Apr-2024 350-701 Study Material, Preparation Guide and PDF Download [Q241-Q266]

Free 350-701 Certification Sample Questions with Online Practice Test

NEW QUESTION # 241
A Cisco FTD engineer is creating a new IKEv2 policy called s2s00123456789 for their organization to allow for additional protocols to terminate network devices with. They currently only have one policy established and need the new policy to be a backup in case some devices cannot support the stronger algorithms listed in the primary policy. What should be done in order to support this?

  • A. Change the integrity algorithms to SHA* to support all SHA algorithms in the primary policy
  • B. Change the encryption to AES* to support all AES algorithms in the primary policy
  • C. Make the priority for the primary policy 10 and the new policy 1
  • D. Make the priority for the new policy 5 and the primary policy 1

Answer: D

Explanation:
All IKE policies on the device are sent to the remote peer regardless of what is in the selected policy section. The first IKE Policy matched by the remote peer will be selected for the VPN connection. Choose which policy is sent first using the priority field. Priority 1 will be sent first.
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215470-site-to-site-vpn-configuration-on-ftd-ma.html


NEW QUESTION # 242
Which two REST API requests are valid on the Cisco ASA platform? (Choose two)

  • A. get
  • B. push
  • C. connect
  • D. options
  • E. put

Answer: A,E

Explanation:
The ASA REST API gives you programmatic access to managing individual ASAs through a Representational State Transfer (REST) API. The API allows external clients to perform CRUD (Create, Read, Update, Delete) operations on ASA resources; it is based on the HTTPS protocol and REST methodology. All API requests are sent over HTTPS to the ASA, and a response is returned.
Request Structure
Available request methods are:
* GET - Retrieves data from the specified object.
* PUT - Adds the supplied information to the specified object; returns a 404 Resource Not Found error if the object does not exist.
* POST - Creates the object with the supplied information.
* DELETE - Deletes the specified object.
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/api/qsg-asa-api.html


NEW QUESTION # 243
Drag and drop the capabilities from the left onto the correct technologies on the right.

Answer:

Explanation:


NEW QUESTION # 244
Which Cisco platform onboards the endpoint and can issue a CA signed certificate while also automatically configuring endpoint network settings to use the signed endpoint certificate, allowing the endpoint to gain network access?

  • A. Cisco TACACS+
  • B. Cisco NAC
  • C. Cisco ISE
  • D. Cisco WSA

Answer: C


NEW QUESTION # 245
Refer to the exhibit.

A network engineer is testing NTP authentication and realizes that any device synchronizes time with this router and that NTP authentication is not enforced. What is the cause of this issue?

  • A. The router was not rebooted after the NTP configuration updated.
  • B. NTP authentication is not enabled.
  • C. The hashing algorithm that was used was MD5, which is unsupported.
  • D. The key was configured in plain text.

Answer: B

Explanation:
The cause of this issue is that NTP authentication is not enabled on the router. The commands shown in the exhibit only define the authentication key and mark it as trusted, but they do not enable NTP authentication globally or on a per-peer basis. To enable NTP authentication globally, the command ntp authenticate must be used. To enable NTP authentication on a per-peer basis, the command ntp server ip-address key key-id or ntp peer ip-address key key-id must be used, where key-id is the same as the one defined by the ntp authentication-key command. Without enabling NTP authentication, any device can synchronize time with this router, regardless of whether it has the same authentication key or not.
The other options are incorrect because:
* The key was configured in plain text, but this is not the cause of the issue. Although it is recommended to use the ntp authentication-key key-id md5 key [encrypted] command to encrypt the key, using plain text does not prevent NTP authentication from working, as long as the same key is configured on both the router and the peer.
* The hashing algorithm that was used was MD5, which is supported by NTP. MD5 is the default algorithm for NTP authentication and it can be used with any key length from 1 to 16 characters. Other algorithms, such as SHA and SHA1, are also supported by NTP if the OpenSSL library is installed, but they are not required for NTP authentication to work.
* The router was not rebooted after the NTP configuration updated, but this is not necessary for NTP authentication to take effect. NTP authentication is applied immediately after the configuration commands are entered, and no reboot is required.
References:
* Configuring NTP
* Authentication Support
* NTP Authentication Explained


NEW QUESTION # 246
Which type of attack is social engineering?

