Visit here for our full Cisco 350-701 exam dumps and practice test questions.
Question 161:
Which Cisco solution provides visibility and control over networked IoT devices by classifying them and applying automated segmentation policies?
A) Cisco ISE with Device Sensor and TrustSec
B) Cisco Umbrella
C) Cisco Secure Endpoint
D) Cisco Threat Grid
Answer: A
Explanation:
Cisco Identity Services Engine (ISE), when combined with Device Sensor and TrustSec capabilities, provides robust visibility, profiling, and segmentation for IoT devices within enterprise networks. The Device Sensor component actively collects device attributes such as DHCP fingerprints, MAC Organizationally Unique Identifiers (OUIs), HTTP user agents, and other contextual information from endpoints as they connect to the network. By analyzing these characteristics, ISE can accurately identify device types, including IoT devices like IP cameras, medical monitors, or building automation systems, and determine the appropriate access policies for each device category.
Once identified, ISE leverages Cisco TrustSec to enforce policy-based segmentation through Security Group Tags (SGTs). These tags are dynamically assigned to devices and propagated across the network, allowing access control decisions to be applied consistently on switches, routers, and firewalls without relying on VLAN proliferation. For example, IP cameras can be restricted to communicate only with specific monitoring servers, while HVAC devices can be segmented to limit exposure to the rest of the corporate network. This fine-grained approach reduces attack surfaces and helps enforce the principles of least privilege across the enterprise.
Option B, Cisco Umbrella, focuses on DNS-layer security and threat blocking, but it does not provide device profiling or dynamic segmentation. Option C, Cisco Secure Endpoint, is aimed at malware prevention for traditional endpoints and does not address IoT device visibility or network access control. Option D, Cisco Threat Grid, provides sandbox-based malware analysis but is unrelated to IoT identification or segmentation.
ISE’s integration with Cisco DNA Center, Stealthwatch (Secure Network Analytics), and SecureX further enhances visibility and enforcement. Behavioral anomalies—such as an IoT thermostat initiating outbound SSH sessions—can trigger automated responses, including quarantining or restricted access. This continuous monitoring and adaptive enforcement exemplify Cisco’s Zero Trust approach for IoT, ensuring that devices are continuously verified and compliant before they gain network access.
Therefore, A is correct because Cisco ISE, combined with Device Sensor and TrustSec, enables enterprises to identify IoT devices, apply dynamic segmentation, and enforce granular access control policies, protecting the network from untrusted or potentially compromised devices while maintaining operational efficiency and scalability.
Question 162:
Which feature of Cisco Secure Firewall prevents evasion by inspecting fragmented packets and reassembling them before policy enforcement?
A) Packet Tracer
B) Stateful Inspection
C) Stream Reassembly and Normalization
D) QoS Policing
Answer: C
Explanation:
Cisco Secure Firewall uses Stream Reassembly and Normalization to ensure that all network traffic is accurately analyzed before applying security policies. Stream reassembly reconstructs fragmented or out-of-order packets into complete data streams, enabling the firewall to view the full context of the traffic as it would appear to the target host. This is crucial because attackers often exploit IP fragmentation, TCP segment overlaps, or packet-order manipulation to evade detection. Without reassembly, malicious payloads split across multiple fragments could bypass intrusion prevention rules.
Normalization complements reassembly by adjusting anomalies within the traffic stream. This includes correcting overlapping TCP segments, normalizing inconsistent flags, and handling sequence manipulation or other irregularities. These techniques are common evasion tactics used to confuse deep packet inspection engines or bypass Snort/IPS signatures. By normalizing the traffic, the firewall ensures that the content is analyzed in a form that accurately represents what the endpoint would receive, preventing attackers from hiding exploits within malformed packets.
Option A (Packet Tracer, a troubleshooting tool) assists in diagnostics but does not enforce security. Option B (Stateful Inspection) tracks session state but does not handle fragmented or anomalous packets. Option D (QoS Policing) manages bandwidth and prioritization, unrelated to content inspection or IPS accuracy.
Within the SCOR Network Security domain, stream reassembly and normalization are essential concepts for defending against evasive attacks. They allow intrusion prevention systems to detect malicious payloads reliably, even when adversaries attempt to hide them using packet fragmentation, reordering, or TCP anomalies. The combination of reassembly and normalization ensures that inspection engines operate on a complete, standardized traffic stream, increasing detection accuracy and minimizing false negatives.
Therefore, C is correct, because Cisco Secure Firewall’s stream reassembly and normalization reconstruct and standardize traffic before inspection, eliminating evasion attempts caused by fragmented packets or manipulated TCP streams and enhancing overall intrusion prevention effectiveness.
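A reassembly routine of the kind the normalizer performs, as an added illustration that is not Cisco code and not from this page: it rebuilds a constructed datagram from its fragments, flags overlapping or missing fragments, and shows that a signature string split across fragments is missed by per-packet matching but found once the stream is reassembled. The marker string, datagram and fragment offsets are constructed sample data.

```python
"""Toy IP fragment reassembly with overlap detection, modelled on what a firewall normaliser must do."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """One fragment: byte offset within the original datagram, its data, and the MF (more fragments) flag."""
    offset: int
    data: bytes
    more: bool


def reassemble(fragments, policy="first"):
    """Rebuild the datagram from fragments in arrival order.

    policy decides which bytes win when fragments overlap: "first" keeps what was
    already received, "last" lets the newer fragment overwrite. Host stacks differ
    here, which is exactly what overlap-based evasion relies on.
    Returns (payload or None, list of anomaly strings).
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf, seen, anomalies, total_len = bytearray(), bytearray(), [], None
    for n, frag in enumerate(fragments):
        if frag.offset % 8:
            anomalies.append(f"fragment {n}: offset {frag.offset} is not a multiple of 8")
        end = frag.offset + len(frag.data)
        if not frag.more:
            if total_len is not None:
                anomalies.append(f"fragment {n}: more than one final fragment")
            total_len = end
        if end > len(buf):                      # grow the buffers to cover this fragment
            buf.extend(bytes(end - len(buf)))
            seen.extend(bytes(end - len(seen)))
        overlapped = conflicting = False
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if seen[pos]:
                overlapped = True
                conflicting = conflicting or buf[pos] != byte
                if policy == "first":
                    continue
            buf[pos], seen[pos] = byte, 1
        if overlapped:
            anomalies.append(f"fragment {n}: overlaps earlier data"
                             + (" with different bytes" if conflicting else ""))
    if total_len is None:
        anomalies.append("incomplete: no final fragment (MF=0) received")
        return None, anomalies
    if len(buf) > total_len:
        anomalies.append("data received beyond the final fragment")
    if not all(seen[:total_len]):
        anomalies.append("incomplete: gap inside the datagram")
        return None, anomalies
    return bytes(buf[:total_len]), anomalies


def matches_per_fragment(fragments, pattern):
    """Packet-at-a-time inspection: looks for the pattern inside each fragment separately."""
    return any(pattern in frag.data for frag in fragments)


def matches_reassembled(fragments, pattern, policy="first"):
    """Inspection after reassembly: looks for the pattern in the rebuilt datagram."""
    payload, _ = reassemble(fragments, policy)
    return payload is not None and pattern in payload


# Constructed sample data: the "signature" is a harmless marker string.
PATTERN = b"EVIL-PATTERN"
DATAGRAM = b"GET /ab?" + PATTERN + b" HTTP/1"          # 27 bytes
# Split on 8-byte boundaries so the marker straddles fragments 1 and 2.
SPLIT = [
    Fragment(0, DATAGRAM[0:8], True),
    Fragment(8, DATAGRAM[8:16], True),
    Fragment(16, DATAGRAM[16:], False),
]
# Overlap case: a second fragment for offset 8 carries different bytes; which copy the
# target host honours decides whether the marker is present in what it actually sees.
OVERLAP = [SPLIT[0], SPLIT[1], Fragment(8, b"nice-pat", True), SPLIT[2]]

if __name__ == "__main__":
    print("per-fragment match:", matches_per_fragment(SPLIT, PATTERN))
    print("reassembled match:", matches_reassembled(SPLIT, PATTERN))
    for pol in ("first", "last"):
        print(pol, reassemble(OVERLAP, pol))
```

The overlap run shows why a normalizer either drops conflicting overlaps or applies the target host's own policy: under "first" the marker is present, under "last" it is not.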
Question 163:
What is the purpose of Cisco Duo in a Zero Trust access architecture?
A) Provides endpoint sandboxing
B) Enforces multifactor authentication and device trust before access
C) Performs DNS-layer filtering
D) Conducts NetFlow telemetry analysis
Answer: B
Explanation:
Cisco Duo is a cloud-based multi-factor authentication (MFA) and device trust platform that plays a critical role in Cisco’s Zero Trust security framework. Its primary purpose is to ensure that both the user’s identity and the health of the device are verified before granting access to corporate resources, whether those resources are on-premises or hosted in the cloud. By enforcing identity verification and device compliance, Duo helps organizations reduce the risk of unauthorized access and potential breaches.
When a user attempts to log in, Duo first validates the primary credentials through identity sources such as Active Directory, LDAP, or SAML-based identity providers. Once the primary credentials are confirmed, Duo prompts the user for a second verification factor. This can include a push notification to a mobile device, a time-based one-time password (TOTP), a hardware token, or biometric authentication such as fingerprint or facial recognition. This multi-factor process adds a strong layer of protection beyond passwords alone.
In addition to verifying identity, Duo performs device posture checks. These checks assess the security state of the device attempting to connect, including factors such as the operating system version, presence of encryption, device health, and compliance with policies like screen lock enforcement. Devices that do not meet security requirements can be blocked or quarantined until they are compliant. This ensures that only trusted and healthy devices gain access to sensitive corporate applications.
Options A, C, and D are incorrect in this context because sandboxing is provided by Threat Grid, DNS filtering and cloud-based security by Umbrella, and network telemetry analysis by Stealthwatch. Duo is focused on authentication and device trust, not malware analysis, DNS security, or flow-based threat detection.
Duo integrates seamlessly with VPNs, cloud applications, and a range of identity providers, enabling adaptive authentication. Organizations can enforce contextual access policies, such as blocking access from unrecognized geolocations, requiring device registration, or applying step-up authentication based on risk scores. This adaptive, policy-driven approach aligns with the Zero Trust principle of “never trust, always verify.”
Within Cisco’s Zero Trust Access architecture, Duo supports the Workforce pillar, ensuring that users and devices are continuously verified before granting access. It complements Cisco ISE, which handles network-based access and posture enforcement, and Secure Workload, which protects workloads and applications in hybrid environments.
Therefore, B is correct, because Cisco Duo validates both user identity and device trust, providing strong, adaptive multi-factor authentication that enables organizations to enforce continuous verification in line with Zero Trust security principles.
Question 164:
Which Cisco technology uses Security Group Tags (SGTs) to enforce identity-based network segmentation?
A) Cisco Stealthwatch
B) Cisco TrustSec
C) Cisco AMP for Endpoints
D) Cisco Umbrella
Answer: B
Explanation:
Cisco TrustSec is a network security architecture that enables identity-based segmentation using Security Group Tags (SGTs). Instead of relying solely on IP addresses or VLANs for access control, TrustSec embeds a user or device’s security identity directly into network traffic, allowing policies to be applied based on roles, departments, or device types. This approach supports consistent and scalable policy enforcement across the entire network.
When a user or device authenticates through Cisco Identity Services Engine (ISE), an SGT is assigned based on predefined attributes such as role, department, or device type. Network devices that support TrustSec—such as Cisco Catalyst switches, routers, and firewalls—use Security Group Access Control Lists (SGACLs) to enforce policies dynamically. Because policies are tied to SGTs rather than IP addresses, access rules follow the user or device across different subnets, VLANs, and VPN connections. This reduces complexity and VLAN proliferation while ensuring that segmentation is consistent across wired, wireless, and remote environments.
Option A, Stealthwatch, provides network visibility and behavioral analytics but does not enforce access policies. Option C, Cisco AMP for Endpoints (now Secure Endpoint), focuses on endpoint threat protection rather than network segmentation. Option D, Cisco Umbrella, delivers DNS-layer security and web filtering, but does not manage identity-based access control.
TrustSec supports micro-segmentation, a key component of Zero Trust architectures, by allowing fine-grained policies to restrict lateral movement within the network. For example, sensitive devices like payment systems or medical equipment can be segmented from general office devices, reducing the risk of internal threats or compromised hosts spreading across the network.
Integration with Cisco ISE and other enforcement points allows TrustSec to automatically adapt to changes in user roles or device posture. If a user’s department changes or a device becomes non-compliant, TrustSec can update access dynamically without requiring manual reconfiguration of VLANs or firewall rules.
Therefore, B is correct, because Cisco TrustSec uses Security Group Tags to implement scalable, identity-driven segmentation and consistently enforce network access policies across the enterprise. This approach simplifies management, enhances security, and aligns with the principles of Zero Trust by ensuring that access is always based on verified identity and role rather than network location.
Question 165:
Which VPN type allows users to connect securely to a corporate network via a web browser without installing client software?
A) IPsec Site-to-Site VPN
B) SSL Clientless VPN
C) GRE Tunnel
D) DMVPN
Answer: B
Explanation:
The SSL Clientless VPN provides remote users with secure access to internal corporate applications and resources using only a standard web browser. Supported by Cisco Secure Firewall (ASA and FTD platforms), this VPN type leverages HTTPS (TCP port 443) to establish an encrypted tunnel between the user’s browser and the VPN gateway, ensuring confidentiality and integrity of data in transit. Because it operates entirely over standard web protocols, users do not need to install any VPN client software, making it an ideal solution for BYOD devices, contractors, or temporary access scenarios.
Unlike IPsec VPNs or Cisco AnyConnect SSL client-based solutions, which require dedicated client software and configuration, the clientless model simplifies deployment and reduces administrative overhead. Once authenticated, users gain browser-based access to web applications, file shares, internal portals, and certain network services, depending on policies configured on the firewall. Administrators can control which applications are available based on user role, location, or device posture, providing granular access control aligned with corporate security policies.
Option A, site-to-site VPN, is designed to connect entire networks rather than individual remote users. Option C, a GRE tunnel, encapsulates traffic but provides no encryption of its own and therefore does not by itself provide secure access. Option D, DMVPN, is a dynamic IPsec VPN solution for connecting branch routers and is not intended for browser-based remote access. These alternatives differ significantly from SSL clientless VPN in purpose and deployment model.
The SSL clientless VPN can integrate with Cisco Identity Services Engine (ISE) for centralized authentication and policy enforcement. Multi-factor authentication solutions such as Cisco Duo can also be incorporated, enhancing security by verifying both user identity and device posture before granting access. This approach aligns with Zero Trust principles by ensuring that only authenticated, authorized, and compliant users can reach corporate resources.
Administrators benefit from reduced endpoint management complexity since users can connect from unmanaged devices without installing software. The solution also provides detailed logging and reporting for compliance and auditing, as all activity passes through the Secure Firewall gateway.
Therefore, B is correct, because SSL Clientless VPN allows secure, browser-based remote access to internal applications without the need for client software. It combines strong encryption, granular access control, and integration with identity and authentication services, providing a flexible and user-friendly solution for organizations that need to support remote or temporary users securely. This makes it a key component of secure remote access strategies in modern enterprise networks.
Question 166:
Which Cisco solution detects data exfiltration and insider threats by analyzing network telemetry for unusual traffic patterns?
A) Cisco Umbrella
B) Cisco Stealthwatch
C) Cisco AMP for Endpoints
D) Cisco Threat Grid
Answer: B
Explanation:
Cisco Stealthwatch, now known as Cisco Secure Network Analytics, is a comprehensive network visibility and behavior analysis platform designed to detect insider threats, data exfiltration, and other advanced security incidents. Unlike traditional signature-based detection tools, Stealthwatch relies on continuous monitoring of network telemetry, including NetFlow, IPFIX, and metadata from encrypted traffic, to establish a baseline of normal network behavior. By comparing ongoing activity against this baseline, it can identify anomalies that may indicate malicious behavior, such as unusually large data transfers, connections to unexpected external destinations, or access occurring outside normal business hours.
Option A, Cisco Umbrella, focuses on DNS-layer protection and threat blocking. Option C, AMP for Endpoints, is primarily concerned with file-based malware detection on endpoints. Option D, Threat Grid, provides sandboxing for analyzing suspicious files. None of these solutions provide the network-centric behavioral analytics that Stealthwatch offers.
The core of Stealthwatch’s detection capability lies in its Security Analytics Engine, which assigns threat scores to hosts based on deviations from baseline behavior. High-risk events are prioritized, enabling security teams to focus on the most critical threats. For example, a workstation suddenly transferring large volumes of sensitive data to an unusual external server would trigger an alert with a high threat score. These insights provide organizations with the ability to detect stealthy, “low and slow” attacks that may bypass traditional perimeter defenses.
Integration with Cisco Identity Services Engine (ISE) enhances enforcement capabilities. When Stealthwatch identifies a compromised or high-risk host, it can automatically trigger actions such as quarantining the device or restricting network access, reducing dwell time and preventing further compromise. Furthermore, through Cisco SecureX, telemetry from Stealthwatch can be correlated with events from other Cisco security solutions, creating a unified threat detection and response framework. This integration enables automated workflows, such as blocking suspicious domains, updating firewall policies, or initiating endpoint remediation.
Stealthwatch is also capable of monitoring hybrid and cloud environments, ensuring visibility across distributed networks and remote users. Its machine-learning models continuously adapt to evolving network patterns, providing real-time detection of internal and external threats that would otherwise remain hidden.
Therefore, B is correct, because Cisco Stealthwatch leverages behavioral analytics and network telemetry to detect both insider and external threats, uncovering compromised hosts, data exfiltration, and anomalous activity that traditional signature-based solutions might miss. This makes it a critical tool in enterprise threat detection and network security monitoring strategies.
Question 167:
Which cryptographic algorithm is asymmetric and used primarily for secure key exchange in VPNs?
A) AES
B) SHA-256
C) Diffie-Hellman
D) MD5
Answer: C
Explanation:
The Diffie-Hellman (DH) algorithm is a foundational asymmetric key-exchange protocol widely used in IPsec, SSL/TLS, and other secure communications to establish a shared secret between two parties over an untrusted network. Unlike symmetric algorithms such as AES, where the same key must be securely exchanged beforehand, DH allows each peer to independently compute a common session key without directly transmitting it. This approach ensures that even if an attacker is eavesdropping on the key exchange, they cannot derive the shared secret, thereby preserving confidentiality.
Option A, AES, is a symmetric encryption algorithm used to encrypt data once a key is established. Option B, SHA-256, is a cryptographic hash function used for integrity and digital signatures. Option D, MD5, is an outdated hash function with known vulnerabilities. None of these perform the key-exchange function that DH provides.
In IPsec VPN deployments, Diffie-Hellman is critical during the Internet Key Exchange (IKE) phase. The two peers negotiate a DH group, such as Group 14 or Group 19, which specifies the size of the prime modulus and generator used for key computation. Larger groups provide stronger cryptographic strength but may require more computational resources. Implementing DH with Perfect Forward Secrecy (PFS) ensures that each session generates a unique key, so even if a long-term key is compromised, past communications remain secure. This is vital for protecting sensitive information in transit and mitigating long-term exposure risks.
DH’s asymmetric nature also facilitates secure establishment of session keys in SSL/TLS, ensuring that web traffic can be encrypted without sharing private keys. It is a core element of modern secure protocols, enabling safe communications over public networks.
Therefore, C is correct, because Diffie-Hellman provides secure, asymmetric key exchange that allows VPN peers or TLS clients and servers to establish shared session keys safely. This guarantees confidentiality, supports Perfect Forward Secrecy, and underpins the encryption of data in transit, making it an essential component of secure communications.
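The exchange described above, as an added example that is not from the page or from Cisco: a toy 128-bit safe-prime group generated at run time stands in for the fixed IKE groups (Group 14 is a 2048-bit MODP group), each peer draws a fresh ephemeral exponent, both sides derive the same key with an IKEv2-style SKEYSEED = prf(Ni | Nr, g^ir), and a second run yields a different key, which is the property Perfect Forward Secrecy relies on. The group size, nonces and HMAC-SHA256 prf are assumptions made for the demo.

```python
"""Ephemeral Diffie-Hellman exchange with an IKEv2-style key derivation (toy group size)."""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for a demonstration group."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits):
    """Return p = 2q + 1 with p and q prime, so g = 2 lies in a large prime-order subgroup.
    Toy sizes only: IKE uses fixed standardised groups (Group 14 is a 2048-bit MODP group)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p


class DhPeer:
    """One IKE peer: a fresh ephemeral exponent per exchange, which is what gives PFS."""

    def __init__(self, p, g=2):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 3) + 2   # x, never leaves this peer
        self.public = pow(g, self.private, p)         # g^x mod p, sent in the clear

    def shared_secret(self, peer_public):
        """g^(xy) mod p, after rejecting degenerate public values that would force a trivial secret."""
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid DH public value")
        return pow(peer_public, self.private, self.p)


def accepts_public_value(peer, value):
    """True if the peer would accept this public value (exposes the sanity check for testing)."""
    try:
        peer.shared_secret(value)
        return True
    except ValueError:
        return False


def skeyseed(shared, nonce_i, nonce_r):
    """Modelled on IKEv2 (RFC 7296): SKEYSEED = prf(Ni | Nr, g^ir), here with HMAC-SHA256 as the prf."""
    g_ir = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, g_ir, hashlib.sha256).digest()


def run_exchange(p):
    """One initiator/responder exchange. Only the nonces and public values cross the wire."""
    nonce_i, nonce_r = secrets.token_bytes(32), secrets.token_bytes(32)
    initiator, responder = DhPeer(p), DhPeer(p)
    wire = {"Ni": nonce_i, "Nr": nonce_r, "KEi": initiator.public, "KEr": responder.public}
    key_i = skeyseed(initiator.shared_secret(wire["KEr"]), wire["Ni"], wire["Nr"])
    key_r = skeyseed(responder.shared_secret(wire["KEi"]), wire["Ni"], wire["Nr"])
    return key_i, key_r


if __name__ == "__main__":
    p = generate_safe_prime(128)
    k1, k2 = run_exchange(p)
    k3, _ = run_exchange(p)
    print("peers agree:", k1 == k2, "| next session differs (PFS):", k1 != k3)
```

Nothing in `wire` lets an observer recover the key, and because the exponents are discarded after each run, a later compromise of either peer's long-term credentials does not expose earlier session keys.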
Question 168:
What is the function of Cisco Secure Workload (Tetration) in a hybrid cloud environment?
A) Provides DNS-layer protection
B) Offers workload segmentation, visibility, and policy enforcement across on-prem and cloud data centers
C) Serves as a VPN gateway
D) Acts as an email security appliance
Answer: B
Explanation:
Cisco Secure Workload, formerly known as Cisco Tetration, is a comprehensive security platform designed to provide granular visibility, microsegmentation, and policy enforcement across hybrid data center environments, including both on-premises and cloud workloads. Unlike traditional perimeter-based defenses, Secure Workload focuses on the east-west traffic within a network, monitoring how applications and workloads communicate with each other to prevent lateral movement of threats and enforce least-privilege access policies.
The platform continuously collects telemetry from software agents installed on workloads or from network sensors, capturing rich data on process execution, network connections, and application dependencies. By analyzing this information, Secure Workload automatically builds an application dependency map, allowing administrators to see which services and workloads interact, the frequency and nature of their communications, and potential security risks. This level of visibility is critical for understanding the operational context of each workload and ensuring that only necessary interactions are permitted.
Option A, Cisco Umbrella, provides DNS-layer protection but does not offer visibility or segmentation at the workload level. Option C, a VPN gateway, secures remote access but does not monitor internal workload communication. Option D, an email security appliance, protects messaging but is not involved in application-level policy enforcement or microsegmentation. None of these options address the specific need for workload-level enforcement and visibility that Secure Workload provides.
Once application dependencies are mapped, administrators can define intent-based microsegmentation policies. These policies enforce strict access controls, ensuring that workloads can communicate only with authorized peers and services. This approach reduces the attack surface significantly, as even if a workload is compromised, an attacker cannot move laterally to other sensitive systems. Secure Workload also integrates with Cisco SecureX, Stealthwatch, and ISE, providing a unified, Zero Trust-aligned framework that spans identity, network, and workload security domains.
By combining continuous monitoring, automated mapping, and policy enforcement, Cisco Secure Workload enables organizations to implement robust, scalable microsegmentation across complex hybrid environments. It provides actionable insights, reduces risk, and supports compliance with internal security standards and regulatory requirements.
Therefore, B is correct, because Cisco Secure Workload delivers comprehensive workload visibility, microsegmentation, and security policy enforcement, effectively preventing lateral threat propagation and aligning with Zero Trust security principles across hybrid data center environments.
Question 169:
Which Cisco tool automates security policy deployment and integrates with ISE, Stealthwatch, and Firepower through APIs?
A) Cisco Threat Grid
B) Cisco SecureX Orchestration
C) Cisco DNA Spaces
D) Cisco AnyConnect
Answer: B
Explanation:
Cisco SecureX Orchestration is a centralized platform designed to automate security operations and policy enforcement across Cisco and third-party security solutions. It provides a low-code, drag-and-drop interface that allows security teams to quickly build automated workflows, reducing manual intervention in threat detection, investigation, and remediation. By connecting tools such as Cisco ISE, Stealthwatch, Secure Firewall (Firepower), and Umbrella, SecureX Orchestration enables a unified, consistent response to security events across the enterprise.
The platform leverages APIs and webhooks to integrate deeply with Cisco products as well as third-party solutions, creating a flexible framework for automation. Security teams can construct playbooks that automatically trigger actions based on specific conditions—for example, blocking a malicious domain in Umbrella when it is detected by Secure Endpoint, quarantining a compromised host identified by Stealthwatch, or dynamically updating ISE access policies to restrict a user or device exhibiting suspicious behavior. These automated workflows not only accelerate response times but also reduce human error and enforce consistent security practices across the organization.
Option A, Cisco Threat Grid, provides malware sandboxing and analysis but does not orchestrate multi-platform responses. Option C, Cisco DNA Spaces, focuses on location analytics and does not directly enforce security policies. Option D, Cisco AnyConnect, is a VPN client that secures connectivity but does not automate security operations or workflow integration. None of these alternatives provide the comprehensive automation and orchestration capabilities that SecureX Orchestration delivers.
SecureX Orchestration also supports integration with SIEM and SOAR platforms, enabling organizations to combine threat intelligence, telemetry, and policy enforcement in a centralized framework. This capability aligns with the Zero Trust principle of continuous verification and automated mitigation, ensuring that threats are quickly contained and that response actions are consistently applied across the enterprise. By providing a single interface to orchestrate complex security operations, SecureX Orchestration enhances visibility, reduces operational overhead, and accelerates incident response.
Therefore, B is correct, because Cisco SecureX Orchestration enables centralized, automated policy management and incident response across Cisco’s security ecosystem through API-based workflows, ensuring faster, more consistent, and more efficient security operations.
Question 170:
In Cisco email security, which feature detects and blocks messages containing malicious URLs before the user can click them?
A) Advanced Phishing Protection
B) URL Reputation Filtering
C) AMP File Reputation
D) DomainKeys Identified Mail (DKIM)
Answer: B
Explanation:
Cisco Secure Email Gateway (formerly ESA) provides comprehensive protection against email-borne threats, and one of its key capabilities is URL Reputation Filtering. This feature examines all links embedded within incoming email messages and evaluates them against Cisco Talos’ global threat intelligence. By comparing URLs to known malicious domains or newly observed suspicious sites, the gateway can block access to phishing pages, malware distribution portals, or command-and-control servers before a user ever clicks on a link. This proactive approach is often called “pre-click protection” because it prevents exposure at the earliest point in the attack chain.
When a suspicious URL is detected, Cisco Secure Email Gateway can take several protective actions. It may rewrite the URL to redirect users to a safe warning page, block the message entirely, or flag it for administrator review. This capability is particularly important in defending against phishing campaigns, business email compromise (BEC), and other social-engineering attacks that attempt to trick users into revealing credentials or installing malware. By stopping the threat before it reaches the endpoint, URL Reputation Filtering reduces the risk of compromise and supports a layered security strategy.
Option A, Advanced Phishing Protection, identifies unusual sender behavior or anomalies in email traffic but does not specifically evaluate URLs for malicious reputation. Option C, AMP File Reputation, focuses on file-based (attachment) threats rather than links embedded in email content. Option D, DKIM, provides cryptographic validation of the sender’s identity to prevent spoofing, but it does not assess the safety of URLs. None of these options provide the same level of pre-click, URL-specific protection as URL Reputation Filtering.
URL Reputation Filtering works best as part of a broader email security framework. Cisco recommends combining it with Advanced Malware Protection (AMP) for Email, which performs file-based detection and retrospective analysis, and with DMARC, DKIM, and SPF enforcement to ensure message authenticity. Together, these layers provide both identity verification and threat prevention, reducing the likelihood of successful phishing or malware campaigns.
Therefore, B is correct, because Cisco Secure Email Gateway’s URL Reputation Filtering protects users from malicious links by leveraging Cisco Talos intelligence and real-time analysis. By blocking or rewriting unsafe URLs before a user clicks, it provides proactive email security, reduces risk exposure, and forms a critical component of a multi-layered defense against phishing and malware attacks. This capability ensures that malicious URLs never reach the end user, maintaining organizational security and trust in email communications.
Question 171:
Which Cisco technology provides endpoint visibility, malware prevention, and retrospective detection by continuously monitoring file behavior after initial inspection?
A) Cisco AMP for Endpoints (Secure Endpoint)
B) Cisco Stealthwatch
C) Cisco Umbrella
D) Cisco Threat Grid
Answer: A
Explanation:
Cisco AMP for Endpoints, now called Cisco Secure Endpoint, is Cisco’s advanced endpoint protection platform that combines signatureless malware detection, behavioral analysis, and continuous monitoring. Unlike traditional antivirus software, Secure Endpoint doesn’t stop after initial file scanning—it continuously tracks file behavior and system activity, allowing retrospective detection if a file later proves malicious.
When a file is first encountered, AMP queries Cisco Talos Intelligence Cloud for its reputation. If the file is clean, execution proceeds while background monitoring continues. Should Talos later identify that same file as malware, Secure Endpoint automatically generates alerts and can quarantine or remove it from every affected endpoint.
Option B, Stealthwatch, analyzes network telemetry, not file-level behavior. C, Umbrella, provides DNS-layer security, and D, Threat Grid, performs dynamic sandboxing but doesn’t continuously monitor endpoints.
Secure Endpoint integrates with SecureX to correlate indicators across other Cisco security platforms such as Umbrella and Firepower, enabling coordinated response. It also includes exploit prevention, file trajectory visualization, and built-in EDR (Endpoint Detection and Response) capabilities for forensic investigations.
Therefore, A is correct, because Cisco Secure Endpoint (AMP for Endpoints) continuously monitors file activity to detect, contain, and remediate malware, providing both proactive and retrospective endpoint protection.
Question 172:
Which protocol is primarily used by Cisco ISE to communicate authorization and accounting information to network access devices such as switches and wireless controllers?
A) TACACS+
B) RADIUS
C) LDAP
D) SNMP
Answer: B
Explanation:
RADIUS (Remote Authentication Dial-In User Service) is the protocol Cisco Identity Services Engine (ISE) uses for authentication, authorization, and accounting (AAA) with network access devices, whether the endpoint authenticates with 802.1X, MAC Authentication Bypass (MAB), or web authentication. When a user or device attempts to connect, the network access device (NAD) acts as the RADIUS client and forwards the request to ISE over UDP port 1812 (authentication and authorization) and 1813 (accounting); ISE also listens on the legacy ports 1645 and 1646, which many Cisco IOS devices still use by default. Each NAD and ISE share a RADIUS secret that authenticates the exchange, so it should be long and unique per device.
ISE verifies the credentials, retrieves user or device attributes, evaluates its authorization policy, and returns the result in the Access-Accept as RADIUS attributes: a VLAN assignment (Tunnel-Private-Group-ID), a downloadable ACL (dACL), or a Security Group Tag (SGT) carried in a Cisco AV pair. The NAD enforces whatever those attributes say, which is why the integrity of that reply matters.
Option A, TACACS+, is used for device administration (authenticating and authorizing administrators on the network devices themselves, with per-command authorization), not for endpoint network access. C, LDAP, is an external identity store ISE can query during authentication, not the protocol between ISE and the NAD. D, SNMP, is used for monitoring and for ISE profiling queries, not for AAA.
EAP (Extensible Authentication Protocol) methods such as EAP-TLS, PEAP, and EAP-FAST are carried inside RADIUS in EAP-Message attributes, so RADIUS is also the transport for certificate-based and tunnelled authentication: EAP-TLS authenticates both the supplicant and ISE with certificates, while PEAP and EAP-FAST protect inner credentials inside a TLS tunnel. RADIUS Change of Authorization (CoA, RFC 5176) runs in the other direction: ISE sends a CoA to the NAD (UDP port 1700 by default on Cisco devices, 3799 in the RFC) to reauthenticate or quarantine a session that was already admitted, which is how posture changes and orchestrated responses get enforced. Integration with Cisco TrustSec allows identity-based policy enforcement using the SGT passed through RADIUS attributes.
Therefore, B is correct, because Cisco ISE relies on the RADIUS protocol to communicate AAA information to access devices, enabling dynamic and secure network access control across wired, wireless, and VPN infrastructures.
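The Access-Accept described above, as an added example that is not Cisco ISE code: it encodes the VLAN, dACL and SGT authorization as RADIUS attributes, computes the Response Authenticator the NAD checks (MD5 over code, ID, length, the request authenticator, the attributes and the shared secret, per RFC 2865), and shows the NAD-side parse and verification. The shared secret, request authenticator, username, VLAN, dACL name and SGT value are constructed for the demo; the cisco-av-pair strings follow the ACS:CiscoSecure-Defined-ACL and cts:security-group-tag forms ISE uses.

```python
"""RADIUS Access-Accept builder, verifier and authorization parser (RFC 2865/2868).
Added example, not ISE or IOS code; all secrets and identifiers are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, VENDOR_SPECIFIC = 1, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value; Length covers all three fields."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet big-endian value."""
    return bytes([tag]) + struct.pack(">I", value)[1:]


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) for vendor 9 (Cisco) carrying sub-attribute 1, cisco-avpair."""
    sub = text.encode()
    inner = struct.pack(">I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(sub) + 2]) + sub
    return avp(VENDOR_SPECIFIC, inner)


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAD side: recompute the authenticator before trusting any attribute in the reply."""
    if len(packet) < 20 or struct.unpack(">H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet: bytes):
    """Yield (type, value) for each attribute after the 20-byte header."""
    i = 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        yield attr_type, packet[i + 2:i + length]
        i += length


def authorization_from_accept(packet: bytes) -> dict:
    """Pull out the dynamic authorization ISE pushes: VLAN, dACL name and SGT."""
    result = {"vlan": None, "dacl": None, "sgt": None}
    for attr_type, value in parse_attrs(packet):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet below 0x20 is a tag, not part of the group name.
            result["vlan"] = (value[1:] if value and value[0] < 0x20 else value).decode()
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 4 \
                and struct.unpack(">I", value[:4])[0] == CISCO_VENDOR_ID:
            j = 4
            while j < len(value):
                sub_len = value[j + 1]
                if sub_len < 2:
                    raise ValueError("malformed VSA")
                text = value[j + 2:j + sub_len].decode()
                if text.startswith("ACS:CiscoSecure-Defined-ACL="):
                    result["dacl"] = text.split("=", 1)[1]
                elif text.startswith("cts:security-group-tag="):
                    result["sgt"] = text.split("=", 1)[1]
                j += sub_len
    return result


def demo_accept():
    """Constructed Access-Accept for an IP camera: VLAN 30, a dACL and SGT 3."""
    secret = b"constructed-shared-secret"          # constructed; per-NAD secret in practice
    request_auth = bytes(range(16))                # constructed; random in a real Access-Request
    attrs = (avp(USER_NAME, b"cam-01")
             + avp(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN))
             + avp(TUNNEL_MEDIUM_TYPE, tagged_int(1, MEDIUM_IEEE_802))
             + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"30")
             + cisco_avpair("ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-IPCAM_ONLY-5f2a")
             + cisco_avpair("cts:security-group-tag=0003-00"))
    packet = build_response(ACCESS_ACCEPT, 0x2A, request_auth, attrs, secret)
    return packet, request_auth, secret


if __name__ == "__main__":
    pkt, req_auth, sec = demo_accept()
    print("authenticator valid:", verify_response(pkt, req_auth, sec))
    print("authorization:", authorization_from_accept(pkt))
```

The verifier is the part worth keeping in mind: the only thing binding the VLAN, dACL and SGT to ISE is an MD5 keyed by the shared secret, so a weak or reused secret lets anyone on the path rewrite the authorization a switch enforces. Flipping one byte of the Tunnel-Private-Group-ID in the demo packet still parses cleanly but fails `verify_response`.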
Question 173:
In a Cisco Secure Firewall (Firepower) deployment, which feature detects and blocks attempts to exploit known software vulnerabilities?
A) Intrusion Prevention System (IPS)
B) AMP File Policy
C) URL Filtering
D) Application Visibility and Control (AVC)
Answer: A
Explanation:
The Intrusion Prevention System (IPS) engine within Cisco Secure Firewall Threat Defense (formerly Firepower) inspects traffic for exploits targeting known vulnerabilities. Powered by the Snort 2 or Snort 3 detection engine, it compares network traffic against a database of rules maintained by Cisco Talos to identify attack patterns such as buffer overflows, SQL injection, or remote code execution attempts, and it needs cleartext to do so: traffic the firewall cannot decrypt is matched only on what remains visible.
When the IPS identifies malicious traffic, it can block, reset, or alert based on configured policies. Additionally, the engine supports contextual analysis—combining vulnerability information, application type, and target OS to reduce false positives and prioritize high-impact threats.
Option B protects against malware files but not network exploit traffic. C restricts access to web categories, while D identifies and classifies applications but does not perform vulnerability analysis.
IPS also supports inline or passive modes, allowing flexibility between detection and prevention. Integration with SecureX enables unified incident response by correlating IPS alerts with endpoint or DNS telemetry.
Therefore, A is correct, because Cisco Secure Firewall’s Intrusion Prevention System inspects live traffic for exploit signatures, providing real-time protection against attacks targeting software vulnerabilities.
Question 174:
Which Cisco feature provides enhanced visibility into encrypted traffic to detect malware without decrypting the packets?
A) Encrypted Traffic Analytics (ETA)
B) SSL Decryption Proxy
C) IPS Inline Mode
D) DNS Sinkhole
Answer: A
Explanation:
Cisco Encrypted Traffic Analytics (ETA) uses flow telemetry and machine learning to detect malware in encrypted traffic without decryption, preserving privacy while maintaining security. ETA works from metadata exported by the network devices themselves, chiefly the initial data packet (IDP) of a flow, which for TLS carries the unencrypted ClientHello (offered cipher suites, extensions, SNI), and the sequence of packet lengths and times (SPLT) of the packets that follow, together with ordinary flow records. Those features are enough to separate a browser session from a beaconing implant, because malware families tend to use distinctive TLS libraries and regular, uniformly sized check-ins.
Option B actually decrypts and inspects SSL/TLS traffic, which introduces latency and potential privacy issues. C, IPS Inline Mode, matches signatures against the bytes it can read, so against an encrypted payload it sees only ciphertext unless a decryption policy sits in front of it. D, DNS Sinkhole, redirects malicious DNS queries but doesn’t analyze traffic patterns at all.
ETA combines telemetry from Cisco Catalyst switches, NetFlow/IPFIX exporters, and Stealthwatch analytics to classify encrypted flows as benign or malicious. Leveraging machine learning models trained on global Talos intelligence, it detects anomalies like command-and-control channels hidden in HTTPS or TLS sessions.
This technology aligns with the SCOR Network Visibility and Enforcement domain, demonstrating Cisco’s ability to maintain security efficacy in a world of pervasive encryption.
Therefore, A is correct, because Cisco Encrypted Traffic Analytics detects threats hidden in encrypted flows using metadata analysis, offering high visibility without compromising data privacy or performance.
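The SPLT idea from the explanation above, as an added example rather than anything from Cisco ETA: it builds the sequence of packet lengths and times from flow metadata only (no payload), derives regularity features from it, and applies a threshold rule that flags a beacon-like flow. The two flows, the thresholds and the sign convention for direction are constructed for the demo; ETA's real pipeline feeds such features, plus the initial data packet, into trained models rather than fixed thresholds.

```python
"""SPLT-style features from encrypted-flow metadata. Added example, not ETA code.
Packets are (timestamp_seconds, payload_length, direction); flows are constructed."""
import statistics

# Constructed: a short browsing session with irregular timing and sizes.
BROWSING = [(0.00, 517, "out"), (0.04, 1400, "in"), (0.05, 120, "out"), (0.20, 1400, "in"),
            (0.90, 980, "out"), (0.95, 620, "in"), (1.20, 240, "out"), (4.70, 1400, "out"),
            (4.80, 1400, "in"), (5.00, 300, "out"), (12.30, 88, "out"), (12.40, 640, "out")]
# Constructed: a C2-style heartbeat, 312 bytes out every 60 s with a small reply.
BEACON = sorted([(t * 60.0, 312, "out") for t in range(10)]
                + [(t * 60.0 + 0.2, 96, "in") for t in range(10)])


def splt(packets, n=10):
    """Sequence of Packet Lengths and Times for the first n packets of a flow.
    Length sign encodes direction (+ client to server, - server to client);
    the second element is the gap since the previous packet in seconds."""
    seq, prev = [], None
    for ts, length, direction in packets[:n]:
        gap = 0 if prev is None else ts - prev
        seq.append((length if direction == "out" else -length, gap))
        prev = ts
    return seq


def _cv(values):
    """Coefficient of variation; 0.0 means perfectly regular."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else 0.0


def features(packets):
    """Regularity features over the outbound side, where beacons show their hand."""
    outbound = [p for p in packets if p[2] == "out"]
    gaps = [b[0] - a[0] for a, b in zip(outbound, outbound[1:])]
    sizes = [p[1] for p in outbound]
    up = sum(sizes)
    down = sum(p[1] for p in packets if p[2] == "in")
    return {
        "outbound_packets": len(outbound),
        "period_cv": _cv(gaps) if gaps else 0.0,   # timing regularity
        "size_cv": _cv(sizes) if sizes else 0.0,   # size regularity
        "upload_ratio": up / (up + down) if up + down else 0.0,
    }


def is_beacon_like(packets, min_packets=6, max_period_cv=0.2, max_size_cv=0.1):
    """Threshold rule standing in for the trained classifier (thresholds assumed)."""
    f = features(packets)
    return (f["outbound_packets"] >= min_packets
            and f["period_cv"] <= max_period_cv
            and f["size_cv"] <= max_size_cv)


if __name__ == "__main__":
    for name, flow in (("browsing", BROWSING), ("beacon", BEACON)):
        print(name, splt(flow, 4), features(flow), is_beacon_like(flow))
```

Nothing here looks at a single payload byte, which is the point of the technique: the exporter on the switch or router only has to count and time packets, and a flow whose outbound packets are the same size at the same interval is suspicious regardless of what the TLS session encrypts.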
Question 175:
What is the primary benefit of using Cisco SecureX orchestration in a SOC (Security Operations Center)?
A) It replaces all manual security tools
B) It automates repetitive security workflows and integrates multi-vendor solutions
C) It only collects log data from firewalls
D) It decrypts SSL traffic for all devices
Answer: B
Explanation:
Cisco SecureX Orchestration allows security operations teams to automate repetitive processes such as incident triage, IOC enrichment, and containment actions. Using a low-code, drag-and-drop interface, analysts can create playbooks that integrate multiple Cisco and third-party tools through REST APIs—reducing manual workload and improving response speed.
Option A is incorrect; SecureX enhances, not replaces, existing tools. C is too limited, and D is unrelated to orchestration.
For example, a SecureX playbook can automatically quarantine an endpoint in ISE, block a domain in Umbrella, and update a Secure Firewall ACL—all triggered by a single detection event in AMP for Endpoints. SecureX also provides a unified dashboard showing alerts, device inventories, and investigation timelines, improving cross-platform visibility.
This orchestration capability is part of Cisco’s Security Automation and Visibility SCOR domain, emphasizing operational efficiency and unified response.
Therefore, B is correct, because SecureX Orchestration automates workflows and unifies security operations across Cisco and third-party ecosystems, enabling faster and more consistent incident response.
Question 176:
Which feature of Cisco Stealthwatch enables rapid detection of data exfiltration attempts by identifying large, unusual outbound data transfers?
A) Flow Collector
B) Host Group Mapping
C) Data Hoarding and Exfiltration Detection Engine
D) Adaptive Network Control
Answer: C
Explanation:
The detection described in option C within Cisco Stealthwatch detects abnormal outbound traffic patterns that may indicate data theft. By analyzing NetFlow or IPFIX telemetry, it establishes a baseline of normal data transfer volumes for each host over a learning period, then raises a security event when the host departs from it, such as a sudden large upload to a destination it has never talked to. Stealthwatch pairs this with its Data Hoarding events, which catch the preceding step where a host collects an unusual volume from internal servers before pushing it out.
Option A refers to the component that gathers and deduplicates flows, B organizes endpoints into logical groups (which also gives the baselines their peer context), and D, Adaptive Network Control, is an ISE feature, not a Stealthwatch one.
This behavioral analytics capability helps security teams uncover insider threats and advanced persistent attacks that bypass perimeter defenses. Integration with Cisco ISE through pxGrid allows Stealthwatch to request quarantine of the offending host, which ISE enforces with Adaptive Network Control and a RADIUS Change of Authorization to the switch or wireless controller.
Therefore, C is correct, because Stealthwatch’s data exfiltration engine identifies suspicious outbound traffic volumes and destinations, enabling early detection of insider threats and compromised accounts.
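The baseline-and-deviation logic described above, as an added example that is not Stealthwatch code: it aggregates constructed NetFlow-style records per host and day, takes the median of the host's earlier days as the baseline, and raises an alert when today's outbound volume exceeds it by a configurable ratio, listing any destinations the host never used before. The records, host addresses (RFC 1918 and TEST-NET ranges), ratio and minimum learning period are all assumptions for the demo.

```python
"""Per-host outbound baseline and exfiltration alerting over flow records.
Added example, not Stealthwatch code. All flow records are constructed."""
from collections import defaultdict
import statistics

# Constructed flow records: (day, src_host, dst_ip, bytes_out).
# 10.1.20.15 talks to two internal servers for a week, then pushes ~8.6 GB
# to an external address it has never contacted. 10.1.20.16 stays steady.
FLOWS = []
for _i in range(1, 8):
    _day = f"2024-05-0{_i}"
    FLOWS.append((_day, "10.1.20.15", "10.1.50.8", 110_000_000 + _i * 3_000_000))
    FLOWS.append((_day, "10.1.20.15", "10.1.50.9", 20_000_000))
    FLOWS.append((_day, "10.1.20.16", "10.1.50.8", 90_000_000))
FLOWS += [
    ("2024-05-08", "10.1.20.15", "10.1.50.8", 115_000_000),
    ("2024-05-08", "10.1.20.15", "203.0.113.77", 8_600_000_000),
    ("2024-05-08", "10.1.20.16", "10.1.50.8", 95_000_000),
]


def detect_exfiltration(flows, day, ratio=5.0, min_history_days=5):
    """Alert on hosts whose outbound volume on `day` exceeds ratio * their median daily
    volume over earlier days. Hosts without enough history are skipped, not alerted:
    a flow collector is still learning them, and alerting there would only add noise."""
    history = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes out
    known_destinations = defaultdict(set)              # host -> destinations seen before `day`
    today = defaultdict(lambda: defaultdict(int))      # host -> dst -> bytes out on `day`
    for d, host, dst, nbytes in flows:                 # ISO dates compare as strings
        if d < day:
            history[host][d] += nbytes
            known_destinations[host].add(dst)
        elif d == day:
            today[host][dst] += nbytes

    alerts = []
    for host, per_dst in today.items():
        daily_totals = list(history[host].values())
        if len(daily_totals) < min_history_days:
            continue
        baseline = statistics.median(daily_totals)    # median resists a few odd days
        total = sum(per_dst.values())
        if baseline and total > ratio * baseline:
            alerts.append({
                "host": host,
                "day": day,
                "bytes_out": total,
                "baseline": baseline,
                "ratio": round(total / baseline, 1),
                "new_destinations": sorted(d for d in per_dst if d not in known_destinations[host]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(FLOWS, "2024-05-08"):
        print(alert)
```

Two details carry over to production tuning: the baseline is per host, so a backup server that always uploads a lot does not drown out a workstation that suddenly does, and the new-destination list is what turns a volume alarm into something an analyst can act on.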
Question 177:
In a Cisco email security deployment, which feature rewrites suspicious URLs in received emails and re-scans them at the time of click?
A) Cisco Advanced Phishing Protection
B) Cisco AMP File Analysis
C) Cisco URL Filtering with Time-of-Click Protection
D) Cisco DMARC Verification
Answer: C
Explanation:
Cisco URL Filtering with Time-of-Click Protection enhances email security by rewriting URLs in incoming messages so that the click passes through Cisco’s hosted web proxy rather than going straight to the original site. When a user selects the link, the proxy re-evaluates the original URL in real time using current Talos threat intelligence. If the site has since been determined malicious, the user is blocked, even though the message was delivered when the link was still benign. The rewritten link must bind the original URL to the message so that an attacker cannot mint proxy links of their own; otherwise the proxy becomes an open redirect that lends the vendor's reputation to phishing pages.
Option A, Advanced Phishing Protection, models sender identity and behaviour to catch impersonation; B analyzes attachments; D validates that the sender is authorized for the domain but says nothing about link safety.
This capability is crucial for combating delayed-activation phishing campaigns, where attackers modify links after email delivery. Combined with AMP for Email, SPF, DKIM, and DMARC, it forms a multilayered defense.
Therefore, C is correct, because Time-of-Click URL protection dynamically re-evaluates embedded links to prevent user exposure to newly weaponized malicious sites.
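The rewrite-and-re-evaluate flow above, as an added example rather than Cisco's implementation: it rewrites every URL in a message body into a link to a click-time proxy, signs the original URL with an HMAC so the proxy only serves links it issued, and on click verifies the signature and consults the reputation current at that moment. The proxy host `secure-web.example`, the signing key, the message text and the reputation table are all constructed stand-ins.

```python
"""Time-of-click URL rewriting with an HMAC-bound original URL.
Added example, not Cisco Secure Email code; host, key and message are constructed."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

REWRITE_HOST = "https://secure-web.example"   # constructed stand-in for the click-time proxy
SIGNING_KEY = b"constructed-signing-key"      # constructed; a real deployment keeps this server-side
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRAILING_PUNCTUATION = ".,;:)"


def sign(original_url: str) -> str:
    return hmac.new(SIGNING_KEY, original_url.encode(), hashlib.sha256).hexdigest()


def rewrite_urls(body: str) -> str:
    """Replace each URL in the body with a proxy link carrying the original and its MAC."""
    def replace(match):
        raw = match.group(0)
        original = raw.rstrip(TRAILING_PUNCTUATION)   # keep sentence punctuation out of the URL
        trail = raw[len(original):]
        return f"{REWRITE_HOST}/click?u={quote(original, safe='')}&t={sign(original)}{trail}"
    return URL_RE.sub(replace, body)


def rewritten_links(body: str):
    """Find the proxy links in an already rewritten body (64 hex chars = SHA-256 MAC)."""
    pattern = re.escape(REWRITE_HOST) + r"/click\?u=\S+?&t=[0-9a-f]{64}"
    return re.findall(pattern, body)


def resolve_click(proxy_url: str, reputation: dict):
    """Click time: verify the link was issued by us, then judge the original URL using the
    reputation available now, not at delivery. Returns (decision, detail)."""
    if not proxy_url.startswith(REWRITE_HOST + "/click?"):
        return ("error", "not a rewritten link")
    query = parse_qs(urlparse(proxy_url).query)        # parse_qs percent-decodes the values
    original = query.get("u", [""])[0]
    token = query.get("t", [""])[0]
    if not hmac.compare_digest(sign(original), token):
        return ("block", "tampered or forged link")
    verdict = reputation.get(urlparse(original).hostname, "unknown")
    if verdict == "malicious":
        return ("block", original)
    return ("allow", original)


# Constructed message body; the domain is in the reserved .example TLD.
BODY = "Invoice ready: https://invoice-portal.example/dl?id=4417. Thanks"

if __name__ == "__main__":
    rewritten = rewrite_urls(BODY)
    link = rewritten_links(rewritten)[0]
    print(rewritten)
    print("at delivery:", resolve_click(link, {"invoice-portal.example": "clean"}))
    print("at click:   ", resolve_click(link, {"invoice-portal.example": "malicious"}))
```

The same proxy link yields different decisions at delivery and at click only because the reputation lookup is deferred; the MAC is what stops someone from pointing the proxy at a URL the mail gateway never saw.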
Question 178:
What is the main function of the Cisco Security Intelligence Feed within Secure Firewall Threat Defense?
A) It provides dynamic, reputation-based blocking of malicious IPs and URLs
B) It performs SSL decryption
C) It generates endpoint malware signatures
D) It provides user authentication
Answer: A
Explanation:
The Cisco Security Intelligence Feed (SIF) is a dynamic threat-intelligence feature in Secure Firewall Threat Defense that blocks traffic based on real-time reputation data. SIF leverages Cisco Talos to maintain constantly updated lists of malicious IP addresses, URLs, and domains associated with spam, botnets, and command-and-control infrastructure.
Option B relates to SSL policies, C to endpoint protection, and D to identity services.
Administrators can attach Talos feeds, custom lists, and their own threat feeds to the Security Intelligence section of the access control policy as block lists or do-not-block lists, enabling immediate blocking of known bad entities before deeper inspection; each list can also be set to monitor-only, which is the safe way to evaluate a new feed before it drops traffic. Security Intelligence runs after the prefilter policy and before access control rules, file and intrusion inspection, so matching connections are dropped early and the more expensive engines never see them.
Therefore, A is correct, because the Security Intelligence Feed dynamically enforces reputation-based blocking, enhancing Cisco Secure Firewall’s ability to prevent known malicious communications with minimal performance impact.
Question 179:
Which Cisco security principle ensures that each access request is continuously evaluated based on context, device posture, and user identity rather than a one-time login?
A) Defense in Depth
B) Continuous Trust Evaluation (Zero Trust Principle)
C) Principle of Least Privilege
D) Stateful Inspection
Answer: B
Explanation:
Continuous Trust Evaluation, a key principle of Zero Trust Security, mandates that user and device access be continuously validated rather than permanently trusted after authentication. Cisco implements this through solutions like Duo, ISE, and SecureX, which dynamically reassess context, device health, and behavior throughout the session.
Option A focuses on multilayered defense, C on access limitation, and D describes firewall behavior.
For example, if a device’s posture changes—such as antivirus being disabled—ISE can automatically quarantine it. Duo can challenge re-authentication when a login originates from a new location or network. This constant verification minimizes risk from compromised credentials or insider threats.
Therefore, B is correct, because Continuous Trust Evaluation ensures ongoing verification of users and devices, embodying the “never trust, always verify” foundation of Cisco’s Zero Trust architecture.
Question 180:
Which Cisco cloud-delivered solution provides visibility into SaaS usage, enforces compliance, and prevents data leakage from cloud applications?
A) Cisco Umbrella
B) Cisco Cloudlock
C) Cisco Secure Firewall
D) Cisco Stealthwatch
Answer: B
Explanation:
Cisco Cloudlock is Cisco’s Cloud Access Security Broker (CASB) that provides visibility, compliance, and data-loss prevention across SaaS platforms such as Microsoft 365, Google Workspace, and Salesforce. Operating via API integration, Cloudlock continuously monitors user activity, file sharing, and OAuth-connected applications to detect risky behavior and data exposure.
Option A, Umbrella, offers DNS-layer protection but not SaaS governance. C protects networks at the perimeter, and D focuses on flow analytics.
Cloudlock uses policy-based enforcement to block unauthorized data sharing and alert administrators of potential breaches or regulatory violations. It also leverages machine learning to identify anomalous activity, such as unusual login patterns or mass downloads.
Therefore, B is correct, because Cisco Cloudlock secures cloud applications through visibility, compliance controls, and data-loss prevention, aligning with SCOR’s Content Security and Cloud Security objectives.