larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

CCNP Security Cisco Secure Firewall and Intrusion Prevention System Official Cert Guide Premium Edition eBook and Practice Test

Premium Edition eBook

  • Your Price: $63.99
  • List Price: $79.99
  • About Premium Edition eBooks
  • The Premium Edition eBook and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson Test Prep practice tests.

    Your purchase will deliver:

    • Link to download the Pearson Test Prep exam engine
    • Access code for question database
    • eBook in the following formats, accessible from your Account page after purchase:

    EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    PDF The popular standard, which reproduces the look and layout of the printed page.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

    eBook FAQ

    eBook Download Instructions

Also available in other formats.

  • Description
  • Sample Content
  • Updates
  • Copyright 2022
  • Pages: 656
  • Edition: 1st
  • Premium Edition eBook
  • ISBN-10: 0-13-667789-4
  • ISBN-13: 978-0-13-667789-5

CCNP Security Cisco Secure Firewall and Intrusion Prevention System Official Cert Guide, Premium Edition eBook and Practice Test

The CCNP Security Cisco Secure Firewall and Intrusion Prevention System Official Cert Guide, Premium Edition eBook and Practice Test is a digital-only certification preparation product combining an eBook with enhanced Pearson IT Certification Practice Test. The Premium Edition eBook and Practice Test contains the following items:

* The CCNP Security Cisco Secure Firewall and Intrusion Prevention System Premium Edition Practice Test, including four full practice exams and enhanced practice test features
* PDF and EPUB formats of the CCNP Security Cisco Secure Firewall and Intrusion Prevention System Official Cert Guide from Cisco Press, which are accessible via your PC, tablet, and smartphone

About the Premium Edition Practice Test

This Premium Edition contains an enhanced version of the Pearson IT Certification Practice Test (PCPT) software with four full practice exams. In addition, it contains all the chapter-opening assessment questions from the book. This integrated learning package

* Enables you to focus on individual topic areas or take complete, timed exams
* Includes direct links from each question to detailed tutorials to help you understand the concepts behind the questions
* Provides unique sets of exam-realistic practice questions
* Tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most

Pearson Test Prep online system requirements:
Browsers: Chrome version 73 and above, Safari version 12 and above, Microsoft Edge 44 and above.
Devices: Desktop and laptop computers, tablets running Android v8.0 and above or iPad OS v13 and above, smartphones running Android v8.0 and above or iOS v13 and above with a minimum screen size of 4.7.

Pearson Test Prep offline system requirements:
Windows 10, Windows 8.1; Microsoft .NET Framework 4.5 Client; Pentium-class 1 GHz processor (or equivalent); 512 MB RAM; 650 MB disk space plus 50 MB for each downloaded practice exam; access to the Internet to register and download exam databases.

About the Premium Edition eBook
CCNP Security Cisco Secure Firewall and Intrusion Prevention System Official Cert Guide covers the objectives for the CCNP Security concentration exam that focuses on Cisco Secure Firewall and IPS (formerly known as Cisco Firepower). Long-time Cisco security insider Nazmul Rajib shares preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

CCNP Security Cisco Secure Firewall and Intrusion Prevention System Official Cert Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. Do I Know This Already? quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.

Well regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time. It helps you master the topics on the CCNP Security concentration exam that focuses on the Cisco Secure Firewall and IPS (formerly known as Cisco Firepower). Use it to deepen your knowledge of

* Configurations
* Integrations
* Deployments
* Management
* Troubleshooting, and more

