaluate the content of the traffic, without an impact to the network. If you want to configure the SFR module in passive mode, use the monitor-only keyword. If you do not include the keyword, the traffic is sent in inline mode.

    ciscoasa(config-pmap-c)# sfr fail-open monitor-only

Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html
-> This SFR module is configured in passive mode (monitor-only) -> Answer E is correct.
In monitor-only mode, the input counters remain at zero -> Answer B is not correct.
The Cisco ASA 5500 security appliance is not just a plain firewall. With an add-on security module (AIP-SSM), you can transform the ASA 5500 into an IDS/IPS sensor as well. The Sensor operates in either “Promiscuous Mode” (IDS functionality) or “Inline Mode” (IPS functionality). In Promiscuous Mode, the sensor does not intervene in traffic flow, but just “sniffs” the traffic that passes through the firewall and takes appropriate actions in the event of an attack -> This module is operating in IDS mode.
Reference: https://www.networkstraining.com/cisco-ids-ips-module-for-cisco-asa-firewalls-aip-ssm/

Question 26
Why is it important for the organization to have an endpoint patching strategy?
A. so the organization can identify endpoint vulnerabilities
B. so the network administrator is notified when an existing bug is encountered
C. so the internal PSIRT organization is aware of the latest bugs
D. so the latest security fixes are installed on the endpoints
Answer: A

Question 27
On which system are InfluxDB and Grafana used to pull the data and display the visualization information?
A. Docker containers
B. Windows Server 2019
C. specialized Cisco Linux system
D. Windows Server 2016
Answer: C

Question 28
Which Cisco ASA Platform mode disables the threat detection features except for Advanced Threat Statistics?
A. routed
B. multiple context
C. cluster
D. transparent
Answer: B
Explanation
Cisco ASA Threat Detection does not support multiple context mode.
Reference: https://grumpy-networkers-journal.readthedocs.io/en/latest/VENDOR/CISCO/FIREWALL/ASA/THREATDETECT.html

Question 29
Which two parameters are used for device compliance checks? (Choose two)
A. device operating system version
B. DHCP snooping checks
C. Windows registry values
D. endpoint protection software version
E. DNS integrity checks
Answer: A D

Question 30
A network engineer entered the snmp-server user asmith myv7 auth sha cisco priv aes 256 cisc0414685095 command and needs to send SNMP information to a host at 10.255.255.1. Which command achieves this goal?
A. snmp-server host inside 10.255.255.1 version 3 asmith
B. snmp-server host inside 10.255.255.1 snmpv3 myv7
C. snmp-server host inside 10.255.255.1 snmpv3 asmith
D. snmp-server host inside 10.255.255.1 version 3 myv7
Answer: A
Explanation
The command snmp-server user asmith myv7 auth sha cisco priv aes 256 cisc0414685095 creates a user named “asmith” who belongs to group “myv7”.
The password for this user is “cisco” and “cisc0414685095” is the shared secret.
In order to send SNMP information to a remote host, we have to configure the username (not the password) in the “snmp-server host …” command. So the command must include “asmith” as the username. And we configure SNMPv3 by using the keyword “version 3”, not “snmpv3”.

Question 31
An engineer is configuring Cisco WSA and needs to enable a separated email transfer flow from the Internet and from the LAN. Which deployment mode must be used to accomplish this goal?
A. two-interface
B. single interface
C. multi-context
D. transparent
Answer: A
Explanation
The Cisco ESA can be deployed in different ways. Similar to the Cisco WSA, the Cisco ESA can be deployed with a single physical interface to filter email to and from your mail servers or in a two-interface configuration. When you configure the Cisco ESA with two interfaces, one interface is used for email transfers to and from the Internet and the other interface is used for email transfers to and from the internal servers.
Reference: CCNP And CCIE Security Core SCOR 350-701 Official Cert Guide

Question 32
A small organization needs to reduce the VPN bandwidth load on their headend Cisco ASA in order to ensure that bandwidth is available for VPN users needing access to corporate resources on the 10.0.0.0/24 local HQ network. How is this accomplished without adding additional devices to the network?
A. Configure VPN load balancing to send non-corporate traffic straight to the internet.
B. Use split tunneling to tunnel traffic for the 10.0.0.0/24 network only.
C. Configure VPN load balancing to distribute traffic for the 10.0.0.0/24 network.
D. Use split tunneling to tunnel all traffic except for the 10.0.0.0/24 network.
Answer: B

Question 33
Which benefit does DMVPN provide over GETVPN?
A. DMVPN can be used over the public Internet, and GETVPN requires a private network.
B. DMVPN is a tunnel-less VPN, and GETVPN is tunnel-based.
C. DMVPN supports QoS, multicast, and routing, and GETVPN supports only QoS.
D. DMVPN supports non-IP protocols, and GETVPN supports only IP protocols.
Answer: A
Explanation
DMVPN, FlexVPN and GETVPN comparison:
Note: GETVPN is a tunnel-less VPN while DMVPN is tunnel-based.

Question 34
Which system facilitates deploying microsegmentation and multi-tenancy services with a policy-based container?
A. Docker
B. SDLC
C. Lambda
D. Contiv
Answer: D
Explanation
Contiv is an Open Source Project to deliver Policy-Based container for Networking. The idea behind Contiv is to make it easier for end users to deploy micro-services in their environments. Contiv provides a higher level of networking abstraction for microservices. Contiv secures your application using a rich policy framework. It provides built-in service discovery and service routing for scale out services.
Reference: http://contiv.ciscolive.com/pod5/Intro/contiv_intro

Question 35
An engineer needs to configure an access control policy rule to always send traffic for inspection without using the default action. Which action should be configured for this rule?
A. monitor
B. allow
C. trust
D. block
Answer: B
Explanation
Monitor evaluates traffic first. Monitor rules track and log network traffic. The system continues to match traffic against additional rules to determine whether to permit or deny it. -> Therefore a monitor rule still uses the other rules below it, including the default action.
For an Allow rule, matching traffic is allowed; however, prohibited files, malware, intrusions, and exploits within that traffic are detected and blocked. Remaining non-prohibited, non-malicious traffic is allowed to its destination, though it is still subject to identity requirements and rate limiting.
You can configure Allow rules that perform only file inspection, or only intrusion inspection, or neither.
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/access_control_rules.html

Question 36
Which two functions does the Cisco Advanced Phishing Protection solution perform in trying to protect from phishing attacks? (Choose two)
A. uses a static algorithm to determine malicious
B. determines if the email messages are malicious
C. does a real-time user web browsing behavior analysis
D. blocks malicious websites and adds them to a block list
E. provides a defense for on-premises email deployments
Answer: B E
Explanation
Benefits of Cisco Advanced Phishing Protection …
+ Provides another layer of defense to more effectively secure your email environment -> Answer E is correct.
+ Automatically removes malicious emails from the recipient’s inbox and calls out identity deception techniques to prevent wire fraud or other advanced attacks -> Answer B is correct.
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa135/user_guide/b_ESA_Admin_Guide_13-5/m_advanced_phishing_protection.html

Question 37
What are two things to consider when using PAC files with the Cisco WSA? (Choose two)
A. If the WSA host port is changed, the default port redirects web traffic to the correct port automatically.
B. The WSA hosts PAC files on port 6001 by default.
C. PAC files use if-else statements to determine whether to use a proxy or a direct connection for traffic between the PC and the host.
D. By default, they direct traffic through a proxy when the PC and the host are on the same subnet.
E. The WSA hosts PAC files on port 9001 by default.
Answer: C E
Explanation
By default, the proxy PAC file would be hosted on port 9001. When using WSA to host PAC files, by default, we need to point the browser to the following location: http://WSA_IP:9001/pacfile.pac -> Answer B is not correct while answer E is correct.
The PAC file checks the local IP subnet address of the PC and then makes a decision based on IF / ELSE statement/s -> Answer C is correct.
If the default port is changed in the PAC file hosting settings, then we would need to change the port accordingly in the above URL -> Answer A is not correct.
Reference: https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118082-qanda-wsa-00.html

Question 38
When implementing transparent user identification for single sign-on with Internet Explorer, how is the redirect hostname configured?
A. as an IP address
B. as a FQDN
C. as a distinguished name
D. as a short host name
Answer: D
Explanation
Configuring Single-Sign-on
Obtaining credentials transparently facilitates a single-sign-on environment. Transparent user identification is an authentication realm setting. For Internet Explorer, be sure the Redirect Hostname is the short host name (containing no dots) or the NetBIOS name rather than a fully qualified domain.
Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa110/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html

Question 39
Which kind of service lets a user access a web application that is managed, updated, and maintained by the service provider?
A. IaC
B. IaaS
C. PaaS
D. SaaS
Answer: D

Question 40
What are two ways a network administrator transparently identifies users using Active Directory on the Cisco WSA? (Choose two)
A. Create NTLM or Kerberos authentication realm and enable transparent user identification
B. The eDirectory client must be installed on each client workstation
C. Deploy a separate eDirectory server; the client IP address is recorded in this server
D. Create an LDAP authentication realm and disable transparent user identification
E. Deploy a separate Active Directory agent such as Cisco Context Directory Agent
Answer: A E
Explanation
Transparently identify users with authentication realms – This option is available when one or more authentication realms are configured to support transparent identification using one of the following authentication servers:
Active Directory – Create an NTLM or Kerberos authentication realm and enable transparent user identification. In addition, you must deploy a separate Active Directory agent such as Cisco’s Context Directory Agent.
LDAP – Create an LDAP authentication realm configured as an eDirectory, and enable transparent user identification.
Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa110/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html

Question 41
Which technology limits communication between nodes on the same network segment to individual applications?
A. serverless infrastructure
B. machine-to-machine firewalling
C. SaaS deployment
D. microsegmentation
Answer: D
Explanation
Micro-segmentation creates secure zones across cloud and data center environments to isolate application workloads from one another and secure them individually.

