350-701 Practice Exam Questions with Answers Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) Certification

 DoS attacks are categorized as flood attacks or crash attacks. Flood attacks are the more common form of DoS attacks. They occur when the attacked system is overwhelmed by large amounts of traffic that the server is unable to handle. The system eventually stops. Some examples of flood attacks are ICMP flood, SYN flood, and UDP flood. Crash attacks are less frequent and they exploit flaws in the targeted system. The result is that the system crashes. Some examples of crash attacks are Ping of Death, Teardrop, and Land. References:

What is a denial-of-service (DoS) attack? | Cloudflare

What is a Denial of Service (DoS) attack? | Norton

What is a Denial of Service (DoS) Attack? | Cobalt

What is a denial of service attack (DoS) - Palo Alto Networks

Explanation

Private Network Monitoring (PNM) provides visibility and threat detection for the on-premises network, delivered from the cloud as a SaaS solution. It is the perfect solution for organizations who prefer SaaS products and desire better awareness and security in their on-premises environments while reducing capital expenditure and

operational overhead. It works by deploying lightweight software in a virtual machine or server that can

consume a variety of native sources of telemetry or extract metadata from network packet flow. It encrypts this metadata and sends it to the Stealthwatch Cloud analytics platform for analysis. Stealthwatch Cloud consumes metadata only. The packet payloads are never retained or transferred outside the network.

This lab focuses on how to configure a Stealthwatch Cloud Private Network Monitoring (PNM) Sensor, in order to provide visibility and effectively identify active threats, and monitors user and device behavior within onpremises networks.

The Stealthwatch Cloud PNM Sensor is an extremely flexible piece of technology, capable of being utilized in a number of different deployment scenarios. It can be deployed as a complete Ubuntu based virtual appliance on different hypervisors (e.g. –VMware, VirtualBox). It can be deployed on hardware running a number of different Linux-based operating systems.

Dual-SSID BYOD is the term for when an endpoint is associated to a provisioning WLAN that is shared with guest access, and the same guest portal is used as the BYOD portal. This flow is a unique capability of ISE where the user does not have to log in twice, as ISE can take the user information from the 802.1X session and direct the user to the BYOD flow. Once the endpoint is onboarded, it is reconnected to the secured WLAN for full network access. This flow is different from single-SSID BYOD, where the endpoint associates to a secure WLAN, gets onboarded, and then reconnects to the same WLAN12. References: 1: ISE BYOD: Dual vs. Single SSID Onboarding - Cisco Community 2: Cisco ISE BYOD Prescriptive Deployment Guide - Cisco Community

AES encryption is a symmetric block cipher algorithm that uses a single key to encrypt and decrypt data. It is more secure than 3DES, which is an older and slower algorithm that encrypts and decrypts a key three times in sequence. AES can use different key sizes, such as 128, 192, or 256 bits, depending on the security level required. The longer the key, the more rounds of encryption and decryption are performed, making it harder to break. AES encryption is based on a substitution-permutation network, which consists of a series of operations that transform the input data into the output data using the key. References :=

https://www.simplilearn.com/tutorials/cryptography-tutorial/aes-encryption

https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

To implement external authentication against Active Directory, the Cisco ISE server needs to communicate with the domain controller using either RADIUS or LDAP protocols. RADIUS is used for network access control, while LDAP is used for identity management and directory services. Both protocols require the appropriate ports to be opened and firewall rules to be configured to allow the traffic between the ISE server and the domain controller.

The ISE account does not need to be a domain administrator in Active Directory to perform JOIN operations. It only needs to have the permissions to create computer objects and reset passwords in the domain. This can be achieved by delegating the rights to a specific OU or using a service account with limited privileges.

Active Directory supports user and machine authentication by using various methods, not only MSCHAPv2. MSCHAPv2 is a challenge-response authentication protocol that is commonly used with RADIUS and VPN connections. However, Active Directory also supports other protocols such as Kerberos, NTLM, EAP, and PEAP, depending on the scenario and the client capabilities.

SHA-2 is a family of hash functions that includes SHA-256, SHA-384, and SHA-512. SHA-2 is part of the Next Generation Encryption (NGE) suite of cryptographic algorithms that Cisco recommends for strong security and good performance. SHA-2 is believed to be quantum-computer resistant, meaning that it would not be easily broken by a hypothetical quantum-computer. SHA-2 is also more secure than older hash functions such as MD5 and SHA-1, which have been shown to have weaknesses and collisions. SHA-2 is widely used in various protocols and functions, such as digital signatures, integrity verification, and key derivation. References: 1

https://sec.cloudapps.cisco.com/security/center/resources/next_generation_cryptography

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/116055-technote-ios-crypto.html

The crypto isakmp identity hostname command is required to define the identity used by the router when participating in the Internet Key Exchange protocol. This command is needed when you specify preshared keys for authentication. The ip name-server command is required to specify the IP address of the DNS server that can resolve the FQDN of the remote peer. This command is needed when you use the crypto isakmp key command with the hostname option instead of the address option. The other commands are not required or correct for this scenario. References: 1, 2, 3

 To enable CWA for wireless guest access, the ISE engineer needs to configure the following steps on the ISE server:

Create a guest portal with the desired settings and appearance.

Create an authorization profile that references the guest portal and the DACL name for the Airespace ACL configured on the WLC. The DACL name must match the name of the ACL on the WLC exactly. The authorization profile also needs to have the common tasks of Web Redirection and Web Authentication enabled.

Create an authorization policy that matches the unauthenticated devices based on the MAC address or other criteria and applies the authorization profile created in the previous step.

The DACL name is required for the WLC to apply the correct ACL to the guest endpoints and redirect them to the guest portal. Without the DACL name, the WLC will not know which ACL to use and may grant full guest access to the endpoints. Therefore, the correct answer is D.

References :=

Some possible references are:

Central Web Authentication (CWA) for guests with ISE

Understand And Troubleshoot Central Web-Authentication (CWA) In Guest Anchor Set-Up

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Release 17.3.0 - Guest Access

Explanation

Explanation

Cryptographic algorithms defined for use with IPsec include:

+ HMAC-SHA1/SHA2 for integrity protection and authenticity.

+ TripleDES-CBC for confidentiality

+ AES-CBC and AES-CTR for confidentiality.

+ AES-GCM and ChaCha20-Poly1305 providing confidentiality and authentication together efficiently.

Cisco FTDv in AWS can be deployed in two different deployment models: single-instance and cluster. In both models, the FTDv can be configured in routed mode and managed by either an FMCv installed in AWS or a physical FMC appliance on premises. The FTDv can also use Geneve encapsulation for traffic interfaces to support AWS Gateway Load Balancer (GWLB) integration. The following table summarizes the supported deployment model configurations for FTDv in AWS:

Table

Deployment Model

Management Mode

Traffic Mode

Geneve Encapsulation

Single-instance

FMCv in AWS

Routed

Optional

Single-instance

FMC on premises

Routed

Optional

Cluster

FMCv in AWS

Routed

Required

Cluster

FMC on premises

Routed

Required

References :=

Deploy the Threat Defense Virtual on AWS - Cisco

Deploy a Threat Defense Virtual Cluster on AWS - Cisco

Configure Geneve Interfaces in Secure FTDv - Cisco

Deployment of Cisco Secure FTDv and FMCv instances in AWS - Terraform

Solved: FTD virtual appliance in AWS - Cisco Community

Explanation

Malware means “malicious software”, is any software intentionally designed to cause damage to a computer, server, client, or computer network. The most popular types of malware includes viruses, ransomware and spyware. Virus Possibly the most common type of malware, viruses attach their malicious code to clean code and wait to be run.

Ransomware is malicious software that infects your computer and displays messages demanding a fee to be paid in order for your system to work again.

Spyware is spying software that can secretly record everything you enter, upload, download, and store on your computers or mobile devices. Spyware always tries to keep itself hidden.

An exploit is a code that takes advantage of a software vulnerability or security flaw.

Exploits and malware are two risks for endpoints that are not up to date. ARP spoofing and eavesdropping are attacks against the network while denial-of-service attack is based on the flooding of IP packets.

 The destination command is required to complete the flow record and specify the IP address of the Stealthwatch collector that will receive the NetFlow data. The transport udp 2055 command is also needed, but it is part of the flow exporter configuration, not the flow record. The match ipv4 ttl and cache timeout active 60 commands are optional and can be used to customize the flow record, but they are not mandatory. The flow record defines the fields that are collected and exported for each flow, such as source and destination IP addresses, ports, protocols, etc. The flow exporter defines the destination, source, transport protocol, and port for sending the NetFlow data. The flow monitor binds the flow record and the flow exporter together and applies them to an interface. The following is an example of a complete NetFlow configuration for sending data to Stealthwatch:

flow exporter EXPORTER description Export NetFlow to Stealthwatch destination 1.1.1.1 export-protocol netflow-v9 source Vlan100 transport udp 2055 ! flow record RECORD description NetFlow record match datalink mac source address input match datalink mac destination address input match datalink vlan input match ipv4 ttl match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input collect interface output collect counter bytes long collect counter packets long collect timestamp absolute first collect timestamp absolute last ! flow monitor IPv4_NETFLOW record RECORD exporter EXPORTER cache timeout active 60 ! interface <> ip flow monitor IPv4_NETFLOW input ! References : Configuring and Troubleshooting NetFlow for Stealthwatch, Cisco NetFlow Configuration, Building a Better Monitoring Solution with Flexible Netflow

The function of the crypto is a kmp key cisc406397954 address 0.0.0.0 0.0.0.0 command when establishing an IPsec VPN tunnel is to configure the pre-shared authentication key. This command specifies the key that will be used to authenticate the Internet Key Exchange (IKE) phase 1 negotiation between the IPsec peers. The key is associated with the address 0.0.0.0 0.0.0.0, which means that it will apply to any peer that initiates or responds to the IKE negotiation. This is a common configuration for dynamic IPsec VPN scenarios, such as Dynamic Multipoint VPN (DMVPN) or Easy VPN, where the IP addresses of the peers are not known in advance. However, this is also a less secure configuration, as it exposes the VPN server to potential brute-force attacks from any source. A more secure configuration would be to specify the exact IP address or subnet of the peer, or to use certificates instead of pre-shared keys.

 To configure a flow-export action on a Cisco ASA, you need to use the flow-export event-type command and the policy-map command. The flow-export event-type command specifies the type of events that trigger the export of NetFlow Security Event Logging (NSEL) records to a collector. The policy-map command creates or modifies a policy map that can be applied to one or more interfaces to specify a service policy. A service policy consists of a traffic class and one or more actions to be applied to the traffic class. One of the actions can be a flow-export action that matches the NSEL events and sends them to a collector. The other commands are not required for configuring a flow-export action. The access-list command creates or modifies an access list that can be used to filter traffic or match traffic classes, but it is not mandatory for a flow-export action. The flow-export template timeout-rate command specifies how often the ASA sends the template to the collector, but it is not part of the flow-export action configuration. The access-group command applies an access list to an interface, but it is not related to the flow-export action. References:

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Configuring Network Secure Event Logging (NSEL)

Solved: Flow-Export problem - Cisco Community

How to configure NetFlow on Cisco ASA firewalls - Auvik Support

Configuring Cisco’s ASA for NSEL Export to the StealthWatch System

The command that results in these messages when attempting to troubleshoot an iPsec VPN connection is debug crypto isakmp. This command displays debug information about the Internet Key Exchange (IKE) protocol, which is used to establish security associations (SAs) for IPsec VPNs. The messages in the exhibit show various steps and statuses of the IKE negotiation process, such as creating and deleting peer structures, receiving and sending packets, and checking the compatibility of the security policies and proposals. The other commands are either invalid (debug crypto ipsec endpoint and debug crypto isakmp connection) or display different information (debug crypto ipsec shows the details of the IPsec encryption and decryption operations). References: 

https://www.cisco.com/c/en/us/training-events/training-certifications/training/training-services/courses/implementing-and-operating-cisco-security-core-technologies-scor.html

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html

Explanation

Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cisco Cloudlock provides visibility and compliance checks, protects data against misuse and exfiltration, and provides threat protections against malware like ransomware.

Explanation

You can configure your ASA FirePOWER module using one of the following deployment models:

You can configure your ASA FirePOWER module in either an inline or a monitor-only (inline tap or

passive) deployment.

Explanation

Cisco‘s Group Encrypted Transport VPN (GETVPN) introduces the concept of a trusted group to eliminate

point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security

association (SA), also known as a group SA. This enables GMs to decrypt traffic that was encrypted by any

other GM.

GETVPN provides instantaneous large-scale any-to-any IP connectivity using a group IPsec security paradigm.

One of the key capabilities of endpoint security is to prevent phishing attacks by ensuring that antivirus and anti malware software is up to date. This helps to detect and block malicious attachments or links that may be embedded in phishing emails. Antivirus and anti malware software can also scan the endpoint for any signs of compromise or infection that may have resulted from a successful phishing attack. Additionally, endpoint security can provide data loss prevention (DLP) features that can prevent sensitive data from being exfiltrated by attackers who have gained access to the endpoint through phishing. References :=

Some possible references are:

Endpoint Security and Phishing: What to Know

Protect Against Spear Phishing with Endpoint Security

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (source book)

Explanation

SQL injection usually occurs when you ask a user for input, like their username/userid, but the user gives

(“injects”) you an SQL statement that you will unknowingly run on your database. For example:

Look at the following example, which creates a SELECT statement by adding a variable (txtUserId) to a select

string. The variable is fetched from user input (getRequestString):

txtUserId = getRequestString(“UserId”);

txtSQL = “SELECT * FROM Users WHERE UserId = ” + txtUserId;

If user enter something like this: “100 OR 1=1” then the SzQL statement will look like this:

SELECT * FROM Users WHERE UserId = 100 OR 1=1;

The SQL above is valid and will return ALL rows from the “Users” table, since OR 1=1 is always TRUE. A

hacker might get access to all the user names and passwords in this database.

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings. This capability protects the network from certain “man-in-the-middle” attacks. DAI determines the validity of an ARP packet based on valid IP to MAC address bindings from the DHCP snooping binding database. DAI also supports static ARP ACLs for hosts with static IP addresses. DAI checks all ARP packets on untrusted interfaces, and only forwards the packets that have valid bindings. DAI can also rate-limit the ARP packets on untrusted interfaces to prevent DoS attacks. The other options are incorrect because:

B. In a typical network, DAI should be configured to make all ports as untrusted except for the ports connecting to trusted hosts or switches, which are trusted.

C. DAI does not associate a trust state with each switch, but with each interface on the switch.

D. DAI intercepts all ARP requests and responses on untrusted ports only, not on trusted ports. References :=

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html

https://study-ccna.com/dynamic-arp-inspection-dai/

Explanation

Explanation

Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.

Microsegmentation is a technology that limits communication between nodes on the same network segment to individual applications by creating secure zones across cloud and data center environments. Microsegmentation isolates application workloads from one another and secures them individually with granular firewall policies based on a zero-trust security approach1. Microsegmentation can reduce the attack surface, prevent the lateral movement of threats, and strengthen regulatory compliance1.

