
Part 3

The document contains a series of technical questions related to configuring and troubleshooting Cisco Secure Firewall Threat Defense (FTD) devices and Cisco Secure Firewall Management Center (FMC). It covers various topics including policy configuration, network connectivity issues, packet capture, and security measures. Each question presents multiple-choice answers aimed at assessing knowledge of Cisco security appliances and their functionalities.

Uploaded by

cristeacalin

2/2/25, 1:14 PM SNCF Training » SNCF All Questions of Part 3

Question 1

An engineer is configuring a Cisco Secure Firewall Threat Defense device managed by Cisco Secure Firewall
Management Center. The device must have SSH enabled and be accessible from the inside interface for remote
administration. Which type of policy must the engineer configure to accomplish this?

A. prefilter
B. identity
C. access control
D. platform settings

Question 2

Remote users who connect via Cisco AnyConnect to the corporate network behind a Cisco FTD device report that they
get no audio when calling between remote users using their softphones. These same users can call internal users on
the corporate network without any issues. What is the cause of this issue?

A. Split tunneling is enabled for the Remote Access VPN on FTD.


B. The hairpinning feature is not available on FTD.
C. The Enable Spoke to Spoke Connectivity through Hub option is not selected on FTD.
D. FTD has no NAT policy that allows outside to outside communication.

Question 3

An engineer is configuring multiple Cisco FTD appliances for use in the network. Which rule must the
engineer follow while defining interface objects in Cisco FMC for use with interfaces across multiple devices?

A. Two security zones can contain the same interface.


B. Interface groups can contain interfaces from many devices.
C. An interface cannot belong to a security zone and an interface group.
D. Interface groups can contain multiple interface types.

Question 4

An engineer is troubleshooting a device that cannot connect to a web server. The connection is initiated
from the Cisco FTD inside interface and is attempting to reach [Link] over the non-standard port of 9443. The host
the engineer is attempting the connection from is at the IP address of [Link]. In order to determine what is
happening to the packets on the network, the engineer decides to use the FTD packet capture tool. Which capture
configuration should be used to gather the information needed to troubleshoot this issue?

Option A


Option B

Option C


Option D

A. Option A
B. Option B
C. Option C
D. Option D

Question 5

A security engineer must create a malware and file policy on a Cisco Secure Firewall Threat Defense device. The
solution must ensure that PDF, DOCX, and XLSX files are not sent to Cisco Secure Malware Analytics. What must be
configured to meet the requirements?

A. local malware analysis


B. dynamic analysis
C. Spero analysis
D. capacity handling

Question 6

An engineer must investigate a connectivity issue from an endpoint behind a Cisco FTD device and a public DNS server.
The endpoint cannot perform name resolution queries. Which action must the engineer perform to troubleshoot the
issue by simulating real DNS traffic on the Cisco FTD while verifying the Snort verdict?

A. Use the Capture w/Trace wizard in Cisco FMC.


B. Run the system support firewall-engine-debug command from the FTD CLI.
C. Create a Custom Workflow in Cisco FMC.
D. Perform a Snort engine capture using tcpdump from the FTD CLI.

Question 7

A network engineer is deploying a Cisco Firepower 4100 appliance and must configure a multi-instance
environment for high availability. Drag and drop the actions from the left into sequence on the right for this
configuration.

Add a MAC pool prefix and view the MAC addresses for the container instance interfaces
Configure interfaces
Add a high-availability pair
Add a resource profile for container instances
Add a Standalone Firepower Threat Defense for Cisco Secure Firewall Management Center

Question 8

A Cisco Secure Firewall Threat Defense device is configured in inline IPS mode to inspect all traffic that
passes through the interfaces in the inline set. Which setting in the inline set configuration must be selected to allow
traffic to pass through uninterrupted when VDB updates are being applied?

A. Strict TCP Enforcement


B. Tap Mode
C. Propagate Link State
D. Snort Fail Open

Question 9

Cisco SecureX is classified as which type of threat detection and response solution?

A. MDR
B. NDR
C. EDR
D. XDR

Question 10

An engineer is configuring a custom intrusion rule on Cisco FMC. The engineer needs the rule to search the payload or
stream for the string “|44 78 97 13 2 0A|”. Which keyword must the engineer use with this string to create an
argument for packet inspection?

