300-710 Exam Dumps - Cisco CCNP Security Questions and Answers

A correlation policy is a feature that allows you to respond in real time to threats or specific conditions on your network, using correlation rules. A correlation rule can trigger when the system generates a specific type of event, or when your network traffic deviates from its normal profile1. When a correlation rule triggers, the system generates a correlation event and can also launch a response, such as sending an alert, blocking an IP address, or scanning a host1.

In this case, the security engineer can configure a correlation rule that triggers when the system detects five or more connections from external sources within 2 minutes. The engineer can also configure a response that sends an alert to the FMC or an email recipient when this condition is triggered. The engineer can then create a correlation policy that includes this rule and activate it on the FTD device1.

The other options are incorrect because:

An application detector is a feature that allows you to detect web applications, clients, and application protocols based on patterns in network traffic. An application detector does not generate alerts based on the number of connections from external sources2.

An access control policy is a feature that allows you to control traffic flow through your network and inspect traffic for intrusions, malware, and files. An access control policy does not generate alerts based on the number of connections from external sources3.

An intrusion policy is a feature that allows you to detect and prevent malicious network activity using Snort rules. An intrusion policy does not generate alerts based on the number of connections from external sources4.

Step 1(Configure the primary unit for high availability),

Step 2(Configure the secondary unit for high availability),

Step 3(Configure the two units for high availability),

Step 4(Configure failover criteria for health monitoring)

When connectivity issues are detected between Cisco Secure Firewall Management Center (FMC) and Cisco Secure Firewall Threat Defense (FTD) devices, and initial troubleshooting indicates that heartbeats and events are not being received, the engineer can run the following commands to resolve the issue by re-establishing secure channels and checking process statuses:

manage_procs.pl:This script is used to manage and restart processes on the FTD device. Running this script can help restart any malfunctioning processes and re-establish connectivity between the FMC and FTD.

sudo stats_unified.pl:This command provides detailed statistics and status of the unified system processes. It helps in diagnosing and resolving issues related to the secure channel and event reporting.

Steps:

Access the FTD CLI.

Run the commandmanage_procs.plto restart processes.

Run the commandsudo stats_unified.plto gather detailed process statistics and verify the status.

These commands help resolve connectivity issues by ensuring that all necessary processes are running correctly and secure channels are re-established.

Reason: the command "capture-traffic" is used for SNORT Engine Captures. To capture a LINA Engine Capture, you use the "capture" command. Since the Lina Engine represents the actual physical interface of the device, "capture" is the only reasonable choice Reference:https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html#anc10

The command is

firepower# capture DMZ interface dmz trace detail match ip host 192.168.76.14 host 192.168.76.100

firepower# capture INSIDE interface inside trace detail match ip host 192.168.76.14 host 192.168.75.14