Serverless infrastructure is a technology that allows developers to run code without provisioning or managing servers2. Serverless infrastructure does not limit communication between nodes on the same network segment to individual applications, but rather abstracts away the underlying infrastructure from the application logic.

SaaS deployment is a technology that delivers software applications over the internet as a service3. SaaS deployment does not limit communication between nodes on the same network segment to individual applications, but rather provides access to software applications from any device and location.

Machine-to-machine firewalling is a technology that controls the communication between machines or devices on a network. Machine-to-machine firewalling does not limit communication between nodes on the same network segment to individual applications, but rather applies rules to the traffic between machines or devices based on their IP addresses, ports, protocols, or other criteria.

References :=

What Is Micro-Segmentation? - Cisco

What is serverless?

What is SaaS?

[Machine-to-Machine Firewalling]

Explanation

The syntax of this command is shown below:

snmp-server group [group-name {v1 | v2c | v3 [auth | noauth | priv]}] [read read-view] [write write-view] [notify notify-view] [access access-list]

The command above restricts which IP source addresses are allowed to access SNMP functions on the router. You could restrict SNMP access by simply applying an interface ACL to block incoming SNMP packets that don’t come from trusted servers. However, this would not be as effective as using the global SNMP commands shown in this recipe. Because you can apply this method once for the whole router, it is much simpler than applying ACLs to block SNMP on all interfaces separately. Also, using interface ACLs would block not only SNMP packets intended for this router, but also may stop SNMP packets that just happened to be passing through on their way to some other destination device.

 Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cloudlock’s simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem. Cloudlock integrates with cloud applications like Dropbox and Office 365 by providing visibility, compliance, threat protection, and data security. Cloudlock can detect and prevent data exfiltration by applying data loss prevention (DLP) policies, encrypting sensitive data, and alerting or blocking unauthorized activities. Cloudlock also supports cloud app discovery and risk assessment, user and entity behavior analytics (UEBA), and cloud app firewall12. References: 1: Cisco Cloudlock - Cisco 2: Cisco Cloudlock Privacy Data Sheet

Explanation

In explicit proxy mode, users are configured to use a web proxy and the web traffic is sent directly to the Cisco WSA. In contrast, in transparent proxy mode the Cisco WSA intercepts user's web traffic redirected from other network devices, such as switches, routers, or firewalls.

Cisco Stealthwatch is a network security and visibility platform that provides an agentless solution to monitor network traffic and detect threats, including those in encrypted traffic. Stealthwatch uses Encrypted Traffic Analytics (ETA), a technology that leverages network telemetry and machine learning to identify malicious patterns and behaviors in encrypted traffic without decryption. ETA can also assess the cryptographic strength and compliance of the encryption protocols used in the network. Stealthwatch integrates with other Cisco security products, such as Cisco Identity Services Engine (ISE) and Cisco Advanced Malware Protection (AMP), to provide contextual information and threat intelligence for faster and more effective response. Stealthwatch is the only Cisco platform that offers ETA as a solution to provide visibility across the network, including encrypted traffic analytics, to detect malware in encrypted traffic without the need for decryption. References :=

Some possible references are:

Cisco Secure Network Analytics (Stealthwatch) - Cisco, Cisco

Encrypted Traffic Analytics > Security | Cisco Press, Cisco Press

Solutions - Encrypted Traffic Analytics with the New Cisco Network and Secure Network Analytics At-a-Glance - Cisco, Cisco

Cisco Encrypted Traffic Analytics White Paper, Cisco

To enable a separated email transfer flow from the Internet and from the LAN, the engineer must use the two-interface deployment mode on the Cisco WSA. This mode allows the WSA to have two separate network interfaces, one for the Internet traffic and one for the LAN traffic. This way, the WSA can apply different policies and settings for each interface, and isolate the email flows from each other. The two-interface mode also provides better performance and security than the single-interface mode, which uses only one network interface for both Internet and LAN traffic12. The other deployment modes, such as multi-context, transparent, or single-interface, do not support a separated email transfer flow from the Internet and from the LAN. References:

Two-interface mode, section “Deployment”.

WSA network configuration, section “Interfaces”.

Cisco ASA NetFlow v9 Secure Event Logging (NSEL) is a security logging mechanism that is built on NetFlow Version 9 technology and provides stateful, IP flow tracking for significant events in a flow. NSEL requires a collector to receive and process the exported data records. To configure NSEL, you need to define a flow-export event type under a policy using the Modular Policy Framework (MPF). The event type specifies which events to export, such as flow-create, flow-denied, flow-teardown, flow-update, or all. You also need to configure the NSEL collectors, the template timeout intervals, and the flow-update interval. Optionally, you can disable the redundant syslog messages and reset the runtime counters.

The other statements are false because:

To view bandwidth usage for NetFlow records, the QoS feature is not required. You can use a NetFlow collector or analyzer to view the bandwidth usage and other statistics from the exported data records.

A sysopt command cannot be used to enable NSEL on a specific interface. NSEL is enabled globally on all interfaces by default when you configure a flow-export event type under a policy.

NSEL cannot be used without a collector configured. NSEL exports data records to the configured collectors using NetFlow over UDP. If no collector is configured, the data records are discarded.

Explanation

We choose “Chat and Instant Messaging” category in “URL Category”:

To block certain URLs we need to choose URL Reputation from 6 to 10.

Explanation

Symmetric encryption uses a single key that needs to be shared among the people who need to receive the message while asymmetric encryption uses a pair of public key and a private key to encrypt and decrypt messages when communicating.

Asymmetric encryption takes relatively more time than the symmetric encryption.

Diffie Hellman algorithm is an asymmetric algorithm used to establish a shared secret for a symmetric key

algorithm. Nowadays most of the people uses hybrid crypto system i.e, combination of symmetric and

asymmetric encryption. Asymmetric Encryption is used as a technique in key exchange mechanism to share secret key and after the key is shared between sender and receiver, the communication will take place using symmetric encryption. The shared secret key will be used to encrypt the communication.

Triple DES (3DES), a symmetric-key algorithm for the encryption of electronic data, is the successor of DES (Data Encryption Standard) and provides more secure encryption then DES.

Note: Although “requires secret keys” option in this question is a bit unclear but it can only be assigned to

Symmetric algorithm.

Network telemetry is a technology for gaining network insight and facilitating efficient and automated network management. It encompasses various techniques for remote data generation, collection, correlation, and consumption1. Network telemetry can be used for various purposes, such as network performance monitoring, security analysis, troubleshooting, and optimization. One of the applications of network telemetry is Layer 2 device discovery, which allows network operators to discover and map the physical topology of the network, including switches, routers, hosts, and links. Layer 2 device discovery can be achieved by using protocols such as Link Layer Discovery Protocol (LLDP) or Cisco Discovery Protocol (CDP), which enable network devices to advertise their identity, capabilities, and neighbors to other devices on the same network segment. To enable Layer 2 device discovery, network telemetry must be enabled on the network devices, so that they can send and receive LLDP or CDP packets. This feature requires network telemetry to be enabled, because without it, the network devices would not be able to exchange information about their topology and configuration. Therefore, the correct answer is C. Layer 2 device discovery. References: 1: RFC 9232: Network Telemetry Framework - Internet Engineering Task Force

 Multi-factor authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA is a core component of a strong identity and access management (IAM) policy1. MFA is important to implement inside of an organization because it can prevent brute force attacks from being successful. A brute force attack is a type of cyberattack that tries to guess the user’s password or PIN by trying different combinations until it finds the correct one. This can be done manually or with automated tools. MFA can stop brute force attacks by requiring an additional factor of authentication that the attacker does not have, such as a phone, a token, a biometric, or a location. MFA can also reduce the risk of other types of attacks that rely on stealing or compromising the user’s credentials, such as phishing, keylogging, or credential stuffing. References := 1: What is Multi-Factor Authentication (MFA)? | OneLogin

Device compliance checks are a feature of Cisco Identity Services Engine (ISE) that allows you to verify the posture of endpoints before allowing them to access your network. Posture is the state of the endpoint in terms of security, such as the presence of anti-virus software, firewall, patches, and so on. A posture agent, such as the AnyConnect ISE Posture Agent, runs on the endpoint and collects posture information, which is then sent to the ISE server for evaluation. Based on the posture policy, the ISE server can grant or deny network access, or apply remediation actions to the endpoint. One of the benefits of conducting device compliance checks is that it validates if anti-virus software is installed on the endpoint, which can prevent malware infections and protect your network from threats. The other options are not benefits of device compliance checks, as they are not related to the posture of the endpoint. References:

Compliance - Cisco

Device Compliance - Cisco

Explanation

Explanation

Cisco Advanced Phishing Protection provides sender authentication and BEC detection capabilities. It uses advanced machine learning techniques, real-time behavior analytics, relationship modeling, and telemetry to protect against identity deception-based threats.

Explanation

Explanation

The Application Visibility and Control (AVC) engine lets you create policies to control application activity on the network without having to fully understand the underlying technology of each application. You can configure application control settings in Access Policy groups. You can block or allow applications individually or according to application type. You can also apply controls to particular application types.

The correct answer is to enable two-factor authentication through a RADIUS server, and then join the cluster via the SEG CLI. Two-factor authentication is a security feature that requires users to provide two forms of identification before accessing the SEG, such as a username and password, and a one-time code or token. This adds an extra layer of protection against unauthorized access and phishing attacks. The SEG supports two-factor authentication through external RADIUS servers, which can be configured on the System Administration > Users page in the web interface, or the userconfig command in the CLI. See User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) (Section: Two-Factor Authentication) for more details.

To join a cluster, the SEG must communicate with other cluster members using either SSH or CCS (Cluster Communication Service). The cluster communication port and method can be configured on the Network > Cluster Communication page in the web interface, or the clusterconfig command in the CLI. See User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) (Section: Cluster Communication) for more details.

If two-factor authentication is enabled on the SEG, it cannot join a cluster using the web interface, because the web interface does not support two-factor authentication for cluster operations. Therefore, the SEG must join the cluster using the CLI, and provide a pre-shared key that matches the cluster’s admin passphrase. The pre-shared key can be configured using the clusterconfig > prepjoin command in the CLI. See User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) (Section: Creating and Joining a Cluster) for more details.

The other options are incorrect because they either use the wrong authentication server (TACACS+ instead of RADIUS), or the wrong communication method (GUI instead of CLI). References:

User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment)

Configure an Email Security Appliance (ESA) Cluster - Cisco

A connector is a feature that enables a Cisco ISR to use the default bypass list automatically for web filtering. A connector is a software component that runs on the ISR and communicates with the Cloud Web Security service. The connector intercepts the web traffic from the branch users and redirects it to the Cloud Web Security service for scanning and policy enforcement. The connector also maintains a default bypass list, which contains the domains and URLs that are not redirected to the Cloud Web Security service. The default bypass list is updated automatically by the Cloud Web Security service and can be customized by the administrator. The default bypass list helps to improve the performance and reliability of the web filtering solution by avoiding unnecessary redirections of trusted or sensitive web traffic12. References: 1: Security Configuration Guide: Cloud Web Security, Cisco IOS Release 15M&T - Cisco Integrated Services Routers Generation 2 with Cisco Cloud Web Security Solution [Support] - Cisco 2: Security Configuration Guide: Cloud Web Security, Cisco IOS Release 15M&T - Configuring Cloud Web Security on Integrated Services Routers Generation 2 [Support] - Cisco

The Web Security Appliance (WSA) supports different authentication protocols and schemes to acquire end-user credentials. The most common protocols are NTLMSSP and Kerberos, which are both supported by Active Directory realms. NTLMSSP is a challenge-response authentication protocol that uses a hash of the user’s password to authenticate. Kerberos is a ticket-based authentication protocol that uses a trusted third-party (the Key Distribution Center) to issue tickets to the user and the service. Both protocols are more secure and widely supported than Basic authentication, which sends the user’s credentials in clear text. CHAP, TACACS+, and RADIUS are not supported by the WSA for end-user authentication, although they can be used for external authentication of administrators or for credential encryption. References: 1, 2, 3

https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/guide-c07-742373.html

https://frontegg.com/blog/authentication

Explanation

Explanation

… we will showcase Cisco Threat Intelligence Director (CTID) an exciting feature on Cisco’s Firepower

Management Center (FMC) product offering that automates the operationalization of threat intelligence. TID has the ability to consume threat intelligence via STIX over TAXII and allows uploads/downloads of STIX and simple blacklists. Reference: https://blogs.cisco.com/developer/automate-threat-intelligence-using-cisco-threat-intelligencedirector

Workload security models refer to the ways of protecting applications, services, and capabilities that run on a cloud resource. There are different types of cloud deployment models, such as public, private, hybrid, and multicloud, and different types of cloud service models, such as IaaS, PaaS, and SaaS. However, these are not workload security models, but rather ways of describing the cloud environment and the level of abstraction. Workload security models are more focused on the location and ownership of the workloads, and how they are secured. The two main workload security models are off-premises and on-premises. Off-premises workload security model means that the workloads are hosted and managed by a third-party cloud service provider, such as AWS, Azure, or GCP. The cloud service provider is responsible for the security of the underlying infrastructure, such as the physical servers, network devices, storage systems, and hypervisors. The customer is responsible for the security of the workloads themselves, such as the guest operating systems, applications, data, and users. The customer can use various tools and techniques to secure their workloads, such as encryption, firewalls, identity and access management, vulnerability scanning, and logging and monitoring. On-premises workload security model means that the workloads are hosted and managed by the customer on their own data center or private cloud. The customer is responsible for the security of both the infrastructure and the workloads, and has full control and visibility over them. The customer can use similar tools and techniques as the off-premises model, but also has to deal with the physical security, network security, and compliance requirements of their own environment. References:

What Is Workload Security? On-Premises, Cloud, Kubernetes, and More

What is Cloud Workload Security? - CyberArk

What is Cloud Workload Protection? | Workload Security | VMware

What is Cloud Workload Security? - Check Point Software

Introduction To Classic Security Models - GeeksforGeeks

When a Cisco WSA receives a web request, it evaluates it against the policies in the policy table. Each policy type has a predefined, global policy, which maintains default actions for that policy type. If the web request does not match any user-defined policy, the WSA applies the global policy. The global policy can be configured to allow, block, or redirect the web request based on various criteria. The global policy acts as a catch-all policy for any web request that is not explicitly handled by a user-defined policy. References :=

User Guide for AsyncOS 11.0 for Cisco Web Security Appliances - Create Policies to Control Internet Requests

User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited Deployment) - Acquire End-User Credentials

DNSSEC (Domain Name System Security Extensions) is a technology that protects DNS from cache poisoning and spoofing attacks by digitally signing DNS data with cryptographic keys. DNSSEC ensures the integrity and authenticity of DNS responses, preventing attackers from redirecting traffic to malicious domains. Cisco Umbrella supports DNSSEC by performing validation on queries sent from Umbrella resolvers to upstream authorities. This means that Umbrella will only accept DNS responses that are signed and verified by the authoritative servers for each domain. To enable DNSSEC validation, the organization needs to configure Cisco Umbrella and use DNSSEC for domain authentication to authoritative servers. This will ensure that Umbrella resolvers will reject any forged or tampered DNS responses and provide secure DNS resolution for the organization’s network. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 2: Network Security, Lesson 2.5: Implement DNS Security

