300-740 Cisco Designing and Implementing Secure Cloud Access for Users and Endpoints (SCAZT) Free Practice Exam Questions (2025 Updated)

Rule 1 is a “deny all” rule placed at the top of the access control policy. Because Cisco firewalls process rules sequentially from top to bottom, Rule 1 is blocking all traffic—including RDP (Rule 2) and HTTPS (Rule 3). To allow specific traffic, the “deny all” catch-all rule should be placed last so that the specific allow rules are evaluated first.

SCAZT Section 3 (Network and Cloud Security, Pages 69–74) discusses rule hierarchy and clearly states that allow rules must precede any general deny policies to ensure intended traffic is matched correctly. This best practice is essential when dealing with multi-cloud access control.

In Cisco Secure Endpoint (formerly AMP for Endpoints), isolating an infected machine is the most immediate action to contain the threat. Isolation cuts the endpoint off from all network communication except to the management console, allowing the analyst to investigate further while preventing lateral movement or data exfiltration.

According to SCAZT Section 6: Threat Response (Pages 114–117), isolation is a recommended first response in the event of malware detection.

Zero Trust is based on the concept of “never trust, always verify.” It ensures that no user or device is inherently trusted, even if they are inside the corporate network. Cisco’s Zero Trust Architecture implements continuous trust verification for every access request, using identity, device posture, and behavior analysis.

SCAZT Section 1 (Cloud Security Architecture, Pages 13–17) describes how Cisco’s Zero Trust model authenticates and authorizes access before permitting resource interaction.

Automation of containment and response actions—such as isolating compromised endpoints and applying predefined security policies—is a critical capability of Cisco’s XDR and SecureX platform. According to SCAZT Section 6: Threat Response (Pages 112–117), automating threat containment allows security teams to rapidly limit the blast radius of incidents and improve mean time to respond (MTTR), without relying solely on manual intervention.

According to the SCAZT documentation, web application firewalls (WAFs) designed to protect against zero-day Distributed Denial of Service (DDoS) attacks leverage adaptive and behavioral-based algorithms. These algorithms dynamically analyze traffic patterns, baseline normal behavior, and detect anomalies that could indicate novel or zero-day attacks. Unlike signature-based detection, adaptive and behavioral methods adjust in real-time to emerging threats, learning from ongoing traffic without relying on pre-defined rules. This proactive approach enables rapid detection and mitigation of unknown DDoS vectors, critical for cloud and network security where threats evolve constantly.

According to the SCAZT guide, the “Always-on” deployment mode for Cisco Secure DDoS (including integration with Secure Web Application Firewall solutions) provides continuous protection for both volumetric and application-layer attacks. This deployment model ensures that all traffic flows through the scrubbing and WAF infrastructure without requiring traffic redirection only during attack events. It provides real-time mitigation and immediate detection, which is essential to address both volumetric attacks (e.g., SYN floods) and Layer 7 (application-layer) attacks such as HTTP floods and injection-based threats.

While “Hybrid” and “On-demand” modes are useful for specific use cases, only “Always-on” offers continuous and comprehensive protection required for environments that demand consistent uptime and threat prevention.

The Remote Desktop Protocol (RDP) uses TCP port 3389. Cisco Umbrella includes a cloud-delivered firewall that can be used to block outbound traffic by port. In this case, since the RDP communication needs to be prevented regardless of application name resolution, the best approach is to use a Firewall policy in Umbrella to block port 3389 traffic across the tunnel.

Rule 3 allows all traffic (including SSH) from 10.1.0.0/30 during the hours of 18:00–08:00, which directly conflicts with Rule 1 that is intended to deny SSH at those same hours. Since firewall rules are evaluated top-down and Rule 3 allows traffic during the exact period where SSH should be blocked, deleting Rule 3 will allow Rule 1 to apply correctly.

This behavior is explained in SCAZT Section 3 (Network and Cloud Security, Pages 72–75), where rule precedence and time-based evaluation logic are discussed.

