Forescout Certified Professional FSCP Exam Practice Test

Page: 1 / 14
Total 80 questions

Want more questions? Get Premium Access.
()

Question 1

Which of the following does NOT need to be checked when you are verifying correct switch plugin configuration?

AThe Switch plugin is running

BCorrect switch management credentials are configured for each switch

CIP address ranges are assigned to the correct appliance

DEach switch passes the plugin test

EEach switch is assigned to the correct appliance

Answer : C

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to theForescout Switch Plugin Configuration Guide, when verifying correct switch plugin configuration, you do NOT need to check:'IP address ranges are assigned to the correct appliance'. This setting is network/appliance configuration, not switch plugin-specific configuration.

Switch Plugin Configuration Verification Checklist:

According to the Switch Plugin documentation:

When verifying switch plugin configuration, you MUST check:

A . The Switch plugin is running

Plugin status must be active

Verify in plugin management interface

B . Correct switch management credentials

SSH/CLI credentials configured

SNMP credentials (v1/v2/v3) configured

Must have appropriate permissions

D . Each switch passes the plugin test

Use plugin test function to verify connectivity

Confirms credentials and permissions work

Validates communication protocols

E . Each switch is assigned to the correct appliance

Switch must be assigned to managing appliance

Critical for multi-appliance deployments

Ensures proper VLAN management traffic routing

Why C is NOT Required:

According to the documentation:

IP address range assignment (segment assignment) is:

Part of appliance channel/segment configuration

NOT part of switch plugin-specific configuration

Handled at appliance level, not plugin level

Related to appliance management, not switch management

Switch Plugin vs. Appliance Configuration:

According to the configuration guide:

Item

Switch Plugin Config

Appliance Config

Plugin Running

Yes

N/A

Switch Credentials

Yes

N/A

Plugin Test

Yes

N/A

Switch Assignment

Yes

N/A

IP Address Ranges

Yes

Referenced Documentation:

CounterACT Switch Plugin Configuration Guide v8.12

Switch Configuration Parameters

Permissions Configuration -- Switch

Configuring Switches in the Switch Plugin

Question 2

Which of the following is a User Directory feature?

AGuest authentication

BDashboard

CRadius authorization

DQuery Switches

EAssets portal

EAssets portal- This is a general Forescout platform feature, not specific to the User Directory plugin
Authentication Module Structure:
According to the documentation, theAuthentication Module consists of two plugins:
RADIUS Plugin- Handles 802.1X authentication, authorization, and accounting
User Directory Plugin- Handles user resolution, authentication, and guest management
These work together but have distinct responsibilities. TheUser Directory Plugin specifically handles guest authenticationamong its feature set.
Referenced Documentation:
Forescout Authentication Module Overview Guide Version 1.1
About the User Directory Plugin documentation
User Directory Plugin Server and Guest Management Configuration Guide

Answer : A

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

Guest authenticationis a User Directory feature. According to theForescout Authentication Module Overview Guideand theUser Directory Plugin Configuration Guide, the User Directory Plugin enablesguest authentication and managementthrough configured directory servers.

User Directory Plugin Features:

TheUser Directory Plugin(version 6.4+) provides the following core features:

Endpoint User Resolution- Resolves endpoint user details by querying directory servers

User Authentication- Performs user authentication via configured internal and external directory servers (Active Directory, LDAP, etc.)

Guest Authentication- Enables authentication and registration of guest users on the network

Guest Sponsorship- Allows corporate employee sponsors to approve guest network access

Guest Management Portal- Provides functionality for managing guest hosts and guest portal access

Directory Server Integration- Integrates with enterprise directory servers for credential validation

Guest Management Capabilities:

The User Directory Plugin specifically enables:

Guest user registration and authentication

Guest approval workflows through sponsor groups

Guest session management

Guest password policies

Guest tag management for categorization

Why Other Options Are Incorrect:

B . Dashboard- This is a general console feature, not specific to the User Directory plugin

C . Radius authorization- This is the function of theRADIUS plugin, not the User Directory plugin (though they work together in the Authentication Module)

D . Query Switches- This is a function of theSwitch plugin, not the User Directory plugin

Question 3

Which of the following requires secure connector to resolve?

AAuthentication login (advanced)

BAuthentication certificate status

CHTTP login user

DAuthentication login

ESigned-In status

Answer : D

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to theForescout HPS Inspection Engine Configuration Guide and Remote Inspection Feature Support documentation,'Authentication login' requires SecureConnector to resolve.