A. metadata
B. protected_content
C. content
D. data

Question 11

A network engineer must configure IPS mode on a Secure Firewall Threat Defense device to inspect traffic and act as
an IDS. The engineer already configured the passive-interface on the Secure Firewall Threat Defense device and SPAN
on the switch. What must be configured next by the engineer?

A. intrusion policy on the Secure Firewall Threat Defense device


B. active interface on the Secure Firewall Threat Defense device
C. DHCP on the switch
D. active SPAN port on the switch

Question 12

A network engineer is planning on deploying a Cisco Secure Firewall Threat Defense Virtual appliance in transparent
mode. Which two virtual environments support this configuration? (Choose two)

A. KVM
B. ESXi

C. GCP
D. OSI
E. AWS

Question 13

What is the result when two users modify a VPN policy at the same time on a Cisco Secure Firewall Management
Center managed device?

A. The first user locks the configuration when selecting edit on the policy
B. Both users can edit the policy and the last saved configuration persists
C. The changes from both users will be merged together into the policy
D. The system prevents modifications to the policy by multiple users

Question 14

Cisco Security Analytics and Logging SaaS licenses come with how many days of data retention by default?

A. 120
B. 365
C. 90
D. 60

Question 15

A Cisco FMC administrator wants to configure fastpathing of trusted network traffic to increase performance. In which
type of policy would the administrator configure this feature?

A. Identity policy
B. Prefilter policy
C. Intrusion policy
D. Network Analysis policy

Question 16

An organization is installing a new Cisco FTD appliance in the network. An engineer is tasked with configuring access
between two network segments within the same IP subnet. Which step is needed to accomplish this task?

A. Permit BPDU packets to prevent loops.


B. Assign an IP address to the Bridge Virtual Interface.
C. Add a separate bridge group for each segment.
D. Specify a name for the bridge group.

Question 17

An engineer is configuring two new Cisco FTD devices to replace the existing high availability firewall pair in a highly
secure environment. The information exchanged between the FTD devices over the failover link must be encrypted.
Which protocol supports this on the Cisco FTD?

A. SSL
B. MACsec
C. IPsec
D. SSH

Question 18

An engineer must configure the firewall to monitor traffic within a single subnet without increasing the hop count of
that traffic. How would the engineer achieve this?

A. Configure Cisco Firepower as a transparent firewall.


B. Configure Cisco Firepower in FXOS monitor only mode.
C. Set up Cisco Firepower as managed by Cisco FDM.
D. Set up Cisco Firepower in intrusion prevention mode.

Question 19

Which file format can standard reports from Cisco Secure Firewall Management Center be downloaded in?

A. xls
B. doc
C. csv
D. ppt

Question 20

A security engineer must configure a Cisco FTD appliance to inspect traffic coming from the internet. The internet
traffic will be mirrored from the Cisco Catalyst 9300 Switch. Which configuration accomplishes the task?

A. Set interface configuration mode to passive


B. Set the firewall mode to transparent
C. Set interface configuration mode to none
D. Set the firewall mode to routed

Question 21

A security engineer needs to configure a network discovery policy on a Cisco FMC appliance and prevent excessive
network discovery events from overloading the FMC database. Which action must be taken to accomplish this task?

A. Monitor only the default IPv4 and IPv6 network ranges.


B. Change the network discovery method to TCP/SYN.
C. Exclude load balancers and NAT devices in the policy.
D. Configure NetFlow exporters for monitored networks.

Question 22

An engineer is configuring a custom application detector for HTTP traffic and wants to import a file that was provided
by a third party. Which type of files are advanced application detectors created and uploaded as?

A. Perl script
B. NBAR protocol
C. LUA script
D. Python program

Question 23

Which action must be taken on the Cisco FMC when a packet bypass is configured in case the Snort
engine is down or a packet takes too long to process?

A. Configure Fastpath rules to bypass inspection


B. Add a Bypass Threshold policy for failures
C. Enable Automatic Application Bypass
D. Enable Inspect Local Router Traffic

Question 24

When using Cisco Threat Response, which phase of the Intelligence Cycle publishes the results of the investigation?

A. analysis
B. direction
C. processing
D. dissemination

Question 25

An engineer defines a new rule while configuring an Access Control Policy. After deploying the policy, the rule is not
working as expected and the hit counters associated with the rule are showing zero. What is causing this error?

A. The wrong source interface for Snort was selected in the rule.
B. Logging is not enabled for the rule.
C. An incorrect application signature was used in the rule.
D. The rule was not enabled after being created.

