Cisco 300-710 Exam

The Capture w/Trace wizard in Cisco FMC allows you to capture packets on an FTD device and trace their path through the Snort engine. This can help you troubleshoot connectivity issues from an endpoint behind an FTD device and a public DNS server, as well as verify the Snort verdict for the DNS traffic. The Capture w/Trace wizard lets you specify the source and destination IP addresses, ports, and protocols for the packets you want to capture and trace, as well as the FTD device and interface where you want to perform the capture. You can also apply filters to limit the capture size and duration.After you start the capture, you can ping the DNS server from the endpoint and then view the captured packets and their Snort verdicts in the FMC web interface2.

To use the Capture w/Trace wizard in Cisco FMC, you need to follow these steps2:

In the FMC web interface, navigate to Troubleshooting > Capture/Trace.

Click New Capture.

Choose an FTD device from the Device drop-down list.

Choose an interface from the Interface drop-down list.

Enter the source and destination IP addresses, ports, and protocols for the packets you want to capture and trace. For example, if you want to capture DNS queries from an endpoint with IP address 10.1.1.100 to a DNS server with IP address 8.8.8.8, you can enter these values:

Source IP: 10.1.1.100

Source Port: any

Destination IP: 8.8.8.8

Destination Port: 53

Protocol: UDP

Optionally, apply filters to limit the capture size and duration. For example, you can set the maximum number of packets to capture, the maximum capture file size, or the maximum capture time.

Click Start.

Ping the DNS server from the endpoint and wait for some packets to be captured.

Click Stop to stop the capture.

Click View Capture to see the captured packets and their Snort verdicts.

The other options are incorrect because:

Performing a Snort engine capture using tcpdump from the FTD CLI will not allow you to trace the path of the packets through the Snort engine or verify their Snort verdicts.Tcpdump is a command-line tool that can capture packets on an FTD device, but it does not provide any information about how Snort processes those packets or what actions Snort takes on them2.

Creating a Custom Workflow in Cisco FMC will not help you troubleshoot a connectivity issue from an endpoint behind an FTD device and a public DNS server. A Custom Workflow is a user-defined set of pages that display event data in different formats, such as tables, charts, maps, and so on.A Custom Workflow does not allow you to capture or trace packets on an FTD device3.

Running the system support firewall-engine-debug command from the FTD CLI will not allow you to simulate real DNS traffic on the FTD device or verify the Snort verdict for that traffic. The firewall-engine-debug command is a diagnostic tool that can generate synthetic packets and send them through the Snort engine on an FTD device.The synthetic packets are not real network traffic and do not affect any connections or policies on the FTD device4.

When reconfiguring an existing Cisco FTD from transparent mode to routed mode, an additional action that must be taken to maintain communication between the two network segments is to update the IP addressing so that each segment is a unique IP subnet. This is because in routed mode, the FTD device acts as a router hop in the network and requires each interface to be on a different subnet.In transparent mode, the FTD device acts as a layer 2 firewall and does not require different subnets for each interface1.

The other options are incorrect because:

Configuring a NAT rule so that traffic between the segments is exempt from NAT is not necessary to maintain communication between the two network segments. NAT is used to translate IP addresses between different networks, but it does not affect the routing of packets.Moreover, NAT is optional in routed mode and can be disabled if not needed2.

Deploying inbound ACLs on each interface to allow traffic between the segments is not required to maintain communication between the two network segments. ACLs are used to control access to network resources based on source and destination addresses, protocols, and ports. They do not affect the routing of packets.Furthermore, ACLs are optional in routed mode and can be configured as needed3.

Assigning a unique VLAN ID for the interface in each segment is not relevant to maintain communication between the two network segments. VLANs are used to create logical groups of hosts that share the same broadcast domain, regardless of their physical location or connection. They do not affect the routing of packets.Besides, VLANs are not supported in routed mode and can only be used in transparent mode4.

The Analysis > Hosts > Vulnerabilities page in Cisco FMC displays information about the hosts on the network and their associated vulnerabilities. The administrator can filter the hosts by impact level, which indicates how likely an attack is to succeed against a host. An impact level of 2 means that the host was attacked and is potentially vulnerable, but no exploit was confirmed. The administrator can click on a host to view more details, such as its IP address, operating system, applications, protocols, and intrusion events.The administrator can also view the details of each vulnerability, such as its CVE ID, description, severity, and recommended actions3

A low-impact attack indicates that the host is not vulnerable to those attacks.A low-impact attack is an attack that does not exploit any known vulnerability on the target host or does not match any signature or anomaly rule on the FTD device5. A low-impact attack does not mean that the attack is not dangerous to the network or that the host is not within the administrator's environment. It simply means that the attack did not succeed in compromising or affecting the host.

The other options are incorrect because:

All attacks are not listed as low until manually categorized.The FTD device automatically assigns an impact level to each attack based on various factors, such as vulnerability information, threat score, and confidence rating5. The impact level can be high, medium, or low, depending on how likely and how severe the attack is.

The attacks are not necessarily harmless to the network.A low-impact attack may still cause some damage or disruption to the network, such as consuming bandwidth, generating noise, or distracting attention from other attacks6.A low-impact attack may also indicate that the attacker is probing or scanning the network for potential vulnerabilities or weaknesses7.

The host is not necessarily outside the administrator's environment. A low-impact attack can target any host on the network, regardless of its location or ownership. A low-impact attack does not imply that the host is external or irrelevant to the administrator's environment.