350-701: Implementing and Operating Cisco Security Core Technologies Part 2
Question #: 61
Topic #: 1
Which algorithm provides asymmetric encryption?
A. 3DES
B. RC4
C. AES
D. RSA
Selected Answer: D
Question #: 62
Topic #: 1
What is a difference between an XSS attack and an SQL injection attack?
A. SQL injection is a hacking method used to attack SQL databases, whereas an XSS attack can exist in many different types of applications.
B. XSS attacks are used to steal information from databases, whereas SQL injection attacks are used to redirect users to websites where attackers can steal data from them.
C. XSS is a hacking method used to attack SQL databases, whereas SQL injection attacks can exist in many different types of applications.
D. SQL injection attacks are used to steal information from databases, whereas XSS attacks are used to redirect users to websites where attackers can steal data from them.
Selected Answer: D
Question #: 63
Topic #: 1
What is a difference between a DoS attack and a DDoS attack?
A. A DoS attack is where a computer is used to flood a server with TCP packets, whereas a DDoS attack is where a computer is used to flood a server with UDP packets.
B. A DoS attack is where a computer is used to flood a server with UDP packets, whereas a DDoS attack is where a computer is used to flood a server with TCP packets.
C. A DoS attack is where a computer is used to flood a server with TCP and UDP packets, whereas a DDoS attack is where a computer is used to flood multiple servers that are distributed over a LAN.
D. A DoS attack is where a computer is used to flood a server with TCP and UDP packets, whereas a DDoS attack is where multiple systems target a single system with a DoS attack.
Selected Answer: D
Question #: 64
Topic #: 1
What are two advantages of using Cisco AnyConnect over DMVPN? (Choose two.)
A. It provides spoke-to-spoke communications without traversing the hub.
B. It enables VPN access for individual users from their machines.
C. It allows multiple sites to connect to the data center.
D. It allows different routing protocols to work over the tunnel.
E. It allows customization of access policies based on user identity.
Selected Answer: BE
Question #: 65
Topic #: 1
What is the difference between a vulnerability and an exploit?
A. A vulnerability is a weakness that can be exploited by an attacker.
B. A vulnerability is a hypothetical event for an attacker to exploit.
C. An exploit is a hypothetical event that causes a vulnerability in the network.
D. An exploit is a weakness that can cause a vulnerability in the network.
Selected Answer: A
Question #: 66
Topic #: 1
What is the term for having information about threats and threat actors that helps mitigate harmful events that would otherwise compromise networks or systems?
A. threat intelligence
B. Indicators of Compromise
C. trusted automated exchange
D. The Exploit Database
Selected Answer: A
Question #: 67
Topic #: 1
Refer to the exhibit. An engineer is implementing a certificate-based VPN. What is the result of the existing configuration?
A. Only an IKEv2 peer that has an OU certificate attribute set to MANGLER establishes an IKEv2 SA successfully.
B. The OU of the IKEv2 peer certificate is used as the identity when matching an IKEv2 authorization policy.
C. The OU of the IKEv2 peer certificate is set to MANGLER.
D. The OU of the IKEv2 peer certificate is encrypted when the OU is set to MANGLER.
Selected Answer: B
Question #: 68
Topic #: 1
Which kind of API used with Cisco DNA Center provisions SSIDs and QoS policies and updates software versions on switches?
A. event
B. intent
C. integration
D. multivendor
Selected Answer: B
Question #: 69
Topic #: 1
A network engineer needs to select a VPN type that provides the most stringent security, multiple security associations for the connections, and efficient VPN establishment with the least bandwidth consumption. Why should the engineer select either FlexVPN or DMVPN for this environment?
A. DMVPN because it uses multiple SAs and FlexVPN does not.
B. DMVPN because it supports IKEv2 and FlexVPN does not.
C. FlexVPN because it supports IKEv2 and DMVPN does not.
D. FlexVPN because it uses multiple SAs and DMVPN does not.
Selected Answer: D
Question #: 70
Topic #: 1
Refer to the exhibit. Which command was used to generate this output and to show which ports are authenticating with dot1x or mab?
A. show authentication registrations
B. show authentication method
C. show dot1x all
D. show authentication sessions
Selected Answer: D
Question #: 71
Topic #: 1
Refer to the exhibit. What does the number 15 represent in this configuration?