What is DNSSEC and Why Is It Important? - Cisco Umbrella

DNSSEC General Availability – Cisco Umbrella

The debug crypto isakmp sa command shows the status of the Internet Security Association and Key Management Protocol (ISAKMP) security associations (SAs). The output of this command indicates that the ISAKMP negotiation failed after several retransmissions. The most likely cause of this failure is a mismatch in the authentication key between the two peers. The authentication key is specified by the crypto isakmp key command and must be the same on both routers. If the authentication key is different, the ISAKMP messages cannot be decrypted and verified by the peers, resulting in an error. To fix this problem, the network administrator should verify and correct the authentication key on both routers and clear the existing ISAKMP SAs with the clear crypto isakmp sa command. References: 1, 2, 3, 4

 Cisco NBAR2 is a classification engine that recognizes and classifies a wide variety of protocols and applications based on their deep packet inspection (DPI) signatures. NBAR2 enables the platform to identify and output various applications within the network traffic flows, such as web, email, voice, video, and so on. NBAR2 also supports custom protocols and applications, allowing the platform to classify traffic based on user-defined criteria. NBAR2 helps the platform to apply the appropriate quality of service (QoS), security, and policy for each application or protocol. References :=

Some possible references are:

Cisco NBAR2

Classifying Network Traffic Using NBAR

Next Generation NBAR (NBAR2)

two-factor authentication. Two-factor authentication (2FA) is a security measure that requires users to provide two pieces of evidence to verify their identity before accessing SaaS-based applications1. These pieces of evidence can be something the user knows (such as a password or a PIN), something the user has (such as a smartphone or a token), or something the user is (such as a fingerprint or a face scan)1. 2FA enhances the security of SaaS-based applications by making it harder for attackers to compromise login credentials and gain unauthorized access to sensitive data and resources2. The other options are not correct because they are not sufficient to secure SaaS-based applications. Modular policy framework (MPF) is a feature of Cisco ASA that allows administrators to create and apply security policies to traffic flows3. However, MPF alone cannot protect SaaS-based applications from web-based threats or data breaches. Application security gateway (ASG) is a device that provides firewall, intrusion prevention, and content filtering services for web applications4. However, ASG cannot prevent credential theft or account takeover attacks that target SaaS-based applications. End-to-end encryption (E2EE) is a method of encrypting data in transit and at rest, so that only the sender and the receiver can decrypt it. However, E2EE cannot prevent unauthorized access to SaaS-based applications if the encryption keys are compromised or stolen. References:

1: What is Two-Factor Authentication (2FA)?

2: How to Secure Your SaaS Applications

3: Modular Policy Framework Overview

4: What is an Application Security Gateway?

: What is End-to-End Encryption?

To add a device into Cisco DNA Center with the native API, the POST method and the name attribute are required. The POST method is used to create a new resource on the server, such as a device. The name attribute is used to specify the hostname or IP address of the device to be added. The POST method requires a JSON body that contains the device information, such as the name, type, role, credentials, and other optional parameters. The Cisco DNA Center API documentation provides an example of the JSON body and the response for adding a device1. The Cisco DNA Center Platform User Guide also explains how to use the native API to add devices2. References := 1: Cisco DNA Center API Documentation - Add Device 2: Cisco DNA Center Platform User Guide, Release 2.3.5 - Manage Devices Using the Native API

 The Python script of the Cisco DNA Center API in the exhibit uses the requests module to send a GET request to the /dna/intent/api/v1/network-device endpoint, which returns a list of network devices managed by Cisco DNA Center. The script also uses HTTPBasicAuth to provide the username and password for authentication. The script then parses the JSON response and prints the hostname, type, management IP address, and software version of each device in a table format using the prettytable module. Therefore, the result of this script is to receive information about a switch or switches from Cisco DNA Center. References:

Python Scripting APIs in Cisco DNA Center Let You Improve Effectiveness, Topic: Network device’s script, simple and easy to create

Intro to Cisco DNA Center REST API with Python, Module 2: Using Python to Retrieve a Network Device List

Cisco DNA Center API Call Python Script Example, Topic: Cisco DNA CENTER SANDBOX Call DNA Center API Call Python Script Example

Sandboxing is a feature that is leveraged by advanced antimalware capabilities to be an effective endpoint protection platform. Sandboxing allows an endpoint protection platform to isolate suspect files in a safe environment and analyze their behavior and impact without affecting the rest of the system. Sandboxing can help detect and prevent unknown or zero-day malware that may evade traditional signature-based detection methods. Sandboxing can also provide valuable threat intelligence and forensic data for further investigation and response.

Big data, storm centers, and blocklisting are not features that are leveraged by advanced antimalware capabilities to be an effective endpoint protection platform. Big data refers to the large volume, variety, and velocity of data that can be used for various purposes, such as analytics, machine learning, or business intelligence. Storm centers are centralized hubs that monitor and respond to cyber incidents and threats. Blocklisting is a method of preventing access to malicious or unwanted domains, IP addresses, or files by adding them to a list of blocked entities. References:

Endpoint Protection Platform (EPP) Definition

Cisco Advanced Malware Protection (AMP) for Endpoints

Cisco AMP for Endpoints: Sandboxing

 Cisco Advanced Malware Protection (AMP) for Endpoints is a cloud-based solution that provides endpoint protection against malware and advanced threats. It can be deployed in different architectures depending on the customer’s needs and preferences. One of the deployment options is the private cloud, which is designed to keep data within a network perimeter. In this option, the customer hosts the AMP for Endpoints console and the AMP cloud on their own infrastructure, and the endpoints connect to the private cloud for analysis and policy enforcement. This option provides more control and privacy over the data, but also requires more resources and maintenance from the customer. The other deployment options are the public cloud, which uses the Cisco-hosted AMP cloud and console, and the hybrid cloud, which uses a combination of the public and private clouds123 References: 1: Protecting Against Malware Threats with Cisco AMP for Endpoints (SSFAMP) course overview 2: Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco 3: Cisco Advanced Malware Protection for Endpoints - Zones

 Split tunneling is a feature that allows VPN users to access both the corporate network and the internet at the same time. By using split tunneling, only the traffic destined for the 10.0.0.0/24 network will be encrypted and sent through the VPN tunnel, while the rest of the traffic will be sent directly to the internet. This reduces the VPN bandwidth load on the headend Cisco ASA and ensures that bandwidth is available for VPN users needing access to corporate resources. Split tunneling can be configured on the ASA by using the split-tunnel-network-list value command under the group-policy attributes. The network list should include the 10.0.0.0/24 network as the only entry. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Secure Connectivity, Lesson 5.1: Implementing Site-to-Site VPNs on Cisco Routers and ASA Firewalls, Topic 5.1.3: Configuring Site-to-Site VPNs on Cisco ASA Firewalls, Subtopic 5.1.3.2: Configuring Split Tunneling.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html

 The Atomic ARP engine is a signature engine that defines basic Layer 2 ARP signatures and provides more advanced detection of the ARP spoof tools dsniff and ettercap. ARP spoofing is an attack that involves sending spoofed ARP messages over a local area network to associate the attacker’s MAC address with the IP address of the target. The Atomic ARP engine inspects the Layer 2 ARP protocol and compares the ARP requests and replies with the MAC address table to detect any anomalies or inconsistencies. The Atomic ARP engine can also detect gratuitous ARP messages, which are unsolicited ARP replies that can be used to poison the ARP cache of other hosts. The Atomic ARP engine is different from other IPS engines because most engines are based on Layer 3 IP protocol. References := 

https://www.cisco.com/c/en/us/td/docs/security/ips/6-1/configuration/guide/cli/cliguide/cli_signature_engines.html

https://security.stackexchange.com/questions/71023/can-suricata-ips-detect-and-prevent-arp-poisoning-attacks

Explanation

The Stealthwatch Cloud Private Network Monitoring (PNM) Sensor is an extremely flexible piece of technology,

capable of being utilized in a number of different deployment scenarios. It can be deployed as a complete

Ubuntu based virtual appliance on different hypervisors (e.g. –VMware, VirtualBox). It can be deployed on

hardware running a number of different Linux-based operating systems.

The Cisco WSA can enforce bandwidth restrictions for web applications by using the Application Visibility and Control (AVC) engine. The AVC engine allows the WSA to identify and control application activity on the network, and to apply bandwidth limits to certain application types or individual applications. The WSA dynamically creates a scavenger class QoS policy and applies it to each client that connects through the WSA. The scavenger class QoS policy assigns a low priority to the application traffic and limits the bandwidth usage based on the configured settings. This way, the WSA can prevent congestion and ensure fair allocation of bandwidth among different applications and users. References:

User Guide for AsyncOS 11.8 for Cisco Web Security Appliances - GD (General Deployment) - Managing Access to Web Applications

WSA - limit bandwidth - Cisco Community

 Cisco ISE supports two types of WebAuth for BYOD: central WebAuth and local WebAuth. Central WebAuth is the default method and it uses the ISE portal to authenticate the users and redirect them to the BYOD portal. Local WebAuth is an alternative method that uses the network access device (NAD) portal to authenticate the users and then redirects them to the ISE BYOD portal. Both methods require the configuration of a guest component on ISE, which is used to create the BYOD portal and the guest user accounts. The guest component also provides the self-service onboarding and registration features for the BYOD users. The dual component is not related to BYOD, but rather to the dual-SSID method, which uses two separate SSIDs for provisioning and access. The null WebAuth component is not a valid option for BYOD. References :=

Some possible references are:

Cisco ISE BYOD Prescriptive Deployment Guide

Configure Single SSID Wireless BYOD on Windows and ISE

Cisco ISE for BYOD and Secure Unified Access, 2nd Edition

Cisco Stealthwatch - rapidly collects and analyzes netflow and telementy data to deliver in-depth visibility and understanding of network traffic

Cisco ISE – obtains contextual identity and profiles for all users and device

Cisco TrustSec – software defined segmentation that uses SGTs

Cisco Umbrella – secure internet gateway ion the cloud that provides a security solution

Cisco Secure Workload (formerly Tetration) is a solution that provides visibility, segmentation, and security for cloud applications. It can monitor application communications, detect abnormal application behavior, and identify vulnerabilities within the applications. Cisco Secure Workload can also enforce granular policies to control the traffic between applications and prevent unauthorized access. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 6: Cloud and Content Security, Lesson 6.2: Cisco Cloud Security Solutions, Topic 6.2.2: Cisco Secure Workload

Explanation

Explanation

The traditional use of the pull model, where the client requests data from the network does not scale when what you want is near real-time data. Moreover, in some use cases, there is the need to be notified only when some data changes, like interfaces status, protocol neighbors change etc.

Model-Driven Telemetry is a new approach for network monitoring in which data is streamed from network devices continuously using a push model and provides near real-time access to operational statistics.

Applications can subscribe to specific data items they need, by using standard-based YANG data models over NETCONF-YANG. Cisco IOS XE streaming telemetry allows to push data off of the device to an external collector at a much higher frequency, more efficiently, as well as data on-change streaming.

 The API key is used for HTTP authentication when working with APIs, including https://api.amp.cisco.com/v1/computers. It ensures that the user or system making the API request is authenticated and authorized to access the resources requested. The image you sent shows a Python code snippet that imports the requests module, assigns a client ID and an API key to variables, and uses them to make an API call. The API key is passed as a header parameter in the requests.get() function, which is a common way of implementing HTTP authentication. The other options are not correct because they do not describe the role of the API key. The client ID is a different parameter that identifies the user or system making the request, but it does not authenticate them. HTTP authorization is a process of granting or denying access to resources based on the user’s identity and permissions, but it is not the same as authentication. Importing requests is a Python statement that loads the requests module, which is a library for making HTTP requests, but it has nothing to do with the API key. References :=

Some possible references are:

Cisco AMP for Endpoints API

requests - HTTP for Humans

HTTP authentication - MDN Web Docs

create an application control blocked applications list. This option allows you to specify a list of files that you want to prevent from running on the endpoints that have the AMP connector installed. The files are identified by their SHA-256 hashes, and you can upload them individually or in a batch. The files are not quarantined, but they are blocked from execution and reported as events in the AMP console1. This option is different from the simple custom detection list, which is used to detect and quarantine specific files that are considered malicious2. The advanced custom detection list is also used to detect and quarantine files, but it allows you to specify more criteria such as file size, file name, and file path3. The IP block and allow lists are used to control the network traffic to and from the endpoints, not the file execution4. References: 1: Configure Application Control on the AMP for Endpoints Portal 2: Configure a Simple Custom Detection List on the AMP for Endpoints Portal 3: [Configure an Advanced Custom Detection List on the AMP for Endpoints Portal] 4: [Configure IP Block and Allow Lists on the AMP for Endpoints Portal]

To collect full metadata information about the traffic going through their AWS cloud services, the organization needs to send VPC Flow Logs to Cisco Stealthwatch Cloud and configure Cisco Stealthwatch Cloud to ingest AWS information. VPC Flow Logs is a feature that enables the organization to capture information about the IP traffic going to and from network interfaces in their VPC. Flow log data can be published to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose1. Cisco Stealthwatch Cloud is a SaaS-based network and cloud security solution that provides behavioral analytics across the network to help the organization improve threat detection and achieve a stronger security posture2. By sending VPC Flow Logs to Cisco Stealthwatch Cloud, the organization can leverage the rich network flow metadata to perform various types of flow analysis, such as troubleshooting connectivity issues, monitoring the traffic patterns, detecting anomalous or malicious activity, and verifying compliance3. To send VPC Flow Logs to Cisco Stealthwatch Cloud, the organization needs to create a flow log for their VPC, subnet, or network interface, and specify Cisco Stealthwatch Cloud as the destination4. To configure Cisco Stealthwatch Cloud to ingest AWS information, the organization needs to add their AWS account as a data source in the Cisco Stealthwatch Cloud portal, and grant the necessary permissions for Cisco Stealthwatch Cloud to access their VPC Flow Logs5. By doing so, the organization can view and analyze the flow log data in the Cisco Stealthwatch Cloud dashboard, and receive valuable security alerts and insights based on the network behavior6.

References := 1: Logging IP traffic using VPC Flow Logs - Amazon Virtual Private Cloud 2: Cisco Secure Cloud Analytics (Stealthwatch Cloud) - Cisco 3: Cisco Secure Cloud Analytics - AWS VPC Flow Logs: A New Tool for Your … 4: Publish flow logs to Cisco Stealthwatch Cloud - Amazon Virtual Private Cloud 5: AWS Data Source Setup - Cisco Stealthwatch Cloud 6: AWS Workload Protection - Cisco Stealthwatch Cloud

Explanation

In its essence, FlexVPN is the same as DMVPN. Connections between devices are still point-to-point GRE tunnels, spoke-to-spoke connectivity is still achieved with NHRP redirect message, IOS routers even run the same NHRP code for both DMVPN and FlexVPN, which also means that both are Cisco’s proprietary technologies.