Question 42
Which MDM configuration provides scalability?
A. BYOD support without extra appliance or licenses
B. enabling use of device features such as camera use
C. pushing WPA2-Enterprise settings automatically to devices
D. automatic device classification with level 7 fingerprinting
Answer: C
Explanation
Scalable endpoint configuration
Systems Manager also makes it easy to define and deploy network settings like wireless connectivity, security settings, and remote VPN access to all devices on your network at once. Instead of manually provisioning devices for network connectivity, or relying on end users to do so, configure settings such as WPA2-Enterprise in the dashboard, and let the cloud push the settings to end-user devices.
Reference: https://www.cloudwifiworks.com/Solutions-Mobile-Device-Management.asp

Question 43
Drag and drop the concepts from the left onto the correct descriptions on the right.
Answer:
BYOD: My Devices portal that allows users to register their device
posture assessment: Results can have a status of compliant or noncompliant
profiling: requires probes to collect attributes of connected endpoints
guest services: sponsor portal that is used to gain access to network resources
Explanation
Posture assessment includes a set of rules in a security policy that define a series of checks before an endpoint is granted access to the network. Posture assessment checks include the installation of operating system patches, host-based firewalls, antivirus and antimalware software, disk encryption, and more. -> Posture assessment can be compliant or noncompliant.
Cisco Identity Services Engine (Cisco ISE) guest services enable you to provide secure network access to guests such as visitors, contractors, consultants, and customers.
Sponsor Accounts: Use the Sponsor portal to create temporary accounts for authorized visitors to securely access your corporate network or the Internet. After creating the guest accounts, you can also use the Sponsor portal to manage these accounts and provide account details to the guests.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/24/admin_guide/b_ISE_admin_guide_24/m_ise_guest.html

Question 44
An engineer is configuring device-hardening on a router in order to prevent credentials from being seen if the router configuration was compromised. Which command should be used?
A. username <username> password <password>
B. username <username> privilege 15 password <password>
C. service password-recovery
D. service password-encryption
Answer: D

Question 45
What are two security benefits of an MDM deployment? (Choose two)
A. distributed software upgrade
B. robust security policy enforcement
C. on-device content management
D. privacy control checks
E. distributed dashboard
Answer: B C

Question 46
Refer to the exhibit.
The DHCP snooping database resides on router R1, and dynamic ARP inspection is configured only on switch SW2. Which ports must be configured as untrusted so that dynamic ARP inspection operates normally?
A. P2 and P3 only
B. P5, P6, and P7 only
C. P1, P2, P3, and P4 only
D. P2, P3, and P6 only
Answer: B
Explanation
In a typical network configuration for DAI, all ports connected to host ports are configured as untrusted, while all ports connected to switches are configured as trusted. With this configuration, all ARP packets entering the network from a given switch will have passed the security check.
Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity. Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/122/25ew/configuration/guide/conf/dynarp.html

Question 47
Which Cisco platform provides an agentless solution to provide visibility across the network including encrypted traffic analytics to detect malware in encrypted traffic without the need for decryption?
A. Cisco Advanced Malware Protection
B. Cisco Stealthwatch
C. Cisco Identity Services Engine
D. Cisco AnyConnect
Answer: B

Question 48
A network engineer is tasked with configuring a Cisco ISE server to implement external authentication against Active Directory. What must be considered about the authentication requirements? (Choose two)
A. RADIUS communication must be permitted between the ISE server and the domain controller
B. The ISE account must be a domain administrator in Active Directory to perform JOIN operations
C. Active Directory only supports user authentication by using MSCHAPv2
D. LDAP communication must be permitted between the ISE server and the domain controller
E. Active Directory supports user and machine authentication by using MSCHAPv2
Answer: D E
Explanation
Cisco ISE supports user and machine authentication and change password against Active Directory using EAP-FAST and PEAP with an inner method of Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) and Extensible Authentication Protocol-Generic Token Card (EAP-GTC) -> Answer C is not correct while answer E is correct.
The Active Directory username that you provide while joining to an Active Directory domain should be predefined in Active Directory and should have any one of the following permissions:
– Add the workstation to the domain to which you are trying to connect.
– On the computer where the Cisco ISE account was created, establish permissions for creating computer objects or deleting computer objects before you join Cisco ISE to the domain.
– Permissions for searching users and groups that are required for authentication.
-> Therefore the ISE account does not need to be a domain administrator in Active Directory -> Answer B is not correct.
Reference: https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html
ISE will use LDAP, KRB, and MSRBC to communicate with AD during the join/leave and authentication process -> Answer D is correct.
Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215233-identity-service-engine-ise-and-active.html

Question 49
Which CoA response code is sent if an authorization state is changed successfully on a Cisco IOS device?
A. CoA-ACK
B. CoA-NAK
C. CoA-MAB
D. CoA-NCL
Answer: A
Explanation
If an authorization state is changed successfully, a positive acknowledgment (ACK) is sent.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html

Question 50
What is a feature of container orchestration?
A. ability to deploy Amazon ECS clusters by using the Cisco Container Platform data plane
B. ability to deploy Kubernetes clusters in air-gapped sites
C. ability to deploy Amazon EKS clusters by using the Cisco Container Platform data plane
D. automated daily updates
Answer: B
Explanation
The ability to deploy Kubernetes clusters in air-gapped sites: Cisco Container Platform (CCP) tenant images contain all the necessary binaries and don’t need internet access to function.
Reference: https://www.cisco.com/c/en/us/products/cloud-systems-management/container-platform/index.html#~stickynav=3

Question 51
Which metric is used by the monitoring agent to collect and output packet loss and jitter information?
A. WSAv performance
B. AVC performance
C. RTP performance
D. OTCP performance
Answer: C
Explanation
The monitoring agent collects:
– TCP performance metrics such as bandwidth usage, response time, and latency.
– RTP performance metrics such as packet loss and jitter.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/avc/ios15-4-3T-ios-xe3-13/avc-user-guide-ios15-4-3T-ios-xe3-13.pdf

Question 52
Which solution for remote workers enables protection, detection, and response on the endpoint against known and unknown threats?
A. Cisco AMP for Endpoints
B. Cisco AnyConnect
C. Cisco Umbrella
D. Cisco Duo
Answer: A

Question 53
Which two components do southbound APIs use to communicate with downstream devices? (Choose two)
A. services running over the network
B. external application APIs
C. OpenFlow
D. applications running over the network
E. OpFlex
Answer: C E

Question 54
Which solution detects threats across a private network, public clouds, and encrypted traffic?
A. Cisco Stealthwatch
B. Cisco CTA
C. Cisco Encrypted Traffic Analytics
D. Cisco Umbrella
Answer: A
Explanation
Stealthwatch provides a consistent experience for detecting threats across private networks and multiple public clouds such as Microsoft Azure, Amazon Web Services, and Google Public Cloud. Stealthwatch closely monitors the activity of every device on the network and is able to create a baseline of normal behavior. Stealthwatch automatically normalizes traffic events gathered natively from your network telemetry and natively from flow logs generated by your cloud infrastructure, and presents you with a single view of the threats across your entire environment.
Reference: https://blogs.cisco.com/security/cisco-stealthwatch-becomes-the-only-security-analytics-product-to-detect-threats-across-private-networks-public-clouds-and-encrypted-traffic

Question 55
What limits communication between applications or containers on the same node?
A. microservicing
B. container orchestration
C. microsegmentation
D. Software-Defined Access
Answer: C
Explanation
Microservices are about dissecting applications into smaller units and running those units independently instead of running them in a monolithic application. But this question asks about communication between applications, so “microservicing” is not correct.
Micro-segmentation is a network security technique that isolates different workloads from one another within a data center. A workload can be broadly defined as the resources and processes needed to run an application. Hosts, virtual machines and containers are a few examples of workloads.

Question 56
Which Cisco security solution integrates with cloud applications like Dropbox and Office 365 while protecting data from being exfiltrated?
A. B. C. D.
Cisco Talos Cisco Stealthwatch Cloud Cisco Cloudlock Cisco Umbrella Investigate Answer: C Question 57 What do tools like Jenkins, Octopus Deploy, and Azure DevOps provide in terms of application and infrastructure automation? A. B. C. D. container orchestration cloud application security broker compile-time instrumentation continuous integration and continuous deployment Answer: D Question 58 Which type of attack is MFA an effective deterrent for? A. B. C. D. ping of death phishing teardrop syn flood Answer: B Explanation what types of cyberattacks does MFA protect against? + Phishing + Spear phishing + Keyloggers + Credential stuffing + Brute force and reverse brute force attacks + Man-in-the-middle (MITM) attacks Reference: https://www.onelogin.com/learn/mfa-types-of-cyber-attacks Question 59 An engineer enabled SSL decryption for Cisco Umbrella intelligent proxy and needs to ensure that traffic is inspected without alerting end-users. Which action accomplishes this goal? passyourccie@gmail.com A. B. C. D. Install the Cisco Umbrella root CA onto the user’s device. Modify the user’s browser settings to suppress errors from Cisco Umbrella. Upload the organization root CA to Cisco Umbrella. Restrict access to only websites with trusted third-party signed certificates. Answer: A Explanation Other features are dependent on SSL Decryption functionality, which requires the Cisco Umbrella root certificate. Having the SSL Decryption feature improves: Custom URL Blocking—Required to block the HTTPS version of a URL. … Umbrella’s Block Page and Block Page Bypass features present an SSL certificate to browsers that make connections to HTTPS sites. This SSL certificate matches the requested site but will be signed by the Cisco Umbrella certificate authority (CA). If the CA is not trusted by your browser, an error page may be displayed. 
Typical errors include "The security certificate presented by this website was not issued by a trusted certificate authority" (Internet Explorer), "The site's security certificate is not trusted!" (Google Chrome) or "This Connection is Untrusted" (Mozilla Firefox). Although the error page is expected, the message displayed can be confusing and you may wish to prevent it from appearing. To avoid these error pages, install the Cisco Umbrella root certificate into your browser or, if you're a network admin, into the browsers of your users.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/rebrand-cisco-certificate-importinformation

Question 60
A network engineer has configured an NTP server on a Cisco ASA. The Cisco ASA has IP reachability to the NTP server and is not filtering any traffic. The show ntp association detail command indicates that the configured NTP server is unsynchronized and has a stratum of 16. What is the cause of this issue?
A. Resynchronization of NTP is not forced
B. NTP is not configured to use a working server
C. An access list entry for UDP port 123 on the inside interface is missing
D. An access list entry for UDP port 123 on the outside interface is missing
Answer: B

Question 61
In which direction do attackers encode data in DNS requests during exfiltration using DNS tunneling?
A. inbound
B. north-south
C. east-west
D. outbound
Answer: D

Question 62
Which solution should be leveraged for secure access of a CI/CD pipeline?
A. SSL WebVPN
B. remote access client
C. Duo Network Gateway
D. Cisco FTD network gateway
Answer: C
Explanation
Continuous integration/continuous delivery, known as CI/CD, is a set of processes that help software development teams deliver code changes more frequently and reliably. CI/CD is part of DevOps, which helps shorten the software development lifecycle.
Using Cisco Secure Access by Duo will establish user-device trust and highly secure access to applications, to help you identify corporate versus personal devices with easy certificate deployment, block untrusted endpoints, and give users secure access to internal applications without using VPNs. Furthermore, Duo Network Gateway provides granular user and endpoint access control to CI/CD applications and infrastructure over HTTPS, SSH and RDP.
Reference: https://blogs.cisco.com/developer/cloudnativesecurity01
Also from https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/R6BGArNQ/TECSEC2768.pdf

Question 63
Which type of data exfiltration technique encodes data in outbound DNS requests to specific servers and can be stopped by Cisco Umbrella?
A. DNS tunneling
B. DNS flood attack
C. cache poisoning
D. DNS hijacking
Answer: A

Question 64
Which system performs compliance checks and remote wiping?
A. OTP
B. MDM
C. AMP
D. ISE
Answer: B
Explanation
The MDM service usually offers a "corporate wipe", which only deletes the vendor's configuration from the device (not the whole device). The user can also remove the files. For example, on an iOS device, the user can go to the Settings > General > Device management window, and click Remove Management. Or the user can go to the MyDevices portal in Cisco ISE and click Corporate Wipe.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/24/admin_guide/b_ISE_admin_guide_24/m_ise_interoperability_mdm.html
MDM can also perform periodic compliance checks.

