300 210

Vendor: Cisco
Exam Code: 300-210
Exam Name: Implementing Cisco Threat Control Solutions

(SITCS)
Version: 17.031
Important Notice
Product
Our Product Manager keeps an eye for Exam updates by Vendors. Free update is available within
One year after your purchase.
You can login member center and download the latest product anytime. (Product downloaded
from member center is always the latest.)
PS: Ensure you can pass the exam, please check the latest product in 2-3 days before the exam
again.
Feedback
We devote to promote the product quality and the grade of service to ensure customers interest.
If you have any questions about our product, please provide Exam Number, Version, Page
Number, Question Number, and your Login Account to us, please contact us at
support@braindump2go.com and our technical experts will provide support in 24 hours.
Copyright
The product of each order has its own encryption code, so you should use it independently.
If anyone who share the file we will disable the free update and account access.
Any unauthorized changes will be inflicted legal punishment. We will reserve the right of final
explanation for this statement.
Order ID: ****************
PayPal Name: ****************
PayPal ID: ****************

QUESTION 1
Which command establishes a virtual console session to a CX module within a Cisco Adaptive
Security Appliance?
A. session 1 ip address
B. session 2 ip address
C. session 1
D. session ips console
E. session cxsc console
Answer: E
QUESTION 2
What is the default CX Management 0/0 IP address on a Cisco ASA 5512-X appliance?
A. 192.168.1.1
B. 192.168.1.2
C. 192.168.1.3
D. 192.168.1.4
E. 192.168.1.5
F. 192.168.8.8
Answer: F
QUESTION 3
An ASA with an IPS module must be configured to drop traffic matching IPS signatures and block
all traffic if the module fails. Which describes the correct configuration?
A. Inline Mode, Permit Traffic

B. Inline Mode, Close Traffic
C. Promiscuous Mode, Permit Traffic
D. Promiscuous Mode, Close Traffic
Answer: B
QUESTION 4
A new Cisco IPS device has been placed on the network without prior analysis. Which CLI
command shows the most fired signature?
A. Show statistics virtual-sensor

B. Show event alert
C. Show alert
D. Show version
Answer: A
QUESTION 5
What CLI command configures IP-based access to restrict GUI and CLI access to a Cisco Email
Security appliance's administrative interface?
Get Latest & Actual 300-210 Exam's Question and Answers from Braindump2go. 2
http://www.braindump2go.com
A. adminaccessconfig
B. sshconfig
C. sslconfig
D. ipaccessconfig
Answer: A
QUESTION 6
When attempting to tunnel FTP traffic through a stateful firewall that may be performing NAT or
PAT, which type of VPN tunneling should be used to allow the VPN traffic through the stateful
firewall?
A. clientless SSL VPN

B. IPsec over TCP
C. Smart Tunnel
D. SSL VPN plug-ins
Answer: B
QUESTION 7
Upon receiving a digital certificate, what are three steps that a Cisco ASA will perform to
authenticate the digital certificate? (Choose three.)
A. The identity certificate validity period is verified against the system clock of the Cisco ASA.
B. Identity certificates are exchanged during IPsec negotiations.
C. The identity certificate signature is validated by using the stored root certificate.
D. The signature is validated by using the stored identity certificate.
E. If enabled, the Cisco ASA locates the CRL and validates the identity certificate.
Answer: ACE
QUESTION 8
To enable the Cisco ASA Host Scan with remediation capabilities, an administrator must have
which two Cisco ASA licenses enabled on its security appliance? (Choose two.)
A. Cisco AnyConnect Premium license

B. Cisco AnyConnect Essentials license
C. Cisco AnyConnect Mobile license
D. Host Scan license
E. Advanced Endpoint Assessment license
F. Cisco Security Agent license
Answer: AE
QUESTION 9
After adding a remote-access IPsec tunnel via the VPN wizard, an administrator needs to tune
the IPsec policy parameters. Where is the correct place to tune the IPsec policy parameters in
Cisco ASDM?
A. IPsec user profile
B. Crypto Map
C. Group Policy
D. IPsec policy
E. IKE policy
Answer: D
QUESTION 10
Who or what calculates the signature fidelity rating?
A. the signature author

B. Cisco Professional Services
C. the administrator
D. the security policy
Answer: A
QUESTION 11
Which three zones are used for anomaly detection? (Choose three.)
A. Internal zone
B. External zone
C. Illegal zone
D. Inside zone
E. Outside zone
F. DMZ zone
Answer: ABC
QUESTION 12
What is the default IP range of the external zone?
A. 0.0.0.0 0.0.0.0
B. 0.0.0.0 - 255.255.255.255
C. 0.0.0.0/8
D. The network of the management interface
Answer: B
QUESTION 13
When learning accept mode is set to auto, and the action is set to rotate, when is the KB created
and used?
A. It is created every 24 hours and used for 24 hours.

B. It is created every 24 hours, but the current KB is used.
C. It is created every 1 hour and used for 24 hours.
D. A KB is created only in manual mode.
Answer: A
QUESTION 14
What is the CLI command to create a new Message Filter in a Cisco Email Security Appliance?
A. filterconfig
B. filters new
C. messagefilters
D. policyconfig-- inbound or outbound-- filters
Answer: B
QUESTION 15
A Cisco Email Security Appliance uses which message filter to drop all executable attachments
entering and leaving the Cisco Email Security Appliance?
A. drop-exe: if (attachment-filename == "\\.exe$") OR (attachment-filetype == "exe") { drop(); }

B. drop-exe: if (recv-listener == "InboundMail" ) AND ( (attachment-filename == "\\.exe$") OR
(attachment-filetype == "exe")) { drop(); }
C. drop-exe! if (attachment-filename == "\\.exe$") OR (attachment-filetype == "exe") { drop(); }
D. drop-exe! if (recv-listener == "InboundMail" ) AND ( (attachment-filename == "\\.exe$") OR
(attachment-filetype == "exe")) { drop(); }
Answer: A
QUESTION 16
What can Cisco Prime Security Manager (PRSM) be used to achieve?
A. Configure and Monitor Cisco CX Application Visibility and Control, web filtering, access and decryption policies
B. Configure Cisco ASA connection limits
C. Configure TCP state bypass in Cisco ASA and IOS
D. Configure Cisco IPS signature and monitor signature alerts
E. Cisco Cloud Security on Cisco ASA
Answer: A
QUESTION 17
Which is the default IP address and admin port setting for https in the Cisco Web Security
Appliance?
A. http://192.168.42.42:8080
B. http://192.168.42.42:80
C. https://192.168.42.42:443
D. https://192.168.42.42:8443
Answer: D
QUESTION 18
Which port is used for CLI Secure shell access?
A. Port 23
B. Port 25
C. Port 22
D. Port 443
Answer: C
QUESTION 19
Which Cisco technology prevents targeted malware attacks, provides data loss prevention and
spam protection, and encrypts email?
A. SBA
B. secure mobile access
C. IPv6 DMZ web service
D. ESA
Answer: D
QUESTION 20
Which Cisco technology combats viruses and malware with virus outbreak filters that are
downloaded from Cisco SenderBase?
A. ASA
B. WSA
C. Secure mobile access
D. IronPort ESA
E. SBA
Answer: D
QUESTION 21
Which Cisco WSA is intended for deployment in organizations of up to 1500 users?
A. WSA S370
B. WSA S670
C. WSA S370-2RU
D. WSA S170
Answer: D
QUESTION 22
Which Cisco WSA is intended for deployment in organizations of more than 6000 users?
A. WSA S370
B. WSA S670
C. WSA S370-2RU
D. WSA S170
Answer: B
QUESTION 23
Which command verifies that the correct CWS license key information was entered on the Cisco
ASA?
A. sh run scansafe server

B. sh run scansafe
C. sh run server
D. sh run server scansafe
Answer: B
QUESTION 24
Which four parameters must be defined in an ISAKMP policy when creating an IPsec site-to-site
VPN using the Cisco ASDM? (Choose four.)
A. encryption algorithm
B. hash algorithm
C. authentication method
D. IP address of remote IPsec peer
E. D-H group
F. perfect forward secrecy
Answer: ABCE
QUESTION 25
Which Cisco ASA SSL VPN feature provides support for PCI compliance by allowing for the
validation of two sets of username and password credentials on the SSL VPN login page?
A. Single Sign-On
B. Certificate to Profile Mapping
C. Double Authentication
D. RSA OTP
Answer: D
QUESTION 26
Which two types of digital certificate enrollment processes are available for the Cisco ASA
security appliance? (Choose two.)
A. LDAP
B. FTP
C. TFTP
D. HTTP
E. SCEP
F. Manual
Answer: EF
QUESTION 27
Your corporate finance department purchased a new non-web-based TCP application tool to run
on one of its servers. The finance employees need remote access to the software during non-
business hours. The employees do not have "admin" privileges to their PCs. How would you
configure the SSL VPN tunnel to allow this application to run?
A. Configure a smart tunnel for the application.

B. Configure a "finance tool" VNC bookmark on the employee clientless SSL VPN portal.
C. Configure the plug-in that best fits the application.
D. Configure the Cisco ASA appliance to download the Cisco AnyConnect SSL VPN client to the
finance employee each time an SSL VPN tunnel is established.
Answer: A
QUESTION 28
What three alert notification options are available in Cisco IntelliShield Alert Manager? (Choose
three.)
A. Alert Summary as Text

B. Complete Alert as an HTML Attachment
C. Complete Alert as HTML
D. Complete Alert as RSS
E. Alert Summary as Plain Text
F. Alert Summary as MMS
Answer: ABC
QUESTION 29
With Cisco IDM, which rate limit option specifies the maximum bandwidth for rate-limited traffic?
A. protocol
B. rate
C. bandwidth
D. limit
Answer: B
QUESTION 30
Which two benefits are provided by the dynamic dashboard in Cisco ASDM Version 5.2? (Choose
two.)
A. It configures system polices for NAC devices.

B. It forwards traffic to destination devices.
C. It provides statistics for device health.
D. It replaces syslog, RADIUS, and TACACS+ servers.
E. It automatically detects Cisco security appliances to configure.
Answer: CE
QUESTION 31
Which Cisco monitoring solution displays information and important statistics for the security
devices in a network?
A. Cisco Prime LAN Management

B. Cisco ASDM Version 5.2
C. Cisco Threat Defense Solution
D. Syslog Server
E. TACACS+
Answer: B
QUESTION 32
Which three search parameters are supported by the Email Security Monitor? (Choose three.)
A. Destination domain
B. Network owner
C. MAC address
D. Policy requirements
E. Internal sender IP address
F. Originating domain
Answer: ABE
QUESTION 33
Which Cisco Security IntelliShield Alert Manager Service component mitigates new botnet,
phishing, and web-based threats?
A. the IntelliShield Threat Outbreak Alert

B. IntelliShield Alert Manager vulnerability alerts
C. the IntelliShield Alert Manager historical database
D. the IntelliShield Alert Manager web portal
E. the IntelliShield Alert Manager back-end intelligence engine
Answer: A
QUESTION 34
A network engineer can assign IPS event action overrides to virtual sensors and configure which
three modes? (Choose three.)
A. Anomaly detection operational mode

B. Inline TCP session tracking mode
C. Normalizer mode
D. Load-balancing mode
E. Inline and Promiscuous mixed mode
F. Fail-open and fail-close mode
Answer: ABC
QUESTION 35
What is the correct deployment for an IPS appliance in a network where traffic identified as threat
traffic should be blocked and all traffic is blocked if the IPS fails?
A. Inline; fail open

B. Inline; fail closed
C. Promiscuous; fail open
D. Promiscuous; fail closed
Answer: B
QUESTION 36
Which two practices are recommended for implementing NIPS at enterprise Internet edges?
(Choose two.)
A. Integrate sensors primarily on the more trusted side of the firewall (inside or DMZ interfaces).
B. Integrate sensors primarily on the less trusted side of the firewall (outside interfaces).
C. Implement redundant IPS and make data paths symmetrical.
D. Implement redundant IPS and make data paths asymmetrical.
E. Use NIPS only for small implementations.
Answer: AC
QUESTION 37
Which set of commands changes the FTP client timeout when the sensor is communicating with
an FTP server?
A. sensor# configure terminal

sensor(config)# service sensor
sensor(config-hos)# network-settings
sensor(config-hos-net)# ftp-timeout 500
B. sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings parameter ftp
C. sensor# configure terminal
sensor(config)# service host
D. sensor# configure terminal
sensor(config)# service network
Answer: C
QUESTION 38
What are two benefits of using SPAN with promiscuous mode deployment? (Choose two.)
A. SPAN does not introduce latency to network traffic.