One of the main reasons why a user would choose an on-premises ESA versus the CES solution is to have more control over the sensitive data that flows through the email system. With an on-premises ESA, the user can ensure that the data is stored and processed within their own network and data center, and that they comply with any regulatory or organizational requirements for data security and privacy. With a CES solution, the user would have to trust Cisco to handle the data in their cloud infrastructure, and to adhere to the service level agreements and security policies that are agreed upon. Some users may not be comfortable with this level of outsourcing, especially if they have strict data governance or compliance needs12. References: 1: Physical ESA vs Cloud ESA - Cisco Community 2: Cisco Email Security Appliance - Data Sheet

Explanation

Explanation

Customers must manage applications and data in PaaS.

Explanation

The ASA and ASASM implementations of NetFlow Secure Event Logging (NSEL) provide a stateful, IP flow tracking method that exports only those records that indicate significant events in a flow.

The significant events that are tracked include flow-create, flow-teardown, and flow-denied (excluding those flows that are denied by EtherType ACLs).

MDM stands for Mobile Device Management, which is a system that performs compliance checks and remote wiping on mobile devices. MDM allows administrators to enforce security policies, monitor device status, and remotely manage devices in case of loss, theft, or compromise. MDM can also integrate with other Cisco security solutions, such as ISE, AMP, and Umbrella, to provide enhanced protection and visibility for mobile devices. References:

Mobile Device Management (MDM) - Cisco

Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 5: Secure Network Access

VMware APIC is a platform that integrates with Cisco ACI to provide enhanced visibility, policy integration and deployment, and security policies with access lists. VMware APIC is a virtual appliance that runs on VMware vSphere and communicates with the Cisco APIC controller. VMware APIC allows administrators to create and manage Cisco ACI policies for VMware virtual machines and networks. VMware APIC also provides a unified view of the physical and virtual network topology, health, and statistics. VMware APIC supports the following modes of Cisco ACI and VMware integration:

VMware VDS: When integrated with Cisco ACI, the VMware vSphere Distributed Switch (VDS) enables administrators to configure VM networking in the ACI fabric.

Cisco ACI Virtual Edge: Cisco ACI Virtual Edge is a distributed service that provides Layer 4 to Layer 7 services for applications running on VMware vSphere.

Cisco Application Virtual Switch (AVS): Cisco AVS is a distributed virtual switch that provides policy-based network services for VMware vSphere environments. References:

Cisco ACI with VMware VDS Integration

Cisco ACI and VMware NSX-T Data Center Integration

Cisco ACI and VMware: The Perfect Pair

Setting the Record Straight: Confusion about ACI on VMware Technologies

The Cloudlock Apps Firewall is a feature of Cisco Cloudlock, which is a cloud-native cloud access security broker (CASB) that helps organizations move to the cloud safely. The Cloudlock Apps Firewall mitigates security concerns from an application perspective by discovering and controlling cloud apps that are connected to a company’s corporate environment, such as Google G Suite or Microsoft Azure Active Directory (AD). These cloud apps are authorized through OAuth to access corporate data and resources via APIs, and may pose risks such as data exfiltration, account compromise, or malicious behavior. The Cloudlock Apps Firewall provides visibility into the app ecosystem, including the app name, category, risk level, access scopes, and number of users. It also allows administrators to ban or allowlist apps based on their risk profile and compliance requirements. Additionally, the Cloudlock Apps Firewall leverages a crowd-sourced Community Trust Rating for each app, which reflects the feedback from other Cloudlock customers on the app’s security and functionality. References :=

Cisco Content Security Products

Cisco Cloudlock - Cisco

Shadow IT Control with Apps Firewall - Cisco

Test scor q151 - q200

Explanation

Explanation

Cisco Firepower NGFW Virtual (NGFWv) is the virtualized version of Cisco’s Firepower next generation firewall.

The Cisco NGFW virtual appliance is available in the AWS and Azure marketplaces. In AWS, it can be

deployed in routed and passive modes. Passive mode design requires ERSPAN, the Encapsulated Remote Switched Port Analyzer, which is currently not available in Azure.

In passive mode, NGFWv inspects packets like an Intrusion Detection System (IDS) appliance, but no action can be taken on the packet.

In routed mode NGFWv acts as a next hop for workloads. It can inspect packets and also take action on the packet based on rule and policy definitions.

The login block-for command sets a limit on the maximum number of failed login attempts allowed within a defined period of time. If this limit is exceeded, no further logins are allowed for the specified period of time. This feature is designed to protect the router from denial-of-service and dictionary attacks. The syntax of the command is as follows:

login block-for attempts within

The  parameter specifies the duration of the quiet period in seconds. The  parameter specifies the number of failed attempts that trigger the quiet period. The  parameter specifies the time window in seconds for counting the failed attempts.

In this question, the command login block-for 100 attempts 4 within 60 means that if four failures occur in 60 seconds, the router goes to quiet mode for 100 seconds. During the quiet period, no login attempts are accepted, and the router responds with the message “Login disabled for seconds due to too many failed login attempts.” After the quiet period expires, the router resumes normal login operations.

The other options are incorrect because they do not match the command syntax or the expected behavior of the login block-for feature.

References :=

Some possible references for this question are:

User Security Configuration Guide - Cisco IOS Login Enhancements-Login Block

Configuring Login Block

Restrict login attempts : login block-for command

When applied to a router, which command would help mitigate brute-force password attacks against the router?

Northbound and southbound APIs are two types of interfaces that enable communication between different layers of the SDN architecture. Northbound APIs relay information between the controller and the applications or policy engines, while southbound APIs relay information between the controller and the network devices.

Northbound APIs allow applications to request network services or resources from the controller, such as bandwidth, latency, security, or routing. The controller then translates these requests into network configurations and applies them to the network devices via the southbound APIs. Northbound APIs typically use RESTful API methods such as GET, POST, and DELETE to communicate with the controller.

Southbound APIs allow the controller to program the network devices to perform forwarding and other functions. The controller can use different protocols or standards to communicate with the network devices, depending on their capabilities and vendor-specific features. Some common examples of southbound APIs are CLI, SNMP, RESTCONF, NETCONF, OpenFlow, and OpFlex.

The Cisco WSA supports two main authentication protocols: LDAP and NTLM. LDAP is a protocol for accessing and managing directory information over a network. NTLM is a Windows proprietary protocol that uses a challenge-response mechanism for authentication. The Cisco WSA can use both LDAP and NTLM to authenticate users and apply policies based on their identity. The Cisco WSA does not support WCCP, TLS, or SSL as authentication protocols, although it can use them for other purposes, such as traffic redirection or encryption. References:

User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Chapter: Acquire End-User Credentials

Cisco Web Security Appliance Best Practices Guidelines, Section: Active authentication

Cisco WSA Authentication, Blog post by Kareem CCIE

Authentication and Authorization, PDF document by Cisco

Explanation

Device sensor is a feature of access devices. It allows to collect information about connected endpoints. Mostly,

information collected by Device Sensor can come from the following protocols:

+ Cisco Discovery Protocol (CDP)

+ Link Layer Discovery Protocol (LLDP)

+ Dynamic Host Configuration Protocol (DHCP)

The mechanism that the engineer should configure to accomplish the goal of sending telemetry using the cloud provider’s mechanisms to a security device is VPC flow logs. VPC flow logs are a feature of Google Cloud that capture and record information about the network flows sent from and received by the virtual machines (VMs) inside a VPC network1. VPC flow logs can provide network telemetry data such as source and destination IP addresses, ports, protocols, bytes sent and received, and connection state1. VPC flow logs can be exported to Cloud Logging, Pub/Sub, or Cloud Storage for further analysis by security devices or tools1. VPC flow logs can help the engineer to perform behavioral analysis to detect malicious activity on the hosts, such as network scans, port sweeps, brute force attacks, data exfiltration, or lateral movement2.

The other options are not correct mechanisms to send telemetry using the cloud provider’s mechanisms to a security device. Option A is incorrect because mirror port is not a feature of Google Cloud, but rather a network device configuration that copies traffic from one port to another for monitoring purposes3. Option B is incorrect because flow is not a specific mechanism, but rather a generic term that refers to a sequence of packets between a source and a destination4. Option C is incorrect because NetFlow is not a feature of Google Cloud, but rather a network protocol developed by Cisco that collects and aggregates information about network flows5. NetFlow is not compatible with VPC flow logs, which use a different format6. References:

VPC flow logs overview

When to use 5 telemetry types in security threat monitoring

What is a Mirror Port?

What is a Network Flow?

What is NetFlow?

Exporting VPC flow logs to Pub/Sub

 A private cloud is a cloud deployment model that is dedicated to a single organization and provides exclusive access to its resources and services. A private cloud can be hosted on-premises or off-premises by a third-party provider, but in either case, the organization has full control and visibility over the security, privacy, and compliance of its data and applications. A private cloud can also leverage the security features and best practices of the public cloud service provider, if applicable, while maintaining a higher degree of isolation and customization. A private cloud is the most secure deployment model when considering risks to cloud adoption, as it minimizes the exposure of sensitive data to external threats, reduces the dependency on the security posture of the cloud service provider, and enables the organization to meet its specific security and regulatory requirements123. References: 1: Best Practices to Manage Risks in the Cloud - ISACA 2: Security in the Microsoft Cloud Adoption Framework for Azure 3: Five challenges to cloud adoption and how to overcome them - PwC Middle East

Trusted Automated Exchange of Indicator Information (TAXII) is a standard that defines how to exchange cyber threat intelligence (CTI) over HTTPS. CTI includes indicators of compromise (IOCs), such as malware hashes, IP addresses, URLs, and domains, that can be used to detect and respond to cyberattacks. TAXII enables the sharing of CTI in a secure, automated, and interoperable way among different organizations and tools. Structured Threat Information Expression (STIX) is a standard that defines how to represent and structure CTI in a common language. STIX and TAXII are often used together to facilitate the exchange of CTI. Advanced Persistent Threat (APT) is not a standard, but a term used to describe a sophisticated and stealthy cyberattack that persists over a long period of time, often targeting specific organizations or sectors. Open Command and Control (OpenC2) is a standard that defines how to communicate and execute cyber defense actions across different technologies and domains. OpenC2 enables the orchestration and automation of cyber defense actions, such as blocking, isolating, or redirecting malicious traffic or devices. References :=

Some possible references are:

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 4: Content Security, Lesson 4.3: Cisco Umbrella, Topic 4.3.1: Cisco Umbrella Investigate

350-701 SCOR - Cisco, Exam Topics, 4.0 Content Security, 4.3 Describe the components, capabilities, and benefits of Cisco Umbrella, 4.3.a Investigate

TAXII - OASIS Cyber Threat Intelligence Technical Committee, Overview, Introduction

STIX - OASIS Cyber Threat Intelligence Technical Committee, Overview, Introduction

OpenC2 - OASIS Open Command and Control Technical Committee, Overview, Introduction

What is an Advanced Persistent Threat (APT)? | Fortinet, Definition, What is an APT?

A serverless application is one that does not require the developer to manage the underlying infrastructure or servers. Instead, the application code is executed by a cloud provider in response to events or triggers, such as HTTP requests, database changes, or messages. The cloud provider automatically provisions, scales, and manages the resources needed to run the code, and charges only for the time and resources consumed by the execution. A serverless application runs from an ephemeral, event-triggered, and stateless container that is fully managed by a cloud provider. This means that the container is created on demand when an event occurs, and is destroyed when the execution is completed. The container does not store any persistent state or data, and is isolated from other containers. The cloud provider handles the load balancing, fault tolerance, security, and monitoring of the container. A serverless application can leverage various cloud services, such as databases, storage, messaging, analytics, and machine learning, to perform complex tasks and functionalities. Serverless computing is a cloud-native development model that enables developers to focus on the business logic and deliver faster and more scalable applications. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 8: Cloud and Virtual Network Security, Lesson 8.1: Cloud Computing Concepts

What is serverless? - Red Hat

Serverless computing and applications | Microsoft Azure

Cisco Tetration, which is a hybrid-cloud workload protection platform that uses machine learning, behavior analysis, and algorithmic approaches to secure compute instances in both the on-premises data center and the public cloud1. Cisco Tetration can process behavior baselines, monitor for deviations, and review for malicious processes in data center traffic and servers while performing software vulnerability detection. It can also provide zero-trust microsegmentation, proactive identification of security incidents, and reduction of the attack surface1. The other options are not correct because they do not offer the same level of workload protection as Cisco Tetration. Cisco ISE is an identity and access control platform that provides secure network access, endpoint compliance, and device administration2. Cisco AMP for Network is a network-based malware prevention solution that detects and blocks malicious files and URLs before they reach the endpoints3. Cisco AnyConnect is a VPN client that provides secure remote access, endpoint visibility, and posture enforcement4. References:

1: Cisco Secure Workload Platform Data Sheet

2: Cisco Identity Services Engine Data Sheet

3: Cisco Advanced Malware Protection for Networks Data Sheet

4: Cisco AnyConnect Secure Mobility Client Data Sheet

Explanation

Explanation

Cisco Cloudlock: Secure your cloud users, data, and applications with the cloud-native Cloud Access Security Broker (CASB) and cloud cybersecurity platform.

Explanation

Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location.

The Zero Trust model uses microsegmentation — a security technique that involves dividing perimeters into small zones to maintain separate access to every part of the network — to contain attacks.

Explanation

Advanced Malware Protection (AMP) for Endpoints offers a variety of lists, referred to as Outbreak Control, that allow you to customize it to your needs. The main lists are: Simple Custom Detections, Blocked Applications, Allowed Applications, Advanced Custom Detections, and IP Blocked and Allowed Lists.

A Simple Custom Detection list is similar to a blocked list. These are files that you want to detect and

quarantine.

Allowed applications lists are for files you never want to convict. Some examples are a custom application that is detected by a generic engine or a standard image that you use throughout the company Reference: https://docs.amp.cisco.com/AMP%20for%20Endpoints%20User%20Guide.pdf

Cisco Security Intelligence is a feature that allows you to block or monitor traffic based on IP addresses or domain names that are known to be malicious or suspicious. Cisco Security Intelligence requires a Protect license on the Cisco Next Generation Intrusion Prevention System (NGIPS), which is part of the Firepower Threat Defense (FTD) software. A Protect license allows you to perform intrusion detection and prevention, file control, and Security Intelligence filtering1. The other license options (control, malware, and URL filtering) do not enable Cisco Security Intelligence on the NGIPS. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, section “Security Intelligence”

Firepower Management Center Configuration Guide, Version 6.0, section “Licensing the Firepower System”

Explanation

The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an

authentication, authorization, and accounting (AAA) session after it is authenticated.

single methods of authentication can be compromised more easily than MFA. MFA, or multi-factor authentication, is a security process that requires users to provide two or more factors to verify their identity and access resources. MFA reduces the risk of unauthorized access by making it harder for attackers to compromise all the factors needed, especially if they are different in nature, such as something you know (password), something you have (token), and something you are (biometric).

