
Share your FIREWALL Experience

January 3rd, 2011

Cisco has changed its security track by replacing the old CCSP with the new CCNP Security certification, which has four modules: SECURE, FIREWALL, IPS and VPN. In practice the old CCSP and the new CCNP Security are very similar. Many candidates have asked us to put up materials for these new exams, but that is time-consuming work. In the meantime we have created this “Share your experience” page for the FIREWALL exam. We really hope that anyone who reads securitytut, 9tut, digitaltut, certprepare, networktut or voicetut will contribute to this section, because your experience is invaluable to CCNP Security learners trying to reach their goals.

Please share with us your experience after taking the FIREWALL 642-617 exam, your materials, the way you learned, your recommendations…

Comments (50)
  1. Anonymous
    February 17th, 2020

    NEW QUESTION 490
    Which action do you take on a Cisco router to limit the management traffic to only one interface?

    A. Filter incoming connections by applying an extended ACL on a loopback interface.
    B. Filter incoming …
    C. … Management Plane Protection feature.
    D. Add an interface by using the management-interface command.

    Answer: C
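
For the Management Plane Protection answer above, here is an added IOS configuration example (it is not the poster's, and not from the original page) that shows the feature in use. The interface name, the allowed protocol list and the management subnet are assumptions:

```text
! Added example: Management Plane Protection (MPP) on a Cisco IOS router.
! Interface name, protocol list and addresses are assumptions for illustration.
!
! MPP relies on CEF (on by default on current platforms).
ip cef
!
! Designate ONE management interface and the protocols allowed on it.
! Once this is in place, SSH/HTTPS/SNMP sessions arriving on any OTHER
! interface are dropped, so enter it from the interface you intend to keep.
control-plane host
 management-interface GigabitEthernet0/0 allow ssh https snmp
!
! Keep the line-level restrictions too; MPP limits WHERE management
! traffic may enter, the access-class limits WHO may connect.
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
! Verification
! show management-interface
!   -> lists the management interface, its allowed protocols and
!      per-protocol packet counters
```

Why the "extended ACL on a loopback" option does not achieve this: an interface ACL only filters packets that enter that interface, and a loopback never receives packets from the wire, so management sessions arriving on the physical interfaces are untouched by it.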

  2. RCV
    February 17th, 2020

    Exam 300-206 Dual SSD? Single SSD?

  3. SecGuy
    February 17th, 2020

    Passed today,

    Two new questions :

    1) primary function of HTTPS in Cisco IOS XE -> redirect requests to HTTP :
    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/https/configuration/xe-16-5/https-xe-16-5-book/HTTPS–HTTP_Server_and_Client_with_SSL_3-0.html

    2) Configuration of ASDM : http server enable

    Question about MKA; the answer was protecting traffic between switch and endpoint.

    In the Gon file, for the question about traffic reaching the FW, I answered with both capture commands (packet-capture is incorrect because it simulates traffic only).

    Good luck to all!
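
The two configuration items SecGuy mentions (the HTTPS server on IOS XE and enabling ASDM on an ASA) as an added worked configuration; this is not the poster's text or the original page's content, and the trustpoint name, ACL, addresses and image file name are assumptions:

```text
! ---- Cisco IOS XE: HTTPS management server (added example) ----
! Turn off the plaintext server; serve management over TLS only.
no ip http server
ip http secure-server
! Use an enrolled trustpoint instead of the auto-generated self-signed
! certificate (the trustpoint "MGMT-CA" must already be enrolled).
ip http secure-trustpoint MGMT-CA
! Authenticate against the local user database (or "aaa" for a AAA list).
username admin privilege 15 secret <strong-password>
ip http authentication local
! Only the management subnet may reach the server.
access-list 10 permit 10.0.0.0 0.0.0.255
ip http access-class 10
!
! Verification
! show ip http server status          -> "HTTP server status: Disabled"
! show ip http server secure status   -> "HTTP secure server status: Enabled", trustpoint name

! ---- Cisco ASA: enable ASDM access (added example) ----
! Despite the command name, "http server enable" starts the HTTPS server
! that ASDM connects to (port 443 by default; "http server enable 8443" changes it).
asdm image disk0:/asdm-example.bin
http server enable
! Permit only the management subnet, and only via the inside interface.
http 10.0.0.0 255.255.255.0 inside
! Require a login rather than the enable password.
username admin password <strong-password> privilege 15
aaa authentication http console LOCAL
!
! Verification
! show running-config http
! show asdm sessions
```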

  4. RCV
    February 17th, 2020

    Hi, congratulations!
    Help me, I will take the exam today. Are the lab, D&D and Spot questions the same?
    Are there questions about ISE dual or single SSD?
    Thanks in advance

  5. Anonymous
    February 17th, 2020

    Yes, D&D and Labs are the same.
    No question about ISE SSD.

  6. RCV
    February 17th, 2020

    Thanks,
    Which two verification commands do you run on the perimeter firewall to confirm that the packets reach the
    firewall?
    answer: show capture capin
    capture capin interface inside
    Correct?

    D&D
    Trustsec D&D – ISE and ASA ?
    Register with ISE
    ASA downloads PAC
    Device authenticates using Trustsec
    Devices sends SGT to upstream switches
    Receives petition and lookup for SGT

    D&D NTP ?
    Step 1 ntp authenticate
    Step 2 ntp trusted-key key_id
    Step 3 ntp authentication-key key_id md5 key
    Step 4 ntp server ip_address [ key key_id ] [ source interface_name ] [ prefer ]

    A. AsaV in front-end
    B. VSG in front-end
    C. AsaV in Back-end
    D. VSG in back-end
    Correct Answer: A and D
    Really, thank you
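
The NTP drag-and-drop steps above, written out as an added ASA configuration with verification (this is not from the poster or the original page; the key ID, key string, server address and interface are assumptions):

```text
! Added example: authenticated NTP on a Cisco ASA.
! Key ID, key string, server address and interface are assumptions.
!
! Define the secret the ASA shares with the NTP server (key ID 1).
! This is a symmetric key, not a password hash; protect the config accordingly.
ntp authentication-key 1 md5 <shared-key-string>
! Mark the key ID as trusted. A server whose reply carries an untrusted
! key ID is ignored even though the key string itself is configured.
ntp trusted-key 1
! Enable authentication globally.
ntp authenticate
! Point at the server, naming the key it must use and the interface to
! source queries from.
ntp server 192.0.2.10 key 1 source outside prefer
!
! Verification
! show ntp status              -> "Clock is synchronized, stratum N"
! show ntp associations        -> "*" in front of the peer = selected master
! show ntp associations detail -> the peer line should read "authenticated"
```

The step order in the drag-and-drop is the order the exam expects; on the CLI the four lines can be entered in any order, because nothing is enforced until `ntp authenticate` is present together with a trusted key. With `ntp authenticate` on and no matching trusted key, the ASA simply never synchronises, which `show ntp status` makes obvious.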

  7. SecGuy
    February 17th, 2020

    Correct for the first questions; just for the last question:
    There was only one answer to choose and it was about protecting a multitenant datacenter at the perimeter. I really don’t know the correct answer (ASAv or VSG..)

  8. RCV
    February 17th, 2020

    “There was only one answer to choose and it was about protecting multitenant datacenter in the perimeter. really don’t know the correct answer (ASAv or VSG..)” I think ASAv in front-end.

  9. 300-206
    February 17th, 2020

    hi guys

    How do I verify my configuration in the lab in the 300-206 exam?

  10. RCV
    February 17th, 2020

    NAT ?

  11. scubasteve
    February 17th, 2020

    @RCV

    https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/2-2/design_guide/vmdcDesign22/VMDC_2-2_DG_2.html#wp1358647

    @SecGuy

    Congratulations, what was your score?

  12. RCV
    February 17th, 2020

    @scubasteve thanks !

  13. scubasteve
    February 17th, 2020

    @SecGuy

    The TrustSec D&D, how many options?

  14. SecGuy
    February 17th, 2020

    D&D trustsec, 5 options.
    My response was ASAv in front-end too.
    I got 95X.

  15. RCV
    February 17th, 2020

    Should they be put in order, or dragged to ISE or ASA?

    1) Register with ISE
    2) Downloads PAC
    3) Device authenticates using TrustSec
    4) Device sends SGT to upstream switches
    5) Receives petition and lookup for SGT
    or DRAG

    ISE
    Register with ISE
    Downloads PAC (ASA downloads from ISE)
    Device authenticates using TrustSec (ISE)
    Device sends SGT to upstream switches (ASA)
    Receives petition and lookup for SGT (ASA)
    Thanks
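
The TrustSec integration steps discussed in the two comments above (register the ASA on ISE, import the PAC, authenticate, exchange SGTs) as an added ASA configuration. This is not the posters' text or the original page's content; server addresses, group and SGT names, secrets and interface names are assumptions:

```text
! Added example: Cisco ASA integrated with ISE for TrustSec.
! Addresses, names and secrets are assumptions.
!
! --- RADIUS server group pointing at ISE ---
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.1.1.10
 key <radius-shared-secret>
!
! --- Tell the ASA which AAA group is its TrustSec (ISE) server ---
cts server-group ISE
!
! --- The ASA is first added as a network device on ISE; the PAC is
!     generated there, copied to flash and imported. The environment data
!     (SGT names, refresh timer) is then pulled from ISE. ---
cts import-pac disk0:/asa.pac password <pac-password>
cts refresh environment-data
!
! --- Learn IP-to-SGT bindings from the access switches over SXP ---
cts sxp enable
cts sxp default password <sxp-password>
cts sxp default source-ip 10.1.1.1
cts sxp connection peer 10.1.1.20 password default mode local listener
!
! --- Use the tags in policy instead of IP addresses ---
object-group security SG-SERVERS
 security-group name Servers
access-list INSIDE_IN extended permit tcp security-group name Employees any object-group-security SG-SERVERS any eq 443
access-group INSIDE_IN in interface inside
!
! Verification
! show cts pac                -> PAC present and not expired
! show cts environment-data   -> SGT table learned from ISE, next refresh time
! show cts sxp connections    -> peer connection state "On"
! show cts sxp sgt-map        -> IP-to-SGT bindings received from the switch
```

Note that the ASA in this example is an SXP listener: it consumes bindings from the switch. Whether the ASA is the speaker or the listener depends on the design, and the `mode local {speaker | listener}` keyword is what sets it.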

  16. MeDave
    February 17th, 2020

    My friend is looking for the 210-260 IINS; drop me an email if you have the latest accurate dump. Thanks.

    medave775 *at* gmail.com

  17. Ras
    February 17th, 2020

    Can anyone please confirm whether the Gon 166-question file is still enough to pass 300-206? I will sit the exam on Saturday.

  18. Danny
    February 17th, 2020

    @SecGuy thanks for the feedback. Did you use the Gon Jan file? What else did you use to prepare? I have my exam in 4 hours. Are there any other wrong answers in the Gon file?

  19. Tan
    February 17th, 2020

    Same query as Ras… Is it enough to sit the 300-206 exam if I follow Gon’s 166-question file?

  20. SecGuy
    February 17th, 2020

    @Danny,
    The Gon file is sufficient; I had only 2 new questions.

  21. SecGuy
    February 17th, 2020

    @Danny, you have to review the Gon file, including the 61Q.

  22. Chuck
    February 17th, 2020

    @RCV,
    That’s a D&D and the question is about how to configure RBAC. Not sure what the word RBAC is doing here, as the question is about configuring TrustSec. I used the Cisco TrustSec configuration for ASA to answer this D&D.

  23. 300-206
    February 17th, 2020

    @RCV
    Yes, NAT.
    Are there any marks for verifying and testing?

  24. Danny
    February 17th, 2020

    Thanks, I am doing both the Gon Jan 166Q and the Gon Feb 61Q, plus your comments about the TrustSec D&D and the 2 new questions.

    can someone please tell me the correct answer for this question:
    Which command must you configure on a Cisco IOS XR or XE device to enable Cisco Prime Infrastructure to perform event-triggered backups? Logging level or logging?

  25. RCV
    February 17th, 2020

    Passed!
    RCV:
    No new questions.

    I had a problem with the NAT/PAT lab.
    I was unable to see the translation. I tried via the CLI on the ASA (show nat and show xlate) and also via ASDM monitoring.

  26. Danny
    February 17th, 2020

    Which command must you configure on a Cisco IOS XR or XE device to enable Cisco Prime Infrastructure to perform event-triggered backups? Logging trap level or logging?

  27. 300-206
    February 17th, 2020

    VSG in back-end is the correct answer

  28. Chunky
    February 17th, 2020

    Good luck Danny!! Good luck all!!

  29. Anonymous
    February 17th, 2020

    Which statement about SenderBase reputation scoring on an ESA Device is true?
    A. Application traffic from known bad sites can be throttled or blocked
    B. Sender reputation scores can be assigned to domains IP address and MAC address
    C. Mail with scores in the medium range can be automatically routed for antimalware scanning
    D. A high score indicates that a message is very likely to be spam
    E. You can configure a custom score threshold for whitelisting messages
    F. By default all messages with a score below zero are dropped or throttled
    Which one is correct?

  30. Anonymous
    February 17th, 2020

    A network engineer must manage and push configuration to a cisco networking environment,
    in which 10 cisco ASA with IPS modules reside. Which solution accomplishes this task?
    A. Cisco adaptive security device manager to push configuration to each of the IPS units
    B. FireSIGHT manager to bundle and push configurations to the ips installed on an SSD within the
    cisco ASA 5500 series ASA
    C. Cisco security manager 4.5 or later pushing configuration bundles to each of the IPS units
    D. Cisco IPS manager express and pushing configuration to the IPS units

    Which one is correct?

  31. RCV
    February 17th, 2020

    Which statement about SenderBase reputation scoring on an ESA Device is true?
    A. Application traffic from known bad sites can be throttled or blocked
    B. Sender reputation scores can be assigned to domains IP address and MAC address
    C. Mail with scores in the medium range can be automatically routed for antimalware scanning
    D. A high score indicates that a message is very likely to be spam
    E. You can configure a custom score threshold for whitelisting messages
    F. By default all messages with a score below zero are dropped or throttled
    I think “F”


    A network engineer must manage and push configuration to a cisco networking environment,
    in which 10 cisco ASA with IPS modules reside. Which solution accomplishes this task?
    A. Cisco adaptive security device manager to push configuration to each of the IPS units
    B. FireSIGHT manager to bundle and push configurations to the ips installed on an SSD within the
    cisco ASA 5500 series ASA
    C. Cisco security manager 4.5 or later pushing configuration bundles to each of the IPS units
    D. Cisco IPS manager express and pushing configuration to the IPS units
    I think “C”

  32. RCV
    February 17th, 2020

    RCV:
    D&D: NTP / TrustSec / QoS
    Lab: NAT / PAT
    Syslog server
    Packet tracer
    Read
    the Gon Feb 61 Q and the questions on this page

  33. 300-206
    February 18th, 2020

    B. FireSIGHT manager to bundle and push configurations to the ips installed on an SSD within the
    cisco ASA 5500 series ASA

    is the correct answer

  34. 300-206
    February 18th, 2020

    F. By default all messages with a score below zero are dropped or throttled

    correct

  35. Danny
    February 18th, 2020

    Hi guys, I passed with 9XX. Thank you everyone for your invaluable contributions: Gon Freecs, Chunky, Chuck, SecGuy, scubasteve, RCV. You guys are the best; you guys rock.

    Everything is from Gon Feb and some new questions posted by Chuck. Just read those questions at the last minute.

  36. RCV
    February 18th, 2020

    congratulations! Good luck to all

  37. Moraes
    February 18th, 2020

    I took it today and scored 9xx.

    D&D for NTP; routed mode and transparent mode; QoS policing; TrustSec.

    This question When you configure a Botnet Traffic Filter on a Cisco firewall. What are two optional tasks? (Choose two)
    A. Enable the use of dynamic databases.
    B. Add static entries to the database.
    C. Enable DNS snooping.
    D. Enable traffic classification and actions.
    E. Block traffic manually based on its syslog information.
    Correct Answer: BE

    An engineer has found that threat detection has been turned on by default on a Cisco ASA. Which two security
    events are monitored? (Choose two)
    A. Concurrent NAT interface overload addresses
    B. Denial of service attack occurrences
    C. Packet allowed by the inspection engine
    D. Number of times the rates were exceeded
    E. Total number of malformed packets received
    Correct Answer: BD

    Refer to the exhibit. which two verification commands do you run on the perimeter firewall to
    confirm that the packets reach the firewall?
    ASA-Per# show access-list acl_web
    .
    .
    access-list acl_web line 6 extended permit tcp 10.10.1.0 255.255.255.0 host 172.16.31.8 eq www (hitcnt=0) 0x9726335c
    ASA-Per# sh run access-group
    .
    .
    access-group acl_web global

    A. ASA-Per# packet-tracer input outside tcp 10.10.1.100 49000 172.16.31.8 www
    B. ASA-Per# capture capin interface inside match tcp 10.10.1.100 host 172.16.31.8 eq www
    C. ASA-Per# show logging
    D. ASA-Per# show capture capin
    E. ASA-Per# packet-tracer input inside tcp 10.10.1.100 49000 172.16.31.8 www
    Answer: BE

    SPOTO and Gon Freecs are enough to pass.
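
The "did the packets reach the firewall" question above (also raised by SecGuy and RCV earlier in the thread) comes down to the difference between a capture and packet-tracer. Here is an added ASA example, not from any poster or the original page, using the addresses from the exhibit; capture names and interface names are assumptions:

```text
! Added example: proving whether traffic reaches a Cisco ASA.
! Addresses are taken from the exhibit above; capture names and
! interface names are assumptions.
!
! (1) Real packets. A capture on the ingress interface only ever contains
!     frames that physically arrived there. The match filter keeps the
!     buffer to the flow of interest.
capture capin interface inside match tcp host 10.10.1.100 host 172.16.31.8 eq www
!
! Have the client retry the connection, then:
! show capture capin          -> packet lines; an empty capture means
!                                nothing from that host arrived on "inside"
! show capture capin detail   -> adds MAC addresses, confirming which
!                                next hop the client actually used
!
! (2) If packets arrive but are discarded, the ASP drop capture shows
!     them together with the drop reason:
capture drops type asp-drop all
! show capture drops | include 172.16.31.8
!
! (3) packet-tracer injects a SYNTHETIC packet and walks it through the
!     policy (ACL, NAT, routing, inspection). It tells you what the ASA
!     WOULD do with such a packet, not that one ever reached it, so it
!     cannot answer this question on its own.
packet-tracer input inside tcp 10.10.1.100 49000 172.16.31.8 www
!
! Captures consume memory and persist until removed; clean up afterwards.
no capture capin
no capture drops
```

Reading the exhibit with this in mind: `hitcnt=0` on the ACL line says the rule never matched, and the capture is what distinguishes "the packet never arrived" from "it arrived and was handled by something other than line 6".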
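
For the Botnet Traffic Filter question above, the split between mandatory and optional tasks is clearer in the configuration itself. This is an added ASA example, not from the poster or the original page; interface names, threat-level range and the static entries are assumptions:

```text
! Added example: Botnet Traffic Filter on a Cisco ASA.
! Interface names, threat-level range and static entries are assumptions.
!
! --- Required: the dynamic database downloaded from Cisco ---
dynamic-filter updater-client enable
dynamic-filter use-database
! ("dynamic-filter database fetch" in exec mode forces an immediate download)
!
! --- Required: DNS snooping, so that blacklisted names are mapped to the
!     IP addresses hosts then connect to. Added to the default global policy.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop
!
! --- Required: classify traffic on the interface and act on matches ---
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside threat-level range moderate very-high
!
! --- Optional: local static entries that extend or override the feed ---
dynamic-filter blacklist
 name bad.example
 address 203.0.113.0 255.255.255.0
dynamic-filter whitelist
 name partner.example
!
! Verification
! show dynamic-filter updater-client        -> last successful download
! show dynamic-filter data                  -> database size and timestamp
! show dynamic-filter statistics            -> DNS replies snooped, connections classified
! show dynamic-filter reports top malware-sites
```

Without the `dynamic-filter drop` line the feature only logs (syslog) and does not block, which is the behaviour the "block traffic manually based on its syslog information" option refers to: the engineer reads the syslog and adds a static entry or a drop rule by hand.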

  38. scubasteve
    February 18th, 2020

    Passed today.

    Question change.

    QUESTION 26
    Which type of authentication and encryption does SNMPv3 use at the authPriv security level?
    A. Username authentication without encryption
    B. MD5 or SHA authentication with DES encryption
    C. Username authentication with DES encryption
    D. MD5 or SHA authentication with DES encryption

    Correct Answer: B

    Also, I went with VSG in the back-end, because the question mentioned Intratenant.

    Good luck all.

  39. scubasteve
    February 18th, 2020

    Previous post, option D is:

    D. MD5 or SHA authentication with no encryption.

  40. Chunky
    February 18th, 2020

    @scubasteve

    Great work!!! Well done!!!

  41. ginodesilva
    February 19th, 2020

    Hi guys,

    Doing my exam this Friday and I am struggling with the NAT D&D. There are a lot of conflicting answers, mostly because of the terrible question. Is the answer in Gon the correct one?

    209.165.202.130 – Source address in translated packet
    209.165.200.228 – Destination address in original packet
    172.16.0.50 – Source address in original packet
    172.16.0.100 – Destination address in translated packet

    And the “old” simulations, such as Botnet, are they retired from the exam? Is NAT and the Inspect-map the only possible ones?

    Thanks in advance!

  42. scubasteve
    February 19th, 2020

    @ginodesilva

    NAT D&D is no longer on the exam. But the correct answer is below:

    209.165.202.130 – Source address in original packet
    209.165.200.228 – Destination address in original packet
    172.16.0.50 – Source address in translated packet
    172.16.0.100 – Destination address in translated packet

    Only sim left is NAT/PAT.

    Good luck in your exam.
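
The four addresses in the two comments above are the "original packet" and "translated packet" columns of an ASDM twice-NAT rule. Here is that rule as an added ASA configuration, together with the commands that show the translation (which RCV reported trouble seeing in the lab). This is not from either poster or the original page; object names and interface names are assumptions:

```text
! Added example: twice (manual) NAT on a Cisco ASA using the four
! addresses from the drag-and-drop. Object and interface names are assumptions.
!
! Original packet   (what the outside client sends):
!     src 209.165.202.130  ->  dst 209.165.200.228
! Translated packet (what the inside server receives):
!     src 172.16.0.50      ->  dst 172.16.0.100
!
object network OUTSIDE-CLIENT
 host 209.165.202.130
object network CLIENT-MAPPED
 host 172.16.0.50
object network SERVER-PUBLIC
 host 209.165.200.228
object network SERVER-REAL
 host 172.16.0.100
!
! nat (real_ifc,mapped_ifc) source static REAL MAPPED destination static MAPPED REAL
! The order flips for the destination half: the address the client
! targets (mapped) comes first, the server's real address second.
nat (outside,inside) source static OUTSIDE-CLIENT CLIENT-MAPPED destination static SERVER-PUBLIC SERVER-REAL
!
! Verification
! show nat detail     -> translate_hits / untranslate_hits increase once real traffic matches
! show xlate          -> an entry per active translation; it appears only after a
!                        matching connection has actually been built through the ASA
! packet-tracer input outside tcp 209.165.202.130 49000 209.165.200.228 80
!                     -> the NAT phases print which rule matched and the
!                        untranslated destination, with no live traffic needed
```

If `show xlate` stays empty in the lab, generate a real connection from the test host first: the translation table reflects traffic that went through the box, not rules that merely exist.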

  43. Ginodesilva
    February 19th, 2020

    @scubasteve

    Thanks for the quick response. It’s my last one…

  44. Jasek
    February 19th, 2020

    Security Levels

    SNMP offers 3 different security levels:

    noAuthNoPriv
    AuthNoPriv
    AuthPriv

    Auth stands for Authentication and Priv for Privacy (encryption).

    noAuthNoPriv = username authentication and no encryption.
    AuthNoPriv = MD5 or SHA authentication but no encryption.
    AuthPriv = MD5 or SHA authentication AND encryption.

    SNMPv1 and SNMPv2 only support noAuthNoPriv since they don’t offer any authentication or encryption. SNMPv3 supports any of the three security levels. When you decide to use noAuthNoPriv for SNMPv3 then the username will replace the community-string.

    The community string for SNMPv1 and SNMPv2 is sent in clear text. SNMPv3 is far more secure because it doesn’t send the user passwords in clear text but uses MD5 or SHA1 hash-based authentication; encryption is done using DES, 3DES or AES.
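
The three security levels Jasek describes, as they appear in an ASA (and, with the noted difference, IOS) configuration. This is an added example, not the poster's or the original page's; the group and user names, NMS address and passphrases are assumptions. It places the weaker level next to the one you would actually deploy:

```text
! Added example: SNMPv3 security levels on a Cisco ASA.
! Group/user names, NMS address and passphrases are assumptions.
!
! authNoPriv with MD5: integrity and origin only, payload readable on the wire.
snmp-server group RO-AUTH v3 auth
snmp-server user nms-ro RO-AUTH v3 auth md5 <auth-passphrase>
!
! authPriv: authentication AND encryption. The exam's reference answer names
! DES because the question predates AES support being common; on current
! code choose SHA for auth and AES for priv.
snmp-server group RO-PRIV v3 priv
snmp-server user nms-priv RO-PRIV v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
!
! Poll and trap destination bound to the v3 user (ASA syntax; on IOS the
! equivalent is "snmp-server host 10.1.1.50 version 3 priv nms-priv").
snmp-server host inside 10.1.1.50 version 3 nms-priv
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
! noAuthNoPriv is what a v1/v2c community gives you: the community string
! travels in clear text and is the only "credential". Configure none.
! no snmp-server community <string>
!
! Verification
! show snmp-server user    -> "Authentication Protocol: SHA", "Privacy Protocol: AES128"
! show snmp-server group   -> security model v3, level priv
```

A detail the exam options gloss over: the level is a property of the group, and a user is only as strong as the group it belongs to. A user created with `priv` parameters but placed in an `auth` group will be polled at authNoPriv.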

  45. Anonymous
    February 21st, 2020

    Hi guys, I passed with 930. Thank you everyone for your invaluable contributions: Gon Freecs, Chunky, Chuck, SecGuy, scubasteve, RCV.

  46. Ginodesilva
    February 21st, 2020

    Hi everybody,

    Passed with 965 just now. Thanks for the contributions and all the hard work!

  47. Chunky
    February 21st, 2020

    Just passed!!! Thanks all for support!!!!

  48. Ras
    February 22nd, 2020

    What is the right answer to this question? Is it A and C, or C and E?

    Which two features does DNSSEC leverage for proper functionality? (Choose two.)

    A. It uses TCP to ensure reliable delivery.
    B. It uses UDP to reduce the DNS responses time.
    C. It uses EDNS to manage the larger DNS packets it requires.
    D. It uses UDP to minimize packet size.
    E. It uses AD and DO inside UDP to reduce response time.

  49. ddos
    February 23rd, 2020

    I failed it; lots of new questions that I hadn’t seen in any of these materials. I was only sitting this one to renew my CCNP, which expires in a couple of weeks.
    What other options do I have to renew my CCNP easily?

  50. John
    February 23rd, 2020

    They are not supposed to change the questions on the last day. Is there any authentic news? Can anyone confirm? I will sit the exam in 2 hours.

Note: Please do not open any suspicious links (especially short links and links that need some words removed to open) in the comment section above, as they are usually spam and may harm your computer.