Topic 1: Exam Pool A
Which technology is used to improve web traffic performance by proxy caching?
A. WSA
B. Firepower
C. FireSIGHT
D. ASA
Answer: A. WSA
Using Cisco Cognitive Threat Analytics, which platform automatically blocks risky sites, and tests unknown sites for hidden advanced threats before allowing users to click them?
A. Cisco Identity Services Engine
B. Cisco Enterprise Security Appliance
C. Cisco Web Security Appliance
D. Cisco Advanced Stealthwatch Appliance
Answer: C. Cisco Web Security Appliance
What is the benefit of integrating Cisco ISE with a MDM solution?
A. It provides compliance checks for access to the network
B. It provides the ability to update other applications on the mobile device
C. It provides the ability to add applications to the mobile device through Cisco ISE
D. It provides network device administration access
Explanation
The integration between Cisco Identity Services Engine (ISE) and a Mobile Device Management (MDM) solution is a cornerstone of a secure BYOD (Bring Your Own Device) strategy. The primary benefit is posture assessment and compliance enforcement.
Here's how it works:
A user connects to the network with their mobile device.
Cisco ISE, acting as the network policy manager, identifies the device and queries the integrated MDM system (like VMware Workspace ONE, Microsoft Intune, or Jamf) for the device's compliance status.
The MDM provides attributes about the device, such as:
Is the device jailbroken or rooted?
Is a passcode enabled?
Is the operating system up to date?
Are specific security applications installed and running?
Based on this compliance information received from the MDM, ISE makes an authorization decision. It can grant full network access, place the device in a quarantine VLAN for remediation, or deny access entirely.
This ensures that only compliant and secure devices are allowed onto the corporate network.
Why the other options are incorrect:
B. It provides the ability to update other applications on the mobile device:
The MDM itself manages application updates. ISE's role is to check the state of the device (which may include app versions), not to perform the updates.
C. It provides the ability to add applications to the mobile device through Cisco ISE:
ISE is a policy and authentication server, not an application distribution platform. Application deployment is handled by the MDM.
D. It provides network device administration access:
This refers to managing network infrastructure like switches and routers, typically using TACACS+. This is unrelated to the function of integrating with an MDM for endpoint compliance.
Reference:
The purpose of the MDM integration is clearly defined in the Cisco ISE documentation.
The Cisco Identity Services Engine Administrator Guide explains that the MDM integration allows ISE to "query the MDM server for mobile device attributes" and use these as conditions in authorization policies to "check for device compliance." This directly confirms that the benefit is providing compliance checks for network access.
Which two deployment modes does the Cisco ASA FirePower module support? (Choose two)
A. transparent mode
B. routed mode
C. inline mode
D. active mode
E. passive monitor-only mode
Explanation for Each Option:
A. transparent mode (Incorrect):
Transparent mode is a firewall mode of the ASA itself, in which the ASA acts as a Layer 2 bridge. It describes how the ASA forwards traffic, not how the FirePOWER module is deployed. The module can be used whether the ASA runs in transparent or routed mode.
B. routed mode (Incorrect):
Routed mode is the other ASA firewall mode, in which the ASA is a Layer 3 hop. Like transparent mode it is a property of the ASA, not a deployment mode of the FirePOWER module.
C. inline mode (Correct):
In inline mode the ASA redirects the traffic matched by its service policy (sfr fail-open or sfr fail-close) to the module. The module inspects the traffic and can drop or block it before the ASA forwards it, so intrusion, file and URL policies are enforced in real time.
D. active mode (Incorrect):
"Active mode" is not a deployment mode of the ASA FirePOWER module. Cisco's documentation lists exactly two modes, inline and passive monitor-only; "active" is a distractor.
E. passive monitor-only mode (Correct):
In passive monitor-only mode the module sees a copy of the traffic and cannot affect it. This is either inline tap monitor-only mode (sfr fail-open monitor-only in the service policy: the ASA forwards the original packet regardless of the module's verdict) or, on the ASA 5585-X, a traffic-forwarding interface that receives mirrored (SPAN) traffic. It is used to evaluate what a policy would block before enforcing it.
Reference:
The Cisco ASA FirePOWER Module Quick Start Guide describes the supported deployment modes as inline mode and passive monitor-only mode (inline tap monitor-only mode or traffic-forwarding interface mode).
Additional Notes:
FirePOWER module deployment modes are covered in the 350-701 SCOR exam under network security.
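As an added example (not part of the original page), the ASA service-policy configuration that selects between the two modes. The ACL and class names are assumptions; the sfr keywords are the ASA's own:

```cisco
! Redirect all through-traffic to the FirePOWER (sfr) module.
access-list SFR-TRAFFIC extended permit ip any any
class-map SFR-CLASS
 match access-list SFR-TRAFFIC
policy-map global_policy
 class SFR-CLASS
  ! Inline mode: the module can drop traffic. fail-open keeps traffic flowing
  ! if the module fails or is down; fail-close drops traffic instead.
  sfr fail-open
  ! Passive (inline tap) monitor-only mode: the module sees a copy and the ASA
  ! forwards the original packet whatever the module decides. Use this line
  ! instead of the one above to evaluate a policy before enforcing it.
  ! sfr fail-open monitor-only
service-policy global_policy global
```

Verify with show service-policy sfr and show module sfr details. Only one sfr action can be configured per class, so the same traffic is either inspected inline or monitored passively, never both.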
An engineer is adding a Cisco router to an existing environment. NTP authentication is configured on all devices in the environment with the command ntp authentication-key 1 md5 Clsc427128380. There are two routers on the network that are configured as NTP servers for redundancy, 192.168.1.110 and 192.168.1.111. 192.168.1.110 is configured as the authoritative time source. What command must be configured on the new router to use 192.168.1.110 as its primary time source without the new router attempting to offer time to existing devices?
A. ntp server 192.168.1.110 primary key 1
B. ntp peer 192.168.1.110 prefer key 1
C. ntp server 192.168.1.110 key 1 prefer
D. ntp peer 192.168.1.110 key 1 primary
Answer: C. ntp server 192.168.1.110 key 1 prefer
Explanation
ntp server creates a client association: the new router synchronizes to 192.168.1.110 but never offers time back to it or to any other device. ntp peer creates a symmetric association in which either side may synchronize to the other, so the new router could end up serving time to the existing devices; that rules out B and D. The prefer keyword makes 192.168.1.110 the preferred source over 192.168.1.111, and key 1 selects the shared authentication key. The IOS ntp server command has no primary keyword, so A is not valid syntax. For the authentication to be enforced, the new router also needs ntp authenticate and ntp trusted-key 1 alongside the shared ntp authentication-key 1 md5 Clsc427128380.
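As an added example that is not part of the original question, the complete client-side NTP configuration on the new router, built around the correct command. The addresses and key come from the question; the Loopback0 source and the access-list number are assumptions:

```cisco
! Require authenticated NTP and accept only key 1 as trustworthy.
ntp authenticate
ntp authentication-key 1 md5 Clsc427128380
ntp trusted-key 1
! Client-only associations: this router takes time from the servers but
! never offers them time. "prefer" favours .110 over .111 while both are healthy.
ntp server 192.168.1.110 key 1 prefer
ntp server 192.168.1.111 key 1
! Optional hardening (assumption): once any ntp access-group is configured,
! NTP packets matching no group are dropped, so only the two servers can
! exchange NTP with this router and no other host can pull time from it.
access-list 10 permit 192.168.1.110
access-list 10 permit 192.168.1.111
ntp access-group peer 10
! Source NTP from a stable interface (assumption: Loopback0 exists).
ntp source Loopback0
```

show ntp associations detail should list both servers flagged as authenticated, with 192.168.1.110 selected as the system peer; show ntp status confirms the clock is synchronized. Replacing ntp server with ntp peer would create symmetric associations and let the existing devices synchronize to this router, which is exactly what the question forbids.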
Which type of data does the Cisco Stealthwatch system collect and analyze from routers, switches, and firewalls?
A. NTP
B. syslog
C. SNMP
D. NetFlow
Explanation for Each Option:
A. NTP (Incorrect):
Network Time Protocol (NTP) is used to synchronize time across network devices, but it does not provide data about traffic patterns or security events. Cisco Stealthwatch does not collect or analyze NTP data, making this option incorrect. (Reference: Cisco NTP Configuration Guide.)
B. syslog (Incorrect):
Syslog is a protocol for sending system logs (e.g., error messages) from network devices, which can be used for monitoring. However, Stealthwatch primarily relies on flow data for analysis, not syslog, rendering this option incorrect for its core data type. (Reference: Cisco Syslog Overview.)
C. SNMP (Incorrect):
Simple Network Management Protocol (SNMP) is used to manage and monitor network devices by collecting performance metrics. While useful, Stealthwatch focuses on flow-based data (NetFlow/IPFIX) for traffic analysis and threat detection, not SNMP, making this option incorrect. (Reference: Cisco SNMP Configuration Guide.)
D. NetFlow (Correct):
Cisco Stealthwatch collects and analyzes NetFlow (and IPFIX) data from routers, switches, and firewalls to provide visibility into network traffic patterns, detect anomalies, and identify threats. This flow-based data includes details like source/destination IP, ports, and bytes transferred, making it the primary data type used. (Reference: Cisco Stealthwatch NetFlow Analysis Guide.)
Additional Notes:
Understanding data collection in Stealthwatch is a key topic in the 350-701 SCOR exam under network security; NetFlow is central to its functionality.
What is a characteristic of Dynamic ARP Inspection?
A. DAI determines the validity of an ARP packet based on valid IP to MAC address bindings from the DHCP snooping binding database.
B. In a typical network, make all ports as trusted except for the ports connecting to switches, which are untrusted
C. DAI associates a trust state with each switch.
D. DAI intercepts all ARP requests and responses on trusted ports only.
Explanation
Dynamic ARP Inspection (DAI) is a security feature that protects against ARP spoofing (ARP poisoning) attacks.
A. ...based on valid IP to MAC address bindings from the DHCP snooping binding database:
This is the core function and defining characteristic of DAI. It uses the trusted database of IP-to-MAC address mappings built by the DHCP Snooping feature. When an ARP packet is received on an untrusted port, DAI compares the information in the packet (sender IP and sender MAC) against the DHCP Snooping binding table. If the ARP packet contains a valid binding, it is allowed. If it contains a spoofed or invalid binding (e.g., an attacker claiming to have another host's IP address), the packet is dropped.
Why the other options are incorrect:
B. In a typical network, make all ports as trusted except for the ports connecting to switches, which are untrusted:
This is backwards. The correct practice is the opposite. In a typical network, you configure all access ports connected to end-users as untrusted. You configure ports connected to other switches, routers, and trusted infrastructure (like DHCP servers) as trusted. Trusted ports are not subject to DAI validation.
C. DAI associates a trust state with each switch:
This is incorrect. DAI associates a trust state with each port or interface on a switch, not with the entire switch itself. This granular control is what allows it to inspect traffic from untrusted user ports while allowing traffic from trusted infrastructure ports to pass through unchecked.
D. DAI intercepts all ARP requests and responses on trusted ports only:
This is incorrect. DAI does not intercept or inspect ARP packets on trusted ports. That is the definition of a trusted port—it is trusted to send valid ARP messages, so DAI bypasses inspection on these ports. DAI intercepts and inspects ARP packets on untrusted ports.
Reference:
This information is based on the official Cisco configuration and security guides for switch features.
Cisco IOS Security Configuration Guide: "Configuring Dynamic ARP Inspection": This document explicitly states, "Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database."
Cisco Learning Materials (CCNA Security, CCNP Security): These resources consistently explain the dependency of DAI on the DHCP Snooping binding table and the correct configuration of trusted and untrusted ports.
In summary, the fundamental characteristic of DAI is its reliance on the DHCP Snooping database to validate ARP packets on untrusted ports, making option A the correct choice.
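An added configuration example (not from the original page) showing the DAI deployment the explanation describes: DHCP snooping as the source of the binding table, the uplink trusted, access ports untrusted, and a static host handled with an ARP ACL. VLAN 10, the interface numbers, and the static host's addresses are assumptions:

```cisco
! 1. DHCP snooping builds the IP-to-MAC binding table that DAI validates against.
ip dhcp snooping
ip dhcp snooping vlan 10
! 2. Enable DAI on the same VLAN and additionally check the Ethernet header MACs
!    against the ARP body and reject invalid or unexpected IP addresses.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! 3. Uplink toward the distribution switch and the DHCP server: trusted for both
!    features, so DHCP server replies and ARP pass without inspection.
interface GigabitEthernet1/0/48
 description uplink-to-distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
! 4. User-facing access ports stay untrusted (the default). Every ARP packet is
!    checked against the binding table; the rate limit (15 pps is also the
!    default) makes an ARP flood err-disable the port instead of starving the CPU.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
! 5. A host with a static address has no DHCP lease, so give DAI its binding
!    explicitly; otherwise its ARP packets are dropped on the untrusted port.
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
```

show ip arp inspection vlan 10 confirms the feature state and the ACL binding, show ip dhcp snooping binding lists the leases DAI trusts, and show ip arp inspection statistics vlan 10 counts forwarded and dropped packets. A growing DHCP Drops or ACL Drops counter on an access port is the signal of a spoofing attempt (or of a statically addressed host that was forgotten in the ARP ACL).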
Which two solutions help combat social engineering and phishing at the endpoint level?(Choose two.)
A. Cisco Umbrella
B. Cisco ISE
C. Cisco DNA Center
D. Cisco TrustSec
E. Cisco Duo Security
Explanation for Each Option:
A. Cisco Umbrella (Correct):
Cisco Umbrella is a cloud-delivered security service that provides DNS-layer protection, blocking malicious domains and phishing sites before they reach endpoints. By filtering out social engineering attempts and phishing links at the network level, it helps safeguard users, making it an effective solution for combating these threats at the endpoint, especially for remote or mobile devices. (Reference: Cisco Umbrella Datasheet, Phishing Protection.)
B. Cisco ISE (Incorrect):
Cisco Identity Services Engine (ISE) focuses on network access control, authentication, and policy enforcement based on user and device identity. While it can enhance security posture, it is not primarily designed to detect or prevent social engineering and phishing attacks at the endpoint level, which require proactive threat blocking rather than access management, making this option incorrect. (Reference: Cisco ISE User Guide.)
C. Cisco DNA Center (Incorrect):
Cisco DNA Center is a network management and assurance platform that automates and optimizes network operations. It provides visibility and policy enforcement but lacks specific features to combat social engineering or phishing at the endpoint level, focusing instead on infrastructure management rather than endpoint threat protection, rendering this option unsuitable. (Reference: Cisco DNA Center Overview.)
D. Cisco TrustSec (Incorrect):
Cisco TrustSec is a security architecture that uses software-defined segmentation to enforce access policies based on identity and context. While it improves overall security, it does not directly address social engineering or phishing attacks at the endpoint, which require detection and blocking of malicious content rather than network segmentation, making this option incorrect. (Reference: Cisco TrustSec Solution Guide.)
E. Cisco Duo Security (Correct):
Cisco Duo Security provides multifactor authentication (MFA) and endpoint visibility, helping to combat social engineering and phishing by verifying user identities and detecting compromised devices. Its phishing-resistant MFA and user behavior monitoring add layers of protection, making it an effective solution for securing endpoints against these human-targeted attacks. (Reference: Cisco Duo Security Datasheet, Phishing Resistance.)
Additional Notes:
Combating social engineering and phishing at the endpoint level is a key focus in the 350-701 SCOR exam under endpoint security, and Cisco Umbrella and Duo are the tools to know. For details, refer to the Cisco Umbrella and Duo documentation (cisco.com) and the Endpoint Protection and Detection domain of the 350-701 exam blueprint.
Which portion of the network do EPP solutions solely focus on and EDR solutions do not?
A. server farm
B. perimeter
C. core
D. East-West gateways
Explanation
This question is about a specific policy type within the Cisco Firepower Management Center (FMC) used for managing Firepower Threat Defense (FTD) devices.
The policy the exam calls a Platform Service Policy is what FMC labels a Platform Settings policy: a shared policy that holds operating-system and management-plane settings of the managed FTD device rather than traffic rules. These settings are usually standardized across many devices in a deployment.
Examples of settings configured in a Platform Settings policy include:
SSH and HTTPS management access lists
SNMP configuration
Syslog settings
DNS servers used by the device
Login banner and session timeouts
Time synchronization (NTP)
Because these are foundational settings that are often identical for groups of firewalls (e.g., all internal firewalls, all DMZ firewalls), one Platform Settings policy can be created and then assigned to multiple managed devices, which is exactly what the question describes.
Why the other options are incorrect:
A. Group Policy:
This is a remote access VPN construct, on the ASA and for FTD remote access VPN in FMC. A Group Policy defines connection parameters for groups of remote access users (IP pools, split-tunneling rules, DNS servers). It is not used for defining device-level platform settings in FMC.
B. Access Control Policy:
This is the core policy that defines the firewall rules—what traffic is allowed, blocked, or trusted. It controls traffic flow and inspection, but it does not define the underlying platform services of the managed device itself.
C. Device Management Policy:
This is not a standard policy type in FMC. While you manage devices, the specific policy for platform-level services is the "Platform Service Policy."
Reference:
The function of the Platform Service Policy is defined in the FMC configuration guide.
The Cisco Firepower Management Center Configuration Guide explains that you use Platform Settings policies to "configure the underlying platform settings for the devices in your deployment" and that you can "assign the same policy to multiple devices," which promotes configuration consistency. This directly matches the description in the question.
Which two Cisco ISE components must be configured for BYOD? (Choose two.)
A. local WebAuth
B. central WebAuth
C. null WebAuth
D. guest
E. dual
Explanation for Each Option:
A. local WebAuth (Incorrect):
Local WebAuth (LWA) has the switch or wireless controller host the login page itself and relay the credentials to ISE over RADIUS. It does not provide the redirection to ISE's own portals that Bring Your Own Device (BYOD) onboarding and certificate provisioning depend on, making this option unsuitable. (Reference: Cisco ISE WebAuth Configuration Guide.)
B. central WebAuth (Correct):
Central WebAuth (CWA) in Cisco ISE is a key component for BYOD, enabling centralized authentication and authorization through a web portal hosted on the ISE server. It redirects devices to the portal for credential entry or certificate provisioning, essential for onboarding personal devices, making this a correct choice. (Reference: Cisco ISE BYOD Deployment Guide, CWA.)
C. null WebAuth (Incorrect):
Null WebAuth is not a standard Cisco ISE component. It may refer to a minimal or no-authentication setup, but it is not used for BYOD onboarding, which requires active authentication and policy enforcement, rendering this option incorrect. (Reference: Cisco ISE Authentication Methods.)
D. guest (Correct):
The guest component in Cisco ISE provides the infrastructure for managing guest and BYOD device onboarding, including self-registration portals and sponsor approval workflows. It is critical for allowing users to register their personal devices securely, making it a necessary component for BYOD. (Reference: Cisco ISE Guest and BYOD Services.)
E. dual (Incorrect):
"Dual" is not a recognized Cisco ISE component for BYOD. It might imply dual authentication methods (e.g., 802.1X and MAB), but this is a configuration option, not a standalone component. BYOD relies on CWA and guest services, making this option irrelevant. (Reference: Cisco ISE Authentication Options.)
Additional Notes:
Configuring ISE for BYOD is a key topic in the 350-701 SCOR exam under endpoint security; CWA and guest services are foundational.
An engineer needs to add protection for data in transit and have headers in the email message. Which configuration is needed to accomplish this goal?
A. Provision the email appliance
B. Deploy an encryption appliance
C. Map sender IP addresses to a host interface
D. Enable flagged message handling
Explanation
The requirement has two key parts:
Protection for data in transit:
This means the content of the email must be encrypted while it is being transmitted over the network.
Have headers in the email message:
This implies that the email headers (To, From, Subject, etc.) should remain visible and readable for routing and identification, even though the body is secured.
This combination of requirements points directly to an email encryption solution. A dedicated email encryption appliance (or its virtual equivalent) is designed to perform this exact function. Here's how it typically works:
The appliance intercepts outgoing emails that match a policy (e.g., containing sensitive keywords or destined for external domains).
It encrypts the body and any attachments of the email.
It wraps the encrypted payload into a new, secure envelope, often with a link to a secure portal for the recipient to access the message.
The original headers remain visible in the new secure message for delivery and identification purposes.
Why the other options are incorrect:
A. Provision the email appliance:
This is too vague. "Provisioning" could mean simply setting up a standard mail server, which does not inherently provide robust encryption for data in transit. It does not specifically address the encryption requirement.
C. Map sender IP addresses to a host interface:
This is a basic networking configuration for any device and is unrelated to email encryption or security.
D. Enable flagged message handling:
This typically refers to an internal function for quarantining spam or malicious emails based on content filters. It does not provide cryptographic protection for data in transit.
Reference:
This functionality is a core feature of the Cisco Secure Email Gateway's (formerly ESA) Email Encryption capability.
As per the Cisco Secure Email Gateway documentation, the encryption feature is used to "protect sensitive information in email messages" and "automatically encrypts outbound email based on policy," while ensuring the message can be delivered and identified by its headers. Deploying and configuring this feature, often via a dedicated virtual appliance or service, accomplishes the stated goal.
What is a benefit of flexible NetFlow records?
A. They are used for security
B. They are used for accounting
C. They monitor a packet from Layer 2 to Layer 5
D. They have customized traffic identification
Explanation:
Flexible NetFlow (FNF) is a significant evolution from the original NetFlow. Its primary benefit is the ability to customize what data is collected and exported.
D) They have customized traffic identification is CORRECT.
Traditional NetFlow had a fixed set of fields it could record (e.g., source/destination IP, ports, protocol). Flexible NetFlow allows an administrator to define custom flow records. You can choose which key fields to use to identify a flow (e.g., source MAC address, VLAN ID, application name from NBAR) and which non-key fields to collect as additional information (e.g., TCP flags, packet lengths, routing information). This customization allows you to tailor flow data collection for specific purposes like security analysis, application performance monitoring, or capacity planning.
Why the other options are incorrect:
A) They are used for security is INCORRECT.
While NetFlow data is incredibly useful for security monitoring (and is a primary data source for tools like Stealthwatch), this is an application of the data, not the inherent benefit of Flexible NetFlow. Traditional NetFlow can also be used for security.
B) They are used for accounting is INCORRECT.
Similar to option A, accounting and billing are common use cases for NetFlow data, but this is not the defining benefit of the flexible version. Traditional NetFlow is also used for accounting.
C) They monitor a packet from Layer 2 to Layer 5 is INCORRECT.
This is a vague and inaccurate statement. NetFlow records are based on flows, not individual packet monitoring. More importantly, the flexibility of FNF allows it to collect data from Layer 2 (MAC address), Layer 3 (IP address), Layer 4 (ports), and even Layer 7 (application), but it does not "monitor a packet" in this way. The key benefit is the customization of which layers' data to collect, not the act of monitoring itself.
Reference:
Cisco IOS Configuration Guide, "Flexible NetFlow": The official documentation emphasizes that the key feature is the ability to "create multiple and customizable flow records to tailor the data collection to your specific requirements."
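The following is an added example, not from the original page, of the Flexible NetFlow configuration an IOS/IOS-XE router would carry to feed a Stealthwatch Flow Collector. It ties together the Stealthwatch question above (NetFlow as the data source) and this one (customized records). The collector address 10.0.0.20, the Loopback0 source, the interface, and the object names are assumptions; UDP 2055 is the Flow Collector's default NetFlow port.

```cisco
! Exporter: where the flows go. Stealthwatch Flow Collectors listen on UDP 2055
! by default; NetFlow v9 is the default export protocol for Flexible NetFlow.
flow exporter SW-EXPORTER
 description Stealthwatch Flow Collector
 destination 10.0.0.20
 source Loopback0
 transport udp 2055
 template data timeout 30
 option interface-table
 option application-table
! Record: "match" fields are key fields that define a flow; "collect" fields are
! non-key data attached to each flow. Traditional NetFlow fixed this set;
! Flexible NetFlow lets the administrator choose it.
flow record SW-RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect transport tcp flags
 ! Layer 7 classification via NBAR (remove if NBAR is unavailable on the platform).
 collect application name
! Monitor: binds the record to the exporter. A short active timeout (60 s) makes
! long-lived flows visible to the collector while they are still in progress.
flow monitor SW-MONITOR
 record SW-RECORD
 exporter SW-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
! Apply to the interfaces whose traffic should be visible, in both directions.
interface GigabitEthernet0/1
 ip flow monitor SW-MONITOR input
 ip flow monitor SW-MONITOR output
```

show flow monitor SW-MONITOR cache shows flows being built and show flow exporter SW-EXPORTER statistics should show the export packet count increasing. The first/last timestamps and both byte and packet counters are what Stealthwatch needs to compute its behavioural metrics; choosing them explicitly is the kind of tailoring option D refers to.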