Question 26

A network administrator wants to block traffic to a known malware site at [Link] and all subdomains
while ensuring no packets from any internal client are sent to that site. Which type of policy must the network
administrator use to accomplish this goal?

A. SSL policy
B. DNS policy
C. Prefilter policy
D. Access Control policy with URL filtering

Question 27

An engineer is attempting to add a new FTD device to their FMC behind a NAT device with a NAT ID of ACME001 and a
password of Cisco388267669. Which command set must be used in order to accomplish this?

A. configure manager add DONTRESOLVE <FMC IP> AMCE001 <registration key>


B. configure manager add <FMC IP> <registration key> ACME001
C. configure manager add ACME001 <registration key> <FMC IP>
D. configure manager add <FMC IP> ACME0O1 <registration key>

Question 28

An engineer wants to perform a packet capture on the Cisco FTD to confirm that the host using IP address
[Link] has the MAC address of 0042.8935.603 to help troubleshoot a connectivity issue. What is the
correct tcpdump command syntax to ensure that the MAC address appears in the packet capture output?

A. -w [Link] -s 1518 host [Link] mac


B. -nm src [Link]
C. -w [Link] -s 1518 host [Link] ether
D. -ne src [Link]

Question 29

Refer to the exhibit.

An engineer is modifying an access control policy to add a rule to inspect all DNS traffic that passes through the
firewall. After making the change and deploying the policy, they see that DNS traffic is not being inspected by the
Snort engine. What is the problem?

A. The rule is configured with the wrong setting for the source port.
B. The rule must specify the security zone that originates the traffic.
C. The rule must define the source network for inspection as well as the port.
D. The action of the rule is set to trust instead of allow.

Question 30

An administrator needs to configure Cisco FMC to send a notification email when a data transfer larger
than 10 MB is initiated from an internal host outside of standard business hours. Which Cisco FMC feature must be
configured to accomplish this task?

A. correlation policy
B. intrusion policy
C. file and malware policy
D. application detector

Question 31

An organization is implementing Cisco FTD using transparent mode in the network. Which rule in the
default Access Control Policy ensures that this deployment does not create a loop in the network?

A. ARP inspection is enabled by default.


B. ARP packets are allowed by default.
C. STP BPDU packets are allowed by default.
D. Multicast and broadcast packets are denied by default.

Question 32

The security engineer reviews the syslog server events of an organization and sees many outbound
connections to malicious sites initiated from hosts running Cisco Secure Endpoint. The hosts are on a separate network
from the Cisco FTD device. Which action blocks the connections?

A. Add the IP addresses of the malicious sites to the access control policy on the Cisco FMC
B. Add a Cisco Secure Endpoint policy with the Tetra and Spero engines enabled
C. Modify the access control policy on the Cisco FMC to block malicious outbound connections
D. Modify the policy on Cisco Secure Endpoint to enable DFC

Question 33

A security engineer is adding three Cisco FTD devices to a Cisco FMC. Two of the devices have successfully registered
to the Cisco FMC. The device that is unable to register is located behind a router that translates all outbound traffic to
the router’s WAN IP address. Which two steps are required for this device to register to the Cisco FMC? (Choose two)

A. Remove the IP address defined for the device in the Cisco FMC.
B. Configure a NAT ID on both the Cisco FMC and the device.
C. Add the port number being used for PAT on the router to the device’s IP address in the Cisco FMC.
D. Reconfigure the Cisco FMC to use the device’s hostname instead of IP address.
E. Reconfigure the Cisco FMC to use the device’s private IP address instead of the WAN address.

Question 34

An engineer must deploy a Cisco FTD device. Management wants to examine traffic without requiring network changes
that will disrupt end users. Corporate security policy requires the separation of management traffic from data traffic
and the use of SSH over Telnet for remote administration. How must the device be deployed to meet these
requirements?

A. in transparent mode with a management interface


B. in routed mode with a bridge virtual interface
C. in transparent mode with a data interface
D. in routed mode with a diagnostic interface

Question 35

An engineer has been tasked with performing an audit of network objects to determine which objects are duplicated
across the various firewall models (Cisco Secure Firewall Threat Defense, Cisco Secure Firewall ASA, and Meraki MX
Series) deployed throughout the company. Which tool will assist the engineer in performing that audit?

