[Jan-2022] Verified 350-701 dumps Q&As - 350-701 dumps with Correct Answers
The Best CCNP Security Study Guide for the 350-701 Exam
NEW QUESTION 135
Refer to the exhibit.
Which command was used to generate this output and to show which ports are authenticating with dot1x or mab?
- A. show authentication sessions
- B. show authentication method
- C. show authentication registrations
- D. show dot1x all
Answer: A
NEW QUESTION 136
A network administrator is using the Cisco ESA with AMP to upload files to the cloud for analysis. The network is congested and is affecting communication. How will the Cisco ESA handle any files which need analysis?
- A. The file is queued for upload when connectivity is restored.
- B. AMP calculates the SHA-256 fingerprint, caches it, and periodically attempts the upload.
- C. The ESA immediately makes another attempt to upload the file.
- D. The file upload is abandoned.
Answer: D
Explanation:
The appliance will try once to upload the file; if upload is not successful, for example because of connectivity problems, the file may not be uploaded. If the failure was because the file analysis server was overloaded, the upload will be attempted once more.
In this question, it stated "the network is congested" (not the file analysis server was overloaded) so the appliance will not try to upload the file again.
NEW QUESTION 137
An organization is trying to improve their Defense in Depth by blocking malicious destinations prior to a connection being established. The solution must be able to block certain applications from being used within the network. Which product should be used to accomplish this goal?
- A. Cisco Firepower
- B. Cisco Umbrella
- C. AMP
- D. ISE
Answer: B
NEW QUESTION 138
Which portion of the network do EPP solutions solely focus on and EDR solutions do not?
- A. server farm
- B. core
- C. perimeter
- D. East-West gateways
Answer: C
NEW QUESTION 139
Which method is used to deploy certificates and configure the supplicant on mobile devices to gain access to network resources?
- A. MAC authentication bypass
- B. Simple Certificate Enrollment Protocol
- C. BYOD onboarding
- D. Client provisioning
Answer: C
NEW QUESTION 140
Which two capabilities of Integration APIs are utilized with Cisco DNA Center? (Choose two)
- A. Application monitors for power utilization of devices and IoT sensors
- B. Upgrade software on switches and routers
- C. Connect to Information Technology Service Management Platforms
- D. Create new SSIDs on a wireless LAN controller
- E. Automatically deploy new virtual routers
Answer: A,C
Explanation:
Integration API (Westbound)
Integration capabilities are part of Westbound interfaces. To meet the need to scale and accelerate operations in modern data centers, IT operators require intelligent, end-to-end workflows built with open APIs. The Cisco DNA Center platform provides mechanisms for integrating Cisco DNA Assurance workflows and data with third-party IT Service Management (ITSM) solutions.
-> Therefore answer D is correct.
Westbound-Integration APIs
Cisco DNA Center platform can power end-to-end IT processes across the value chain by integrating various domains such as ITSM, IPAM, and reporting. By leveraging the REST-based Integration Adapter APIs, bidirectional interfaces can be built to allow the exchange of contextual information between Cisco DNA Center and the external, third-party IT systems. The westbound APIs provide the capability to publish the network data, events and notifications to the external systems and consume information in Cisco DNA Center from the connected systems.
Therefore the most suitable choice is Integration APIs can monitor for power utilization of devices and IoT sensors -> Answer C is correct.
NEW QUESTION 141
Which two deployment modes does the Cisco ASA FirePower module support? (Choose two)
- A. transparent mode
- B. routed mode
- C. active mode
- D. inline mode
- E. passive monitor-only mode
Answer: C,D
Explanation:
You can configure your ASA FirePOWER module using one of the following deployment models:
You can configure your ASA FirePOWER module in either an inline or a monitor-only (inline tap or passive) deployment.
Reference:
modules-sfr.html
NEW QUESTION 142
What is a characteristic of a bridge group in ASA Firewall transparent mode?
- A. It is a Layer 3 segment and includes one port and customizable access rules.
- B. It includes multiple interfaces and access rules between interfaces are customizable.
- C. It has an IP address on its BVI interface and is used for management traffic.
- D. It allows ARP traffic with a single access rule.
Answer: B
NEW QUESTION 143
What is a characteristic of Cisco ASA NetFlow v9 Secure Event Logging?
- A. It tracks flow-create, flow-teardown, and flow-denied events.
- B. Its events match all traffic classes in parallel.
- C. It tracks the flow continuously and provides updates every 10 seconds.
- D. It provides stateless IP flow tracking that exports all records of a specific flow.
Answer: A
Explanation:
The ASA and ASASM implementations of NetFlow Secure Event Logging (NSEL) provide a stateful, IP flow tracking method that exports only those records that indicate significant events in a flow. The significant events that are tracked include flow-create, flow-teardown, and flow-denied (excluding those flows that are denied by EtherType ACLs).
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/monitor-nsel.html
NEW QUESTION 144
Refer to the exhibit.
A network administrator configures command authorization for the admin5 user. What is the admin5 user able to do on HQ_Router after this configuration?
- A. add subinterfaces
- B. set the IP address of an interface
- C. complete all configurations
- D. complete no configurations
Answer: D
Explanation:
The user "admin5" was configured with privilege level 5. In order to allow configuration (enter global configuration mode), we must type this command:
(config)#privilege exec level 5 configure terminal
Without this command, this user cannot do any configuration.
Note: Cisco IOS supports privilege levels from 0 to 15, but the privilege levels which are used by default are privilege level 1 (user EXEC) and privilege level 15 (privileged EXEC).