A. privilege level for an authorized user to this router
B. access list that identifies the SNMP devices that can access the router
C. interval in seconds between SNMPv3 authentication attempts
D. number of possible failed attempts until the SNMPv3 user is locked out
Selected Answer: B
Question #: 72
Topic #: 1
What is the result of running the crypto isakmp key ciscXXXXXXXX address 172.16.0.0 command?
A. authenticates the IKEv2 peers in the 172.16.0.0/16 range by using the key ciscXXXXXXXX
B. authenticates the IP address of the 172.16.0.0/32 peer by using the key ciscXXXXXXXX
C. authenticates the IKEv1 peers in the 172.16.0.0/16 range by using the key ciscXXXXXXXX
D. secures all the certificates in the IKE exchange by using the key ciscXXXXXXXX
Selected Answer: C
Question #: 73
Topic #: 1
Which command enables 802.1X globally on a Cisco switch?
A. dot1x system-auth-control
B. dot1x pae authenticator
C. authentication port-control auto
D. aaa new-model
Selected Answer: A
Question #: 74
Topic #: 1
What is a characteristic of Dynamic ARP Inspection?
A. DAI determines the validity of an ARP packet based on valid IP to MAC address bindings from the DHCP snooping binding database.
B. In a typical network, all ports are configured as trusted except for the ports connecting to switches, which are untrusted.
C. DAI associates a trust state with each switch.
D. DAI intercepts all ARP requests and responses on trusted ports only.
Selected Answer: A
Question #: 75
Topic #: 1
Which statement about IOS zone-based firewalls is true?
A. An unassigned interface can communicate with assigned interfaces.
B. Only one interface can be assigned to a zone.
C. An interface can be assigned to multiple zones.
D. An interface can be assigned only to one zone.
Selected Answer: D
Question #: 76
Topic #: 1
When wired 802.1X authentication is implemented, which two components are required? (Choose two.)
A. authentication server: Cisco Identity Service Engine
B. supplicant: Cisco AnyConnect ISE Posture module
C. authenticator: Cisco Catalyst switch
D. authenticator: Cisco Identity Services Engine
E. authentication server: Cisco Prime Infrastructure
Selected Answer: AC
Question #: 77
Topic #: 1
Which SNMPv3 configuration must be used to support the strongest security possible?
A.
asa-host(config)#snmp-server group myv3 v3 priv
asa-host(config)#snmp-server user andy myv3 auth sha cisco priv des ciscXXXXXXXX
asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
B.
asa-host(config)#snmp-server group myv3 v3 noauth
asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX
asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
C.
asa-host(config)#snmp-server group myv3 v3 noauth
asa-host(config)#snmp-server user andy myv3 auth sha cisco priv 3des ciscXXXXXXXX
asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
D.
asa-host(config)#snmp-server group myv3 v3 priv
asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX
asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
Selected Answer: D
Question #: 78
Topic #: 1
Under which two circumstances is a CoA issued? (Choose two.)
A. A new authentication rule was added to the policy on the Policy Service node.
B. An endpoint is deleted on the Identity Service Engine server.
C. A new Identity Source Sequence is created and referenced in the authentication policy.
D. An endpoint is profiled for the first time.
E. A new Identity Service Engine server is added to the deployment with the Administration persona.
Selected Answer: BD
Question #: 79
Topic #: 1
Which ASA deployment mode can provide separation of management on a shared appliance?
A. DMZ multiple zone mode
B. transparent firewall mode
C. multiple context mode
D. routed mode
Selected Answer: C
Question #: 80
Topic #: 1
Refer to the exhibit. Which command was used to display this output?
A. show dot1x all
B. show dot1x
C. show dot1x all summary
D. show dot1x interface gi1/0/12
Selected Answer: A
Question #: 81
Topic #: 1
What is a characteristic of Cisco ASA NetFlow v9 Secure Event Logging?
A. It tracks flow-create, flow-teardown, and flow-denied events.
B. It provides stateless IP flow tracking that exports all records of a specific flow.
C. It tracks the flow continuously and provides updates every 10 seconds.
D. Its events match all traffic classes in parallel.
Selected Answer: A
Question #: 82
Topic #: 1
A network engineer has entered the snmp-server user andy myv3 auth sha cisco priv aes 256 cisc0383320506 command and needs to send SNMP information to a host at 10.255.254.1. Which command achieves this goal?
