[2025年03月05日] 更新された350-701試験PDF問題集にはFast2test合格保証付き
あなたを合格させるCisco試験には350-701試験問題集
質問 # 209
A network engineer has been tasked with adding a new medical device to the network. Cisco ISE is being used as the NAC server, and the new device does not have a supplicant available. What must be done in order to securely connect this device to the network?
- A. Use MAB with profiling
- B. Use 802.1X with posture assessment.
- C. Use 802.1X with profiling.
- D. Use MAB with posture assessment.
正解:A
解説:
Explanation
As the new device does not have a supplicant, we cannot use 802.1X.
MAC Authentication Bypass (MAB) is a fallback option for devices that don't support 802.1x. It is virtually always used in deployments in some way shape or form. MAB works by having the authenticator take the connecting device's MAC address and send it to the authentication server as its username and password. The authentication server will check its policies and send back an Access-Accept or Access-Reject just like it would with 802.1x.
Cisco ISE Profiling Services provides dynamic detection and classification of endpoints connected to the network. Using MAC addresses as the unique identifier, ISE collects various attributes for each network endpoint to build an internal endpoint database. The classification process matches the collected attributes to prebuilt or user-defined conditions, which are then correlated to an extensive library of profiles. These profiles include a wide range of device types, including mobile clients (iPads, Android tablets, Chromebooks, and so on), desktop operating systems (for example, Windows, Mac OS X, Linux, and others), and numerous non-user systems such as printers, phones, cameras, and game consoles.
Once classified, endpoints can be authorized to the network and granted access based on their profile. For example, endpoints that match the IP phone profile can be placed into a voice VLAN using MAC Authentication Bypass (MAB) as the authentication method. Another example is to provide differentiated network access to users based on the device used. For example, employees can get full access when accessing the network from their corporate workstation but be granted limited network access when accessing the network from their personal iPhone.
質問 # 210
Which two behavioral patterns characterize a ping of death attack? (Choose two.)
- A. The attack is fragmented into groups of 8 octets before transmission.
- B. Publicly accessible DNS servers are typically used to execute the attack.
- C. Malformed packets are used to crash systems.
- D. Short synchronized bursts of traffic are used to disrupt TCP connections.
- E. The attack is fragmented into groups of 16 octets before transmission.
正解:A、C
質問 # 211
Which VPN provides scalability for organizations with many remote sites?
- A. GRE over IPsec
- B. DMVPN
- C. SSL VPN
- D. site-to-site iPsec
正解:B
質問 # 212
Which API method and required attribute are used to add a device into DNAC with the native API?
- A. lastSyncTime and pid
- B. GET and serialNumber
- C. POST and name
- D. userSudiSerialNos and devicelnfo
正解:C
質問 # 213
A network administrator needs to find out what assets currently exist on the network. Third-party systems need to be able to feed host data into Cisco Firepower. What most be configured to accomplish this?
- A. a File Analysis policy to send file data into Cisco Firepower
- B. a Network Analysis policy to receive NelFlow data from the host
- C. a Threat Intelligence policy to download the data from the host
- D. a Network Discovery policy to receive data from the host
正解:D
質問 # 214
Which PKI enrollment method allows the user to separate authentication and enrollment actions and also provides an option to specify HTTP/TFTP commands to perform file retrieval from the server?
- A. url
- B. profile
- C. selfsigned
- D. terminal
正解:B
解説:
A trustpoint enrollment mode, which also defines the trustpoint authentication mode, can be performed via 3 main methods:
1. Terminal Enrollment - manual method of performing trustpoint authentication and certificate enrolment using copy-paste in the CLI terminal.
2. SCEP Enrollment - Trustpoint authentication and enrollment using SCEP over HTTP.
3. Enrollment Profile - Here, authentication and enrollment methods are defined separately. Along with terminal and SCEP enrollment methods, enrollment profiles provide an option to specify HTTP/TFTP commands to perform file retrieval from the Server, which is defined using an authentication or enrollment url under the profile.
A trustpoint enrollment mode, which also defines the trustpoint authentication mode, can be performed via 3 main methods:
1. Terminal Enrollment - manual method of performing trustpoint authentication and certificate enrolment using copy-paste in the CLI terminal.