B. SPAN can perform granular scanning on captures of per-IP-address or per-port monitoring.
C. Promiscuous Mode can silently block traffic flows on the IDS.
D. SPAN can analyze network traffic from multiple points.
Answer: AD
QUESTION 39
What are the initial actions that can be performed on an incoming SMTP session by the
workqueue of a Cisco Email Security Appliance?
A. Accept, Reject, Relay, TCPRefuse

B. LDAP Verification, Envelope Sender Verification, Bounce Verification, Alias Table Verification
C. Recipient Access Table Verification, Host DNS Verification, Masquerading, Spam Payload Check
D. SMTP Authentication, SBRS Verification, Sendergroup matching, DNS host verification
Answer: A
QUESTION 40
Refer to the exhibit. What CLI command generated the output?
A. smtproutes
B. tophosts
C. hoststatus
D. workqueuestatus
Answer: B
QUESTION 41
Which version of AsyncOS for web is required to deploy the Web Security Appliance as a CWS
connector?
A. AsyncOS version 7.7.x

B. AsyncOS version 7.5.x
C. AsyncOS version 7.5.7
D. AsyncOS version 7.5.0
Answer: C
QUESTION 42
What are three benefits of the Cisco AnyConnect Secure Mobility Solution? (Choose three.)
A. It can protect against command-injection and directory-traversal attacks.

B. It provides Internet transport while maintaining corporate security policies.
C. It provides secure remote access to managed computers.
D. It provides clientless remote access to multiple network-based systems.
E. It enforces security policies, regardless of the user location.
F. It uses ACLs to determine best-route connections for clients in a secure environment.
Answer: BCE
QUESTION 43
Which Cisco technology secures the network through malware filtering, category-based control,
and reputation-based control?
A. Cisco ASA 5500 Series appliances

B. Cisco remote-access VPNs
C. Cisco IronPort WSA
D. Cisco IPS
Answer: C
QUESTION 44
Which antispam technology assumes that email from server A, which has a history of distributing
spam, is more likely to be spam than email from server B, which does not have a history of
distributing spam?
A. Reputation-based filtering
B. Context-based filtering
C. Cisco ESA multilayer approach
D. Policy-based filtering
Answer: A
QUESTION 45
Which Cisco technology is a modular security service that combines a stateful inspection firewall
with next-generation application awareness, providing near real-time threat protection?
A. Cisco ASA 5500 series appliances
B. Cisco ASA CX Context-Aware Security
C. WSA
D. Internet Edge Firewall / IPS
Answer: B
QUESTION 46
Which three statements about Cisco ASA CX are true? (Choose three.)
A. It groups multiple ASAs as a single logical device.

B. It can perform context-aware inspection.
C. It provides high-density security services with high availability.
D. It uses policy-based interface controls to inspect and forward TCP- and UDP-based packets.
E. It can make context-aware decisions.
F. It uses four cooperative architectural constructs to build the firewall.
Answer: BEF
QUESTION 47
During initial configuration, the Cisco ASA can be configured to drop all traffic if the ASA CX SSP
fails by using which command in a policy-map?
A. cxsc fail
B. cxsc fail-close
C. cxsc fail-open
D. cxssp fail-close
Answer: B
QUESTION 48
Cisco AVC allows control of which three of the following? (Choose three.)
A. Facebook
B. LWAPP
C. IPv6
D. MySpace
E. Twitter
F. WCCP
Answer: ADE
QUESTION 49
The Web Security Appliance has identities defined for faculty and staff, students, and default
access. The faculty and staff identity identifies users based on the source network and
authenticated credentials. The identity for students identifies users based on the source network
along with successful authentication credentials. The global identity is for guest users not
authenticated against the domain.
Recently, a change was made to the organization's security policy to allow faculty and staff
access to a social network website, and the security group changed the access policy for faculty
and staff to allow the social networking category.
Which are the two most likely reasons that the category is still being blocked for a faculty and
staff user? (Choose two.)
A. The user is being matched against the student policy because the user did not enter credentials.
B. The user is using an unsupported browser so the credentials are not working.
C. The social networking URL was entered into a custom URL category that is blocked in the access policy.
D. The user is connected to the wrong network and is being blocked by the student policy.
E. The social networking category is being allowed but the AVC policy is still blocking the website.
Answer: CE
QUESTION 50
Which five system management protocols are supported by the Intrusion Prevention System?
(Choose five.)
A. SNMPv2c
B. SNMPv1
C. SNMPv2
D. SNMPv3
E. syslog
F. SDEE
G. SMTP
Answer: ABCFG
QUESTION 51
Which IPS signature regular expression CLI command matches a host issuing a domain lookup
for www.theblock.com?
A. regex-string (\x03[Tt][Hh][Ee]\x05[Bb][Ll][Oo][Cc][Kk])
B. regex-string (\x0b[theblock.com])
C. regex-string (\x03[the]\x05[block]0x3[com])
D. regex-string (\x03[T][H][E]\x05[B][L][O][C][K]\x03[.][C][O][M]
Answer: A
QUESTION 52
Which three user roles are partially defined by default in Prime Security Manager? (Choose
three.)
A. networkoperator
B. admin
C. helpdesk
D. securityoperator
E. monitoringadmin
F. systemadmin
Answer: BCF
QUESTION 53
Which three options are IPS signature classifications? (Choose three.)
A. tuned signatures
B. response signatures
C. default signatures
D. custom signatures
E. preloaded signatures
F. designated signatures
Answer: ACD
QUESTION 54
At which value do custom signatures begin?
A. 1024
B. 10000
C. 1
D. 60000
Answer: D
QUESTION 55
Which two commands are valid URL filtering commands? (Choose two.)
A. url-server (DMZ) vendor smartfilter host 10.0.1.1

B. url-server (DMZ) vendor url-filter host 10.0.1.1
C. url-server (DMZ) vendor n2h2 host 10.0.1.1
D. url-server (DMZ) vendor CISCO host 10.0.1.1
E. url-server (DMZ) vendor web host 10.0.1.1
Answer: AC
QUESTION 56
Which Cisco technology is a customizable web-based alerting service designed to report threats
and vulnerabilities?
A. Cisco Security Intelligence Operations

B. Cisco Security IntelliShield Alert Manager Service
C. Cisco Security Optimization Service
D. Cisco Software Application Support Service
Answer: B
QUESTION 57
Hotspot Questions
Which signature definition is virtual sensor 0 assigned to use?
A. rules0
B. vs0
C. sig0
D. ad0
E. ad1
F. sigl
Answer: C
Explanation:
This is the default signature. You can create multiple security policies and apply them to
individual virtual sensors. A security policy is made up of a signature definition policy, an event
action rules policy, and an anomaly detection policy. Cisco IPS contains a default signature
definition policy called sig0, a default event action rules policy called rules0, and a default
anomaly detection policy called ad0. You can assign the default policies to a virtual sensor or you
can create new policies.
QUESTION 58
Hotspot Questions
What action will the sensor take regarding IP addresses listed as known bad hosts in the Cisco
SensorBase network?
A. Global correlation is configured in Audit mode fortesting the feature without actually denying
any hosts.
B. Global correlation is configured in Aggressive mode, which has a very aggressive effect on
deny actions.
C. It will not adjust risk rating values based on the known bad hosts list.
D. Reputation filtering is disabled.
Answer: D
Explanation:
This can be seen on the Globabl Correlation ?Inspection/Reputation tab show below:
QUESTION 59
Hotspot Questions
To what extent will the Cisco IPS sensor contribute data to the Cisco SensorBase network?
A. It will not contribute to the SensorBase network.

B. It will contribute to the SensorBase network, but will withhold some sensitive information
C. It will contribute the victim IP address and port to the SensorBase network.
D. It will not contribute to Risk Rating adjustments that use information from the SensorBase network.
Answer: B
Explanation:
To configure network participation, follow these steps: Step 1 Log in to IDM using an account with
administrator privileges. Step 2 Choose Configuration > Policies > Global Correlation > Network
Participation. Step 3 To turn on network participation, click the Partial or Full radio button: Partial--
Data is contributed to the SensorBase Network, but data considered potentially sensitive is
filtered out and never sent. Full--All data is contributed to the SensorBase Network
In this case, we can see that this has been turned off as shown below:
QUESTION 60
Hotspot Questions
Which two statements about Signature 1104 are true? (Choose two.)
A. This is a custom signature.

B. The severity level is High.
C. This signature has triggered as indicated by the red severity icon.
D. Produce Alert is the only action defined.
E. This signature is enabled, but inactive, as indicated bythe/0 to that follows the signature number.
Answer: BD
Explanation:
This can be seen here where signature 1004 is the 5th one down:
QUESTION 61
Hotspot Questions
Which three statements about the Cisco IPS appliance configurations are true? (Choose three.)
A. The maximum number of denied attackers is set to 10000.

B. The block action duraton is set to 3600 seconds.
C. The Meta Event Generator is globally enabled.
D. Events Summarization is globally disabled.
E. Threat Rating Adjustment is globally disabled.
Answer: ABC
QUESTION 62
Hotspot Questions
What is the status of OS Identification?
A. It is only enabled to identify "Cisco IOS" OS using statically mapped OS fingerprinting

B. OS mapping information will not be used for Risk Rating calculations.
C. It is configured to enable OS mapping and ARR only for the 10.0.0.0/24 network.
D. It is enabled for passive OS fingerprinting for all networks.
Answer: D
Explanation:
Understanding Passive OS Fingerprinting Passive OS fingerprinting lets the sensor determine the
OS that hosts are running. The sensor analyzes network traffic between hosts and stores the OS
of these hosts with their IP addresses. The sensor inspects TCP SYN and SYNACK packets
exchanged on the network to determine the OS type. The sensor then uses the OS of the target
host OS to determine the relevance of the attack to the victim by computing the attack relevance
rating component of the risk rating. Based on the relevance of the attack, the sensor may alter the
risk rating of the alert for the attack and/or the sensor may filter the alert for the attack. You can
then use the risk rating to reduce the number of false positive alerts (a benefit in IDS mode) or
definitively drop suspicious packets (a benefit in IPS mode). Passive OS fingerprinting also
enhances the alert output by reporting the victim OS, the source of the OS identification, and the
relevance to the victim OS in the alert. Passive OS fingerprinting consists of three components:
Passive OS learning occurs as the sensor observes traffic on the network.
Based on the characteristics of TCP SYN and SYNACK packets, the sensor makes a
determination of the OS running on the host of the source IP address.
User-configurable OS identification You can configure OS host mappings, which take precedence
over learned OS mappings.
Computation of attack relevance rating and risk rating
QUESTION 63
Lab Simulation
Answer:
Steps are in Explanation below:
First, enable the Gig 0/0 and Gig 0/1 interfaces:
Second, create the pair under the "interface pairs" tab:
Then, apply the HIGHRISK action rule to the newly created interface pair:
Then apply the same for the MEDIUMRISK traffic (deny attacker inline)
Finally. Log the packets for the LOWRICK event:
When done it should look like this:
QUESTION 64
During initial configuration, the Cisco ASA can be configured to drop all traffic if the ASA CX SSP
fails by using which command in a policy-map?
A. cxsc fail
B. cxsc fail-close
C. cxsc fail-open
D. cxssp fail-close
Answer: B
QUESTION 65
A network engineer may use which three types of certificates when implementing HTTPS
decryption services on the ASA CX? (Choose three.)
A. Self Signed Server Certificate

B. Self Signed Root Certificate
C. Microsoft CA Server Certificate
D. Microsoft CA Subordinate Root Certificate
E. LDAP CA Server Certificate
F. LDAP CA Root Certificate
G. Public Certificate Authority Server Certificate
H. Public Certificate Authority Root Certificate
Answer: BDF
QUESTION 66
Cisco's ASA CX includes which two URL categories? (Choose two.)
A. Proxy Avoidance
B. Dropbox
C. Hate Speech
D. Facebook
E. Social Networking
F. Instant Messaging and Video Messaging
Answer: CE
QUESTION 67
A Cisco Web Security Appliance's policy can provide visibility and control of which two elements?
(Choose two.)
A. Voice and Video Applications

B. Websites with a reputation between -100 and -60
C. Secure websites with certificates signed under an unknown CA
D. High bandwidth websites during business hours
Answer: CD
QUESTION 68
Which Cisco Web Security Appliance design requires minimal change to endpoint devices?
A. Transparent Mode
B. Explicit Forward Mode
C. Promiscuous Mode
D. Inline Mode
Answer: A
QUESTION 69
What step is required to enable HTTPS Proxy on the Cisco Web Security Appliance?
A. Web Security Manager HTTPS Proxy click Enable

B. Security Services HTTPS Proxy click Enable
C. HTTPS Proxy is enabled by default
D. System Administration HTTPS Proxy click Enable
Answer: B
QUESTION 70
Which two statements about Cisco Cloud Web Security functionality are true? (Choose two.)
A. It integrates with Cisco Integrated Service Routers.