A. snmp-server host inside 10.255.254.1 snmpv3 andy
B. snmp-server host inside 10.255.254.1 version 3 myv3
C. snmp-server host inside 10.255.254.1 snmpv3 myv3
D. snmp-server host inside 10.255.254.1 version 3 andy
Selected Answer: D
Question #: 83
Topic #: 1
An engineer wants to generate NetFlow records on traffic traversing the Cisco ASA. Which Cisco ASA command must be used?
A. flow exporter
B. ip flow-export destination 1.1.1.1 2055
C. flow-export destination inside 1.1.1.1 2055
D. ip flow monitor input
Selected Answer: C
Question #: 84
Topic #: 1
Which two tasks allow NetFlow on a Cisco ASA 5500 Series firewall? (Choose two.)
A. Define a NetFlow collector by using the flow-export command
B. Create a class map to match interesting traffic
C. Create an ACL to allow UDP traffic on port 9996
D. Enable NetFlow Version 9
E. Apply NetFlow Exporter to the outside interface in the inbound direction
Selected Answer: AB
Question #: 85
Topic #: 1
Refer to the exhibit. A network administrator configures command authorization for the admin5 user. What is the admin5 user able to do on HQ_Router after this configuration?
A. set the IP address of an interface
B. add subinterfaces
C. complete no configurations
D. complete all configurations
Selected Answer: C
Question #: 86
Topic #: 1
A network engineer is configuring DMVPN and entered the crypto isakmp key cisc0383320506 address 0.0.0.0 command on host A. The tunnel is not being established to host B. What action is needed to authenticate the VPN?
A. Change the password on host A to the default password
B. Enter the command with a different password on host B
C. Enter the same command on host B
D. Change isakmp to ikev2 in the command on host A
Selected Answer: C
Question #: 87
Topic #: 1
How many interfaces per bridge group does an ASA bridge group deployment support?
A. up to 16
B. up to 2
C. up to 4
D. up to 8
Selected Answer: C
Question #: 88
Topic #: 1
A network administrator configures Dynamic ARP Inspection on a switch. After Dynamic ARP Inspection is applied, all users on that switch are unable to communicate with any destination. The network administrator checks the interface status of all interfaces, and there is no err-disabled interface. What is causing this problem?
A. DHCP snooping has not been enabled on all VLANs
B. Dynamic ARP inspection has not been enabled on all VLANs
C. The ip arp inspection limit command is applied on all interfaces and is blocking the traffic of all users
D. The no ip arp inspection trust command is applied on all user host interfaces
Selected Answer: A
Question #: 89
Topic #: 1
What is a difference between FlexVPN and DMVPN?
A. DMVPN uses only IKEv1. FlexVPN uses only IKEv2
B. FlexVPN uses IKEv2. DMVPN uses IKEv1 or IKEv2
C. DMVPN uses IKEv1 or IKEv2. FlexVPN only uses IKEv1
D. FlexVPN uses IKEv1 or IKEv2. DMVPN uses only IKEv2
Selected Answer: B
Question #: 90
Topic #: 1
DRAG DROP –
Drag and drop the capabilities of Cisco Firepower versus Cisco AMP from the left into the appropriate category on the right.
Question #: 91
Topic #: 1
An engineer needs behavioral analysis to detect malicious activity on the hosts, and is configuring the organization’s public cloud to send telemetry using the cloud provider’s mechanisms to a security device. Which mechanism should the engineer configure to accomplish this goal?
A. sFlow
B. NetFlow
C. mirror port
D. VPC flow logs
Selected Answer: D
Question #: 92
Topic #: 1
An engineer is trying to securely connect to a router and wants to prevent insecure algorithms from being used. However, the connection is failing. Which action should be taken to accomplish this goal?
A. Generate the RSA key using the crypto key generate rsa command.
B. Configure the port using the ip ssh port 22 command.
C. Enable the SSH server using the ip ssh server command.
D. Disable telnet using the no ip telnet command.
Selected Answer: A
Question #: 93
Topic #: 1
Refer to the exhibit. Which type of authentication is in use?
