300-710 Free Practice Test

- (Exam Topic 2)
Which Cisco Firepower rule action displays an HTTP warning page?

1. A. Monitor
2. B. Block
3. C. Interactive Block
4. D. Allow with Warning

Correct Answer: C
Reference: https://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System- UserGuide-v5401/AC-Rules-Tuning-Overview.html#76698

- (Exam Topic 5)
A security engineer is adding three Cisco FTD devices to a Cisco FMC. Two of the devices have successfully registered to the Cisco FMC. The device that is unable to register is located behind a router that translates all outbound traffic to the router's WAN IP address. Which two steps are required for this device to register to the Cisco FMC? (Choose two.)

1. A. Reconfigure the Cisco FMC lo use the device's private IP address instead of the WAN address.
2. B. Configure a NAT ID on both the Cisco FMC and the device.
3. C. Add the port number being used for PAT on the router to the device's IP address in the Cisco FMC.
4. D. Reconfigure the Cisco FMC to use the device's hostname instead of IP address.
5. E. Remove the IP address defined for the device in the Cisco FMC.

Correct Answer: BE

- (Exam Topic 5)
A network administrator is configuring a site-to-site IPsec VPN to a router sitting behind a Cisco FTD. The administrator has configured an access policy to allow traffic to this device on UDP 500, 4500, and ESP VPN traffic is not working. Which action resolves this issue?

1. A. Set the allow action in the access policy to trust.
2. B. Enable IPsec inspection on the access policy.
3. C. Modify the NAT policy to use the interface PAT.
4. D. Change the access policy to allow all ports.

Correct Answer: B

- (Exam Topic 3)
Which two statements about deleting and re-adding a device to Cisco FMC are true? (Choose two.)

1. A. An option to re-apply NAT and VPN policies during registration is available, so users do not need to re- apply the policies after registration is completed.
2. B. Before re-adding the device in Cisco FMC, you must add the manager back in the device.
3. C. No option to delete and re-add a device is available in the Cisco FMC web interface.
4. D. The Cisco FMC web interface prompts users to re-apply access control policies.
5. E. No option to re-apply NAT and VPN policies during registration is available, so users need to re-apply the policies after registration is completed.

Correct Answer: DE
Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide- v60/Device_Management_Basics.html

- (Exam Topic 1)
An organization has a Cisco FTD that uses bridge groups to pass traffic from the inside interfaces to the outside interfaces. They are unable to gather information about neighbouring Cisco devices or use multicast in their environment. What must be done to resolve this issue?

1. A. Create a firewall rule to allow CDP traffic.
2. B. Create a bridge group with the firewall interfaces.
3. C. Change the firewall mode to transparent.
4. D. Change the firewall mode to routed.

Correct Answer: C
"In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule..." "The bridge group does not pass CDP packets packets..." https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/general/asa-913-general-config/intro-f
Passing Traffic Not Allowed in Routed Mode
In routed mode, some types of traffic cannot pass through the ASA even if you allow it in an access rule. The bridge group, however, can allow almost any traffic through using either an access rule (for IP traffic) or an EtherType rule (for non-IP traffic):
IP traffic—In routed firewall mode, broadcast and "multicast traffic is blocked even if you allow it in an access rule," including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay). Within a bridge group, you can allow this traffic with an access rule (using an extended ACL).
Non-IP traffic—AppleTalk, IPX, BPDUs, and MPLS, for example, can be configured to go through using an EtherType rule.
Note
"The bridge group does not pass CDP packets packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. An exception is made for BPDUs and IS-IS, which are supported. "