Cisco Expert

300-710

SNCF (Securing Networks with Cisco Firepower)

The Securing Networks with Cisco Firepower (300-710 SNCF) is a concentration exam for the CCNP Security certification, focusing on Cisco Firepower Next-Generation Firewall (NGFW) and Next-Generation Intrusion Prevention System (NGIPS). This expert-level exam validates skills in deploying, configuring, managing, and troubleshooting Cisco Firepower Threat Defense (FTD) and Firepower Management Center (FMC).

The exam covers Firepower deployment models including routed, transparent, and inline modes, configuration of Firepower policies including access control, NAT, VPN, and SSL, management using Firepower Management Center and Firepower Device Manager, traffic control including application visibility and control (AVC), URL filtering, and file policies, and threat detection and analysis using intrusion policies, network analysis policies, file analysis, and malware protection with Advanced Malware Protection (AMP).

This certification is designed for security engineers, firewall administrators, network security specialists, and security operations personnel responsible for deploying and managing Cisco Firepower solutions. It provides deep technical expertise in one of Cisco's core security platforms.

Updated Feb 2024 Cybersecurity

Questões

Simulados

83%

Nota de Aprovação

Visualizações

Total de Tentativas

Nota Média

Taxa de Aprovação

Discussões

Simulados Flash Cards Tópicos do Exame Folha de Resumo

€5.00

300-710 Practice Exam 1

Comprehensive 50-question practice exam for Cisco SNCF 300-710 covering Firepower deployment, configuration, management, traffic control, and threat detection.

50 Q 90 minutos 83%

Test Drive

€5.00

300-710 Practice Exam 2

Comprehensive 50-question practice exam for Cisco SNCF 300-710 covering Firepower deployment, configuration, management, traffic control, and threat detection.

50 Q 90 minutos 83%

Test Drive

€5.00

300-710 Practice Exam 3

Comprehensive 50-question practice exam for SNCF covering deployment modes, routing and configuration, management and troubleshooting, traffic control and policy, and threat detection and analysis.

50 Q 90 minutos 83%

Test Drive

€5.00

300-710 Practice Exam 4

SNCF practice exam covering FTD hardware deployment, VPN configuration, FMC management, malware policies, and Talos threat intelligence across 50 advanced questions.

50 Q 90 minutos 83%

Test Drive

€5.00

300-710 Practice Exam 5

Comprehensive 50-question practice exam covering FTD virtual appliance sizing, HA failover, syslog/eStreamer integration, DNS policies, SI feeds, Snort 3 architecture, and encrypted visibility engine.

50 Q 90 minutos 83%

Test Drive

€5.00

300-710 Practice Exam 6

Comprehensive 50-question practice exam covering all SNCF domains including deployment, configuration, management and troubleshooting, traffic control and policy, and threat detection and analysis.

50 Q 90 minutos 83%

Test Drive

Desbloquear Todo o Conteúdo para 300-710

6 Simulado(s) + Flash Cards — acesso por 3 meses

€39.99 €26.99 Economize 30%

ou incluído com assinatura Mensal / Pacote de Conteúdo

300-710 Cheat Sheet

Guia de referência rápida - 6 seções

Acesso Gratuito

300-710 SNCF Exam Details

Detail	Value
Exam Code	300-710 SNCF
Full Name	Securing Networks with Cisco Firepower
Duration	90 minutes
Number of Questions	55-65 questions
Passing Score	~825 / 1000 (approximate)
Question Format	Multiple choice, multiple response, drag-and-drop
Exam Fee	$330 USD
Certification	CCNP Security (concentration exam)

Domain Weight Breakdown

Domain	Weight
1.0 Deployment	15%
2.0 Configuration	30%
3.0 Management and Troubleshooting	30%
4.0 Integration	25%

Certification Path & Prerequisites

The 300-710 SNCF is a concentration exam for the CCNP Security certification. To earn CCNP Security, you must pass the core exam (350-701 SCOR) plus one concentration exam such as the 300-710. This exam focuses specifically on Cisco Firepower Threat Defense (FTD) and Firepower Management Center (FMC), covering deployment, configuration, management, and integration of next-generation firewall and IPS technologies.