A. Cisco Firepower Device Manager


B. Cisco Defense Orchestrator
C. Cisco SecureX
D. Cisco Secure Firewall Management Center

Question 36

A network engineer is planning on replacing an Active/Standby pair of physical Cisco Secure Firewall ASAs with a pair
of Cisco Secure Firewall Threat Defense Virtual appliances. Which two virtual environments support the current High
Availability configuration? (Choose two)

A. Azure
B. KVM
C. AWS
D. ESXi
E. Openstack

Question 37

Which two considerations must be made when deleting and re-adding devices while managing them via Cisco FMC?
(Choose two)

A. No option to re-apply NAT and VPN policies during registration is available, so users need to re-apply the
policies after registration is completed.
B. Before re-adding the device in Cisco FMC, the manager must be added back.
C. An option to re-apply NAT and VPN policies during registration is available, so users do not need to re-apply the
policies after registration is completed.
D. The Cisco FMC web interface prompts users to re-apply access control policies.
E. Once a device has been deleted, it must be reconfigured before it is re-added to the Cisco FMC.

Question 38

A company is deploying a Cisco Secure IPS device configured in inline mode with a single interface set
that contains four interface pairs. Which two configurations must be implemented to allow the IPS device to uniquely
identify packet flows and prevent the reporting of duplicate traffic and false positives? (Choose two)

A. Reassign the interface pairs to separate inline sets


B. Modify the security zones used by the Cisco Secure IPS device
C. Reconfigure access rules to drop all but the first occurrence of the packet
D. Set the source SPAN ports to tx only on the switches connected to the IPS interfaces
E. Change the MTU for the inline set to at least 1518

Question 39

Network users are experiencing intermittent issues with internet access. An engineer identified that the issue is being
caused by NAT exhaustion. How must the engineer change the dynamic NAT configuration to provide internet access
for more users without running out of resources?

A. Configure fallthrough to interface PAT on the Advanced tab.


B. Convert the dynamic auto NAT rule to dynamic manual NAT.
C. Add an identity NAT rule to handle the overflow of users.
D. Define an additional static NAT for the network object in use.

Question 40

When a Cisco FTD device is configured in transparent firewall mode, on which two interface types can an IP address be
configured? (Choose two)

A. Subinterface
B. BVI
C. Physical
D. EtherChannel

E. Diagnostic

Question 41

An administrator configures new threat intelligence sources and must validate that the feeds are being downloaded and
that the intelligence is being used within the Cisco Secure Firewall system. Which action accomplishes the task?

A. Look at the connection security intelligence events


B. View the threat intelligence observables to see the downloaded data
C. Use the source status indicator to validate the usage
D. Look at the access control policy to validate that the intelligence is being used

Question 42

With Cisco FTD software, which interface mode must be configured to passively receive traffic that passes through the
appliance?

A. tap
B. ERSPAN
C. firewall
D. IPS-only

Question 43

A network administrator must create an EtherChannel interface on a Cisco Secure Firewall Threat Defense 9300
appliance registered with Cisco Secure Firewall Management Center for High Availability. Where must the administrator
create the EtherChannel interface?

A. Cisco Secure Firewall Management Center CLI


B. Cisco Secure Firewall Management Center GUI
C. Firepower extensible Operating System (FXOS) CLI
D. Cisco Secure Firewall Threat Defense CLI

Question 44

What is the role of realms in the Cisco ISE and Cisco FMC integration?

A. Cisco Secure Firewall VDC


B. Cisco ISE context
C. TACACS+ database
D. AD definition

Question 45

An administrator is configuring a transparent Cisco FTD device to receive ERSPAN traffic from multiple switches on a
passive port, but the FTD is not processing the traffic. What is the problem?

A. The switches were not set up with a monitor session ID that matches the flow ID defined on the FTD.
B. The FTD must be configured with an ERSPAN port, not a passive port.
C. The FTD must be in routed mode to process ERSPAN traffic.
D. The switches do not have Layer 3 connectivity to the FTD device for GRE traffic transmission.