Question 65
Why is it important to patch endpoints consistently?
A. Patching helps to mitigate vulnerabilities.
B. Patching reduces the attack surface of the infrastructure.
C. Patching is required per the vendor contract.
D. Patching allows for creating a honeypot.
Answer: A

Question 66
What are two facts about WSA HTTP proxy configuration with a PAC file? (Choose two)
A. It is defined as a Transparent proxy deployment.
B. In a dual-NIC configuration, the PAC file directs traffic through the two NICs to the proxy.
C. The PAC file, which references the proxy, is deployed to the client web browser.
D. It is defined as an Explicit proxy deployment.
E. It is defined as a Bridge proxy deployment.
Answer: C D
Explanation
A Proxy Auto-Configuration (PAC) file is a JavaScript function that instructs a browser to forward traffic to a proxy server instead of directly to the destination server. PAC files are used to support explicit proxy deployments (-> Answer A and answer E are not correct while answer D is correct), in which client browsers are explicitly configured to send traffic to the web proxy. The big advantage of PAC files is that they are usually relatively easy to create and maintain.
When a user initiates a browser session, a request is sent to a proxy server to download the Proxy Auto-Configuration (PAC) file to the client PC -> Answer C is correct.

Question 67
How does Cisco Umbrella protect clients when they operate outside of the corporate network?
A. by modifying the registry for DNS lookups
B. by using Active Directory group policies to enforce Cisco Umbrella DNS servers
C. by forcing DNS queries to the corporate name servers
D. by using the Cisco Umbrella roaming client
Answer: D
Explanation
Umbrella Roaming is a cloud-delivered security service for Cisco's next-generation firewall. It protects your employees even when they are off the VPN.

Question 68
Which function is included when Cisco AMP is added to web security?
A. multifactor, authentication-based user identity
B. detailed analytics of the unknown file's behavior
C. phishing detection on emails
D. threat prevention on an infected endpoint
Answer: B
Explanation
File Sandboxing provides you with the ability to analyze unknown files that are traversing the Cisco Web Security gateway.
Reference: https://www.cisco.com/c/dam/global/th_th/assets/docs/seminar/AMP_WSA.pdf

Question 69
When a next-generation endpoint security solution is selected for a company, what are two key deliverables that help justify the implementation? (Choose two)
A. continuous monitoring of all files that are located on connected endpoints
B. macro-based protection to keep connected endpoints safe
C. signature-based endpoint protection on company endpoints
D. email integration to protect endpoints from malicious content that is located in email
E. real-time feeds from global threat intelligence centers
Answer: A E

Question 70
Which two actions does the Cisco Identity Services Engine posture module provide that ensure endpoint security? (Choose two)
A. The latest antivirus updates are applied before access is allowed.
B. Assignments to endpoint groups are made dynamically, based on endpoint attributes.
C. Patch management remediation is performed.
D. A centralized management solution is deployed.
E. Endpoint supplicant configuration is deployed.
Answer: A C
Explanation
You can create a patch management remediation, which updates clients with up-to-date file definitions for compliance after remediation.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/24/admin_guide/b_ISE_admin_guide_24/m_client_posture_policies.html

Question 71
Why should organizations migrate to a multifactor authentication strategy?
A. Single methods of authentication can be compromised more easily than MFA.
B. Biometrics authentication leads to the need for MFA due to its ability to be hacked easily.
C. MFA methods of authentication are never compromised.
D. MFA does not require any piece of evidence for an authentication mechanism.
Answer: A

Question 72
What is the purpose of joining Cisco WSAs to an appliance group?
A. All WSAs in the group can view file analysis results
B. It simplifies the task of patching multiple appliances
C. It supports cluster operations to expedite the malware analysis process
D. The group supports improved redundancy
Answer: A
Explanation
You must join all managed appliances to the same appliance group in order to allow all content security appliances in your organization to display detailed results in the cloud about files sent for analysis from any Cisco Email Security appliance or Cisco Web Security appliance in your organization.
Reference: https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma140/b_sma_admin_guide_14_0/b_NGSMA_Admin_Guide_chapter_0111.html

Question 73
Which Cisco solution extends network visibility, threat detection, and analytics to public cloud environments?
A. Cisco Umbrella
B. Cisco Stealthwatch Cloud
C. Cisco AppDynamics
D. Cisco CloudLock
Answer: B

Question 74
Which two Cisco ISE components must be configured for BYOD? (Choose two)
A. central WebAuth
B. local WebAuth
C. null WebAuth
D. guest
E. dual
Answer: A D

Question 75
Which configuration method provides the options to prevent physical and virtual endpoint devices that are in the same base EPG or uSeg from being able to communicate with each other with VMware VDS or Microsoft vSwitch?
A. inter-EPG isolation
B. intra-EPG isolation
C. inter-VLAN security
D. placement in separate EPGs
Answer: B
Explanation
Intra-EPG Isolation is an option to prevent physical or virtual endpoint devices that are in the same base EPG or uSeg EPG from communicating with each other. By default, endpoint devices included in the same EPG are allowed to communicate with one another. However, conditions exist in which total isolation of the endpoint devices from one another within an EPG is desirable. For example, you may want to enforce intra-EPG isolation if the endpoint VMs in the same EPG belong to multiple tenants, or to prevent the possible spread of a virus.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/3x/virtualization/b_ACI_Virtualization_Guide_3_1_1/b_ACI_Virtualization_Guide_3_1_1_chapter_0101.html

Question 76
In which scenario is endpoint-based security the solution?
A. inspecting encrypted traffic
B. device profiling and authorization
C. performing signature-based application control
D. inspecting a password-protected archive
Answer: D

Question 77
What are two ways that Cisco Container Platform provides value to customers who utilize cloud service providers? (Choose two)
A. allows developers to create code once and deploy to multiple clouds
B. helps maintain source code for cloud deployments
C. manages Docker containers
D. manages Kubernetes clusters
E. creates complex tasks for managing code
Answer: A D

Question 78
What is the recommendation in a zero-trust model before granting access to corporate applications and resources?
A. to use multifactor authentication
B. to use strong passwords
C. to use a wired network, not wireless
D. to disconnect from the network when inactive
Answer: A

Question 79
An organization must add new firewalls to its infrastructure and wants to use Cisco ASA or Cisco FTD. The chosen firewalls must provide methods of blocking traffic that include offering the user the option to bypass the block for certain sites after displaying a warning page and to reset the connection. Which solution should the organization choose?
A. Cisco FTD because it supports system rate level traffic blocking, whereas Cisco ASA does not
B. Cisco ASA because it allows for interactive blocking and blocking with reset to be configured via the GUI, whereas Cisco FTD does not.
C. Cisco FTD because it enables interactive blocking and blocking with reset natively, whereas Cisco ASA does not
D. Cisco ASA because it has an additional module that can be installed to provide multiple blocking capabilities, whereas Cisco FTD does not.
Answer: C

Question 80
Which IETF attribute is supported for the RADIUS CoA feature?
A. 81 Message-Authenticator
B. 30 Calling-Station-ID
C. 42 Acct-Session-ID
D. 24 State
Answer: D
Explanation
The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes for a user or user group in AAA, administrators can send the RADIUS CoA packets from the AAA server, such as a Cisco Secure Access Control Server (ACS), to reinitialize authentication and apply the new policy.
The following table shows the IETF attributes that are supported for the RADIUS Change of Authorization (CoA) feature.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-1610/sec-usr-aaa-xe-16-10-book/sec-rad-coa.pdf

Question 81
Which Cisco cloud security software centrally manages policies on multiple platforms such as Cisco ASA, Cisco Firepower, Cisco Meraki, and AWS?
A. Cisco Secureworks
B. Cisco Configuration Professional
C. Cisco Defense Orchestrator
D. Cisco DNAC
Answer: C
Explanation
Cisco Defense Orchestrator is a cloud-based management solution that allows you to manage security policies and device configurations with ease across multiple Cisco and cloud-native security platforms.
Cisco Defense Orchestrator features:
….
Management of hybrid environments: Managing a mix of firewalls running the ASA, FTD, and Meraki MX software is now easy, with the ability to share policy elements across platforms.
Reference: https://www.cisco.com/c/en/us/products/collateral/security/defenseorchestrator/datasheet-c78-736847.html

Question 82
Which Cisco DNA Center Intent API action is used to retrieve the number of devices known to a DNA Center?
A. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/network-device/count
B. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/network-device
C. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/networkdevice?parameter1=value&parameter2=value&….
D. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/networkdevice/startIndex/recordsToReturn
Answer: A
Explanation
"/dna/intent/api/v1/network-device/count"
Description: Returns the count of network devices based on the filter criteria by management IP address, MAC address, hostname and location name.
Reference: https://developer.cisco.com/docs/dna-center/#!get-device-count-1

Question 83
What is the difference between a vulnerability and an exploit?
A. A vulnerability is a hypothetical event for an attacker to exploit
B. An exploit is a hypothetical event that causes a vulnerability in the network
C. An exploit is a weakness that can cause a vulnerability in the network
D. A vulnerability is a weakness that can be exploited by an attacker
Answer: D
Explanation
A vulnerability is a weakness in a software system. An exploit is an attack that leverages that vulnerability.