Candidates should have a solid understanding of TCP/IP networking, firewall concepts, IPS/IDS principles, and at least 3-5 years of hands-on experience with Cisco security products. Knowledge of the legacy Cisco ASA platform is helpful for understanding migration scenarios, but the exam focuses primarily on the FTD platform managed through FMC.

Tip: The exam heavily tests FMC-based management workflows. Focus on understanding the policy hierarchy, rule evaluation order, and how different policy types interact within the Firepower system.

Firepower Threat Defense (FTD) Deployment Modes

Mode	Description	Use Case
Routed Mode	FTD acts as a Layer 3 hop (router/firewall). Each interface is on a different subnet. Supports NAT, dynamic routing, VPN.	Most common deployment; perimeter firewall, inter-VLAN routing
Transparent Mode	FTD acts as a Layer 2 bridge (bump-in-the-wire). Interfaces share the same subnet. Uses BVI (Bridge Virtual Interface) for management IP.	Inserting firewall without re-addressing; stealth inspection
Inline (IPS)	Inline interface pair passes traffic through the sensor. Traffic is inspected and can be blocked in real time. No IP addresses on inline interfaces.	Dedicated IPS deployment; inline threat detection
Inline Tap	Copies traffic for inspection but does not block. FTD receives a copy of inline traffic. Generates events but cannot enforce drops.	Monitoring and evaluation without impacting traffic flow
Passive (SPAN)	Receives mirrored traffic from a SPAN port or network TAP. Purely monitoring; cannot drop or modify traffic.	IDS-only mode; traffic analysis and alerting

Tip: Routed mode is the default and most feature-rich. Transparent mode cannot perform NAT or dynamic routing. Inline and passive modes are used when FTD acts purely as an IPS/IDS without firewall functions.

Firepower Management Center (FMC)

FMC is the centralized management platform for FTD devices. It provides a web-based GUI for policy configuration, event monitoring, reporting, and system administration. FMC communicates with managed FTD devices over a secure sftunnel connection (TCP port 8305).

FMC Capability	Description
Device Registration	Add FTD devices using IP/hostname and a shared registration key. NAT ID used when FMC or device is behind NAT.
Policy Deployment	Policies configured in FMC are pushed to FTD devices. Changes require explicit deployment (not automatic).
Event Logging	Connection events, intrusion events, malware events, and file events are stored on FMC for analysis.
Dashboard & Reporting	Real-time dashboards, custom reports, context explorer for network visibility.
Multi-Domain Management	Supports multiple administrative domains with role-based access control for MSSP or large enterprise deployments.

FTD Device Registration Process

Configure management interface IP on FTD (DHCP or static via CLI: configure network ipv4 manual <ip> <mask> <gw>)
Set the FMC manager on FTD: configure manager add <FMC_IP> <reg_key>
If behind NAT, use NAT ID: configure manager add DONTRESOLVE <reg_key> <nat_id>
In FMC, navigate to Devices > Device Management > Add Device
Enter device IP/hostname, registration key (must match), and assign an access control policy
FMC and FTD establish a secure sftunnel connection over TCP 8305
Initial deployment pushes policies and configurations to the device

Interface Configuration

Interface Type	Description
Routed Interface	Assigned an IP address; acts as a Layer 3 gateway. Named and assigned a security zone.
BVI (Bridge Virtual Interface)	Management IP for transparent mode. Bridge group members share the same subnet.
Inline Pair	Two interfaces grouped for inline IPS. Traffic enters one and exits the other.
Passive Interface	Receives mirrored/SPAN traffic for monitoring only.
EtherChannel	Link aggregation of multiple physical interfaces for bandwidth and redundancy.
Sub-interface	VLAN-tagged logical interfaces on a physical trunk port (802.1Q).

Security Zones: Logical groupings of interfaces used in access control policies. Every interface must be assigned to a security zone to be referenced in policy rules. Common zones: Inside, Outside, DMZ.

Routing & NAT on FTD

Routing: FTD supports static routes, OSPF, BGP, EIGRP (via FlexConfig), and RIP. Routes are configured under Devices > Device Management > Routing. In routed mode, FTD participates in routing decisions like any Layer 3 device.