To understand the concept of MFA and why it is important for authentication security, you can refer to the following sections of the source book:

Section 1.1.1: Describe the concepts of identity and access management

Section 1.1.1.1: Describe the concepts of identity principles

Section 1.1.1.2: Describe the concepts of authentication

Section 1.1.1.3: Describe the concepts of authorization

Section 1.1.1.4: Describe the concepts of accounting

Section 1.1.1.5: Describe the concepts of identity stores

Section 1.1.1.6: Describe the concepts of MFA

Explanation

A data breach is the intentional or unintentional release of secure or private/confidential information to an

untrusted environment.

When your credentials have been compromised, it means someone other than you may be in possession of your account information, such as your username and/or password.

Explanation

The following are restrictions for Flexible NetFlow:

+ Traditional NetFlow (TNF) accounting is not supported.

+ Flexible NetFlow v5 export format is not supported, only NetFlow v9 export format is supported.

+ Both ingress and egress NetFlow accounting is supported.

+ Microflow policing feature shares the NetFlow hardware resource with FNF.

+ Only one flow monitor per interface and per direction is supported.

 In a PaaS model, the cloud provider is responsible for managing and maintaining the underlying infrastructure, such as the hypervisor, the virtual machine, and the network. The tenant only needs to focus on developing and deploying the application, which runs on the cloud platform. The tenant is responsible for ensuring the security and availability of the application, as well as applying any patches or updates to the application code or configuration12. References :=

Shared responsibility in the cloud

Best practices for secure PaaS deployments

 A security application that notifies a controller within a software-defined network architecture about a specific security threat is using a northbound API. A northbound API is an interface that enables communication between the SDN controller and the applications or management systems that use the network services1. A security application can use a northbound API to send alerts, requests, or commands to the SDN controller, which can then take appropriate actions on the network devices or policies2. For example, a security application can use a northbound API to inform the SDN controller about a malicious traffic pattern, and the SDN controller can then block or redirect the traffic using a southbound API3.

 1: What is Software-Defined Networking (SDN)? | VMware Glossary 2: Intent-Based Networking’s Next Evolution: The DNA Center Platform - Cisco Blogs 3: Cisco SDN Security: Securing the Software Defined Network - Cisco

Intra-EPG Isolation is an option to prevent physical or virtual endpoint devices that are in the same base EPG or microsegmented (uSeg) EPG from communicating with each other. By default, endpoint devices included in the same EPG are allowed to communicate with one another.

The zero-trust model is a modern security strategy that assumes breach and verifies each request as though it originates from an open network. The main concept behind the zero-trust model is “never trust, always verify”, which means that users and devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified12

One of the principles of the zero-trust model is to verify explicitly, which means to always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies13 To achieve this, the zero-trust model recommends using multifactor authentication (MFA), which is a method of verifying a user’s identity by requiring two or more pieces of evidence, such as something the user knows (e.g., password, PIN), something the user has (e.g., token, smart card), or something the user is (e.g., fingerprint, face scan). MFA provides a higher level of security than using only a single factor, such as a password, which can be easily compromised or guessed. MFA also reduces the risk of unauthorized access to corporate applications and resources, which may contain sensitive or confidential information.

Therefore, the recommendation in a zero-trust model before granting access to corporate applications and resources is to use multifactor authentication, as it ensures that only verified and authorized users and devices can access the data they need, and nothing more13

References := 1: Zero Trust Model - Modern Security Architecture | Microsoft Security 2: Zero trust security model - Wikipedia 3: What is Zero Trust? | Microsoft Learn : Multifactor Authentication (MFA) | Cisco

sfr {fail-open | fail-close [monitor-only]} <- There's a couple different options here. The first one is fail-open which means that if the Firepower software module is unavailable, the ASA will continue to forward traffic. fail-close means that if the Firepower module fails, the traffic will stop flowing. While this doesn't seem ideal, there might be a use case for it when securing highly regulated environments. The monitor-only switch can be used with both and basically puts the Firepower services into IDS-mode only. This might be useful for initial testing or setup.

Explanation

Cisco Cognitive Threat Analytics helps you quickly detect and respond to sophisticated, clandestine attacks that are already under way or are attempting to establish a presence within your environment. The solution automatically identifies and investigates suspicious or malicious web-based traffic. It identifies both potential and confirmed threats, allowing you to quickly remediate the infection and reduce the scope and damage of an attack, whether it’s a known threat campaign that has spread across multiple organizations or a unique threat you’ve never seen before.

Detection and analytics features provided in Cognitive Threat Analytics are shown below:

+ Data exfiltration: Cognitive Threat Analytics uses statistical modeling of an organization’s network to identify anomalous web traffic and pinpoint the exfiltration of sensitive data. It recognizes data exfiltration even in HTTPS-encoded traffic, without any need for you to decrypt transferred content

+ Command-and-control (C2) communication: Cognitive Threat Analytics combines a wide range of data, ranging from statistics collected on an Internet-wide level to host-specific local anomaly scores. Combining these indicators inside the statistical detection algorithms allows us to distinguish C2 communication from benign traffic and from other malicious activities. Cognitive Threat Analytics recognizes C2 even in HTTPSencoded or anonymous traffic, including Tor, without any need to decrypt transferred content, detecting a broad

range of threats

…

Retrospective detection is a feature of Cisco Advanced Malware Protection (AMP) for Endpoints that performs correlation of telemetry, files, and intrusion events that are flagged as possible active breaches. Retrospective detection allows AMP to continuously analyze file activity across the network and identify malicious behavior that was previously undetected. Retrospective detection can also trigger alerts and remediation actions when a file’s disposition changes from clean to malicious12. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Endpoint Protection and Detection, Lesson 4.1: Cisco AMP for Endpoints Overview, Topic 4.1.3: Retrospective Detection 2: Cisco AMP for Endpoints User Guide, Chapter: Retrospective Detection, URL: 3

Explanation

Explanation

Other features are dependent on SSL Decryption functionality, which requires the Cisco Umbrella root

certificate. Having the SSL Decryption feature improves:

Custom URL Blocking—Required to block the HTTPS version of a URL.

…

Umbrella’s Block Page and Block Page Bypass features present an SSL certificate to browsers that make

connections to HTTPS sites. This SSL certificate matches the requested site but will be signed by the Cisco Umbrella certificate authority (CA). If the CA is not trusted by your browser, an error page may be displayed.

Typical errors include “The security certificate presented by this website was not issued by a trusted certificate authority” (Internet Explorer), “The site’s security certificate is not trusted!” (Google Chrome) or “This

Connection is Untrusted” (Mozilla Firefox). Although the error page is expected, the message displayed can be confusing and you may wish to prevent it from appearing.

To avoid these error pages, install the Cisco Umbrella root certificate into your browser or the browsers of your users—if you’re a network admin.

 Firepower NGIPS inline deployment mode is a mode where the NGIPS device is placed in the traffic path and can take actions such as blocking, modifying, or redirecting traffic based on the policies and rules. In this mode, the NGIPS device must have inline interface pairs configured, which are pairs of physical or logical interfaces that act as a single logical interface. The inline interface pairs are connected to the network devices on both sides of the NGIPS device, and the traffic flows through the NGIPS device from one interface to the other. The NGIPS device can inspect and modify the traffic as it passes through the inline interface pairs12. References := 1: Firepower Management Center Configuration Guide, Version 6.6 - Device Management Basics 2: Configure FTD Interfaces in Inline-Pair Mode

 ICMP is a protocol that is used to send diagnostic messages between hosts on a network. It is not designed to carry any data, but it can be abused by attackers to exfiltrate data from a compromised host. By encrypting the payload in an ICMP packet, the attacker can hide the data from network monitoring tools and firewalls that may not inspect ICMP traffic. The attacker can then use another tool to decrypt the data from the ICMP packets on a remote host. This technique is known as ICMP tunneling and it is a form of protocol tunneling (MITRE T1572: Protocol Tunneling1). References:

1: https://attack.mitre.org/techniques/T1572/

2: https://www.cynet.com/attack-techniques-hands-on/how-hackers-use-icmp-tunneling-to-own-your-network/

3: https://digital-security.quodagis.fr/ressources/ressource/exfiltration-de-donnees-les-techniques-icmp-et-dns-tunneling-855

Explanation

Cisco Hybrid Email Security is a unique service offering that facilitates the deployment of your email security

infrastructure both on premises and in the cloud. You can change the number of on-premises versus cloud

users at any time throughout the term of your contract, assuming the total number of users does not change.

This allows for deployment flexibility as your organization’s needs change.

SQL injection attacks are a type of code injection technique that exploit the use of dynamic SQL queries in web applications. Attackers can inject malicious SQL statements into user input fields, such as login forms, search boxes, or URLs, and execute them on the underlying database. This can result in unauthorized access, data theft, data corruption, or denial of service.

To prevent SQL injection attacks, web developers should use the following techniques:

Use prepared statements and parameterized queries: Prepared statements are SQL queries that are precompiled and executed with user-supplied parameters. Parameterized queries are SQL queries that use placeholders for user input and bind them to actual values at runtime. Both techniques separate the SQL code from the user input, making it impossible for attackers to inject SQL commands into the query. For example, in Java, PreparedStatement is a class that implements parameterized queries. In PHP, PDO and mysqli are extensions that support prepared statements.

Block SQL code execution in the web application database login: Web applications should use a dedicated database user account with limited privileges to connect to the database. This account should only have the permissions necessary to perform the required operations, such as select, insert, update, or delete. It should not have the permissions to execute arbitrary SQL commands, such as create, drop, alter, grant, or revoke. This way, even if an attacker manages to inject SQL code into the query, the database will reject it due to insufficient privileges.

A simple custom detection list is a feature of AMP for Endpoints that allows you to specify a list of file hashes (MD5, SHA-1, or SHA-256) that you want to detect, block, and quarantine on your endpoints. You can create a simple custom detection list from the Outbreak Control section of the AMP for Endpoints console, and apply it to a policy that is assigned to your endpoints. When the AMP connector on the endpoint encounters a file that matches the hash in the list, it will perform the action that you specified, such as blocking the file execution, sending an alert, or quarantining the file. A simple custom detection list is useful when you want to quickly and easily block specific files that are known to be malicious or unwanted, without having to create a complex signature or rule12 References := 1: Configure a Simple Custom Detection List on the AMP for Endpoints Portal 2: Create an Advanced Custom Detection List in Cisco Secure Endpoint

The function of Cisco Cloudlock for data security is data loss prevention (DLP). Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cloudlock’s simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem1. One of the key features of Cloudlock is its DLP technology, which continuously monitors cloud environments to detect and secure sensitive information. It provides countless out-of-the-box policies as well as highly tunable custom policies. You can use Cloudlock’s DLP to prevent data breaches, comply with regulations, and enforce data governance across SaaS, PaaS, and IaaS platforms2. References: 1: Cisco Cloudlock - Cisco2: Cloudlock: Cloud User Security - Cisco Umbrella.

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets on untrusted interfaces by comparing the MAC address to IP address bindings in the DHCP snooping database or an ARP access-list. If the ARP packet contains invalid or spoofed information, it is dropped and logged. DAI also inspects ARP packets on trusted interfaces, but it does not drop them if they are invalid. Instead, it forwards them to the destination without validation. This allows the switch to support devices that use static IP addresses or have legitimate reasons to send ARP packets with different MAC address to IP address bindings. However, this also means that if a spoofed ARP packet is received on a trusted interface, it will bypass the DAI validation and be forwarded to the destination. This could allow an attacker to poison the ARP cache of other devices and perform a man-in-the-middle attack. Therefore, the correct answer is option B. The switch drops the packet after validation by using the IP & MAC Binding Table. References:

Understanding and Configuring Dynamic ARP Inspection

DAI (Dynamic ARP Inspection)

Dynamic ARP Inspection (DAI) Explanation & Configuration

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

 Grafana is an open source tool that displays graphs and counters for data streamed from network devices. Cisco uses Grafana to create graphical visualizations of network telemetry on Cisco IOS XE devices, which support model-driven telemetry. Model-driven telemetry is a new approach for network monitoring in which data is streamed from network devices continuously using a push model and provides near real-time access to operational statistics. Applications can subscribe to specific data items they need, by using standard-based YANG data models over NETCONF-YANG. Cisco IOS XE streaming telemetry allows to push data off of the device to an external collector at a much higher frequency, more efficiently, as well as data on-change streaming. Grafana uses the data from InfluxDB database to build dashboards and graphs. InfluxDB is a time-series database that stores the telemetry data received from the network devices. Telegraf is an agent that collects the telemetry data from the network devices and pushes it to InfluxDB. The TIG software stack refers to the three open-source software components that enable receiving, storing, and visualization the telemetry data: Telegraf, InfluxDB, and Grafana. References :=

Enterprise Streaming Telemetry and You: Getting Started with Model Driven Telemetry - Cisco Blogs

Explore Model-Driven Telemetry - Cisco Blogs

Telemetry Configuration Guide for Cisco 8000 Series Routers, IOS XR Release 7.8.x - Dial-Out Telemetry Session from Router to Destination

Free 350-701 Implementing and Operating Cisco Security Core Technologies Practice Test Questions

To enable malware file scanning for the Secure Internet Gateway (SIG), you need to enable Intelligent Proxy, which is a feature of Cisco Umbrella that provides selective proxying of web requests based on the risk level of the domain1. Intelligent Proxy allows SIG to inspect the content of potentially malicious web requests and block or allow them based on the configured policies2. Intelligent Proxy also enables SSL decryption, which is necessary to scan encrypted web traffic for malware3. Enabling IP Layer enforcement, activating the Advanced Malware Protection license, and activating SSL decryption are not required prerequisites to enable malware file scanning for the SIG, although they may provide additional security benefits45. References: 1: Intelligent Proxy - Cisco Umbrella 2: Cisco Umbrella SIG Advantage - Cisco Umbrella 3: [SSL Decryption - Cisco Umbrella] 4: [IP Layer Enforcement - Cisco Umbrella] 5: [Advanced Malware Protection - Cisco Umbrella]

Explanation

All IKE policies on the device are sent to the remote peer regardless of what is in the selected policy section.

The first IKE Policy matched by the remote peer will be selected for the VPN connection. Choose which policy is sent first using the priority field. Priority 1 will be sent first.

Southbound APIs are used to communicate between the SDN Controller and the switches and routers of the network. They can be open-source or proprietary. They facilitate control over the network and enable the SDN Controller to dynamically make changes according to real-time demands and needs. OpenFlow and OpFlex are two examples of southbound APIs. OpenFlow, which was developed by the Open Networking Foundation (ONF), is the first and probably most well-known southbound interface. OpenFlow defines the way the SDN Controller should interact with the forwarding plane to make adjustments to the network, so it can better adapt to changing business requirements. With OpenFlow, entries can be added and removed to the internal flow-table of switches and routers to make the network more responsive to real-time traffic demands. OpFlex, which was proposed by Cisco, is another southbound interface that uses a declarative model to communicate policies and state between the controller and the network devices. OpFlex allows the network devices to retain some intelligence and autonomy, while still being managed by the controller. OpFlex is designed to be flexible and extensible, and can support different types of network devices and services. Services running over the network, external application APIs, and applications running over the network are not southbound APIs, as they do not directly communicate between the controller and the network devices. Therefore, the correct answer is B and E. References :=

Some possible references are:

What are SDN Southbound APIs? - Where they are used. - SDxCentral

SDN North-bound and South-bound APIs and Interfaces

Cisco Application Centric Infrastructure Fundamentals

Explanation

Explanation

The following are the prerequisites to integrate Active Directory with Cisco ISE.

+ Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco ISE server

and Active Directory. You can configure NTP settings from Cisco ISE CLI.

+ If your Active Directory structure has multidomain forest or is divided into multiple forests, ensure that trust

relationships exist between the domain to which Cisco ISE is connected and the other domains that have user

and machine information to which you need access. For more information on establishing trust relationships,

refer to Microsoft Active Directory documentation.

+ You must have at least one global catalog server operational and accessible by Cisco ISE, in the domain to

which you are joining Cisco ISE.

Time synchronization is one of the features that can be configured for managed devices in the device platform settings of the Firepower Management Center (FMC). Time synchronization ensures that the FMC and its managed devices have the same date and time settings, which is important for accurate event logging and reporting. The FMC can act as a Network Time Protocol (NTP) server for its managed devices, or it can use an external NTP server as a time source1. The FMC can also synchronize its time with the system clock of the device where it is installed2. References := 1: Firepower Management Center Device Configuration Guide, 7.1 - Platform Settings 2: Firepower Management Center Configuration Guide, Version 6.6 - Device Management Basics

Before identifying the URL during HTTPS inspection in Cisco Secure Firewall Threat Defense software, the default action is to "pass." This means that the traffic is allowed through without inspection until the URL can be identified, at which point appropriate security policies can be applied based on the URL categorization and reputation.

The service password-encryption command is used to encrypt all passwords in the router configuration file, such as the enable password, the console password, the vty password, and the username password. This command prevents credentials from being seen if the router configuration was compromised, for example, by an attacker who gained access to the router or the backup files. The encryption used by this command is a weak algorithm that can be easily reversed, but it provides some level of protection against casual observers1.

The other commands are not used to encrypt passwords in the router configuration file. The username privilege 15 password and the username password commands are used to create local user accounts with or without administrative privileges, respectively. These commands store the passwords in clear text unless the service password-encryption command is enabled2. The service password-recovery command is used to enable or disable the password recovery mechanism on the router. This command does not affect the encryption of passwords in the configuration file3.

References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Securing Network Devices, Topic 1.2.1: Device Hardening, page 1-14. 2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Securing Network Devices, Topic 1.2.2: Management Plane Security, page 1-17. 3: Cisco IOS Configuration Fundamentals Command Reference, Release 12.2, Chapter: service password-recovery, page 1.

Mobile device management (MDM) is a toolset that provides a workforce with mobile productivity tools and applications while keeping corporate data secure1. One of the essential capabilities of an MDM solution is the unified management of mobile devices, Macs, and PCs from a centralized dashboard2. This allows IT and security departments to manage all of a company’s devices, regardless of their operating system, and perform tasks such as provisioning, configuration, update, lock, wipe, and troubleshoot2. Another important capability of an MDM solution is the enforcement of device security policies from a centralized dashboard3. This enables IT and security departments to protect the device’s applications, data, and content, and ensure compliance with organizational and regulatory standards3. For example, an MDM solution can set minimum password strength, encrypt data, restrict access, and detect threats3.

 1: What is Mobile Device Management (MDM)? | IBM 2: 5 Essential Capabilities of an MDM Solution | Macworld 3: What is device management? | Microsoft Learn

The Southbound API is used to communicate between Controllers and network devices.

FlexVPN and DMVPN are both Cisco technologies that use point-to-point GRE tunnels to create dynamic VPN networks. However, they differ in some aspects, such as:

FlexVPN is a newer solution that requires newer hardware and IOS versions, while DMVPN is more widely supported on older devices1.

FlexVPN is based on IKEv2, which is a more robust and efficient protocol than IKEv1, which is used by DMVPN (although DMVPN can also use IKEv2)2.

FlexVPN uses static or virtual access interfaces for GRE tunnels, while DMVPN uses a single multipoint GRE interface. This allows more flexibility and visibility for FlexVPN tunnels2.

FlexVPN does not require NHRP registration for spokes to communicate with the hub, while DMVPN does. This simplifies the configuration and reduces the overhead of NHRP3.

FlexVPN has only one standard mode of operation, while DMVPN has three phases with different characteristics and configurations2.

References := 1: what is the difference between dmvpn and flexvpn 2: Cisco FlexVPN DMVPN, Part 1 - Overview and Design 3: DMVPN to FlexVPN Soft Migration Configuration Example

To achieve the goal of excluding some servers from the VPN tunnel and accessing them directly, the engineer must modify the group policy that is applied to the remote access VPN users. The group policy contains the settings for split tunneling, which is a feature that allows the VPN client to route some traffic through the VPN tunnel and some traffic directly to the internet. Split tunneling can be configured based on the destination IP address, the application, or the domain name of the traffic. By modifying the group policy, the engineer can specify which servers or networks should be excluded from the VPN tunnel and accessed directly by the VPN client. This can improve the performance and efficiency of the VPN connection, as well as reduce the load on the VPN gateway and the corporate network. However, split tunneling also introduces some security risks, such as exposing the VPN client to internet threats, bypassing the corporate firewall and security policies, and leaking sensitive data. Therefore, the engineer must carefully evaluate the trade-offs and best practices of using split tunneling for remote access VPNs. References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Secure Connectivity, Lesson 3.1: Implementing and Troubleshooting Remote Access VPN, Topic 3.1.4: Configure and Verify Remote Access VPN, Subtopic 3.1.4.2: Configure and Verify Split Tunneling

VPN Split Tunneling: What It Is & Pros and Cons

Cisco ASA - Enable Split Tunnel for Remote VPN Clients

 To add switches into the fabric, administrators can use PowerOn Auto Provisioning (POAP) or Seed IP methods. POAP is a feature that automates the process of upgrading software images and installing configuration files on Cisco switches that are being deployed in the network for the first time. Seed IP is a method that allows administrators to specify the IP address of a switch that is already part of the fabric, and then use it to discover and add other switches that are connected to it. Both methods enable administrators to control how switches are added into DCNM for private cloud management. References:

POAP, section “PowerOn Auto Provisioning (POAP)”.

Seed IP, section “Add Switches”.

https://www.cisco.com/c/en/us/td/docs/security/ise/1-4-1/admin_guide/b_ise_admin_guide_141/b_ise_admin_guide_141_chapter_01110.html

Explanation

Explanation

When supporting personal devices on a corporate network, you must protect network services and enterprise

data by authenticating and authorizing users (employees, contractors, and guests) and their devices. Cisco ISE

provides the tools you need to allow employees to securely use personal devices on a corporate network.

Guests can add their personal devices to the network by running the native supplicant provisioning (Network

Setup Assistant), or by adding their devices to the My Devices portal.

Because native supplicant profiles are not available for all devices, users can use the My Devices portal to add

these devices manually; or you can configure Bring Your Own Device (BYOD) rules to register these devices.

DNS tunneling is a technique that uses the DNS protocol to exfiltrate data or establish command and control channels between a compromised host and an attacker-controlled server. DNS tunneling can bypass network security controls that allow outbound DNS traffic without inspection or filtering. To stop DNS tunneling, two recommended approaches are:

Enforce security over port 53. This means applying firewall rules, access control lists, or other mechanisms to restrict outbound DNS traffic to only authorized DNS servers and domains. Additionally, DNS traffic should be inspected and analyzed for anomalies, such as unusually large or frequent queries, non-standard encoding, or suspicious domains. This can help detect and block DNS tunneling attempts.

Use Cisco Umbrella. Cisco Umbrella is a cloud-based security service that provides DNS security, web filtering, and threat intelligence. Cisco Umbrella can prevent DNS tunneling by blocking malicious domains, enforcing policies based on content categories, and applying machine learning to identify and stop emerging threats. Cisco Umbrella can also provide visibility and reporting on DNS activity and security events.

References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.2: DNS Security

What Is DNS Tunneling? - Palo Alto Networks

An Introduction to DNS Tunneling Detection & Data Exfiltration via DNS - Vercara

 The dot1x system-auth-control command enables 802.1X globally on a Cisco switch. This command allows the switch to act as an authenticator for 802.1X clients connected to the switch ports. The switch will then communicate with a RADIUS server to authenticate the clients and grant or deny access to the network. The other commands are not related to enabling 802.1X globally. The dot1x pae authenticator command enables 802.1X authentication on a specific interface. The authentication port-control aut command enables automatic port-based authentication on an interface. The aaa new-model command enables the AAA framework for authentication, authorization, and accounting. References :=

https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb5635-configure-global-802-1x-properties-on-a-switch-through-the-c.html

https://www.cisco.com/c/en/us/td/docs/routers/nfvis/switch_command/b-nfvis-switch-command-reference/802_1x_commands.html

Explanation

The purpose of above commands is to redirect traffic that matches the ACL “redirect-acl” to the Cisco

FirePOWER (SFR) module in the inline (normal) mode. In this mode, after the undesired traffic is dropped and

any other actions that are applied by policy are performed, the traffic is returned to the ASA for further

processing and ultimate transmission.

The command “service-policy global_policy global” applies the policy to all of the interfaces.

Stateful failover means that the connection state information is replicated from the active ASA to the standby ASA, so that in the event of a failover, the connections are preserved and do not need to be reestablished. Stateless failover means that the connection state information is not replicated, so that in the event of a failover, the connections are dropped and need to be reestablished by the end hosts. Stateful failover provides a smoother transition and less disruption to the network traffic, while stateless failover is simpler and less resource-intensive. References:

Failover for High Availability - Cisco

Failover Types / ASA Failover Addresses / Failover Requirements | Cisco …

 Cisco Cloudlock is a cloud-native security solution that secures public, private, hybrid, and community clouds. It provides visibility, compliance, threat protection, and data security for cloud applications and environments. Cisco Cloudlock integrates with various cloud platforms and services, such as AWS, Azure, Google Cloud, Office 365, Salesforce, Dropbox, and more. Cisco Cloudlock monitors user activities, configurations, and sensitive data across the cloud, and alerts or blocks any violations of policies or regulations. Cisco Cloudlock also leverages user and entity behavior analytics (UEBA) to detect and respond to anomalous or malicious behaviors in the cloud. Cisco Cloudlock helps organizations protect their cloud assets and data, while enabling them to embrace the benefits of cloud computing. References :=

Cloud and Application Security - Cisco

Cloud Security Products and Solutions - Cisco

What Is Cloud Security? - Cisco

[Cisco Cloudlock: Cloud-Native CASB and Cloud Cybersecurity Platform]

Explanation

Explanation

NetFlow is typically used for several key customer applications, including the following:

…

Billing and accounting. NetFlow data provides fine-grained metering (for instance, flow data includes details such as IP addresses, packet and byte counts, time stamps, type of service (ToS), and application ports) for highly flexible and detailed resource utilization accounting. Service providers may use the information for billing based on time of day, bandwidth usage, application usage, quality of service, and so on. Enterprise customers may use the information for departmental charge back or cost allocation for resource utilization.

Container orchestration is the automated process of organizing the functions of modular, containerized components that create the infrastructure of an application1. Container orchestration tools, such as Kubernetes, provide a framework for managing containers and microservices architecture at scale2. A feature of container orchestration is the ability to deploy Kubernetes clusters in air-gapped sites, which are isolated from the internet and other networks for security reasons3. Cisco Container Platform (CCP) is a solution that simplifies the deployment and management of Kubernetes clusters in any environment, including air-gapped sites4. CCP provides a data plane that runs on the Kubernetes nodes and handles the container networking, storage, and security. CCP also provides a control plane that runs on a separate management cluster and provides a web-based user interface and API for cluster operations. CCP supports the deployment of Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS) clusters on the data plane, but not on air-gapped sites. References: 1: What Is Container Orchestration? | AppDynamics 2: What is container orchestration? - Red Hat 3: Container orchestration for microservices - Azure Architecture Center 4: Cisco Container Platform Data Sheet : Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Cloud and Network Security, Lesson 5.3: Cisco Cloud Security Solutions, Topic 5.3.2: Cisco Container Platform : Cisco Container Platform User Guide, Release 5.1, Chapter: Deploying Amazon ECS Clusters

Traffic storm control is a feature that prevents LAN ports from being disrupted by a broadcast, multicast, or unicast traffic storm on physical interfaces. Traffic storm control monitors the level of each traffic type for which it is enabled in 1-second intervals and compares it with the configured threshold, which is a percentage of the total available bandwidth of the port. When the ingress traffic reaches the threshold, traffic storm control drops the traffic until the end of the interval. Traffic storm control uses the Individual/Group bit in the packet destination address to determine if the packet is unicast or broadcast. This bit is set to 0 for unicast addresses and 1 for multicast or broadcast addresses. Traffic storm control does not use the source address to classify the traffic type. References := Configuring Traffic Storm Control - Cisco, Understanding Cisco Traffic Storm Control - NetCraftsmen

 Dynamic ARP Inspection (DAI) is a security feature that protects ARP (Address Resolution Protocol) from an attack like ARP poisoning. ARP poisoning is a technique where an attacker sends forged ARP responses to trick hosts into associating IP addresses with the attacker’s MAC address. This allows the attacker to intercept, modify, or drop traffic between the victims, creating a “man-in-the-middle” scenario. DAI can prevent this attack by validating ARP packets on untrusted interfaces, using information from the DHCP snooping database and/or an ARP access-list. If the ARP packet contains invalid MAC address to IP address bindings, it will be dropped and logged. DAI can also rate-limit ARP packets to mitigate ARP flooding attacks. DAI is configured on a per-VLAN basis and requires DHCP snooping to be enabled on the same VLANs. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 2: Network Security, Lesson 2.4: Implement Layer 2 Security

Understanding and Configuring Dynamic ARP Inspection

DAI (Dynamic ARP Inspection)

Cisco Stealthwatch Cloud is a cloud-delivered and SaaS-based solution that provides visibility and threat detection across the AWS network. It does not require any software agents to be installed on the AWS instances, and it relies on AWS VPC flow logs to collect network traffic metadata. Cisco Stealthwatch Cloud analyzes the flow logs using machine learning and behavioral modeling to detect anomalies and threats, such as data exfiltration, lateral movement, reconnaissance, and compromised instances. Cisco Stealthwatch Cloud also provides contextual information and actionable alerts to help users respond to incidents and remediate issues.

Cisco Umbrella is a cloud-delivered and SaaS-based solution that provides DNS-layer security and web filtering for internet traffic. It does not provide visibility and threat detection for internal AWS network traffic, and it requires software agents to be installed on the endpoints or network devices to enforce policies and redirect DNS requests.

NetFlow collectors are devices or software applications that collect and analyze NetFlow records, which are generated by network devices to capture information about IP traffic flows. NetFlow collectors can provide visibility and threat detection for network traffic, but they are not cloud-delivered or SaaS-based solutions. They also require NetFlow exporters to be configured on the network devices, which may not be supported by AWS.

