300-740 Designing and Implementing Secure Cloud Access for Users and Endpoints (SCAZT) Questions and Answers

Policy-Based Routing (PBR) enables routing decisions based on criteria such as source IP, destination IP, or application. To send SaaS traffic (e.g., Office 365, Salesforce) directly to the internet rather than over a site-to-site VPN, PBR must be configured at each site firewall. According to SCAZT Section 1 (Cloud Security Architecture, Pages 18–20), this approach enables secure local internet breakout—commonly used in direct internet access (DIA) architectures.

When integrating Cisco Cloudlock with SaaS platforms like Salesforce, two core authorizations are required: network access and API authorization. In the scenario, Cloudlock has been authorized in Salesforce, and its IP has been allow-listed. However, if access is still denied, the most likely cause is that Salesforce has not been configured to accept traffic from Cloudlock’s IP range — a process handled from the Salesforce admin panel.

To resolve the issue, network access must be explicitly granted to Cloudlock from within Salesforce. This ensures that Salesforce accepts requests initiated by Cloudlock for monitoring and enforcement.

MITRE ATT&CK is a globally accessible knowledge base that catalogs adversarial tactics and techniques based on real-world observations. According to SCAZT Section 6: Threat Response (Page 113), this framework enables security professionals to map and anticipate adversarial behavior throughout the attack lifecycle. It supports threat modeling, detection engineering, and incident response.

Cisco Secure Endpoint (formerly AMP for Endpoints) includes an “Inbox” tab where detected threats and flagged endpoints are listed. When Duo Trusted Endpoints integration is in place, an endpoint may be denied access if it fails posture checks. The correct workflow includes reviewing the machine’s status in Cisco Secure Endpoint and marking the incident as “Resolved” in the Inbox tab to restore authentication.

This process is described in SCAZT Section 2 (User and Device Security, Pages 44–46) for enforcing endpoint trust with Secure Endpoint and Duo Trusted Endpoints integration.

Automation of containment and response actions—such as isolating compromised endpoints and applying predefined security policies—is a critical capability of Cisco’s XDR and SecureX platform. According to SCAZT Section 6: Threat Response (Pages 112–117), automating threat containment allows security teams to rapidly limit the blast radius of incidents and improve mean time to respond (MTTR), without relying solely on manual intervention.

A drive-by compromise occurs when malicious code is automatically downloaded and executed simply by visiting a compromised website—often through malicious advertising scripts (malvertising). According to SCAZT Section 4: Application and Data Security (Pages 85–87), ad blockers help prevent drive-by downloads by blocking these third-party ad scripts and redirections, which are commonly used in such attacks.

VPNs and private browsing modes (e.g., Incognito) do not provide protection against malicious content hosted on web pages.

To preserve the user for investigation while immediately revoking access, the correct approach is to disable the user in the Duo Admin Panel. This action blocks authentication without deleting logs or user data. Simultaneously, resetting the password from Active Directory ensures any potentially compromised credentials are revoked.

According to SCAZT (Section 2: User and Device Security, Pages 40–44), disabling user accounts in Duo offers secure containment during security incidents while maintaining data for forensic review.

Based on the Cisco Tetration segmentation policy and the requirement to allow only web server communication (HTTP/HTTPS):

Rule 1 allows HTTP (port 80) — required

Rule 2 allows HTTPS (port 443) — required

Rule 3 allows SSH — not needed for web communication

Rule 4 allows UDP port 68 (DHCP) — not relevant to application-layer web server traffic

Therefore, Rules 3 and 4 are unnecessary and should be deleted for policy optimization, which aligns with zero-trust and least-privilege access design as outlined in SCAZT Section 4 (Application and Data Security, Pages 86–90).

In the provided screenshot of Cisco Secure Firewall Management Center (FMC), the rule labeled "Block Facebook" is intended to block access to Facebook and Facebook Apps. However, the rule lacks correct zone configurations, which is why the block is ineffective.