NAT Type	Description	Use Case
Auto NAT (Object NAT)	Defined within a network object. One-to-one mapping per object. Simpler to configure.	Static NAT for servers, dynamic PAT for outbound
Manual NAT (Twice NAT)	Defined as a separate rule referencing source and destination objects. More flexible; can match on both source and destination.	Policy NAT, complex translation scenarios

NAT Rule Processing Order: Section 1 (Manual NAT - before Auto NAT) > Section 2 (Auto NAT) > Section 3 (Manual NAT - after Auto NAT). Within each section, rules are evaluated top-down.

Tip: NAT is configured in FMC under Devices > NAT. Remember that FTD processes NAT rules before access control rules when determining the translated address, but the access control policy evaluates the original (pre-NAT) source IP and post-NAT destination IP.

Platform Settings

Platform settings policies configure device-level settings that are not part of access control. These include:

SSH Access: Define which hosts/networks can SSH to the FTD management interface
HTTPS Access: Configure HTTPS access for Firepower Device Manager (FDM) if applicable
NTP: Time synchronization for accurate event timestamps and certificate validation
DNS: Name resolution for security intelligence feeds, URL filtering, and updates
Syslog: External logging configuration for sending events to a SIEM or syslog server
SNMP: Enable SNMP for device monitoring via network management systems
Banner: Login banner text displayed to administrators connecting to the device

Access Control Policy (ACP)

The ACP is the primary policy on FTD that determines how traffic is handled. It processes rules top-down with a first-match action. Rules can match on zones, networks, ports, applications, URLs, users, and more.

Rule Action	Behavior	Inspection
Allow	Permits traffic to pass	Can apply intrusion policy, file policy, and logging
Trust	Permits traffic with no further inspection	Bypasses deep inspection (Snort) entirely; only prefilter applies
Monitor	Logs the traffic match but does not enforce	Continues to evaluate subsequent rules for enforcement
Block	Drops the traffic silently	No further inspection; traffic is dropped immediately
Block with Reset	Drops the traffic and sends a TCP RST	Notifies the client that the connection was refused
Interactive Block	Displays a warning page to the user (HTTP/HTTPS)	User can click through to continue; used for URL warnings

Tip: Trust rules bypass Snort inspection entirely, which improves performance but sacrifices deep inspection. Use Trust only for traffic you are confident does not need IPS, malware, or file inspection (e.g., backup replication between trusted data centers).

Access Control Policy Processing Order

Traffic through FTD is evaluated in a specific order:

1. Prefilter Policy - Early handling of tunneled traffic (GRE, IP-in-IP), fastpath rules for trusted traffic, and encapsulated traffic actions
2. Security Intelligence - Blacklist/whitelist based on IP, URL, or DNS reputation feeds before rule evaluation
3. SSL/TLS Policy - Decrypt, block, or do not decrypt encrypted traffic before inspection
4. Identity Policy - User-to-IP mapping via Active Directory or captive portal for user-based rules
5. Access Control Rules - Top-down rule evaluation with match criteria and actions
6. Default Action - Applied when no rule matches (Block All, Trust All, Network Discovery, or Intrusion Prevention)

Prefilter Policy

Prefilter is the first policy to evaluate traffic. It handles traffic before the Snort engine processes it, making it useful for early filtering and performance optimization.

Prefilter Action	Description
Fastpath	Bypasses all further inspection (Snort, ACP, file, malware). Traffic is forwarded at the hardware level for maximum throughput.
Analyze	Allows the traffic to continue to access control rules for normal processing.
Block	Drops the traffic immediately without further evaluation.

Prefilter can match on tunneled traffic (GRE, IP-in-IP, PPTP, etc.) and apply actions to the outer or inner headers. It is also used to rezone traffic based on tunnel characteristics.

SSL/TLS Inspection Policy

SSL/TLS policies allow FTD to inspect encrypted traffic by decrypting it, analyzing the contents, and re-encrypting before forwarding. Without SSL inspection, Snort cannot see the payload of encrypted traffic.

