
Firewall & Intrusion Prevention 2

September 4th, 2020

Question 1

Question 2

Explanation

The ASAv on AWS supports the following features:
+ Support for Amazon EC2 C5 instances, the next generation of the Amazon EC2 Compute Optimized instance family.
+ Deployment in the Virtual Private Cloud (VPC)
+ Enhanced networking (SR-IOV) where available
+ Deployment from Amazon Marketplace
+ Maximum of four vCPUs per instance
+ User deployment of L3 networks
+ Routed mode (default)

Note: The Cisco Adaptive Security Virtual Appliance (ASAv) runs the same software as physical Cisco ASAs to deliver proven security functionality in a virtual form factor. The ASAv can be deployed in the public AWS cloud. It can then be configured to protect virtual and physical data center workloads that expand, contract, or shift their location over time.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asav/quick-start-book/asav-96-qsg/asav-aws.html

Question 3

Question 4

Question 5

Explanation

The ASA and ASASM implementations of NetFlow Secure Event Logging (NSEL) provide a stateful, IP flow tracking method that exports only those records that indicate significant events in a flow.

The significant events that are tracked include flow-create, flow-teardown, and flow-denied (excluding those flows that are denied by EtherType ACLs).

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/monitor-nsel.html

Question 6

Question 7

Explanation

The Firepower System uses network discovery and identity policies to collect host, application, and user data for traffic on your network. You can use certain types of discovery and identity data to build a comprehensive map of your network assets, perform forensic analysis, behavioral profiling, access control, and mitigate and respond to the vulnerabilities and exploits to which your organization is susceptible.

You can configure your network discovery policy to perform host and application detection.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/introduction_to_network_discovery_and_identity.html

Question 8

Question 9

Explanation

The purpose of the commands above is to redirect traffic that matches the ACL “redirect-acl” to the Cisco FirePOWER (SFR) module in inline (normal) mode. In this mode, after undesired traffic is dropped and any other actions applied by policy are performed, the traffic is returned to the ASA for further processing and ultimate transmission.

The command “service-policy global_policy global” applies the policy to all of the interfaces.

Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

Question 10

Explanation

Cisco Firepower deployments can take advantage of platform settings policies. A platform settings policy is a shared set of features or parameters that define the aspects of a managed device that are likely to be similar to other managed devices in your deployment, such as time settings and external authentication. Examples of these platform settings policies are time and date settings, external authentication, and other common administrative features.

A shared policy makes it possible to configure multiple managed devices at once, which provides consistency in your deployment and streamlines your management efforts. Any changes to a platform settings policy affects all the managed devices where you applied the policy. Even if you want different settings per device, you must create a shared policy and apply it to the desired device.

For example, your organization’s security policies may require that your appliances have a “No Unauthorized Use” message when a user logs in. With platform settings, you can set the login banner once in a platform settings policy.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/platform_settings_policies_for_managed_devices.html

Therefore the answer should be “Platform Settings Policy”, not “Platform Service Policy”; but since that is the closest option offered, we have to choose it.

Question 11

Which two tasks allow NetFlow on a Cisco ASA 5500 Series firewall? (Choose two)

A. Enable NetFlow Version 9.
B. Create an ACL to allow UDP traffic on port 9996.
C. Apply NetFlow Exporter to the outside interface in the inbound direction.
D. Create a class map to match interesting traffic.
E. Define a NetFlow collector by using the flow-export command.


Answer: D E

Explanation

In order to configure NetFlow on a Cisco ASA 5500 Series firewall, the following minimum steps are needed:

1. Configuring NSEL Collectors:
flow-export destination interface-name ipv4-address | hostname udp-port
For example: hostname (config)# flow-export destination inside 209.165.200.225 2002

The destination keyword indicates that a NSEL collector is being configured. The interface-name argument is the name of the ASA and ASA Services Module interface through which the collector is reached. The ipv4-address argument is the IP address of the machine running the collector application. The hostname argument is the destination IP address or name of the collector. The udp-port argument is the UDP port number to which NetFlow packets are sent.

(-> Therefore we only need to tell the firewall the IP address on which the NetFlow “Collector” will be running. The NetFlow Exporter is not applied to any interface -> Answer C is not correct)

2. Define the class map that identifies the traffic for which NSEL events need to be exported.
3. Define the policy map that applies flow-export actions to the defined classes.
4. Add or edit the service policy globally.

An example of configuring NetFlow is shown below (using the minimum configuration):

ASA(config)# flow-export destination inside 10.254.254.234 2055 //Note: “inside” is the interface name of ASA through which the collector is reached
ASA(config)# policy-map global_policy
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# flow-export event-type all destination 10.254.254.234
ASA(config)# service-policy global_policy global

Question 12

A mall provides security services to customers with a shared appliance. The mall wants separation of management on the shared appliance. Which ASA deployment mode meets these needs?

A. routed mode
B. transparent mode
C. multiple context mode
D. multiple zone mode


Answer: C

Question 13

What is a characteristic of Firepower NGIPS inline deployment mode?

A. ASA with Firepower module cannot be deployed.
B. It cannot take actions such as blocking traffic.
C. It is out-of-band from traffic.
D. It must have inline interface pairs configured.


Answer: D

Question 14

An engineer wants to generate NetFlow records on traffic traversing the Cisco ASA. Which Cisco ASA command must be used?

A. flow-export destination inside 1.1.1.1 2055
B. ip flow monitor input
C. ip flow-export destination 1.1.1.1 2055
D. flow exporter


Answer: A

Explanation

The syntax of this command is: flow-export destination interface-name ipv4-address | hostname udp-port

This command is used on the Cisco ASA to configure the NetFlow Secure Event Logging (NSEL) collector to which NetFlow packets are sent. The destination keyword indicates that an NSEL collector is being configured.

+ The interface-name argument is the name of the ASA and ASA Services Module interface through which the collector is reached.
+ The ipv4-address argument is the IP address of the machine running the collector application.
+ The hostname argument is the destination IP address or name of the collector.
+ The udp-port argument is the UDP port number to which NetFlow packets are sent.

You can configure a maximum of five collectors. After a collector is configured, template records are automatically sent to all configured NSEL collectors.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_nsel.html
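What the collector configured in Q11 and Q14 actually receives, as an added example (not the page's or Cisco's code): a minimal NetFlow v9 / NSEL parser that caches the template records the ASA sends first and then decodes data records into the flow-create, flow-teardown and flow-denied events described in Q5. It assumes the field numbers from RFC 3954 and Cisco's ASA NetFlow implementation guide (field 233 is the firewall event type), and the export packet is constructed inline rather than captured from a real device.

```python
import struct
# Field types from RFC 3954 and Cisco's ASA NetFlow implementation guide;
# field 233 (NF_F_FW_EVENT) carries the NSEL "significant event" type.
FIELD_NAMES = {4: "protocol", 7: "src_port", 8: "src_addr", 11: "dst_port",
               12: "dst_addr", 233: "fw_event"}
FW_EVENT = {0: "ignore", 1: "flow-create", 2: "flow-teardown",
            3: "flow-denied", 5: "flow-update"}
def _decode(ftype, raw):
    if ftype in (8, 12):                        # IPv4 address fields
        return ".".join(str(b) for b in raw)
    val = int.from_bytes(raw, "big")
    return FW_EVENT.get(val, f"unknown({val})") if ftype == 233 else val
def parse_nsel_packet(pkt, templates):
    """Parse one NetFlow v9 export packet. Template FlowSets (id 0) are cached in
    `templates`; data seen before its template is skipped, never guessed."""
    if struct.unpack("!H", pkt[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20                       # skip the 20-byte v9 header
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4:                          # malformed FlowSet: stop
            break
        body, off = pkt[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:                          # template (one per FlowSet here)
            tid, n = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i])
                              for i in range(n)]
        elif fs_id in templates:                # data: decode with cached template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            for p in range(0, len(body) - rec_len + 1, rec_len):
                rec, q = {}, p
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field{ftype}")] = _decode(ftype, body[q:q + flen])
                    q += flen
                records.append(rec)
    return records
def build_sample_packet(with_template=True):
    """Constructed export: template 256, then a flow-create and a flow-denied record."""
    hdr = struct.pack("!HHIIII", 9, 3, 1000, 1599177600, 1, 0)
    layout = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]
    tbody = struct.pack("!HH", 256, len(layout)) + b"".join(struct.pack("!HH", *f) for f in layout)
    tmpl = struct.pack("!HH", 0, 4 + len(tbody)) + tbody
    def rec(src, dst, sport, dport, proto, event):          # made-up sample flows
        ip = lambda a: bytes(int(x) for x in a.split("."))
        return ip(src) + ip(dst) + struct.pack("!HHBB", sport, dport, proto, event)
    dbody = rec("10.1.1.5", "209.165.200.225", 51515, 443, 6, 1) + rec("10.1.1.9", "203.0.113.7", 40000, 23, 6, 3)
    data = struct.pack("!HH", 256, 4 + len(dbody)) + dbody
    return hdr + (tmpl if with_template else b"") + data
```

Because the ASA only re-sends templates periodically, a collector restarted mid-stream decodes nothing until the next template arrives; `build_sample_packet(with_template=False)` reproduces that case.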

Question 15

How many interfaces per bridge group does an ASA bridge group deployment support?

A. up to 2
B. up to 4
C. up to 8
D. up to 16


Answer: B

Explanation

Each of the ASA's interfaces needs to be grouped into one or more bridge groups. Each of these groups acts as an independent transparent firewall. It is not possible for one bridge group to communicate with another bridge group without assistance from an external router.

As of 8.4(1), up to 8 bridge groups are supported, with 2 to 4 interfaces in each group. Prior to this, only one bridge group was supported, with only 2 interfaces.

Up to 4 interfaces are permitted per bridge group (inside, outside, DMZ1, DMZ2).

Question 16

Which two application layer preprocessors are used by Firepower Next Generation Intrusion Prevention System? (Choose two)

A. packet decoder
B. SIP
C. modbus
D. inline normalization
E. SSL


Answer: B E

Explanation

Application layer protocols can represent the same data in a variety of ways. The Firepower System provides application layer protocol decoders that normalize specific types of packet data into formats that the intrusion rules engine can analyze. Normalizing application-layer protocol encodings allows the rules engine to effectively apply the same content-related rules to packets whose data is represented differently and obtain meaningful results.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Application_Layer_Preprocessors.html#ID-2244-0000080c

FirePower uses many preprocessors, including DNS, FTP/Telnet, SIP, SSL, SMTP, SSH preprocessors.

Comments (18)
  1. Phil
    September 6th, 2020

    Q11: could be correct answers CE or DE?

  2. Anonymous
    September 7th, 2020

    Q11: is it not D and E?

  3. Anonymous
    October 12th, 2020

    Q11: D and E seems to be more correct

  4. markluistro
    November 12th, 2020

    Q11: BDE

  5. markluistro
    November 12th, 2020

    sorry Q11: its ADE

  6. mac
    November 23rd, 2020

    Agree, is it D E? Can anyone confirm?

  7. yourman
    November 24th, 2020

    Should be E and D.

  8. bobo77
    January 20th, 2021

    Q9 why D and not B???

  9. Question 9
    February 5th, 2021

    why it’s not B ?
    as we can see in the commands only inside ip addresses are mentioned not DMZ can somebody explain ?

  10. JxLx
    March 20th, 2021

    Q11, I agree on D,E, as seen on Ivan link.
    Configuring NSEL
    _Configuring NSEL Collectors_
    flow-export destination command -> Adds, edits, or deletes an NSEL collector to which NetFlow packets are sent. (E)
    _Configuring Flow-Export Actions Through Modular Policy Framework_
    class-map flow_export_class command -> Defines the class map that identifies traffic for which NSEL events need to be exported (D)

  11. JxLx
    March 20th, 2021

    @bobo77, Q9 is D because DMZ network is included in the redirect-acl.

  12. Anonymous
    April 10th, 2021

    yes q11 is wrong here. @securitytut could you modify to DE?
    thanks

  13. AP
    October 2nd, 2021

    Which two tasks allow NetFlow on a Cisco ASA 5500 Series firewall? (Choose two)

    A. Enable NetFlow Version 9.
    B. Create an ACL to allow UDP traffic on port 9996.
    C. Apply NetFlow Exporter to the outside interface in the inbound direction.
    D. Create a class map to match interesting traffic.
    E. Define a NetFlow collector by using the flow-export command.

    Answer: C E

    Correct ANS should be – D E
    https://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/asa_netflow.html

    Please review “Configure NSEL Collectors (CLI)” section Step-1 &2

  14. YourFriendlyNeighboorhoodSpider-man
    October 7th, 2021

    Q11 I can confirm that D and E should be the answer.
    @securitytut please update this question.

  15. securitytut
    October 7th, 2021

    @all: Thanks for your detection, we updated Q11!

  16. MISHO
    October 21st, 2021

    Question 1
    Which statement about the configuration of Cisco ASA NetFlow v9 Secure Event Logging is true?
    A. To view bandwidth usage for NetFlow records, the QoS feature must be enabled.
    B. A sysopt command can be used to enable NSEL on a specific interface.
    C. NSEL can be used without a collector configured.
    D. A flow-export event type must be defined under a policy.
    Answer: D
    ————————————————————————————————————-
    Question 2
    Which feature is supported when deploying Cisco ASAv within AWS public cloud?
    A. multiple context mode
    B. user deployment of Layer 3 networks
    C. IPv6
    D. clustering
    Answer: B
    ————————————————————————————————————–
    Question 3
    Which statement describes a traffic profile on a Cisco Next Generation Intrusion Prevention System?
    A. It allows traffic if it does not meet the profile.
    B. It defines a traffic baseline for traffic anomaly deduction.
    C. It inspects hosts that meet the profile with more intrusion rules.
    D. It blocks traffic if it does not meet the profile.
    Answer: B
    —————————————————————————————————————–
    Question 4
    Which statement about IOS zone-based firewalls is true?
    A. An unassigned interface can communicate with assigned interfaces
    B. Only one interface can be assigned to a zone.
    C. An interface can be assigned to multiple zones.
    D. An interface can be assigned only to one zone.
    Answer: D
    —————————————————————————————————————–
    Question 5
    What is a characteristic of Cisco ASA Netflow v9 Secure Event Logging?
    A. It tracks flow-create, flow-teardown, and flow-denied events.
    B. It provides stateless IP flow tracking that exports all records of a specific flow.
    C. It tracks the flow continuously and provides updates every 10 seconds.
    D. Its events match all traffic classes in parallel.
    Answer: A
    ——————————————————————————————————————
    Question 6
    Which CLI command is used to register a Cisco FirePower sensor to Firepower Management Center?
    A. configure system add
    B. configure manager add host
    C. configure manager delete
    D. configure manager add
    Answer: D
    ——————————————————————————————————————-
    Question 7
    Which policy is used to capture host information on the Cisco Firepower Next Generation Intrusion Prevention System?
    A. Correlation
    B. Intrusion
    C. Access Control
    D. Network Discovery
    Answer: D
    ——————————————————————————————————————
    Question 8
    Which ASA deployment mode can provide separation of management on a shared appliance?
    A. DMZ multiple zone mode
    B. transparent firewall mode
    C. multiple context mode
    D. routed mode
    Answer: C
    ——————————————————————————————————————-
    Question 10
    Which policy represents a shared set of features or parameters that define the aspects of a managed device that are likely to be similar to other managed devices in a deployment?
    A. Group Policy
    B. Access Control Policy
    C. Device Management Policy
    D. Platform Service Policy
    Answer: D
    ———————————————————————————————————————
    Question 11
    Which two tasks allow NetFlow on a Cisco ASA 5500 Series firewall? (Choose two)
    A. Enable NetFlow Version 9.
    B. Create an ACL to allow UDP traffic on port 9996.
    C. Apply NetFlow Exporter to the outside interface in the inbound direction.
    D. Create a class map to match interesting traffic.
    E. Define a NetFlow collector by using the flow-export command.
    Answer: D E
