210-260 CCNA Security – IINS Exam Questions with Answers – Q166 to Q180

210-260 CCNA Security – IINS Exam Questions with Answers – Q166 to Q180

Question 166.
How can FirePOWER block malicious email attachments?
A. It forwards email requests to an external signature engine.
B. It scans inbound email messages for known bad URLs.
C. It sends the traffic through a file policy.
D. It sends an alert to the administrator to verify suspicious email messages.
Correct Answer: C
Section: (none)


A file policy is a set of configurations that the system uses to perform advanced malware protection and file control, as part of your overall access control configuration.
A file policy, like its parent access control policy, contains rules that determine how the system handles files that match the conditions of each rule. You can configure separate file rules to take different actions for different file types, application protocols, or directions of transfer.
You can associate a single file policy with an access control rule whose action is Allow, Interactive Block, or Interactive Block with reset. The system then uses that file policy to inspect network traffic that meets the conditions of the access control rule.

Source: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepowermodule-user guide-v541/AMP-Config.html

Question 167.
You have been tasked with blocking user access to websites that violate company policy, but the sites use dynamic IP addresses. What is the best practice for URL filtering to solve the problem?
A. Enable URL filtering and create a blacklist to block the websites that violate company policy
B. Enable URL filtering and create a whitelist to allow only the websites the company policy allow users to access
C. Enable URL filtering and use URL categorization to allow only the websites the company policy allow users to access
D. Enable URL filtering and use URL categorization to block the websites that violate company policy
E. Enable URL filtering and create a whitelist to block the websites that violate company policy
Correct Answer: D
Section: (none)


Answer: D
Confidence level: 100%

Remember: A whitelist does not block URLs, and a blacklist will not always work when a URL uses dynamic IP addresses.


Each website defined in the URL filtering database is assigned one of approximately 60 different URL categories. There are two ways to make use of URL categorization on the firewall:
Block or allow traffic based on URL category —You can create a URL Filtering profile that specifies an action for each URL category and attach the profile to a policy. Traffic that matches the policy would then be subject to the URL filtering settings in the profile. For example, to block all gaming websites you would set the block action for the URL category games in the URL profile and attach it to the security policy rule(s) that allow web access. See Configure URL Filtering for more information.
Match traffic based on URL category for policy enforcement —If you want a specific policy rule to apply only to web traffic to sites in a specific category, you would add the category as match criteria when you create the policy rule. For example, you could use the URL category streaming-media in a QoS policy to apply bandwidth controls to all websites that are categorized as streaming media. See URL Category as Policy Match Criteria for more information.
By grouping websites into categories, it makes it easy to define actions based on certain types of websites.

Source: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/url-filtering/url-categories

Question 168.
Which technology can be used to rate data fidelity and to provide an authenticated hash for data?
A. Signature updates
B. File reputation
C. Network blocking
D. File analysis
Correct Answer: B
Section: (none)


Answer: B
Confidence level: 100%

Note: Most of the dumps indicate A is the correct answer, but answer B has been verified by securitytut users who have received perfect scores.

Question 169.
Which type of encryption technology has the broadest platform support to protect operating systems?
A. software
B. hardware
C. middleware
D. file-level
Correct Answer: A
Section: (none)


Much commercial and free software enables you to encrypt files in an end-user workstation or mobile device. The following are a few examples of free solutions:
+ GPG: GPG also enables you to encrypt files and folders on a Windows, Mac, or Linux system. GPG is free.
+ The built-in MAC OS X Disk Utility: D isk Utility enables you to create secure disk images by encrypting files with AES 128-bit or AES 256-bit encryption.
+ TrueCrypt: A free encryption tool for Windows, Mac, and Linux systems.
+ AxCrypt: A f ree Windows-only file encryption tool.
+ BitLocker: Full disk encryption feature included in several Windows operating systems.
+ Many Linux distributions such as Ubuntu: A llow you to encrypt the home directory of a user with built-in utilities.
+ MAC OS X FileVault: Supports full disk encryption on Mac OS X systems. The following are a few examples of commercial file encryption software:
+ Symantec Endpoint Encryption
+ PGP Whole Disk Encryption
+ McAfee Endpoint Encryption (SafeBoot)
+ Trend Micro Endpoint Encryption

Source: Cisco Official Certification Guide, Encrypting Endpoint Data at Rest, p.501

Question 170.
A proxy firewall protects against which type of attack?
A. cross-site scripting attack
B. DDoS attacks
C. port scanning
D. Worm traffic
Correct Answer: A
Section: (none)


Answer: A
Confidence level: 100%

Note: There has been some debate on this question recently. If you google “proxy protection DDoS”, you will find a number of results. However, if you read more carefully you will see that the majority of these refer to proxy servers, not firewalls.

