Question 1
A company has many Cisco FTD devices managed by a Cisco FMC. The security model requires that access control rule logs be collected for analysis. The security engineer is concerned that the Cisco FMC will not be able to process the volume of logging that will be generated. Which configuration addresses this concern?
A. Send Cisco FTD connection events directly to a SIEM system and forward security events from Cisco FMC to the SIEM system for storage and analysis
B. Send Cisco FTD connection events and security events directly to a SIEM system for storage and analysis
C. Send Cisco FTD connection events and security events to a cluster of Cisco FMC devices for storage and analysis
D. Send Cisco FTD connection events and security events to Cisco FMC and configure it to forward logs to SIEM for storage and analysis
Correct Answer:
A. Send Cisco FTD connection events directly to a SIEM system and forward security events from Cisco FMC to the SIEM system for storage and analysis
Rationale: connection events are by far the highest-volume event type. Sending them by syslog straight from the FTD devices keeps that load off the FMC, while the much lower-volume security events (intrusion, file and malware events) can still be stored on the FMC and forwarded to the SIEM from there.
Question 2
The security engineer reviews the syslog server events of an organization and sees many outbound connections to malicious sites initiated from hosts running Cisco Secure Endpoint. The hosts are on a separate network from the Cisco FTD device. Which action blocks the connections?
A. Modify the policy on Cisco Secure Endpoint to enable DFC
B. Modify the access control policy on the Cisco FMC to block malicious outbound connections
C. Add the IP addresses of the malicious sites to the access control policy on the Cisco FMC
D. Add a Cisco Secure Endpoint policy with the Tetra and Spero engines enabled
Correct Answer:
A. Modify the policy on Cisco Secure Endpoint to enable DFC
Rationale: Device Flow Correlation (DFC) lets the Secure Endpoint connector block connections to known-malicious IP addresses on the host itself. That is what is needed here, because the hosts sit on a network segment whose traffic the FTD never sees, so no access control rule on the FMC can stop it.
Question 3
Network users experience issues when accessing a server on a different network segment. An engineer investigates the issue by performing a packet capture on Cisco Secure Firewall Threat Defense. The engineer expects more data and suspects that not all the traffic was collected during a 15-minute capture session. Which action must the engineer take to resolve the issue?
A. Forward the captured data to an FTP server
B. Increase the amount of RAM allocated for the capture
C. Ensure that the allocated memory is sufficient
D. Provide a file name to save the data
Correct Answer:
A. Forward the captured data to an FTP server
Note: a capture also stops as soon as its buffer is full, so before relying on exporting the file, check the capture buffer size (32 MB by default, see Question 6) and whether the capture is using a circular buffer; a 15-minute capture on a busy interface can exhaust the default buffer long before the session ends.
Question 4
An engineer must change the mode of a Cisco Secure Firewall Threat Defense (FTD) firewall in the Cisco Secure Firewall Management Center (FMC) inventory. The engineer must take these actions:
• Register Secure FTD with Secure FMC.
• Change the firewall mode.
• Deregister the Secure FTD device from Secure FMC.
How must the engineer perform these actions?
A. Access the Secure FTD CLI from the console port
B. Configure the management IP address
C. Reload the Secure FTD device
D. Erase the Secure FTD configuration
Correct Answer:
A. Access the Secure FTD CLI from the console port
Rationale: the firewall mode (routed or transparent) can only be changed from the Threat Defense CLI with configure firewall routed or configure firewall transparent, and only while the device is not registered with the FMC; the command clears the interface configuration and asks for confirmation. The working order is therefore: deregister the device from the FMC, change the mode at the console, then register it again.
Question 5
What is the role of the casebook feature in Cisco Threat Response?
A. pulling data via the browser extension
B. alert prioritization
C. sharing threat analysis
D. triage automation with alerting
Correct Answer:
C. sharing threat analysis
Rationale: a casebook collects the observables and notes gathered during an investigation so that the analysis can be saved and shared with other analysts; it is not an alerting or prioritization mechanism.
Question 6
An engineer is troubleshooting an intermittent connectivity issue on a Cisco Secure Firewall Threat Defense appliance and must collect 24 hours' worth of data. The engineer started a packet capture, but it stops prematurely during this period. The engineer notices that the packet capture buffer size is set to the default of 32 MB. What is the maximum buffer size the engineer can set so that the packet capture runs successfully?
A. 64 MB
B. 1 GB
C. 10 GB
D. 100 GB
Correct Answer:
C. 10 GB
Rationale: the capture stops when its buffer fills, and 10 GB is the largest buffer the packet capture feature accepts. The default of 32 MB is why a capture that is expected to run for hours ends early.
Question 7
What is the RTC workflow when an infected endpoint is identified?
A. Cisco ISE instructs Cisco AMP to contain the infected endpoint
B. Cisco ISE instructs Cisco FMC to contain the infected endpoint
C. Cisco FMC instructs Cisco ISE to contain the infected endpoint
D. Cisco AMP instructs Cisco FMC to contain the infected endpoint
Correct Answer:
C. Cisco FMC instructs Cisco ISE to contain the infected endpoint
Rationale: in Rapid Threat Containment (RTC) the FMC runs a pxGrid remediation that tells ISE to quarantine the endpoint; ISE then enforces the quarantine by issuing a Change of Authorization (CoA) to the network access device the endpoint is connected to.
Question 8
An engineer must configure high availability for the Cisco Firepower devices. The current network topology does not allow for two devices to pass traffic concurrently. How must the devices be implemented in this environment?
A. in active/active mode
B. in a cluster with a spanned EtherChannel
C. in active/passive mode
D. in cluster interface mode
Correct Answer:
C. in active/passive mode
Rationale: in active/passive failover only one unit forwards traffic at a time, which is exactly what a topology that cannot carry traffic through two devices concurrently requires. Active/active failover and clustering (including a cluster with a spanned EtherChannel) have every member passing traffic at the same time, so they are ruled out.
Question 9
An administrator is working on a migration from Cisco ASA to the Cisco FTD appliance and needs to test the rules without disrupting the traffic. Which policy type should be used to configure the ASA rules during this phase of the migration?
A. Prefilter
B. Intrusion
C. Access Control
D. Identity
Correct Answer:
C. Access Control
Question 10
A network administrator is implementing an active/passive high availability Cisco FTD pair. When adding the high availability pair, the administrator cannot select the secondary peer. What is the cause?
A. The second Cisco FTD is not the same model as the primary Cisco FTD
B. A high availability license must be added to the Cisco FMC before adding the high availability pair
C. The failover link must be defined on each Cisco FTD before adding the high availability pair
D. Both Cisco FTD devices are not at the same software version
Correct Answer:
A. The second Cisco FTD is not the same model as the primary Cisco FTD
Rationale: the FMC only offers as a secondary peer a device that is the same model, runs the same software version and is registered with the same FMC in the same domain as the primary. A version mismatch (D) would also prevent the selection; the failover link is defined in the high availability wizard itself, not beforehand, and no separate high availability license exists.
Question 11
What is an advantage of adding multiple inline interface pairs to the same inline interface set when deploying an asynchronous routing configuration?
A. Allows the IPS to identify inbound and outbound traffic as part of the same traffic flow
B. The interfaces disable autonegotiation and the interface speed is hard-coded to 1000 Mbps
C. Allows traffic inspection to continue without interruption during the Snort process restart
D. The interfaces are automatically configured as a media-independent interface crossover
Correct Answer:
A. Allows the IPS to identify inbound and outbound traffic as part of the same traffic flow
Rationale: with asynchronous routing the two directions of a connection can arrive on different interface pairs. Placing those pairs in one inline set lets Snort treat both directions as a single session instead of inspecting two half-flows, which would otherwise break stateful inspection.
Question 12
An engineer is reviewing a ticket that requests to allow traffic for some devices that must connect to a server over 8699/udp. The request mentions only one IP address, 172.16.18.15, but the requestor asked for the engineer to open the port for all machines that have been trying to connect to it over the last week. Which action must the engineer take to troubleshoot this issue?
A. Use the context explorer to see the application blocks by protocol
B. Filter the connection events by the source port 8699/udp
C. Filter the connection events by the destination port 8699/udp
D. Use the context explorer to see the destination port blocks
Correct Answer:
C. Filter the connection events by the destination port 8699/udp
Rationale: the machines connect to the server on 8699/udp, so 8699 is the destination port of every such flow; the clients use ephemeral source ports, so a source-port filter would match nothing useful. Filtering the connection events this way lists every source host that attempted the connection, which is what the requestor asked for.
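An added example, not part of the question bank, of the triage the correct answer describes, combined with the design from Question 1 (connection events sent by syslog straight from the FTD to a SIEM): parse Threat Defense connection events as received at the SIEM, keep the blocked flows to 8699/udp from the last week, and list the distinct source hosts for the new rule's network object. The line layout follows the FTD 430003 "Key: Value" connection-event message; the device name, addresses, timestamps and rule names are constructed for the example, and the exact field names are an assumption about that format.

```python
from collections import defaultdict
from datetime import datetime

MSG_ID = "%FTD-6-430003:"       # FTD connection event (field layout assumed, see lead-in)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample of connection events as a SIEM would receive them by syslog
# directly from the FTD. Hosts, times and rule names are made up for this example.
SAMPLE_SYSLOG = """\
<134>Jun 10 08:01:15 ftd-edge-01 %FTD-6-430003: EventPriority: Low, DeviceUUID: 1a2b, InstanceID: 1, FirstPacketSecond: 2024-06-10T08:01:15Z, ConnectionID: 101, AccessControlRuleAction: Block, SrcIP: 172.16.18.15, DstIP: 10.20.30.40, SrcPort: 51344, DstPort: 8699, Protocol: udp, AccessControlRuleName: Default-Block
<134>Jun 10 08:02:40 ftd-edge-01 %FTD-6-430003: EventPriority: Low, DeviceUUID: 1a2b, InstanceID: 1, FirstPacketSecond: 2024-06-10T08:02:40Z, ConnectionID: 102, AccessControlRuleAction: Block, SrcIP: 172.16.18.22, DstIP: 10.20.30.40, SrcPort: 49211, DstPort: 8699, Protocol: udp, AccessControlRuleName: Default-Block
<134>Jun 10 09:15:02 ftd-edge-01 %FTD-6-430003: EventPriority: Low, DeviceUUID: 1a2b, InstanceID: 1, FirstPacketSecond: 2024-06-10T09:15:02Z, ConnectionID: 103, AccessControlRuleAction: Allow, SrcIP: 172.16.18.15, DstIP: 10.20.30.41, SrcPort: 8699, DstPort: 443, Protocol: tcp, AccessControlRuleName: Web-Out
<134>Jun 11 10:30:11 ftd-edge-01 %FTD-6-430003: EventPriority: Low, DeviceUUID: 1a2b, InstanceID: 1, FirstPacketSecond: 2024-06-11T10:30:11Z, ConnectionID: 104, AccessControlRuleAction: Block, SrcIP: 172.16.18.22, DstIP: 10.20.30.40, SrcPort: 49300, DstPort: 8699, Protocol: udp, AccessControlRuleName: Default-Block
<134>Jun 11 11:00:00 ftd-edge-01 %FTD-6-430003: EventPriority: Low, DeviceUUID: 1a2b, InstanceID: 1, FirstPacketSecond: 2024-06-11T11:00:00Z, ConnectionID: 105, AccessControlRuleAction: Block, SrcIP: 172.16.19.7, DstIP: 10.20.30.40, SrcPort: 60001, DstPort: 8699, Protocol: tcp, AccessControlRuleName: Default-Block
<134>May 20 11:00:00 ftd-edge-01 %FTD-6-430003: EventPriority: Low, DeviceUUID: 1a2b, InstanceID: 1, FirstPacketSecond: 2024-05-20T11:00:00Z, ConnectionID: 90, AccessControlRuleAction: Block, SrcIP: 172.16.18.99, DstIP: 10.20.30.40, SrcPort: 50000, DstPort: 8699, Protocol: udp, AccessControlRuleName: Default-Block
"""


def parse_connection_event(line):
    """Turn one 430003 syslog line into a dict of its "Key: Value" fields.
    Returns None for any line that is not a connection event."""
    idx = line.find(MSG_ID)
    if idx < 0:
        return None
    fields = {}
    for part in line[idx + len(MSG_ID):].split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def blocked_sources(lines, dst_port, protocol, since_iso):
    """Return {SrcIP: hit count} for blocked flows to dst_port/protocol whose first
    packet was seen at or after since_iso. The filter is on DstPort, not SrcPort:
    clients pick ephemeral source ports, so only the destination port is stable."""
    since = datetime.strptime(since_iso, TS_FORMAT)
    hits = defaultdict(int)
    for line in lines:
        ev = parse_connection_event(line)
        if ev is None or ev.get("AccessControlRuleAction") != "Block":
            continue
        if ev.get("DstPort") != str(dst_port) or ev.get("Protocol", "").lower() != protocol.lower():
            continue
        if datetime.strptime(ev["FirstPacketSecond"], TS_FORMAT) < since:
            continue
        hits[ev["SrcIP"]] += 1
    return dict(hits)


def build_network_object_group(name, hosts):
    """Render the distinct source hosts as the network object group the new
    access control rule will reference (sorted so repeated runs diff cleanly)."""
    return {"name": name, "type": "NetworkGroup", "hosts": sorted(hosts)}


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    hits = blocked_sources(lines, 8699, "udp", "2024-06-05T00:00:00Z")  # "last week" as of 12 Jun
    print(hits)
    print(build_network_object_group("Srv-8699-udp-clients", hits))
```

The Allow event with source port 8699 and the tcp attempt are both dropped by the filter, and the May entry falls outside the week, so only the two hosts that actually tried 8699/udp end up in the object group; 172.16.18.15 from the ticket is one of them, the other is the host the requestor did not know about.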
Question 13
In which two places are thresholding settings configured? (Choose two.)
A. on each IPS rule
B. globally, within the network analysis policy
C. globally, per intrusion policy
D. on each access control rule
E. per preprocessor, within the network analysis policy
Correct Answer:
A. on each IPS rule
C. globally, per intrusion policy
Rationale: a threshold can be set on an individual rule in that rule's settings, and a global rule threshold is set in the intrusion policy's Advanced Settings; thresholding is not a network analysis policy or preprocessor setting.
Question 14
A network administrator notices that SI events are not being updated. The Cisco FTD device is unable to load all of the SI event entries and traffic is not being blocked as expected. What must be done to correct this issue?
A. Restart the affected devices in order to reset the configurations
B. Redeploy configurations to affected devices so that additional memory is allocated to the SI module
C. Replace the affected devices with devices that provide more memory
D. Manually update the SI event entries so that the appropriate traffic is blocked
Correct Answer:
B. Redeploy configurations to affected devices so that additional memory is allocated to the SI module
Question 15
An engineer must define a URL object on Cisco FMC. What is the correct method to specify the URL without performing SSL inspection?
A. Include all URLs from CRL Distribution Points
B. Use Subject Common Name value
C. Specify all subdomains in the object group
D. Specify the protocol in the object
Correct Answer:
B. Use Subject Common Name value
Rationale: without decrypting the session the device cannot read the URL inside the HTTPS request, so URL conditions are matched against what is visible in the TLS handshake, in particular the Subject Common Name of the server certificate. The object should therefore contain that name rather than a full URL path.
Question 16
Which two features of Cisco AMP for Endpoints allow for an uploaded file to be blocked? (Choose two.)
A. application blocking
B. simple custom detection
C. file repository
D. exclusions
E. application allow listing
Correct Answer:
A. application blocking
B. simple custom detection
Rationale: a simple custom detection blocks a file by its SHA-256 hash, and an application blocking list prevents a file with a listed hash from executing. The file repository only stores files the console has fetched from endpoints for analysis, and exclusions and application allow listing exempt files from detection, the opposite of blocking.
Question 17
Which command is run on an FTD unit to associate the unit to an FMC manager that is at IP address 10.0.0.10, and that has the registration key Cisco123?
A. configure manager local 10.0.0.10 Cisco123
B. configure manager add Cisco123 10.0.0.10
C. configure manager local Cisco123 10.0.0.10
D. configure manager add 10.0.0.10 Cisco123
Correct Answer:
D. configure manager add 10.0.0.10 Cisco123
Rationale: the syntax is configure manager add {hostname | IP address | DONTRESOLVE} registration-key [NAT ID]; the FMC address comes first, then the key, and the same key must be entered on the FMC when the device is added. configure manager local is not a form of this command.
Question 18
Which two conditions are necessary for high availability to function between two Cisco FTD devices? (Choose two.)
A. The units must be the same version
B. The devices can be in different device groups, but they must be in the same domain when configured within the FMC
C. The units must be different models if they are part of the same series
D. The units must be configured only for firewall routed mode
E. The units must be the same model
Correct Answer:
A. The units must be the same version
E. The units must be the same model
Rationale: high availability peers must be the same model, run the same software version and be registered with the same FMC in the same domain. They may run in either routed or transparent firewall mode, as long as both units use the same mode.
Question 19
An organization created a custom application that is being flagged by Cisco Secure Endpoint. The application must be exempt from being flagged. What is the process to meet the requirement?
A. Configure the custom application to use the information-store paths
B. Add the custom application to the DFC list and update the policy
C. Precalculate the hash value of the custom application and add it to the allowed applications
D. Modify the custom detection list to exclude the custom application
Correct Answer:
C. Precalculate the hash value of the custom application and add it to the allowed applications
Rationale: the allowed applications list in Secure Endpoint is keyed by SHA-256, so the application's hash is computed and added there to exempt it. The custom detection lists are block lists, so editing them does not stop a file from being flagged, and DFC concerns network flows, not files. Remember to add the hash of every new build, since a rebuild changes the hash.
Question 20
A security engineer sees an alert on Cisco Secure Endpoint console showing a malicious verdict for a file with the SHA-256 hash 0488537078abcdef048853abcdef048853abcdef048853abcdef048853abcdef048853. Which step will mitigate this threat?
A. Add the hash to network block list
B. Quarantine the file on endpoint
C. Add the hash to custom detection list
D. Enable firewall on infected endpoint
Correct Answer:
C. Add the hash to custom detection list
Rationale: adding the hash to a simple custom detection list makes every connector quarantine the file wherever it appears, not just on the one endpoint that raised the alert; a network block list acts on IP addresses, not file hashes. Note that a SHA-256 digest is 64 hexadecimal characters, so the 70-character value shown in the question is a placeholder; a malformed entry in a detection list silently matches nothing, so validate hashes before adding them.
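An added example, not the question bank's or Cisco's code, covering Questions 19 and 20 together: both the simple custom detection list and the allowed applications list are keyed by SHA-256, so a file is matched by hashing it and looking the digest up. The model below is illustrative only; the precedence of the allowed list over a detection (which is how the custom application in Question 19 is exempted), the list names and the sample file contents are assumptions for the example. It also checks the 70-character value from Question 20 to show why list entries must be validated before they are added.

```python
import hashlib
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_sha256(value):
    """Return the digest stripped and lower-cased, or raise ValueError if it is not a
    64-character hex string. A malformed entry in a detection or allowed list never
    matches anything and fails silently, so it must be rejected at the point of entry."""
    v = value.strip().lower()
    if not SHA256_RE.match(v):
        raise ValueError(f"not a SHA-256 hex digest ({len(v)} chars): {value!r}")
    return v


def is_valid_sha256(value):
    try:
        normalize_sha256(value)
        return True
    except ValueError:
        return False


class HashLists:
    """Illustrative model (assumption, not Secure Endpoint's implementation) of the two
    hash-keyed lists on the page: a simple custom detection list that quarantines and an
    allowed applications list that exempts. The allowed list wins on conflict."""

    def __init__(self):
        self.custom_detections = set()
        self.allowed_applications = set()

    def add_custom_detection(self, sha256):
        self.custom_detections.add(normalize_sha256(sha256))

    def add_allowed_application(self, sha256):
        self.allowed_applications.add(normalize_sha256(sha256))

    def verdict(self, file_bytes):
        digest = hashlib.sha256(file_bytes).hexdigest()
        if digest in self.allowed_applications:
            return "allowed"
        if digest in self.custom_detections:
            return "quarantine"
        return "clean"


# Constructed stand-ins for the in-house application (Question 19) and the malicious
# file (Question 20); real files would be hashed the same way.
INHOUSE_TOOL = b"MZ\x90\x00 in-house build 1.4.2 (constructed sample)"
MALWARE_SAMPLE = b"MZ\x90\x00 dropper (constructed sample)"

# The value printed in Question 20: 70 characters, so not a usable SHA-256.
PAGE_HASH = "0488537078abcdef048853abcdef048853abcdef048853abcdef048853abcdef048853"


def demo():
    lists = HashLists()
    # Question 20: precompute the malicious file's hash and add it as a custom
    # detection; entries are case-insensitive, so an upper-case digest is fine.
    lists.add_custom_detection(hashlib.sha256(MALWARE_SAMPLE).hexdigest().upper())
    # Question 19: the in-house tool is being flagged (modelled as a detection hit);
    # adding its precomputed hash to the allowed list exempts it.
    lists.add_custom_detection(hashlib.sha256(INHOUSE_TOOL).hexdigest())
    lists.add_allowed_application(hashlib.sha256(INHOUSE_TOOL).hexdigest())
    return {
        "inhouse": lists.verdict(INHOUSE_TOOL),
        "malware": lists.verdict(MALWARE_SAMPLE),
        "other": lists.verdict(b"unrelated file"),
        "page_hash_valid": is_valid_sha256(PAGE_HASH),
    }


if __name__ == "__main__":
    print(demo())
```

Feeding PAGE_HASH to add_custom_detection raises ValueError instead of creating a dead entry, which is the behaviour you want from any tooling that pushes hashes into a list on your behalf.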
Download the complete 300-710 study bundle with 302+ questions in a single printable PDF.