NEW QUESTION 145
Which two services must remain as on-premises equipment when a hybrid email solution is deployed? (Choose two.)
- A. DLP
- B. antispam
- C. encryption
- D. antivirus
- E. DDoS
Answer: A,C
NEW QUESTION 146
Which two conditions are prerequisites for stateful failover for IPsec? (Choose two)
- A. Only the IKE configuration that is set up on the active device must be duplicated on the standby device; the IPsec configuration is copied automatically
- B. The active and standby devices must run the same version of the Cisco IOS software and must be the same type of device
- C. The IPsec configuration that is set up on the active device must be duplicated on the standby device
- D. Only the IPsec configuration that is set up on the active device must be duplicated on the standby device; the IKE configuration is copied automatically.
- E. The active and standby devices can run different versions of the Cisco IOS software but must be the same type of device.
Answer: B,C
Explanation:
Stateful failover for IP Security (IPsec) enables a router to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This failover process is transparent to users and does not require adjustment or reconfiguration of any remote peer.
Stateful failover for IPsec requires that your network contains two identical routers that are available to be either the primary or secondary device. Both routers should be the same type of device, have the same CPU and memory, and have either no encryption accelerator or identical encryption accelerators.
Prerequisites for Stateful Failover for IPsec
Complete, Duplicate IPsec and IKE Configuration on the Active and Standby Devices
This document assumes that you have a complete IKE and IPsec configuration. The IKE and IPsec configuration that is set up on the active device must be duplicated on the standby device. That is, the crypto configuration must be identical with respect to Internet Security Association and Key Management Protocol (ISAKMP) policy, ISAKMP keys (preshared), IPsec profiles, IPsec transform sets, all crypto map sets that are used for stateful failover, all access control lists (ACLs) that are used in match address statements on crypto map sets, all AAA configurations used for crypto, client configuration groups, IP local pools used for crypto, and ISAKMP profiles.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpnavailability-15-mt-book/sec-state-fail-ipsec.html
Although the prerequisites only stated that "Both routers should be the same type of device", the "Restrictions for Stateful Failover for IPsec" section of the link above requires "Both the active and standby devices must run the identical version of the Cisco IOS software" so answer E is better than answer B.
NEW QUESTION 147
An organization is implementing URL blocking using Cisco Umbrella. The users are able to go to some sites but other sites are not accessible due to an error. Why is the error occurring?
- A. Client computers do not have the Cisco Umbrella Root CA certificate installed.
- B. IP-Layer Enforcement is not configured.
- C. Client computers do not have an SSL certificate deployed from an internal CA server.
- D. Intelligent proxy and SSL decryption is disabled in the policy.
Answer: A
Explanation:
Other features are dependent on SSL Decryption functionality, which requires the Cisco Umbrella root certificate. Having the SSL Decryption feature improves:
Custom URL Blocking - Required to block the HTTPS version of a URL.
...
Umbrella's Block Page and Block Page Bypass features present an SSL certificate to browsers that make connections to HTTPS sites. This SSL certificate matches the requested site but will be signed by the Cisco Umbrella certificate authority (CA). If the CA is not trusted by your browser, an error page may be displayed.
Typical errors include "The security certificate presented by this website was not issued by a trusted certificate authority" (Internet Explorer), "The site's security certificate is not trusted!" (Google Chrome) or "This Connection is Untrusted" (Mozilla Firefox). Although the error page is expected, the message displayed can be confusing and you may wish to prevent it from appearing.
To avoid these error pages, install the Cisco Umbrella root certificate into your browser or the browsers of your users, if you're a network admin.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/rebrand-cisco-certificate-import-information
NEW QUESTION 148
How does Cisco Stealthwatch Cloud provide security for cloud environments?
- A. It assigns Internet-based DNS protection for clients and servers.
- B. It delivers visibility and threat detection.
- C. It facilitates secure connectivity between public and private networks.
- D. It prevents exfiltration of sensitive data.
Answer: B
Explanation:
Reference: https://www.content.shi.com/SHIcom/ContentAttachmentImages/SharedResources/FBLP/Cisco/Cisco-091919-Simple-IT-Whitepaper.pdf
NEW QUESTION 149
An engineer configured a new network identity in Cisco Umbrella but must verify that traffic is being routed through the Cisco Umbrella network. Which action tests the routing?
- A. Enable the Intelligent Proxy to validate that traffic is being routed correctly.
- B. Browse to http://welcome.umbrella.com/ to validate that the new identity is working
- C. Add the public IP address that the client computers are behind to a Core Identity
- D. Ensure that the client computers are pointing to the on-premises DNS servers.
Answer: A
NEW QUESTION 150
What is the result of running the crypto isakmp key ciscXXXXXXXX address 172.16.0.0 command?
- A. authenticates the IP address of the 172.16.0.0/32 peer by using the key ciscXXXXXXXX
- B. secures all the certificates in the IKE exchange by using the key ciscXXXXXXXX
- C. authenticates the IKEv2 peers in the 172.16.0.0/16 range by using the key ciscXXXXXXXX
- D. authenticates the IKEv1 peers in the 172.16.0.0/16 range by using the key ciscXXXXXXXX
Answer: A
NEW QUESTION 151
Why would a user choose an on-premises ESA versus the CES solution?
- A. Sensitive data must remain onsite.
- B. ESA is deployed inline.
- C. Demand is unpredictable.
- D. The server team wants to outsource this service.
Answer: B
NEW QUESTION 152
......