SSL Action	Description
Decrypt - Resign	FTD acts as a man-in-the-middle. Decrypts traffic using a CA certificate, inspects it, then re-encrypts with a new certificate signed by the internal CA. Used for outbound traffic.
Decrypt - Known Key	FTD uses the server's private key to decrypt inbound traffic. Used for inspecting traffic destined to internal servers you own.
Do Not Decrypt	Traffic passes encrypted without inspection. Used for sensitive traffic (banking, healthcare) or certificate-pinned applications.
Block	Drops the encrypted connection entirely.
Block with Reset	Drops the connection and sends a TCP RST to the client.

Tip: Decrypt - Resign requires a CA certificate trusted by client machines. Deploy the internal CA certificate to all endpoints via Group Policy or MDM. Without this, users will see certificate warnings.

Identity Policy

Identity policies map IP addresses to user identities, enabling user-based and group-based access control rules. FMC integrates with identity sources to obtain this mapping.

Identity Source	Description
Cisco ISE / ISE-PIC	Passive identity via pxGrid integration. Receives user-to-IP mappings from ISE authentication sessions.
User Agent (Deprecated)	Legacy Windows agent that monitors AD login events. Replaced by ISE-PIC.
Captive Portal	Active authentication via browser-based login page. Users authenticate directly through FTD.
Remote Access VPN	User identity obtained during VPN authentication (RADIUS attributes).

Security Intelligence

Security Intelligence provides reputation-based filtering before access control rules are evaluated. It uses Cisco Talos threat intelligence feeds to block known malicious IPs, URLs, and DNS domains at the earliest stage.

IP-based SI: Blocks connections to/from known malicious IP addresses (e.g., CnC servers, attackers, bogon networks)
URL-based SI: Blocks HTTP/HTTPS requests to malicious URLs before URL filtering rules are applied
DNS-based SI: Blocks DNS queries for known malicious domains using Cisco Umbrella or custom lists (applied via DNS policy)
Custom Lists: Administrators can create custom blacklists and whitelists to override Talos feeds
Global Whitelist/Blacklist: Override all other SI decisions; whitelist entries are never blocked

Tip: Security Intelligence is extremely efficient because it blocks traffic before deep packet inspection. Always enable SI feeds from Talos for the best first-line defense against known threats.

File & Malware Policy

File policies inspect files traversing the network to detect and block malware. They can be applied to access control rules with an Allow action.

File Rule Action	Description
Detect Files	Logs file type and generates events but does not block. Used for visibility.
Block Files	Blocks specific file types regardless of malware disposition (e.g., block all .exe downloads).
Malware Cloud Lookup	Computes SHA-256 hash and queries Cisco AMP cloud for disposition. Logs result but does not block.
Block Malware	Queries AMP cloud and blocks files with a malicious disposition. This is the recommended action.

Malware Disposition	Meaning
Clean	File is known to be safe
Malware	File is known to be malicious
Unknown	File hash not found in the cloud; may require dynamic analysis (Threat Grid sandbox)
Custom Detection	Matches a custom SHA-256 list defined by the administrator
Unavailable	Cloud lookup failed (connectivity issue); file is allowed by default

DNS Policy

DNS policies inspect DNS traffic to block queries to malicious domains. DNS rules apply Security Intelligence DNS-based feeds and custom domain lists. DNS policy actions include:

Whitelist: Always allow DNS resolution for the matched domain
Block (Drop): Silently drop the DNS query with no response to the client
Block (Domain Not Found): Respond with NXDOMAIN to the client
Block (Sinkhole): Respond with a sinkhole IP address; used to identify infected internal hosts attempting to reach CnC domains
Monitor: Log the DNS query but take no enforcement action

Tip: DNS sinkhole is a powerful technique for identifying compromised hosts. When a client resolves a malicious domain to the sinkhole IP, any subsequent connection attempt to that IP reveals the infected host in connection events.

Snort IPS Engine

Snort is the core inspection engine in Cisco Firepower. It performs deep packet inspection (DPI) for intrusion detection and prevention, application identification, and file/malware inspection. FTD runs Snort inline with traffic, analyzing packets against rulesets in real time.