One of the biggest threats from XSS is injection attacks (SQL injection/buffer overflow), and this is one of the types of attacks that proxy firewalls are designed to protect against.


Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS
enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.

Source: https://en.wikipedia.org/wiki/Cross-site_scripting

A proxy firewall is a network security system that protects network resources by filtering messages at the application layer. A proxy firewall may also be called an application firewall or gateway firewall. Proxy firewalls are considered to be the most secure type of firewall because they prevent direct network contact with other systems.

Source: http://searchsecurity.techtarget.com/definition/proxy-firewall

Question 171.
What is the benefit of a web application firewall?
A. It blocks known vulnerabilities without patching applications.
B. It simplifies troubleshooting.
C. It accelerates web traffic.
D. It supports all networking protocols.
Correct Answer: A
Section: (none)


A Web Application Firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, Cross-Site Scripting (XSS) and security misconfigurations.

Source: https://en.wikipedia.org/wiki/Web_application_firewall

Question 172.
Which feature of the Cisco Email Security Appliance can mitigate the impact of snowshoe spam and sophisticated phishing attacks?
A. contextual analysis
B. holistic understanding of threats
C. graymail management and filtering
D. signature-based IPS
Correct Answer: A
Section: (none)


Snowshoe spamming is a strategy in which spam is propagated over several domains and IP addresses to weaken reputation metrics and avoid filters. The increasing number of IP addresses makes recognizing and capturing spam difficult, which means that a certain amount of spam reaches their destination email inboxes. Specialized spam trapping organizations are often hard pressed to identify and trap snowshoe spamming via conventional spam filters.
The strategy of snowshoe spamming is similar to actual snowshoes that distribute the weight of an individual over a wide area to avoid sinking into the snow. Likewise, snowshoe spamming delivers its weight over a wide area to remain clear of filters.

Source: https://www.techopedia.com/definition/1713/snowshoe-spamming

Snowshoe spam, as mentioned above, is a growing concern as spammers distribute spam attack origination across a broad range of IP addresses in order to evade IP reputation checks. The newest AsyncOS 9 for ESA enables enhanced anti-spam scanning through contextual analysis and enhanced automation, as well as automatic classification, to provide a stronger defense against snowshoe campaigns and phishing attacks.

Source: http://blogs.cisco.com/security/cisco-email-security-stays-ahead-of-current-threats-by-adding-strongersnowshoe-spam defense-amp-enhancements-and-more

Question 173.
Which NAT type allows only objects or groups to reference an IP address?
A. Static NAT
B. Dynamic NAT
C. Dynamic PAT
D. Identity NAT
Correct Answer: B
Section: (none)


Answer: B
Confidence level: 100%

Note: A lot of people are claiming that Dynamic PAT is the correct answer. This is also wrong. When using dynamic PAT, you can also configure an inline host address or specify the interface address to be assigned to an IP.


Adding Network Objects for Mapped Addresses
For dynamic NAT, you must use an object or group for the mapped addresses. Other NAT types have the
option of using inline addresses, or you can create an object or group according to this section.

* Dynamic NAT:
+ You cannot use an inline address; you must configure a network object or group.
+ The object or group cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
+ If a mapped network object contains both ranges and host IP addresses, then the ranges are used for
dynamic NAT, and then the host IP addresses are used as a PAT fallback.

* Dynamic PAT (Hide):
+ Instead of using an object, you can optionally configure an inline host address or specify the interface address.
+ If you use an object, the object or group cannot contain a subnet; the object must define a host, or for a PAT
pool, a range; the group (for a PAT pool) can include hosts and ranges.

* Static NAT or Static NAT with port translation:
+ Instead of using an object, you can configure an inline address or specify the interface address (for static
+ If you use an object, the object or group can contain a host, range, or subnet.

* Identity NAT
+ Instead of using an object, you can configure an inline address.
+ If you use an object, the object must match the real addresses you want to translate.

Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ nat_objects.html#61711

Question 174.
Which feature allows a dynamic PAT pool to select the next address in the PAT pool instead of the next port of an existing address?
A. next IP
B. round robin
C. dynamic rotation
D. NAT address rotation
Correct Answer: B
Section: (none)


The round-robin keyword enables round-robin address allocation for a PAT pool. Without round robin, by default all ports for a PAT address will be allocated before the next PAT address is used. The round-robin method assigns an address/port from each PAT address in the pool before returning to use the first address again, and then the second address, and so on.

Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ nat_objects.html#61711

Question 175.
Your security team has discovered a malicious program that has been harvesting the CEO’s email messages and the company’s user database for the last 6 months. What are two possible types of attacks your team discovered? (Choose two.)
A. social activism
B. Polymorphic Virus
C. advanced persistent threat
D. drive-by spyware
E. targeted malware
Correct Answer: CE
Section: (none)


An Advanced Persistent Threat (APT) is a prolonged, aimed attack on a specific target with the intention to compromise their system and gain information from or about that target. The target can be a person, an organization or a business.

