400-251 | Cisco 400-251 Item Pool 2020
Want to know Ucertify 400-251 Exam practice test features? Want to lear more about Cisco CCIE Security Written Exam certification experience? Study High quality Cisco 400-251 answers to Renew 400-251 questions at Ucertify. Gat a success with an absolute guarantee to pass Cisco 400-251 (CCIE Security Written Exam) test on your first attempt.
Check 400-251 free dumps before getting the full version:
NEW QUESTION 1
Refer to the exhibit.
There is no ICMP connectivity from VPN PC to Server 1 and Server2. What could be the possible cause?
- A. The destination port configuration missing in the access rule
- B. The server network has incorrect mask in the access rule
- C. The VLAN tags configuration missing in the access rule
- D. The action is incorrect in the access rule
- E. The source network is incorrect in the access rule
- F. The zone configuration missing in the access rule
NEW QUESTION 2
Which two statements about the Cognitive Threat Analytics feature of Cisco AMP for Web Security are true? (Choose two.)
- A. It can locate and identify indicators of prior malicious activity on the network and preserve information for forensic analysis.
- B. It can identify potential data exfiltration.
- C. It uses a custom virtual appliance to perform reputation-based evaluation and blocking of incoming files.
- D. It can perform file analysis by sandboxing known malware and comparing unknown files to a local repository of threats.
- E. It can identify anomalous traffic passing through the Web gateway by comparing it to an established baseline of expected activity.
- F. It can identify anomalous traffic within the network by comparing it to an established baseline of expected activity.
NEW QUESTION 3
Refer to the exhibit.
Which effect of this configuration is true?
- A. The downloadable ACL and AV pair ACL are merged after three connection attempts are made to the RADIUS server.
- B. The downloadable ACL and AV pair ACL are merged immediately when the RADIUS server is activated.
- C. For all users, entries in a downloadable ACL are given priority over entries in an AC pair ACL.
- D. The downloadable ACL and AV pair ACL entries are merged together,one ACE at a time.
- E. A downloadable ACL is applied after an AV pair ACL.
NEW QUESTION 4
How many report templates does the Cisco Firepower Management Center support?
- A. 5
- B. 10
- C. 50
- D. 80
- E. 100
- F. Unlimited
NEW QUESTION 5
Drag LDAP queries used by ESA to query LDAP server on the left to its functionality on the right.
- A. Mastered
- B. Not Mastered
1-5, 2-1, 3-4, 4-2, 5-3
NEW QUESTION 6
In which three configurations can SSL VPN be implemented? (Choose three)
- A. CHAP
- B. WebVPN
- C. thin-client .
- D. L2TP over IPsec
- E. PVC tunnel mode
- F. interactive mode
- G. Cisco AnyConnect tunnel mode
- H. clientless
NEW QUESTION 7
Which two statements about Cisco AMP for Web Security are true? (Choose two)
- A. It can detect and block malware and other anomalous traffic before it passes through the Web gateway.
- B. It can identify anomalous traffic passing through the Web gateway by comparing it to an established baseline of expected activity
- C. It can perform file analysis by sandboxing known malware and comparing unknown files to a local repository of threats
- D. It continues monitoring files after they pass the Web gateway
- E. It can prevent malicious data exfiltration by blocking critical files from exiting through the Web gateway
- F. It can perform reputation-based evaluation and blocking by uploading of incoming files to a cloud-based threat intelligence network
NEW QUESTION 8
Which two statements about Cisco URL Filtering on Cisco IOS Software are true? (Choose two)
- A. It supports Websense and N2H2 filtering at the same time,
- B. It supports local URL lists and third-party URL filtering servers.
- C. By default, it uses ports 80 and 22.
- D. It supports HTTP and HTTPS traffic.
- E. BY default, it allows all URLs when the connection to the filtering server is down.
- F. It requires minimal CPU time.
NEW QUESTION 9
Which two statements about Cisco VSG are true? (Choose two.)
- A. Because it is deployed at Layer 2, it can be inserted without significant reengineering of the network.