Question 46

Which two statements are valid regarding the licensing model used on Cisco Secure Firewall Threat Defense Virtual
appliances? (Choose two)

A. All licenses support a maximum of 250 VPN peers.


B. Licenses can be used on both physical and virtual appliances
C. All licenses support up to 16 vCPUs
D. All licenses require 500G of available storage for the VM
E. Licenses can be used on any supported cloud platform

Question 47

Which two features can be used with Cisco Secure Firewall Threat Defense remote access VPN? (Choose two)

A. use of license utilization for zero-touch network deployment


B. SSL remote access VPN supports port sharing with other Cisco FTD features using SSL port 443
C. enable Duo two-factor authentication using LDAPS
D. support for Cisco Secure Firewall 4100 Series in cluster mode
E. support for Rapid Threat Containment using RADIUS dynamic authorization

Question 48

A consultant is working on a project where the customer is upgrading from a single Cisco Firepower 2130 managed by
FDM to a pair of Cisco Firepower 2130s managed by FMC for high availability. The customer wants the configuration of
the existing device being managed by FDM to be carried over to FMC and then replicated to the additional device being
added to create the high availability pair. Which action must the consultant take to meet this requirement?

A. The current FDM configuration will be converted automatically into FMC when the device registers.
B. The FTD configuration must be converted to ASA command format, which can then be migrated to FMC.
C. The current FDM configuration must be migrated to FMC using the Secure Firewall Migration Tool.
D. The current FDM configuration must be configured by hand into FMC before the devices are registered.

Question 49

An engineer is configuring URL filtering for a Cisco FTD device in Cisco FMC. Users must receive a warning when they
access [Link] with the option of continuing to the website if they choose to. No other websites
should be blocked. Which two actions must the engineer take to meet these requirements? (Choose two)

A. Configure the default action for the access control policy to Interactive Block.
B. Configure an access control rule that matches an URL object for [Link] and set the action
to Interactive Block.
C. On the HTTP Responses tab of the access control policy editor, set the Interactive Block Response Page to system
provided.
D. Configure an access control rule that matches the Adult URL category and set the action to Interactive Block.
E. On the HTTP Responses tab of the access control policy editor, set the Block Response Page to Custom.

Question 50

An engineer is setting up a remote access VPN on a Cisco FTD device and wants to define which traffic
gets sent over the VPN tunnel. Which named object type in Cisco FMC must be used to accomplish this task?

A. split tunnel
B. access list
C. crypto map
D. route map

Question 51

A network administrator is configuring a site-to-site IPsec VPN to a router sitting behind a Cisco FTD. The administrator
has configured an access policy to allow traffic to this device on UDP 500, 4500, and ESP. VPN traffic is not working.
Which action resolves this issue?

A. Modify the NAT policy to use the interface PAT.


B. Enable IPsec inspection on the access policy.
C. Set the allow action in the access policy to trust.
D. Change the access policy to allow all ports.

Question 52

An administrator is adding a QoS policy to a Cisco FTD deployment. When a new rule is added to the
policy and QoS is applied on “Interfaces in Destination Interface Objects”, no interface objects are available. What is
the problem?

A. The network segments that the interfaces are on do not have contiguous IP space.
B. QoS is available only on routed interfaces, and this device is in transparent mode.
C. The FTD is out of available resources for use, so QoS cannot be added.
D. A conflict exists between the destination interface types that is preventing QoS from being added.

Question 53

An engineer must configure a Cisco FMC dashboard in a multidomain deployment. Which action must the engineer take
to edit a report template from an ancestor domain?

A. Copy it to the current domain.


B. Assign themselves ownership of it
C. Change the document attributes.
D. Add it as a separate widget

Question 54

A network administrator is troubleshooting access to a website hosted behind a Cisco FTD device. External clients
cannot access the web server via HTTPS. The IP address configured on the web server is [Link]. The
administrator is running the command capture CAP interface outside match ip any [Link]
[Link] but cannot see any traffic in the capture. Why is this occurring?

A. The access policy is blocking the traffic


B. The FTD has no route to the web server
C. The capture must use the public IP address of the web server.
D. The packet capture shows only blocked traffic

Question 55

Drag and drop the steps to restore an automatic device registration failure on the standby Cisco FMC
from the left into the correct order on the right. Not all options are used.


Question 56

An engineer is configuring a new dashboard within Cisco Secure Firewall Management Center and is having trouble
implementing a custom widget. When a custom analysis widget is configured, which option is mandatory for the
system to display the information?

A. title
B. table
C. filter
D. results

Question 57

An organization created a custom application that is being flagged by Cisco Secure Endpoint. The application must be
exempt from being flagged. What is the process to meet the requirement?

A. Configure the custom application to use the information-store paths


B. Precalculate the hash value of the custom application and add it to the allowed applications
C. Modify the custom detection list to exclude the custom application
D. Add the custom application to the DFC list and update the policy

Question 58

A network administrator is reviewing a weekly scheduled attacks risk report and notices a host that is flagged for an
Impact 2 attack. Where should the administrator look within Cisco FMC to find out more relevant information about this
host and attack?

