Cisco 300-730 Practice Test - Questions Answers, Page 17
Which two protocols does DMVPN leverage to build dynamic VPNs to multiple destinations? (Choose two.)

A. IKEv2

B. NHRP

C. mGRE

D. mBGP

E. GDOI

Suggested answer: B, C

DRAG DROP

Drag and drop the GET VPN components from the left onto the correct descriptions on the right.


A network administrator wants the Cisco ASA to automatically start downloading the Cisco AnyConnect client without prompting the user to select between WebVPN or AnyConnect. Which command accomplishes this task?

A. anyconnect ssl df-bit-ignore enable

B. anyconnect ask none default anyconnect

C. anyconnect ask enable default anyconnect

D. anyconnect modules value default

Suggested answer: B

Explanation:

https://networklessons.com/cisco/asa-firewall/cisco-asa-anyconnect-remote-access-vpn#:~:text=The%20anyconnect%20ask%20command%20specifies,of%20the%20anyconnect%20client%20automatically.

An administrator is deciding which authentication protocol should be implemented for their upcoming Cisco AnyConnect deployment. The security requirements from upper management are: the ability to force AnyConnect users to use complex passwords such as C1$c0451035084!, warn users a few days before their password expires, and allow users to change their password during a remote access session. Which authentication protocol must be used to meet these requirements?

A. LDAPS

B. RADIUS

C. Kerberos

D. TACACS+

Suggested answer: A

Explanation:

To enforce complex passwords (for example, to require that a password contain upper- and lowercase letters, numbers, and special characters), enter the password-management command in tunnel-group general-attributes configuration mode on the ASA and perform the following steps under Active Directory.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-groups.html

Which clientless SSLVPN supported feature works when the http-only-cookie command is enabled?

A. Citrix load balancer

B. port reflector

C. Java rewriter

D. Java plug-ins

E. script browser

Suggested answer: D

Explanation:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/asdm74/vpn/asdm-74-vpn-config/webvpn-troubleshooting.html

The following Clientless SSL VPN features will not work when the http-only-cookie command is enabled:

* Java plug-ins
* Java rewriter
* Port forwarding
* File browser
* Sharepoint features that require desktop applications (for example, MS Office applications)
* AnyConnect Web launch
* Citrix Receiver, XenDesktop, and Xenon
* Other non-browser-based and browser plugin-based applications

A network engineer must expand a company's Cisco AnyConnect solution. Currently, a Cisco ASA is set up in North America and another will be installed in Europe with a different IP address. Users should connect to the ASA that has the lowest Round Trip Time from their network location as measured by the AnyConnect client. Which solution must be implemented to meet this requirement?

A. VPN Load Balancing

B. IP SLA

C. DNS Load Balancing

D. Optimal Gateway Selection

Suggested answer: D

Explanation:

Optimal Gateway Selection (OGS). OGS is a feature that can be used in order to determine which gateway has the lowest Round Trip Time (RTT) and connect to that gateway. One can use the OGS feature in order to minimize latency for Internet traffic without user intervention. With OGS, Cisco AnyConnect Secure Mobility Client (AnyConnect) identifies and selects which secure gateway is best for connection or reconnection. OGS begins upon first connection or upon a reconnection at least four hours after the previous disconnection.

An engineer is creating a URL object on Cisco FMC. How must it be configured so that the object will match HTTPS traffic in an access control policy?

A. Specify the protocol to match (HTTP or HTTPS).

B. Use the FQDN including the subdomain for the website.

C. Use the subject common name from the website certificate.

D. Define the path to the individual webpage that uses HTTPS.

Suggested answer: B

Explanation:

Use the FQDN including the subdomain for the website. According to the Firepower Management Center Configuration Guide, Version 6.61, when you create a URL object, you must use the fully qualified domain name (FQDN) of the website, including any subdomains, and omit the protocol prefix (HTTP or HTTPS). For example, to match www.example.com, you must enter www.example.com as the URL object value, not http://www.example.com or https://www.example.com. The system automatically matches both HTTP and HTTPS traffic for the same FQDN. Specifying the protocol to match (HTTP or HTTPS) is not required and will result in an invalid URL object. Using the subject common name from the website certificate or defining the path to the individual webpage that uses HTTPS are not supported options for URL objects.

A network administrator is deploying a Cisco IPS appliance and needs it to operate initially without affecting traffic flows. It must also collect data to provide a baseline of unwanted traffic before being reconfigured to drop it. Which Cisco IPS mode meets these requirements?

A. failsafe

B. inline tap

C. promiscuous

D. bypass

Suggested answer: C

Explanation:

The correct answer is C, promiscuous mode. In promiscuous mode, the Cisco IPS appliance operates as a passive device that monitors a copy of the network traffic and analyzes it for malicious activity. The appliance does not affect the traffic flow, but it can generate alerts, logs, and reports based on the configured security policy. Promiscuous mode is useful for initial deployment and baseline analysis, as well as for monitoring low-risk segments of the network.

A network administrator wants to block traffic to a known malware site at https:/www.badsite.com and all subdomains while ensuring no packets from any internal client are sent to that site. Which type of policy must the network administrator use to accomplish this goal?

A. Access Control policy with URL filtering

B. Prefilter policy

C. DNS policy

D. SSL policy

Suggested answer: A

Explanation:

The correct answer is A, Access Control policy with URL filtering. An Access Control policy is a type of policy that allows you to control how traffic is handled on your network based on various criteria, such as source and destination IP addresses, ports, protocols, applications, users, and URLs. URL filtering is a feature that enables you to block or allow traffic based on the URL category or reputation of the website. You can create custom URL objects to specify the exact URLs or domains that you want to block or allow. For example, you can create a URL object for https:/www.badsite.com and set it to block. This will prevent any traffic from reaching that site and any subdomains under it.

An engineer must investigate a connectivity issue and decides to use the packet capture feature on Cisco FTD. The goal is to see the real packet going through the Cisco FTD device and see Snort detection actions as a part of the output. After the capture-traffic command is issued, only the packets are displayed. Which action resolves this issue?

A. Specify the trace using the -T option after the capture-traffic command

B. Perform the trace within the Cisco FMC GUI instead of the Cisco FMC CLI

C. Use the verbose option as a part of the capture-traffic command

D. Use the capture command and specify the trace option to get the required information

Suggested answer: A

Explanation:

The correct answer is A: specify the trace using the -T option after the capture-traffic command. According to the document Use Firepower Threat Defense Captures and Packet Tracer, the capture-traffic command allows you to capture packets on the Snort engine domain of the FTD device. However, by default, it only shows the packet headers and does not include the Snort detection actions. To see the Snort detection actions, you need to use the -T option, which enables tracing. For example:

capture-traffic -T

This will show the packet headers along with the Snort verdicts, such as allow, block, or replace. You can also use other options to filter or save the capture output.

B) Performing the trace within the Cisco FMC GUI instead of the Cisco FMC CLI is not a valid option, because the FMC GUI does not support packet capture or tracing on the FTD device. You can only use the FMC GUI to view and export captures that are taken on the FTD CLI.

C) Using the verbose option as a part of the capture-traffic command is not a valid option, because there is no verbose option for this command. The verbose option is only available for the capture command, which is used to capture packets on the LINA engine domain of the FTD device.

D) Using the capture command and specifying the trace option to get the required information is not a valid option, because the capture command does not have a trace option. The capture command allows you to capture packets on the LINA engine domain of the FTD device, but it does not show the Snort detection actions. The trace option is only available for the packet-tracer command, which is used to simulate a packet going through the FTD device and show its processing steps.