2. SCEP Enrollment - Trustpoint authentication and enrollment using SCEP over HTTP.
3. Enrollment Profile - Here, authentication and enrollment methods are defined separately. Along with terminal and SCEP enrollment methods, enrollment profiles provide an option to specify HTTP/TFTP commands to perform file retrieval from the Server, which is defined using an authentication or enrollment url under the profile.
Reference:
A trustpoint enrollment mode, which also defines the trustpoint authentication mode, can be performed via 3 main methods:
1. Terminal Enrollment - manual method of performing trustpoint authentication and certificate enrolment using copy-paste in the CLI terminal.
2. SCEP Enrollment - Trustpoint authentication and enrollment using SCEP over HTTP.
3. Enrollment Profile - Here, authentication and enrollment methods are defined separately. Along with terminal and SCEP enrollment methods, enrollment profiles provide an option to specify HTTP/TFTP commands to perform file retrieval from the Server, which is defined using an authentication or enrollment url under the profile.
質問 # 215
Which two solutions help combat social engineering and phishing at the endpoint level? (Choose two.)
- A. Cisco Umbrella
- B. Cisco DNA Center
- C. Cisco TrustSec
- D. Cisco Duo Security
- E. Cisco ISE
正解:A、D
質問 # 216
An administrator is configuring N I P on Cisco ASA via ASDM and needs to ensure that rogue NTP servers cannot insert themselves as the authoritative time source Which two steps must be taken to accomplish this task? (Choose two)
- A. Set the NTP DNS hostname
- B. Set the authentication key
- C. Configure the NTP stratum
- D. Specify the NTP version
- E. Choose the interface for syncing to the NTP server
正解:B、E
質問 # 217
Refer to the exhibit.
An organization is using DHCP Snooping within their network. A user on VLAN 41 on a new switch is complaining that an IP address is not being obtained. Which command should be configured on the switch interface in order to provide the user with network connectivity?
- A. ip dhcp snooping trust
- B. ip dhcp snooping limit 41
- C. ip dhcp snooping verify mac-address
- D. ip dhcp snooping vlan 41
正解:A
解説:
Explanation
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp
質問 # 218
Which function is included when Cisco AMP is added to web security?
- A. multifactor, authentication-based user identity
- B. threat prevention on an infected endpoint
- C. detailed analytics of the unknown file's behavior
- D. phishing detection on emails
正解:C
質問 # 219
Refer to the exhibit.
Which type of authentication is in use?
- A. external user and relay mail authentication
- B. POP3 authentication
- C. LDAP authentication for Microsoft Outlook
- D. SMTP relay server authentication
正解:A
解説:
Explanation The TLS connections are recorded in the mail logs, along with other significant actions that are related to messages, such as filter actions, anti-virus and anti-spam verdicts, and delivery attempts. If there is a successful TLS connection, there will be a TLS success entry in the mail logs. Likewise, a failed TLS connection produces a TLS failed entry. If a message does not have an associated TLS entry in the log file, that message was not delivered over a TLS connection. Reference: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118844-technoteesa-00.html The exhibit in this Qshows a successful TLS connection from the remote host (reception) in the mail log.
The TLS connections are recorded in the mail logs, along with other significant actions that are related to messages, such as filter actions, anti-virus and anti-spam verdicts, and delivery attempts. If there is a successful TLS connection, there will be a TLS success entry in the mail logs. Likewise, a failed TLS connection produces a TLS failed entry. If a message does not have an associated TLS entry in the log file, that message was not delivered over a TLS connection.
Reference:
Explanation The TLS connections are recorded in the mail logs, along with other significant actions that are related to messages, such as filter actions, anti-virus and anti-spam verdicts, and delivery attempts. If there is a successful TLS connection, there will be a TLS success entry in the mail logs. Likewise, a failed TLS connection produces a TLS failed entry. If a message does not have an associated TLS entry in the log file, that message was not delivered over a TLS connection. Reference: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118844-technoteesa-00.html The exhibit in this Qshows a successful TLS connection from the remote host (reception) in the mail log.