Snort Component	Function
Packet Decoder	Decodes protocols at each layer (Ethernet, IP, TCP/UDP) for analysis
Preprocessors / Inspectors	Normalize traffic, reassemble fragments, handle protocol anomalies (HTTP, FTP, SMB, DNS, etc.)
Detection Engine	Matches packets against Snort rules (SIDs). Uses pattern matching and stateful analysis.
Output Modules	Generates intrusion events, logs, and alerts sent to FMC for analysis

Network Analysis Policy (NAP)

The NAP controls how Snort preprocessors handle and normalize traffic before intrusion rules are applied. It defines settings for protocol decoding, stream reassembly, and anomaly detection.

TCP Stream Reassembly: Reassembles TCP segments to detect attacks that span multiple packets
IP Defragmentation: Reassembles fragmented IP packets to prevent evasion via fragmentation
HTTP Normalization: Decodes URL encoding, handles chunked transfers, normalizes headers to detect obfuscated attacks
Protocol Anomaly Detection: Identifies non-RFC-compliant traffic that may indicate an attack or evasion attempt
Inline Normalization: Actively modifies packets to remove ambiguities before inspection (available in inline mode only)

Tip: The NAP and Intrusion Policy are paired. When you assign an intrusion policy to an access control rule, the associated NAP processes the traffic first. Mismatched NAP and intrusion policy settings can lead to false positives or missed detections.

Intrusion Policy

Intrusion policies define which Snort rules (SIDs) are enabled and their actions. Cisco provides several base policies that can be customized.

Base Policy	Description
Connectivity Over Security	Fewest enabled rules; minimizes false positives; prioritizes traffic flow
Balanced Security and Connectivity	Recommended default; moderate rule coverage with manageable performance impact
Security Over Connectivity	Most aggressive; enables maximum rules including older vulnerabilities; higher performance cost
Maximum Detection	All rules enabled; for lab/testing only; significant performance impact in production
No Rules Active	Blank slate; administrator must manually enable desired rules

Rule State	Action
Generate Events	Rule triggers an alert/event but does not drop traffic (IDS behavior)
Drop and Generate Events	Rule triggers an alert AND drops the offending traffic inline (IPS behavior)
Disabled	Rule is not evaluated; no performance impact and no detection for this signature

Variable Sets

Variable sets define network and port variables used in Snort rules. Proper configuration ensures rules fire correctly by identifying HOME_NET (your internal networks) and EXTERNAL_NET (everything else).

Variable	Default Value	Purpose
$HOME_NET	any	Your protected network ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
$EXTERNAL_NET	any	External/untrusted networks (typically set to !$HOME_NET)
$HTTP_SERVERS	$HOME_NET	Web servers to protect with HTTP-specific rules
$DNS_SERVERS	$HOME_NET	DNS servers to monitor for DNS-based attacks
$SMTP_SERVERS	$HOME_NET	Mail servers to protect with email-specific rules

Tip: Always customize $HOME_NET to reflect your actual internal subnets. Leaving it as "any" causes rules to fire in both directions, increasing false positives and reducing detection accuracy.

Custom Snort Rules

Administrators can write custom Snort rules (local rules) to detect specific threats not covered by Cisco Talos rulesets. Custom rules use standard Snort rule syntax:

# Snort Rule Structure:

action protocol src_ip src_port -> dst_ip dst_port (options;)

# Example: Detect a specific string in HTTP traffic

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Custom - Suspicious User Agent"; content:"BadBot/1.0"; http_header; sid:1000001; rev:1;)

action: alert, drop, pass, reject
content: Pattern to match in packet payload (case-sensitive by default)
sid: Unique Snort ID; custom rules should use SIDs above 1000000
flow: Specifies direction (e.g., to_server, established) for stateful matching
pcre: Perl-compatible regular expression for advanced pattern matching

Event Analysis & Correlation

FMC provides comprehensive event analysis tools for investigating intrusion, connection, malware, and file events.

Event Type	Description
Intrusion Events	Triggered by Snort rules matching traffic. Shows SID, classification, priority, source/destination, impact flag.
Connection Events	Log every connection processed by the ACP. Shows action taken, application detected, bytes transferred, user.
File Events	Logged when file policy detects a file transfer. Shows file type, name, size, SHA-256, and disposition.
Malware Events	Triggered when AMP cloud returns a malware or retrospective disposition for a file.