Per Cisco's best practices outlined in the Designing and Implementing Secure Cloud Access for Users and Endpoints (SCAZT) documentation and Cisco Secure Firewall documentation:

The source zone should reflect where the traffic is originating from—in this case, from internal users. Therefore, Source Zone must be set to inside (Answer: E).

The destination zone should reflect where the traffic is headed—in this case, towards the internet. So, Destination Zone must be set to outside (Answer: D).

Without properly defining source and destination zones, FMC rules may not match the traffic correctly, resulting in traffic being incorrectly allowed.

Rule 1 is a “deny all” rule placed at the top of the access control policy. Because Cisco firewalls process rules sequentially from top to bottom, Rule 1 is blocking all traffic—including RDP (Rule 2) and HTTPS (Rule 3). To allow specific traffic, the “deny all” catch-all rule should be placed last so that the specific allow rules are evaluated first.

SCAZT Section 3 (Network and Cloud Security, Pages 69–74) discusses rule hierarchy and clearly states that allow rules must precede any general deny policies to ensure intended traffic is matched correctly. This best practice is essential when dealing with multi-cloud access control.

Rule 3 allows all traffic (including SSH) from 10.1.0.0/30 during the hours of 18:00–08:00, which directly conflicts with Rule 1 that is intended to deny SSH at those same hours. Since firewall rules are evaluated top-down and Rule 3 allows traffic during the exact period where SSH should be blocked, deleting Rule 3 will allow Rule 1 to apply correctly.

This behavior is explained in SCAZT Section 3 (Network and Cloud Security, Pages 72–75), where rule precedence and time-based evaluation logic are discussed.

In Cisco Secure Firewall Management Center (FMC), access control policies are processed top-down—meaning the first matching rule is applied, and the remaining are ignored. Based on the exhibit, Rule 4 (Access Controlled Groups) is likely being shadowed by a broader rule above it that permits web traffic. To ensure restricted users are denied access to mobile phone shopping categories, Rule 4 must be moved to the top of the rule hierarchy.

Cisco SCAZT (Section 5: Visibility and Assurance, Pages 94–97) describes best practices for rule ordering and inspection logic. Moving the specific block rule (Rule 4) higher ensures it's enforced before general allow rules are evaluated.

The JSON configuration shown is missing a specific Layer 4 parameter definition for port 25 (SMTP). Although the protocol (proto: 6, which is TCP) is defined, without specifying the actual port in the l4_params array, traffic filtering will not trigger on SMTP. Therefore, the engineer must add "port": [25, 25] to the l4_params section to ensure traffic on port 25 is blocked.

The error %OPENDNS-3-DNS_RES_FAILURE indicates a failure to resolve DNS queries via Cisco Umbrella. The most common cause of this error is the router lacking DNS resolution capability. To resolve this, the router must be explicitly configured to use Cisco Umbrella’s OpenDNS servers by adding the following to global configuration:

According to the SCAZT guide (Section 1: Cloud Security Architecture, Pages 17–19), Umbrella enforces cloud-based DNS-layer protection, and upstream devices must be properly configured with working DNS name servers to perform redirection and inspection.

The flow data in the exhibit shows multiple short-duration, high-volume HTTPS connections (443/TCP) from IP 10.10.10.10 to multiple destination IPs in the 50.10.10.0/24 network. All flows are 22 seconds long and transfer exactly 1.77M of data. This uniform behavior to a large set of IP addresses strongly indicates a Denial of Service (DoS) pattern, where an internal host (10.10.10.10) is overwhelming external systems in the 50.10.10.0/24 range.

The SCAZT guide (Section 6: Threat Response, Pages 114–117) explains how Secure Cloud Analytics uses NetFlow and behavioral modeling to identify such volumetric threats. Key identifiers include:

Same connection size (1.77M)

Multiple unique peer IPs in a single external subnet

Same destination port and protocol (HTTPS)

Zero TCP connections completed, indicating unacknowledged connections

This matches the behavioral pattern of a DoS originating from an internal host.