Question 84
An administrator needs to configure the Cisco ASA via ASDM such that the network management system can actively monitor the host using SNMPv3. Which two tasks must be performed for this configuration? (Choose two)
A. Specify the SNMP manager and UDP port.
B. Specify an SNMP user group
C. Specify a community string.
D. Add an SNMP USM entry
E. Add an SNMP host access entry
Answer: A E
Explanation
This is how to configure SNMP on your Cisco ASA using ASDM:
The first order of business is to navigate to the screen shown below:
Next, click on the Add button above and the window below appears:

Question 85
Which Cisco security solution determines if an endpoint has the latest OS updates and patches installed on the system?
A. Cisco Endpoint Security Analytics
B. Cisco AMP for Endpoints
C. Endpoint Compliance Scanner
D. Security Posture Assessment Service
Answer: D

Question 86
When a transparent authentication fails on the Web Security Appliance, which type of access does the end user get?
A. guest
B. limited Internet
C. blocked
D. full Internet
Answer: C

Question 87
Using Cisco Cognitive Threat Analytics, which platform automatically blocks risky sites, and tests unknown sites for hidden advanced threats before allowing users to click them?
A. Cisco Identity Services Engine
B. Cisco Enterprise Security Appliance
C. Cisco Web Security Appliance
D. Cisco Advanced Stealthwatch Appliance
Answer: C

Question 88
Which technology provides a combination of endpoint protection, endpoint detection, and response?
A. Cisco AMP
B. Cisco Talos
C. Cisco Threat Grid
D. Cisco Umbrella
Answer: A

Question 89
When a Cisco WSA checks a web request, what occurs if it is unable to match a user-defined policy?
A. It blocks the request.
B. It applies the global policy.
C. It applies the next identification profile policy.
D. It applies the advanced policy.
Answer: B

Question 90
Which solution supports high availability in routed or transparent mode as well as in northbound and southbound deployments?
A. Cisco FTD with Cisco ASDM
B. Cisco FTD with Cisco FMC
C. Cisco Firepower NGFW physical appliance with Cisco FMC
D. Cisco Firepower NGFW Virtual appliance with Cisco FMC
Answer: B

Question 91
Which endpoint protection and detection feature performs correlation of telemetry, files, and intrusion events that are flagged as possible active breaches?
A. retrospective detection
B. elastic search
C. file trajectory
D. indication of compromise
Answer: D
Explanation
Indications of compromise (IoCs): File and telemetry events are correlated and prioritized as potential active breaches.
AMP automatically correlates multisource security event data, such as intrusion and malware events, to help security teams connect events to larger, coordinated attacks and also prioritize high-risk events.
Reference: https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/advancedmalware-protection/solution-overview-c22-734228.html

Question 92
Which RADIUS feature provides a mechanism to change the AAA attributes of a session after it is authenticated?
A. Authorization
B. Accounting
C. Authentication
D. CoA
Answer: D

Question 93
Which two authentication protocols are supported by the Cisco WSA? (Choose two)
A. WCCP
B. NTLM
C. TLS
D. SSL
E. LDAP
Answer: B E

Question 94
Which technology should be used to help prevent an attacker from stealing usernames and passwords of users within an organization?
A. RADIUS-based REAP
B. fingerprinting
C. Dynamic ARP Inspection
D. multifactor authentication
Answer: D
Explanation
Credential stuffing is a type of cyberattack in which a cybercriminal uses stolen usernames and passwords from one organization (obtained in a breach or purchased off of the dark web) to access user accounts at another organization.
How To Prevent Credential Stuffing Attacks
Most people know password reuse is unsafe but choose to use the same password on multiple sites anyway because they have roughly 100 passwords to remember. Password managers are an option, but adoption rates are low. So to prevent credential stuffing attacks, it's up to organizations to take measures — such as removing passwords altogether — to ensure cybercriminals can't use stolen credentials to access their users' accounts. Below are several methods for doing so.
…
Multi-factor authentication (MFA) is a highly effective way to prevent credential stuffing because it requires users to log in with another form of authentication in addition to a username-password combination.
For example, this could mean biometric authentication such as a fingerprint, a one-time code sent to a device associated with the user, or an email sent to a secured account — none of which a cybercriminal will have access to.
Reference: https://auth0.com/blog/what-is-credential-stuffing/

Question 95
Which baseline form of telemetry is recommended for network infrastructure devices?
A. SDNS
B. NetFlow
C. passive taps
D. SNMP
Answer: D

Question 96
Refer to the exhibit. Consider that any feature of DNS requests, such as the length of the domain name and the number of subdomains, can be used to construct models of expected behavior to which observed values can be compared. Which type of malicious attack are these values associated with?
A. Spectre Worm
B. Eternal Blue Windows
C. Heartbleed SSL Bug
D. W32/AutoRun worm
Answer: D

Question 97
Drag and drop the posture assessment flow actions from the left into a sequence on the right.
Answer:
Step 1: Validate user credentials
Step 2: Permit just enough for the posture assessment
Step 3: Check device compliance with security policy
Step 4: Apply updates or take other necessary action
Step 5: Grant appropriate access with compliant device

Question 98
Which Cisco WSA feature supports access control using URL categories?
A. transparent user identification
B. SOCKS proxy services
C. web usage controls
D. user session restrictions
Answer: C
Explanation
Using policy groups, you can create secure policies that control access to web sites containing questionable content. The sites that are blocked, allowed, or decrypted depend on the categories you select when setting up category blocking for each policy group. To control user access based on a URL category, you must enable Cisco Web Usage Controls.
Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa117/user_guide/b_WSA_UserGuide_11_7/b_WSA_UserGuide_11_7_chapter_01001.html

Question 99
What is an advantage of the Cisco Umbrella roaming client?
A. the ability to see all traffic without requiring TLS decryption
B. visibility into IP-based threats by tunneling suspicious IP connections
C. the ability to dynamically categorize traffic to previously uncategorized sites
D. visibility into traffic that is destined to sites within the office environment
Answer: B
Explanation
The Umbrella roaming client enables security at the DNS and IP layers, in the cloud, no matter where the endpoint is located. The client simply forwards DNS requests or tunnels suspect IP connections to the Umbrella global network.
Reference: https://learn-umbrella.cisco.com/feature-briefs/lightweight-transparent-roaming-client

Question 100
An organization has DHCP servers set up to allocate IP addresses to clients on the LAN. What must be done to ensure the LAN switches prevent malicious DHCP traffic while also distributing IP addresses to the correct endpoints?
A. Configure Dynamic ARP Inspection and add entries in the DHCP snooping database
B. Configure DHCP snooping and set an untrusted interface for all clients
C. Configure Dynamic ARP Inspection and antispoofing ACLs in the DHCP snooping database
D. Configure DHCP snooping and set a trusted interface for the DHCP server
Answer: D
Explanation
Dynamic ARP inspection is a security feature that validates ARP packets in a network. Dynamic ARP inspection determines the validity of packets by performing an IP-to-MAC address binding inspection against a trusted database (the DHCP snooping binding database) before forwarding the packet to the appropriate destination. But this question asks about preventing malicious DHCP traffic, so DHCP snooping is the better choice.
DHCP snooping is a feature which allows a Cisco switch to inspect DHCP traffic traversing a layer two segment and track which IP addresses have been assigned to hosts on which switch ports.
We need to set a trusted interface (the one connected to the real DHCP server) because all interfaces are untrusted by default.

Question 101
Refer to the exhibit. What is the result of the Python script?
A. It uses the POST HTTP method to obtain a username and password to be used for authentication
B. It uses the POST HTTP method to obtain a token to be used for authentication
C. It uses the GET HTTP method to obtain a token to be used for authentication
D. It uses the GET HTTP method to obtain a username and password to be used for authentication
Answer: B

Question 102
Which solution stops unauthorized access to the system if a user's password is compromised?
A. VPN
B. MFA
C. AMP
D. SSL
Answer: B

Question 103
Which feature enables a Cisco ISR to use the default bypass list automatically for web filtering?
A. filters
B. group key
C. company key
D. connector
Answer: D

Question 104
Which industry standard is used to integrate Cisco ISE and pxGrid to each other and with other interoperable security platforms?
A. IEEE
B. IETF
C. NIST
D. ANSI
Answer: B

Question 105
What is a function of the Layer 4 Traffic Monitor on a Cisco WSA?
A. blocks traffic from URL categories that are known to contain malicious content
B. decrypts SSL traffic to monitor for malicious content
C. monitors suspicious traffic across all the TCP/UDP ports
D. prevents data exfiltration by searching all the network traffic for specified sensitive information
Answer: C
Explanation
The Web Security appliance has an integrated Layer-4 Traffic Monitor that detects rogue traffic across all network ports and stops malware attempts to bypass port 80.
Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa110/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_010110.html

Question 106
Which solution is made from a collection of secure development practices and guidelines that developers must follow to build secure applications?
A. OWASP
B. Fuzzing Framework
C. Radamsa
D. AFL
Answer: A
Explanation
OWASP secure coding is a set of secure coding best practices and guidelines put out by the Open Source Foundation for Application Security. It outlines both general software security principles and secure coding requirements.
Reference: https://snyk.io/learn/secure-coding-practices/

Question 107
What is the process of performing automated static and dynamic analysis of files against preloaded behavioral indicators for threat analysis?
A. deep visibility scan
B. point-in-time checks
C. advanced sandboxing
D. advanced scanning
Answer: C

Question 108
Which Cisco ISE service checks the compliance of endpoints before allowing the endpoints to connect to the network?
A. posture
B. profiler
C. Cisco TrustSec
D. Threat Centric NAC
Answer: A
Explanation
Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the compliance, also known as posture, of endpoints before allowing them to connect to your network.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/22/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010111.html

