Cisco 300-710 Practice Test - Questions Answers, Page 28

To configure URL filtering for a Cisco FTD device in Cisco FMC, and to meet the requirements of the question, the engineer must do the following:

On the HTTP Responses tab of the access control policy editor, set the Interactive Block Response Page to system-provided. This will enable the system to display a warning page to the users when they try to access a blocked URL, and give them the option to continue or cancel.The system-provided page is a default page that contains a generic message and a logo1.

Configure an access control rule that matches an URL object for http://www.badadultsite.com; and set the action to Interactive Block. This will apply the interactive block action to the specific URL that is defined in the URL object.The interactive block action will trigger the interactive block response page that was configured in the previous step1.

The other options are incorrect because:

On the HTTP Responses tab of the access control policy editor, setting the Block Response Page to Custom will not affect the interactive block action.The block response page is used when the action is set to Block, not Interactive Block1.

Configuring the default action for the access control policy to Interactive Block will apply the interactive block action to all URLs that are not matched by any access control rule.This will not meet the requirement of blocking no other websites1.

Configuring an access control rule that matches the Adult URL category and sets the action to Interactive Block will apply the interactive block action to all URLs that belong to the Adult category.This will not meet the requirement of blocking only http://www.badadultsite.com1.

To determine if a host is infected with malware, the network administrator can look at the Indications of Compromise (IOC) feature in Cisco FMC. The IOC feature analyzes network and endpoint data collected by Firepower sensors and AMP for Endpoints connectors, and identifies hosts that exhibit signs of compromise or infection. The IOC feature uses predefined rules based on Cisco Talos intelligence and other sources to detect IOCs on hosts.One of these rules is CnC Connected, which indicates that a host has communicated with a command-and-control (CnC) server that is known to be associated with malware activity2.

To view the IOC information for a host, the network administrator can navigate to Analysis > Hosts > Indications of Compromise in Cisco FMC, and select a host from the table. The IOC Details page will show the IOC events for that host, including the CnC Connected event, along with other information such as severity, timestamp, source, destination, protocol, and rule name.The network administrator can also view more details about each IOC event by clicking on it2.

The other options are incorrect because:

Analysis > Files > Malware Events shows information about files that have been detected as malware by Firepower sensors or AMP for Endpoints connectors.This does not show information about hosts that are infected with malware or have communicated with CnC servers3.

Analysis > Hosts > Host Attributes shows information about hosts that have been discovered by Firepower sensors, such as IP address, MAC address, operating system, applications, users, vulnerabilities, and so on.This does not show information about IOCs or CnC connections on hosts4.

Analysis > Files > Network File Trajectory shows information about files that have traversed your network and have been detected by Firepower sensors or AMP for Endpoints connectors. This allows you to track where a file came from, where it went, and what happened to it along the way.This does not show information about hosts that are infected with malware or have communicated with CnC servers5.

A custom application detector is a user-defined script that can detect web applications, clients, and application protocols based on patterns in network traffic. Custom application detectors are written in LUA, which is a lightweight and embeddable scripting language.LUA scripts can use predefined functions and variables provided by the Firepower System to access packet data and metadata, and to specify the detection criteria and the application information1.

To import a custom application detector file that was provided by a third party, you need to follow these steps1:

In the FMC web interface, navigate to Objects > Object Management > Application Detectors.

Click Import.

Browse to the location of the LUA script file and select it.

Click Upload.

Review the detector details and click Save.

The other options are incorrect because:

Perl script is not a supported format for custom application detectors. Perl is a general-purpose programming language that is not embedded in the Firepower System.

NBAR protocol is not a file type, but a feature of Cisco IOS routers that can classify and monitor network traffic based on application types. NBAR protocols are predefined and cannot be imported as custom application detectors.

Python program is not a supported format for custom application detectors. Python is a general-purpose programming language that is not embedded in the Firepower System.