Table of Contents

Introduction xxv
Part I General Deployment
Chapter 1 Introduction to Cisco Secure Firewall and IPS 2
Do I Know This Already? Quiz 3
Foundation Topics 4
Evolution of Next-Generation Firewall 4
Cisco Secure Firewall Solutions 8
Product Evolution and Lifecycle 11
Software and Hardware Architecture 14
Scalability and Resiliency 18
    Clustering 18
    Multi-Instance 19
    High Availability 20
    Resiliency in Connectivity 21
Summary 22
Exam Preparation Tasks 22
Chapter 2 Deployment of Secure Firewall Virtual 24
Do I Know This Already? Quiz 24
Foundation Topics 26
Cisco Secure Firewall on a Virtual Platform 26
    Hosting Environment Settings 27
    Virtual Resource Allocation 28
    Software Package Selection 28
Best Practices 30
Configuration 31
    Virtual Network for Management Traffic 32
    Virtual Network for Data Traffic 33
    Virtual Machine Creation for Secure Firewall 35
System Initialization and Validation 41
Summary 45
Exam Preparation Tasks 46
Chapter 3 Licensing and Registration 48
Do I Know This Already? 48
Foundation Topics 50
Cisco Licensing Architecture 50
    Direct Cloud Access 52
    On-Premises Server 52
    Offline Access 53
Cisco Secure Firewall Licenses 54
    Feature License 54
    Export-Controlled License 55
    Evaluation License 56
Validation of Licensing 59
Device Registration 61
    Best Practices for Registration 61
    Configurations on Threat Defense 62
    Configurations on Management Center 63
    Management Communication over the Internet 65
Validation of Registration 67
Summary 68
Exam Preparation Tasks 69
Chapter 4 Firewall Deployment in Routed Mode 70
Do I Know This Already? Quiz 70
Foundation Topics 72
Routed Mode Essentials 72
Best Practices for Routed Mode Configuration 73
Fulfilling Prerequisites 73
    Enabling the Routed Firewall Mode 75
Configuration of the Routed Interface 75
    Configuring Interfaces with Static IP Addresses 76
    Configuring Interfaces with Automatic IP Addresses 80
Validation of Interface Configuration 82
Summary 88
Exam Preparation Tasks 89
Chapter 5 Firewall Deployment in Transparent Mode 90
Do I Know This Already? Quiz 90
Foundation Topics 92
Transparent Mode Essentials 92
Best Practices for Transparent Mode Configuration 93
Fulfilling Prerequisites 94
    Enabling the Transparent Firewall Mode 95
Configuring Transparent Mode in a Layer 2 Network 96
    Configuring the Physical and Virtual Interfaces 96
    Verifying the Interface Status 103
    Verifying Basic Connectivity and Operations 104
Deploying a Threat Defense Between Layer 3 Networks 108
    Selecting a Default Action 108
    Adding an Access Control Rule for a Routing Protocol 111
    Creating an Access Control Rule for the SSH Protocol 113
    Verifying Access Control Lists 115
Integrated Routing and Bridging (IRB) 118
Summary 118
Exam Preparation Tasks 118
Chapter 6 IPS-Only Deployment in Inline Mode 120
Do I Know This Already? Quiz 120
Foundation Topics 122
Inline Mode Essentials
    Inline Mode Versus Passive Mode 123
    Inline Mode Versus Transparent Mode 125
Best Practices for Inline Mode 125
Inline Mode Configuration 126
    Fulfilling Prerequisites 126
    Interface Setup 127
    Inline Set Configuration 129
Verification 132
    Event Analysis in IPS-Only Mode 135
Summary 136
Exam Preparation Tasks 136
Chapter 7 Deployment in Detection-Only Mode 138
Do I Know This Already? Quiz 139
Foundation Topics 141
Detection-Only Mode Essentials 141
    Passive Monitoring Technology 141
    Interface Modes: Inline, Inline Tap, and Passive 142
Best Practices for Detection-Only Deployment 143
Inline Tap Mode 145
    Configuration of Inline Tap Mode 145
    Verification of Inline Tap Configuration 147
Passive Interface Mode 149
    Configuration of Passive Interface Mode 149
        Configuring Passive Interface Mode on a Threat Defense 150
        Configuring a SPAN Port on a Switch 151
    Verification of Passive Interface Configuration 152
Event Analysis in Detection-Only Mode 153
Summary 154
Exam Preparation Tasks 154
Part II Basic Security Operations
Chapter 8 Capturing Traffic for Advanced Analysis 156
Do I Know This Already? Quiz 157
Foundation Topics 158
Packet Capture Essentials 158
Best Practices for Capturing Traffic 160
Capturing of Packets Using Secure Firewall 162
    Configuration 162
    Verification 165
