Cisco FMC and ISE Integration Quiz
48 Questions


Questions and Answers

Which connector is required for the integration of Cisco ISE with Cisco FMC for Rapid Threat Containment?

  • pxGrid (correct)
  • FTD RTC
  • ISEGrid
  • FMC RTC

What is the maximum SHA level of filtering supported by Threat Intelligence Director?

  • SHA-512
  • SHA-4096
  • SHA-1024
  • SHA-256 (correct)

Which protocol is essential for exchanging threat details during rapid threat containment on Cisco FMC?

  • SNMP v3
  • BFD
  • pxGrid (correct)
  • SGT

Which statement about correlation policy configuration in Cisco Firepower Management Center is correct?

Answer: Adding a host profile qualification is permitted for rules triggered by malware events. (B)

What happens to existing connections if the master unit fails in Cisco FTD clustering?

Answer: All connections are maintained by the newly elected master unit. (A)

What is a key feature of self-signed certificates in Cisco FMC configuration with ISE?

Answer: They facilitate pxGrid node operation. (A)

Which statement about the functionality of Cisco FMC in high availability scenarios is true?

Answer: Failover does not affect ongoing connections. (D)

What is the function of the FMC when it comes to automated device registration?

Answer: It tracks and manages device registrations automatically. (C)

What is the correct action to take when traffic is being automatically allowed without inspection?

Answer: Modify the rule action from trust to allow (B)

What configuration should be implemented in Cisco FMC to analyze files for viruses on a sandbox system?

Answer: Dynamic analysis (B)

In the context of network discovery policies, what adjustment can help reduce misleading events caused by NAT devices performing multiple OS updates?

Answer: Exclude load balancers and NAT devices (A)

If an administrator notices failed deployment messages in Cisco FMC when configuring SNORT inspection policies, what could be a potential cause?

Answer: Insufficient system resources (A)

What characterizes an 'Allow' rule in Cisco FMC?

Answer: It detects prohibited files and blocks them (C)

Which strategy should be avoided when configuring network discovery policies to minimize event overload?

Answer: Including all types of network devices (C)

When implementing dynamic analysis in Cisco FMC, which aspect is most critical?

Answer: Evaluating files in a controlled environment (B)

What is the consequence of modifying the rule action from trust to allow in Cisco FMC?

Answer: Non-prohibited traffic may flow without restriction (B)

Which option correctly describes the maintenance of VPN connections during the election of a new master unit?

Answer: Only existing connections are maintained. (C)

Which statements are true about bridge-group interfaces in Cisco FTD? (Select two)

Answer: Bridge groups are supported in both transparent and routed firewall modes. (A); Each directly connected network must be on the same subnet. (C)

Which command is used on an FTD unit to associate it with an FMC manager at the IP address 10.0.0.10?

Answer: configure manager add 10.0.0.10 Cisco123 (C)

Which two actions can be used in an access control policy rule? (Select two)

Answer: Monitor (A); Block with Reset (D)

Which two routing options are valid with Cisco Firepower Threat Defense? (Select two)

Answer: BGPv6 (A); ECMP with up to three equal cost paths across a single interface (D)

What is expected when a new master unit is elected in the context of VPN connections?

Answer: Established connections will remain active. (B)

Which statement regarding bridge groups is incorrect?

Answer: Only two bridge groups can be configured. (B)

Which command format is correct for adding an FTD unit to an FMC?

Answer: configure manager add 10.0.0.10 Cisco123 (B)

What is the primary concern when security is prioritized over connectivity in Cisco Firepower?

Answer: It enables most rules to be activated. (B)

Which approach should be taken to enable inspection for traffic when using Cisco Firepower?

Answer: Redirect interesting traffic to the intrusion engine. (C)

In a scenario where a network analysis policy (NAP) is utilized, what is its primary function?

Answer: To preprocess and decode traffic. (D)

In order to ensure minimal downtime during an upgrade of Cisco FMC managed devices, what should be prioritized?

Answer: Maintaining a current configuration backup. (D)

What should be done to handle protocol anomalies using Snort rule sets on Cisco Firepower?

Answer: Modify the network analysis policy for packet processing. (C)

When managing a hospital network's Cisco FMC devices, what is a critical step in the disaster recovery process?

Answer: Performing regular backups of critical configurations. (C)

Which of the following states should be avoided when using Cisco Firepower for maximum detection?

Answer: Monitoring network anomalies only in labs. (C)

What is an effect of having no rules active in a Cisco Firepower setup?

Answer: Acts as a default template for future configurations. (C)

What is the primary role of Integrated Routing and Bridging (IRB)?