Cisco Cloudlock is a cloud-delivered and SaaS-based solution that provides cloud security posture management (CSPM) and cloud access security broker (CASB) capabilities for cloud applications and environments. It does not provide visibility and threat detection for AWS network traffic, and it does not rely on AWS VPC flow logs. It focuses on protecting cloud data, users, and configurations from misconfigurations, compliance violations, and malicious activities. References :=

Cisco Stealthwatch Cloud for AWS

Cisco Umbrella

NetFlow

[Cisco Cloudlock]

 The Decrypt for Application Detection feature within the WSA Decryption options enhances the ability of AsyncOS to detect HTTPS applications. The HTTPS Proxy can decrypt HTTPS connections to web applications. This allows the Application Visibility and Control (AVC) engine to more accurately detect and block web applications that use HTTPS. This feature can help improve the security and performance of the network by identifying and controlling the usage of web applications that may consume bandwidth, pose security risks, or violate compliance policies.

L2TP and GRE are both tunneling protocols that can be used to create site-to-site VPNs. However, they have some differences in how they encapsulate and transport data. L2TP is a layer 2 protocol that uses IP packet encapsulation to carry PPP frames over an IP network. L2TP does not add any additional header to the IP packet, but relies on IPsec to provide encryption and authentication. GRE is a layer 3 protocol that adds its own header to the IP packet, which contains information such as the protocol type, checksum, and key. GRE can be used to carry any type of payload over an IP network, not just PPP frames. GRE also requires IPsec to provide security for the tunnel. Therefore, the correct answer is C, because GRE over IPsec adds its own header, and L2TP does not1234 References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Module 5: Secure Connectivity 2: What is the difference between L2TP vs GRE 3: GRE over IPSec vs L2TP over IPSEC 4: difference between L2TP/GRE/MPLS

 The application blocking list is an outbreak control method that allows the administrator to block certain files from executing on the endpoints based on their SHA values. This can prevent malware from running on the endpoints and causing damage. The other options are not outbreak control methods, but rather different features of AMP for endpoints. Device flow correlation is a network analysis feature that monitors connections and detects malicious activity. Simple detections and advanced custom detections are custom rules that can be created by the administrator to detect and block files based on signatures or other criteria. References:

Configure Windows Policy in AMP for Endpoints - Cisco

Prevent, Detect and Respond with Cisco AMP for Endpoints

To deploy Cisco WSA in transparent mode, the configuration component that must be used is WCCP on switch. WCCP stands for Web Cache Communication Protocol, which is a protocol that allows a network device (such as a switch) to redirect web traffic to a proxy server (such as Cisco WSA) transparently. This means that the client does not need to configure any proxy settings on the browser, and the proxy server can intercept and process the web requests and responses without the client’s knowledge. WCCP can also provide load balancing and failover capabilities for multiple proxy servers.

The other options are incorrect because they are not required or relevant for transparent mode deployment. Option A is incorrect because MDA (Multilink PPP Dial Access) is a feature that allows multiple physical links to be aggregated into a single logical link for dial-up connections. It has nothing to do with transparent mode. Option B is incorrect because PBR (Policy-Based Routing) is a feature that allows routing decisions to be based on criteria other than the destination IP address, such as source IP address, protocol, port, etc. It is not necessary for transparent mode, as WCCP can handle the traffic redirection. Option D is incorrect because DNS resolution on Cisco WSA is not a configuration component, but a function that allows the proxy server to resolve domain names to IP addresses. It is not specific to transparent mode, as it is also used in explicit mode. References:

What is the difference between transparent and forward proxy mode?

User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited Deployment) - Acquire End-User Credentials

Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP?

 The open standard that creates a framework for sharing threat intelligence in a machine-digestible format is STIX (Structured Threat Information Expression). STIX is a language and serialization format that enables the exchange of cyber threat information across organizations, tools, and platforms. STIX defines a common vocabulary and data model for representing various types of threat intelligence, such as indicators, observables, incidents, campaigns, threat actors, courses of action, and more. STIX also supports the expression of context, relationships, confidence, and handling of the threat information. STIX aims to improve the speed, accuracy, and efficiency of threat detection, analysis, and response.

STIX is often used in conjunction with TAXII (Trusted Automated Exchange of Indicator Information), which is a protocol and transport mechanism that enables the secure and automated communication of STIX data. TAXII defines how to request, send, receive, and store STIX data using standard methods and formats, such as HTTPS, JSON, and XML. TAXII supports various exchange models, such as hub-and-spoke, peer-to-peer, or subscription-based. TAXII enables the interoperability and scalability of threat intelligence sharing among different systems and organizations.

Cisco Advanced Phishing Protection (AAP) is a solution that helps organizations protect against fraudulent senders and identity deception-based attacks, such as business email compromise (BEC) and spear phishing. AAP uses advanced machine learning techniques, real-time behavior analytics, relationship modeling, and telemetry to perform two main functions12:

It determines if the email messages are malicious by assessing the threat posture of the sender and the content of the message. It also validates the reputation and authenticity of the sender by checking various indicators, such as the domain, the IP address, the SPF, DKIM, and DMARC records, the display name, the reply-to address, and the header information. AAP assigns a risk score to each email message and provides a verdict of clean, malicious, or suspicious. It also adds a banner to the email message to inform the recipient of the risk level and the recommended action.

It does a real-time user web browsing behavior analysis by monitoring the user’s interaction with the email message and the links embedded in it. It tracks the user’s clicks, mouse movements, dwell time, and other indicators to detect any signs of hesitation, confusion, or curiosity. It also analyzes the destination URL of the links and compares it with the known malicious websites. If AAP detects any anomalous or risky behavior, it intervenes with a warning message or a redirect page to educate the user and prevent them from falling victim to the phishing attack. References := 1: Cisco’s Security Innovations to Protect the Endpoint and Email 2: Cisco Advanced Phishing Protection - Cisco Video Portal

 GET VPN (Group Encrypted Transport VPN) is a tunnel-less VPN technology that uses a single security association (SA) for all routers in a group. This allows GET VPN to natively support MPLS and private IP networks, without requiring any additional encapsulation or tunneling protocols. GET VPN also supports multicast traffic without GRE, which reduces overhead and improves performance. FlexVPN is a newer VPN solution that covers all VPN types, such as site-to-site, hub and spoke, and remote access. FlexVPN uses IKEv2 for all VPN types, which offers some advantages over IKEv1, such as resiliency and fewer messages. However, FlexVPN requires newer hardware and software versions to support its features. FlexVPN also relies on GRE or static and dynamic point-to-point interfaces to support MPLS and private IP networks, which adds complexity and overhead. Therefore, a benefit of using GET VPN over FlexVPN within a VPN deployment is that GET VPN natively supports MPLS and private IP networks, without requiring any additional encapsulation or tunneling protocols. References:

Group Encrypted Transport VPN (GETVPN)

Introduction to FlexVPN

what is the difference between dmvpn and flexvpn

 Cisco Stealthwatch is the only solution that detects threats across your private network, public clouds, and encrypted traffic. It uses network telemetry and advanced behavioral analytics to monitor network activity and identify anomalies that indicate potential threats. It also leverages Cisco Encrypted Traffic Analytics (ETA) to detect malware in encrypted traffic without decryption. Cisco Stealthwatch provides visibility, threat detection, and response across your entire network and cloud environment1234 References := 1: Cisco Stealthwatch detects threats across private networks, public clouds, and encrypted traffic - Cisco Blogs 2: The XDR Solution to the Ransomware Problem - Cisco Blogs 3: Network Threat Detection and Response with Cisco Stealthwatch - Locuz 4: Cisco Secure Network Analytics (Stealthwatch) - Cisco

Network telemetry is the collection, measurement, and analysis of data related to the behavior and performance of a network1. It involves gathering information about routers, switches, servers, and applications to gain insights into how they function and how data moves through them. To correlate different sources of network telemetry data, it is important to enable Network Time Protocol (NTP) across all network infrastructure devices. NTP is a protocol that synchronizes the clocks of network devices to a common reference time source2. This ensures that the network telemetry data has consistent timestamps and can be compared and correlated accurately. NTP also helps with troubleshooting network issues, as it allows network administrators to pinpoint the exact time of events and anomalies. NTP is a core security technology that is covered in the Implementing and Operating Cisco Security Core Technologies (SCOR) course3, which helps you prepare for the Cisco CCNP Security and CCIE Security certifications and for senior-level security roles. References: 1: Network Telemetry Explained: Frameworks, Applications & Standards - Splunk 2: [Network Time Protocol (NTP) - Cisco] 3: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

Explanation

The command crypto isakmp key cisco address 1.2.3.4 authenticates the IP address of the 1.2.3.4 peer by using the key cisco. The address of “0.0.0.0” will authenticate any address with this key

Cisco AMP (Advanced Malware Protection) is a product that provides proactive endpoint protection and allows administrators to centrally manage the deployment. AMP uses cloud-based intelligence, sandboxing, and continuous analysis to detect and block advanced threats before they reach the endpoints. AMP also provides retrospective security, which means that it can alert and remediate endpoints if a file that was previously deemed benign is later found to be malicious. AMP can be integrated with other Cisco products, such as Firepower, Meraki, and Email Security Appliance, to provide comprehensive security across the network. AMP is available for Windows, Mac, Linux, Android, and iOS devices. References :=

Some possible references are:

Endpoint Protection Platform (EPP) Definition - Cisco: This page defines what an endpoint protection platform (EPP) is and how it differs from traditional antivirus solutions. It also explains the benefits of using Cisco Secure Endpoint, formerly known as AMP for Endpoints.

Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco: This page provides an overview of the features and capabilities of Cisco Secure Endpoint, such as cloud-based intelligence, endpoint isolation, file trajectory, device flow correlation, and more. It also offers resources for getting started, deploying, and managing Cisco Secure Endpoint.

SCOR 350-701 Flashcards | Quizlet: This page contains flashcards for the SCOR 350-701 exam, which covers the topics of implementing and operating Cisco security core technologies. One of the flashcards is the same question as the one asked by the user, and it provides the correct answer and a brief explanation.

This is a type of Outbreak Control list that allows the administrator to create a list of files based on their SHA-256 hash values that will be detected, blocked, and quarantined by the AMP for Endpoints connectors. The Simple Custom Detection list can be applied to a policy and synchronized with the devices that have the AMP connectors installed. This way, the administrator can prevent the execution of specific files without having to quarantine them on the devices.

The other options are incorrect because:

Advanced Custom Detection is a type of Outbreak Control list that allows the administrator to create custom rules based on file attributes, such as file name, size, path, or parent process. These rules can be used to detect and block files that match certain criteria, but they cannot be used to quarantine them.

Blocked Application is a type of Outbreak Control list that allows the administrator to create a list of applications based on their SHA-256 hash values that will be blocked from running on the devices that have the AMP connectors installed. However, this list does not detect or quarantine the applications, only prevents them from executing.

Isolation is a feature of AMP for Endpoints that allows the administrator to isolate a device from the network if it is compromised by malware. This prevents the device from communicating with other devices or the internet, but does not affect the files on the device.

The intelligent proxy is a feature of Cisco Umbrella that allows it to selectively inspect and proxy web requests for domains that are classified as risky or potentially malicious. These domains may contain both safe and harmful content, and the intelligent proxy can filter out the malicious files or URLs while allowing the benign ones to pass through. The intelligent proxy can also apply SSL decryption to inspect encrypted traffic and enforce policies based on the content or destination of the web requests. To enable the intelligent proxy, an engineer needs to configure it within the Cisco Umbrella dashboard and select the categories of domains that should be proxied. The categories are based on the domain reputation and security risk, and range from High Risk to Low Risk. The engineer can also customize the list of domains to include or exclude from the intelligent proxy. By configuring the intelligent proxy, the engineer can achieve the objectives of identifying and proxying traffic that is categorized as risky domains and may contain safe and malicious content. References :=

Some possible references are:

Enable the Intelligent Proxy - Umbrella User Guide, Cisco

Manage the Intelligent Proxy - Umbrella User Guide, Cisco

Intelligent Proxy in Cisco Umbrella how it works, Cisco Learning Network

What is the Intelligent Proxy? - MSP User Guide, Cisco

Cisco Umbrella Intelligent Proxy and SSL Decryption implementation, Cisco Community

Explanation

Explanation

To let FMC manages FTD, first we need to add manager from the FTD and assign a register key of your

choice. The command configure manager add 1.1.1.2 the_registration_key_you_want, where 1.1.1.2 is the IP

address of the FMC, you need to use the same registration key in FMC when adding this FTD as a managed

device.

Explanation

Explanation

You specify primary and secondary actions that the appliance will take when it detects a possible DLP violation

in an outgoing message. Different actions can be assigned for different violation types and severities.

Primary actions include:

– Deliver

– Drop

– Quarantine

Secondary actions include:

– Sending a copy to a policy quarantine if you choose to deliver the message. The copy is a perfect clone of the

original, including the Message ID. Quarantining a copy allows you to test the DLP system before deployment in

addition to providing another way to monitor DLP violations. When you release the copy from the quarantine,

the appliance delivers the copy to the recipient, who will have already received the original message.

– Encrypting messages. The appliance only encrypts the message body. It does not encrypt the message

headers.

– Altering the subject header of messages containing a DLP violation.

– Adding disclaimer text to messages.

– Sending messages to an alternate destination mailhost.

– Sending copies (bcc) of messages to other recipients. (For example, you could copy messages with critical

DLP violations to a compliance officer’s mailbox for examination.)

– Sending a DLP violation notification message to the sender or other contacts, such as a manager or DLP

compliance officer.

 SNMP (Simple Network Management Protocol) is the most commonly used protocol for network telemetry. SNMP is a standard protocol that allows network devices to exchange management information1. SNMP agents run on network devices and collect data about their status, performance, configuration, and events. SNMP managers run on network management systems and query the agents for data or receive notifications from them. SNMP can also be used to configure or control network devices remotely2. SNMP is widely supported by various vendors and platforms, and it provides a simple and flexible way to monitor and manage networks3.

 1: What is SNMP? | Cisco 2: SNMP Basics: What is SNMP and How It Works | SolarWinds 3: Network Telemetry Explained: Frameworks, Applications & Standards | Splunk

Explanation

Explanation

Depending on your company policy, you might be able to use your mobile phones, tablets, printers, Internet radios, and other network devices on your company’s network. You can use the My Devices portal to register and manage these devices on your company’s network.

https://www.cisco.com/c/dam/en_us/about/doing_business/legal/service_descriptions/docs/Cisco_Secure_Managed_Endpoint.pdf

AES (Advanced Encryption Standard) is a symmetric encryption algorithm that uses the same key to encrypt and decrypt data. It turns plain text into a code that only the intended recipient can read. AES has different key sizes, such as 128, 192, and 256 bits. The larger the key size, the more secure and complex the encryption is. AES 256 is the most secure encryption algorithm for VPN communications, as it uses a 256-bit key that would take an enormous amount of time and computing power to crack. AES 256 is widely used by VPN providers, as it offers a high level of security and performance for VPN tunnels. AES 256 is also recommended by the U.S. government for protecting classified information. References :=

How Does a VPN Securely Encrypt Your Connection?

