1. Which two statements about content filters on the Cisco ESA are true?

(Choose two)

a. Each content filter requires one or more actions

b. Each content filter requires one or more condition.
c. They can be applied before or after message filters
d. After you create a content filter, you can create an encryption profile to encrypt messages that
match the filter.
e. They are applied to the message after antispam and antivirus scanning is performed

2. Which two descriptions of a Cisco FirePOWER NGIPS deployment that uses an inline Pair
Interface in tap mode are true? (Choose two.)

a. Transit traffic can be dropped

b. All the Cisco ASA engine features are available
c. Two physical interfaces are bridged internally
d. The deployment is available in transparent mode only
e. More than two interfaces can be bridged

I am know C is correct.

Here is the information I have for Interface mode Inline Pair with Tap.

2 Physical interfaces internally bridged

Available in Routed or Transparent Deployment modes
Most of ASA features (NAT, Routing, L3/L4 ACL etc) are not available for flows going through
an Inline Pair
Few ASA engine checks are applied along with full Snort engine checks to a copy of the actual
traffic
Actual traffic cannot be dropped

Inline Pair with Tap can be deployed in Routed or Transparent.

Discarding, b is incorrect, d is incorrect, e is incorrect.

Therefore, I guess “a” should be “Transit traffic can be dropped”.

Then “a” is correct.

3. A question about inline pair tap interfaces:

A. Two interfaces in bridge mode

B. Can be more than two interfaces in bridge mode
C. They can drop traffic
D. They cannot drop traffic

4. Which Cisco CWS traffic-redirection option is most appropriate for roaming users?

A. AnyConnect
B. CWS connector
C. WSAv connector
D. Cisco ASA

5. Which two features of Cisco Email Security can protect your organization against email
threats?(choose two)

a. Time-based one-time passwords

b. Data loss prevention
c. Heuristic-based filtering
d. Geolocation-based filtering
e. NetFlow

6. A network engineer is configuring URL Filtering on the Cisco ASA with Firewall services.
Which two port requirements on the Firepower Management Center must be validated to allow
communication with the cloud service? (Choose two.)

a. outbound port TCP/443

b. inbound port TCP/80
c. inbound port TCP/443
d. outbound port TCP/80
e. bidirectional port TCP/443

A FireSIGHT System uses ports 443/HTTPS and 80/HTTP in order to communicate with the
cloud service. Port 443/HTTPS must be opened bidirectionally, and inbound access to port
80/HTTP must be allowed on the FireSIGHT Management Center.
https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117956-
technote-sourcefire-00.html#anc4

7. An engineer must evaluate the security gaps with their current WSA. What additional
protection does AMP offer for WSA?

a. point in time detection

b. roaming user protection
c. data loss prevention
d. restricted bandwidth

8. Which two field can be used to create a new email alert within the Cisco Firepower
Management center under Policies > Actions > Alerts tab? (Choose two.)

A. Device
B. Source
C. Destination
D. From
E. Relay Host

9. Which description of a correlation policy configuration in the Cisco Firepower Management

Center is true?

A. Correlation policy priorities override whitelist priorities.

B. The system displays correlation policies that are created on all of the domains in a multi-
domain deployment.
C. You cannot add a host profile qualification to a correlation rule that is triggered by a malware
event.
D. Deleting a response group deletes the responses of that group.

10. Which Statement about decrypting traffic on the cisco Firepower appliance is true?

A. the Decrypt-Resign option cannot be used with a local PKI

B. The Decrypt-Resign option can be used with a well-known/public PKI
C. Using the Decrypt-Known Key options requires that you upload the public/private key pair
from servers to the appliance
D. The Decrypt-Known-Key option requires only that the public key be uploaded to the
appliance
11. When you view a FireAmp Analysis Overview to mitigate a malware issue, where do you
look for information about servers.. Attempted to download additional files?

A. Threat root cause section

B. Startup section
C. Involved IP Addresses section
D. Dropped Files section

12. What is a purpose of the network analysis policy on a cisco Firepower NGIPS?

A. it specifies the outer-header criteria used to process traffic without using advanced inspection
B. it examines packets for attacks by using intrusion rules
C. it governs how traffic is preprocessed before inspection
D. it defines the rules for encrypting traffic

13. Which two Cisco ASA commands show if traffic is being redirected to the cisco Firepower
Module? (Choose two)

A. Show service-policy inspect scan safe

B. show module sfr
C. show service-policy sfr
D. show service-policy
E. show module sfr detail

14. Which two statements about Cisco AMP for Web Security are true? (Choose two)

A. It can block critical files from exiting through the web gateway
B. it compares unknown files to a local threat repository
C. it can detect and block malware before it passes through the web gateway
D. it can perform file analysis by sandboxing suspected malware
E. it continues monitoring files after they pass the web gateway