Question 109
Refer to the exhibit.
import requests
client_id = 'a1b2c3d4e5f6g7h8i9j0'
api_key = 'a1b2c3d4-e5f6-g7h8-i9j0k1l2m3n4o5p6'
What does the API key do while working with https://api.amp.cisco.com/v1/computers?
A. displays client ID
B. HTTP authorization
C. Imports requests
D. HTTP authentication
Answer: D
Explanation
Use API keys for APIs and data extraction. API keys authenticate your client application with Cisco GMM and include an access key ID and a secret access key in place of a username and password. API keys are used by partners who do not have access to the Cisco GMM Cloud Application.
For example, use API Keys to: Securely authenticate API calls from external systems Reference: https://developer.cisco.com/docs/GMM/#!generate-api-keys/generate-api-keys Question 110 How does the Cisco WSA enforce bandwidth restrictions for web applications? passyourccie@gmail.com A. It implements a policy route to redirect application traffic to a lower-bandwidth link B. It dynamically creates a scavenger class QoS policy and applies it to each client that connects through the WSA C. It sends commands to the uplink router to apply traffic policing to the application traffic D. It simulates a slower link by introducing latency into application traffic Answer: D Explanation Defining bandwidth limits only throttles the data going to users. It does not block data based on reaching a quota. The Web Proxy introduces latency into each application transaction to mimic a slower link to the server. Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa118/user_guide/b_WSA_UserGuide_11_8/b_WSA_UserGuide_11_7_chapter_01111.html Question 111 Which feature within Cisco ISE verifies the compliance of an endpoint before providing access to the network? A. B. C. D. Posture Profiling pxGrid MAB Answer: A Question 112 Which Cisco AMP feature allows an engineer to look back to trace past activities, such as file and process activity on an endpoint? A. B. C. D. endpoint isolation advanced search advanced investigation retrospective security Answer: D passyourccie@gmail.com Part-3 Question 1 Refer to the exhibit. What does this python script accomplish? A. It lists the LDAP users from the external identity store configured on Cisco ISE B. It authenticates to a Cisco ISE server using the username of ersad C. It allows authentication with TLSv1 SSL protocol D. 
It authenticates to a Cisco ISE with an SSH connection Answer: A Explanation In this question the username of “ersad” is just an example and it is in the comment section (which is started by a #) so it has no effect on the script. In fact the username will be taken from the second argument of the command. For example, suppose the file name of the above script is “Internal_user.py” then if we call the script with the command: python Internal_user.py 192.168.1.10 digitaltut digitaltutPassWord! Then the username would be “digitaltut”. -> Answer B is not correct. From the line “conn = http.client.HTTPSConnection(“{}:9060″.format(host), context=ssl.SSLContext(ssl.PROTOCOL_TLSv1_2))”, we specify we are using TLS version 1.2 as the channel encryption protocol (not TLSv1) -> Answer C is not correct. Also from the line above, we are using HTTPS to make a request. It is different from a SSH connection so answer D is not correct. passyourccie@gmail.com -> Therefore only answer A is left. Note: The purpose of this Python script is used to get the guest users through ISE External RESTful Services (ERS) API. ERS is designed to allow external clients to perform CRUD (Create, Read, Update, Delete) operations on Cisco ISE resources. Question 2 Refer to the exhibit. ntp authentication-key 10 md5 cisco123 ntp trusted-key 10 A network engineer is testing NTP authentication and realizes that any device synchronizes time with this router and that NTP authentication is not enforced. What is the cause of this issue? A. The hashing algorithm that was used was MD5 which is unsupported. B. The key was configured in plain text. C. NTP authentication is not enabled. D. The router was not rebooted after the NTP configuration updated Answer: C Explanation In order to enable NTP, we need an additional command “ntp authenticate”. Question 3 Refer to the exhibit. How does Cisco Umbrella manage traffic that is directed toward risky domains? A. 
Traffic is managed by the application settings, unhandled and allowed B. Traffic is allowed but logged C. Traffic is managed by the security settings and blocked D. Traffic is proxied through the intelligent proxy Answer: D Explanation passyourccie@gmail.com The ‘greylist’ of risky domains is compromised of domains that host both malicious and safe content—we consider these “risky” domains. These sites often allow users to upload and share content—making them difficult to police, even for the admins of the site. There’s no reason to proxy requests to domains that are already known to be safe or bad. Umbrella’s intelligent proxy only routes the requests for risky domains for deeper inspection -> Answer D is correct. Reference: https://docs.umbrella.com/deployment-msp/docs/what-is-the-intelligent-proxy Question 4 An administrator is adding a new Cisco ISE node to an existing deployment. What must be done to ensure that the addition of the node will be successful when inputting the FQDN? A. B. C. D. Change the IP address of the new Cisco ISE node to the same network as the others Make the new Cisco ISE node a secondary PAN before registering it with the primary Open port 8905 on the firewall between the Cisco ISE nodes Add the DNS entry for the new Cisco ISE node into the DNS server Answer: D Explanation You can register Cisco ISE nodes to the primary PAN to form a multinode deployment. Nodes in a deployment other than the primary PAN are referred to as secondary nodes. … Ensure that the primary PAN and the node being registered are DNS resolvable to each other. … Step 4. Enter the DNS-resolvable fully qualified domain name (FQDN) of the standalone node that you are going to register (in the format hostname.domain-name, for example, abc.xyz.com). The FQDN of the primary PAN and the node being registered must be resolvable from each other. 
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/27/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_deployment.html Question 5 Refer to the exhibit. crypto ikev2 name-mangler MANGLER dn organization-unit An engineer is implementing a certificate based VPN. What is the result of the existing configuration? A. The OU of the IKEv2 peer certificate is used as the identity when matching an IKEv2 authorization policy B. Only an IKEv2 peer that has an OU certificate attribute set to MANGLER establishes an IKEv2 SA successfully C. The OU of the IKEv2 peer certificate is encrypted when the OU is set to MANGLER D. The OU of the IKEv2 peer certificate is set to MANGLER Answer: A Question 6 An organization wants to implement a cloud-delivered and SaaS-based solution to provide visibility and threat detection across the AWS network. The solution must be deployed without software agents and rely on AWS VPC flow logs instead. Which solution meets these requirements? passyourccie@gmail.com A. B. C. D. Cisco Stealthwatch Cloud Cisco Umbrella NetFlow collectors Cisco Cloudlock Answer: A Question 7 How is data sent out to the attacker during a DNS tunneling attack? A. B. C. D. as part of the UDP’53 packet payload as part of the domain name as part of the TCP/53 packet header as part of the DNS response packet Answer: B Question 8 A network engineer must configure a Cisco ESA to prompt users to enter two forms of information before gaining access. The Cisco ESA must also join a cluster machine using preshared keys. What must be configured to meet these requirements? A. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco ESA CLI B. Enable two-factor authentication through a RADIUS server and then join the cluster by using the Cisco ESA GUI C. Enable two-factor authentication through a TACACS+ server and then join the cluster by using the Cisco ESA GUI D. 
Enable two-factor authentication through a TACACS+ server and then join the cluster by using the Cisco ESA CLI Answer: A Explanation You cannot create or join a cluster from the Graphical User Interface (GUI). You must use the Command Line Interface (CLI) to create, join, or configure clusters of machines. Once you have created a cluster, you can change configuration settings from either the GUI or the CLI. Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa110/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_0100111.html Cisco ESA does not support TACACS+ server. Question 9 What is the term for having information about threats and threat actors that helps mitigate harmful events that would otherwise compromise networks or systems? A. B. C. D. trusted automated exchange Indicators of Compromise The Exploit Database threat intelligence Answer: D Explanation Threat intelligence is referred to as the knowledge about an existing or emerging threat to assets, including networks and systems. Threat intelligence includes context, mechanisms, indicators of compromise (IoCs), implications, and actionable advice. Threat intelligence is referred to as the passyourccie@gmail.com information about the observables, IoCs intent, and capabilities of internal and external threat actors and their attacks. Reference: CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide. Question 10 Which Cisco platform processes behavior baselines, monitors for deviations, and reviews for malicious processes in data center traffic and servers while performing software vulnerability detection? A. B. C. D. Cisco Tetration Cisco ISE Cisco AMP for Network Cisco AnyConnect Answer: A Explanation What use cases are supported by the Cisco Secure Workload platform (formerly Tetration)? A. 
The platform supports the following use cases: … + Process behavior baseline and deviation: Collect the complete process inventory along with the process hash information, baseline the behavior, and identify deviations. + Software inventory and vulnerability detection: Identify all the software packages and versions installed on the servers. Using the Common Vulnerabilities and Exposures (CVE) database and additional data feeds, detect if there are any associated vulnerabilities or exposures and take action to protect against active exploit. Reference: https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetrationanalytics/q-and-a-c67-737402.html Question 11 Which portion of the network do EPP solutions solely focus on and EDR solutions do not? A. B. C. D. server farm perimeter core East-West gateways Answer: B Question 12 What is a benefit of using Cisco CWS compared to an on-premises Cisco WSA? A. Cisco CWS eliminates the need to backhaul traffic through headquarters for remote workers whereas Cisco WSA does not B. Cisco CWS minimizes the load on the internal network and security infrastructure as compared to Cisco WSA. C. URL categories are updated more frequently on Cisco CWS than they are on Cisco WSA D. Content scanning for SAAS cloud applications is available through Cisco CWS and not available through Cisco WSA Answer: A Explanation Malware can enter the Cisco network when an infected user PC connects over a direct link in the office or a VPN link from a remote location. For these connections, Cisco IT uses the Cisco Web Security Appliance (WSA) to protect the network from malware intrusion. However, WSA protection is not available when a user connects to the Internet directly, without connecting via passyourccie@gmail.com the Cisco network, such as when using a public Wi-Fi service in a coffee shop. 
In this case, the user’s PC can become infected with malware, which may disrupt the user’s activity, spread to other networks and devices, and present the risk of a data security or privacy breach. Cisco IT uses the Cisco Cloud Web Security (CWS) solution to help protect user PCs from these malware infections. The Cisco CWS solution, previously known as Cisco Scan Safe, enforces secure communication to and from the Internet. It uses the Cisco AnyConnect Secure Mobility Client 3.0 to provide remote workers the same level of security as onsite employees when using a laptop issued by Cisco. Reference: https://www.cisco.com/c/dam/en_us/about/ciscoitatwork/borderless_networks/docs/Cl oud_Web_Security_IT_Methods.pdf Cisco ISR with Cloud Web Security Connector: … Eliminates the need to backhaul Internet traffic from branch offices, so offices can access the web directly, without losing control of or visibility into web usage. Reference: https://www.cisco.com/c/en/us/products/collateral/security/routersecurity/data_sheet_c78-655324.pdf Question 13 An organization wants to improve its cybersecurity processes and to add intelligence to its data. The organization wants to utilize the most current intelligence data for URL filtering, reputations, and vulnerability information that can be integrated with the Cisco FTD and Cisco WSA. What must be done to accomplish these objectives? A. Create a Cisco pxGrid connection to NIST to import this information into the security products for policy use B. Create an automated download of the Internet Storm Center intelligence feed into the Cisco FTD and Cisco WSA databases to tie to the dynamic access control policies. C. Download the threat intelligence feed from the IETF and import it into the Cisco FTD and Cisco WSA databases D. 
Configure the integrations with Talos Intelligence to take advantage of the threat intelligence that it provides Answer: D Explanation We need an automated solution to deal with the rapid change of cybersecurity so answer A and C are not correct. According to the following facts about Talos, we believe answer D is the best choice: Cisco WSA detects and correlates threats in real time by tapping into the largest threat-detection network in the world, Cisco Talos. To discover where threats are hiding, Cisco Talos pulls massive quantities of information across multiple vectors – firewall, IPS, web, email, and VPN. Cisco Talos constantly refreshes information every 3 to 5 minutes – adding intelligence to and receiving intelligence from Cisco WSA and other network security devices. This enables Cisco WSA to deliver industry-leading defense hours and even days ahead of competitors. Reference: https://www.cisco.com/c/en/us/products/collateral/security/web-securityappliance/solution-overview-c22-732948.html Talos’ threat intelligence supports a two-way flow of telemetry and protection across marketleading security solutions including Next-Generation Intrusion Prevention System (NGIPS), NextGeneration Firewall (NGFW), Advanced Malware Protection (AMP), Email Security Appliance (ESA), Cloud Email Security (CES), Cloud Web Security (CWS), Web Security Appliance (WSA), Umbrella, and ThreatGrid, as well as numerous open-source and commercial threat protection systems. Reference: https://www.talosintelligence.com/docs/Talos_WhitePaper.pdf Question 14 passyourccie@gmail.com Cisco SensorBase gathers threat information from a variety of Cisco products and services and performs analytics to find patterns on threats. Which term describes this process? A. deployment B. consumption C. authoring D. sharing Answer: A Question 15 An organization has a requirement to collect full metadata information about the traffic going through their AWS cloud services. 
They want to use this information for behavior analytics and statistics. Which two actions must be taken to implement this requirement? (Choose two) A. Configure Cisco ACI to ingest AWS information B. Configure Cisco Thousand Eyes to ingest AWS information C. Send syslog from AWS to Cisco Stealthwatch Cloud D. Send VPC Flow Logs to Cisco Stealthwatch Cloud E. Configure Cisco Stealthwatch Cloud to ingest AWS information Answer: D E Question 16 Refer to the exhibit. What will occur when this device tries to connect to the port? A. 802.1X will not work, but MAB will start and allow the device on the network B. 802.1X will not work and the device will not be allowed network access C. 802.1X will work and the device will be allowed on the network D. 802.1X and MAB will both be used and ISE can use policy to determine the access level Answer: C Explanation In this question we don’t see “mab” command so MAC Authentication Bypass (MAB) is not enabled on the interface -> Answer A and answer D are not correct. passyourccie@gmail.com In order to enable 802.1X on a port, we need two commands: + access-session port-control auto: enables 802.1X port-based authentication on the interface + dot1x pae {supplicant | authenticator | both}: sets the Port Access Entity (PAE) type. In this case “authenticator” keyword was chosen so the interface acts only as an authenticator and does not respond to any messages meant for a supplicant.+ authentication periodic: enables reauthentication on the interface We had both of these commands so 802.1X will work on the interface. 
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html Other commands are explained below: + authentication host-mode multi-auth: allows voice and multiple endpoints on the same physical access port + dot1x timeout tx-period 10: sets the retransmit period to 10 seconds + device-tracking attach-policy {policy-name}: applies the IP device tracking (IPDT) policy to switchport. The main task is to keep track of connected hosts (association of MAC and IP address) These commands enable the SNMP trap for added and removed MACs on the interface: + snmp trap mac-notification change added + snmp trap mac-notification change removed Question 17 An engineer is configuring their router to send NetfFow data to Stealthwatch which has an IP address of 1.1.1.1 using the flow record Steathwatch406397954 command. Which additional command is required to complete the flow record? A. B. C. D. transport udp 2055 match ipv4 ttl cache timeout active 60 destination 1.1.1.1 Answer: B Explanation The “transport udp …” command can only be used under flow exporter. The “cache timeout active …” command can only be used under flow monitor. Under flow record, we cannot type “destination 1.1.1.1”. This command can only be used under flow exporter. We can only use the “match ipv4 ttl” command under flow record in this question. Good reference: https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/configtrouble-netflow-stealth.pdf Question 18 An engineer needs to add protection for data in transit and have headers in the email message. Which configuration is needed to accomplish this goal? A. B. C. D. Provision the email appliance Deploy an encryption appliance Map sender IP addresses to a host interface Enable flagged message handling Answer: B Question 19 An administrator is adding a new switch onto the network and has configured AAA for network access control. 
When testing the configuration, the RADIUS authenticates to Cisco ISE but is being rejected. Why is the ip radius source-interface command needed for this configuration? passyourccie@gmail.com A. B. C. D. Only requests that originate from a configured NAS IP are accepted by a RADIUS server The RADIUS authentication key is transmitted only from the defined RADIUS source interface RADIUS requests are generated only by a router if a RADIUS source interface is defined Encrypted RADIUS authentication requires the RADIUS source interface be defined Answer: A Explanation The source IP address of the RADIUS packets must match the NAS IP address configured on the RADIUS server. A mismatch leads to RADIUS packet timeout and the server gets marked “DEAD”. Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-basednetworking-services/whitepaper_C11-731907.html Question 20 Refer to the exhibit. interface GigabitEthernet1/0/18 switchport access vlan 41 switchport mode access switchport voice vlan 44 device-tracking attach-policy IPDT_MAX_10 authentication periodic authentication timer reauthenticate server access-session host-mode multi-domain access-session port-control auto dot1x pae authenticator dot1x timeout tx-period 7 dot1x max-reauth-req 3 spanning-tree portfast service-policy type control subscriber POLICY_Gi1/0/18 A Cisco ISE administrator adds a new switch to an 802.1X deployment and has difficulty with some endpoints gaining access. Most PCs and IP phones can connect and authenticate using their machine certificate credentials. However printer and video cameras cannot based on the interface configuration provided. What must be to get these devices on to the network using Cisco ISE for authentication and authorization while maintaining security controls? A. B. C. D. 
Change the default policy in Cisco ISE to allow all devices not using machine authentication Enable insecure protocols within Cisco ISE in the allowed protocols configuration Configure authentication event fail retry 2 action authorize vlan 41 on the interface Add mab to the interface configuration Answer: A Question 21 What is the function of the crypto isakmp key cisc406397954 address 0.0.0.0 0.0.0.0 command when establishing an IPsec VPN tunnel? A. B. C. D. It defines what data is going to be encrypted via the VPN It configures the pre-shared authentication key It prevents all IP addresses from connecting to the VPN server. It configures the local address for the VPN server. Answer: B passyourccie@gmail.com Explanation Note: + “address 0.0.0.0 0.0.0.0” means remote peer is any -> any destination can try to negotiate with this router. + The Phase 1 password is “cisc406397954”. Question 22 An engineer is adding a Cisco DUO solution to the current TACACS+ deployment using Cisco ISE. The engineer wants to authenticate users using their account when they log into network devices. Which action accomplishes this task? A. Configure Cisco DUO with the external Active Directory connector and tie it to the policy set within Cisco ISE B. Install and configure the Cisco DUO Authentication Proxy and configure the identity source sequence within Cisco ISE C. Create an identity policy within Cisco ISE to send all authentication requests to Cisco DUO D. Modify the current policy with the condition MFASourceSequence DUO=true in the authorization conditions within Cisco ISE Answer: B Explanation Duo MFA Integration with ISE for TACACS+ Device Administration with Local/Internal (ISE) Users In this setup, ISE will forward the TACACS+ authentication requests to the Duo Authentication proxy. The proxy will then punt the requests back to ISE for local user authentication. 
This can be a little bit confusing but it is necessary for organizations that want to utilize the local user database on ISE and not relay on external identity sources such as Active Directory, LDAP, etc. If the authentication is successful, the end user/admin will be send a “DUO Push.” If the local ISE authentication fails, then the process will stop and no “Duo Push” will occur. 1. Admin user initiates a shell connection to a network device where he/she uses Active Directory based credentials 2. Network device forwards the request to the TACACS+ server (ISE) 3. ISE sends the authentication request to Duo’s Authentication Proxy 4. The proxy forwards the request back to ISE for the 1st factor authentication 5. ISE informs the Authentication Proxy if the local authentication was successful 6. Upon successful ISE authentication, the Authentication Proxy sends an authentication request to Duo cloud for 2nd factor authentication 7. Duo cloud sends a “push” to the admin user 8. Admin user “approves” the “push” 9. Duo informs the Authentication Proxy of the successful push 10. Authentication proxy informs ISE of a successful Authentication 11. ISE Authorizes the admin user passyourccie@gmail.com Also according to this Cisco link, we need to configure “Identity Source Sequenc” in Cisco ISE: Therefore answer B is the best choice. Question 23 An organization is selecting a cloud architecture and does not want to be responsible for patch management of the operating systems. Why should the organization select either Platform as a Service or Infrastructure as a Service for this environment? A. Platform as a Service because the customer manages the operating system B. Infrastructure as a Service because the customer manages the operating system C. Platform as a Service because the service provider manages the operating system D. 
Infrastructure as a Service because the service provider manages the operating system passyourccie@gmail.com Answer: C Explanation We don’t want to manage the OS so we should choose PaaS or SaaS. But this question only wants to compare between PaaS and IaaS so we must choose PaaS. Question 24 How does a cloud access security broker function? A. It is an authentication broker to enable single sign-on and multi-factor authentication for a cloud solution B. It integrates with other cloud solutions via APIs and monitors and creates incidents based on events from the cloud solution C. It acts as a security information and event management solution and receives syslog from other cloud solutions D. It scans other cloud solutions being used within the network and identifies vulnerabilities Answer: B Question 25 A Cisco AMP for Endpoints administrator configures a custom detection policy to add specific MD5 signatures. The configuration is created in the simple detection policy section, but it does not work. What is the reason for this failure? A. The administrator must upload the file instead of the hash for Cisco AMP to use B. The MD5 hash uploaded to the simple detection policy is in the incorrect format C. The APK must be uploaded for the application that the detection is intended D. Detections for MD5 signatures must be configured in the advanced custom detection policies Answer: D passyourccie@gmail.com Question 26 What is the difference between a vulnerability and an exploit? A. B. C. D. A vulnerability is a hypothetical event for an attacker to exploit A vulnerability is a weakness that can be exploited by an attacker An exploit is a weakness that can cause a vulnerability in the network An exploit is a hypothetical event that causes a vulnerability in the network Answer: B Explanation A vulnerability is a weakness in a software system. And an exploit is an attack that leverages that vulnerability. 
Question 27
Which feature is leveraged by advanced antimalware capabilities to be an effective endpoint protection platform?
A. big data
B. storm centers
C. sandboxing
D. blocklisting
Answer: C