B. It supports threat avoidance and threat remediation.
C. It extends web security to the desktop, laptop, and PDA.
D. It integrates with Cisco ASA Firewalls.
Answer: AD
QUESTION 71
Which Cisco Cloud Web Security tool provides URL categorization?
A. Cisco Dynamic Content Analysis Engine

B. Cisco ScanSafe
C. ASA Firewall Proxy
D. Cisco Web Usage Control
Answer: A
QUESTION 72
Which three functions can Cisco Application Visibility and Control perform? (Choose three.)
A. Validation of malicious traffic

B. Traffic control
C. Extending Web Security to all computing devices
D. Application-level classification
E. Monitoring
F. Signature tuning
Answer: BDE
QUESTION 73
Which two options are features of the Cisco Email Security Appliance? (Choose two.)
A. Cisco Anti-Replay Services

B. Cisco Destination Routing
C. Cisco Registered Envelope Service
D. Cisco IronPort SenderBase Network
Answer: CD
QUESTION 74
What is the authentication method for an encryption envelope that is set to medium security?
A. The recipient must always enter a password, even if credentials are cached.
B. A password is required, but cached credentials are permitted.
C. The recipient must acknowledge the sensitivity of the message before it opens.
D. The recipient can open the message without authentication.
Answer: B
QUESTION 75
What is the default antispam policy for positively identified messages?
A. Drop
B. Deliver and Append with [SPAM]
C. Deliver and Prepend with [SPAM]
D. Deliver and Alternate Mailbox
Answer: C
QUESTION 76
Which five system management protocols are supported by the Cisco Intrusion Prevention
System? (Choose five.)
A. SNMPv2c
B. SNMPv1
C. SNMPv2
D. SNMPv3
E. Syslog
F. SDEE
G. SMTP
Answer: ABCFG
QUESTION 77
Which four statements are correct regarding management access to a Cisco Intrusion Prevention
System? (Choose four.)
A. The Telnet protocol is enabled by default

B. The Telnet protocol is disabled by default
C. HTTP is enabled by default
D. HTTP is disabled by default
E. SSH is enabled by default
F. SSH is disabled by default
G. HTTPS is enabled by default
H. HTTPS is disabled by default
Answer: BDEG
QUESTION 78
Which two GUI options display users' activity in Cisco Web Security Appliance? (Choose two.)
A. Web Security Manager Identity Identity Name

B. Security Services Reporting
C. Reporting Users
D. Reporting Reports by User Location
Answer: CD
QUESTION 79
The security team needs to limit the number of e-mails they receive from the Intellishield Alert
Service. Which three parameters can they adjust to restrict alerts to specific product sets?
(Choose three.)
A. Vendor
B. Chassis/Module
C. Device ID
D. Service Contract
E. Version/Release
F. Service Pack/Platform
Answer: AEF
QUESTION 80
A Cisco AnyConnect user profile can be pushed to the PC of a remote user from a Cisco ASA.
Which three user profile parameters are configurable? (Choose three.)
A. Backup Server list

B. DTLS Override
C. Auto Reconnect
D. Simultaneous Tunnels
E. Connection Profile Lock
F. Auto Update
Answer: ACF
QUESTION 81
An ASA with an IPS module must be configured to drop traffic matching IPS signatures and block
all traffic if the module fails. Which describes the correct configuration?

Answer: B
QUESTION 82
A new Cisco IPS device has been placed on the network without prior analysis. Which CLI
command shows the most fired signature?
A. Show statistics virtual-sensor

B. Show event alert
C. Show alert
D. Show version
Answer: A
QUESTION 83
Which three options are characteristics of router-based IPS? (Choose three.)
A. It is used for large networks.
B. It is used for small networks.
C. It supports virtual sensors.
D. It supports multiple VRFs.
E. It uses configurable anomaly detection.
F. Signature definition files have been deprecated.
Answer: BDF
QUESTION 84
What are three best practices for a Cisco Intrusion Prevention System? (Choose three.)
A. Checking for new signatures every 4 hours

B. Checking for new signatures on a staggered schedule
C. Automatically updating signature packs
D. Manually updating signature packs
E. Group tuning of signatures
F. Single tuning of signatures
Answer: BCE
QUESTION 85
Which three statements concerning keystroke logger detection are correct? (Choose three.)
A. requires administrative privileges in order to run

B. runs on Windows and MAC OS X systems
C. detects loggers that run as a process or kernel module
D. detects both hardware- and software-based keystroke loggers
E. allows the administrator to define "safe" keystroke logger applications
Answer: ACE
QUESTION 86
Which three webtype ACL statements are correct? (Choose three.)
A. are assigned per-Connection Profile

B. are assigned per-user or per-Group Policy
C. can be defined in the Cisco AnyConnect Profile Editor
D. supports URL pattern matching
E. supports implicit deny all at the end of the ACL
F. supports standard and extended webtype ACLs
Answer: BDE
QUESTION 87
Which four advanced endpoint assessment statements are correct? (Choose four.)
A. examines the remote computer for personnel firewalls applications
B. examines the remote computer for antivirus applications
C. examines the remote computer for antispyware applications
D. examines the remote computer for malware applications
E. does not perform any remediation but provides input that can be evaluated by DAP records
F. performs active remediation by applying rules, activating modules, and providing updates where
applicable
Answer: ABCF
QUESTION 88
Which statement regarding hashing is correct?
A. MD5 produces a 64-bit message digest

B. SHA-1 produces a 160-bit message digest
C. MD5 takes more CPU cycles to compute than SHA-1.
D. Changing 1 bit of the input to SHA-1 can change up to 5 bits in the output.
Answer: B
QUESTION 89
What is the access-list command on a Cisco IPS appliance used for?
A. to permanently filter traffic coming to the Cisco IPS appliance via the sensing port
B. to filter for traffic when the Cisco IPS appliance is in the inline mode
C. to restrict management access to the sensor
D. to create a filter that can be applied on the interface that is under attack
Answer: C
QUESTION 90
How does a user access a Cisco Web Security Appliance for initial setup?
A. Connect the console cable and use the terminal at 9600 baud to run the setup wizard.
B. Connect the console cable and use the terminal at 115200 baud to run the setup wizard.
C. Open the web browser at 192.168.42.42:8443 for the setup wizard over https.
D. Open the web browser at 192.168.42.42:443 for the setup wizard over https.
Answer: C
QUESTION 91
What command alters the SSL ciphers used by the Cisco Email Security Appliance for TLS
sessions and HTTPS access?
A. sslconfig
B. sslciphers
C. tlsconifg
D. certconfig
Answer: A
QUESTION 92
Joe was asked to secure access to the Cisco Web Security Appliance to prevent unauthorized
access. Which four steps should Joe implement to accomplish this goal? (Choose four.)
A. Implement IP access lists to limit access to the management IP address in the Cisco Web
Security Appliance GUI.
B. Add the Cisco Web Security Appliance IP address to the local access list.
C. Enable HTTPS access via the GUI/CLI with redirection from HTTP.
D. Replace the Cisco self-signed certificate with a publicly signed certificate.
E. Put the Cisco WSA Management interface on a private management VLAN.
F. Change the netmask on the Cisco WSA Management interface to a 32-bit mask.
G. Create an MX record for the Cisco Web Security Appliance in DNS.
Answer: ACDE
QUESTION 93
Which command is used to enable strong ciphers on the Cisco Web Security Appliance?
A. interfaceconfig
B. strictssl
C. etherconfig
D. adminaccessconfig
Answer: B
QUESTION 94
Which Cisco ESA command is used to edit the ciphers that are used for GUI access?
A. interfaceconfig
B. etherconfig
C. certconfig
D. sslconfig
Answer: D
QUESTION 95
In order to set up HTTPS decryption on the Cisco Web Security Appliance, which two steps must
be performed? (Choose two.)
A. Enable and accept the EULA under Security Services > HTTPS Proxy.
B. Upload a publicly signed server certificate.
C. Configure or upload a certificate authority certificate.
D. Enable HTTPS decryption in Web Security Manager > Access Policies.
Answer: AC
QUESTION 96
When a Cisco Email Security Appliance joins a cluster, which four settings are inherited?
(Choose four.)
A. IP address
B. DNS settings
C. SMTP routes
D. HAT
E. RAT
F. hostname
G. certificates
Answer: BCDE
QUESTION 97
The helpdesk was asked to provide a record of delivery for an important email message that a
customer claims it did not receive. Which feature of the Cisco Email Security Appliance provides
this record?
A. Outgoing Mail Reports

B. SMTP Routes
C. Message Tracking
D. Scheduled Reports
E. System Administration
Answer: C
QUESTION 98
Connections are being denied because of SenderBase Reputation Scores. Which two features
must be enabled in order to record those connections in the mail log on the Cisco ESA? (Choose
two.)
A. Rejected Connection Handling

B. Domain Debug Logs
C. Injection Debug Logs
D. Message Tracking
Answer: AD
QUESTION 99
Which five system management and reporting protocols are supported by the Cisco Intrusion
Prevention System? (Choose five.)
A. SNMPv2c
B. SNMPv1
C. SNMPv2
D. SNMPv3
E. syslog
F. SDEE
G. SMTP
Answer: ABCFG
QUESTION 100
Refer to the exhibit. The system administrator of mydomain.com received complaints that some
messages that were sent from sender user@somedomain.com were delayed. Message tracking
data on the sender shows that an email sample that was received was clean and properly
delivered. What is the likely cause of the intermittent delays?
A. The remote MTA has a SenderBase Reputation Score of -1.0.

B. The remote MTA is sending emails from RFC 1918 IP addresses.
C. The remote MTA has activated the SUSPECTLIST sender group.
D. The remote MTA has activated the default inbound mail policy.
Answer: C
QUESTION 101
A system administrator wants to know if the email traffic from a remote partner will activate
special treatment message filters that are created just for them. Which tool on the Cisco Email
Security gateway can you use to debug or emulate the flow that a message takes through the
work queue?
A. the message tracker interface

B. centralized or local message tracking
C. the CLI findevent command
D. the trace tool
E. the CLI grep command
Answer: D
QUESTION 102
Which command verifies that CWS redirection is working on a Cisco IOS router?
A. show content-scan session active
B. show content-scan summary
C. show interfaces stats
D. show sessions
Answer: A
QUESTION 103
Which two commands are used to verify that CWS redirection is working on a Cisco ASA
appliance? (Choose two.)
A. show scansafe statistics

B. show webvpn statistics
C. show service-policy inspect scansafe
D. show running-config scansafe
E. show running-config webvpn
F. show url-server statistics
Answer: AC
QUESTION 104
A user is deploying a Cisco IPS appliance in a data center to mitigate most attacks, including
atomic attacks. Which two modes does Cisco recommend using to configure for this? (Choose
two.)
A. VLAN pair
B. interface pair
C. transparent mode
D. EtherChannel load balancing
E. promiscuous mode
Answer: AD
QUESTION 105
Which statement about Cisco IPS Manager Express is true?
A. It provides basic device management for large-scale deployments.