Answer: To enable multiple physical interfaces to be part of the same VLAN (D)

Where can thresholding settings be configured?

Answer: Globally, within the network analysis policy (D)

Which of the following accurately describes how access control policies operate on a Cisco Firepower system?

Answer: They interrupt traffic inspection when configurations change (C)

Which function does Cisco AMP Threat Grid primarily serve?

Answer: Automated malware analysis (A)

What is a consequence of deploying configuration changes in a Cisco Firepower system?

Answer: Traffic inspection can be interrupted temporarily (A)

In an intrusion policy configuration, thresholds can be set for which of the following?

Answer: Per IPS shared object, standard text, or preprocessor rule (B)

Which of the following methods is NOT a way access control policies can operate?

Answer: Conducting user authentication via biometrics (B)

What is a primary reason for configuring thresholds in network analysis?

Answer: To define how often events from specific sources are logged (A)

What impact does daylight saving time (DST) have on scheduled tasks in the system?

Answer: Tasks scheduled for 2:00 AM during standard time will run at 3:00 AM during DST. (D)

What should be done to resolve the issue of SI events not updating in the Cisco FTD device?

Answer: Redeploy configurations to the affected devices to allocate additional memory. (B)

What is the primary function of configuring the system clock settings to use NTP?

Answer: To synchronize the device time with external time servers. (A)

Which rule type is necessary to limit access to a specific website while preventing access to others?

Answer: An access control policy rule allowing traffic only on specific ports. (A)

If a task is scheduled for 2:00 AM during standard time, when will it run during daylight saving time?

Answer: 3:00 AM during daylight saving time. (D)

In what situation is it suggested to replace the Cisco FTD devices?

Answer: If the devices are consistently unable to process traffic due to memory limitations. (A)

Which IP address should be allowed in the access control rule to fix access to a specific website?

Answer: 172.1.1.50 only for port 443. (D)

What is a potential consequence of not properly configuring NTP on the Cisco Firepower Management Center?

Answer: Scheduled tasks may run at unexpected times. (C)

Flashcards

What is the connector used to integrate FMC with Cisco ISE for Rapid Threat Containment?

pxGrid is a protocol used to integrate Cisco ISE and FMC, enabling Rapid Threat Containment (RTC) by sharing data and coordinating actions between the two platforms. It allows for rapid response to security threats and provides a unified security posture across the network.

What is the maximum SHA level supported by Threat Intelligence Director for threat analysis?

Cisco Threat Intelligence Director supports SHA-256 as the highest level of cryptographic hashing for analyzing threat intelligence feeds and data. It supports Secure Hash Algorithm (SHA) up to SHA-256, ensuring a higher level of security and integrity in handling threat information.

What protocol is used to exchange threat information for Rapid Threat Containment on Cisco FMC?

pxGrid is a protocol that allows for communication and data exchange between Cisco security devices, enabling features like Rapid Threat Containment. It provides a network for secure communication, ensuring that threat information can be rapidly shared among various devices.

What is the impact of enabling Cisco FTD clustering on high availability?

Enabling Cisco FTD clustering offers high availability and redundancy for your security infrastructure. If the master unit (primary controller) in the cluster fails, the standby unit seamlessly takes over, ensuring failover and minimal downtime.

Why can't we add host profile qualifications to a correlation rule triggered by a malware event?

You cannot add host profile qualifications to a correlation rule that is triggered by a malware event. Correlation rules are powerful ways to define conditions based on various event types (like malware, intrusion, or security events). However, host profile qualifications are not applicable when the rule is specifically triggered by a malware event.

Which description of a correlation policy configuration in Cisco FMC is true?

A correlation policy configuration in Cisco Firepower Management Center (FMC) allows you to define actions (e.g., blocking, alerting) based on specific security events. While the system displays correlation policies created across multiple domains, deleting a response group only affects the responses associated with that group.

What is IRB?

A Cisco feature that allows multiple physical interfaces to be part of the same VLAN, enabling Layer 2 switching between interfaces including subinterfaces.

What is thresholding in Cisco Firepower?

A feature that allows administrators to set limits on how frequently events from specific sources or destinations are logged and displayed within a specified time period.

How do Access Control Policies use Security Intelligence?

Access Control Policies (ACPs) can operate based on Security Intelligence data, which allows for blocking traffic based on known malicious patterns.

What can happen during configuration changes in Cisco Firepower?

When changes are deployed to the system, the intrusion detection system (SNORT) can restart, causing temporary interruptions in traffic inspection.

What is the main function of Cisco AMP Threat Grid?