Question 28
Which system facilitates deploying microsegmentation and multi-tenancy services with a policy-based container?
A. SDLC
B. Docker
C. Lambda
D. Contiv
Answer: D
Explanation
Contiv is an open source project that allows you to deploy micro-segmentation policy-based services in container environments. It offers a higher level of networking abstraction for microservices by providing a policy framework. Contiv has built-in service discovery and service routing functions to allow you to scale out services.
Reference: https://www.ciscopress.com/articles/article.asp?p=3004581&seqNum=2

Question 29
An engineer integrates Cisco FMC and Cisco ISE using pxGrid. Which role is assigned for Cisco FMC?
A. client
B. server
C. publisher
D. controller
Answer: C
Explanation
pxGrid stands for Platform Exchange Grid, and it is a technology that allows integrating multiple vendors' security products together and grouping them in an ecosystem domain. The main purpose of using pxGrid is to share contextual data between the integrated partners. pxGrid uses a built-in API in ISE and it is comprised of three main components, which are the controller, the publisher and the subscriber. The controller is the core component that makes everything work and, as said, is going to be ISE. The publisher is the partner that has some contextual data to be shared with the other partners. And finally the subscriber is the partner that is interested in parsing some contextual data from the other partners.
Reference: https://bluenetsec.com/fmc-pxgrid-integration-with-ise/
In fact, according to figure 6-5 (which is posted below) of this link https://www.ciscopress.com/articles/article.asp?p=2963461&seqNum=2, FMC is a subscriber, but we have no such option, so the best answer here is "publisher".

Question 30
A network security engineer must export packet captures from the Cisco FMC web browser while troubleshooting an issue. When navigating to the address https://<FMC IP>/capure/CAPI/pcap/test.pcap, an error 403: Forbidden is given instead of the PCAP file. Which action must the engineer take to resolve this issue?
A. Disable the proxy setting on the browser
B. Disable the HTTPS server and use HTTP instead
C. Use the Cisco FTD IP address as the proxy server setting on the browser
D. Enable the HTTPS server for the device platform policy
Answer: D
Explanation
When you see this HTTP RESPONSE in a packet capture (PCAP), it's likely that the proxy is denying the request. To verify this, get a policy trace, and look for the exact HTTP REQUEST sent by the client, and match it with the policy rules. You will find either a DENY or Denied by Exception result. You can then modify the rule to allow this HTTP REQUEST, if appropriate.
Reference: https://knowledge.broadcom.com/external/article/167567/why-do-my-pcaps-show-an-http-response-fr.html
Therefore we should modify the policy to allow the HTTPS request.