From the firewall access rules provided, Rule 1 allows traffic from 20.1.1.10 (GCP VM) to 20.1.1.1 using HTTPS. However, this destination is not the actual mail server—the mail server resides at 192.168.200.10 (inside network). Therefore:

A: Rule 1 must be updated to reflect the correct destination: 192.168.200.10. Without this change, traffic is not permitted to the mail server.

D: NAT (Network Address Translation) is needed to translate the external address (e.g., 20.1.1.10) to access internal addresses (like 192.168.200.10). As per SCAZT and Cisco firewall policies, NAT enables proper packet delivery from public to private zones.

Rule 2, which denies all other traffic, is correctly placed after the specific allow rule. Therefore, moving it (Option B) would not help, and Options C and E are unrelated to resolving the immediate firewall access and routing issue.

Policy-Based Routing (PBR) enables routing decisions based on criteria such as source IP, destination IP, or application. To send SaaS traffic (e.g., Office 365, Salesforce) directly to the internet rather than over a site-to-site VPN, PBR must be configured at each site firewall. According to SCAZT Section 1 (Cloud Security Architecture, Pages 18–20), this approach enables secure local internet breakout—commonly used in direct internet access (DIA) architectures.

Cisco Telemetry Broker (CTB) is designed to act as an intermediary that filters, enriches, and routes telemetry data—such as NetFlow, Syslog, and SNMP—across various tools. It optimizes resource usage by preventing overload and ensures only relevant telemetry is forwarded to appropriate analytics platforms.

The SCAZT guide (Section 5: Visibility and Assurance, Pages 93–95) describes CTB’s role in applying filters and transformations to raw telemetry data to enhance visibility and reduce noise.

MITRE ATT&CK is a globally accessible knowledge base that catalogs adversarial tactics and techniques based on real-world observations. According to SCAZT Section 6: Threat Response (Page 113), this framework enables security professionals to map and anticipate adversarial behavior throughout the attack lifecycle. It supports threat modeling, detection engineering, and incident response.

After Cloudlock is integrated with Salesforce, full visibility into objects and data requires that Cloudlock has the “View All Data” permission enabled on the connected Salesforce account. This permission allows the Cloudlock API connection to access all user data, regardless of individual field-level or sharing rules. Without it, Cloudlock will be limited in its visibility scope.

As per SCAZT (Section 4: Application and Data Security, Pages 86–89), integration with SaaS platforms like Salesforce must include enabling comprehensive data visibility to perform effective risk analysis and policy enforcement.

Based on the Cisco Tetration segmentation policy and the requirement to allow only web server communication (HTTP/HTTPS):

Rule 1 allows HTTP (port 80) — required

Rule 2 allows HTTPS (port 443) — required

Rule 3 allows SSH — not needed for web communication

Rule 4 allows UDP port 68 (DHCP) — not relevant to application-layer web server traffic

Therefore, Rules 3 and 4 are unnecessary and should be deleted for policy optimization, which aligns with zero-trust and least-privilege access design as outlined in SCAZT Section 4 (Application and Data Security, Pages 86–90).

According to the MITRE ATT&CK framework and the SCAZT documentation, one of the most effective mitigation techniques against exploitation is to keep systems updated with the latest patches. Exploitation typically targets known vulnerabilities in operating systems and applications. Timely patching significantly reduces the risk of successful exploitation, especially zero-day vulnerabilities once disclosed.

Cisco Extended Detection and Response (XDR) leverages telemetry from Cisco Secure Endpoint, Secure Email, Secure Network Analytics, and other sources to correlate threat detections with contextual data, such as asset value and business impact. This allows Cisco XDR to prioritize threats not only by the risk of the detection but also by the importance of the affected asset—essentially assessing the risk to business. This dynamic and context-aware prioritization method enables security teams to address the most impactful threats first.

To preserve the user for investigation while immediately revoking access, the correct approach is to disable the user in the Duo Admin Panel. This action blocks authentication without deleting logs or user data. Simultaneously, resetting the password from Active Directory ensures any potentially compromised credentials are revoked.

According to SCAZT (Section 2: User and Device Security, Pages 40–44), disabling user accounts in Duo offers secure containment during security incidents while maintaining data for forensic review.