  • A. malware
  • B. MITM
  • C. trojan
  • D. phishing

Answer: D

Explanation:
Phishing is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal, often financial, information. Attackers may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem.


NEW QUESTION # 247
A network administrator is configuring a switch to use Cisco ISE for 802.1X. An endpoint is failing authentication and is unable to access the network. Where should the administrator begin troubleshooting to verify the authentication details?

  • A. RADIUS Live Logs
  • B. Context Visibility
  • C. Accounting Reports
  • D. Adaptive Network Control Policy List

Answer: A

Explanation:
How To Troubleshoot ISE Failed Authentications & Authorizations
Check the ISE Live Logs
Log in to the primary ISE Policy Administration Node (PAN).
Go to Operations > RADIUS > Live Logs
(Optional) If the event is not present in the RADIUS Live Logs, go to Operations > Reports > Reports > Endpoints and Users > RADIUS Authentications
Check for Any Failed Authentication Attempts in the Log


NEW QUESTION # 248
Drag and drop the exploits from the left onto the type of security vulnerability on the right.

Answer:

Explanation:


NEW QUESTION # 249
Drag and drop the features of Cisco ASA with Firepower from the left onto the benefits on the right.

Answer:

Explanation:


NEW QUESTION # 250
An engineer needs behavioral analysis to detect malicious activity on the hosts, and is configuring the organization's public cloud to send telemetry using the cloud provider's mechanisms to a security device. Which mechanism should the engineer configure to accomplish this goal?

  • A. mirror port
  • B. VPC flow logs
  • C. Flow
  • D. NetFlow

Answer: D

Explanation:
https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/q-and-a-c67-737402.html


NEW QUESTION # 251
An organization received a large amount of SPAM messages over a short time period. In order to take action on the messages, it must be determined how harmful the messages are and this needs to happen dynamically.
What must be configured to accomplish this?

  • A. Configure the Cisco WSA to receive real-time updates from Talos.
  • B. Configure the Cisco ESA to receive real-time updates from Talos
  • C. Configure the Cisco ESA to modify policies based on the traffic seen.
  • D. Configure the Cisco WSA to modify policies based on the traffic seen.

Answer: C

Explanation:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa120/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Adm


NEW QUESTION # 252
Which attack type attempts to shut down a machine or network so that users are not able to access it?

  • A. smurf
  • B. bluesnarfing
  • C. IP spoofing
  • D. MAC spoofing

Answer: A

Explanation:
Denial-of-service (DDoS) aims at shutting down a network or service, causing it to be inaccessible to its intended users.
The Smurf attack is a DDoS attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.


NEW QUESTION # 253
Refer to the exhibit.

An engineer is implementing a certificate-based VPN. What is the result of the existing configuration?

  • A. The OU of the IKEv2 peer certificate is set to MANGLER
  • B. The OU of the IKEv2 peer certificate is used as the identity when matching an IKEv2 authorization policy.
  • C. Only an IKEv2 peer that has an OU certificate attribute set to MANGLER establishes an IKEv2 SA successfully
  • D. The OU of the IKEv2 peer certificate is encrypted when the OU is set to MANGLER

Answer: B


NEW QUESTION # 254
An organization is implementing URL blocking using Cisco Umbrella. The users are able to go to some sites but other sites are not accessible due to an error. Why is the error occurring?

  • A. IP-Layer Enforcement is not configured.
  • B. Client computers do not have the Cisco Umbrella Root CA certificate installed.
  • C. Client computers do not have an SSL certificate deployed from an internal CA server.
  • D. Intelligent proxy and SSL decryption is disabled in the policy

Answer: B

Explanation:
Other features are dependent on SSL Decryption functionality, which requires the Cisco Umbrella root certificate. Having the SSL Decryption feature improves:
Custom URL Blocking: Required to block the HTTPS version of a URL.
...
Umbrella's Block Page and Block Page Bypass features present an SSL certificate to browsers that make connections to HTTPS sites. This SSL certificate matches the requested site but will be signed by the Cisco Umbrella certificate authority (CA). If the CA is not trusted by your browser, an error page may be displayed.
Typical errors include "The security certificate presented by this website was not issued by a trusted certificate authority" (Internet Explorer), "The site's security certificate is not trusted!" (Google Chrome) or "This Connection is Untrusted" (Mozilla Firefox). Although the error page is expected, the message displayed can be confusing and you may wish to prevent it from appearing.
To avoid these error pages, install the Cisco Umbrella root certificate into your browser or the browsers of your users, if you're a network admin.