Question 31
Which security solution protects users leveraging DNS-layer security?
A. Cisco Umbrella
B. Cisco ISE
C. Cisco ASA
D. Cisco FTD
Answer: A

Question 32
What is the result of the ACME-Router(config)#login block-for 100 attempts 4 within 60 command on a Cisco IOS router?
A. After four unsuccessful log in attempts, the line is blocked for 100 seconds and only permit IP addresses A are permitted in ACL 60
B. After four unsuccessful log in attempts, the line is blocked for 60 seconds and only permit IP addresses C are permitted in ACL 100
C. If four log in attempts fail in 100 seconds, wait for 60 seconds to next log in prompt
D. If four failures occur in 60 seconds, the router goes to quiet mode for 100 seconds
Answer: D
Explanation
The following example shows how to configure your router to enter a 100 second quiet period if 15 failed login attempts are exceeded within 100 seconds; all login requests will be denied during the quiet period except hosts from the ACL "myacl."

    Router(config)# login block-for 100 attempts 15 within 100
    Router(config)# login quiet-mode access-class myacl

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16/sec-usr-cfg-xe-16-book/sec-login-enhance.html

Question 33
What is an advantage of network telemetry over SNMP pulls?
A. scalability
B. security
C. encapsulation
D. accuracy
Answer: A
Explanation
SNMP uses the pull model when retrieving data from a switch. This model cannot scale for today's high-density platforms, and offers very limited extensibility. The pull model is based on a client sending a request to the switch, then the switch responds to that request. On average, network operators using SNMP poll data every five to thirty minutes. But with today's speeds and scale that's not enough to capture important network events.
…
These traditional models also impose limits like scale and efficiency -> So we can deduce network telemetry is more scalable than SNMP pulls.
Reference: https://blogs.cisco.com/developer/its-time-to-move-away-from-snmp-and-cli-and-use-model-driven-telemetry

Question 34
What is a benefit of using a multifactor authentication strategy?
A. It provides secure remote access for applications
B. It provides an easy, single sign-on experience against multiple applications
C. It protects data by enabling the use of a second validation of identity
D. It provides visibility into devices to establish device trust
Answer: C
Explanation
Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource. MFA requires means of verification that unauthorized users won't have.
Note: Single sign-on (SSO) is a property of identity and access management that enables users to securely authenticate with multiple applications and websites by logging in only once with just one set of credentials (username and password). With SSO, the application or website that the user is trying to access relies on a trusted third party to verify that users are who they say they are.

Question 35
An engineer is trying to decide between using L2TP or GRE over IPsec for their site-to-site VPN implementation. What must be understood before choosing a solution?
A. L2TP uses TCP port 47 and GRE over IPsec uses UDP port 1701.
B. GRE over IPsec cannot be used as a standalone protocol, and L2TP can.
C. GRE over IPsec adds its own header, and L2TP does not
D. L2TP is an IP packet encapsulation protocol, and GRE over IPsec is a tunneling protocol.
Answer: C
Explanation
L2TP uses UDP port 1701 while GRE uses IP protocol 47 -> Answer A is not correct.
L2TP stands for Layer 2 Tunneling Protocol while GRE is a simple IP packet encapsulation protocol -> Answer D is not correct.
This O'Reilly link says: "It is unlikely that you will set up L2TP as a standalone protocol, as it has no authentication and encryption on its own. The more likely scenario is setting up an L2TP/IPsec tunnel". So we understand that L2TP can be set up as a standalone protocol, but should not be -> Answer B is not correct.
The CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide book says "the GRE protocol adds its own header (4 bytes plus options) between the payload (data) and the delivery header" while the entire L2TP packet, including payload and L2TP header, is sent within a User Datagram Protocol (UDP) datagram -> Answer C is correct.

Question 36
What are two functionalities of northbound and southbound APIs within Cisco SDN architecture? (Choose two.)
A. Southbound APIs are used to define how SDN controllers integrate with applications.
B. Northbound interfaces utilize OpenFlow and OpFlex to integrate with network devices.
C. Northbound APIs utilize RESTful API methods such as GET, POST, and DELETE.
D. Southbound interfaces utilize device configurations such as VLANs and IP addresses.
E. Southbound APIs utilize CLI, SNMP, and RESTCONF.
Answer: C E
Explanation
Northbound APIs are used to define how SDN controllers integrate with applications -> Answer A is not correct.
OpenFlow and OpFlex are Southbound APIs -> Answer B is not correct.
Southbound APIs utilize NETCONF, RESTCONF, SNMP, Telnet, SSH… -> Answer D is not correct while answer E is correct.

Question 37
Which two solutions help combat social engineering and phishing at the endpoint level? (Choose two)
A. Cisco ISE
B. Cisco Umbrella
C. Cisco DNA Center
D. Cisco TrustSec
E. Cisco Duo Security
Answer: B E

Question 38
A network engineer must migrate a Cisco WSA virtual appliance from one physical host to another physical host by using VMware vMotion. What is a requirement for both physical hosts?
A. The hosts must run different versions of Cisco AsyncOS
B. The hosts must run Cisco AsyncOS 10.0 or greater
C. The hosts must have access to the same defined network
D. The hosts must use a different datastore than the virtual appliance
Answer: C
Explanation
Requirements:
+ Both physical hosts must have the same network configuration.
+ Both physical hosts must have access to the same defined network(s) to which the interfaces on the virtual appliance are mapped.
+ Both physical hosts must have access to the datastore that the virtual appliance uses. This datastore can be a storage area network (SAN) or Network-attached storage (NAS).
+ The Cisco Secure Email Virtual Gateway must have no mail in its queue.
Reference: https://www.cisco.com/c/dam/en/us/td/docs/security/content_security/virtual_appliances/Cisco_Content_Security_Virtual_Appliance_Install_Guide.pdf

Question 39
An engineer is implementing Cisco CES in an existing Microsoft Office 365 environment and must route inbound email to Cisco CES addresses. Which DNS record must be modified to accomplish this task?
A. CNAME
B. MX
C. DKIM
D. SPF
Answer: B
Explanation
In order to route inbound email to Cisco CES addresses we must change the MX record.
Reference: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3433.pdf
At this point, you are ready to cut over the domain through a Mail Exchange (MX) record change. Work with your DNS administrator to resolve your MX records to the IP addresses for your Cisco Secure Email Cloud instance as provided in your Cisco Secure Email welcome letter.
Reference: https://www.cisco.com/c/en/us/support/docs/security/cloud-email-security/214812-configuring-office-365-microsoft-with.html

Question 40
Which method of attack is used by a hacker to send malicious code through a web application to an unsuspecting user to request that the victim's web browser executes the code?
A. buffer overflow
B. SQL injection
C. browser WGET
D. cross-site scripting
Answer: D