A. Analysis > Lookup > Whois


B. Analysis > Correlation > Correlation Events
C. Analysis > Hosts > Host Attributes
D. Analysis > Hosts > Vulnerabilities

Question 59

While configuring FTD, a network engineer wants to ensure that traffic passing through the appliance
does not require routing or VLAN rewriting. Which interface mode should the engineer implement to accomplish this
task?

A. transparent
B. passive
C. inline set
D. inline tap

Question 60

An engineer plans to reconfigure an existing Cisco FTD from transparent mode to routed mode. Which additional action
must be taken to maintain communication between the two network segments?

A. Assign a unique VLAN ID for the interface in each segment.


B. Deploy inbound ACLs on each interface to allow traffic between the segments.
C. Update the IP addressing so that each segment is a unique IP subnet.
D. Configure a NAT rule so that traffic between the segments is exempt from NAT.

Question 61

Encrypted Visibility Engine (EVE) is enabled under which tab on an access control policy in Cisco Secure
Firewall Management Center?

A. Network Analysis Policy


B. SSL
C. Advanced
D. Security Intelligence

Question 62

An engineer is creating an URL object on Cisco FMC. How must it be configured so that the object will match for HTTPS
traffic in an access control policy?

A. Define the path to the individual webpage that uses HTTPS.


B. Use the subject common name from the website certificate.
C. Specify the protocol to match (HTTP or HTTPS).
D. Use the FQDN including the subdomain for the website.

Question 63

An organization is configuring a new Cisco Firepower High Availability deployment. Which action must be
taken to ensure that failover is as seamless as possible to end users?

A. Set up a virtual failover MAC address between chassis.


B. Use a dedicated stateful link between chassis.
C. Load the same software version on both chassis.
D. Set the same FQDN for both chassis.

Question 64

A network engineer is deploying a pair of Cisco Secure Firewall Threat Defense devices managed by Cisco Secure
Firewall Management Center for High Availability. Internet access is a high priority for the business and therefore they
have invested in internet circuits from two different ISPs. The requirement from the customer is that internet access
must be available to their users even if one of the ISPs is down. Which two features must be deployed to achieve this
requirement? (Choose two)


A. Redundant interfaces
B. BGP
C. SLA Monitor
D. Route Tracking
E. Etherchannel interfaces

Question 65

A software development company hosts the website [Link] for contractors to share code for
projects they are working on with internal developers. The web server is on premises and is protected by a Cisco
Secure Firewall Threat Defense appliance. The network administrator is worried about someone trying to transmit
infected files to internal users via this site. Which type of policy must be associated with an access control policy to
enable Cisco Secure Firewall Malware Defense to detect and block malware?

A. prefilter policy
B. network discovery policy
C. SSL policy
D. file policy

Question 66

When an engineer captures traffic on a Cisco Secure Firewall Threat Defense device to troubleshoot a connectivity
problem, they receive a large amount of output data in the GUI tool. The engineer found that viewing the captures this
way is time-consuming and difficult to sort and filter. Which file type must the engineer export the data in so that it can
be reviewed using a tool built for this type of analysis?

A. NetFlow v5
B. IPFIX
C. PCAP
D. NetFlow v9

Question 67

What must be implemented on Cisco Firepower to allow multiple logical devices on a single physical device to have
access to external hosts?

A. Add one shared management interface on all logical devices.
B. Add at least two container instances from the same module.
C. Set up a cluster control link between all logical devices.
D. Define VLAN subinterfaces for each logical device.

Question 68

A network administrator is configuring a BVI interface on a routed FTD. The administrator wants to isolate traffic on the
interfaces connected to the bridge group and not have the FTD route this traffic using the routing table. What must be
configured?

A. IP routing must be removed from the physical interfaces connected to the BVI
B. A new VRF must be created for the BVI interface
C. An IP address must be configured on the BVI
D. The BVI interface must be configured for transparent mode

Question 69

A company is deploying Cisco Secure Firewall Threat Defense with IPS. What must be implemented in inline mode to
pass the traffic without inspection during spikes and ensure that network traffic is kept?

A. Increase the MTU to 9000
B. Set the Snort Failsafe option
C. Select Propagate Link State
D. Change the interface mode to Routed

Question 70

A network administrator reviews the attack risk report and notices several Low-Impact attacks. What does this type of
attack indicate?

