Cisco 300-710 Practice Test - Questions Answers, Page 2

List of questions
Question 11

Which two dynamic routing protocols are supported in Firepower Threat Defense without using FlexConfig? (Choose two.)
EIGRP
OSPF
static routing
IS-IS
BGP
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/660/fdm/fptd-fdm-configguide-660/fptd- fdm-routing.html
Question 12

Which policy rule is included in the deployment of a local DMZ during the initial deployment of a Cisco NGFW through the Cisco FMC GUI?
a default DMZ policy for which only a user can change the IP addresses.
deny ip any
no policy rule is included
permit ip any
Question 13

What are two application layer preprocessors? (Choose two.)
CIFS
IMAP
SSL
DNP3
ICMP
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-configguide-v60/Application_Layer_Preprocessors.html
Question 14

An engineer is tasked with deploying an internal perimeter firewall that will support multiple DMZs Each DMZ has a unique private IP subnet range. How is this requirement satisfied?
Deploy the firewall in transparent mode with access control policies.
Deploy the firewall in routed mode with access control policies.
Deploy the firewall in routed mode with NAT configured.
Deploy the firewall in transparent mode with NAT configured.
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/intro-fw.html
Question 15

An engineer must configure high availability for the Cisco Firepower devices. The current network topology does not allow for two devices to pass traffic concurrently. How must the devices be implemented in this environment?
in active/active mode
in a cluster span EtherChannel
in active/passive mode
in cluster interface mode
Question 16

When deploying a Cisco ASA Firepower module, an organization wants to evaluate the contents of the traffic without affecting the network. It is currently configured to have more than one instance of the same device on the physical appliance Which deployment mode meets the needs of the organization?
inline tap monitor-only mode
passive monitor-only mode
passive tap monitor-only mode
inline mode
https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/firewall/asa-910-firewall-config/access-sfr.htmlInline tap monitor-only mode (ASA inline)βIn an inline tap monitor-only deployment, a copy of thetraffic is sent to the ASA FirePOWER module, but it is not returned to the ASA. Inline tap mode letsyou see what the ASA FirePOWER module would have done to traffic, and lets you evaluate thecontent of the traffic, without impacting the network.
However, in this mode, the ASA does apply itspolicies to the traffic, so traffic can be dropped due to access rules, TCP normalization, and so forth.
Question 17

An organization has a Cisco FTD that uses bridge groups to pass traffic from the inside interfaces to the outside interfaces. They are unable to gather information about neighbouring Cisco devices or use multicast in their environment. What must be done to resolve this issue?
Create a firewall rule to allow CDP traffic.
Create a bridge group with the firewall interfaces.
Change the firewall mode to transparent.
Change the firewall mode to routed.
"In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule..." "The bridge group does not pass CDP packets packets..."
https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/general/asa-913-general-config/intro-fw.htmlPassing Traffic Not Allowed in Routed ModeIn routed mode, some types of traffic cannot pass through the ASA even if you allow it in an accessrule. The bridge group, however, can allow almost any traffic through using either an access rule (forIP traffic) or an EtherType rule (for non-IP traffic):
IP trafficβIn routed firewall mode, broadcast and "multicast traffic is blocked even if you allow it in an access rule," including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay). Within a bridge group, you can allow this traffic with an access rule (using an extended ACL).
Non-IP trafficβAppleTalk, IPX, BPDUs, and MPLS, for example, can be configured to go through using an EtherType rule.
Note
"The bridge group does not pass CDP packets packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. An exception is made for BPDUs and IS-IS, which are supported. "
Question 18

A network engineer implements a new Cisco Firepower device on the network to take advantage of its intrusion detection functionality. There is a requirement to analyze the traffic going across the device, alert on any malicious traffic, and appear as a bump in the wire How should this be implemented?
Specify the BVl IP address as the default gateway for connected devices.
Enable routing on the Cisco Firepower
Add an IP address to the physical Cisco Firepower interfaces.
Configure a bridge group in transparent mode.
Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices.
However, like any other firewall, access control between interfaces is controlled, and all of the usual firewall checks are in place. Layer 2 connectivity is achieved by using a "bridge group" where you group together the inside and outside interfaces for a network, and the ASA uses bridging techniques to pass traffic between the interfaces. Each bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network. You can have multiple bridge groups for multiple networks. In transparent mode, these bridge groups cannot communicate with each other.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-generalconfig/intro-fw.html
Question 19

Which two conditions must be met to enable high availability between two Cisco FTD devices?
(Choose two.)
same flash memory size
same NTP configuration
same DHCP/PPoE configuration
same host name
same number of interfaces
https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.htmlConditionsIn order to create an HA between 2 FTD devices, these conditions must be met:
Same model
Same version (this applies to FXOS and to FTD - (major (first number), minor (second number), and maintenance (third number) must be equal)) Same number of interfaces Same type of interfaces Both devices as part of same group/domain in FMC Have identical Network Time Protocol (NTP) configuration Be fully deployed on the FMC without uncommitted changes Be in the same firewall mode: routed or transparent.
Note that this must be checked on both FTD devices and FMC GUI since there have been cases where the FTDs had the same mode, but FMC does not reflect this.
Does not have DHCP/Point-to-Point Protocol over Ethernet (PPPoE) configured in any of the interface Different hostname (Fully Qualified Domain Name (FQDN)) for both chassis. In order to check the chassis hostname navigate to FTD CLI and run this command
Question 20

An engineer is building a new access control policy using Cisco FMC. The policy must inspect a unique IPS policy as well as log rule matching. Which action must be taken to meet these requirements?
Configure an IPS policy and enable per-rule logging.
Disable the default IPS policy and enable global logging.
Configure an IPS policy and enable global logging.
Disable the default IPS policy and enable per-rule logging.
Question