Question 41
What are two ways a network administrator transparently identifies users using Active Directory on the Cisco WSA? (Choose two)
A. Create an LDAP authentication realm and disable transparent user identification
B.
Deploy a separate eDirectory server, the client IP address is recorded in this server. C. Create NTLM or Kerberos authentication realm and enable transparent user identification. D. The eDirectory client must be installed on each client workstation E. Deploy a separate Active Directory agent such as Cisco Context Directory Agent. Answer: C E Explanation Consider the following when you identify users transparently using Active Directory: + Transparent user identification with Active Directory works with an NTLM or Kerberos authentication scheme only. You cannot use it with an LDAP authentication realm that corresponds to an Active Directory instance. + Transparent user identification works with the versions of Active Directory supported by an Active Directory agent. Reference: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa110/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html Question 42 Which endpoint solution protects a user from a phishing attack? A. B. C. D. Cisco AnyConnect with Umbrella Roaming Security module Cisco AnyConnect with Network Access Manager module Cisco Identity Services Engine Cisco AnyConnect with ISE Posture module Answer: A Explanation Umbrella Roaming is a cloud-delivered security service for Cisco’s next-generation firewall. It protects your employees even when they are off the VPN. No additional agents are required. Simply enable the Umbrella functionality in the Cisco AnyConnect client. You’ll get seamless protection against malware, phishing, and command-and-control callbacks wherever your users go. Reference: https://www.cisco.com/c/en/us/products/security/umbrella/umbrella-roaming.html Question 43 An engineer is configuring Cisco Umbrella and has an identity that references two different policies. Which action ensures that the policy that the identity must use takes precedence over the second one? A. Configure only the policy with the most recently changed timestamp. B. 
Make the correct policy first in the policy order. passyourccie@gmail.com C. Configure the default policy to redirect the requests to the correct policy. D. Place the policy with the most-specific configuration last in the policy order. Answer: B Question 44 Refer to the exhibit. Which configuration item makes it possible to have the AAA session on the network? A. aaa authorization network default group ise B. aaa authorization exec default ise C. aaa authentication login console ise D. aaa authentication enable default enable Answer: A Explanation + The exhibit in this question shows a a successful MAB authorization for the MAC address (from the line “Status: Authorized” the last line “mab Authc Success”) so we need the keyword “authorization” in our AAA command. + The authorized device is a Microsoft WorkStation so we need the keyword “network” in our AAA command. ->The command “aaa authorization network default group ise” is the correct answer. This command configures network authorization via ISE. passyourccie@gmail.com Question 45 Refer to the exhibit. What is the function of the Python script code snippet for the Cisco ASA REST API? A. deletes a global rule from policies B. obtains the saved configuration of the Cisco ASA firewall C. changes the hostname of the Cisco ASA D. adds a global rule into policies Answer: D Explanation passyourccie@gmail.com Reference: https://github.com/timwukp/Cisco-ASA-RESTAPI/blob/master/POST api_access_global_rules_input_loop.py Question 46 Refer to the exhibit. When creating an access rule for URL filtering, a network engineer adds certain categories and individual URLs to block. What is the result of the configuration? A. Only URLs for botnets with a reputation score of 3 will be allowed while the rest will be blocked B. Only URLs for botnets with reputation scores of 1-3 will be blocked C. Only URLs for botnets with reputation scores of 3-5 will be blocked D. 
Only URLs for botnets with a reputation score of 3 will be blocked Answer: B Explanation When you create a rule to Block traffic based on a reputation level, selection of a reputation level also selects all of the reputation levels more severe than the level you originally selected. For example, if you configure a rule to block Benign Sites with security risks (level 3), it also automatically blocks Suspicious sites (level 2) and High risk (level 1) sites. Reference: https://www.cisco.com/c/en/us/support/docs/security/firesight-managementcenter/118852-technote-firesight-00.html Question 47 What are two functionalities of SDN Northbound APIs? (Choose two) A. Northbound APIs provide a programmable interface for applications to dynamically configure the network. B. Northbound APIs form the interface between the SDN controller and business applications. C. Northbound APIs use the NETCONF protocol to communicate with applications. D. Northbound APIs form the interface between the SDN controller and the network switches or routers. E. OpenFlow is a standardized northbound API protocol. Answer: A B Explanation passyourccie@gmail.com Northbound APIs present an abstraction of network functions with a programmable interface for applications to consume the network services and configure the network dynamically -> Answer A is correct. Northbound APIs usually use RESTful APIs to communicate with applications -> Answer C is not correct. Southbound APIs form the interface between the SDN controller and the network switches or routers -> Answer D is not correct. OpenFlow and NETCONF are Southbound APIs used for most SDN implementations -> Answer E is not correct. Question 48 What must be enabled to secure SaaS-based applications? A. two-factor authentication B. end-to-end encryption C. application security gateway D. 
modular policy framework Answer: A Explanation According to this link, we can use the following to secure SaaS-based applications: + Set up single sign-on (SSO) integrations + Use multi-factor authentication (MFA) -> Answer A is correct. + Install and integrate an identity governance solution + Stay up to date Question 49 A Cisco ISE engineer configures Central Web Authentication (CWA) for wireless guest access and must have the guest endpoints redirect to the guest portal for authentication and authorization. While testing the policy, the engineer notices that the device is not redirected and instead gets full guest access. What must be done for the redirect to work? A. Create an advanced attribute setting of Cisco.cisco-gateway-id=guest within the authorization profile for the authorization policy line that the unauthenticated devices hit. B. Tag the guest portal in the CWA part of the Common Tasks section of the authorization profile for the authorization policy line that the unauthenticated devices hit. C. Add the DACL name for the Airespace ACL configured on the WLC in the Common Tasks section of the authorization profile for the authorization policy line that the unauthenticated devices hit D. Use the track movement option within the authorization profile for the authorization policy line that the unauthenticated devices hit Answer: C passyourccie@gmail.com Explanation Using an Authorization Profile to Redirect Guest Endpoints to ISE As explained in Understanding Guest Flow, when endpoints first access the network, they are authenticated with MAB, and must be redirected to the Guest portal for authorization. ISE comes with a built-in profile called Cisco_WebAuth that references a built-in self-registered Guest portal. The WLC and switch require a preconfigured redirect ACL. … AireOS does not support downloadable ACLs. Therefore, ACLs must be configured locally on the wireless controller (or access points in FlexConnect mode). 
The ACL names must match in both ISE and in AireOS. The figure below indicates for a wireless guest: Reference: https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptivedeployment-guide/ta-p/3640475 Question 50 What is a difference between Cisco AMP for Endpoints and Cisco Umbrella? A. Cisco AMP for Endpoints prevents, detects, and responds to attacks before damage can be done, and Cisco Umbrella provides the first line of defense against Internet threats. B. Cisco AMP for Endpoints prevents connections to malicious destinations, and Cisco Umbrella works at the file level to prevent the initial execution of malware. C. Cisco AMP for Endpoints automatically researches indicators of compromise and confirms threats, and Cisco Umbrella does not D. Cisco AMP for Endpoints is a cloud-based service, and Cisco Umbrella is not Answer: A Question 51 What is the intent of a basic SYN flood attack? A. to flush the register stack to re-initiate the buffers B. to solicit DNS responses passyourccie@gmail.com C. to exceed the threshold limit of the connection queue D. to cause the buffer to overflow Answer: C Explanation A SYN flood (half-open attack) is a type of denial-of-service (DDoS) attack which aims to make a server unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all. Question 52 Which open standard creates a framework for sharing threat intelligence in a machine-digestible format? A. B. C. D. OpenC2 OpenIoC STIX Cybox Answer: B Explanation OpenIOC is an open framework, meant for sharing threat intelligence information in a machinereadable format. It was developed by the American cybersecurity firm MANDIANT in November 2011. 
It is written in eXtensible Markup Language (XML) and can be easily customized for additional intelligence so that incident responders can translate their knowledge into a standard format. Organizations can leverage this format to share threat-related latest Indicators of Compromise (IoCs) with other organizations, enabling real-time protection against the latest threats. Question 53 Which two methods must be used to add switches into the fabric so that administrators can control how switches are added into DCNM for private cloud management? (Choose two) A. PowerOn Auto Provisioning B. Cisco Cloud Director C. Seed IP D. CDP AutoDiscovery E. Cisco Prime Infrastructure Answer: A C Explanation Cisco Data Center Network Manager (DCNM) offers network management system (NMS) support for traditional or multiple-tenant LAN and SAN fabrics. Cisco DCNM uses PowerOn Auto Provisioning (POAP) to automate the process of upgrading software images and installing configuration files on Cisco Nexus switches that are being deployed in the network. Reference: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/primedata-center-network-manager/guide-c07-740626.html Question 54 Which role is a default guest type in Cisco ISE? A. Full-Time B. Contractor passyourccie@gmail.com C. Yearly D. Monthly Answer: B Explanation Each guest account must be associated with a guest type. Guest types allow a sponsor to assign different levels of access and different network connection times to a guest account. These guest types are associated with particular network access policies. Cisco ISE includes these default guest types: Contractor – Users who need access to the network for an extended amount of time, up to a year. Daily – Guests who need access to the resources on the network for just 1 to 5 days. Weekly – Users who need access to the network for a couple of weeks. 
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/13/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01111.html Question 55 An engineer configures new features within the Cisco Umbrella dashboard and wants to identify and proxy traffic that is categorized as risky domains and may contain safe and malicious content. Which action accomplishes these objectives? A. Configure intelligent proxy within Cisco Umbrella to intercept and proxy the requests for only those categories B. Upload the threat intelligence database to Cisco Umbrella for the most current information on reputations and to have the destination lists block them. C. Create a new site within Cisco Umbrella to block requests from those categories so they can be sent to the proxy device. D. Configure URL filtering within Cisco Umbrella to track the URLs and proxy the requests for those categories and below. Answer: A Explanation The ‘greylist’ of risky domains is compromised of domains that host both malicious and safe content—we consider these “risky” domains. These sites often allow users to upload and share content—making them difficult to police, even for the admins of the site. Reference: https://docs.umbrella.com/deployment-msp/docs/what-is-the-intelligent-proxy In order to enable intelligent proxy, we need to use “Advanced Settings”: passyourccie@gmail.com Question 56 An administrator enables Cisco Threat Intelligence Director on a Cisco FMC. Which process uses STIX and allows uploads and downloads of block lists? A. B. C. D. consumption editing sharing authoring Answer: A Question 57 Why is it important to have a patching strategy for endpoints? A. B. C. D. 
so that functionality is increased on a faster scale when it is used so that known vulnerabilities are targeted and having a regular patch cycle reduces risks so that patching strategies can assist with disabling nonsecure protocols in applications to take advantage of new features released with patches Answer: B Question 58 What is a description of microsegmentation? A. Environments deploy a container orchestration platform, such as Kubernetes, to manage the application delivery B. Environments apply a zero-trust model and specify how applications on different servers or containers can communicate C. Environments implement private VLAN segmentation to group servers with similar applications D. Environments deploy centrally managed host-based firewall rules on each server or container Answer: B Explanation Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location. The Zero Trust model uses microsegmentation — a security technique that involves dividing perimeters into small zones to maintain separate access to every part of the network — to contain attacks. Question 59 Which security product enables administrators to deploy Kubernetes clusters in air-gapped sites without needing Internet access? A. B. C. D. Cisco Container Controller Cisco Container Platform Cisco Cloud Platform Cisco Content Platform Answer: B Explanation passyourccie@gmail.com The ability to deploy Kubernetes clusters in air-gapped sites Cisco Container Platform (CCP) tenant images contain all the necessary binaries and don’t need internet access to function. 
Reference: https://www.cisco.com/c/en/us/products/cloud-systems-management/containerplatform/index.html#~stickynav=3 Question 60 What are two functions of TAXII in threat intelligence sharing? (Choose two) A. B. C. D. exchanges trusted anomaly intelligence information determines how threat intelligence information is relayed determines the “what” of threat intelligence supports STIX information and allows users to describe threat motivations and abilities Answer: A B Explanation In short, TAXII is about how parties communicate to exchange threat intelligence and STIX is about describing that threat intelligence in a structured way. Reference: https://logsentinel.com/blog/the-importance-of-threat-intelligence-sharing-throughtaxii-and-stix/?cookie-state-change=1639912854054 STIX states the “what” of threat intelligence, while TAXII defines “how” that information is relayed. Reference: https://www.anomali.com/resources/what-are-stix-taxii Question 61 An engineer must modify a policy to block specific addresses using Cisco Umbrella. The policy is created already and is actively used by devices, using many of the default policy elements. What else must be done to accomplish this task? A. B. C. D. Create a destination list for addresses to be allowed or blocked Use content categories to block or allow specific addresses Add the specified addresses to the identities list and create a block action Modify the application settings to allow only applications to connect to required addresses Answer: A Explanation Content Categories – Allows you to block access to categories of websites – groupings of sites with similarly themed content. For example, sports, gambling, or astrology…, not specific addresses -> Answer B is not correct. Application Settings – Allows you to block access to specific applications (not specific addresses). For example, Netflix, Facebook, or Amazon -> Answer D is not correct. 
Destination Lists allows you to create a unique list of destinations (for example, domain name or URL) to which you can block or allow access -> Answer A is correct. Reference: https://docs.umbrella.com/deployment-umbrella/docs/customize-your-policies-1 An identity list cannot be an address as Umbrella uses the following identities:Network, Network Device, Roaming Computers, Mobile Devices, Chrome Book, Network Tunnel and WebUsers and Groups. Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zonesecurity/umbrella-design-guide.pdf Question 62 Drag and drop the descriptions from the right onto the correct positions on the left. passyourccie@gmail.com Answer: + threat prevention and mitigation for known and unknown threats: NGIPS + real-time threat intelligence and security protection: Collective Security Intelligence + detection, blocking and remediation to protect the enterprise against targeted malware attacks: AMP + policy enforcement based on complete visibility of users and communication between virtual machines: Full Context Awareness Question 63 Refer to the exhibit. All servers are in the same VLAN/Subnet. DNS Server-1 and DNS Server-2 must communicate with each other, and all servers must communicate with default gateway multilayer switch. Which type of private VLAN ports should be configured to prevent communication between DNS servers and the file server? A. Configure GigabitEthernet0/1 as promiscuous port, GigabitEthernet0/2 as isolated port, and GigabitEthernet0/3 and GigabitEthernet0/4 as community ports. B. Configure GigabitEthernet0/1 as community port, GigabitEthernet0/2 as promiscuous port, GigabitEthernet0/3 and GigabitEthernet0/4 as isolated ports. C. Configure GigabitEthernet0/1 as promiscuous port, Gigabithernet0/2 as community port and GigabitEthernet0/3 and GigabitEthernet0/4 as isolated ports. D. 
Configure GigabitEthernet0/1 as community port, GigabitEthernet0/2 as isolated port, and GigabitEthernet0/3 and GigabitEthernet0/4 as promiscuous ports. Answer: A passyourccie@gmail.com Explanation * Isolated: only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only 1 isolated VLAN per PVLAN. * Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in PVLAN can go outside. * Community: can communicate with other members of that community and promiscuous ports but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.