1. Regarding MARS Appliance rules, which three statements are correct? (Choose three.)
A. There are three types of rules: System Inspection Rules, User Inspection Rules, and Drop Rules.
B. Rules can be saved as reports.
C. Rules can be deleted.
D. Rules trigger incidents.
E. Rules can be defined using a seed file.
F. Rules can be created using a query.
Answer:ADF
2. Which action enables the MARS Appliance to ignore false positive events by either dropping the events
completely, or by just logging them to the database?
A. Creating System Inspection Rules using the Drop operation
B. Creating Drop Rules
C. Inactivating the Rules
D. Inactivating events
E. Deleting the false positive events from the Incidents > False Positives screen
F. Deleting the false positive events from the Management > Event Management screen
Answer:B
3. Which of the following is a supported mitigation feature on the MARS Appliance?
A. Generating and pushing configuration commands to Layer 3 devices
B. Generating and pushing configuration commands to Layer 2 devices
C. Automatically dropping all suspected traffic at the nearest firewall
D. Automatically dropping all suspected traffic at the nearest IPS appliance
Answer:B
4. Which browser plug-in is required to view the charts and graphs on the MARS Appliance?
A. Macromedia Flash Player
B. Sun Microsystems Java
C. Microsoft PowerPoint
D. Adobe SVG Viewer
TestInside 642-567
Answer:D
5. A MARS Appliance cannot access certain devices through the default gateway. Troubleshooting has determined
that this is a MARS configuration issue. Which additional MARS configuration will be required to correct this
issue?
A. Use the MARS GUI to enable a dynamic routing protocol.
B. Use the MARS GUI to add a static route.
C. Use the MARS GUI to configure multiple default gateways.
D. Use the MARS CLI to enable a dynamic routing protocol.
E. Use the MARS CLI to add a static route.
F. Use the MARS CLI to configure multiple default gateways.
Answer:E
6. When adding a device to the MARS Appliance, what is the reporting IP address of the device?
A. the source IP address that sends syslog information to the MARS Appliance
B. the IP address MARS uses to access the device via SNMP
C. the IP address MARS uses to access the device via Telnet or SSH
D. the pre-NAT IP address of the device
E. the highest loopback IP address configured on the Cisco reporting device
Answer:A
7. What enables the MARS Appliance to profile network usage and detect statistically significant anomalous
behavior from a computed baseline?
A. MARS Global Controller
B. VMS
C. Netflow
D. CiscoWorks
E. MARS custom parser
Answer:C
8. Which is a benefit of using the dollar variable (like $TARGET01) when creating queries in MARS?
A. The dollar variable enables multiple queries to reference the same common 5-tuples information using a
variable.
B. The dollar variable ensures that the probes and attacks that are reported are happening to the same host.
C. The dollar variable allows matching of any unknown reporting device.
D. The dollar variable allows matching of any event type groups.
E. The dollar variable enables the same query to be applied to different reports.
Answer:B
9. What will happen if you try to run a MARS query that will take a long time to complete?
A. After submitting the query, the MARS GUI screen will be locked up until the query completes.
B. The query will be automatically saved as a rule.
C. The query will be automatically saved as a report.
D. You will be prompted to "Submit Batch" to run the query in batch mode.
E. You will be prompted to "Submit Inline" to run the query immediately.
Answer:D
10. The MARS Appliance (running release 3.4.1) supports which protocol for data archiving and restoring?
A. NFS
B. TFTP
C. FTP
D. secured FTP
Answer:A
11. When restoring archived data to a MARS Appliance, which is the best practice to follow?
A. Use HTTPS to protect the data transfer.
B. Use secured FTP to protect the data transfer.
C. Use "mode 5" restore from the MARS CLI to provide enhanced security during the data transfer.
D. Use the Admin > System Maintenance > Data Archiving on the MARS GUI to perform restore operations
online.
E. To avoid problems, only restore to a same or higher-end MARS Appliance.
Answer:E
12. Which three statements are correct about the MARS Global Controller? (Choose three.)
A. The Global Controller can correlate events from different Local Controllers into a common session.
B. One Global Controller can support multiple Local Controllers.
C. Each zone can have one Local Controller.
D. All Local Controllers events are propagated to the Global Controller for correlations.
E. The Global Controller and the Local Controllers can be running different MARS OS versions.
F. Based on a selected Local Controller, incidents on the Global Controller can be viewed.
Answer:BCF
13. What are three benefits in deploying MARS Appliances using the Global and Local Controllers' architecture?
(Choose three.)
A. A Global Controller can provide a summary of all Local Controllers information (network topologies, incidents,
queries, and reports result).
B. A Global Controller can provide a central point for creating rules and queries, which are applied to multiple
Local Controllers simultaneously.
C. The architecture provides redundancy in case one of the MARS Local Controllers failed within a zone.
D. Users can seamlessly navigate to any Local Controllers from the Global Controller GUI.
E. A Global Controller can correlate events from multiple Local Controllers to perform global sessionizations.
Answer:ABD
14. Which two of the following are required to enable MARS level 3 operations? (Choose two.)
A. Global Controller
B. vulnerability scanning
C. Netflow
D. SNMP community string
E. username and password to log in to the device
Answer:DE
15. When configuring Cisco ACS users and groups, and the user configuration has an attribute configured
differently from the same attribute in the group profile, what will the result be?
A. The user setting will override the group setting.
B. The group setting will be applied.
C. The specific user cannot be placed into a group to avoid conflicts.
D. A unique group must be configured and the user placed into that group.
Answer:A
16. When the maximum limit of 100 unauthorized non-responsive endpoints per NAD is reached, the router stops
processing RADIUS requests for NAC to prevent DoS attacks on the ACS server. What then happens to legitimate
users attempting access?
A. Users without CTA will be denied access.
B. Users with CTA will still receive posture validation tokens.
C. Users will have default network access (whatever is permitted by the access list [ACL] of the router interface).
D. All users will be denied access and placed into an "unknown" status.
Answer:C
17. When issuing the show eou all command on a Cisco router acting as a NAD, you do not see any EAPoUDP
sessions in the displayed output. Which, most likely, is the problem?
A. No clients have attempted access.
B. Clients are not configured to use EAPoUDP.
C. All NAC sessions have timed out.
D. The router is not properly configured.
Answer:D
18. Which command can you use to verify operation between a Network Admission Control (NAC) agent and a
Network Access Device (NAD)?
A. show eapoupd all
B. show eou all
C. show nac all
D. show nac access-list all
Answer:B
19. Refer to the exhibit. You are troubleshooting a problem with a clientless host. It is showing up as 'unknown' or
URL redirection is not working. You have determined that the problem lies in the Cisco ACS configuration.
Which two parameters must be changed in order to correct this behavior? (Choose two)
A. Check "Assign IP ACL."
B. Change the dropdown to "Healthy."
C. Check the "[0900\001] cisco-av-pair" box.
D. Change the redirect statement to
http://192.168.1.2/healthy.htm.
E. Increase the status-query timer to 20 to help prevent a query timeout.
Answer:AC
20. You have installed the Cisco Trust Agent (CTA) on remote PCs for posture validation. However, CTA is not
communicating properly with the validation server. What is a probable cause for this communication issue?
A. The redirect URL is not properly configured for remediation before allowing network access.
B. Incorrect credentials are being passed to the policy validation server.
C. A personal firewall is not configured to pass EAPoUDP.
D. The control services applet is not properly configured.
Answer:C
21. Refer to the partial output sample from a Cisco Trust Agent (CTA) ctad.ini configuration file. Which of the
following is true based on the values shown?
[ServerCertDNVerification]
TotalRules=2
Rule1=CN*"server", ISSUER-CN*"Finance"
Rule2=CN="Finance posture Cert", OU*"Finance", ISSUER-CN*"ACME"
A. Both Rule1 and Rule2 must be matched to allow the connection.
B. If either rule accepts the certificate, then the connection is permitted.
C. The issuer common name field in the Rule1 certificate must match "FINANCE" exactly.
D. The organizational unit in the certificate must match "Finance" exactly.
E. Certificates must be issued from both "Finance" and "ACME" to pass security posture validation.
F. Connections will not be permitted without the addition of a Distinguished Name (DN) field variable.
Answer:B
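The rule semantics behind question 21, as an added example that is not part of the exam material or of CTA's own code: the conditions inside one RuleN line are ANDed, and the certificate is accepted if any one rule matches. This evaluator assumes that `*` means a substring match and `=` an exact, case-sensitive match (the operator semantics are an assumption of this example), and that the server certificate's subject and issuer fields are supplied as a dict keyed the way the rules name them (CN, OU, ISSUER-CN). The sample DNs are constructed for the demonstration.

```python
"""Added example: evaluate CTA ctad.ini [ServerCertDNVerification] rules.

Assumptions (not stated on the page): '*' is a substring match, '=' an exact
match, and certificate fields arrive as a dict keyed CN, OU, ISSUER-CN, ...
"""
import re

# Constructed copy of the excerpt shown in the question.
CTAD_INI = """\
[ServerCertDNVerification]
TotalRules=2
Rule1=CN*"server", ISSUER-CN*"Finance"
Rule2=CN="Finance posture Cert", OU*"Finance", ISSUER-CN*"ACME"
"""

# One condition: FIELD, operator ('*' or '='), quoted value.
COND_RE = re.compile(r'\s*([A-Za-z-]+)\s*([*=])\s*"([^"]*)"\s*')


def parse_rules(ini_text):
    """Return the RuleN entries of [ServerCertDNVerification] as lists of
    (field, op, value) conditions; TotalRules is checked against the count."""
    rules, total, in_section = [], None, False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            in_section = line == '[ServerCertDNVerification]'
            continue
        if not in_section or not line:
            continue
        key, _, rhs = line.partition('=')
        if key == 'TotalRules':
            total = int(rhs)
        elif key.startswith('Rule'):
            conds = []
            for part in rhs.split(','):
                m = COND_RE.fullmatch(part)
                if not m:
                    raise ValueError(f'unparseable condition: {part!r}')
                field, op, value = m.groups()
                conds.append((field.upper(), op, value))
            rules.append(conds)
    if total is not None and total != len(rules):
        raise ValueError(f'TotalRules={total} but {len(rules)} rules found')
    return rules


def condition_matches(cond, dn):
    field, op, value = cond
    actual = dn.get(field)
    if actual is None:
        return False
    if op == '=':
        return actual == value      # exact match
    return value in actual          # '*': substring match (assumption)


def rule_matches(rule, dn):
    """All conditions inside one rule must hold (AND)."""
    return all(condition_matches(c, dn) for c in rule)


def certificate_accepted(rules, dn):
    """The connection is permitted if ANY rule accepts the certificate (OR)."""
    return any(rule_matches(r, dn) for r in rules)


# Constructed server-certificate DNs used to exercise the rules.
SAMPLE_DNS = {
    # Rule1: CN contains "server", issuer CN contains "Finance".
    'finance_issued': {'CN': 'posture-server01', 'OU': 'IT',
                       'ISSUER-CN': 'Finance Root CA'},
    # Rule2: exact CN, OU contains "Finance", issuer CN contains "ACME".
    'acme_issued': {'CN': 'Finance posture Cert', 'OU': 'Finance Dept',
                    'ISSUER-CN': 'ACME CA'},
    # Neither rule: no "server" in CN, and the issuer is not ACME.
    'wrong_issuer': {'CN': 'Finance posture Cert', 'OU': 'Finance',
                     'ISSUER-CN': 'Finance Root CA'},
    # Rule2 fails on the exact-match CN (case differs); Rule1 fails too.
    'cn_case': {'CN': 'finance posture cert', 'OU': 'Finance',
                'ISSUER-CN': 'ACME CA'},
}


def evaluate_samples():
    rules = parse_rules(CTAD_INI)
    return {name: certificate_accepted(rules, dn) for name, dn in SAMPLE_DNS.items()}


if __name__ == '__main__':
    for name, ok in evaluate_samples().items():
        print(f'{name:15s} {"accepted" if ok else "rejected"}')
```

The `wrong_issuer` case is the one that separates answer B from answer E: a certificate issued by Finance passes on Rule1 only if its CN also contains "server"; it is never required to satisfy both rules, but it must satisfy every condition of at least one.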
22. Once you have installed the Cisco Trust Agent (CTA), you want to verify that the agent is operating properly
and communicating with the antivirus policy server. Which could you do to verify that status?
A. Issue the show eou all command on the intermediate NAD device.
B. From the endpoint device, ping the AV server. If this is successful, CTA is installed correctly.
C. If an "unhealthy user" pop-up window on the endpoint device is not displayed, the agent is working properly.
D. Check CTA activity logs for security posture validation messages.
Answer:A
23. You have an external database configured for use in your NAC deployment. When the ACS forwards the
credentials to the external database and does not receive a result in return, what action will the ACS take?
A. return a posture token of "unknown"
B. put the requesting device in the default group
C. automatically redirect the request to a remediation server
D. reject policy validation requests
Answer:D
24. A Cisco Secure ACS evaluates a posture validation request using a NAC database that has 10 local policies
and one external policy, but the external NAC servers associated with the external policy are not online. The 10
local policies all return security posture tokens (SPTs). The offline external policy is not returned because it is
offline at the time of the request. What action will the ACS take?
A. The ACS will return the redirect URL token until it can validate the security posture.
B. The ACS will reject the posture validation request.
C. The ACS will return the valid SPTs with a posture validation of "checkup."
D. The ACS will check the application posture tokens (APTs) to determine the security posture status before
returning a posture token.
Answer:B
25. Refer to the exhibit. Network Admission Control (NAC) has been configured on router NAC1; however, end
systems are not being properly validated for the correct security posture when accessing external networks. You
have determined that the proper intercept ACL has not been applied. What would the correct intercept ACL and
admission statement to apply be to correct this problem?
A. access-list 199 permit ip any 192.168.1.0 0.0.0.255
ip admission name bluemoon eapoudp list 199
B. access-list 10 permit udp any 192.168.150.0 0.0.0.255
ip admission name nac1 eapoudp list 10
C. access-list 101 permit ip any 192.50.0.0 0.0.0.255
ip admission name greentree eapoudp list 101
D. access-list nac1 permit udp any any
ip admission name nac1 eapoudp list 1
Answer:C
26. What is specified when the command ip radius source-interface is entered in the global configuration mode of
a Cisco switch acting as a NAD?
A. the interface for all outgoing RADIUS packets
B. that all interfaces are sources for RADIUS authentication requests
C. that Layer 2 packets received are converted and passed to the RADIUS server as Layer 3 IP packets
D. the interface where the sourced RADIUS packets should be received at the switch
Answer:A
27. What information will be displayed with the debug eou eap command when issued on a Cisco Catalyst switch
acting as a NAD?
A. EAPoUDP packets
B. EAPoUDP posture validation information
C. all EOU and EAP packets
D. EAP state machine EOU messages
Answer:A
28. Refer to the exhibit. The ACS server has the downloadable access list called "Checkup ACL" configured. If the
host shown is granted access to the network, which access list (ACL) will be sent to the NAD and where will it be
placed in the ACL? (Choose two.)
A. permit ip any 10.0.0.0 0.0.0.255
B. permit ip host 172.16.10.111 10.0.0.0 0.0.0.255
C. permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255
D. The access control entry will be placed before the existing static ACL entries.
E. The access control entry will be placed after the existing static ACL entries.
F. Extended IP ACL 102 will be replaced with the named ACL, "Checkup ACL."
Answer:BD
29. What is the default SSL port number you will need to know when confirming the installation of a Trend Micro
OfficeScan Server when both the OfficeScan and Policy Servers are installed on the same IIS virtual web site?
A. 1682
B. 1918
C. 4343
D. 8080
Answer:C
30. Refer to the exhibit. The network represents which type of Cisco Clean Access deployment?
A. real IP gateway in-band
B. virtual gateway in-band
C. real IP gateway out-of-band
D. virtual gateway out-of-band
Answer:D
31. When installing the Trend AV policy server for use with a Cisco NAC deployment, which two types of web
servers can you install? (Choose two.)
A. IIS
B. Mozilla
C. Sun ONE
D. Linux
E. Apache 2.0
Answer:AE
32. Which Cisco "all-in-one" security appliance automatically detects, isolates, and cleans infected and/or
vulnerable devices that attempt to access a network?
A. Cisco Security Monitoring, Analysis and Response System (CS MARS)
B. Cisco Clean Access (CCA)
C. Security Device Manager (SDM)
D. Cisco Security Agent (CSA)
Answer:B
33. What are the three components that make up the Cisco Clean Access solution? (Choose three.)
A. Cisco Trust Agent (CTA)
B. Clean Access Manager (CAM)
C. Cisco Security Agent (CSA)
D. Cisco Secure Access Control Server (ACS)
E. Clean Access Server (CAS)
F. Clean Access Agent (CAA)
Answer:BEF
34. Refer to the exhibit. The network represents which type of Cisco Clean Access deployment?
A. real IP gateway in-band
B. virtual gateway in-band
C. real IP Gateway out-of-band
D. virtual gateway out-of-band
Answer:A
35. A college network administrator wants to restrict access to specific, targeted subnets by role, such as student,
administration, faculty, and guest roles. How would this be accomplished using the Clean Access Manager
(CAM)?
A. Define extended access-list templates, and apply each template to a specific user role.
B. Define IP-based traffic control policy for each role that specifies the target subnets.
C. Define a host-based traffic control policy for each role that specifies the target subnets.
D. Define a bandwidth policy for each role that specifies the target subnets.
Answer:B
36. When trying to restrict a guest role to a specific library server using a specific protocol, such as HTTP, the
administrator would create which type of policy?
A. application-based exemption policy
B. IP-based traffic control policy
C. destination-based inclusion policy
D. role-based access policy
Answer:B
37. Cisco Clean Access (CCA) network scanning is performed by which of the following CCA components?
A. CAM
B. CAS
C. CAA
D. CTA
Answer:B
38. How does the Clean Access Manager (CAM) determine the presence of vulnerability?
A. The end-user CTA capability summary message does not match the defined role-based security policy
requirement on the CAM.
B. The CAM receives a CSA vulnerability alert from the Clean Access Server (CAS).
C. The CAS network scan report matches a defined role- or OS-based vulnerability on the CAM.
D. The CCA scan report matches a role-based vulnerability signature on the CAM.
Answer:C
39. Identify three ways an administrator can implement Cisco Clean Access (CCA) to protect a network. (Choose
three.)
A. CTA only
B. CSA only
C. CAA only
D. CAA and network scan
E. network scan only
F. end-user scan only
Answer:CDE
40. What is the resulting action of the command eou timeout hold-period 60?
A. The EOU process will attempt to validate credentials (Accept-Reject) or EAPoUDP for a maximum of 60
seconds before quarantining the requesting client.
B. The hold timer will wait 60 seconds following a failed credential validation or an EAPoUDP association failure
before a new association can be retried.
C. The EOU process will hold the client in an unknown state for 60 seconds maximum while the credential
validation process is in progress.
D. Credentials will be considered valid for 60 minutes before a revalidation occurs.
Answer:B
41. Which two actions result when the access list shown below is applied to an interface of a Cisco router
performing NAC? (Choose two.)
access-list 102 permit udp any any eq 21862
access-list 102 deny ip any any
A. EAPoUDP traffic is allowed.
B. All traffic other than UDP traffic destined to the DNS server is blocked.
C. Clientless host traffic is validated.
D. The rest of the traffic is blocked until it is validated.
E. NAD traffic is forwarded to the antivirus policy server prior to posture assessment.
Answer:AD
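Questions 28 and 41 both turn on how a NAD applies an interface ACL during NAC: before posture validation only EAPoUDP (UDP 21862) gets through and everything else hits the deny, and once ACS returns a downloadable ACL its entries are inserted ahead of the static ones. The following evaluator is an added example, not IOS code and not part of the exam material; it parses the ACL text the page uses, applies IOS wildcard-mask semantics with first-match-wins and an implicit deny, and runs constructed packets through the ACL before and after the "Checkup ACL" entry from question 28 is prepended. It understands only `any`, `host A.B.C.D` and `A.B.C.D WILDCARD` addresses and a trailing `eq <port>` on the destination; those limits are assumptions of the example.

```python
"""Added example: apply IOS-style extended ACL entries the way a NAC NAD does.

Assumptions (illustration code, not IOS): entries are in the text form used on
the page; only 'any', 'host A.B.C.D' and 'A.B.C.D WILDCARD' addresses are
understood; the only port qualifier handled is a trailing 'eq <port>' on the
destination; first matching entry wins, with an implicit deny at the end.
"""
import ipaddress

EAPOUDP_PORT = 21862   # UDP port used by EAPoUDP (from the question's ACL)


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_ace(line):
    """Parse one access control entry into a dict."""
    toks = line.split()
    if toks[0] == 'access-list':      # drop leading 'access-list <number>'
        toks = toks[2:]
    action, proto = toks[0], toks[1]
    pos = 2

    def address():
        nonlocal pos
        if toks[pos] == 'any':
            pos += 1
            return 0, 0xFFFFFFFF                   # all-ones wildcard: match everything
        if toks[pos] == 'host':
            pos += 2
            return _ip(toks[pos - 1]), 0           # zero wildcard: exact host
        net, wc = _ip(toks[pos]), _ip(toks[pos + 1])
        pos += 2
        return net, wc

    src, src_wc = address()
    dst, dst_wc = address()
    dport = None
    if pos < len(toks) and toks[pos] == 'eq':
        dport = int(toks[pos + 1])
    return {'action': action, 'proto': proto, 'src': src, 'src_wc': src_wc,
            'dst': dst, 'dst_wc': dst_wc, 'dport': dport}


def _in_range(addr, net, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return addr & care == net & care


def ace_matches(ace, pkt):
    if ace['proto'] != 'ip' and ace['proto'] != pkt['proto']:
        return False
    if not _in_range(_ip(pkt['src']), ace['src'], ace['src_wc']):
        return False
    if not _in_range(_ip(pkt['dst']), ace['dst'], ace['dst_wc']):
        return False
    if ace['dport'] is not None and pkt.get('dport') != ace['dport']:
        return False
    return True


def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt: first match wins, implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace['action']
    return 'deny'


def effective_acl(static_acl, downloadable):
    """Question 28: entries downloaded from ACS go before the static ones."""
    return list(downloadable) + list(static_acl)


# The interface ACL from question 41.
STATIC_ACL_102 = [parse_ace(l) for l in (
    'access-list 102 permit udp any any eq 21862',
    'access-list 102 deny ip any any',
)]

# The "Checkup ACL" entry selected in question 28 for host 172.16.10.111.
DOWNLOADABLE_CHECKUP = [parse_ace('permit ip host 172.16.10.111 10.0.0.0 0.0.0.255')]

# Constructed packets: protocol, source, destination, destination port.
PACKETS = {
    'eapoudp':           {'proto': 'udp', 'src': '172.16.10.111', 'dst': '10.0.0.5', 'dport': EAPOUDP_PORT},
    'host_web':          {'proto': 'tcp', 'src': '172.16.10.111', 'dst': '10.0.0.5', 'dport': 80},
    'other_host_web':    {'proto': 'tcp', 'src': '172.16.10.222', 'dst': '10.0.0.5', 'dport': 80},
    'host_other_subnet': {'proto': 'tcp', 'src': '172.16.10.111', 'dst': '10.0.1.5', 'dport': 80},
}


def before_and_after():
    """Verdict per packet with the static ACL only (before posture validation)
    and once the downloadable entry has been pushed to the NAD."""
    after = effective_acl(STATIC_ACL_102, DOWNLOADABLE_CHECKUP)
    return {name: (evaluate(STATIC_ACL_102, p), evaluate(after, p))
            for name, p in PACKETS.items()}


if __name__ == '__main__':
    for name, (pre, post) in before_and_after().items():
        print(f'{name:18s} before={pre:6s} after={post}')
```

Only the validated host gains access, and only to the 10.0.0.0/24 range the wildcard 0.0.0.255 describes; a second host on the same segment and the same host talking to 10.0.1.0/24 still fall through to the static deny, which is why the per-host entry (answer B in question 28) is the one ACS sends and why it must precede the static entries (answer D) to take effect at all.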
42. Which two functions can a Cisco Clean Access Agent (CCA) be configured to perform? (Choose two.)
A. initiate periodic AV vendor virus scans
B. check for up-to-date AV files
C. detect presence of worms and viruses before permitting an end user network access
D. perform registry, service, and application checks
E. quarantine an end user until system is remediated
Answer:BD
43. Which of the following statements is correct regarding Cisco Clean Access (CCA) network scanning?
A. A default set of the available network scan plug-ins is loaded in the CAM at the factory.
B. The Cisco recommended list of plug-ins is selected by default.
C. Network scanning is performed on Windows-based operating systems only.
D. Network scanning is configurable by User Role.
Answer:D
44. Which command would you issue to view the current list of network admission entries on a Cisco switch
acting as a NAD?
A. show ip nac hosts
B. show ip nac eou
C. show ip admission all
D. show ip admission cache
Answer:D
45. Refer to the exhibit. When new students attempt to access the college network, the Clean Access Agent (CCA)
informs the students that their PCs violate the college security policy because they are missing some required files
and software applications on their PCs. To grant students FTP access to the files and applications on an internal
remediation server, the administrator must take which of the following courses of action?
A. Add to the Unauthenticated Role an allow policy for FTP access to the internal remediation server.
B. Add to the Temporary Role an allow policy for FTP access to the internal remediation server.
C. Add to the Quarantine Role an allow policy for FTP access to the internal remediation server.
D. Add to the Student Role an allow policy for FTP access to the internal remediation server.
Answer:B
46. When migrating from an existing standalone CAM to a High Availability CAM solution, what IP address
should the administrator configure for the CAM1 service IP address?
A. 10.10.10.3
B. 10.10.10.4
C. 10.10.10.5 (an unused IP address)
D. 10.10.10.252 (assigned by the system)
Answer:A
47. Which CCA out-of-band solution statement is correct?
A. All client traffic flows through the CAS while access switch VLAN management is performed out of band.
B. Access switch to CAM configuration and status change messages are communicated via a proprietary protocol.
C. The switchport access and authentication VLAN information is sent to the access switch from the CAM.
D. As a laptop device accesses the CCA network, the access switch sends the device's MAC address to the CAS.
Answer:C
48. Refer to the exhibit. From a dropdown menu, profiles are applied to each managed port. Before a profile can
be applied, where are the client access and authentication VLAN profile parameters configured?
A. controlled VLAN profile
B. access control profile
C. port profile
D. User Role profile
Answer:C
49. Which High Availability option is supported by Cisco Clean Access (CCA) solution?
A. CAA load balancing
B. CAM and CAS redundancy
C. CAA backup server
D. CAS backup network scanning
Answer:B
50. Refer to the exhibit. A network administrator is adding a CAS to a network. In the Trusted and Untrusted IP
Address fields, which IP addresses should they specify? (Choose two.)
A. Trusted IP Address - 10.0.10.3
B. Trusted IP Address - 10.0.10.15
C. Trusted IP Address - 192.168.10.1
D. Untrusted IP Address - 10.0.10.3
E. Untrusted IP Address - 10.0.10.15
F. Untrusted IP Address - 192.168.10.1
Answer:BF