15. Which is a feature of Cisco AMP? (Choose two)

A. Spero Analysis
B. Network Analysis
C. Dynamic Analysis
D. Intrusion Analysis
E. User Analysis

16. Which two feature of cisco trust anchor?

A. image signing
B. DDOS mitigation
C. SYN flood mitigation
D. flood mitigation
E. secure boot

17. You are troubleshooting the proxy connections going through a Cisco WSA. Which CLI tool
do you use to monitor a log file in real time?

A. grep
B. nslookup
C. dig
D. tail

18. Which action controls the amount of URI text that is stored in Cisco WSA logs files?

A. Configure the datasecurityconfig command

B. Configure the advancedproxyconfig command with the HTTPS subcommand
C. Configure a small log-entry size.
D. Configure a maximum packet size.

19. Which SSL decryption policy can be used to protect HTTPS servers from external traffic?

A. Decrypt Re-sign
B. Block
C. Decrypt Known Key
D. Enable SSL Decryption
20. Which capability is exclusive to a Cisco AMP public cloud instance as compared to a private
cloud instance?

A. RBAC
B. ETHOS detection engine
C. SPERO detection engine
D. TETRA detection engine

21.

ASA# Show service-policy sfr

Global policy:
service-policy: global_policy
class-map: SFR
SFR: car status UP, mode fail-open monitor-only
Packet input 0, packet output 44715478687, drop 0, reset-drop 0

Refer to exhibit. Which two descriptions of the configurations of the Cisco FirePOWER Services
module are true? (Choose two)

A. The module is operating in IPS mode

B. Traffic is blocked if the module fails
C. The module is operating in IDS mode
D. Traffic continues to flow if the module fails
E. The module tails to receive redirected traffic

22. Which cisco WSA feature supports access control using URL categories?

A. User session restrictions

B. Transparent user identification
C. Web usage controls
D. SOCKS proxy services
23.

ASAv1# sh run scansafe

!
scansafe general-options
server primary ip 172.16.1.2 port 8080
server secondary ip 172.16.1.3 port 8080
retry-count 10
!

Refer to exhibit. Which tool do you use to verify whether a primary server established a
connection to Cisco CWS on a Cisco ASA ?

A. Telnet
B. Tcp ping
C. ping
D. traceroute

24. Which two tasks you must perform when you implement CWS on a Cisco ASA or ASAv?
(choose two)

A. Define the primary and secondary CWS proxy

B. Enable the ScanSafe feature
C. Create a new RSA key
D. Browse to whoami.scansafe.net to verify that web redirection is operating normally
E. Create an authentication license key

25. Which two Cisco technologies must you use to enable transparent user identification on a
Cisco WSA? (Choose two)

A. Cisco Prime Infrastructure

B. Cisco CDA
C. Cisco CSM
D. Cisco ACS
E. Cisco ISE
26. Which type of Cisco IPS deployment are you using if you are monitoring traffic with a
SPAN port?

A. tap mode deployment

B. passive deployment
C. bypass deployment
D. inline deployment

27. Which function is the primary function of Cisco AMP threat Grid?

A. automated email encryption

B. applying a real-time URI blacklist
C. automated malware analysis
D. monitoring network traffic

28. What is the primary benefits of deploying an ESA in hybrid mode?

A. It provides the lowest total cost of ownership by reducing the need for physical appliances.
B. You can fine-tune its settings to provide the optimum balance security and performance for
you environment.
C. It provides email security while supporting the transition to the cloud.
D. It provides maximum protection and control of outbound messages.

29. Which technology does the Cisco AMP Spero detection engine use to identify threats?

A. fuzzy hashes
B. machine learning
C. dynamic analysis
D. Static analysis.

30. Which function is the primary function of Cisco AMP threat Grid? (choose two)

A. It analyzes copies of packets from the packet flow

B. The device is deployed in a passive configuration
C. If a rule is triggered the device generates an intrusion event.
D. The packet flow traverses the device
E. If a rule is triggered the device drops the packet
31. Which two statements about ESA clusters are true? (Choose two.)

A. When a new appliance is added to the cluster it inherited the policy settings, content filters,
and outbreak quarantine settings of the cluster.
B. Each machine in the cluster can be a member of only one machine group
C. They can be managed from the CLI or with a GUI
D. They are deployed and managed using a peer-to-peer architecture.
E. They are deployed and managed using a master-slave architecture.