Correlation Policies: Allow administrators to define rules that trigger responses when specific conditions are met across events. For example, trigger an alert when a host generates more than 10 intrusion events in 60 seconds. Responses can include syslog alerts, email notifications, SNMP traps, or remediation actions via ISE (quarantine, VLAN change).

High Availability (HA)

FTD supports Active/Standby failover for stateful high availability. Two FTD units form an HA pair where the active unit handles all traffic and the standby unit monitors health and takes over if the active fails.

HA Concept	Description
Failover Link	Dedicated link between HA peers for hello messages, configuration sync, and failover state. Can be a physical or logical interface.
Stateful Failover Link	Passes active connection state (TCP/UDP sessions, NAT translations, VPN tunnels) to the standby unit for seamless failover.
Monitored Interfaces	Health of data interfaces is monitored. If a threshold of monitored interfaces fails on the active, standby takes over.
Preemption	Optional. If enabled, the original primary unit automatically becomes active again after recovering from a failure.

Tip: Both HA units must be the same model, run the same software version, and have identical interface configurations. FMC manages the HA pair as a single logical device after registration.

Clustering

FTD clustering groups multiple FTD units (up to 16 for Firepower 9300/4100) into a single logical device for scalability and redundancy. Unlike HA, clustering provides Active/Active load sharing across all units.

Control Unit: One unit elected as the control node; manages cluster configuration and centralized functions
Data Units: Remaining units handle traffic. All units forward traffic simultaneously.
Cluster Control Link (CCL): Dedicated high-bandwidth link for inter-unit communication, state sync, and health monitoring
Spanned EtherChannel: Recommended for load distribution; traffic is load-balanced across all cluster members
Supported Platforms: Firepower 4100 and 9300 series (hardware clustering); FTDv does not support clustering

Software Updates & Rule Updates

Update Type	Description	Frequency
Snort Rule Updates (SRU)	New and modified Snort rules from Cisco Talos. Applied through FMC and deployed to managed devices.	Daily or as needed
VDB (Vulnerability Database)	Updates application detectors and vulnerability mappings for host profiling and impact assessment.	Periodically (weeks)
Geolocation Database (GeoDB)	Updates IP-to-country/region mappings for geolocation-based rules and dashboards.	Monthly
Software Patches / Upgrades	FMC and FTD software upgrades. FMC must be upgraded before managed devices.	As released
URL Filtering Updates	Cloud-based URL category and reputation data from Cisco Talos for URL filtering policies.	Continuous (cloud-based)

Update Order: Always upgrade FMC first, then FTD devices. Verify compatibility using the Cisco compatibility matrix. Schedule rule updates during maintenance windows if auto-deploy is enabled.

Backup & Restore

FMC Backup: Backs up FMC configuration, policies, events, and network maps. Performed via System > Tools > Backup/Restore.
FTD Backup: Backs up device-specific configuration. Initiated from FMC under Device Management or from FTD CLI.
Backup Types: Full backup includes all configuration and event data. Configuration-only backup excludes events for smaller file size.
Remote Storage: Backups can be stored locally on FMC or copied to a remote server via SCP/SFTP.
Restore: Restoring FMC re-establishes communication with managed devices. Restore requires the same software version as the backup.

Health Monitoring

FMC includes a health monitoring framework that tracks the status of all managed devices and the FMC itself. Health policies define which modules are monitored and their alerting thresholds.

Health Module	Monitors
CPU Usage	Snort process, system CPU, per-core utilization
Memory Usage	System RAM, Snort memory, swap usage
Disk Usage	Storage utilization for logs, events, and malware storage
Interface Status	Link state, throughput, errors, and packet drops per interface
Snort Process	Snort engine health, restarts, and processing failures
Cluster/HA Status	Failover state, peer connectivity, synchronization status

Cisco SecureX Integration

Cisco SecureX is a cloud-native security platform that connects the Cisco Security portfolio for unified visibility, automation, and threat response. FMC integrates with SecureX to share threat intelligence and enable cross-product investigation.

