NEW QUESTION 1
Who or what calculates the signature fidelity rating in a Cisco IPS?

• A. the signature author
• B. Cisco Professional Services
• C. the administrator
• D. the security policy

Answer: A

NEW QUESTION 2
A network engineer may use which three types of certificates when implementing HTTPS decryption services on the ASA CX? (Choose three.)

• A. Self Signed Server Certificate
• B. Self Signed Root Certificate
• C. Microsoft CA Server Certificate
• D. Microsoft CA Subordinate Root Certificate
• E. LDAP CA Server Certificate
• F. LDAP CA Root Certificate
• G. Public Certificate Authority Server Certificate
• H. Public Certificate Authority Root Certificate

Answer: BDF

NEW QUESTION 3
Which IPS engine detects ARP spoofing?

• A. Atomic ARP Engine
• B. Service Generic Engine
• C. ARP Inspection Engine
• D. AIC Engine

Answer: A

NEW QUESTION 4
What is a primary difference between the web security features of the Cisco WSA and the Cisco ASA NGFW?

• A. Cisco WSA provides URL filtering, while Cisco ASA NGFW does not.
• B. Cisco ASA NGFW provides caching services, while Cisco WSA does not.
• C. Cisco WSA provides web reputation filtering, while Cisco ASA NGFW does not.
• D. Cisco ASA NGFW provides application visibility and control on all ports, while Cisco WSA does not.

Answer: D

NEW QUESTION 5
CORRECT TEXT

Answer:

Explanation: We need to create a policy map named inside-policy and send the traffic to the CXSC blade:
ASA-FW# config t
ASA-FW(config)# policy-map inside-policy
ASA-FW(config-pmap)# policy-map inside-policy ASA-FW(config-pmap)# class class-default
ASA-FW(config-pmap-c)# cxsc fail-close auth-proxy ASA-FW(config-pmap-c)# exit
ASA-FW(config-pmap)# exit
The fail-close is needed as per instructions that if the CX module fails, no traffic should be allowed. The auth-proxy keyword is needed for active authentication.
Next, we need to apply this policy map to the inside interface: ASA-FW(config)#service-policy inside-policy interface inside. Finally, verify that the policy is active:
ASA-FW# show service-policy interface inside Interface inside:
Service-policy: inside-policy Class-map: class-default
Default QueueingCXSC: card status Up, mode fail-close, auth-proxy enabled Packet input 181, packet output 183, drop 0, reset-drop 0, proxied 0
Configuration guidelines can be found at this reference link:

NEW QUESTION 6
Which Cisco technology is a modular security service that combines a stateful inspection firewall with next-generation application awareness, providing near real-time threat protection?

• A. Cisco ASA 5500 series appliances
• B. Cisco ASA CX Context-Aware Security
• C. WSA
• D. Internet Edge Firewall / IPS

Answer: B

NEW QUESTION 7
Refer to the exhibit.

Which four rows exhibit the correct WCCP service to protocol assignments? (Choose four.)

• A. Row 1
• B. Row 2
• C. Row 3
• D. Row 4
• E. Row 5
• F. Row 6
• G. Row 7
• H. Row 8

Answer: BDFH

NEW QUESTION 8
When learning accept mode is set to auto, and the action is set to rotate, when is the KB created and used?

• A. It is created every 24 hours and used for 24 hours.
• B. It is created every 24 hours, but the current KB is used.
• C. It is created every 1 hour and used for 24 hours.
• D. A KB is created only in manual mode.

Answer: A

NEW QUESTION 9
What three alert notification options are available in Cisco IntelliShield Alert Manager? (Choose three.)

• A. Alert Summary as Text
• B. Complete Alert as an HTML Attachment
• C. Complete Alert as HTML
• D. Complete Alert as RSS
• E. Alert Summary as Plain Text
• F. Alert Summary as MMS

Answer: ABC

NEW QUESTION 10
Which command verifies that the correct CWS license key information was entered on the Cisco ASA?

• A. sh run scansafe server
• B. sh run scansafe
• C. sh run server
• D. sh run server scansafe

Answer: B

NEW QUESTION 11
Which option is a benefit of Cisco Email Security virtual appliance over the Cisco ESA appliance?

• A. reduced space and power requirements
• B. outbound message protection
• C. automated administration
• D. global threat intelligence updates from Talos

Answer: A

NEW QUESTION 12
Which Cisco Web Security Appliance deployment mode requires minimal change to endpoint devices?

• A. Transparent Mode
• B. Explicit Forward Mode
• C. Promiscuous Mode
• D. Inline Mode

Answer: A

NEW QUESTION 13
A network security design engineer is considering using a Cisco Intrusion Detection System in the DMZ of the network. Which option is the drawback to using IDS in the DMZ as opposed to using Intrusion Prevention System?

• A. IDS has impact on the network (thatis, latency and jitter).
• B. Response actions cannot stop triggered packet or guarantee to stop a connection techniques.
• C. Response actions cannot stop malicious packets or cannot guarantee to stop any DOS attack

Answer: B

NEW QUESTION 14
Which three features does Cisco CX provide? (Choose three.)

• A. HTTPS traffic decryption and inspection
• B. Application Visibility and Control
• C. Category or reputation-based URL filtering
• D. Email virus scanning
• E. Application optimization and acceleration
• F. VPN authentication

Answer: ABC

NEW QUESTION 15
Which three statements about threat ratings are true? (Choose three.)

• A. A threat rating is equivalent to a risk rating that has been lowered by an alert rating.
• B. The largest threat rating from all actioned events is added to the risk rating.
• C. The smallest threat rating from all actioned events is subtracted from the risk rating.
• D. The alert rating for deny-attacker-inline is 45.
• E. Unmitigated events do not cause a threat rating modification.
• F. The threat rating for deny-attacker-inline is 50.

Answer: ADE

NEW QUESTION 16
Which Cisco ASA configuration command drops traffic if the Cisco ASA CX module fails?

• A. no fail-open
• B. fail-close
• C. fail-close auth-proxy
• D. auth-proxy

Answer: B

NEW QUESTION 17
Refer to the following. Which description of the result of this configuration is true?
Router(config)#line vty 5 15
Router(config-line)#access-class 23 in

• A. Only clients denied in access list 23 can manage the router.
• B. Only telnet access (TCP) is allowed on the VTY lines of this router
• C. Only clients permitted in access list 23 can manage the router
• D. Only SSH access (TCP 23) is allowed on the VTY lines of this router.

Answer: C