質問 # 220
Which two risks is a company vulnerable to if it does not have a well-established patching solution for endpoints? (Choose two.)
- A. exploits
- B. malware
- C. denial-of-service attacks
- D. eavesdropping
- E. ARP spoofing
正解:A、B
質問 # 221
Drag and drop the capabilities from the left onto the correct technologies on the right.
正解:
解説:
質問 # 222
After deploying a Cisco ESA on your network, you notice that some messages fail to reach their destinations.
Which task can you perform to determine where each message was lost?
- A. Review the log files.
- B. Perform a trace.
- C. Generate a system report.
- D. Configure the trackingconfig command to enable message tracking.
正解:D
解説:
Explanation Message tracking helps resolve help desk calls by giving a detailed view of message flow. For example, if a message was not delivered as expected, you can determine if it was found to contain a virus or placed in a spam quarantine - or if it is located somewhere else in the mail stream. Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/ b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_011110.html Message tracking helps resolve help desk calls by giving a detailed view of message flow. For example, if a message was not delivered as expected, you can determine if it was found to contain a virus or placed in a spam quarantine - or if it is located somewhere else in the mail stream.
Reference:
Explanation Message tracking helps resolve help desk calls by giving a detailed view of message flow. For example, if a message was not delivered as expected, you can determine if it was found to contain a virus or placed in a spam quarantine - or if it is located somewhere else in the mail stream. Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/ b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_011110.html
質問 # 223
Drag and drop the steps from the left into the correct order on the right to enable AppDynamics to monitor an EC2 instance in Amazon Web Services.
正解:
解説:
質問 # 224
Which two protocols must be configured to authenticate end users to the Web Security Appliance? (Choose two.)
- A. CHAP
- B. RADIUS
- C. Kerberos
- D. TACACS+
- E. NTLMSSP
正解:C、E
解説:
The Web Security Appliance (WSA) supports different authentication protocols and schemes to acquire end-user credentials. The most common protocols are NTLMSSP and Kerberos, which are both supported by Active Directory realms. NTLMSSP is a challenge-response authentication protocol that uses a hash of the user's password to authenticate. Kerberos is a ticket-based authentication protocol that uses a trusted third-party (the Key Distribution Center) to issue tickets to the user and the service. Both protocols are more secure and widely supported than Basic authentication, which sends the user's credentials in clear text. CHAP, TACACS+, and RADIUS are not supported by the WSA for end-user authentication, although they can be used for external authentication of administrators or for credential encryption. References: 1, 2, 3
https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/guide-c07-742373.html
https://frontegg.com/blog/authentication
質問 # 225
Refer to the exhibit.
A network administrator configures command authorization for the admm5 user. What is the admin5 user able to do on HQ_Router after this configuration?
- A. add subinterfaces
- B. set the IP address of an interface
- C. complete all configurations
- D. complete no configurations
正解:D
質問 # 226
An administrator configures a Cisco WSA to receive redirected traffic over ports 80 and 443 The organization requires that a network device with specific WSA integration capabilities be configured to send the traffic to the WSA to proxy the requests and increase visibility, while making this invisible to the users What must be done on the Cisco WSA to support these requirements?
- A. Use PAC keys to allow only the required network devices to send the traffic to the Cisco WSA
- B. Configure transparent traffic redirection using WCCP in the Osco WSA and on the network device
- C. Configure active traffic redirection using WPAD m the Cisco WSA and on the network device
- D. Use the Layer 4 setting in the Cisco WSA to receive explicit forward requests from the network device
正解:B
質問 # 227
An organization has two systems in their DMZ that have an unencrypted link between them for communication.
The organization does not have a defined password policy and uses several default accounts on the systems.
The application used on those systems also have not gone through stringent code reviews. Which vulnerability would help an attacker brute force their way into the systems?
- A. lack of input validation
- B. lack of file permission
- C. missing encryption
- D. weak passwords
正解:D
質問 # 228
......
最新でリアルな350-701試験問題集解答:https://jp.fast2test.com/350-701-premium-file.html
350-701試験問題集でCisco練習テスト問題:https://drive.google.com/open?id=1zI5lw8_dlJqqneZ_1mvk4I-Xu1fk9zND