Source: https://blog.malwarebytes.com/cybercrime/malware/2016/07/explained-advanced-persistent-threat-apt/

One new malware threat has emerged as a definite concern, namely, targeted malware. Instead of blanketing the Internet with a worm, targeted attacks concentrate on a single high-value target.

Source: http://crissp.poly.edu/wissp08/panel_malware.htm

Question 176.
Refer to the exhibit.ccna-security-iins-exam-questions-answers-q166-q180-176
What are two effects of the given command? (Choose two.)
A. It configures authentication to use AES 256.
B. It configures authentication to use MD5 HMAC.
C. It configures authorization use AES 256.
D. It configures encryption to use MD5 HMAC.
E. It configures encryption to use AES 256.
Correct Answer: BE
Section: (none)


To define a transform set — an acceptable combination of security protocols and algorithms — use the crypto ipsec transform-set global configuration command.
ESP Encryption Transform
+ esp-aes 256: ESP with the 256-bit AES encryption algorithm.
ESP Authentication Transform
+ esp-md5-hmac: ESP with the MD5 (HMAC variant) authentication algorithm. (No longer recommended)

Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-crc3.html#wp2590984165

Question 177.
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations? (Choose three).
A. when a matching TCP connection is found
B. when the firewall requires strict HTTP inspection
C. when the firewall receives a FIN packet
D. when matching ACL entries are configured
E. when the firewall requires HTTP inspection
F. when matching NAT entries are configured
Correct Answer: ADF
Section: (none)


Question 178.
If a switch port goes directly into a blocked state only when a superior BPDU is received, what mechanism must be in use?
A. STP root guard
B. Loop guard
C. STP BPDU guard
D. Etherchannel guard
Correct Answer: A
Section: (none)


Answer: A
Confidence level: 100%

Remember: The phrase “only superior BPDUs” is the key to the correct answer. BPDU guard will block a port if *ANY* BPDU is received.


Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs.

Source: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html

Question 179.
Which Auto NAT policies are processed first ?
A. Dynamic with longest prefix
B. Dynamic with shortest prefix
C. Static with longest prefix
D. Static with shortest prefix
Correct Answer: C
Section: (none)


All packets processed by the ASA are evaluated against the NAT table. This evaluation starts at the top (Section 1) and works down until a NAT rule is matched. Once a NAT rule is matched, that NAT rule is applied to the connection and no more NAT policies are checked against the packet.
+ Section 1 – Manual NAT policies: These are processed in the order in which they appear in the configuration.
+ Section 2 – Auto NAT policies: These are processed based on the NAT type (static or dynamic) and the prefix (subnet mask) length in the object.
+ Section 3 – After-auto manual NAT policies: These are processed in the order in which they appear in the configuration.
Source: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generationfirewalls/116388-technote-nat-00.html

Question 180.

Given the new additional connectivity requirements and the topology diagram, use ASDM to accomplish the required ASA configurations to meet the requirements.

New additional connectivity requirements: Currently, the ASA configurations only allow on the Inside and DMZ networks to access any hosts on the Outside. Your task is to use ASDM to configure the ASA to also allow any host only on the Outside to HTTP to
the DMZ server. The hosts on the Outside will need to use the public IP address when HTTPing to the DMZ server.
Currently, hosts on the ASA higher security level interfaces are not able to ping any hosts on the lower security level interfaces. Your task in this simulation is to use ASDM to enable the ASA to dynamically allow the echoreply responses back through the ASA.
Once the correct ASA configurations have been configured:
You can test the connectivity to from the Outside PC browser. You can test the pings to the Outside (www.cisco.com) by opening the inside PC command prompt window. In this simulation, only testing pings towww.cisco.comwill work.

To access ASDM, click the ASA icon in the topology diagram.
To access the Firefox Browser on the Outside PC, click the Outside PC icon in the topology diagram.
To access the Command prompt on the Inside PC, click the Inside PC icon in the topology diagram.

After you make the configuration changes in ASDM, remember to click Apply to apply the configuration changes.
Not all ASDM screens are enabled in this simulation, if some screen is not enabled, try to use different methods to configure the ASA to meet the requirements.
In this simulation, some of the ASDM screens may not look and function exactly like the real ASDM.
Correct Answer:
Section: (none)

Follow the explanation part to get answer on this sim question.
First, for the HTTP access we need to creat a NAT object. Here I called it HTTP but it can be given any name.
Then, create the firewall rules to allow the HTTP access:
You can verify using the outside PC to HTTP into
For step two, to be able to ping hosts on the outside, we edit the last service policy shown below:
And then check the ICMP box only as shown below, then hit Apply.
After that is done, we can ping www.cisco.com again to verify:

About the author


Leave a Comment