B. It provides a GUI for configuring IPS sensors and security modules.
C. It enables communication with Cisco ASA devices that have no administrative access.
D. It provides greater security than simple ACLs.
Answer: B
QUESTION 106
Refer to the exhibit. When designing the network to redirect web traffic utilizing the Catalyst 6500
to the Cisco Web Security Appliance, impact on the switch platform needs consideration.
Which four rows identify the switch behavior in correlation to the redirect method? (Choose four.)
A. Row 1
B. Row 2
C. Row 3
D. Row 4
E. Row 5
F. Row 6
G. Row 7
H. Row 8
Answer: BCFG
QUESTION 107
Refer to the exhibit. Which four rows exhibit the correct WCCP service to protocol assignments?
(Choose four.)
A. Row 1
B. Row 2
C. Row 3
D. Row 4
E. Row 5
F. Row 6
G. Row 7
H. Row 8
Answer: BDFH
QUESTION 108
Which three protocols are required when considering firewall rules for email services using a
Cisco Email Security Appliance? (Choose three.)
A. SMTP
B. HTTP
C. DNS
D. SNMP
E. FTP
Answer: ABC
QUESTION 109
Which two design considerations are required to add the Cisco Email Security Appliance to an
existing mail delivery chain? (Choose two.)
A. Existing MX records should be maintained and policy routing should be used to redirect traffic to
the ESA.
B. Update the MX records to point to the inbound listener interfaces on the ESA.
C. Update the MX records to point to the outbound listener interfaces on the ESA.
D. Different Listeners must be used to handle inbound and outbound mail handling.
E. The ESA should be connected to the same subnet as the Email Server because it maintains only
a single routing table.
F. The ESA can be connected to a DMZ external to the Email Server because it maintains multiple
routing tables.
G. The ESA can be connected to a DMZ external to the Email Server but it maintains only a single
routing table.
H. Mail Listeners by default can share the same IP interface by defining the routes for sending and
receiving.
Answer: BG
QUESTION 110
Which three sender reputation ranges identify the default behavior of the Cisco Email Security
Appliance? (Choose three.)
A. If it is between -1 and +10, the email is accepted

B. If it is between +1 and +10, the email is accepted
C. If it is between -3 and -1, the email is accepted and additional emails from the sender are throttled
D. If it is between -3 and +1, the email is accepted and additional emails from the sender are
throttled
E. If it is between -4 and +1, the email is accepted and additional emails from the sender are
throttled
F. If it is between -10 and -3, the email is blocked
G. If it is between -10 and -3, the email is sent to the virus and spam engines for additional scanning
H. If it is between -10 and -4, the email is blocked
Answer: ACF
QUESTION 111
Which two statements regarding the basic setup of the Cisco CX for services are correct?
(Choose two.)
A. The Packet capture feature is available for either permitted or dropped packets by default.
B. Public Certificates can be used for HTTPS Decryption policies.
C. Public Certificates cannot be used for HTTPS Decryption policies.
D. When adding a standard LDAP realm, the group attribute will be UniqueMember.
E. The Packet capture features is available for permitted packets by default.
Answer: CE
QUESTION 112
Which three zones are used for anomaly detection in a Cisco IPS? (Choose three.)
A. internal zone
B. external zone
C. illegal zone
D. inside zone
E. outside zone
F. DMZ zone
Answer: ABC
QUESTION 113
Who or what calculates the signature fidelity rating in a Cisco IPS?
A. the signature author

B. Cisco Professional Services
C. the administrator
D. the security policy
Answer: A
QUESTION 114
Which command sets the number of packets to log on a Cisco IPS sensor?
A. ip-log-count number
B. ip-log-packets number
C. ip-log-bytes number
D. ip-log number
Answer: B
QUESTION 115
Refer to the exhibit. The system administrator of mydomain.com was informed that one of the
users in his environment received spam from an Internet sender. Message tracking shows that
the emails for this user were not scanned by antispam. Why did the Cisco Email Security gateway
fail to do a spam scan on emails for user@mydomain.com?
A. The remote MTA activated the SUSPECTLIST sender group.
B. The Cisco Email Security gateway created duplicates of the message.
C. The user user@mydomain.com matched an inbound rule with antispam disabled.
D. The user bob@mydomain.com matched an inbound rule with antispam disabled.
Answer: D
QUESTION 116
Drag and Drop Question
Drag and drop the Cisco Security IntelliShield Alert Manager Service components on the left onto
the corresponding description on the right.
Answer:
QUESTION 117
Which three features does Cisco CX provide? (Choose three.)
A. HTTPS traffic decryption and inspection

B. Application Visibility and Control
C. Category or reputation-based URL filtering
D. Email virus scanning
E. Application optimization and acceleration
F. VPN authentication
Answer: ABC
QUESTION 118
Which three functions can Cisco Application Visibility and Control perform within Cisco Cloud
Web Security? (Choose three.)
A. validation of malicious traffic

B. traffic control
C. extending Web Security to all computing devices
D. application-level classification
E. monitoring
F. signature tuning
Answer: BDE
QUESTION 119
Which Cisco Web Security Appliance deployment mode requires minimal change to endpoint
devices?
A. Transparent Mode
B. Explicit Forward Mode
C. Promiscuous Mode
D. Inline Mode
Answer: A
QUESTION 120
What is the default antispam policy for positively identified messages within the Cisco Email
Security Appliance?
A. Drop
B. Deliver and Append with [SPAM]
C. Deliver and Prepend with [SPAM]
D. Deliver and Alternate Mailbox
Answer: C
QUESTION 121
Refer to the exhibit. What Cisco ESA CLI command generated the output?
A. smtproutes
B. tophosts
C. hoststatus
D. workqueuestatus
Answer: B
QUESTION 122
What Event Action in an IPS signature is used to stop an attacker from communicating with a
network using an access-list?
A. Request Block Host

B. Deny Attacker Inline
C. Deny Connection Inline
D. Deny Packet Inline
E. Request Block Connection
Answer: A
QUESTION 123
Within Cisco IPS anomaly detection, what is the default IP range of the external zone?
A. 0.0.0.0 0.0.0.0
B. 0.0.0.0 - 255.255.255.255
C. 0.0.0.0/8
D. the network of the management interface
Answer: B
QUESTION 124
Which two Cisco IPS events will generate an IP log? (Choose two.)
A. A signature had an event action that was configured with log packets.
B. A statically configured IP or IP network criterion was matched.
C. A dynamically configured IP address or IP network was matched.
D. An attack produced a response action.
Answer: AB
QUESTION 125
Which three options are valid event actions for a Cisco IPS? (Choose three.)
A. deny-packet-inline
B. deny-attack-reset
C. produce-verbose-alert
D. log-attacker-packets
E. deny-packet-internal
F. request-block-drop-connection
Answer: ACD
QUESTION 126
Which configuration option causes an ASA with IPS module to drop traffic matching IPS
signatures and to block all traffic if the module fails?
Answer: B
QUESTION 127
Which Cisco IPS CLI command shows the most fired signature?
A. show statistics virtual-sensor

B. show event alert
C. show alert
D. show version
Answer: A
QUESTION 128
Which IPS engine detects ARP spoofing?
A. Atomic ARP Engine

B. Service Generic Engine
C. ARP Inspection Engine
D. AIC Engine
Answer: A
QUESTION 129
Which two options are characteristics of router-based IPS? (Choose two.)
A. It supports custom signatures

B. It supports virtual sensors.
C. It supports multiple VRFs.
D. It uses configurable anomaly detection.
E. Signature definition files have been deprecated.
Answer: CE
QUESTION 130
An IPS is configured to fail-closed and you observe that all packets are dropped. What is a
possible reason for this behavior?
A. Mainapp is unresponsive.
B. The global correlation update failed.
C. The IPS span session failed.
D. The attack drop file is misconfigured.
Answer: A
QUESTION 131
What can you use to access the Cisco IPS secure command and control channel to make
configuration changes?
A. SDEE
B. the management interface
C. an HTTP server
D. Telnet
Answer: B
QUESTION 132
Which Cisco technology provides spam filtering and email protection?
A. IPS
B. ESA
C. WSA
D. CX
Answer: B
QUESTION 133
You ran the ssh generate-key command on the Cisco IPS and now administrators are unable to
connect. Which action can be taken to correct the problem?
A. Replace the old key with a new key on the client.

B. Run the ssh host-key command.
C. Add the administrator IP addresses to the trusted TLS host list on the IPS.
D. Run the ssh authorized-keys command.
Answer: A
QUESTION 134
Which command allows the administrator to access the Cisco WSA on a secure channel on port
8443?
A. strictssl
B. adminaccessconfig
C. ssl
D. ssh
Answer: A
QUESTION 135
Which command can change the HTTPS SSL method on the Cisco ESA?
A. sslconfig
B. strictssl
C. sshconfig
D. adminaccessconfig
Answer: A
QUESTION 136
When you configure the Cisco ESA to perform blacklisting, what are two items you can disable to
enhance performance? (Choose two.)
A. spam scanning
B. antivirus scanning
C. APT detection
D. rootkit detection
Answer: AB
QUESTION 137
Which Cisco ESA predefined sender group uses parameter-matching to reject senders?
A. BLACKLIST
B. WHITELIST
C. SUSPECTLIST
D. UNKNOWNLIST
Answer: A
QUESTION 138
Which command disables SSH access for administrators on the Cisco ESA?
A. interfaceconfig
B. sshconfig
C. sslconfig
D. systemsetup
Answer: A
QUESTION 139
When you create a new server profile on the Cisco ESA, which subcommand of the ldapconfig
command configures spam quarantine end-user authentication?
A. isqauth
B. isqalias
C. test
D. server
Answer: A
QUESTION 140
Which three administrator actions are used to configure IP logging in Cisco IME? (Choose three.)
A. Select a virtual sensor.
B. Enable IP logging.
C. Specify the host IP address.
D. Set the logging duration.
E. Set the number of packets to capture.
F. Set the number of bytes to capture.
Answer: ACD
QUESTION 141
Which centralized reporting function of the Cisco Content Security Management Appliance
aggregates data from multiple Cisco ESA devices?
A. message tracking
B. web tracking
C. system tracking
D. logging
Answer: A
QUESTION 142
What is a value that Cisco ESA can use for tracing mail flow?
A. the FQDN of the source IP address

B. the FQDN of the destination IP address
C. the destination IP address
D. the source IP address
Answer: A
QUESTION 143
What are three features of the Cisco Security Intellishield Alert Manager Service? (Choose three.)
A. validation of alerts by security analysts

B. custom notifications
C. complete threat and vulnerability remediation
D. vendor-specific threat analysis
E. workflow-management tools
F. real-time threat and vulnerability mitigation
Answer: ABE
QUESTION 144
When you deploy a sensor to send connection termination requests, which additional traffic-
monitoring function can you configure the sensor to perform?
A. Monitor traffic as it flows to the sensor.
B. Monitor traffic as it flows through the sensor.
C. Monitor traffic from the Internet only.
D. Monitor traffic from both the Internet and the intranet.
Answer: B
QUESTION 145
Which IPS feature allows you to aggregate multiple IPS links over a single port channel?
A. UDLD
B. ECLB
C. LACP
D. PAgP
Answer: B
QUESTION 146
Which Cisco IPS deployment mode is best suited for bridged interfaces?
A. inline interface pair mode

B. inline VLAN pair mode
C. inline VLAN group mode
D. inline pair mode
Answer: B
QUESTION 147
When a Cisco IPS is deployed in fail-closed mode, what are two conditions that can result in
traffic being dropped? (Choose two.)
A. The signature engine is undergoing the build process.

B. The SDF failed to load.
C. The built-in signatures are unavailable.
D. An ACL is configured.
Answer: AB
QUESTION 148
If inline-TCP-evasion-protection-mode on a Cisco IPS is set to asymmetric mode, what is a side
effect?
A. Packet flow is normal.

B. TCP requests are throttled.
C. Embryonic connections are ignored.
D. Evasion may become possible.
Answer: D
QUESTION 149
Which sensor deployment mode does Cisco recommend when interface capacity is limited and
you need to increase sensor functionality?
A. inline interface pair mode

B. inline VLAN pair mode
C. inline VLAN group mode
D. VLAN group mode
Answer: C
QUESTION 150
Which role does Passive Identity Management play in the Cisco Cloud Web Security
architecture?
A. It provides user-level information that is received from Active Directory.

B. It enables the administrator to control web access for users and user groups.
C. It defines a standard for exchanging authentication and authorization data.
D. It controls content that passes into and out of the network.
Answer: A
QUESTION 151
Which two statements about Cisco ESA clusters are true? (Choose two.)
A. A cluster must contain exactly one group.

B. A cluster can contain multiple groups.
C. Clusters are implemented in a client/server relationship.
D. The cluster configuration must be managed by the cluster administrator.
E. The cluster configuration can be created and managed through either the GUI or the CLI.
Answer: BE
QUESTION 152
Which two statements about devices within a Cisco ESA cluster are true? (Choose two.)
A. Clustered systems must consist of devices in the same hardware series.