Threat Response: Investigate observables (IPs, domains, hashes) across all connected Cisco products from a single console
Ribbon: Browser-based widget that enables pivoting from FMC events directly into SecureX investigations
Orchestration: Automate response workflows (e.g., when FMC detects malware, automatically quarantine host via ISE)
Cisco Threat Intelligence Director (TID): Ingest STIX/TAXII threat intelligence feeds into FMC for use in Security Intelligence and access control

External Logging & API

Integration	Description
Syslog	Send connection, intrusion, and health events to external SIEM or syslog collectors. Configured per access control rule or globally in platform settings.
SNMP	SNMPv2c/v3 for device monitoring. FMC and FTD can send SNMP traps and respond to polling from NMS platforms.
eStreamer	Cisco's Event Streamer protocol for streaming Firepower events to third-party SIEM/analytics platforms in real time.
FMC REST API	RESTful API (HTTPS) for programmatic access to FMC. Supports CRUD operations on policies, objects, devices, and deployments.
pxGrid	Integration with Cisco ISE via pxGrid for sharing user/device context, adaptive network control, and rapid threat containment.

Tip: The FMC REST API uses token-based authentication. Generate tokens via POST to /api/fmc_platform/v1/auth/generatetoken. Tokens expire after 30 minutes (default) and can be refreshed up to 3 times before re-authentication is required.

FTD vs ASA: Feature Comparison

Cisco Firepower Threat Defense (FTD) is the next-generation firewall platform that combines the former ASA firewall engine with the Snort IPS engine into a unified image. Understanding the differences is critical for migration and deployment decisions.

Feature	Cisco FTD	Cisco ASA (Classic)
IPS/IDS Engine	Built-in Snort (native NGIPS)	Requires separate FirePOWER module (ASA with FirePOWER Services)
Management	FMC (centralized) or FDM (local, single device)	ASDM (local GUI), CLI, or CSM
Application Visibility	Native application detection (OpenAppID + Snort)	Limited; requires FirePOWER module for full visibility
URL Filtering	Integrated URL filtering with Talos categories/reputation	Basic (requires Cisco Cloud Web Security or module)
Malware Protection	Integrated AMP (file inspection, cloud lookup, Threat Grid)	Not available natively; requires FirePOWER module
SSL Decryption	Inline SSL/TLS inspection with policy-based actions	Limited SSL inspection via FirePOWER module
Security Intelligence	IP, URL, and DNS-based SI with Talos feeds	IP-based only (via Botnet Traffic Filter)
VPN	Site-to-site and Remote Access (AnyConnect). RA VPN configuration improved in recent versions.	Mature VPN support with extensive features
Multi-Context Mode	Not supported (use FMC multi-domain instead)	Supported (virtual firewalls within single chassis)
CLI Access	Limited diagnostic CLI; most config via FMC/FDM	Full CLI configuration with extensive command set

Tip: FTD is Cisco's strategic direction for firewalling. ASA is in maintenance mode. New deployments should use FTD. Existing ASA deployments can migrate using the Cisco Firepower Migration Tool.

Snort 2 vs Snort 3

Snort 3 is the next-generation inspection engine available in FTD 7.0+ and represents a major architectural improvement over Snort 2.

Feature	Snort 2	Snort 3
Architecture	Single-threaded per instance; multiple instances for parallel processing	Multi-threaded; more efficient resource utilization
Rule Syntax	Classic Snort rule format	Enhanced syntax with sticky buffers, improved Lua scripting
Configuration	Preprocessor-based (snort.conf)	Inspector-based with Lua configuration files
HTTP Inspection	HTTP preprocessor	HTTP/2 support, improved HTTP inspector
Performance	Good; limited by single-threaded model	Better throughput; improved memory management
Elephant Flows	Can cause latency issues with large flows	Improved handling of elephant flows with flow offload
Rule Groups	Individual rule enable/disable	Lightweight rule overrides with rule group recommendations

Tip: FTD 7.0+ defaults to Snort 3 for new deployments. You can switch between Snort 2 and Snort 3 per device, but this causes a brief traffic interruption. Snort 3 is required for newer features like TLS 1.3 decryption and HTTP/2 inspection.