A. POP3 authentication
B. SMTP relay server authentication
C. external user and relay mail authentication
D. LDAP authentication for Microsoft Outlook
Selected Answer: B
Question #: 94
Topic #: 1
Refer to the exhibit. An organization is using DHCP Snooping within its network. A user on VLAN 41 on a new switch is complaining that an IP address is not being obtained. Which command should be configured on the switch interface in order to provide the user with network connectivity?
A. ip dhcp snooping limit 41
B. ip dhcp snooping verify mac-address
C. ip dhcp snooping trust
D. ip dhcp snooping vlan 41
Selected Answer: C
Question #: 95
Topic #: 1
Refer to the exhibit. Traffic is not passing through the IPsec site-to-site VPN on the Firepower Threat Defense appliance. What is causing this issue?
A. Site-to-site VPN preshared keys are mismatched.
B. Site-to-site VPN peers are using different encryption algorithms.
C. No split-tunnel policy is defined on the Firepower Threat Defense appliance.
D. The access control policy is not allowing VPN traffic in.
Selected Answer: D
Question #: 96
Topic #: 1
Refer to the exhibit. A network administrator configured a site-to-site VPN tunnel between two Cisco IOS routers, and hosts are unable to communicate between the two sites of the VPN. The network administrator runs the debug crypto isakmp sa command to track VPN status. What is the problem according to this command output?
A. interesting traffic was not applied
B. encryption algorithm mismatch
C. authentication key mismatch
D. hashing algorithm mismatch
Selected Answer: C
Question #: 97
Topic #: 1
Which policy represents a shared set of features or parameters that define the aspects of a managed device that are likely to be similar to other managed devices in a deployment?
A. group policy
B. access control policy
C. device management policy
D. platform settings policy
Selected Answer: D
Question #: 98
Topic #: 1
The Cisco ASA must support TLS proxy for encrypted Cisco Unified Communications traffic. Where must the ASA be added on the Cisco UC Manager platform?
A. Certificate Trust List
B. Endpoint Trust List
C. Enterprise Proxy Service
D. Secured Collaboration Proxy
Selected Answer: A
Question #: 99
Topic #: 1
Which two application layer preprocessors are used by Firepower Next Generation Intrusion Prevention System? (Choose two.)
A. SIP
B. inline normalization
C. SSL
D. packet decoder
E. modbus
Selected Answer: AC
Question #: 100
Topic #: 1
Which feature is configured for managed devices in the device platform settings of the Firepower Management Center?
A. quality of service
B. time synchronization
C. network address translations
D. intrusion policy
Selected Answer: B
Question #: 101
Topic #: 1
Which information is required when adding a device to Firepower Management Center?
A. username and password
B. encryption method
C. device serial number
D. registration key
Selected Answer: D
Question #: 102
Topic #: 1
What can be integrated with Cisco Threat Intelligence Director to provide information about security threats, which allows the SOC to proactively automate responses to those threats?
A. Cisco Umbrella
B. External Threat Feeds
C. Cisco Threat Grid
D. Cisco Stealthwatch
Selected Answer: B
Question #: 103
Topic #: 1
Which Cisco command enables authentication, authorization, and accounting globally so that CoA is supported on the device?
A. aaa server radius dynamic-author
B. auth-type all
C. aaa new-model
D. ip device-tracking
Selected Answer: C
Question #: 104
Topic #: 1
What is a characteristic of Firepower NGIPS inline deployment mode?
A. ASA with Firepower module cannot be deployed
B. It cannot take actions such as blocking traffic
C. It is out-of-band from traffic
D. It must have inline interface pairs configured
Selected Answer: D
Question #: 105
Topic #: 1
What is a characteristic of Firepower NGIPS inline deployment mode?
A. ASA with Firepower module cannot be deployed
B. It cannot take actions such as blocking traffic
C. It is out-of-band from traffic
D. It must have inline interface pairs configured
Selected Answer: D
Question #: 106
Topic #: 1
A mall provides security services to customers with a shared appliance. The mall wants separation of management on the shared appliance. Which ASA deployment mode meets these needs?
A. routed mode
B. multiple zone mode
C. multiple context mode
D. transparent mode
Selected Answer: C
Question #: 107
Topic #: 1
What is managed by Cisco Security Manager?
A. Cisco WLC
B. Cisco ESA
C. Cisco WSA
D. Cisco ASA
Selected Answer: D
Question #: 108
Topic #: 1
What is managed by Cisco Security Manager?