B. Clustered devices can communicate via either SSH or Cluster Communication Service.
C. Clustered devices can communicate only with Cluster Communication Service.
D. In-the-cloud devices must be in a separate cluster from on-premise devices.
E. Clustered devices can run different versions of AsyncOS.
Answer: AB
QUESTION 153
What is a primary difference between the web security features of the Cisco WSA and the Cisco
ASA NGFW?
A. Cisco WSA provides URL filtering, while Cisco ASA NGFW does not.
B. Cisco ASA NGFW provides caching services, while Cisco WSA does not.
C. Cisco WSA provides web reputation filtering, while Cisco ASA NGFW does not.
D. Cisco ASA NGFW provides application visibility and control on all ports, while Cisco WSA does
not.
Answer: D
QUESTION 154
Which Cisco ASA configuration command drops traffic if the Cisco ASA CX module fails?
A. no fail-open
B. fail-close
C. fail-close auth-proxy
D. auth-proxy
Answer: B
QUESTION 155
Which Cisco Cloud Web Security Connector feature allows access by all of an organization's
users while applying Active Directory group policies?
A. a company authentication key

B. a group authentication key
C. a PAC file
D. proxy forwarding
E. a user authentication key
Answer: A
QUESTION 156
Which Cisco ESA component receives connections from external mail servers?
A. MTA
B. public listener
C. private listener
D. recipient access table
E. SMTP incoming relay agent
Answer: B
QUESTION 157
What is the function of the Cisco Context Adaptive Scanning Engine in Cisco Hybrid Email
Security services?
A. It uses real-time traffic threat assessment to identify suspicious email senders and messages.
B. It provides a preventive defense against viruses by scanning messages before they enter the
network.
C. It analyzes message content and attachments to protect an organization's intellectual property.
D. It protects against blended threats by using human-like logic to review and evaluate traffic.
Answer: D
QUESTION 158
The Web Cache Communication Protocol (WCCP) is a content-routing protocol that can facilitate
the redirection of traffic flows in real time. Your organization has deployed WCCP to redirect web
traffic that traverses their Cisco Adaptive Security Appliances (ASAs) to their Cisco Web Security
Appliances (WSAs).
The simulator will provide access to the graphical user interfaces of one Cisco ASA and one
Cisco WSA that are participating in a WCCP service. Not all aspects of the GUIs are
implemented in the simulator. The options that have been implemented are sufficient to
determine the best answer to each of the questions that are presented.
Your task is to examine the details available in the simulated graphical user interfaces and select
the best answer.
How many Cisco ASAs and how many Cisco WSAs are participating in the WCCP service?
A. One Cisco ASA or two Cisco ASAs configured as an Active/Standby failover pair, and one Cisco WSA.
B. One Cisco ASA or two Cisco ASAs configured as an Active/Active failover pair, and one Cisco WSA.
C. One Cisco ASA or two Cisco ASAs configured as an Active/Standby failover pair, and two Cisco WSAs.
D. One Cisco ASA or two Cisco ASAs configured as an Active/Active failover pair, and two Cisco WSAs.
E. Two Cisco ASAs and one Cisco WSA.
F. Two Cisco ASAs and two Cisco WSAs.
Answer: A
Explanation:
We can see from the output that the number of routers (ASA's) is 1, so there is a single ASA or
an active/ standby pair being used, and 1 Cache Engine. If the ASA's were in a active/active role
it would show up as 2 routers.
QUESTION 159
Appliances (WSAs).
the best answer.
What traffic is not redirected by WCCP?
A. Traffic destined to public address space

B. Traffic sent from public address space
C. Traffic destined to private address space
D. Traffic sent from private address space
Answer: B
Explanation:
From the screen shot below we see the WCCP-Redirection ACL is applied, so all traffic from the
Private IP space to any destination will be redirected.
QUESTION 160
Appliances (WSAs).
the best answer.
Between the Cisco ASA configuration and the Cisco WSA configuration, what is true with respect
to redirected ports?
A. Both are configured for port 80 only.

B. Both are configured for port 443 only.
C. Both are configured for both port 80 and 443.
D. Both are configured for ports 80, 443 and 3128.
E. There is a configuration mismatch on redirected ports.
Answer: C
Explanation:
This can be seen from the WSA Network tab shown below:
QUESTION 161
Appliances (WSAs).
the best answer.
Which of the following is true with respect to the version of WCCP configured on the Cisco ASA
and the Cisco WSA?
A. Both are configured for WCCP v1.

B. Both are configured for WCCP v2.
C. Both are configured for WCCP v3.
D. There is a WCCP version mismatch between the Cisco WSA and the Cisco ASA.
Answer: B
Explanation:
ASA version shows as version 2.0:
WSA also shows version 2 is being used:
QUESTION 162
What are two features of the Cisco ASA NGFW? (Choose two.)
A. It can restrict access based on qualitative analysis.

B. It can restrict access based on reputation.
C. It can reactively protect against Internet threats.
D. It can proactively protect against Internet threats.
Answer: BD
QUESTION 163
Which three statements about Cisco CWS are true? (Choose three.)
A. It provides protection against zero-day threats.
B. Cisco SIO provides it with threat updates in near real time.
C. It supports granular application policies.
D. Its Roaming User Protection feature protects the VPN from malware and data breaches.
E. It supports local content caching.
F. Its Cognitive Threat Analytics feature uses cloud-based analysis and detection to block threats
outside the network.
Answer: ABC
QUESTION 164
Refer to the exhibit. What are two facts about the interface that you can determine from the given
output? (Choose two.)
A. A Cisco Flexible NetFlow monitor is attached to the interface.

B. A quality of service policy is attached to the interface.
C. Cisco Application Visibility and Control limits throughput on the interface.
D. Feature activation array is active on the interface.
Answer: AB
QUESTION 165
What are the two policy types that can use a web reputation profile to perform reputation-based
processing? (Choose two.)
A. profile policies
B. encryption policies
C. decryption policies
D. access policies
Answer: CD
QUESTION 166
Which three pieces of information are required to implement transparent user identification using
Context Directory Agent? (Choose three.)
A. the server name of the global catalog domain controller

B. the server name where Context Directory Agent is installed
C. the backup Context Directory Agent
D. the primary Context Directory Agent
E. the shared secret
F. the syslog server IP address
Answer: BDE
QUESTION 167
Which method does Cisco recommend for collecting streams of data on a sensor that has been
virtualized?
A. VACL capture
B. SPAN
C. the Wireshark utility
D. packet capture
Answer: D
QUESTION 168
Which configuration mode enables a virtual sensor to monitor the session state for unidirectional
traffic?
A. asymmetric mode
B. symmetric mode
C. loose mode
D. strict mode
Answer: A
QUESTION 169
Over the period of one day, several Atomic ARP engine alerts fired on the same IP address.
You observe that each time an alert fired, requests on the IP address exceeded replies by the
same number. Which configuration could cause this behavior?
A. The reply-ratio parameter is enabled.

B. MAC flip is enabled.
C. The inspection condition is disabled.
D. The IPS is misconfigured.
Answer: A
QUESTION 170
Which type of signature is generated by copying a default signature and modifying its behavior?
A. meta
B. custom
C. atomic
D. normalized
Answer: B
QUESTION 171
Which two conditions must you configure in an event action override to implement a risk rating of
70 or higher and terminate the connection on the IPS? (Choose two.)
A. Configure the event action override to send a TCP reset.

B. Set the risk rating range to 70 to 100.
C. Configure the event action override to send a block-connection request.
D. Set the risk rating range to 0 to 100.
E. Configure the event action override to send a block-host request.
Answer: AB
QUESTION 172
Which two conditions must you configure in an event action rule to match all IPv4 addresses in
the victim range and filter on the complete subsignature range? (Choose two.)
A. Disable event action override.

B. Leave the victim address range unspecified.
C. Set the subsignature ID-range to the default.
D. Set the deny action percentage to 100.
E. Set the deny action percentage to 0.
Answer: BC
QUESTION 173
If learning accept mode is set to "auto" and the knowledge base is loaded only when explicitly
requested on the IPS, which statement about the knowledge base is true?
A. The knowledge base is set to load dynamically.

B. The knowledge base is set to "save only."
C. The knowledge base is set to "discarded."
D. The knowledge base is set to load statically.
Answer: B
QUESTION 174
In which way are packets handled when the IPS internal zone is set to "disabled"?
A. All packets are dropped to the external zone.

B. All packets are dropped to the internal zone.
C. All packets are ignored in the internal zone.
D. All packets are sent to the default external zone.
Answer: D
QUESTION 175
Which type of server is required to communicate with a third-party DLP solution?
A. an HTTPS server
B. an HTTP server
C. an ICAP-capable proxy server
D. a PKI certificate server
Answer: C
QUESTION 176
Which feature does Acceptable Use Controls use to implement Cisco AVC?
A. ISA
B. Cisco Web Usage Controls
C. Cisco WSA
D. Cisco ESA
Answer: B
QUESTION 177
You have configured a VLAN pair that is connected to a switch that is unable to pass traffic. If the
IPS is configured correctly, which additional configuration must you perform to enable the switch
to pass traffic?
A. Configure access ports on the switch.

B. Configure the trunk port on the switch.
C. Enable IP routing on the switch.
D. Enable ARP inspection on the switch.
Answer: A
QUESTION 178
You ran the ssh generate-key command on the Cisco IPS and now administrators are unable to
connect. Which action can be taken to correct the problem?
A. Replace the old key with a new key on the client.

B. Run the ssh host-key command.
C. Add the administrator IP addresses to the trusted TLS host list on the IPS.
D. Run the ssh authorized-keys command.
Answer: A
QUESTION 179
Which piece of information is required to perform a policy trace for the Cisco WSA?
A. the URL to trace

B. the source IP address of the trace
C. authentication credentials to make the request
D. the destination IP address of the trace
Answer: A
QUESTION 180
What is a valid search parameter for the Cisco ESA find event tool?
A. Envelope Origination
B. Envelope Type
C. Message ID
D. Download Type
Answer: C
QUESTION 181
Which website can be used to validate group information about connections that flow through
Cisco CWS?
A. whoami.scansafe.net
B. policytrace.scansafe.net
C. whoami.scansafe.com
D. policytrace.scansafe.com
Answer: B
QUESTION 182
What are three arguments that can be used with the show content-scan command in Cisco IOS
software? (Choose three)
A. session
B. data
C. verbose
D. buffer
E. summary
F. statistics
Answer: AEF
QUESTION 183
In addition to the CLI, what is another option to manage a Cisco IPS?
A. SDEE
B. Cisco SDM
C. Cisco IDM
D. Cisco ISE
Answer: C
QUESTION 184
What is the function of the Web Proxy Auto-Discovery protocol?
A. It enables a web client to discover the URL of a configuration file.

B. It enables a web client to download a script or configuration file that is named by a URL.
C. It enables a web client's traffic flows to be redirected in real time.
D. It enables web clients to dynamically resolve hostname records.
Answer: A
QUESTION 185
What is a difference between a Cisco Content Security Management virtual appliance and a
physical appliance?
A. The virtual appliance requires an additional license to run on a host.