32. What is a feature of Cisco Hybrid Email Security?

A. Cisco Registered Envelope Service.

B. Layer 4 traffic monitoring.
C. Application visibility and control.
D. Roaming user protection.

33. Which description of the Cisco ASA Connector in a Cisco CWS solution is true?

A. enables the ASA to download information from CWS

B. deploys a VPN connection to the CWS cloud
C. permits the IP addresses required by CWS in the ASA access policy
D. securely redirects specified traffic to the CWS cloud for inspection

34. An engineer must evaluate the security gaps with their current WSA. What additional
protection does AMP offer for WSA?

A. point in time detection

B. roaming user protection
C. data loss prevention
D. restricted bandwidth

35. What is the function of the Cisco Context Adaptive Scanning Engine in Cisco Hybrid Email
Security services?

A. It uses real-time traffic threat assessment to identify suspicious email senders and messages.
B. It provides a preventive defense against viruses by scanning messages before they enter the
network.
C. It analyzes message content and attachments to protect an organization’s intellectual property.
D. It protects against blended threats by using human-like logic to review and evaluate traffic.
36. Which two Snort actions are available by default creating Snort rules, regardless of
deployment mode? (Choose two)

A. activate
B. sdrop
C. drop
D. pass
E. reject

37. Which type of interface is needed to pass untagged VLAN traffic from one network to
another on a Cisco Firepower appliance 8130?

A. logical switched
B. logical routed
C. hybrid
D. physical routed

DRAG AND DROP

ESA—————–>dynamic threat control for email

WSA—————->dynamic threat control for web traffic
AMP—————->endpoint control
StealthWatch—->network forensic
Firepower——–>real-time threat management
ISE——————>user and device identity management
————————————————————–
CIP————————————> supports industrial automation application
Transport & network layer—> detects attacks that exploit a checksum validation
DNP3———————————> used in transportation industries
Application layer ————––> occurs after the selection of the access control rules

NEW QUESTION 473

What are two analysis methods of file inspection on Network-based Cisco advanced malware
protection? (Choose two.)

A. Spero analysis
B. Network analysis
C. User analysis
D. Dynamic analysis
E. Intrusion analysis
NEW QUESTION 474
Which description of a passive interface on a Cisco Firepower NGFW is true?

A. Receives traffic that is specified on an NGIPS.

B. Inaccessible when disable.
C. Effected by firewall mode.
D. Retransmits received traffic.

NEW QUESTION 475

An engineer is deploying AMP for the first time and cannot afford any interrupted to network
traffic. Which policy types does NOT disrupted the network?

A. Protect
B. Server
C. Audit
D. tnage

NEW QUESTION 476

Which Cisco Advanced Malware Protection for Endpoints analysis tool records file activity
within a specific host?

A. Device trajectory
B. Prevalence
C. File trajectory
D. File analysis

NEW QUESTION 477

Which two tasks must you perform when impalement CWS on a cisco ASA or ASAV? (Choose
two.)

A. Create a new RSA key.

B. Enable the ScanSafe feature.
C. Browse to whoami.scansade.net to verify that web redirection is operating normally.
D. Create an authenticating license key.
E. Define the primary and secondary CWS proxy.
NEW QUESTION 478
Which two statements about content filters on the Cisco ESA are true? (Choose two.)

A. After you create a content filter, you can create an encryption profile to encrypt messages that
match the filter.
B. Each content filter requires one or more actions.
C. They can be applied before a after message filters.
D. They are applied to the message after antispam and antivirus scanning is performed.
E. Each content filter requires one or more conditions

NEW QUESTION 479

Which two features does Cisco trust Anchor support? (Choose two.)

A. Secure boot
B. Image signing
C. Flood attack detection
D. SYN flood detection
E. DDoS mitigation

NEW QUESTION 480

For which domain will the Cisco Email Security Appliance allow to 500 recipient per messages?

A. Orange public
B. Violet public and blue public
C. Violet public blue and green public
D. Red public and orange public
E. Red public
F. Violet public

NEW QUESTION 481

Which capacity is exclusive to a Cisco AMP public cloud instance as compared to a private
cloud instance?

A. RBAC
B. SPERO
C. TETRA detection engine
D. ETHOS detection engine
NEW QUESTION 482
An engineer is using the reporting feature on a WSA, which option must they consider about the
reporting capabilities?