- B. According to Cisco best practices, the VSG should use the same VLAN for VSM-VEM control traffic and management traffic.
- C. It uses optional IP-to-virtual machine mappings to simplify management of virtual machines.
- D. It uses the Cisco VSG user agent to register with the Cisco Prime Network Services Controller.
- E. It can be integrated with VMWare vCenter to provide transparent provisioning of policies and profiles.
- F. It has built-in intelligence for redirecting traffic and fast-path offload.
NEW QUESTION 10
Which description of SaaS is true?
- A. a service offering on-demand licensed applications for end users
- B. a service offering that allowing developers to build their own applications
- C. a service offering on-demand software downloads
- D. a service offering a software environment in which applications can be build and deployed.
NEW QUESTION 11
Which three VSA attributes are present in a RADIUS WLAN Access-Accept packet? (Choose three)
- A. Tunnel-Private-Group-ID
- B. Tunnel-Type
- C. SSID
- D. EAP-Message
- E. LEAP Session-Key
- F. Authorization-Algorithm-Type
NEW QUESTION 12
Your customer wants to implement Cisco Firepower IPS and 1 secure policy.
However, a monitoring period of 2 weeks is applied against real traffic without causing an outage before going in to fu of the default policies as a base and set the policy action to ensure.
Which two policies to achieve these requirements are true?
- A. Set IPs policy to trust
- B. Set IPs policy to Monitor
- C. Base the IPS policy on the default Advanced Security over Connection
- D. Base the IPS policy on the default Balanced Security and Connection
- E. Base the IPS policy on the default Connectivity over Security
- F. Base the IPS policy on the default Security over Connectivity
- G. Set IPS Policy to No Drop
NEW QUESTION 13
Which two statements about Cisco ASA authentication using LDAP are true? (Choose two.)
- A. It is a closed standard that manages directory-information services over distributed networks.
- B. It can combine AD attributes and LDAP attributes to configure group policies on the Cisco ASA.
- C. It uses attribute maps to map the AD memberOf attribute to the Cisco ASAGroup-Policy attribute.
- D. It can assign a group policy to a user based on access credentials.
- E. It uses AD attribute maps to assign users to group policies configured under the WebVPN context.
- F. The Cisco ASA can use more than one AD memberOf attribute to match a user to multiple group policies.
NEW QUESTION 14
Which of the following is the correct statement regarding enabling SMTP encryption on ESA?
- A. Enabling TLS is an optional step
- B. TLS can be enabled only for receiving
- C. Enabling TLS for delivery goes under the "Destination Controls" menu of mail policies
- D. It only allows to use the self-signed certificates
- E. TLS can be enabled only for delivery
- F. It allows to import certificate from CA
NEW QUESTION 15
What are three technologies that can be used to trace the source of an attack in a network environment with multiple exit/entry points? (Choose three.)
- A. ICMP Unreachable messages
- B. Sinkholes
- C. A honey pot
- D. Remotely-triggered destination-based black holing
- E. Traffic scrubbing
NEW QUESTION 16
Which two statements about the Cisco AnyConnect VPN Client are true? (Choose two.)
- A. It can use an SSL tunnel and a DTLS tunnel simultaneously.
- B. It enables users to manage their own profiles.
- C. It can be configured to download automatically without prompting the user.
- D. By default, DTLS connections can fall back to TLS.
- E. To improve security, keepalives are disabled by default.
NEW QUESTION 17
How is the Cisco IronPort email data loss prevention licensed?
- A. It is a per-site license
- B. It comes free with Iron Port Email server
- C. It is a per-enterprise license
- D. It is a per-server license
- E. It is a per-user license
NEW QUESTION 18
All your remote users use AnyConnect VPN to connect into your corporate network, with an ASA providing the VPN service. Authentication is through ISE using RADIUS as the protocol. ISE uses Active Directory as
the Identity Source. You want to be able to assign different policies to users depending on their group membership in Active Directory. Which is one possible way of doing that?