    Packet Capture versus Packet Tracer 169
Summary 170
Exam Preparation Tasks 170
Chapter 9 Network Discovery Policy 172
Do I Know This Already? Quiz 172
Foundation Topics 174
Network Discovery Essentials 174
    Application Detectors 175
    Network Discovery Operations 176
Best Practices for Network Discovery 178
Fulfilling Prerequisites 179
Configurations 180
    Reusable Objects 181
    Network Discovery Policy 183
Verification 186
    Analyzing Application Discovery 186
    Analyzing Host Discovery 186
    Undiscovered New Hosts 188
Summary 191
Exam Preparation Tasks 191
Chapter 10 Access Control Policy 194
Do I Know This Already? Quiz 194
Foundation Topics 196
Access Control Policy Essentials 196
    Policy Editor 196
    Rule Editor 198
Best Practices for Access Control Policy 199
Access Control Policy Configuration 200
    Fulfilling Prerequisites 201
    Creating Rules 202
Verification 208
Summary 222
Exam Preparation Tasks 222
Chapter 11 Prefilter Policy 224
Do I Know This Already? Quiz 224
Foundation Topics 226
Prefilter Policy Essentials 226
    Prefilter Policy: Rules and Actions 226
    Bypassing Deep Packet Inspection 227
Best Practices for a Prefilter Policy 230
Enabling Bypass Through a Prefilter Policy 230
    Fulfilling Prerequisites 230
    Configuring a Rule in a Prefilter Policy 230
    Invoking a Prefilter Policy into an Access Control Policy 235
Establishing Trust Through an Access Control Policy 237
Verification 240
Managing Encapsulated Traffic Inspection 242
Summary 245
Exam Preparation Tasks 245
Chapter 12 Security Intelligence 248
Do I Know This Already? Quiz 249
Foundation Topics 251
Security Intelligence Essentials 251
Best Practices for Security Intelligence 256
Fulfilling Prerequisites 257
Automatic Blocking Using Cisco Intelligence Feed 259
    Verifying the Action of Cisco Intelligence Feed 262
    Overriding the Cisco Intelligence Feed Outcome 265
Instant Blocking Using Context Menu 267
    Adding an Address to the Block List 267
    Deleting an Address from the Block List 268
Manual Blocking Using Custom List 269
    Enabling Security Intelligence in Monitor-Only Mode 272
Threat Intelligence Director 274
    Enabling Threat Intelligence Director 276
    Adding Sources and Importing Indicators 277
Summary 280
Exam Preparation Tasks 281
Chapter 13 Domain Name System (DNS) Policy 282
Do I Know This Already? Quiz 282
Foundation Topics 284
DNS Policy Essentials 284
    Domain Name System (DNS) 284
    Blocking of a DNS Query Using a Secure Firewall 285
    DNS Rule Actions 287
        Actions That Can Interrupt DNS Queries 288
        Actions That Allow DNS Queries 292
    Sources of Intelligence 293
Best Practices for Blocking DNS Queries 295
Fulfilling Prerequisites 296
Configuring DNS Policy 297
    Add a New Rule to a DNS Policy 298
    Invoke the DNS Policy 301
Verification 302
Summary 307
Exam Preparation Tasks 307
Chapter 14 URL Filtering 310
Do I Know This Already? Quiz 310
Foundation Topics 312
URL Filtering Essentials 312
    Category and Reputation 312
    URL Database 314
Fulfilling Prerequisites 315
Best Practices for URL Filtering Configuration 317
Enabling URL Filtering 322
    Blocking URLs of a Certain Category 323
    Verifying the Operation of a URL Filtering Rule 325
    Allowing a Specific URL 329
    Analyzing the Default Category Override 331
    Handling Uncategorized URLs 335
    Investigating the Uncategorized URLs 338
Summary 340
Exam Preparation Tasks 341
Part III Advanced Configurations
Chapter 15 Network Analysis and Intrusion Policies 342
Do I Know This Already? Quiz 343
Foundation Topics 345
Intrusion Prevention System Essentials 345
    Network Analysis Policy 346
    Intrusion Policy 346
    System-Provided Variable Sets 352
    System-Provided Base Policies 353
Best Practices for Intrusion Policy Deployment 356
Configuring a Network Analysis Policy 359
Configuring an Intrusion Policy 364
    Creating a Policy with a Default Ruleset 364
    Incorporating Intrusion Rule Recommendations 365
    Enabling or Disabling an Intrusion Rule 368
    Setting Up a Variable Set 369
Policy Deployment 371
Verification 373
Summary 379
Exam Preparation Tasks 379
Chapter 16 Malware and File Policy 380
Do I Know This Already? Quiz 380
Foundation Topics 382
File Policy Essentials 382
    File Type Detection 382
    Malware Analysis 382