A. Report can be viewed for a particular domain, user, or category.

B. Report must be schedules manually.
C. Report to view system activity over a specified period of time do not exist.
D. Delete reports require a separate license.

NEW QUESTION 483

Which description of the file trajectory feature in Cisco AMP is true?

A. Tracks information about policy updates that affect each file on a network.
B. Excludes information about file transmissions across the network.
C. Blocks the malware detected in a file sent across the network.
D. Display information about the actions performed on each file on a network.

NEW QUESTION 484

A user wants to configure high availability with their Cisco Firepoer deployment, which platform
allow for clustering?

A. Virtual NGIPS
B. All platform support clustering
C. Cisco Firepower appliance
D. FirePOWERE Threat Defense for ISR

NEW QUESTION 485

Which cisco CWS traffic-redirection option is most appropriate for roaming users?

A. WSAv connector
B. CWS connector
C. Cisco ASA
D. AnyConnect
NEW QUESTION 486
Which type of Cisco IPS deployment are you using if you are monitoring traffic with a SPAN
port?

A. Bypass deployment
B. Tap mode deployment
C. Passive deployment
D. Inline deployment

NEW QUESTION 487

What are the requirements for configuring a routed interface on a Firepower 3D8140 sensor?
(Choose two.)

A. IP address
B. HA interface
C. Virtual router
D. 1Gbps interface
E. 10Gbps interface

NEW QUESTION 488

Which technology does the Cisco AMP Spero detection engineer use to identify threats?

A. Dynamic analysis
B. Static analysis
C. Fuzzy Hashes
D. Machine learning

NEW QUESTION 489

Which two characteristics represent a Cisco device operating in tap mode? (Choose two.)

A. It analyzes copies of packets from the packet flow.

B. The packet flow traverses the device.
C. The device is deployment in a passive configuration.
D. If a rule Is triggered, the device drops the packet.
E. If a rule is triggered, the device generates an intrusion event.
NEW QUESTION 490
Which two features of Cisco Email Security can protect your organization against email threats?
(Choose two.)

A. Time-based one-time passwords

B. Data loss prevention
C. NetFlow
D. Geolocation-based filtering
E. Heunstic-based filtering

NEW QUESTION 491

In the Cisco Security Appliance, which tool can be used to send a test email so a user can follow
the flow of messages will the configuration?

A. Recipient access table

B. Content filter
C. Message filter
D. Policy trace

Dump download: od.lk/fl/NjFfMTUyNjc0OV8

looks like for 5585-x how to reload the command would be: hw-module module 1 reload

Questions on exam according to Night_Wolf

https://drive.google.com/drive/folders/1NvdSVL_xUerzxmWMtWKUPiJmd3ttAo

One CWS lab:

parameter-map type content-scan global

server scansafe primary name proxy-a.scansafe.net port http 8080 https 8080
server scansafe secondary name proxy-b.scansafe.net port http 8080 https 8080
license 0 0123456789abcdef
source int fastethernet 0/1
server scansafe on-failure block-all
exit
int fast0/1
no shut
content-scan outbound

show content-scan summary

—————————————————-

1 D&D:

CIP———————————-> supports industrial automation application

Transport & network layer—>detects attacks that exploit a checksum validation
DNP3——————————> used in transportation industries
Application layer ————–> occurs after the selection of the access control rules

———————————————————–

1 ESA Simlet

———————————————————–

22 questions from this forum that were on exam:

1. Which two Snort actions are available by default creating Snort rules, regardless of
deployment mode? (Choose two)

A. activate
B. sdrop
C. drop
D. pass
E. reject

Answer: AD

2. Which type of interface is needed to pass untagged VLAN traffic from one network to another
on a Cisco Firepower appliance 8130?

A. logical switched
B. logical routed
C. hybrid
D. physical routed

Answer: D

3. When you create an email alert in Policies->Action->Alerts what are the available fields
(choose two):
1)Destination
2)Source
3)Relay host
4)From
5)Device

Answer: 3 and 4

4. Which Statement about decrypting traffic on the cisco Firepower appliance is true? !!!

A. The Decrypt-Resign option cannot be used with a local PKI

B. The Decrypt-Resign option can be used with a well-known/public PKI
C. Using the Decrypt-Known Key options requires that you upload the public/private key pair
from servers to the appliance
D. The Decrypt-Known-Key option requires only that the public key be uploaded to the
appliance

answer C

5. When you view a FireAmp Analysis Overview to mitigate a malware issue, where do you look
for infomation about servers .. attempted to download additional files?
A. Threat root cause section
B. Startup section
C. Involved IP Addresses section
D. Dropped Files section

answer C

6. You are troubleshooting the proxy connections going through a Cisco WSA. Which CLI tool
do you use to monitor a log file in real time?