- A. Configure an authorization policy in ISE to send back a RADIUS class-25 attribute with the name of the ASA Tunnel Group (Connection Profile)
- B. This is only possible when LDAP authorization is configured directly to Active Directory
- C. Configure an authentication policy in ISE to send back a RADIUS class-25 attribute with the name of theASA Group Policy
- D. Configure an authentication policy in ISE to send back a RADIUS class-25 attribute with the name of the ASA Tunel Group (Connection Profile)
- E. Configure an authorization policy in ISE to send back a RADIUS class-25 attribute with the name of the ASA Group Policy
NEW QUESTION 19
Which two event can cause a failover event on an active/standby setup? (Choose two)
- A. The active unit experiences interface failure above the threshold.
- B. The unit that was previously active recovers.
- C. The stateful failover link fails.
- D. The failover link fails.
- E. The active unit fails.
NEW QUESTION 20
Which statement about the Sender Base functionality is true?
- A. SenderBase uses DNS-based blacklist as one of the sources of information to define reputation score of sender's IP address
- B. SenderBase uses spam complaints as one of the sources of information to define reputation score of receiver's IP address of the sender and receiver
- C. ESA uses destination address reputation information from SenderBase to configure mail policies.
- D. ESA sees a high positive score from SenderBase as very likely that sender is sending spam
- E. ESA sees a high negative score from SenderBase as very unlikely that sender is sending spam
- F. ESA uses source address reputation information from SenderBase to stop spam
- G. WSA uses SenderBase information to configure URL filtering policies
NEW QUESTION 21
Which statement about the Firepower Security Intelligence feature is true?
- A. It uses user-configured ACLs to blacklist and whitelist traffic
- B. It can override custom whitelists to provide greater security against emerging threats
- C. It filters traffic after policy-based inspection is complete and before the default action is taken
- D. Blacklisted traffic is blocked without further inspection
- E. It filters traffic after policy-based inspection is completed and the default action is taken
NEW QUESTION 22
Which statement about SSL policy implementation in a Cisco Firepower system is true?
- A. Access control policy is required for the SSL policy implementation
- B. If the Cisco Firepower system cannot decrypt the traffic, it allows the connection.
- C. Access control policy is invoked first before the SSL policy tied to it
- D. Intrusion policy is mandatory to configure the SSL inspection
- E. If SSL policy is not supported by the system, then access control policy handles all the encrypted traffic.
- F. Access control policy is responsible to handle all the encrypted traffic if SSL policy is tried to it.
NEW QUESTION 23
Which three statements about SCEP are true? (Choose three.)
- A. It supports online certification revocation.
- B. Cryptographically signed and encrypted messages are conveyed using PKCS#7
- C. It supports multiple cryptographic algorithms including RSA.
- D. The certificate request format uses PKCS#10.
- E. CRL retrieval is supported through CDP(Certificate Distribution Point) queries.
- F. It supports synchronous granting.
Simple Certificate Enrollment Protocol
NEW QUESTION 24
What IOS feature can header attacks by using packet-header information to classify traffic?
- A. TTL
- B. CAR
- C. FPM
- D. TOS
- E. LLQ
NEW QUESTION 25
Which of the following correctly describes NVGRE functionality?
- A. In NVGRE network the endpoints are not responsible for the NVGRE encapsulation removal
- B. It allows to create physical layer-2 topologies on physical layer-3 network
- C. It tunnels PPP frames inside an IP packet over a physical network
- D. In NVGRE network VSID does not need to be unique
- E. It tunnels Ethernet frames inside an IP packet over a virtual network
- F. It allows to create physical layer-2 topologies on virtual layer-3 network
- G. In NVGRE network VSID is used to identify tenant’s address space
NEW QUESTION 26
Thanks for reading the newest 400-251 exam dumps! We recommend you to try the PREMIUM Surepassexam 400-251 dumps in VCE and PDF here: https://www.surepassexam.com/400-251-exam-dumps.html (448 Q&As Dumps)