A. The attacks are not dangerous to the network.
B. All attacks are listed as low until manually categorized.
C. The host is not within the administrator’s environment.
D. The host is not vulnerable to those attacks.

Question 71

Refer to the exhibit.

An engineer is analyzing a Network Risk Report from Cisco FMC. Which application must the engineer take immediate
action against to prevent unauthorized network use?

A. TOR
B. Kerberos
C. YouTube
D. Chrome

Question 72

A company is deploying intrusion protection on multiple Cisco FTD appliances managed by Cisco FMC. Which system-
provided policy must be selected if speed and detection are priorities?

A. Security Over Connectivity
B. Maximum Detection
C. Balanced Security and Connectivity
D. Connectivity Over Security

Question 73

A security engineer must configure policies for a recently deployed Cisco FTD. The security policy for the company
dictates that when five or more connections from external sources are initiated within 2 minutes, there is cause for
concern. Which type of policy must be configured in Cisco FMC to generate an alert when this condition is triggered?

A. correlation
B. access control
C. intrusion
D. application detector

Question 74

A company is deploying Cisco Secure Endpoint private cloud. The Secure Endpoint private cloud instance
has already been deployed by the server administrator. The server administrator provided the hostname of the private
cloud instance to the network engineer via email. What additional information does the network engineer require from
the server administrator to be able to make the connection to Secure Endpoint private cloud in Cisco Secure Firewall
Management Center?

A. Username and password to the Secure Endpoint private cloud instance
B. SSL certificate for the Secure Endpoint private cloud instance
C. Internet access for the Secure Endpoint private cloud to reach the Secure Endpoint public cloud
D. IP address and port number for the connection proxy

Question 75

Drag and drop the configuration steps from the left into the sequence on the right to enable external
authentication on Cisco FMC to a RADIUS server.

Configuration steps (left):

- Select Users and External Authentication
- Add External Authentication Object
- Select Authentication Method and RADIUS
- Configure the primary and secondary servers and user roles

Sequence (right): Step 1, Step 2, Step 3, Step 4

Question 76

An administrator is configuring the interface of a Cisco Secure Firewall Threat Defense firewall device in a passive IPS
deployment. The device and interface have been identified. Which set of configuration steps must the administrator
perform next to complete the implementation?

A. Modify the interface to retransmit received traffic. Associate the interface with a security zone. Set the MTU
parameter
B. Modify the interface to retransmit received traffic. Associate the interface with a security zone. Enable the interface.
Set the MTU parameter
C. Set the interface mode to passive. Associate the interface with a security zone. Enable the interface. Set the MTU
parameter
D. Set the interface mode to passive. Associate the interface with a security zone. Set the MTU parameter. Reset the
interface

Question 77

An engineer is troubleshooting HTTP traffic to a web server using the packet capture tool on Cisco FMC. When
reviewing the captures, the engineer notices that there are a lot of packets that are not sourced from or destined to
the web server being captured. How can the engineer reduce the strain of capturing packets for irrelevant traffic on the
Cisco FTD device?

A. Use the host filter in the packet capture to capture traffic to or from a specific host.
B. Use the -c option to restrict the packet capture to only the first 100 packets.
C. Use an access-list within the packet capture to permit only HTTP traffic to and from the web server.
D. Redirect the packet capture output to a .pcap file that can be opened with Wireshark.

Question 78

An external vendor is reporting that they are unable to access an ordering website hosted behind a Cisco Secure
Firewall Threat Defense device. The administrator of the device wants to verify that the access policy and NAT policy
are configured correctly to allow traffic from the public IP of the external vendor to TCP port 443 on the web server.
Which two Cisco Secure Firewall Management Center tools must the administrator use to verify which rules the traffic
from the external vendor is matching? (Choose two)

A. Packet Capture
B. Packet Tracer
C. Generate Troubleshooting File
D. File Download
E. Threat Defense CLI

Question 79

A network administrator notices that SI events are not being updated. The Cisco FTD device is unable to load all of the
SI event entries and traffic is not being blocked as expected. What must be done to correct this issue?

A. Replace the affected devices with devices that provide more memory.
B. Manually update the SI event entries so that the appropriate traffic is blocked.
C. Restart the affected devices in order to reset the configurations.
D. Redeploy configurations to affected devices so that additional memory is allocated to the SI module

Question 80

A security engineer must integrate an external feed containing STIX/TAXII data with Cisco FMC. Which feature must be
enabled on the Cisco FMC to support this connection?

