Welcome to Certsleader, your ultimate source for top-quality 350-701 dumps tailored for Cisco 350-701 exam. Our comprehensive resources are designed to help you excel in your exam preparations and achieve your certification goals. Whether you are a beginner looking to start a career in Cisco or an experienced professional seeking to advance your skills, Certsleader has the right tools to support your journey.
Why Certsleader is Your Best Choice:
Expertly Curated Content: Our study materials are meticulously crafted and verified by a panel of IT experts, ensuring they are accurate, relevant, and up-to-date with the latest industry standards.
Real Exam Questions: Our resources include authentic 350-701 exam questions and detailed answers, allowing you to familiarize yourself with the exam format and question types, and practice effectively.
Comprehensive Study Guides: Each certification guide is designed to provide in-depth knowledge and understanding of the subject matter, helping you to grasp even the most complex concepts.
Convenient Access: Our study materials are available in easy-to-download PDF files, making it convenient for you to study anytime, anywhere, and on any device.
Guaranteed Success
At Certsleader, we are committed to your success. Our practice questions and answers are designed to improve your knowledge and help you pass your exams on the first attempt with high scores. In the rare event that you do not succeed, we offer a full refund, taking responsibility for your satisfaction.
Start Your Journey with Certsleader
Join thousands of satisfied learners who have successfully passed their certification exams with Certsleader. Explore our study materials, download your PDF files, and take the first step towards a rewarding IT career today.
Cisco 350-701 Sample Questions
Question # 1
What is the difference between EPP and EDR?
A. EPP focuses primarily on threats that have evaded front-line defenses that entered the environment. B. Having an EPP solution allows an engineer to detect, investigate, and remediate modern threats. C. EDR focuses solely on prevention at the perimeter. D. Having an EDR solution gives an engineer the capability to flag offending files at the first sign of malicious behavior.
Answer: D
Explanation: EPP and EDR are two types of endpoint security solutions that have different
goals and capabilities. EPP stands for endpoint protection platform, which is a suite of
technologies that work together to prevent, detect, and remediate security threats on
endpoints. EPP solutions use techniques such as antivirus, firewall, application control, and
patch management to block known and unknown malware and malicious activity. EDR
stands for endpoint detection and response, which is a solution that provides real-time
visibility into endpoint activities and enables security teams to detect, investigate, and
respond to advanced threats that may have bypassed EPP defenses. EDR solutions use
techniques such as behavioral analysis, threat intelligence, and incident response to flag
offending files at the first sign of malicious behavior, contain and isolate compromised
endpoints, and remediate the damage caused by the attack. Therefore, the correct answer
is D, as having an EDR solution gives an engineer the capability to flag offending files at
the first sign of malicious behavior. The other options are incorrect because:
A is false, as EPP focuses primarily on threats that have evaded front-line
defenses that entered the environment, not EDR.
B is false, as having an EPP solution allows an engineer to detect, investigate, and
remediate modern threats, not EDR.
C is false, as EDR focuses on detection and response at the endpoint level, not
prevention at the perimeter.
References:
EPP vs. EDR: Why You Need Both - CrowdStrike
Question # 2
Cisco Umbrella is a cloud-delivered network security service that provides DNS-layer security, secure web gateway, cloud-delivered firewall, cloud access security broker, and threat intelligence3. It does not offer data security features such as DLP, data inspection, and data blocking4.
Cisco AppDynamics Cloud Monitoring is a cloud-native application performance management solution that helps you monitor, troubleshoot, and optimize your cloud applications. It does not offer user security, data security, or app security features as a CASB solution.
Cisco Stealthwatch is a network traffic analysis solution that provides visibility and threat detection across your network, endpoints, and cloud. It does not offer data security features such as DLP, data inspection, and data blocking.
References: 3: Cisco Umbrella Packages - Cisco Umbrella; 1: Cisco Cloudlock - Cisco; 2: Cisco Cloudlock: Secure Cloud Data; 4: Easy to Deploy & Simple to Manage CASB Solution - Cisco Umbrella; Cisco AppDynamics Cloud Monitoring; Cisco Stealthwatch - Cisco
A. signature-based endpoint protection on company endpoints B. macro-based protection to keep connected endpoints safe C. continuous monitoring of all files that are located on connected endpoints D. email integration to protect endpoints from malicious content that is located in email E. real-time feeds from global threat intelligence centers
Answer: C,E
Explanation: A next-generation endpoint security solution is a modern approach of
combining user and system behavior analytics with AI and machine learning to provide
endpoint security12. These solutions are specifically designed to detect unknown malware
and zero-day threats, which other non-next-generation solutions might fail to detect3. Two
key deliverables that help justify the implementation of a next-generation endpoint security
solution are:
Continuous monitoring of all files that are located on connected endpoints. This
feature allows the solution to scan and analyze all files on the endpoints,
regardless of their origin or type, and identify any malicious or suspicious
behavior. This helps to prevent malware from infecting the endpoints or spreading
to other devices on the network4.
Question # 3
An engineer is trying to decide whether to use Cisco Umbrella, Cisco CloudLock, Cisco Stealthwatch, or Cisco AppDynamics Cloud Monitoring for visibility into data transfers as well as protection against data exfiltration. Which solution best meets these requirements?
A. Cisco CloudLock B. Cisco AppDynamics Cloud Monitoring C. Cisco Umbrella D. Cisco Stealthwatch
Answer: A
Explanation:
Cisco CloudLock is a cloud-native cloud access security broker (CASB) that helps you
move to the cloud safely. It protects your cloud users, data, and apps. CloudLock’s simple,
open, and automated approach uses APIs to manage the risks in your cloud app
ecosystem. With CloudLock you can more easily combat data breaches while meeting
compliance regulations1.
Cisco CloudLock provides the following features that meet the requirements of visibility into
data transfers as well as protection against data exfiltration:
User security: Cloudlock uses advanced machine learning algorithms to detect
anomalies based on multiple factors. It also identifies activities outside allowed
countries and spots actions that seem to take place at impossible speeds across
distances1.
Data security: Cloudlock’s data loss prevention (DLP) technology continuously
monitors cloud environments to detect and secure sensitive information. It
provides countless out-of-the-box policies as well as highly tunable custom
policies. It also supports inline and out-of-band data inspection and blocking
capabilities to protect sensitive data12.
App security: The Cloudlock Apps Firewall discovers and controls cloud apps
connected to your corporate environment. You can see a crowd-sourced
Community Trust Rating for individual apps, and you can ban or allowlist them
based on risk1.
The other solutions do not provide the same level of visibility and protection as Cisco
CloudLock:
Cisco Umbrella is a cloud-delivered network security service that provides DNS-layer security, secure web gateway, cloud-delivered firewall, cloud access security
broker, and threat intelligence3. It does not offer data security features such as
DLP, data inspection, and data blocking4.
Cisco AppDynamics Cloud Monitoring is a cloud-native application performance
management solution that helps you monitor, troubleshoot, and optimize your
cloud applications. It does not offer user security, data security, or app security
features as a CASB solution.
Cisco Stealthwatch is a network traffic analysis solution that provides visibility and
threat detection across your network, endpoints, and cloud. It does not offer data
security features such as DLP, data inspection, and data blocking.
An engineer needs to detect and quarantine a file named abc424400664.zip based on the MD5 signature of the file using the Outbreak Control list feature within Cisco Advanced Malware Protection (AMP) for Endpoints. The configured detection method must work on files of unknown disposition. Which Outbreak Control list must be configured to provide this?
A. Blocked Application B. Simple Custom Detection C. Advanced Custom Detection D. Android Custom Detection
Answer: B
Explanation:
Simple Custom Detection is a feature of Cisco AMP for Endpoints that allows
administrators to block specific files based on their SHA-256 or MD5 hashes. This feature can be used to detect and quarantine files of unknown disposition, such as
abc424400664.zip, by adding their hashes to a custom list in the AMP portal. The list can
then be applied to a policy that is assigned to the endpoints. Simple Custom Detection
works on files of any type, size, or platform, unlike the other options that are either
platform-specific (Android Custom Detection), size-limited (Blocked Application), or
Question # 6
An organization uses Cisco FMC to centrally manage multiple Cisco FTD devices. The default management port conflicts with other communications on the network and must be changed. What must be done to ensure that all devices can communicate together?
A. Manually change the management port on Cisco FMC and all managed Cisco FTD devices B. Set the tunnel to go through the Cisco FTD C. Change the management port on Cisco FMC so that it pushes the change to all managed Cisco FTD devices D. Set the tunnel port to 8305
Answer: A
Explanation: The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305. Cisco strongly
recommends that you keep the default settings for the remote management port, but if
the management port conflicts with other communications on your network, you can choose
a different port. If you change the management port, you must change it for all devices in
your deployment that need to communicate with each other.
Which configuration method provides the options to prevent physical and virtual endpoint
devices that are in the same base EPG or uSeg from being able to communicate with each
other with Vmware VDS or Microsoft vSwitch?
A. inter-EPG isolation B. inter-VLAN security C. intra-EPG isolation D. placement in separate EPGs
Answer: C
Explanation: Intra-EPG Isolation is an option to prevent physical or virtual endpoint devices that are in the same base EPG or microsegmented (uSeg) EPG from
communicating with each other. By default, endpoint devices included in the same EPG are
allowed to communicate with one another.
Question # 8
Which role is a default guest type in Cisco ISE?
A. Monthly B. Yearly C. Contractor D. Full-Time
Answer: C,D
Explanation:
To add switches into the fabric, administrators can use PowerOn Auto Provisioning
(POAP) or Seed IP methods. POAP is a feature that automates the process of upgrading
software images and installing configuration files on Cisco switches that are being
deployed in the network for the first time. Seed IP is a method that allows administrators to
specify the IP address of a switch that is already part of the fabric, and then use it to
discover and add other switches that are connected to it. Both methods enable
administrators to control how switches are added into DCNM for private cloud
An engineer is implementing DHCP security mechanisms and needs the ability to addadditional attributes to profiles that are created within Cisco ISE Which action accomplishesthis task?
A. Define MAC-to-IP address mappings in the switch to ensure that rogue devices cannot get an IP address B. Use DHCP option 82 to ensure that the request is from a legitimate endpoint and send the information to Cisco ISE C. Modify the DHCP relay and point the IP address to Cisco ISE. D. Configure DHCP snooping on the switch VLANs and trust the necessary interfaces
Answer: B
Explanation: DHCP option 82 is a feature that allows the network access device (NAD) to
insert additional information into the DHCP request packet from the endpoint. This
information can include the switch ID, port number, VLAN ID, and other attributes that can
help Cisco ISE to identify and profile the endpoint. Cisco ISE can use DHCP option 82 to
assign the endpoint to the appropriate identity group, policy, and authorization profile.
DHCP option 82 is also useful to prevent rogue DHCP servers from assigning IP addresses
to endpoints, as Cisco ISE can verify the legitimacy of the DHCP request based on the
option 82 data. To use DHCP option 82, the NAD must be configured to enable this feature
and send the option 82 data to Cisco ISE. Cisco ISE must also be configured to accept and
parse the option 82 data from the NAD. For more details on how to configure DHCP option
82 on Cisco ISE and NAD, see the references below. References:
Configuring the DHCP Probe
Securing Your Network From DHCP Risks
Can we use ISE as DHCP/DNS server to prevent guest traffic using …
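The explanation above describes the NAD inserting option 82 and ISE parsing it into profiling attributes (switch, port, VLAN). The following Python is an added example of that parsing step; it is not code from the page, Cisco ISE or any Cisco product. The DHCP option bytes are constructed for the example, and the Circuit ID and Remote ID layouts decoded here are the Cisco default encodings (an assumption; other network access devices may encode these sub-options differently).

```python
"""Parse the DHCP Relay Agent Information option (option 82, RFC 3046).

Added example for the DHCP option 82 explanation above; not code from the
page, Cisco ISE or any Cisco product. The DHCP option bytes below are
constructed for the example, and the Circuit ID / Remote ID layouts are
the Cisco default encodings (assumption), which other NADs may not use.
"""
import struct

OPTION_MESSAGE_TYPE = 53
OPTION_RELAY_AGENT_INFO = 82
OPTION_PAD = 0
OPTION_END = 255
SUBOPT_CIRCUIT_ID = 1   # RFC 3046: which switch interface the request arrived on
SUBOPT_REMOTE_ID = 2    # RFC 3046: which relay agent (switch) inserted the option

# Constructed DHCPDISCOVER option list (the part after the magic cookie).
SAMPLE_OPTIONS = bytes([
    OPTION_MESSAGE_TYPE, 1, 1,                        # DHCPDISCOVER
    OPTION_RELAY_AGENT_INFO, 18,                      # option 82, 18 bytes of sub-options
    SUBOPT_CIRCUIT_ID, 6, 0x00, 0x04, 0x00, 0x0a, 0x01, 0x03,               # VLAN 10, module 1, port 3
    SUBOPT_REMOTE_ID, 8, 0x00, 0x06, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,   # relay MAC (constructed)
    OPTION_END,
])
# The same request as seen when no relay agent inserted option 82.
SAMPLE_OPTIONS_NO_82 = bytes([OPTION_MESSAGE_TYPE, 1, 1, OPTION_END])


def parse_dhcp_options(data: bytes) -> dict:
    """Walk the type-length-value option list; return {code: value bytes}.

    A truncated option raises ValueError rather than being silently accepted.
    """
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = value
        i += 2 + length
    return options


def parse_option82(value: bytes) -> dict:
    """Split option 82 into its sub-options (TLV again, but with no END marker)."""
    subopts, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        sub_code, sub_len = value[i], value[i + 1]
        sub_val = value[i + 2:i + 2 + sub_len]
        if len(sub_val) != sub_len:
            raise ValueError(f"sub-option {sub_code} truncated")
        subopts[sub_code] = sub_val
        i += 2 + sub_len
    return subopts


def relay_attributes(options: dict):
    """Derive the profiling attributes the text describes (switch port, VLAN,
    relay identity) from option 82. Returns None when the option is absent so
    the caller can treat an unrelayed request differently."""
    raw = options.get(OPTION_RELAY_AGENT_INFO)
    if raw is None:
        return None
    sub = parse_option82(raw)
    attrs = {}
    cid = sub.get(SUBOPT_CIRCUIT_ID)
    # Cisco default Circuit ID: type 0x00, length 4, VLAN(2) module(1) port(1)  [assumption]
    if cid is not None and len(cid) == 6 and cid[:2] == b"\x00\x04":
        attrs["vlan"], attrs["module"], attrs["port"] = struct.unpack("!HBB", cid[2:])
    rid = sub.get(SUBOPT_REMOTE_ID)
    # Cisco default Remote ID: type 0x00, length 6, relay MAC(6)  [assumption]
    if rid is not None and len(rid) == 8 and rid[:2] == b"\x00\x06":
        attrs["remote_id"] = ":".join(f"{b:02x}" for b in rid[2:])
    return attrs


if __name__ == "__main__":
    print(relay_attributes(parse_dhcp_options(SAMPLE_OPTIONS)))
    print(relay_attributes(parse_dhcp_options(SAMPLE_OPTIONS_NO_82)))
```

The parser refuses truncated options instead of guessing, and returns None for a request carrying no option 82, which is the case a policy has to decide about separately: option 82 is only meaningful when the switch port that inserted it is trusted, which is why the snooping trust configuration on the NAD and this parsing on ISE go together.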
Question # 10
Which threat intelligence standard contains malware hashes?
A. advanced persistent threat B. open command and control C. structured threat information expression D. trusted automated exchange of indicator information
Answer: D
Explanation:
The threat intelligence standard that contains malware hashes is trusted automated
exchange of indicator information (TAXII). TAXII is a protocol that enables the exchange of
cyber threat information in a standardized and automated manner. It supports various types
of threat intelligence, such as indicators of compromise (IOCs), observables, incidents,
tactics, techniques, and procedures (TTPs), and campaigns. Malware hashes are one
example of IOCs that can be shared using TAXII. Malware hashes are cryptographic
signatures that uniquely identify malicious files or programs. They can be used to detect
and block malware infections on endpoints or networks. TAXII uses STIX (structured threat
information expression) as the data format for representing threat intelligence. STIX is a
language that defines a common vocabulary and structure for describing cyber threat
information. STIX allows threat intelligence producers and consumers to share information
in a consistent and interoperable way. STIX defines various objects and properties that can
be used to represent different aspects of cyber threat information, such as indicators,
observables, incidents, TTPs, campaigns, threat actors, courses of action, and
relationships. Malware hashes can be expressed as observables in STIX, which are
concrete items or events that are observable in the operational domain. Observables can
have various types, such as file, process, registry key, URL, IP address, domain name, etc.
Each observable type has a set of attributes that describe its properties. For example, a file
observable can have attributes such as name, size, type, hashes, magic number, etc. A
hash attribute can have a type (such as MD5, SHA1, SHA256, etc.) and a value (such as
the hexadecimal representation of the hash). A file observable can have one or more hash
attributes to represent different hashing algorithms applied to the same file. For example, a
file observable can have both MD5 and SHA256 hashes to increase the confidence and
accuracy of identifying the file. The other options are incorrect because they are not threat intelligence standards that
contain malware hashes. Option A is incorrect because advanced persistent threat (APT) is
not a standard, but a term that describes a stealthy and sophisticated cyberattack that aims
to compromise and maintain access to a target network or system over a long period of
time. Option B is incorrect because open command and control (OpenC2) is not a standard
that contains malware hashes, but a language that enables the command and control of
cyber defense components, such as sensors, actuators, and orchestrators. Option C is
incorrect because structured threat information expression (STIX) is not a standard that
contains malware hashes, but a data format that represents threat intelligence. STIX uses
TAXII as the transport protocol for exchanging threat intelligence, including malware
hashes. References:
TAXII
STIX
Malware Hashes
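The explanation above describes a file observable carrying both an MD5 and a SHA-256 hash, and an indicator built on those hashes. The Python below is an added example that puts those ideas into working code; it is not code from the page or from the STIX/TAXII projects. It assembles STIX 2.1 JSON by hand (assumption: no stix2 library is used), computes the hashes from constructed sample bytes rather than using any real indicator, and then shows the consuming side: flattening received file observables into a hash blocklist and checking local files against it.

```python
"""Express a file's hashes as a STIX 2.1 file observable plus an indicator,
then match local files against the resulting hash blocklist.

Added example for the STIX/TAXII explanation above; not code from the page
or from the STIX/TAXII projects. STIX 2.1 JSON is assembled by hand
(assumption: no stix2 library), the sample file contents and the timestamp
are constructed, and the hashes are computed from those contents rather
than being real indicators.
"""
import hashlib
import json
import uuid

SAMPLE_MALICIOUS_BYTES = b"constructed stand-in for a known-bad file; not real malware"
SAMPLE_BENIGN_BYTES = b"constructed stand-in for an unrelated file"
PLACEHOLDER_TIME = "2024-01-01T00:00:00.000Z"  # constructed timestamp


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of the same bytes: two independent algorithms, as the
    text describes, so a collision in one does not produce a false match."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA-256": hashlib.sha256(data).hexdigest(),
    }


def make_stix_bundle(data: bytes, name: str) -> dict:
    """A File observable (SCO) carrying both hashes and an Indicator (SDO)
    whose STIX pattern references the same hashes. STIX 2.1 writes the hash
    keys as 'MD5' and 'SHA-256'; the hyphenated key must be quoted in the
    pattern."""
    hashes = file_hashes(data)
    file_obj = {
        "type": "file",
        "spec_version": "2.1",
        "id": f"file--{uuid.uuid4()}",
        "name": name,
        "size": len(data),
        "hashes": hashes,
    }
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": PLACEHOLDER_TIME,
        "modified": PLACEHOLDER_TIME,
        "name": f"Known-bad file hash: {name}",
        "indicator_types": ["malicious-activity"],
        "pattern": (f"[file:hashes.'SHA-256' = '{hashes['SHA-256']}' OR "
                    f"file:hashes.MD5 = '{hashes['MD5']}']"),
        "pattern_type": "stix",
        "valid_from": PLACEHOLDER_TIME,
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [file_obj, indicator]}


def hash_blocklist(bundle: dict) -> dict:
    """Flatten every file observable in a received bundle into
    {algorithm: {hex digest, ...}}, the form an endpoint or proxy consults."""
    blocklist = {}
    for obj in bundle["objects"]:
        if obj.get("type") == "file":
            for algo, digest in obj.get("hashes", {}).items():
                blocklist.setdefault(algo, set()).add(digest.lower())
    return blocklist


def match_file(data: bytes, blocklist: dict) -> list:
    """Return the algorithms (sorted) on which a local file hits the blocklist.
    Both algorithms agreeing is the confidence-raising case the text describes."""
    local = file_hashes(data)
    return sorted(algo for algo, digest in local.items()
                  if digest in blocklist.get(algo, set()))


if __name__ == "__main__":
    bundle = make_stix_bundle(SAMPLE_MALICIOUS_BYTES, "sample.bin")
    print(json.dumps(bundle, indent=2))
    blocklist = hash_blocklist(bundle)
    print("malicious sample hits:", match_file(SAMPLE_MALICIOUS_BYTES, blocklist))
    print("benign sample hits:", match_file(SAMPLE_BENIGN_BYTES, blocklist))
```

The bundle is what a TAXII server would hand out; TAXII itself is only the HTTPS transport for it, which is the distinction the explanation draws between the two standards. On the consuming side, matching on SHA-256 is the stronger check and MD5 should be treated as corroboration, since MD5 collisions are practical.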
Question # 11
What are two functions of IKEv1 but not IKEv2? (Choose two)
A. NAT-T is supported in IKEv1 but not in IKEv2. B. With IKEv1, when using aggressive mode, the initiator and responder identities are passed cleartext C. With IKEv1, mode negotiates faster than main mode D. IKEv1 uses EAP authentication E. IKEv1 conversations are initiated by the IKE_SA_INIT message
Answer: B,C
Explanation: IKEv1 has two modes of operation: main mode and aggressive mode. Main
mode uses six messages to establish the IKE SA, while aggressive mode uses only three
messages. Therefore, aggressive mode is faster than main mode, but less secure, as it
exposes the identities of the peers in cleartext. This makes it vulnerable to man-in-the-middle attacks. IKEv2 does not have these modes, but uses a single four-message
exchange to establish the IKE SA. IKEv2 also encrypts the identities of the peers, making it
more secure than IKEv1 aggressive mode.
IKEv1 uses EAP authentication only for remote access VPNs, not for site-to-site VPNs.
IKEv2 supports EAP authentication for both types of VPNs. EAP authentication allows the
use of various authentication methods, such as certificates, tokens, or passwords.
IKEv1 conversations are initiated by the ISAKMP header, which contains the security
parameters and the message type. IKEv2 conversations are initiated by the IKE_SA_INIT
message, which contains the security parameters, the message type, and the message ID.
The message ID is used to identify and order the messages in the IKEv2 exchange.
NAT-T is supported by both IKEv1 and IKEv2. NAT-T stands for Network Address
Translation-Traversal, and it is a mechanism that allows IKE and IPsec traffic to pass
through a NAT device. NAT-T detects the presence of NAT and encapsulates the IKE and
IPsec packets in UDP headers, so that they can be translated by the NAT
device. References:
IKEv1 vs IKEv2 – What is the Difference?
Question # 12
A network administrator is setting up Cisco FMC to send logs to Cisco Security Analytics and Logging (SaaS). The network administrator is anticipating a high volume of logging events from the firewalls and wants to limit the strain on firewall resources. Which method must the administrator use to send these logs to Cisco Security Analytics and Logging?
A. SFTP using the FMC CLI B. syslog using the Secure Event Connector C. direct connection using SNMP traps D. HTTP POST using the Security Analytics FMC plugin
Answer: B
Explanation: The Secure Event Connector is a component of the Security Analytics and
Logging (SaaS) solution that enables the FMC to send logs to the cloud-based service. The
Secure Event Connector uses syslog to forward events from the FMC and the managed
devices to the cloud. This method reduces the load on the firewall resources, as the events
are sent in batches and compressed before transmission. The Secure Event Connector
also provides encryption, authentication, and reliability for the log data. The other methods
are not supported by the Security Analytics and Logging (SaaS)
solution12. References:
Cisco Security Analytics and Logging (On Premises)
Question # 13
Which open standard creates a framework for sharing threat intelligence in a machine digestible format?
A. OpenC2 B. OpenIOC C. CybOX D. STIX
Answer: D
Explanation: The open standard that creates a framework for sharing threat intelligence in
a machine-digestible format is STIX (Structured Threat Information Expression). STIX is a language and serialization format that enables the exchange of cyber threat information
across organizations, tools, and platforms. STIX defines a common vocabulary and data
model for representing various types of threat intelligence, such as indicators, observables,
incidents, campaigns, threat actors, courses of action, and more. STIX also supports the
expression of context, relationships, confidence, and handling of the threat information.
STIX aims to improve the speed, accuracy, and efficiency of threat detection, analysis, and
response.
STIX is often used in conjunction with TAXII (Trusted Automated Exchange of Indicator
Information), which is a protocol and transport mechanism that enables the secure and
automated communication of STIX data. TAXII defines how to request, send, receive, and
store STIX data using standard methods and formats, such as HTTPS, JSON, and XML.
TAXII supports various exchange models, such as hub-and-spoke, peer-to-peer, or
subscription-based. TAXII enables the interoperability and scalability of threat intelligence
sharing among different systems and organizations.
References:
Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0,
Which two actions does the Cisco Identity Services Engine posture module provide that ensure endpoint security? (Choose two.)
A. The latest antivirus updates are applied before access is allowed. B. Assignments to endpoint groups are made dynamically, based on endpoint attributes. C. Patch management remediation is performed. D. A centralized management solution is deployed. E. Endpoint supplicant configuration is deployed.
Answer: A,C
Explanation:
The Cisco Identity Services Engine (ISE) posture module provides a service that allows
you to check the compliance of endpoints with corporate security policies. This service
consists of three main components: client provisioning, posture policy, and authorization
policy. Client provisioning ensures that the endpoints receive the appropriate posture
agent, such as the AnyConnect ISE Posture Agent or the Network Admission Control
(NAC) Agent. Posture policy defines the conditions and requirements that the endpoints
must meet to be considered compliant, such as having the latest antivirus updates or
patches installed. Authorization policy determines the level of network access granted to
the endpoints based on their posture assessment results, such as allowing full access,
limited access, or quarantine.
The two actions that the Cisco ISE posture module provides that ensure endpoint security
are:
The latest antivirus updates are applied before access is allowed. This action
prevents malware infections and protects the network from potential threats. The
posture policy can include predefined or custom conditions that check the antivirus
status of the endpoints, such as the product name, version, definition date, and
scan result. If the endpoint does not meet the antivirus requirement, the posture
agent can trigger a remediation action, such as launching the antivirus update or
scan, before allowing network access.
Patch management remediation is performed. This action ensures that the
endpoints have the latest security patches installed and are not vulnerable to
known exploits. The posture policy can include predefined or custom conditions
that check the patch status of the endpoints, such as the operating system, service
pack, hotfix, or update. If the endpoint does not meet the patch requirement, the
posture agent can trigger a remediation action, such as redirecting the endpoint to
a patch management server or launching the patch installation, before allowing
How does the Cisco WSA enforce bandwidth restrictions for web applications?
A. It implements a policy route to redirect application traffic to a lower-bandwidth link. B. It dynamically creates a scavenger class QoS policy and applies it to each client that connects through the WSA. C. It sends commands to the uplink router to apply traffic policing to the application traffic. D. It simulates a slower link by introducing latency into application traffic.
Answer: D
Explanation:
The Cisco WSA can enforce bandwidth restrictions for web applications by using the
Application Visibility and Control (AVC) engine. The AVC engine allows the WSA to identify
and control application activity on the network, and to apply bandwidth limits to certain
application types or individual applications. The WSA dynamically creates a scavenger
class QoS policy and applies it to each client that connects through the WSA. The
scavenger class QoS policy assigns a low priority to the application traffic and limits the
bandwidth usage based on the configured settings. This way, the WSA can prevent
congestion and ensure fair allocation of bandwidth among different applications and
users. References:
User Guide for AsyncOS 11.8 for Cisco Web Security Appliances - GD (General
Deployment) - Managing Access to Web Applications
WSA - limit bandwidth - Cisco Community
Question # 16
An engineer is configuring Cisco WSA and needs to deploy it in transparent mode. Which configuration component must be used to accomplish this goal?
A. MDA on the router B. PBR on Cisco WSA C. WCCP on switch D. DNS resolution on Cisco WSA
Answer: C
Explanation: To deploy Cisco WSA in transparent mode, the configuration component that
must be used is WCCP on switch. WCCP stands for Web Cache Communication Protocol,
which is a protocol that allows a network device (such as a switch) to redirect web traffic to
a proxy server (such as Cisco WSA) transparently. This means that the client does not
need to configure any proxy settings on the browser, and the proxy server can intercept
and process the web requests and responses without the client’s knowledge. WCCP can
also provide load balancing and failover capabilities for multiple proxy servers.
The other options are incorrect because they are not required or relevant for transparent
mode deployment. Option A is incorrect because MDA (Multilink PPP Dial Access) is a
feature that allows multiple physical links to be aggregated into a single logical link for dial-up connections. It has nothing to do with transparent mode. Option B is incorrect because
PBR (Policy-Based Routing) is a feature that allows routing decisions to be based on
criteria other than the destination IP address, such as source IP address, protocol, port,
etc. It is not necessary for transparent mode, as WCCP can handle the traffic redirection.
Option D is incorrect because DNS resolution on Cisco WSA is not a configuration
component, but a function that allows the proxy server to resolve domain names to IP
addresses. It is not specific to transparent mode, as it is also used in explicit
mode. References:
What is the difference between transparent and forward proxy mode?
User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited
Deployment) - Acquire End-User Credentials
Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP?
Question # 17
An engineer is configuring cloud logging using a company-managed Amazon S3 bucket for Cisco Umbrella logs. What benefit does this configuration provide for accessing log data?
A. It is included in the license cost for the multi-org console of Cisco Umbrella B. It can grant third-party SIEM integrations write access to the S3 bucket C. No other applications except Cisco Umbrella can write to the S3 bucket D. Data can be stored offline for 30 days
Answer: B
Explanation: Using a company-managed Amazon S3 bucket for Cisco Umbrella logs
allows the administrator to have full control over the access and lifecycle of the log data.
This configuration can grant third-party SIEM integrations write access to the S3 bucket,
which can enable more advanced analysis and correlation of the log data with other
sources. This configuration also provides more flexibility in terms of how long the data can
be stored offline, as opposed to the Cisco-managed S3 bucket, which has a fixed retention
period of 30 days. References:
Enable Logging to Your Own S3 Bucket
Centralized Umbrella Log Management with Amazon’s S3 service for MSP, MSSP,
and Multi-org customers
Question # 18
An engineer is configuring IPsec VPN and needs an authentication protocol that is reliable and supports ACK and sequence. Which protocol accomplishes this goal?
A. AES-192 B. IKEv1 C. AES-256 D. ESP
Answer: B
Explanation: IKEv1 is the authentication protocol that is reliable and supports ACK and
sequence for IPsec VPN. IKEv1 is a key management protocol that is used in conjunction
with IPsec to establish secure and authenticated connections between IPsec peers. IKEv1
uses UDP port 500 and consists of two phases: phase 1 and phase 2. In phase 1, the
peers authenticate each other and negotiate a shared secret key that is used to encrypt the
subsequent messages. In phase 2, the peers negotiate the security parameters for the
IPsec tunnel, such as the encryption and authentication algorithms, the lifetime, and the
mode (transport or tunnel). IKEv1 uses ACK and sequence numbers to ensure the
reliability and integrity of the messages exchanged between the peers. ACK is an
acknowledgment message that confirms the receipt of a previous message. Sequence
number is a unique identifier that is assigned to each message to prevent replay attacks
and to detect missing or out-of-order messages. IKEv1 also supports various authentication
methods, such as pre-shared keys, digital certificates, and extended authentication
(XAUTH). References:
Internet Key Exchange for IPsec VPNs Configuration Guide
Security for VPNs with IPsec Configuration Guide
IPSec Architecture
Question # 19
With regard to RFC 5176 compliance, how many IETF attributes are supported by the RADIUS CoA feature?
A. 3 B. 5 C. 10 D. 12
Answer: B
Explanation: The RADIUS CoA feature supports five IETF attributes as defined in RFC
5176. These are:
Event-Timestamp: This attribute indicates the time when the CoA request was
generated by the server.
State: This attribute contains a value that is copied from the Access-Accept
message that authorized the session.
Session-Timeout: This attribute specifies the maximum number of seconds of
service provided to the user before termination of the session or prompt.
Idle-Timeout: This attribute specifies the maximum number of consecutive
seconds of idle connection allowed to the user before termination of the session or
prompt.
Filter-Id: This attribute identifies the filter list to be applied to the user session.
The RADIUS CoA feature also supports vendor-specific attributes (VSAs) that are defined
by Cisco or other vendors. These VSAs can be used to perform additional actions such as
port shutdown, port bounce, or security and password accounting. References:
RFC 5176: This document describes the dynamic authorization extensions to
RADIUS, including the CoA request and response codes, and the supported IETF
attributes.
RADIUS Change of Authorization - Cisco: This document provides the
configuration guide for the RADIUS CoA feature on Cisco IOS devices, including
the supported IETF and Cisco VSAs.
Supported IETF attributes in RFC 5176 - Ruckus Networks: This document lists
the supported IETF attributes and error clause values for the RADIUS CoA feature
on Ruckus devices.
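The five attributes listed above are only useful to a practitioner once they are seen inside an actual CoA-Request, together with the Request Authenticator that lets the NAS reject a forged one. The Python below is an added example that encodes such a packet and verifies it; it is not code from the page, from Cisco or from any RADIUS server. The attribute type numbers come from RFC 2865/2869 and the authenticator rule from RFC 5176; the shared secret, State value, timeouts and filter name are constructed placeholders, and the optional Message-Authenticator attribute (RFC 3579) is deliberately left out.

```python
"""Build and verify a RADIUS CoA-Request (RFC 5176) carrying the five IETF
attributes listed above.

Added example for the explanation above; not code from the page, Cisco or
any RADIUS server. The shared secret, State value, timeouts and filter name
are constructed placeholders. Only the Request Authenticator is covered;
Message-Authenticator (RFC 3579) is not included.
"""
import hashlib
import hmac
import struct

COA_REQUEST = 43  # RFC 5176 packet code for CoA-Request

# IETF attribute types (RFC 2865 / RFC 2869) that RFC 5176 permits in a CoA-Request
ATTR_FILTER_ID = 11
ATTR_STATE = 24
ATTR_SESSION_TIMEOUT = 27
ATTR_IDLE_TIMEOUT = 28
ATTR_EVENT_TIMESTAMP = 55
INTEGER_ATTRS = {ATTR_SESSION_TIMEOUT, ATTR_IDLE_TIMEOUT, ATTR_EVENT_TIMESTAMP}

PLACEHOLDER_SECRET = b"placeholder-shared-secret"   # constructed; never hard-code a real one


def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute-value pair: Type(1) Length(1, covers the header) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def coa_attributes(state: bytes, session_timeout: int, idle_timeout: int,
                   filter_name: str, event_time: int) -> bytes:
    """Encode the five attributes the text lists; integers are 32-bit big-endian."""
    return b"".join([
        avp(ATTR_EVENT_TIMESTAMP, struct.pack("!I", event_time)),
        avp(ATTR_STATE, state),                      # copied from the Access-Accept
        avp(ATTR_SESSION_TIMEOUT, struct.pack("!I", session_timeout)),
        avp(ATTR_IDLE_TIMEOUT, struct.pack("!I", idle_timeout)),
        avp(ATTR_FILTER_ID, filter_name.encode("ascii")),
    ])


def build_coa_request(identifier: int, secret: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes.
    RFC 5176 section 2.3: Request Authenticator = MD5(Code + ID + Length +
    16 zero octets + request attributes + shared secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """The receiving NAS recomputes the authenticator over the packet with the
    authenticator field zeroed and compares in constant time; a mismatch means
    a forged or corrupted CoA, which RFC 5176 says to silently discard."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(attrs: bytes) -> dict:
    """Decode the attribute list back to {type: value} for inspection."""
    out, i = {}, 0
    while i < len(attrs):
        if i + 1 >= len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError(f"bad length for attribute {attr_type}")
        value = attrs[i + 2:i + length]
        if attr_type in INTEGER_ATTRS:
            value = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_FILTER_ID:
            value = value.decode("ascii")
        out[attr_type] = value
        i += length
    return out


if __name__ == "__main__":
    attrs = coa_attributes(b"\x00\x01\x02\x03", 3600, 600, "quarantine-acl", 1700000000)
    packet = build_coa_request(7, PLACEHOLDER_SECRET, attrs)
    print(packet.hex())
    print("valid:", verify_request_authenticator(packet, PLACEHOLDER_SECRET))
    print(parse_attributes(packet[20:]))
```

The authenticator is the only thing standing between a NAS and an unsolicited session change from anyone who can reach UDP/3799, so the strength of the shared secret and the constant-time comparison matter more here than they do for ordinary accounting. The Event-Timestamp attribute is what lets the NAS also reject stale or replayed requests outside its configured window.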
Question # 20
Which Cisco security solution gives the most complete view of the relationships and evolution of Internet domains, IPs, and files, and helps to pinpoint attackers' infrastructures and predict future threats?
A. Cisco Secure Network Analytics B. Cisco Secure Cloud Analytics C. Cisco Umbrella Investigate D. Cisco pxGrid
Answer: C
Explanation: Cisco Umbrella Investigate is a cloud-based service that provides interactive
threat intelligence on domains, IPs, and files. It helps security analysts to uncover the
attacker’s infrastructure and predict future threats by analyzing the relationships and
evolution of internet domains, IPs, and files. It also integrates with other Cisco security
solutions, such as Cisco Secure Network Analytics, Cisco Secure Cloud Analytics, and
Cisco pxGrid, to provide a holistic view of the network and cloud security posture. Cisco
Umbrella Investigate is based on the data collected by Cisco Umbrella, which processes
more than 620 billion DNS requests per day from over 190 countries. Cisco Umbrella
Investigate uses statistical and machine learning models to automatically score and classify
the data, and provides a risk score for each domain, IP, and file, along with the contributing
factors and historical context. Cisco Umbrella Investigate also allows security analysts to
query the data using a web-based console or an API, and to visualize the results using
graphs, tables, and maps. Cisco Umbrella Investigate is the most complete and interactive
threat intelligence solution that helps to prevent cyber attacks before they
happen. References:
Cisco Umbrella Investigate