Best Practices for File Policy Configuration 386
Fulfilling Prerequisites 387
Configuring a File Policy 390
    Creating a File Policy 390
    Deploying a File Policy 396
Verification 398
    Analyzing File Events 399
    Analyzing Malware Events 404
        The Management Center Is Unable to Communicate with the Cloud 404
        The Management Center Performs a Cloud Lookup 408
        The Threat Defense Blocks Malware 409
    Overriding a Malware Disposition 412
    Network Trajectory 413
Summary 414
Exam Preparation Tasks 414
Chapter 17 Network Address Translation (NAT) 416
Do I Know This Already? Quiz 417
Foundation Topics 418
NAT Essentials 418
    NAT Techniques 420
    NAT Rule Types 422
Best Practices for NAT Deployment 423
Fulfilling Prerequisites 425
Configuring NAT 427
    Masquerading a Source Address (Source NAT for Outbound Connection) 427
        Configuring a Dynamic NAT Rule 427
        Verifying the Configuration 433
        Verifying the Operation: Inside to Outside 434
        Verifying the Operation: Outside to Inside 441
    Connecting to a Masqueraded Destination (Destination NAT for Inbound Connection) 446
        Configuring a Static NAT Rule 446
        Verifying the Operation: Outside to DMZ 449
Summary 457
Exam Preparation Tasks 457
Chapter 18 Traffic Decryption Policy 460
Do I Know This Already? Quiz 460
Foundation Topics 462
Traffic Decryption Essentials 462
    Overview of SSL and TLS Protocols 462
    Decryption Techniques on Secure Firewall 466
Best Practices for Traffic Decryption 467
Configuring a Decryption Policy 468
    PKI Objects 468
        Internal CAs Object 469
        Internal Certs Object 469
    SSL Policy 470
    File Policy 474
    Access Control Policy 474
Verification 476
Summary 480
Exam Preparation Tasks 480
Chapter 19 Virtual Private Network (VPN) 482
Do I Know This Already? Quiz 483
Foundation Topics 484
VPN Essentials 484
    Site-to-Site VPN 485
    Remote-Access VPN 488
IPsec Essentials 489
    Mode of Operation 490
    Security Association and Key Exchange 492
        IKEv1 492
        IKEv2 494
    Authentication 495
Site-to-Site VPN Deployment 496
    Prerequisites 496
    Configurations 499
        Access Control Policy 503
        NAT Policy 504
    Verification 507
Remote-Access VPN Deployment 513
    Prerequisites 513
    Configuration 516
        AnyConnect File 517
        RADIUS Server Group 518
        Certificate Enrollment 518
        Network and IP Address Pool 521
        Remote-Access VPN Policy 522
    Verification 527
Summary 534
Exam Preparation Tasks 535
Chapter 20 Quality of Service (QoS) 536
Do I Know This Already? Quiz 536
Foundation Topics 538
Quality of Service Essentials 538
Best Practices for Enabling QoS 541
Fulfilling Prerequisites 541
Configuring QoS Policy 542
Verification 546
    Analyzing QoS Events and Statistics 550
Summary 554
Exam Preparation Tasks 554
Chapter 21 System Logging (Syslog) 556
Do I Know This Already? Quiz 557
Foundation Topics 558
Secure Firewall Logging Essentials 558
Best Practices for Logging 560
Prerequisites 560
Sending Syslog from Threat Defense 564
    Add a Syslog Server on Platform Settings 564
    Enable Logging on Access Control Policy 568
    Verification 568
Sending Syslog from Management Center 569
    Create Syslog Alerts 569
    Verification 572
    Correlate Events to Send Syslog Alerts 574
Troubleshooting Logs 578
Summary 581
Exam Preparation Tasks 581
Part IV Conclusion
Chapter 22 Final Preparation 582
Getting Ready for the Exam 582
    Tools for Final Review 582
Exam Day 583
Practice Tests 583
    Pearson Cert Practice Test Engine and Questions on the Website 583
    Accessing the Pearson Test Prep Software Online 584
    Accessing the Pearson Test Prep Software Offline 584
    Customizing Your Exams 585
    Updating Your Exams 585
    Premium Edition 586
Chapter-Ending Review Tools 586
Summary 586
Part V Appendixes
Appendix A Answers to the Do I Know This Already? Questions 588
Appendix B CCNP Security Cisco Secure Firewall and Intrusion Prevention System Official Cert Guide Updates 598
Glossary 601

Online Elements
Appendix C Memory Tables
Appendix D Memory Tables Answer Key
Appendix E Study Planner

9780136589709   TOC   4/21/2022

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive:

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020