A. Threat Intelligence Director
B. Cisco Secure Endpoint Integration
C. Security Intelligence Feeds
D. Cisco Success Network

Question 81

A network administrator must create an EtherChannel interface on a new Cisco Firepower 9300 appliance
registered with an FMC for high availability. Where must the administrator create the EtherChannel interface?

A. FXOS CLI
B. FMC GUI
C. FTD CLI
D. FMC CLI

Question 82

A security engineer is deploying Cisco Secure Endpoint to detect a zero day malware attack with an SHA-256 hash
of 47ea931f3e8dc25ec0b0885a80663e30ea013d493f8e88224b570a0464084628. What must be configured in Cisco
Secure Endpoint to enable the application to take action based on this hash?

A. transform set
B. correlation policy
C. access control rule
D. custom detection list

Question 83

What is a limitation to consider when running a dynamic routing protocol on a Cisco FTD device in IRB
mode?

A. Only link-state routing protocols are supported.
B. Only EtherChannel interfaces are supported.
C. Only nonbridge interfaces are supported.
D. Only distance vector routing protocols are supported.

Question 84

An engineer must deploy a Cisco FTD appliance via Cisco FMC to span a network segment to detect malware and
threats. When setting the Cisco FTD interface mode, which sequence of actions meets this requirement?

A. Set to passive, and configure an access control policy with an intrusion policy and a file policy defined.
B. Set to passive, and configure an access control policy with a prefilter policy defined.
C. Set to none, and configure an access control policy with a prefilter policy defined.
D. Set to none, and configure an access control policy with an intrusion policy and a file policy defined.

Question 85

Which rule action is only available in Snort 3?

A. Rewrite
B. Alert
C. Pass
D. Generate

Question 86

An engineer needs to configure remote storage on Cisco FMC. Configuration backups must be available from a secure
location on the network for disaster recovery. Reports need to back up to a shared location that auditors can access
with their Active Directory logins. Which strategy must the engineer use to meet these objectives?

A. Use NFS for both backups and reports.
B. Use SMB for backups and NFS for reports.
C. Use SMB for both backups and reports.
D. Use SSH for backups and NFS for reports.

Question 87

A network administrator is reviewing a monthly advanced malware risk report and notices a host that is listed as CnC
Connected. Where must the administrator look within Cisco FMC to further determine if this host is infected with
malware?

A. Analysis > Files > Network File Trajectory
B. Analysis > Hosts > Indications of Compromise
C. Analysis > Files > Malware Events
D. Analysis > Hosts > Host Attributes

Question 88

Network traffic coming from an organization’s CEO must never be denied. Which access control policy
configuration option should be used if the deployment engineer is not permitted to create a rule to allow all traffic?

A. Create a NAT policy just for the CEO.
B. Configure firewall bypass.
C. Configure a trust policy for the CEO.
D. Change the intrusion policy from security to balance.

Question 89

Which process should be checked when troubleshooting registration issues between Cisco FMC and managed devices to
verify that secure communication is occurring?

A. fpcollect
B. sfmgr
C. dhclient
D. sftunnel

Question 90

An engineer is configuring a Cisco Secure Firewall Threat Defense device and wants to create a new intrusion rule
based on the detection of a specific pattern in the data payload for a new zero-day exploit. Which keyword type must
be used to add a line that identifies the author of the rule and the date it was created?

A. reference
B. metadata
C. gtp_info
D. content

Question 91

Which default action setting in a Cisco FTD Access Control Policy allows all traffic from an undefined application to pass
without Snort inspection?

A. Network Discovery Only
B. Intrusion Prevention
C. Trust All Traffic
D. Inherit from Base Policy

Question 92

An engineer is configuring a Cisco FTD device to place on the Finance VLAN to provide additional
protection for company financial data. The device must be deployed without requiring any changes on the end user
workstations, which currently use DHCP to obtain an IP address. How must the engineer deploy the device to meet this
requirement?

A. Deploy the device in transparent mode and enable the DHCP Server feature.
B. Deploy the device in routed mode and allow DHCP traffic in the access control policies.
C. Deploy the device in transparent mode and allow DHCP traffic in the access control policies.
D. Deploy the device in routed mode and enable the DHCP Relay feature.