A. Cisco WLC
B. Cisco ESA
C. Cisco WSA
D. Cisco ASA
Selected Answer: D
Question #: 109
Topic #: 1
An organization is trying to improve its defense in depth by blocking malicious destinations prior to a connection being established. The solution must be able to block certain applications from being used within the network. Which product should be used to accomplish this goal?
A. Cisco Firepower
B. Cisco Umbrella
C. Cisco ISE
D. Cisco AMP
Selected Answer: B
Question #: 110
Topic #: 1
An engineer notices traffic interruptions on the network. Upon further investigation, it is learned that broadcast packets have been flooding the network. What must be configured, based on a predefined threshold, to address this issue?
A. Storm Control
B. embedded event monitoring
C. access control lists
D. Bridge Protocol Data Unit guard
Selected Answer: A
Question #: 111
Topic #: 1
What is a feature of Cisco NetFlow Secure Event Logging for Cisco ASAs?
A. Multiple NetFlow collectors are supported.
B. Advanced NetFlow v9 templates and legacy v5 formatting are supported.
C. Secure NetFlow connectors are optimized for Cisco Prime Infrastructure.
D. Flow-create events are delayed.
Selected Answer: D
Question #: 112
Topic #: 1
What is a key difference between Cisco Firepower and Cisco ASA?
A. Cisco Firepower provides identity based access control while Cisco ASA does not.
B. Cisco ASA provides access control while Cisco Firepower does not.
C. Cisco ASA provides SSL inspection while Cisco Firepower does not.
D. Cisco Firepower natively provides intrusion prevention capabilities while Cisco ASA does not.
Selected Answer: D
Question #: 113
Topic #: 1
DRAG DROP –
Drag and drop the suspicious patterns for the Cisco Tetration platform from the left onto the correct definitions on the right.
Question #: 114
Topic #: 1
What is a benefit of using Cisco FMC over Cisco ASDM?
A. Cisco FMC uses Java while Cisco ASDM uses HTML5.
B. Cisco FMC provides centralized management while Cisco ASDM does not.
C. Cisco FMC supports pushing configurations to devices while Cisco ASDM does not.
D. Cisco FMC supports all firewall products whereas Cisco ASDM only supports Cisco ASA devices.
Selected Answer: D
Question #: 115
Topic #: 1
Which product allows Cisco FMC to push security intelligence observables to its sensors from other products?
A. Threat Intelligence Director
B. Encrypted Traffic Analytics
C. Cognitive Threat Analytics
D. Cisco Talos Intelligence
Selected Answer: A
Question #: 116
Topic #: 1
A Cisco Firepower administrator needs to configure a rule to allow a new application that has never been seen on the network. Which two actions should be selected to allow the traffic to pass without inspection? (Choose two.)
A. permit
B. allow
C. reset
D. trust
E. monitor
Selected Answer: DE
Question #: 117
Topic #: 1
What is a characteristic of a bridge group in a Cisco ASA Firewall running in transparent mode?
A. It has an IP address on its BVI interface and is used for management traffic.
B. It allows ARP traffic with a single access rule.
C. It includes multiple interfaces and access rules between interfaces are customizable.
D. It is a Layer 3 segment and includes one port and customizable access rules.
Selected Answer: A
Question #: 118
Topic #: 1
While using Cisco Firepower’s Security Intelligence policies, on which two criteria is blocking based? (Choose two.)
A. IP addresses
B. URLs
C. port numbers
D. protocol IDs
E. MAC addresses
Selected Answer: AB
Question #: 119
Topic #: 1
Which feature does Cisco FTDv provide over Cisco ASAv?
A. Cisco FTDv provides 1GB of firewall throughput while Cisco ASAv does not.
B. Cisco FTDv runs on VMware while Cisco ASAv does not.
C. Cisco FTDv runs on AWS while Cisco ASAv does not.
D. Cisco FTDv supports URL filtering while Cisco ASAv does not.
Selected Answer: D
Question #: 120
Topic #: 1
A network engineer is deciding whether to use stateful or stateless failover when configuring two Cisco ASAs for high availability. What is the connection status in both cases?
A. need to be reestablished with stateful failover and preserved with stateless failover
B. preserved with both stateful and stateless failover
C. need to be reestablished with both stateful and stateless failover
D. preserved with stateful failover and need to be reestablished with stateless failover
Selected Answer: D