Ensurepass

Implementing Cisco Threat Control Solutions (SITCS)


QUESTION 121

Which method does Cisco recommend for collecting streams of data on a sensor that has been virtualized?

A. VACL capture
B. SPAN
C. the Wireshark utility
D. packet capture

Correct Answer: D

QUESTION 122

Which configuration mode enables a virtual sensor to monitor the session state for unidirectional traffic?

A. asymmetric mode
B. symmetric mode
C. loose mode
D. strict mode

Correct Answer: A

QUESTION 123

Over the period of one day, several Atomic ARP engine alerts fired on the same IP address. You observe that each time an alert fired, requests on the IP address exceeded replies by the same number. Which configuration could cause this behavior?

A. The reply-ratio parameter is enabled.
B. MAC flip is enabled.
C. The inspection condition is disabled.
D. The IPS is misconfigured.

Correct Answer: A

QUESTION 124

Which type of signature is generated by copying a default signature and modifying its behavior?

A. meta
B. custom
C. atomic
D. normalized

Correct Answer: B

QUESTION 125

Which two conditions must you configure in an event action override to implement a risk rating of 70 or higher and terminate the connection on the IPS? (Choose two.)

A. Configure the event action override to send a TCP reset.
B. Set the risk rating range to 70 to 100.
C. Configure the event action override to send a block-connection request.
D. Set the risk rating range to 0 to 100.
E. Configure the event action override to send a block-host request.

Correct Answer: AB

QUESTION 126

Which two conditions must you configure in an event action rule to match all IPv4 addresses in the victim range and filter on the complete subsignature range? (Choose two.)

A. Disable event action override.
B. Leave the victim address range unspecified.
C. Set the subsignature ID-range to the default.
D. Set the deny action percentage to 100.
E. Set the deny action percentage to 0.

Correct Answer: BC

QUESTION 127

If learning accept mode is set to “auto” and the knowledge base is loaded only when explicitly requested on the IPS, which statement about the knowledge base is true?

A. The knowledge base is set to load dynamically.
B. The knowledge base is set to “save only.”
C. The knowledge base is set to “discarded.”
D. The knowledge base is set to load statically.

Correct Answer: B

QUESTION 128

In which way are packets handled when the IPS internal zone is set to “disabled”?

A. All packets are dropped to the external zone.
B. All packets are dropped to the internal zone.
C. All packets are ignored in the internal zone.
D. All packets are sent to the default external zone.

Correct Answer: D

QUESTION 129

Which three statements about threat ratings are true? (Choose three.)

A. A threat rating is equivalent to a risk rating that has been lowered by an alert rating.
B. The largest threat rating from all actioned events is added to the risk rating.
C. The smallest threat rating from all actioned events is subtracted from the risk rating.
D. The alert rating for deny-attacker-inline is 45.
E. Unmitigated events do not cause a threat rating modification.
F. The threat rating for deny-attacker-inline is 50.

Correct Answer: ADE

QUESTION 130

An IPS is configured to fail-closed and you observe that all packets are dropped. What is a possible reason for this behavior?

A. Mainapp is unresponsive.
B. The global correlation update failed.
C. The IPS span session failed.
D. The attack drop file is misconfigured.

Correct Answer: A