300-710 Practice Test Questions

254 Questions


Topic 1: Deployment

What are the minimum requirements to deploy a managed device inline?

A. inline interfaces, security zones, MTU, and mode
B. passive interface, MTU, and mode
C. inline interfaces, MTU, and mode
D. passive interface, security zone, MTU, and mode

Answer: C. inline interfaces, MTU, and mode



Which two conditions must be met to enable high availability between two Cisco FTD devices? (Choose two.)

A. same flash memory size
B. same NTP configuration
C. same DHCP/PPPoE configuration
D. same host name
E. same number of interfaces

Answer: B. same NTP configuration
Answer: E. same number of interfaces

Conditions
In order to create an HA pair between two FTD devices, these conditions must be met:
- Same model
- Same version (this applies to FXOS and to FTD: major (first number), minor (second number), and maintenance (third number) must be equal)
- Same number of interfaces
- Same type of interfaces
- Both devices part of the same group/domain in FMC
- Identical Network Time Protocol (NTP) configuration
- Fully deployed on the FMC without uncommitted changes
- Same firewall mode: routed or transparent. Note that this must be checked on both FTD devices and in the FMC GUI, since there have been cases where the FTDs had the same mode but FMC did not reflect this.
- No DHCP/Point-to-Point Protocol over Ethernet (PPPoE) configured on any interface
- Different hostname (Fully Qualified Domain Name (FQDN)) for both chassis. In order to check the chassis hostname, navigate to the FTD CLI and run this command

Which two deployment types support high availability? (Choose two.)

A. transparent
B. routed
C. clustered
D. intra-chassis multi-instance
E. virtual appliance in public cloud

Answer: A. transparent
Answer: B. routed



What is the difference between inline and inline tap on Cisco Firepower?

A. Inline tap mode can send a copy of the traffic to another device.
B. Inline tap mode does full packet capture.
C. Inline mode cannot do SSL decryption.
D. Inline mode can drop malicious traffic.

Answer: A. Inline tap mode can send a copy of the traffic to another device.



An organization has a Cisco FTD that uses bridge groups to pass traffic from the inside interfaces to the outside interfaces. They are unable to gather information about neighbouring Cisco devices or use multicast in their environment. What must be done to resolve this issue?

A. Create a firewall rule to allow CDP traffic.
B. Create a bridge group with the firewall interfaces.
C. Change the firewall mode to transparent.
D. Change the firewall mode to routed.

Answer: C. Change the firewall mode to transparent.

Explanation: "In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule..." "The bridge group does not pass CDP packets..."
https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/general/asa-913-general-config/intro-fw.html

Passing Traffic Not Allowed in Routed Mode
In routed mode, some types of traffic cannot pass through the ASA even if you allow it in an access rule. The bridge group, however, can allow almost any traffic through using either an access rule (for IP traffic) or an EtherType rule (for non-IP traffic):
IP traffic—In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule, including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay). Within a bridge group, you can allow this traffic with an access rule (using an extended ACL).
Non-IP traffic—AppleTalk, IPX, BPDUs, and MPLS, for example, can be configured to go through using an EtherType rule.
Note: "The bridge group does not pass CDP packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. An exception is made for BPDUs and ISIS, which are supported."

When deploying a Cisco ASA Firepower module, an organization wants to evaluate the contents of the traffic without affecting the network. It is currently configured to have more than one instance of the same device on the physical appliance. Which deployment mode meets the needs of the organization?

A. inline tap monitor-only mode
B. passive monitor-only mode
C. passive tap monitor-only mode
D. inline mode

Answer: A. inline tap monitor-only mode

Inline tap monitor-only mode (ASA inline)—In an inline tap monitor-only deployment, a copy of the traffic is sent to the ASA FirePOWER module, but it is not returned to the ASA. Inline tap mode lets you see what the ASA FirePOWER module would have done to traffic, and lets you evaluate the content of the traffic, without impacting the network. However, in this mode, the ASA does apply its policies to the traffic, so traffic can be dropped due to access rules, TCP normalization, and so forth.

Which interface type allows packets to be dropped?

A. passive
B. inline
C. ERSPAN
D. TAP

Answer: B. inline



Which firewall design allows a firewall to forward traffic at layer 2 and layer 3 for the same subnet?

A. Cisco Firepower Threat Defense mode
B. transparent mode
C. routed mode
D. integrated routing and bridging

Answer: B. transparent mode



Which protocol establishes network redundancy in a switched Firepower device deployment?

A. STP
B. HSRP
C. GLBP
D. VRRP

Answer: A. STP

Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmcconfig-guide-v62/firepower_threat_defense_high_availability.html

Within an organization's high availability environment where both firewalls are passing traffic, traffic must be segmented based on which department it is destined for. Each department is situated on a different LAN. What must be configured to meet these requirements?

A. span EtherChannel clustering
B. redundant interfaces
C. high availability active/standby firewalls
D. multi-instance firewalls

Answer: D. multi-instance firewalls



Which policy rule is included in the deployment of a local DMZ during the initial deployment of a Cisco NGFW through the Cisco FMC GUI?

A. a default DMZ policy for which only a user can change the IP addresses
B. deny ip any
C. no policy rule is included
D. permit ip any

Answer: C. no policy rule is included



With Cisco Firepower Threat Defense software, which interface mode must be configured to passively receive traffic that passes through the appliance?

A. inline set
B. passive
C. routed
D. inline tap

Answer: B. passive