A. grep
B. nslookup
C. dig
D. tail

Answer: D

7. Which action controls the amount of URI text that is stored in Cisco WSA logs files?

Configure the datasecurityconfig command

Configure the advancedproxyconfig command with the HTTPS subcommand
Configure a small log-entry size.
Configure a maximum packet size.

Answer: B
8. Which SSL decryption policy can be used to protect HTTPS servers from external traffic?

Decrypt Re-sign
Block
Decrypt Known Key
Enable SSL Decryption

Answer: C

9. Which capability is exclusive to a Cisco AMP public cloud instance as compared to a private
cloud instance?

RBAC
ETHOS detection engine
SPERO detection engine
TETRA detection engine

Answer: B

10. ASA# Show service-policy sfr

global policy:
service-policy: global_policy
class-map: SFR
SFR: car status UP, mode fail-open monitor-only
Packet input 0, packet output 44715478687, drop 0, reset-drop 0

Refer to exhibit. Which two descriptions of the configurations of the Cisco FirePOWER Services
module are true? (Choose two)

The module is operating in IPS mode

Traffic is blocked if the module fails
The module is operating in IDS mode
Traffic continues to flow if the module fails
The module tails to receive redirected traffic

Answer: CD

11. ASAv1# sh run scansafe

!
scansafe general-options
server primary ip 172.16.1.2 port 8080
server secondary ip 172.16.1.3 port 8080
retry-count 10
!
Refer to exhibit. Which tool do you use to verify whether a primary server established a
connection to Cisco CWS on a Cisco ASA ?

Telnet
Tcp ping
ping
traceroute

Answer: B

12. which Cisco CWS traffic-redirection option is most appropriate for roaming users?

AnyConnect
CWS connector
WSAv connector
Cisco ASA

Answer: A

13. which two tasks you must perform when you implement CWS on a Cisco ASA or ASAv?
(choose two)

Define the primary and secondary CWS proxy

Enable the ScanSafe feature
Create a new RSA key
Browse to whoami.scansafe.net to verify that web redirection is operating normally
Create an authentication license key

Answer: AE

14. which two Cisco technologies must you use to enable transparent user identification on a
Cisco WSA? (Choose two)

Cisco Prime Infrastructure

Cisco CDA
Cisco CSM
Cisco ACS
Cisco ISE

Answer: BE

15. which function is the primary function of Cisco AMP threat Grid?

automated email encryption

applying a real-time URI blacklist
automated malware analysis
monitoring network traffic

Answer: C

16. which two statements about content filters on the Cisco ESA are true? (Choose two)

Each content filter requires one or more actions.

Each content filter requires one or more conditions
They can be applied before or after message filters
After you create a content filter, you can create an encryption profile to encrypt messages that
match the filter.
They are applied to the message after antispam and antivirus scanning is performed

Answer: AE

17. which two routing options are valid with Cisco FirePOWER version 5.4? (Choose two)

Layer 3 routing with static routes

Layer 3 routing with RIPv1
Layer 3 routing with EIGRP
Layer 3 routing with OSPF stub area
Layer 3 routing with OSPF not-so-stubby area

Answer: BD

18. which function is the primary function of Cisco AMP threat Grid?

flood attack detection.

secure boot
image signing
DDoS mitigation
SYN flood detection

Answer: BC

19. what is the primary benefits of deploying an ESA in hybrid mode?

It provides the lowest total cost of ownership by reducing the need for physical appliances.
You can fine-tune its settings to provide the optimum balance security and performance for you
environment.
It provides email security while supporting the transition to the cloud.
It provides maximum protection and control of outbound messages.

Answer: C
20. which technology does the Cisco AMP Spero detection engine use to identify threats?

fuzzy hashes
machine learning
dynamic analysis
Static analysis.

Answer: B

21. which two statements about ESA clusters are true? (Choose two.)

When a new appliance is added to the cluster it inherited the policy settings, content filters, and
outbreak quarantine settings of the cluster.
Each machine int the cluster can be a member of only one machine group
They can be managed from the CLI or with a GUI
They are deployed and managed using a peer-to-peer architecture.
They are deployed and managed using a master-slave architecture.

Answer: BD

22. An engineer must evaluate the security gaps with their current WSA. What additional
protection does AMP offer for WSA?

a. point in time detection

b. roaming user protection
c. data loss prevention
d. restricted bandwidth

Answer: A