Inline vs Passive Deployment

Aspect	Inline (IPS)	Passive (IDS)
Traffic Path	Traffic flows through the sensor (inline pair)	Sensor receives a copy via SPAN/TAP
Blocking Capability	Can drop malicious traffic in real time	Cannot block; detection and alerting only
Latency Impact	Adds minor latency to traffic path	No impact on production traffic
Failure Mode	Bypass (fail-open) or fail-closed depending on configuration	No impact on traffic if sensor fails
Rule Actions	Drop and Generate Events is enforced	Drop rules generate events but cannot enforce drops
Use Case	Active threat prevention in production	Monitoring, evaluation, or compliance auditing

Inline Tap Mode: A hybrid approach where traffic passes through an inline pair, but the sensor only copies packets for analysis without enforcing drops. This is useful for testing IPS rules in a production environment before enabling enforcement.

FMC vs FDM (Firepower Device Manager)

Feature	FMC	FDM
Deployment	Separate appliance (physical or virtual)	Built-in web GUI on the FTD device itself
Device Support	Manages multiple FTD devices centrally	Manages only the local FTD device
Features	Full feature set (correlation, multi-domain, eStreamer, TID)	Simplified subset; no correlation, limited reporting
HA / Clustering	Supports HA and clustering configuration	Supports basic HA only
Ideal For	Enterprise, multi-site, MSSP	Small office, branch, single device
REST API	FMC REST API	FDM REST API (different endpoints)

Access Control Rule Actions: Quick Reference

Action	Allows Traffic	Snort Inspection	File/Malware	Logging
Allow	Yes	Yes (optional)	Yes (optional)	Yes
Trust	Yes	No	No	Yes
Monitor	Continues to next rule	Depends on final action	Depends on final action	Yes
Block	No	No	No	Yes
Block with Reset	No (sends RST)	No	No	Yes
Interactive Block	Warning page	If user bypasses	If user bypasses	Yes

Malware Disposition Types

Disposition	Meaning	Action with Block Malware Rule
Clean	AMP cloud confirms file is safe	File is allowed
Malware	AMP cloud identifies file as malicious	File is blocked
Unknown	Hash not in AMP cloud database	File is allowed; may be sent to Threat Grid for sandbox analysis
Custom Detection	Matches administrator-defined SHA-256 list	File is blocked
Unavailable	Cannot reach AMP cloud for lookup	File is allowed (fail-open behavior)

Retrospective Events: If the AMP cloud later reclassifies a previously clean file as malware (or vice versa), FMC generates a retrospective malware event. This enables visibility into files that were initially allowed but are now known to be malicious, supporting incident response and threat hunting.

Tip: Enable Threat Grid (dynamic analysis) for Unknown files to get sandbox results. Threat Grid detonates files in a virtual environment and provides a detailed threat score, behavioral indicators, and network artifacts.

300-710

SNCF (Securing Networks with Cisco Firepower)

300-710 Practice Exam 1

300-710 Practice Exam 2

300-710 Practice Exam 3

300-710 Practice Exam 4

300-710 Practice Exam 5

300-710 Practice Exam 6

Desbloquear Todo o Conteúdo para 300-710

Pré-visualização (10 / 120)

Flash Cards

Idiomas Disponíveis

Tópicos do Exame

300-710 Cheat Sheet

300-710 SNCF Exam Details

Domain Weight Breakdown

Certification Path & Prerequisites

Firepower Threat Defense (FTD) Deployment Modes

Firepower Management Center (FMC)

FTD Device Registration Process

Interface Configuration

Routing & NAT on FTD

Platform Settings

Access Control Policy (ACP)

Access Control Policy Processing Order

Prefilter Policy

SSL/TLS Inspection Policy

Identity Policy

Security Intelligence

File & Malware Policy

DNS Policy

Snort IPS Engine

Network Analysis Policy (NAP)

Intrusion Policy

Variable Sets

Custom Snort Rules

Event Analysis & Correlation

High Availability (HA)

Clustering

Software Updates & Rule Updates

Backup & Restore

Health Monitoring

Cisco SecureX Integration

External Logging & API

FTD vs ASA: Feature Comparison

Snort 2 vs Snort 3

Inline vs Passive Deployment

FMC vs FDM (Firepower Device Manager)

Access Control Rule Actions: Quick Reference

Malware Disposition Types