B. The physical appliance requires an additional license to activate its adapters.
C. Migration between virtual appliances of varying sizes is possible, but physical appliances must be
of equal size.
D. The physical appliance is configured with a DHCP-enabled management port to receive an IP
address automatically, but you must assign the virtual appliance an IP address manually in your
management subnet.
Answer: A
QUESTION 186
Which Cisco Web Security Appliance feature enables the appliance to block suspicious traffic on
all of its ports and IP addresses?
A. Layer 4 Traffic Monitor

B. Secure Web Proxy
C. explicit forward mode
D. transparent mode
Answer: A
QUESTION 187
Which feature of the Cisco Hybrid Email Security services enables you to create multiple email
senders on a single Cisco ESA?
A. Virtual Gateway
B. Sender Groups
C. Mail Flow Policy Connector
D. Virtual Routing and Forwarding
E. Email Marketing Connector
Answer: A
QUESTION 188
Which option is a benefit of Cisco Email Security virtual appliance over the Cisco ESA appliance?
A. reduced space and power requirements

B. outbound message protection
C. automated administration
D. global threat intelligence updates from Talos
Answer: A
QUESTION 189
Which option is a benefit of Cisco hybrid email security?
A. on-premises control of outbound data

B. advanced malware protection
C. email encryption
D. message tracking
Answer: A
QUESTION 190
Which technology is used to improve business-critical application performance?
A. Application Visibility and Control

B. Intrusion Prevention Services
C. Advanced Malware Protection
D. TrustSec
Answer: A
QUESTION 191
Which option is a benefit of deploying Cisco Application Visibility and Control?
A. It ensures bandwidth availability and performance of mission-critical applications in a data- and

media-rich environment.
B. It performs deep packet inspection of mission-critical applications in a data- and media-rich
environment.
C. It encrypts mission-critical applications in a data- and media-rich environment.
D. It securely tunnels mission-critical applications in a data- and media-rich environment.
Answer: A
QUESTION 192
Which solution must a customer deploy to prioritize traffic to a cloud-based contact management
application while still allowing employees access to the Internet for business and personal use?
A. Cisco Application Visibility and Control

B. Cisco Intrusion Prevention Services
C. Cisco NetFlow
D. policy-based routing
Answer: A
QUESTION 193
Which three categories of the seven major risk management categories are covered in the Cyber
Risk Reports? (Choose three.)
A. vulnerability
B. risk rating
C. legal
D. confidence level
E. geopolitical
F. global reputation
Answer: ACE
QUESTION 194
Which option describes a customer benefit of the Cisco Security IntelliShield Alert Manager?
A. It provides access to threat and vulnerability information for Cisco related products only.
B. It consolidates vulnerability information from an internal Cisco source, which allows security
personnel to focus on remediation and proactive protection versus research.
C. It provides effective and timely security intelligence via early warnings about new threats and
technology vulnerabilities.
D. It enhances the efficiency of security staff with accurate, noncustomizable threat intelligence,
critical remediation information, and easy-to-use workflow tools.
Answer: C
QUESTION 195
Which two options are known limitations in deploying an IPS sensor in promiscuous mode versus
inline mode? (Choose two).
A. It is less effective in stopping email viruses and automated attackers such as worms.
B. It requires less of an operational response because the attacks are blocked automatically without
operational team support.
C. Sensors in this deployment cannot stop the trigger packet and are not guaranteed to stop a
connection.
D. A sensor failure affects network functionality.
E. It does not see the same traffic.
Answer: AC
QUESTION 196
Which option describes how the native VLAN is set up on an IPS sensor when VLAN groups are
used in an inline deployment of the sensor?
A. The sensor looks at the native VLAN setup on the switch to determine the correct native VLAN to
use.
B. The sensor does not care about VLANs.
C. A default VLAN variable must be associated with each physical interface on the sensor.
D. There is no way to set this, so you need to tag all traffic.
E. ISL links are only supported.
Answer: C
QUESTION 197
Using the Cisco WSA GUI, where should an operator navigate to determine the running software
image on the Cisco WSA?
A. Systems Administration > System Upgrade

B. Systems Administration > Feature Keys
C. Systems Administration > General
D. Admin > System Info
Answer: A
QUESTION 198
When a user receives an encrypted email from a Cisco ESA, which technology is used to retrieve
the key to open the email?
A. trusted certificate authority

B. private certificate authority
C. Cisco Registered Envelope Service
D. Simple Certificate Enrollment Protocol
Answer: C
QUESTION 199
Which four methods are used to deploy transparent mode traffic redirection? (Choose four.)
A. PAC files
B. Web Cache Communication Protocol
C. policy-based routing
D. Microsoft GPO
E. Layer 4 switch
F. DHCP server
G. Layer 7 switch
H. manual browser configuration
Answer: BCEG
QUESTION 200
When centralized message tracking is enabled on the Cisco ESA, over which port does the
communication to the SMA occur by default?
A. port 2222/TCP
B. port 443/TCP
C. port 25/TCP
D. port 22/TCP
Answer: D
QUESTION 201
Which platform has message tracking enabled by default?
A. C670
B. C370
C. Virtual ESA
D. It is not enabled by default on any platform.
Answer: D
QUESTION 202
Which two options are the correct URL and credentials used to access the Cisco Web Security
Appliance for the first time? (Choose two.)
A. admin/password
B. http://192.168.1.1:8080
C. ironport/ironport
D. http://192.168.42.42:8080
E. admin/ironport
F. http://192.168.42.42:8443
Answer: DE
QUESTION 203
Which interface on the Cisco Email Security Appliance has HTTP and SSH enabled by default?
A. data 1
B. data 2
C. management 1
D. all interfaces
Answer: A
QUESTION 204
Lab Simulation
Answer:
Review the explanation part for full solution.
We need to create a policy map named inside-policy and send the traffic to the CXSC blade:
ASA-FW# config t
ASA-FW(config)# policy-map inside-policy
ASA-FW(config-pmap)# policy-map inside-policy
ASA-FW(config-pmap)# class class-default
ASA-FW(config-pmap-c)# cxsc fail-close auth-proxy
ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit
The fail-close is needed as per instructions that if the CX module fails, no traffic should be
allowed. The auth-proxy keyword is needed for active authentication.
Next, we need to apply this policy map to the inside interface:
ASA-FW(config)#service-policy inside-policy interface inside.
Finally, verify that the policy is active:
ASA-FW# show service-policy interface inside

Interface inside:
Service-policy: inside-policy
Class-map: class-default
Default QueueingCXSC: card status Up, mode fail-close, auth-proxy enabled Packet input 181,
packet output 183, drop 0, reset-drop 0, proxied 0
Configuration guidelines can be found at this reference link:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/m
odules_cx.pdf
QUESTION 205
Lab Simulation
Answer: Review the explanation part for full solution.
We need to define the parameter map, specifying port 8080 for http and https and define the
servers and the license:
Branch-ISR#config t
Branch-ISR(config)#parameter-map type content-scan global
Branch-ISR(config-profile)#server scansafe primary name proxy-
a.scansafe.net port http 8080 https 8080
Branch-ISR(config-profile)#server scansafe secondary name proxy-
b.scansafe.net port http 8080 https 8080
Branch-ISR(config-profile)#license 0 0123456789abcdef
If the CWS proxy servers are not available, we traffic should be denied. This is done by the
following configuration:
Branch-ISR(config-profile)#server scansafe on-failure block-all
Now we need to apply this to the fastethernet 0/1 interface outbound:
Branch-ISR(config)#interface Fastethernet 0/1

Branch-ISR(config-if)#content-scan outbound
Branch-ISR(config-if)#exit
Branch-ISR(config)#exit
Finally, we can verify out configuration by using the "show content-scan summary command:
Branch-ISR#show content-scan summary

Primary: 72.37.244.203(Up)*
Secondary: 70.39.231.99 (Up)
Interfaces: Fastethernet0/1
QUESTION 206
Hotspot Questions (QUESTION 206 - QUESTION 209)
For which domains will the Cisco Email Security Appliance allow up to 5000 recipients per
message?
A. violet.public
B. violet.public and blue.public
C. violet.public, blue.public and green.public
D. red.public
E. orange.public
F. red.public and orange.public
Answer: E
Explanation:
Here we see that the TRUSTED policy is being throttled to 5000 recipients per message.
By looking at the HAT policy we see that the TRUSTED policy applies to the WHITELIST sender
group.
By clicking on the WHITELIST sender group we can see that orange.public is listed as the
sender.
QUESTION 207
What is the maximum number of recipients per hour that the Cisco Email Security Appliance will
accept from the green.public domain?
A. 0
B. 1
C. 20
D. 25
E. 50
F. 5000
G. Unlimited
Answer: C
Explanation:
From the instructions we know that the green.public domain has been assigned a reputation
score of 2.
From below we know that a reputation score of 2 belongs to the SUSPECTLIST, which has a
policy of “THROTTLED”:
By clicking on the THROTTLED policy we see that the max recipients per hour has been set to
20:
QUESTION 208
What is the maximum message size that the Cisco Email Security Appliance will accept
from the violet.public domain?
A. 1 KB
B. 100 KB
C. 1 MB
D. 10 MB
E. 100 MB
F. Unlimited
Answer: D
Explanation:
From the instructions we know that the reputation score for the violet.public domain has been set
to 8. From the HAT table shown below we know that a score of 8 belongs to the UNKNOWNLIST
group, which is assigned the ACCEPTED policy.
By clicking on the ACCEPTED policy we see that max message size has been set to the default
value of 10M:
QUESTION 209
The Cisco Email Security Appliance will reject messages from which domains?
A. red.public
B. red.public and orange.public
C. red.public, orange.public and yellow.public
D. orange.public
E. violet.public
F. violet.public and blue.public
G. None of the listed domains
Answer: F
Explanation:
The BLOCKED policy rejects messages as shown below:
The BLOCKED policy is assigned to the BLACKLIST sender group, and here we see that no
senders have been applied to this group:
QUESTION 210
Refer to the exhibit, which description of the result of this configuration is true?
R01(config)#ip wccp web-cache redirect-list 80 password-local
A. Traffic denied in prefix-list 80 is redirected to the Cisco WSA

B. The default "cisco" password is configured on the Cisco WSA
C. Traffic permitted in access-list 80 is redirected to the Cisco WSA
D. Traffic using TCP port 80 is redirected to the Cisco WSA
Answer: C
QUESTION 211
For which task can PRSM be used?
A. To configure Cisco ASA CX firewalls

B. To monitor Cisco intelliShield
C. To monitor CWS traffic
D. To configure Cisco ESA
Answer: A
QUESTION 212
Which command applies WCCP redirection on the inside interface of a cisco asa 5500-x firewall?
A. wccp interface inside 90 redirect in
B. web-cache interface inside 90 redirect in
C. wccp interface inside redirect out
D. wccp web-cache
Answer: A
QUESTION 213
Which IPS signature engine inspects the IP protocol packets and the Layer TCP?
A. String TCP
B. Atomic TCP
C. Service HTTP
D. Atomic IP
Answer: D
QUESTION 214
Which statement about the Cisco CWS web filtering policy behavior is true?
A. Rules are comprised of three criteria and an action.

B. By default, the schedule is set to office hours.
C. At least one rule applies to a web request.
D. In the evaluation of a rule set, the best match wins.
Answer: A
QUESTION 215
How are HTTP requests handled by the Cisco WSA?
A. A transparent request has a destination IP address of the configured proxy.

B. The URI for an implicit request doest not contain the DNS host.
C. An explict request has a destination IP address of the intended web server.
D. The URI for an explicit request contains the host with the protocol information.
Answer: D
QUESTION 216
Which option describes what occurs with asymmetric routing when an IPS normalization engine is
enable?
A. It allows the return packets back to the source path.

B. It must see a valud SYN/ACK before it lets a flow pass, otherwise the IPS normalization engine
assumes that is is encountering a fragmentation attack, and it drops the retun packets
C. It must see a valid ACK/ACK before it lets a flow pass.
D. It must see a valid SYN/ACK before it lets a flow pass, otherwise the IPS normalization engine
assumes that it is in encountering an evasion attack and drops the return packets.
Answer: D
QUESTION 217
Which statement about the Cisco ASA CX role in inspecting SSL traffic is true?
A. To decrypt traffic, the Cisco ASA CX must accept the websites' certificates as Trusted Root CAs.
B. If the administrator elects to decrypt traffic, the Cisco ASA CX acts as a man-in--me-middle.
C. Either all traffic is decrypted, or no traffic is decrypted by the Cisco ASA CX.
D. The traffic is encrypted, so the Cisco ASA CX cannot determine the content of the traffic.
Answer: B
QUESTION 218
When https traffic is scanned, which component of the full URL does CWS log?
A. only path
B. only host Y
C. host and query
D. path and query
Answer: B
QUESTION 219
Using the Cisco WSA GUI, where should an operator navigate to determine the running sotfware
image on the Cisco WSA?
A. Systems Administration > Feature Keys

B. Systems Administration > System Upgrade
C. Admin > System info
D. Systems Administration > General
Answer: B
QUESTION 220
Which step is required when you configure URL filtering to Cisco Cloud Web Security?
A. configure URL filtering policies in Cisco ScanCenter

B. install the ASA FirePOWER module on the Cisco ASA.
C. Implement Next Generation IPS instrusion rules.
D. Configure URL filtering criteria in the Cisco ASA FirePOWER access rules.
Answer: A
QUESTION 221
Which action cloud reduce the security of the management interface of the Cisco ESA appliance?
A. Assing delegated administrator roles to engineers who manage the mail policies.
B. create a network access list to allow all connections to the management interface
C. Display a login banner indicating that all appliance use is logged and reviewed
D. configure a web UI session timeout of 30 minutes for connected users.
Answer: A
QUESTION 222
A security engineer is configuring user identity for the Cisco ASA connector for Cisco CWS. How
many AAA server groups must the engineer configure?
A. 1
B. 3
C. 4
D. 2
Answer: D
QUESTION 223
Which option represents the cisco event aggregation product?
A. CVSS system
B. IntelliShield
C. ASA CX Event Viewer
D. ASDM 7.5
Answer: C
QUESTION 224
Which statement about the default configuration of an IPS sensor's management security settings
is true?
A. There is no login banner

B. The web server port is TCP 80
C. Telnet and SSH are enable
D. User accounts lock after three attempts
Answer: A
QUESTION 225
Which information does the show scansafe statistics command provide?
A. ESA message tracking

B. PRSM events
C. AV statistics
D. Cisco CWS activity
Answer: D
QUESTION 226
On which plateforms can you run CWS connector? (choose two)
A. Cisco ASA Firewall
B. Cisco IPS module
C. Standalone deployment
D. Cisco ISR router
E. Cisco Firepower NGIPS
Answer: AD
QUESTION 227
Refer to the exhibit, which description of the result of this configuration is true?
Router(config)#line vty 5 15
Router(config-line)#access-class 23 in
A. Only clients denied in access list 23 can manage the router.