The Capture w/Trace wizard in Cisco FMC allows you to capture packets on an FTD device and trace their path through the Snort engine. This can help you troubleshoot connectivity issues from an endpoint behind an FTD device and a public DNS server, as well as verify the Snort verdict for the DNS traffic. The Capture w/Trace wizard lets you specify the source and destination IP addresses, ports, and protocols for the packets you want to capture and trace, as well as the FTD device and interface where you want to perform the capture. You can also apply filters to limit the capture size and duration.After you start the capture, you can ping the DNS server from the endpoint and then view the captured packets and their Snort verdicts in the FMC web interface2.

To use the Capture w/Trace wizard in Cisco FMC, you need to follow these steps2:

In the FMC web interface, navigate to Troubleshooting > Capture/Trace.

Click New Capture.

Choose an FTD device from the Device drop-down list.

Choose an interface from the Interface drop-down list.

Enter the source and destination IP addresses, ports, and protocols for the packets you want to capture and trace. For example, if you want to capture DNS queries from an endpoint with IP address 10.1.1.100 to a DNS server with IP address 8.8.8.8, you can enter these values:

Source IP: 10.1.1.100

Source Port: any

Destination IP: 8.8.8.8

Destination Port: 53

Protocol: UDP

Optionally, apply filters to limit the capture size and duration. For example, you can set the maximum number of packets to capture, the maximum capture file size, or the maximum capture time.

Click Start.

Ping the DNS server from the endpoint and wait for some packets to be captured.

Click Stop to stop the capture.

Click View Capture to see the captured packets and their Snort verdicts.

The other options are incorrect because:

Performing a Snort engine capture using tcpdump from the FTD CLI will not allow you to trace the path of the packets through the Snort engine or verify their Snort verdicts.Tcpdump is a command-line tool that can capture packets on an FTD device, but it does not provide any information about how Snort processes those packets or what actions Snort takes on them2.

Creating a Custom Workflow in Cisco FMC will not help you troubleshoot a connectivity issue from an endpoint behind an FTD device and a public DNS server. A Custom Workflow is a user-defined set of pages that display event data in different formats, such as tables, charts, maps, and so on.A Custom Workflow does not allow you to capture or trace packets on an FTD device3.

Running the system support firewall-engine-debug command from the FTD CLI will not allow you to simulate real DNS traffic on the FTD device or verify the Snort verdict for that traffic. The firewall-engine-debug command is a diagnostic tool that can generate synthetic packets and send them through the Snort engine on an FTD device.The synthetic packets are not real network traffic and do not affect any connections or policies on the FTD device4.

Integrated routing and bridging (IRB) is a feature that allows you to route between different bridge groups on a Cisco FTD device. A bridge group is a logical interface that acts as a container for one or more physical or logical interfaces that belong to the same layer 2 broadcast domain. You can assign an IP address to a bridge group interface (BVI) and enable routing protocols on it, just like a regular routed interface. However, when you run a dynamic routing protocol on a Cisco FTD device in IRB mode, you can only use nonbridge interfaces as routing peers.You cannot use bridge group interfaces or bridge group member interfaces as routing peers2.This is because the routing protocol packets are sent and received on the nonbridge interfaces, and the bridge group interfaces are used only for forwarding data traffic3.

To ensure that VoIP traffic in a contact center is not impacted by performance issues after deploying an access control policy on a Cisco Secure Firewall Threat Defense (FTD) device, the engineer should configure the access control rule with the 'trust' action. The 'trust' action allows traffic to bypass inspection and policy enforcement, ensuring that critical VoIP traffic is not delayed or degraded.

Steps:

In FMC, navigate to Policies > Access Control > Access Control Policy.

Create a new rule or edit an existing rule.

Set the source and destination for the VoIP traffic.

Set the action to 'trust' to ensure the VoIP traffic is not inspected.

By configuring the rule with the 'trust' action, the VoIP traffic will be prioritized, maintaining the quality and performance required for the contact center operations.