Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. Enabling what security mechanism can prevent an attacker from gaining network topology information from CDP?
A. MACsec
B. Flex VPN
C. Control Plane Protection
D. Dynamic Arp Inspection
Answer: A
Q2. Which two features are supported when configuring clustering of multiple Cisco ASA appliances? (Choose two.)
A. NAT
B. dynamic routing
C. SSL remote access VPN
D. IPSec remote access VPN
Answer: A,B
Q3. To which port does a firewall send secure logging messages?
A. TCP/1500
B. UDP/1500
C. TCP/500
D. UDP/500
Answer: A
Q4. What are two enhancements of SSHv2 over SSHv1? (Choose two.)
A. VRF-aware SSH support
B. DH group exchange support
C. RSA support
D. keyboard-interactive authentication
E. SHA support
Answer: A,B
Q5. hich option must be configured on a transparent Cisco ASA adaptive security appliance for it to be managed over Layer 3 networks?
A. Static routes
B. Routed interface
C. Security context
D. BVI
Answer: D
Q6. On an ASA running version 9.0, which command is used to nest objects in a pre-existing group?
A. object-group
B. network group-object
C. object-group network
D. group-object
Answer: D
Q7. Prior to a software upgrade, which Cisco Prime Infrastructure feature determines if
the devices being upgraded have sufficient RAM to support te new software ?
A. Software Upgrade Report
B. Image Management Report
C. Upgrade Analysis Report
D. Image Analysis Report
Answer: C
Q8. Your company is replacing a high-availability pair of Cisco ASA 5550 firewalls with the newer Cisco ASA 5555-X models. Due to budget constraints, one Cisco ASA 5550 will be replaced at a time.
Which statement about the minimum requirements to set up stateful failover between these two firewalls is true?
A. You must install the USB failover cable between the two Cisco ASAs and provide a 1 Gigabit Ethernet interface for state exchange.
B. It is not possible to use failover between different Cisco ASA models.
C. You must have at least 1 Gigabit Ethernet interface between the two Cisco ASAs for state exchange.
D. You must use two dedicated interfaces. One link is dedicated to state exchange and the other link is for heartbeats.
Answer: B
Q9. If you disable PortFast on switch ports that are connected to a Cisco ASA and globally turn on BPDU filtering, what is the effect on the switch ports?
A. The switch ports are prevented from going into an err-disable state if a BPDU is received.
B. The switch ports are prevented from going into an err-disable state if a BPDU is sent.
C. The switch ports are prevented from going into an err-disable state if a BPDU is received and sent.
D. The switch ports are prevented from forming a trunk.
Answer: C
Q10. Which action is considered a best practice for the Cisco ASA firewall?
A. Use threat detection to determine attacks
B. Disable the enable password
C. Disable console logging D. Enable ICMP permit to monitor the Cisco ASA interfaces
E. Enable logging debug-trace to send debugs to the syslog server
Answer: A
Q11. CORRECT TEXT
You are the network security engineer for the Secure-X network. The company has recently detected Increase of traffic to malware Infected destinations. The Chief Security Officer deduced that some PCs in the internal networks are infected with malware and communicate with malware infected destinations.
The CSO has tasked you with enable Botnet traffic filter on the Cisco ASA to detect and deny further connection attempts from infected PCs to malware destinations. You are also required to test your configurations by initiating connections through the Cisco ASA and then display and observe the Real-Time Log Viewer in ASDM.
To successfully complete this activity, you must perform the following tasks:
* Download the dynamic database and enable use of it.
. Enable the ASA to download of the dynamic database
. Enable the ASA to download of the dynamic database.
. Enable DNS snooping for existing DNS inspection service policy rules..
. Enable Botnet Traffic Filter classification on the outside interface for All Traffic.
. Configure the Botnet Traffic Filter to drop blacklisted traffic on the outside interface. Use the default Threat Level settings
NOTE: The database files are stored in running memory; they are not stored in flash memory.
NOTE: DNS is enabled on the inside interface and set to the HQ-SRV (10.10.3.20).
NOTE: Not all ASDM screens are active for this exercise.
. Verify that the ASA indeed drops traffic to blacklisted destinations by doing the following:
. From the Employee PC, navigate to http://www.google.com to make sure that access to the Internet is working.
. From the Employee PC, navigate to http://bot-sparta.no-ip.org. This destination is classified as malware destination by the Cisco SIO database.
. From the Employee PC, navigate to http://superzarabotok-gid.ru/. This destination is classified as malware destination by the Cisco SIO database.
. From Admin PC, launch ASDM to display and observe the Real-Time Log Viewer.
You have completed this exercise when you have configured and successfully tested Botnet traffic filter on the Cisco ASA.
Answer: See the explanation for detailed answer to this sim question.
Q12. Which option is the default logging buffer size In memory of the Cisco ASA adaptive security appliance?
A. 8KB
B. 32KB
C. 2KB
D. 16KB
E. 4KB
Answer: E
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_gen eral_c onfig/ monitor_syslog.html
Q13. When you install a Cisco ASA AIP-SSM, which statement about the main Cisco ASDM home page is true?
A. It is replaced by the Cisco AIP-SSM home page.
B. It must reconnect to the NAT policies database.
C. The administrator can manually update the page.
D. It displays a new Intrusion Prevention panel.
Answer: D
Q14. What are three ways to add devices in Cisco Prime Infrastructure? (Choose three.)
A. Use an automated process.
B. Import devices from a CSV file.
C. Add devices manually.
D. Use RADIUS.
E. Use the Access Control Server.
F. Use Cisco Security Manager.
Answer: A,B,C
Q15. To which interface on a Cisco ASA 1000V firewall should a security profile be applied when a VM sits behind it?
A. outside
B. inside
C. management
D. DMZ
Answer: B