The primary function of Cisco AMP Threat Grid is to analyze malware in real time. It uses cloud-based technology to identify and classify threats.

What is a Network Analysis Policy in Cisco Firepower?

A feature that allows for customized security rules to be applied to different traffic types. This is useful for tailoring security measures based on specific network requirements.

VPN connections during master unit election

In Cisco FTD, when a new master unit is elected, only existing VPN connections are maintained, ensuring seamless transition without disruption.

What firewall mode supports bridge-group interfaces in FTD?

Bridge-group interfaces in Cisco FTD allow transparent firewall mode, where traffic is not routed through the FTD but is inspected for security.

Command to associate FTD with FMC

The command to associate an FTD unit with an FMC manager is configure manager add followed by the manager's IP address and registration key.

Valid actions in FTD access control policy

In access control policy rules in Cisco FTD, Block with Reset and Monitor are valid actions. 'Block with Reset' completely stops the traffic and resets the TCP connection, while 'Monitor' logs the traffic without blocking it.

Routing options in Cisco FTD

Cisco Firepower Threat Defense (FTD) supports Equal Cost Multipath (ECMP) routing, allowing up to three equal cost paths across multiple interfaces or a single interface.

BFD packets with FTD bridge-group members

In Cisco FTD, Bidirectional Forwarding Detection (BFD) echo packets are allowed through the FTD when using bridge-group members, ensuring network connectivity and fault detection.

BVI IP address subnet separation

In Cisco FTD, the BVI IP address for bridge-group interfaces must be in a separate subnet from the connected network to avoid IP address conflicts.

BGP protocols supported by FTD

Cisco Firepower Threat Defense (FTD) supports both BGPv4 and BGPv6 routing protocols, allowing for complex network routing configurations.

No Rules Active FMC Configuration

A Cisco Firepower Management Center (FMC) configuration where all intrusion prevention rules are disabled. This is typically used as a baseline configuration for testing or creating a new deployment.

Maximum Detection FMC Configuration

A Cisco Firepower Management Center (FMC) configuration focused on maximizing detection of potential threats, even if this results in a higher number of false positives. It is often used for testing or in environments with high security demands.

Security over Connectivity FMC Configuration

A Cisco Firepower Management Center (FMC) configuration prioritizing security over network performance. It implements a broader range of intrusion prevention rules, accepting the risk of some false positives.

Redirecting Traffic to the Firepower Engine

The process of directing traffic to Cisco Firepower for inspection. This is how IPS rules are applied.

Network Analysis Policy (NAP)

A network analysis policy governs how traffic is decoded and preprocessed for further evaluation. This helps systems recognize and respond to abnormal network behavior.

Integrating Intrusion Policy with Access Control Rules

A feature in Cisco Firepower that enables the application of intrusion prevention rules to specific traffic flows. This ensures that security is applied only to the traffic you want to protect.

Correlation Policy in FMC

A Cisco Firepower Management Center (FMC) configuration that allows the system to identify and respond to security events, such as intrusion attempts or malware infections. This allows for proactive threat mitigation through blocking traffic, triggering alerts, or other automated responses.

Disaster Recovery for FMC Managed Devices

A security measure focused on minimizing network downtime by storing backup configurations of Cisco FMC managed devices. This allows the system to restore a full configuration quickly in case of a failure.

Allow rule

This type of rule applies only to traffic that matches the rule, but allows all traffic except prohibited files, malware, intrusions, and exploits, which are then blocked. This rule also enforces identity requirements and rate limiting.

Selective Allow rule configurations

When you want to configure an Allow rule to only perform specific actions, such as file inspection or intrusion inspection, you have the option to selectively configure these actions.

Sandbox system

A security appliance that provides a virtualized sandbox environment to analyze suspicious files and mitigate threats.

Dynamic analysis

The process of running a suspicious file in a controlled environment to observe its behavior and determine if it is malicious.

Local malware analysis

This setting lets you analyze files for malware directly on the Cisco FMC device without relying on a sandbox system. This can provide faster malware detection, but may not be as thorough as dynamic analysis.

Network discovery policy

A feature in Cisco FMC that allows you to see which devices are on your network by analyzing network traffic and device behavior.

Excluding load balancers and NAT devices from network discovery

Devices like load balancers and NAT devices can generate a high volume of network traffic, especially during updates, potentially overwhelming the Cisco FMC with events. Excluding them from network discovery can reduce this load.