NEW QUESTION # 255
Which two solutions help combat social engineering and phishing at the endpoint level? (Choose two.)

  • A. Cisco Umbrella
  • B. Cisco ISE
  • C. Cisco TrustSec
  • D. Cisco DNA Center
  • E. Cisco Duo Security

Answer: A,E

Explanation:
Cisco Umbrella and Cisco Duo Security are two solutions that help combat social engineering and phishing at the endpoint level. Cisco Umbrella is a cloud-based security platform that provides DNS-layer security, web filtering, and threat intelligence to protect users from malicious websites and domains. Cisco Duo Security is a multi-factor authentication (MFA) solution that verifies the identity of users and the health of their devices before granting access to applications. Both solutions help prevent attackers from compromising endpoints and stealing credentials or data through phishing or other social engineering techniques.
References:
* Cisco Umbrella
* Cisco Duo Security
* Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 3: Cloud and Content Security


NEW QUESTION # 256
Which algorithm is an NGE hash function?

  • A. SHA-2
  • B. HMAC
  • C. SHA-1
  • D. MD5

Answer: A


NEW QUESTION # 257
What is a benefit of using telemetry over SNMP to configure new routers for monitoring purposes?

  • A. Telemetry uses a push method which makes it faster than SNMP
  • B. Telemetry uses push and pull which makes it more secure than SNMP
  • C. Telemetry uses push and pull, which makes it more scalable than SNMP
  • D. Telemetry uses a pull method, which makes it more reliable than SNMP

Answer: A

Explanation:
SNMP polling can often be in the order of 5-10 minutes, CLIs are unstructured and prone to change which can often break scripts. The traditional use of the pull model, where the client requests data from the network does not scale when what you want is near real-time data. Moreover, in some use cases, there is the need to be notified only when some data changes, like interfaces status, protocol neighbors change etc. Model-Driven Telemetry is a new approach for network monitoring in which data is streamed from network devices continuously using a push model and provides near real-time access to operational statistics.
Reference: https://developer.cisco.com/docs/ios-xe/#!streaming-telemetry-quick-start-guide/streaming-telemetry


NEW QUESTION # 258
Drag and drop the exploits from the left onto the type of security vulnerability on the right.

Answer:

Explanation:


NEW QUESTION # 259
Which technology provides a combination of endpoint protection, endpoint detection, and response?

  • A. Cisco AMP
  • B. Cisco Talos
  • C. Cisco Threat Grid
  • D. Cisco Umbrella

Answer: A


NEW QUESTION # 260
A customer has various external HTTP resources available including Intranet, Extranet, and Internet, with a proxy configuration running in explicit mode. Which method allows the client desktop browsers to be configured to select when to connect direct or when to use the proxy?

  • A. PAC file
  • B. Transport mode
  • C. Forward file
  • D. Bridge mode

Answer: A

Explanation:
A Proxy Auto-Configuration (PAC) file is a JavaScript function definition that determines whether web browser requests (HTTP, HTTPS, and FTP) go direct to the destination or are forwarded to a web proxy server.
PAC files are used to support explicit proxy deployments in which client browsers are explicitly configured to send traffic to the web proxy. The big advantage of PAC files is that they are usually relatively easy to create and maintain.


NEW QUESTION # 261
What are two advantages of using Cisco AnyConnect over DMVPN? (Choose two.)

  • A. It allows different routing protocols to work over the tunnel
  • B. It enables VPN access for individual users from their machines
  • C. It provides spoke-to-spoke communications without traversing the hub
  • D. It allows customization of access policies based on user identity
  • E. It allows multiple sites to connect to the data center

Answer: B,D


NEW QUESTION # 262
An administrator is trying to determine which applications are being used in the network but does not want the network devices to send metadata to Cisco Firepower. Which feature should be used to accomplish this?