B. Only telnet access (TCP) is allowed on the VTY lines of this router
C. Only clients permitted in access list 23 can manage the router
D. Only SSH access (TCP 23) is allowed on the VTY lines of this router.
Answer: C
QUESTION 228
What does the anomaly detection Cisco IOS IPS component detection ?
A. ARP Spoofing
B. Worm-infected hosts
C. Signature changes
D. Network Congestion
Answer: B
QUESTION 229
Refer to the exhibit. The security engineer has configured cisco cloud web security redirection on
a cisco ASA firewall. Which statement describes what can be determined from exhibit?
A. In case of issues, the next step should be to perform debugging on the cisco ASA.
B. The URL visited by the user was LAB://testgroup.
C. This out has been obtained by browsing to whoami.scansafe.net
D. The IP address of the Scansafe tower is 209.165.200.241
Answer: C
QUESTION 230
Refer to the exhibit. How is the "cisco" password stored?
Router (config) #username admin secret cisco

Router (config) #no service password-encryption
A. As MD5 hash
B. As Type 0
C. As Type 7
D. As Clear Text
Answer: A
QUESTION 231
Refer to the exhibit. What type of password is "cisco"?
Router(config)#service password-encryption
Router(config)#username admin password cisco
A. Enhanced
B. CHAP
C. Type 7
D. Type 0
Answer: C
QUESTION 232
When does the Cisco ASA send traffic to the Cisco ASA IPS module for analysis?
A. before firewall policy are applied

B. after outgoing VPN traffic is encrypted
C. after firewall policies are applied
D. before incoming VPN traffic is decrypted.
Answer: C
QUESTION 233
Which technique is deployed to harden network devices?
A. port-by-port router ACLs

B. infrastructure ACLs
C. transmit ACLs
D. VLAN ACLs
Answer: B
QUESTION 234
Refer to the exhibit. Which option describe the result of this configuration on a Cisco ASA
firewall?
asafwl (config) #http server enable

asafw1(config)#http 10.10.10.1 255.255.255.255 inside
A. The firewall allows command-line access from 10.10.10.1

B. The firewall allows ASDM access from a client on 10.10.10.1
C. The management IP address of the firewall is 10.10.10.1
D. The inside interface IP address of the firewall is 10.10.10.1
Answer: B
QUESTION 235
Which Option of SNMPv3 ensure authentication but no encryption?
A. priv
B. no auth
C. no priv
D. authNoPriv
Answer: D
Explanation:
SNMPv1, SNMPv2c, and SNMPv3 each represent a different security model. The security model
combines with the selected security level to determine the security mechanism applied when the
SNMP message is processed.
The security level determines the privileges required to view the message associated with an
SNMP trap. The privilege level determines whether the message needs to be protected from
disclosure or authenticated. The supported security level depends upon which security model is
implemented. SNMP security levels support one or more of the following privileges:
SNMPv3 provides for both security models and security levels. A security model is an
authentication strategy that is set up for a user and the role in which the user resides. A security
level is the permitted level of security within a security model. A combination of a security model
and a security level determines which security mechanism is employed when handling an SNMP
packet.
QUESTION 236
Which commands are required to configure SSH on router? (Choose two)
A. configure domain name using ip domain-name command

B. generate a key using crypto key generate rsa
C. Configure a DHCP host for the router using dhcpname#configure terminal
D. Generate enterprise CA self-sign certificate
Answer: AB
Answer: A
QUESTION 237
An enginner manages a Cisco Intrusion Prevention System via IME. A new user must be able to
tune signatures, but must not be able to create new users. Which role for the new user is correct?
A. viewer
B. service
C. operator
D. administrator
Answer: C
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/command/reference/cmdref/crIntro.html
QUESTION 238
Which two pieces of information are required to implement transparent user identification using
context Directory Agent? (Choose two)
A. the backup context Directory Agent

B. the shared secret
C. the server name where Context Directory Agent is installed
D. the server name of the global catalog domaint controller
E. the syslog server IP address
Answer: BC
QUESTION 239
Which settings are required when deploying Cisco IPS in high-availability mode using
EtherChannel load balancy?
A. ECLB IPS appliances must be in on-a-stick mode, ECLB IPS solution maintains state if a sensor
goes down, and TCP flow is forced through the same IPS appliance.
B. ECLB IPS appliances must not be in on-a-stick mode, ECLB IPS solution maintains state if a
sensor goes down, and TCP flow is forced through the same IPS appliance flow
C. ECLB IPS appliances must be in on-a-stick mode, ECLB IPS solution does not maintain state if a
sensor goes down, and TCP flow is forced through a different IPS appliance.
D. ECLB IPS appliances must not be in on-a-stick mode, ECLB IPS solution does not maintain state
if a sensor goes down, and TCP flow is forced through a different IPS appliance.
Answer: C
Explanation:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186
a0080671a8d.shtml
QUESTION 240
Which Cisco technology secures the network through malware filtering, category-base control,
and reputation-based control?
A. Cisco WSA
B. Cisco IPS
C. Cisco ASA 5500 series appliances
D. Cisco remote-access VPNs
Answer: A
QUESTION 241
Which option describes the role of the Learning Accept Mode for anomaly detection?
A. It creates a knowledge base of the network traffic

B. It detects ongoing attacks and adds them to a database.
C. It configures the anomaly detection zones.
D. It identifies incomplete connections and flags them.
Answer: A
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/sec
urity_manager/4-0/user/guide/CSMUserGuide_wrapper/ipsanom.html
QUESTION 242
Which description of an advantage of utilizing IPS virtual sensors is true?
A. Different configurations can be applied to different sets of traffic.

B. The persistent store is unlimited for the IPS virtual sensor.
C. The virtual sensor does not require 802.1q headers for inbound traffic.
D. Asymmetric traffic can be split between multiple virtual sensors
Answer: A
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/ips/7-
0/configuration/guide/cli/cliguide7/cli_virtual_sensors.pdf
QUESTION 243
Elliptic curve cryptography is a stronger more efficient cryptography method meant to replace
which current encryption technology?
A. 3DES
B. RSA
C. DES
D. AES
Answer: B
QUESTION 244
Which action is possible when a signature is triggered on the Cisco IOS IPS?
A. Deny all packets with the same source address

B. Send an email via SMTP to the administrator
C. Deny all packets with the same port destination
D. Send an SNMP alert to a monitoring system
Answer: A
QUESTION 245
Which signature engine is responsible for ICMP inspection on Cisco IPS?
A. AIC Engine
B. Fixed Engine
C. Service Engine
D. Atomic IP Engine
Answer: D
QUESTION 246
A network security design engineer is considering using a Cisco Intrusion Detection System in the
DMZ of the network. Which option is the drawback to using IDS in the DMZ as opposed to using
Intrusion Prevention System?
A. Sensors, when placed in-line, can impact network functionality during sensor failure.
B. IDS has impact on the network (thatis, latency and jitter).
C. Response actions cannot stop triggered packet or guarantee to stop a connection techniques.
D. Response actions cannot stop malicious packets or cannot guarantee to stop any DOS attack.
Answer: C
QUESTION 247
Which three statements about threat ratings are true? (Choose three.)
A. A threat rating is equivalent to a risk rating that has been lowered by an alert rating.
B. The largest threat rating from all actioned events is added to the risk rating.
C. The smallest threat rating from all actioned events is subtracted from the risk rating.
D. The alert rating for deny-attacker-inline is 45.
E. Unmitigated events do not cause a threat rating modification.
F. The threat rating for deny-attacker-inline is 50.
Answer: ADE
QUESTION 248
Which two configuration steps are required for implementing SSH for management access to a
Cisco router? (Choose two.)
A. Configuring the SSH version with the ip ssh version 2 command.

B. Generating RSA key pairs with the crypto key generate rsa command.
C. Enabling AAA for authentication, authorization, and accounting with the aaa new-
model command.
D. Enabling SSH transport with the transport input ssh command.
E. Configuring a domain name with the ip domain-name [name] command.
Answer: DE
Explanation:
http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell- ssh/4145ssh.html
QUESTION 249
Which Cisco IOS command uses the default class map to limit SNMP inspection to traffic from
10.1.1.0 to 192.168.1.0?
A. hostname(config)# access-list inspect extended permit ip 10.1.1.0.0.0.0.255

192.168.1.0.0.0.0.255
hostname(config)# class-map inspection_default
hostname(config-cmap)# match access-list inspect
B. hostname(config)# access-list inspect extended permit ip 10.1.1.0 255.255.255.0
192.168.1.0 255.255.255.0
C. hostname(config)# access-list inspect extended permit ip 10.1.1.0 255.255.255.0
192.168.1.0 255.255.255.0
D. hostname(config)# access-list inspect extended permit ip 10.1.1.0.0.0.255
192.168.1.0.0.0.255
Answer: C
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/inspect_overv
iew.html
QUESTION 250
Drag and drop the terms on the left onto the correct definition for the promiscuous IPS risk rating
calculation on the right.
Answer:
QUESTION 251
Drag and drop the steps on the left into the correct order on the right to configure a Cisco ASA
NGFW with multiple security contexts.
Answer:
QUESTION 252
Drag and drop the steps on the left into the correct order of initial Cisco IOS IPS configuration on
the right.
Answer:
QUESTION 253
Which detection method is also known as machine learning on Network-based Cisco Advanced
Malware Protection?
A. custom file detection

B. hashing
C. Spero engine
D. dynamic analysis
Answer: C
Explantation:
http://www.cisco.com/c/en/us/products/collateral/security/fireamp-private-cloud-virtual-
appliance/datasheet-c78-733180.html
QUESTION 254
Which policy is used to capture host information on the Cisco Next Generation Intrusion
Prevention System?
A. network discovery
B. correlation
C. intrusion
D. access control
Answer: C
QUESTION 255
With Cisco FirePOWER Threat Defense software, which interface mode do you configure for an
IPS deployment, where traffic passes through the appliance but does not require VLAN rewriting?
A. inline set
B. passive
C. inline tap
D. routed
E. transparent
Answer: D
QUESTION 256
How does the WSA policy trace tool make a request to the Proxy to emulate a client request?
A. explicitly
B. transparently
C. via WCCP
D. via policy-based routing
Answer: C
QUESTION 257
With Cisco AMP for Endpoints, which option shows a list of all files that have been executed in
your environment?
A. vulnerable software
B. file analysis
C. detections
D. prevalence
E. threat root cause
Answer: B
QUESTION 258
When the WSA policy trace tool is used to make a request to the proxy, where is the request
logged?
A. proxy logs
B. access logs
C. authentication logs
D. The request is not logged
Answer: D
QUESTION 259
When using Cisco FirePOWFR Services for ASA, how is traffic directed form based Cisco ASA to
the Cisco POWER Services?
A. SPAN port on a Cisco Catalyst switch.