SNORT inspection policy deployment failures

When configuring SNORT inspection policies in the Cisco FMC, it's possible to encounter deployment failures. This can be caused by various factors such as network connectivity issues, incorrect configuration, or insufficient resources. Checking the Cisco FMC logs and reviewing the deployment process to troubleshoot the specific error message is important for resolving these issues.

How does the Firepower Management Center handle DST transitions?

The local device time in the Firepower Management Center is based on the configured time zone and adjusts automatically for daylight saving time (DST). However, scheduled tasks spanning DST transitions do not adjust their execution time accordingly.

How do you fix an issue where the Firepower Threat Defense (FTD) device is unable to load all Security Intelligence (SI) events?

If the Firepower Threat Defense (FTD) device cannot load all Security Intelligence (SI) events, it may result in traffic not being blocked as expected. To fix this, redeploy the configuration to allocate more memory specifically to the SI module.

How do you allow access to a specific website while preventing access to all other websites?

To allow access to a specific website (172.1.1.50) on port 80 while blocking access to other websites, create an Access Control Policy rule. This rule should allow traffic on port 80 only from the specified IP address.

How are tasks impacted by daylight saving time in the Firepower Management Center?

The Firepower Management Center automatically adjusts its local time display for daylight saving time (DST), where appropriate. However, recurring tasks that span the transition dates from DST to standard time and back do not adjust for the transition. This means that a task scheduled for 2:00 AM during standard time will run at 3:00 AM during DST, and vice versa.

How do you configure the system clock settings to use NTP in Firepower Management Center?

To configure the system clock settings to use NTP, ensure that the NTP server is reachable and configured. Then, you can select the NTP option under system configuration. After making the change, verify that the system clock is synchronized with the NTP server for accurate timekeeping.

What is the workaround if the Firepower Threat Defense (FTD) device is unable to load all Security Intelligence (SI) event entries?

Redeploying configurations to affected devices can help to ensure that the SI module receives enough memory to correctly load all SI event entries. This can be necessary when the FTD device is unable to load all of the SI event entries, preventing traffic from being blocked as expected.

What is the purpose of access control policy rules?

Access control policy rules govern traffic flow based on specific criteria, such as the source and destination IP addresses, ports, and protocols. These rules are an effective way to selectively allow or block access to individual websites without impacting other web communication.

What are Security Intelligence (SI) events and why are they important?

Security Intelligence (SI) events are valuable for identifying and responding to security threats. They contain information about known malware, vulnerabilities, and malicious actors. The Firepower Management Center uses these events to block malicious traffic and enhance overall security posture. Ensure that the FTD device has enough memory to handle all SI event entries.

Study Notes

Cisco 300-710 Exam Notes

  • Vendor: Cisco
  • Exam Code: 300-710
  • Exam Name: Securing Networks with Cisco Firepower (SNCF)
  • Version: 23.111

CLI Commands

  • QUESTION 1: system support ssl-client-hello-tuning is used to control special handling of ClientHello messages.
  • QUESTION 2: configure high-availability suspend at the CLI temporarily stops high-availability on the primary Cisco FTD unit. Choosing "disable" permanently breaks high availability.
  • QUESTION 3: system generate-troubleshoot all generates troubleshooting files on an FTD.

Troubleshooting Files

  • Cisco FTDs use sudo sf_troubleshoot.pl or system generate-troubleshoot all to create troubleshooting logs. Detailed instructions are provided in the PassLeader documents.

Packet Capture

  • QUESTION 4: Troubleshooting files generated with packet captures often require a specific file-size command option. Captures that exceed 32 MB may cause issues.
  • Packet capture file management should be considered when troubleshooting configurations.

Port Objects

  • QUESTION 5: Port objects in Cisco FMC have a crucial role: representing protocols beyond just TCP, UDP, and ICMP.

Widgets

  • QUESTION 6: Within the Cisco Firepower Management Center, widgets are managed on the dashboard.

Port Requirements & Communication

  • QUESTION 7: To validate communication with a cloud service, certain port requirements on the Firepower Management Center must be verified. The required ports are TCP 443 and TCP 80.

HTTPS Certificates

  • QUESTION 8: The maximum bit size for HTTPS certificates supported by Cisco FMC is 4096.

Multidomain Environment Limitations

  • QUESTION 9: Dashboards have limitations in a Cisco FMC multidomain environment. Child domains can view dashboards from ancestor domains, but cannot modify them.

Description

Test your knowledge on the integration of Cisco Identity Services Engine (ISE) with Cisco Firepower Management Center (FMC) for Rapid Threat Containment. This quiz covers key protocols, filtering levels, and configuration policies relevant to network security. Perfect for IT professionals working with Cisco systems!