  • A. Packet Tracer
  • B. NetFlow
  • C. Network Discovery
  • D. Access Control

Answer: C

Explanation:
NetFlow is a network protocol developed by Cisco for the collection and monitoring of network traffic flow data generated by NetFlow-enabled routers and switches. The flows do not contain actual packet data, but rather the metadata for communications. It is a standard form of session data that details who, what, when, and where of network traffic -> Answer A is not correct.
Reference: https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/white-paper-c11-736595.html


NEW QUESTION # 263
An organization has two systems in their DMZ that have an unencrypted link between them for communication.
The organization does not have a defined password policy and uses several default accounts on the systems.
The application used on those systems also has not gone through stringent code reviews. Which vulnerability would help an attacker brute force their way into the systems?

  • A. weak passwords
  • B. lack of file permission
  • C. lack of input validation
  • D. missing encryption

Answer: D

Explanation:
The version 9 export format uses templates to provide access to observations of IP packet flows in a flexible and extensible manner. A template defines a collection of fields, with corresponding descriptions of structure and semantics.


NEW QUESTION # 264
An engineer has been tasked with configuring a Cisco FTD to analyze protocol fields and detect anomalies in the traffic from industrial systems. What must be done to meet these requirements?

  • A. Configure intrusion rules for the DNP3 preprocessor
  • B. Implement pre-filter policies for the CIP preprocessor
  • C. Enable traffic analysis in the Cisco FTD
  • D. Modify the access control policy to trust the industrial traffic

Answer: B

Explanation:
The Modbus, DNP3, and CIP SCADA preprocessors detect traffic anomalies and provide data to intrusion rules. Therefore in this question only answer A or answer C is correct.
The DNP3 preprocessor detects anomalies in DNP3 traffic and decodes the DNP3 protocol for processing by the rules engine, which uses DNP3 keywords to access certain protocol fields.
The Common Industrial Protocol (CIP) is a widely used application protocol that supports industrial automation applications. EtherNet/IP is an implementation of CIP that is used on Ethernet-based networks. The CIP preprocessor detects CIP and ENIP traffic running on TCP or UDP and sends it to the intrusion rules engine.
You can use CIP and ENIP keywords in custom intrusion rules to detect attacks in CIP and ENIP traffic.
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-configguide-v63/scada_preprocessors.html
Both DNP3 and CIP preprocessors can be used to detect traffic anomalies but we choose CIP as it is widely used in industrial applications.
Note:
+ An intrusion rule is a specified set of keywords and arguments that the system uses to detect attempts to exploit vulnerabilities in your network. As the system analyzes network traffic, it compares packets against the conditions specified in each rule, and triggers the rule if the data packet meets all the conditions specified in the rule.
+ Preprocessor rules, which are rules associated with preprocessors and packet decoder detection options in the network analysis policy. Most preprocessor rules are disabled by default.


NEW QUESTION # 265
A network engineer must migrate a Cisco WSA virtual appliance from one physical host to another physical host by using VMware vMotion. What is a requirement for both physical hosts?

  • A. The hosts must have access to the same defined network.
  • B. The hosts must run Cisco AsyncOS 10.0 or greater.
  • C. The hosts must use a different datastore than the virtual appliance.
  • D. The hosts must run different versions of Cisco AsyncOS.

Answer: A

Explanation:
To migrate a Cisco WSA virtual appliance from one physical host to another physical host by using VMware vMotion, both hosts must have access to the same defined network. This is because vMotion preserves the network identity and connections of the virtual machine, and requires that the source and destination hosts have compatible CPUs and shared storage [1]. The hosts do not need to run the same or different versions of Cisco AsyncOS, as long as they meet the minimum requirements for the virtual appliance [2]. The hosts do not need to use a different datastore than the virtual appliance, as vMotion can migrate virtual machines across datastores as well [3].
References:
[1] VMware vMotion: Live Migration of Virtual Machines and Storage
[2] Cisco Secure Web Appliance Virtual - Cisco
[3] Migrating to Virtual SMA from Physical - Cisco Community


NEW QUESTION # 266
......