B. WCCP on the ASA.
C. inline interface pair on the Cisco FirePOWER module.
D. service policy on the ASA.
Answer: D
QUESTION 260
In a Cisco FirePOWER instrusion policy, which two event actions can be configured on a rule?
(Choose two.)
A. drop packet
B. drop and generate
C. drop connection
D. capture trigger packet
E. generate events
Answer: CD
QUESTION 261
Which object can be used on a Cisco FirePOWER appliance, but not in an access control policy
rule on Cisco FirePOWER services running on a Cisco ASA?
A. URL
B. security intelligence
C. VLAN
D. geolocation
Answer: C
QUESTION 262
Which two appliances support logical routed interfaces? (Choose two.)
A. FirePOWER services for ASA-5500-X

B. FP-4100-series
C. FP-8000-series
D. FP-7000-series
E. FP-9300-series
Answer: AE
QUESTION 263
A system administrator wants to know if the email traffic from a remote partner will active special
treatment message filters that are created just for them . Which tool on the Cisco Email Security
gateway can you use to debug and emulate the flow that a message takes through the work
queue?
A. the trace tool

B. centralized or local message tracking
C. the CLI find event command
D. the CLI grep command
E. the message tracker interface
Answer: A
QUESTION 264
In which two places can thresholding settings be configured? (Choose two.)
A. globally, per intrusion policy

B. globally, within the network analysis policy
C. on each access control rule
D. on each IPS rule
E. per preprocessor, within the network analysis policy
Answer: BD
QUESTION 265
Which cloud-based malware detection engine uses machine-learning detection techniques in the
Cisco Advanced Malware Protection cloud?
A. third-party detections
B. Spero
C. Ethos
D. Memcache
Answer: B
QUESTION 266
Which Cisco FirePOWER setting is used to reduce thenumber of events received in a period of
time and avoid being overwhelmed?
A. thresholding
B. rate-limiting
C. limiting
D. correlation
Answer: D
QUESTION 267
Access the configuration of the Cisco Email Security Appliance using the MailFlowPolicies tab.
Within the GUI, you can navigate between the Host Access Table Overview and Mail Flow
Policies tables. You can also navigate to the individual Mail Flow Policies and Sender Groups that
are configured on the appliance.
Consider the configuration and the SenderBase Reputation Scores of the following fictitious
domains when answering the four multiple choice questions.
A. red.public, -6
B. orange.public, -4
C. yellow.public, -2
D. green .. public, 2
E. blue.public, 6
F. violet.public, 8
Answer: D
QUESTION 268
What is the function of the Web Proxy Auto Discovery protocol?
A. It enables a web client's traffic flows to be redirected in real time.

B. It enables web clients to dynamically resolve hostname records.
C. It enables a web client to download a script or configuration file that is named by a URL.
D. It enables a web client to discover the URL of a configuration file.
Answer: D
QUESTION 269
On Cisco Firepower Management Center, which policy is used to collect health modules alerts
from managed devices?
A. health policy
B. system policy
C. correlation policy
D. access control policy
E. health awareness policy
Answer: A
QUESTION 270
Your organization has subscribed to the Cisco Cloud Web Security (CWS) service.
You have been assigned the task of configuring the CWS connector on the ISR-G2 router at a
branch office. Details of the configuration requirements include:
- Content scanning should be enabled for traffic outbound from

FastEthernet0/1.
- Explicitly specify 8080 for both the http and the https ports.
- The primary CWS proxy server is proxy-a.scansafe.net.
- The secondary CWS proxy server is proxy-b.scansafe.net .
- The unencrypted license key is 0123456789abcdef
- If the CWS proxy servers are not available. web traffic from the
branch office should be denied . - After configuration. use show
commands to verify connectivity with the CWS service and scan activity
You can access the console of the ISR at the branch office using the icon on the topology display.
The enable password is Cisco!23
With Firepower Threat Defense, which two interface settings are required when configuring a
routed interface? (Choose two.)
A. Speed
B. Duplex
C. Media Type
D. Redundant Interface
E. EtherChannel
Answer: AB
QUESTION 271
Which Cisco AMP for Endpoints, what is meant by simple custom detection?
A. It is a rule for identifying a file that should be whitelisted by Cisco AMP.

B. It is a method for identifying and quarantining a specific file by its SHA-256 hash.
C. It is a feature for configuring a personal firewall.
D. It is a method for identifying and quarantining a set of files by regular expression language.
Answer: B
QUESTION 272
Which option lists the minimum requirements to deploy a managed device inline?
A. passive interface, security zone, MTU, and link mode.

B. passive interface, MTU, MDI/MDIX, and link mode.
C. inline interfaces, MTU, MDI/MDIX, and link mode.
D. inline interfaces, security zones, MTU, and link mode.
Answer: A
QUESTION 273
Which two methods are used to deploy transparent mode traffic redirection? (Choose two)
A. Microsoft GPO
B. policy-based routing
C. DHCP server
D. PAC files
E. Web Cache Communication Protocol
Answer: BE
QUESTION 274
When deploying Cisco FirePOWER appliances, which option must you configure to enable VLAN
rewriting?
A. hybrid interfaces
B. virtual switch
C. virtual router
D. inline set
Answer: B
QUESTION 275
Which policy must you edit to make changes to the Snort preprocessors?
A. access control policy

B. network discovery policy
C. intrusion policy
D. file policy
E. network analysis policy
Answer: A
QUESTION 276
Which three access control actions permit traffic to pass through the device when using Cisco
FirePOWER? (Choose three.)
A. pass
B. trust
C. monitor
D. allow
E. permit
F. inspect
Answer: BCD
QUESTION 277
Which two TCP ports can allow the Cisco Firepower Management Center to communication with
FireAMP cloud for file disposition information? (Choose two.)
A. 8080
B. 22
C. 8305
D. 32137
E. 443
Answer: DE
QUESTION 278
When creating an SSL policy on Cisco FirePOWER, which three options do you have?
A. do not decrypt
B. trust
C. allow
D. block with reset
E. block
F. encrypt
Answer: ADE
QUESTION 279
Which three operating systems are supported with Cisco AMP for Endpoints? (Choose three.)
A. Windows
B. AWS
C. Android
D. Cisco lOS
E. OSX
F. ChromeOS
Answer: ACE
QUESTION 280
Which feature requires the network discovery policy for it to work on the Cisco Next Generate
fusion Prevent-on System?
A. impact flags
B. URL filtering
C. security intelligence
D. health monitoring
Answer: A
QUESTION 281
Which CLI command is used to register a Cisco FirePOWER sensor to Firepower Management
Center?
A. configure system add <host><key>

B. configure manager <key> add host
C. configure manager delete
D. configure manger add <host><key>
Answer: D
Explanation:
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118596-
configure-firesight-00.html
QUESTION 282
Which CLI command is used to generate firewall debug messages on a Cisco FirePOWER
sensor?
A. system support ssl-debug

B. system support firewall-engine-debug
C. system support capture-traffic
D. system support platform
Answer: C
QUESTION 283
When using Cisco AMP for Networks, which feature copies a file to the Cisco AMP cloud for
analysis?
A. Spero analysis
B. dynamic analysis
C. sandbox analysis
D. malware analysis
Answer: B
QUESTION 284
With Cisco FirePOWER Threat Defense software, which interface mode do you configure to
passively receive traffic that passes the appliance?
A. transparent
B. routed
C. passive
D. inline set
E. inline tap
Answer: C
QUESTION 285
Which three routing options are valid with Cisco FirePOWER version 5.4? (Choose three.)
A. Layer 3 routing with EIGRP

B. Layer 3 routing with OSPF not-so-stubby area
C. Layer 3 routing with RiPv2
D. Layer 3 routing with RIPv1
E. Layer 3 routing with OSPF stub area
F. Layer 3 routing with static routes
Answer: DEF
QUESTION 286
Which three statements about Cisco CWS are true'? (Choose three)
A. It provides protection against zero-day threats.

B. Cisco 510 provides it with threat updates in near real time.
C. It supports granular application policies.
D. Its Roaming User Protection feature protects the VPN from malware and data breaches.
E. It supports local content caching.
F. Its Cognitive Threat Analytics feature uses cloud-based analysis and detection to block threats
outside the network.
Answer: ABC
QUESTION 287
Which Cisco Advanced Malware protection for Endpoints deployment architecture is designed to
keep data within a network perimeter?
A. cloud web services

B. network AMP
C. private cloud
D. public cloud
Answer: C
QUESTION 288
Which type of policy do you configure if you want to look for a combination of events using
Boolean logic?
A. correlation
B. application detector
C. traffic profile
D. access control
E. intrusion
Answer: A
QUESTION 289
Which interface type allows packets to be dropped?
A. passive
B. inline
C. TAP
D. either passive or inline, provided that the intrusion policy has the Drop When lnline check box
selected.
Answer: D
QUESTION 290
Which Cisco Firepower rule action displays a HTTP warning page and resets the connection of
HTTP traffic specified in the access control rule ?
A. Interactive Block with Reset

B. Block
C. Allow with Warning
D. Interactive Block
Answer: C
QUESTION 291
With Cisco AMP for Endpoints on Windows, which three engines are available in the connector?
(Choose three)
A. Ethos
B. Tetra
C. Annas
D. Spero
E. Talos
F. ClamAV
Answer: ABD
QUESTION 292
Refer to the exhibit. Which option is a result of this configuration?
A. All ingress traffic on the inside interface that matches the access list is redirected.
B. All egress traffic on the outside interface that matches the access list is redirected.
C. All TCP traffic that arrives on the inside interface is redirected.
D. All ingress and egress traffic is redirected to the Cisco FirePOWER module.
Answer: D
QUESTION 293
What are two requirements for configuring a hybrid interface in FirePOWER? (Choose two)
A. virtual network
B. virtual router
C. virtual appliance
D. virtual switch
E. virtual context
Answer: AD
QUESTION 294
Which type of policy is used to define the scope for applications that are running on hosts?
A. access control policy.

B. application awareness policy.
C. application detector policy.
D. network discovery policy.
Answer: B
QUESTION 295
When you configure the Cisco ESA to perform blacklisting, what are two items you can disable to
enhance performance? (Choose two.)
A. rootkit detection
B. spam scanning
C. APT detection
D. antivirus scanning
E. URL filtering
Answer: BD
QUESTION 296
Which protocols can be specified in a Snort rule header for analysis?
A. TCP, UDP, ICMP, and IP

B. TCP, UDP, and IP
C. TCP, UDP, and ICMP
D. TCP, UDP, ICMP, IP, and ESP
E. TCP and UDP
Answer: D

300 210

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

300 210

Uploaded by

Copyright:

Available Formats

Vendor: Cisco

Exam Code: 300-210

Exam Name: Implementing Cisco Threat Control Solutions

Order ID: ****************

PayPal Name: ****************

PayPal ID: ****************

A. Inline Mode, Permit Traffic

A. Show statistics virtual-sensor

A. clientless SSL VPN

A. Cisco AnyConnect Premium license

A. the signature author

A. It is created every 24 hours and used for 24 hours.

A. drop-exe: if (attachment-filename == "\\.exe$") OR (attachment-filetype == "exe") { drop(); }

A. sh run scansafe server

A. Configure a smart tunnel for the application.

A. Alert Summary as Text

A. It configures system polices for NAC devices.

A. Cisco Prime LAN Management

A. the IntelliShield Threat Outbreak Alert

A. Anomaly detection operational mode

A. Inline; fail open

A. sensor# configure terminal

A. SPAN does not introduce latency to network traffic.

A. Accept, Reject, Relay, TCPRefuse

A. AsyncOS version 7.7.x

A. It can protect against command-injection and directory-traversal attacks.

A. Cisco ASA 5500 Series appliances

A. It groups multiple ASAs as a single logical device.

A. url-server (DMZ) vendor smartfilter host 10.0.1.1

A. Cisco Security Intelligence Operations

A. It will not contribute to the SensorBase network.

A. This is a custom signature.

A. The maximum number of denied attackers is set to 10000.

A. It is only enabled to identify "Cisco IOS" OS using statically mapped OS fingerprinting

Finally. Log the packets for the LOWRICK event:

A. Self Signed Server Certificate

A. Voice and Video Applications

A. Web Security Manager HTTPS Proxy click Enable

A. It integrates with Cisco Integrated Service Routers.

A. Cisco Dynamic Content Analysis Engine

A. Validation of malicious traffic

A. Cisco Anti-Replay Services

A. The Telnet protocol is enabled by default

A. Web Security Manager Identity Identity Name

A. Backup Server list

A. Inline Mode, Permit Traffic

A. Show statistics virtual-sensor

A. Checking for new signatures every 4 hours

A. requires administrative privileges in order to run

A. are assigned per-Connection Profile

A. MD5 produces a 64-bit message digest

A. Outgoing Mail Reports

A. Rejected Connection Handling

A. The remote MTA has a SenderBase Reputation Score of -1.0.

A. the message tracker interface

A. show scansafe statistics

A. It provides basic device management for large-scale deployments.

A. If it is between -1 and +10, the email is accepted

A. the signature author

A. HTTPS traffic decryption and inspection

A. validation of malicious traffic

A. Request Block Host

A. Inline Mode, Permit Traffic