What Is VPN Encryption, Types, Protocols And Algorithms Explained

What is AES (Advanced Encryption Standard)?

What is VPN Encryption & How Does it Work?

Explanation

Explanation

Cisco Security Manager provides a comprehensive management solution for:

– Cisco ASA 5500 Series Adaptive Security Appliances

– Cisco intrusion prevention systems 4200 and 4500 Series Sensors

– Cisco AnyConnect Secure Mobility Client

 Mobile Device Management (MDM) is a solution that allows an organization to manage, monitor, and secure mobile devices such as smartphones, tablets, and laptops. MDM provides two main advantages to an organization with regards to device management:

Asset inventory management: MDM helps an organization keep track of all the mobile devices that are connected to its network, including their location, status, configuration, and usage. MDM also enables an organization to remotely wipe or lock devices that are lost, stolen, or compromised, preventing data loss and unauthorized access. Asset inventory management helps an organization optimize its resources, reduce costs, and comply with regulations12.

Allowed application management: MDM allows an organization to control what applications can be installed and run on the mobile devices, as well as how they can access and share data. MDM can also push updates and patches to the devices, ensuring that they are always running the latest and most secure versions of the applications. Allowed application management helps an organization enhance security, productivity, and performance of the mobile devices34.

 1: 7 Advantages and Disadvantages of Mobile Device Management [2024] 2: 5 Benefits of Mobile Device Management - ESET 3: Top 10 Benefits of Mobile Device Management (MDM) - TechFunnel 4: Benefits of Mobile Device Management (MDM) for Businesses

Explanation

Explanation

The ASA and ASASM implementations of NetFlow Secure Event Logging (NSEL) provide the following major functions:

…

– Delays the export of flow-create events.

Cisco Umbrella allows you to create custom destination lists that contain specific domains or IP addresses that you want to allow or block. You can then apply these destination lists to your policies to override the default behavior of Umbrella. For example, if you want to block specific addresses using Cisco Umbrella, you can create a destination list with those addresses and set the action to block. Then, you can assign this destination list to the policy that you want to modify. This way, any request to those addresses will be blocked by Umbrella, regardless of the content category or application settings12 References := 1: Manage Policies - Umbrella User Guide 2: Understanding Destination lists supported entries and error messages - Cisco Umbrella

CoA (Change of Authorization) is a feature that allows ISE to dynamically change the authorization attributes of an endpoint after it has been authenticated. CoA can be triggered by various events, such as posture assessment, profiling, or manual intervention1. There are different types of CoA that ISE can send to the network access device (NAD) to perform different actions on the endpoint session. The CoA type that achieves the goal of forcing an endpoint to re-authenticate without disrupting its session is CoA Reauth. CoA Reauth instructs the NAD to initiate a new RADIUS authentication for the endpoint, which allows ISE to apply a new or updated policy based on the latest attributes of the endpoint2. The other CoA types do not achieve this goal, as they either disconnect the endpoint session or do not change the authorization attributes. Port Bounce causes the NAD to shut down and bring up the port where the endpoint is connected, which effectively disconnects and reconnects the endpoint session2. CoA Terminate causes the NAD to terminate the endpoint session and send an Accounting-Stop message to ISE2. CoA Session Query causes the NAD to send an Accounting-Request message to ISE with the current session information, but does not change the authorization attributes of the endpoint2. References:

Cisco Content Hub - Manage Network Devices, section “CoA Types”

Solved: COA and ISE Clarification - Cisco Community, answer by Tarik Admani

Configuring Profiler Policies [Cisco Identity Services Engine] - Cisco …, section “Change of Authorization”

Explanation

A botnet is a collection of internet-connected devices infected by malware that allow hackers to control them.

Cyber criminals use botnets to instigate botnet attacks, which include malicious activities such as credentials

leaks, unauthorized access, data theft and DDoS attacks.

Explanation

FlexVPN is an IKEv2-based VPN technology that provides several benefits beyond traditional site-to-site VPN implementations. FlexVPN is a standards-based solution that can interoperate with non-Cisco IKEv2

implementations. Therefore FlexVPN can support a multivendor environment. All of the three VPN technologies support traffic between sites (site-to-site or spoke-to-spoke).

Explanation

Explanation

How To Troubleshoot ISE Failed Authentications & Authorizations

Check the ISE Live Logs

Login to the primary ISE Policy Administration Node (PAN).

Go to Operations > RADIUS > Live Logs

(Optional) If the event is not present in the RADIUS Live Logs, go to Operations > Reports > Reports >

Endpoints and Users > RADIUS Authentications

Check for Any Failed Authentication Attempts in the Log

Explanation

The data plane of any network is responsible for handling data packets that are transported across the network.

(The data plane is also sometimes called the forwarding plane.)

Maybe this Qwants to ask about the encryption and authentication in the data plane of a SD-WAN network (but SD-WAN is not a topic of the SCOR 350-701 exam?).

In the Cisco SD-WAN network for unicast traffic, data plane encryption is done by AES-256-GCM, a symmetrickey algorithm that uses the same key to encrypt outgoing packets and to decrypt incoming packets. Each router periodically generates an AES key for its data path (specifically, one key per TLOC) and transmits this key to the vSmart controller in OMP route packets, which are similar to IP route updates.

The access control rule in the exhibit has the following characteristics:

The rule name is DMZ_Rule and it is enabled.

The action set for this rule is Trust, meaning traffic matching this rule will not be subjected to further inspection.

The source zones are not specified, meaning any zone can match this rule.

The destination zone is DMZ_Inside, meaning only traffic destined to this zone can match this rule.

Therefore, the effect of this rule is that all traffic from any zone to the DMZ_Inside zone will be permitted with no further inspection. This is the correct answer, option A.

The other options are incorrect because they do not match the configuration of the rule or the behavior of the Trust action. Option B is incorrect because traffic will be allowed through to the DMZ_Inside zone, not blocked. Option C is incorrect because traffic will not be inspected before being allowed to the DMZ_Inside zone. Option D is incorrect because traffic does not need to be trusted to be allowed to the DMZ_Inside zone. References:

Firepower Management Center Configuration Guide, Version 6.6 - Access Control Rules

Firepower Management Center Device Configuration Guide, 7.1 - Access Control Policies

How to Deploy FMC/FTD part 2 – Access Control Policies

The Cisco DNA Center API provides the ability to program and monitor networks from somewhere other than the DNAC GUI. The API is a set of RESTful web services that allow users to interact with Cisco DNA Center programmatically. The API can be used to automate tasks, integrate with third-party applications, or create custom applications. The API exposes the same functionality as the DNAC GUI, such as design, provision, policy, assurance, and platform1. The API also provides documentation, examples, and testing tools for each API call1. References :=

Cisco DNA Center User Guide, Release 2.3.3

Cisco DNA Center User Guide, Release 2.2.2

DNAC Tour Part 1: Introduction to Cisco DNA Center

Cisco DNA Center Platform User Guide, Release 2.2.2

Wired 802.1X authentication is a port-based network access control that uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port1. Wired 802.1X authentication requires three components: a supplicant, an authenticator, and an authentication server2. The supplicant is the client device that requests access to the network. The authenticator is the switch port that controls the access to the network based on the authentication result. The authentication server is the server that validates the credentials of the supplicant and sends the authentication result to the authenticator3.

In this question, option A is correct because Cisco Identity Service Engine (ISE) is an example of an authentication server that supports wired 802.1X authentication4. Option C is correct because Cisco Catalyst switch is an example of an authenticator that supports wired 802.1X authentication5. Option B is incorrect because Cisco AnyConnect ISE Posture module is not a supplicant, but a software component that checks the compliance status of the supplicant. Option D is incorrect because Cisco ISE is not an authenticator, but an authentication server. Option E is incorrect because Cisco Prime Infrastructure is not an authentication server, but a network management tool.

 1: Wired 802.1X Deployment Guide - Cisco 2: 802.1X Authenticated Wired Access Overview | Microsoft Learn 3: About 802.1X Authentication - Aruba 4: Cisco Identity Services Engine - Products & Services - Cisco 5: Cisco Catalyst 2960-X Series Switches - Products & Services - Cisco : Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Configure Posture [Cisco AnyConnect Secure Mobility Client] - Cisco : Cisco Prime Infrastructure - Products & Services - Cisco

Joining Cisco WSAs to an appliance group simplifies the task of patching multiple appliances. An appliance group is a collection of WSAs that share the same configuration settings and software versions. Administrators can use appliance groups to apply configuration changes and software updates to multiple WSAs at once, instead of performing these tasks individually for each appliance12. This reduces the administrative overhead and ensures consistency across the WSAs. References:

Appliance groups, section “Appliance Groups”.

What is the purpose of joining Cisco WSAs to an appliance group?

Explanation

Micro-segmentation secures applications by expressly allowing particular application traffic and, by default,

denying all other traffic. Micro-segmentation is the foundation for implementing a zero-trust security model for

application workloads in the data center and cloud.

Cisco Tetration is an application workload security platform designed to secure your compute instances across

any infrastructure and any cloud. To achieve this, it uses behavior and attribute-driven microsegmentation

policy generation and enforcement. It enables trusted access through automated, exhaustive context from

various systems to automatically adapt security policies.

To generate accurate microsegmentation policy, Cisco Tetration performs application dependency mapping to

discover the relationships between different application tiers and infrastructure services. In addition, the

platform supports “what-if” policy analysis using real-time data or historical data to assist in the validation and risk assessment of policy application pre-enforcement to ensure ongoing application availability. The

normalized microsegmentation policy can be enforced through the application workload itself for a consistent approach to workload microsegmentation across any environment, including virtualized, bare-metal, and container workloads running in any public cloud or any data center. Once the microsegmentation policy is enforced, Cisco Tetration continues to monitor for compliance deviations, ensuring the segmentation policy is up to date as the application behavior change.

Explanation

To understand DHCP snooping we need to learn about DHCP spoofing attack first.

DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.

The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that

determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP

messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response

is seen on an untrusted port, the port is shut down.

Cisco ISE and pxGrid use the IETF (Internet Engineering Task Force) standards to integrate with each other and with other interoperable security platforms. IETF is an open, international community of network designers, operators, vendors, and researchers who produce voluntary standards for the Internet. Cisco pxGrid is based on the IETF standards-track XMPP (Extensible Messaging and Presence Protocol) and RESTCONF (Representational State Transfer Configuration Protocol) technologies. These standards enable Cisco pxGrid to provide a scalable, secure, and open data-sharing platform that supports multiple security products and services. Cisco ISE uses the IETF standards-track RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) protocols to provide network access control and policy enforcement. Cisco ISE also supports the IETF standards-track SXP (Security Group Tag eXchange Protocol) to propagate security group tags across the network. By using the IETF standards, Cisco ISE and pxGrid can interoperate with other security platforms that support the same standards, such as Infoblox, Splunk, Rapid7, and more. References:

Cisco pxGrid - Cisco

ISE pxGrid General Information & FAQ - Cisco Community

How To: Integrate Cisco WSA using ISE and TrustSec via pxGrid

Infoblox DDI, Cisco ISE, and the pxGrid Solution Platform

Explanation

The Cisco Umbrella Multi-Org console has the ability to upload, store, and archive traffic activity logs from your organizations’ Umbrella dashboards to the cloud through Amazon S3. CSV formatted Umbrella logs are compressed (gzip) and uploaded every ten minutes so that there’s a minimum of delay between traffic from the organization’s Umbrella dashboard being logged and then being available to download from an S3 bucket.

By having your organizations’ logs uploaded to an S3 bucket, you can then download logs automatically to keep in perpetuity in backup storage.

The WSA uses a root certificate and a private key to decrypt HTTPS traffic. The root certificate must reside in the trusted store of the WSA, and it must be able to sign server certificates on the fly. The server certificates that the WSA generates must contain a SAN (Subject Alternative Name) field, which specifies the hostnames or IP addresses that the certificate is valid for. The SAN field is required by modern browsers and applications to verify the identity of the server. If the WSA does not include a SAN field in the server certificate, the browser or application may reject the connection or display a warning message.

The other options are not correct because:

A. The current date is not a criterion for the WSA to use a certificate to decrypt application traffic. The WSA checks the validity period of the certificate, which includes the start date and the end date. The current date must be within the validity period, but it does not have to be the same as the start date or the end date.

C. The root certificate that the WSA uses to decrypt HTTPS traffic does not have to reside in the trusted store of the endpoint. However, the endpoint must trust the root certificate in order to accept the server certificate that the WSA generates. This can be achieved by manually installing the root certificate on the endpoint, or by using a group policy or a certificate management system to distribute the root certificate to the endpoints.

D. The root certificate that the WSA uses to decrypt HTTPS traffic does not have to be signed by an internal CA. The WSA can generate its own self-signed root certificate, or it can use a root certificate that is signed by an external CA. However, the root certificate must be trusted by the endpoints, as explained in option C.

References := : WSA Certificate Usage for HTTPS Decryption : [User Guide for AsyncOS 12.0 for Cisco Web Security Appliances - GD (General Deployment) - Create Decryption Policies to Control HTTPS Traffic]

To force a session to be adjusted after a policy change is made, two configurations are required on Cisco ISE and on Cisco TrustSec devices: Dynamic Authorization and Change of Authorization (CoA). Dynamic Authorization allows Cisco ISE to send commands to network devices to change the authorization status of a user session. CoA is a feature that enables Cisco ISE to send a RADIUS message to a network device to reauthenticate or disconnect a user session. These two configurations enable Cisco ISE to apply the updated policy to the user session without requiring the user to log out and log in again.

According to the source book, the steps to configure Dynamic Authorization and CoA are as follows1:

On Cisco ISE, navigate to Administration > Network Resources > Network Devices and select the network device that supports TrustSec.

On the Edit Network Device page, select the Advanced TrustSec Settings tab and check the Support for CoA check box.

On the same tab, select the appropriate CoA type from the drop-down list. The options are RADIUS Disconnect, Port Bounce, and Reauth.

Click Submit to save the changes.

On the network device, enter the global configuration mode and issue the command aaa server radius dynamic-author to enable Dynamic Authorization.

Optionally, you can specify the source interface, authentication key, and port number for the Dynamic Authorization messages.

Exit the global configuration mode and save the configuration.

 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Connectivity, Lesson 4.2: Implementing TrustSec, Topic 4.2.3: Configuring TrustSec on Cisco ISE and Network Devices, pp. 4-83 to 4-85.

 On Cisco Firepower Management Center, a health policy is used to collect health modules alerts from managed devices. A health policy is a collection of tests, or health modules, that monitor the health status of the hardware and software in the system. You can apply a health policy to one or more appliances and configure the frequency and conditions for running the health modules and generating alerts. The health monitor on the Firepower Management Center tracks the health events based on the health policy settings and displays them on the Health Monitor page and the event views. You can also use external alerting mechanisms, such as SNMP traps or syslog messages, to notify you of health events. References :=

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Health_Monitoring.html

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/710/management-center-admin-71/health-health.html