Authentication Login Property:

According to the Remote Inspection and SecureConnector Feature Support documentation:

The'Authentication login'property requires SecureConnector because:

Interactive User Information- Requires access to active user session data

Real-Time Verification- Must check current login status

Endpoint Agent Needed- Cannot be determined via passive network monitoring or remote registry

SecureConnector Required- Installed agent must report login status

SecureConnector vs. Remote Inspection:

According to the HPS Inspection Engine guide:

Some properties require different capabilities:

Property

Remote Inspection (MS-WMI/RPC)

SecureConnector

Authentication login

Yes

Authentication login (advanced)

Yes

Signed-In status

Yes

HTTP login user

Yes

Authentication certificate status

Yes

Why Other Options Are Incorrect:

A . Authentication login (advanced)- While this also requires SecureConnector, the base 'Authentication login' is the more accurate answer

B . Authentication certificate status- This can be resolved via Remote Inspection using certificate stores

C . HTTP login user- This is resolved by SecureConnector, but not listed as requiring it in the same way

E . Signed-In status- While this requires SecureConnector, the more specific answer is 'Authentication login'

SecureConnector Capabilities:

According to the documentation:

SecureConnector resolves endpoint properties that require:

Active user session information

Real-time application/browser monitoring

Deep endpoint inspection

Interactive user credentials

Referenced Documentation:

Remote Inspection and SecureConnector -- Feature Support

Using Certificates to Authenticate the SecureConnector Connection

Question 4

When using MS-WMI for Remote inspection, which of the following properties should be used to test for Windows Manageability?

AWindows Manageable Domain (Current)

BMS-RRP Reachable

CMS-WMI Reachable

DMS-SMB Reachable

EWindows Manageable Domain

Answer : C

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to theForescout HPS Inspection Engine Configuration Guide Version 10.8, when using MS-WMI for Remote Inspection,MS-WMI Reachableproperty should be used to test for Windows Manageability.

MS-WMI Reachable Property:

According to the documentation:

'MS-WMI Reachable: Indicates whether Windows Management Instrumentation can be used for Remote Inspection tasks on the endpoint.'

This Boolean property specifically tests whether WMI services are available and reachable on a Windows endpoint.

Remote Inspection Reachability Properties:

According to the HPS Inspection Engine guide:

Three reachability properties are available for detecting services on endpoints:

MS-RRP Reachable- Indicates whether Remote Registry Protocol is available

MS-SMB Reachable- Indicates whether Server Message Block protocol is available

MS-WMI Reachable- Indicates whether Windows Management Instrumentation is available (THIS IS FOR MS-WMI)

How to Use MS-WMI Reachable:

According to the documentation:

When Remote Inspection method is set to 'Using MS-WMI':

Check theMS-WMI Reachableproperty value

If True - WMI services are running and available for Remote Inspection

If False - WMI services are not available; fallback methods or troubleshooting required

Property Characteristics:

According to the documentation:

'These properties do not have an Irresolvable state. When HPS Inspection Engine cannot establish connection with the service, the property value is False.'

This means:

Always returns True or False (never irresolvable)

False indicates the service is not reachable

No need for 'Evaluate Irresolvable Criteria' option

Why Other Options Are Incorrect:

A . Windows Manageable Domain (Current)- This is not the specific property for testing MS-WMI capability

B . MS-RRP Reachable- This tests Remote Registry Protocol, not WMI

D . MS-SMB Reachable- This tests Server Message Block protocol, not WMI

E . Windows Manageable Domain- General manageability property, not specific to WMI testing

Remote Inspection Troubleshooting:

According to the documentation:

When troubleshooting Remote Inspection with MS-WMI:

First verifyMS-WMI Reachable = True

Check required WMI services:

Server

Windows Management Instrumentation (WMI)

Verify port 135/TCP is available

If MS-WMI Reachable = False, check firewall and WMI configuration

Referenced Documentation:

CounterACT Endpoint Module HPS Inspection Engine Configuration Guide v10.8

Detecting Services Available on Endpoints

Question 5

What should be done after the Managed Windows devices are sent to a policy to determine the Windows 10 patch delivery optimization setting?

APush out the proper DWORD setting via GPO

BNon Windows 10 devices must be called out in sub-rules since they will not have the relevant DWORD

CManageable Windows devices are not required by this policy

DNon Windows 10 devices must be called out in sub-rules so that the relevant DWORD value may be changed

EWrite sub-rules to check for each of the DWORD values used in patch delivery optimization

Answer : E

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

After managed Windows devices are sent to a policy to determine the Windows 10 patch delivery optimization setting, the best practice is towrite sub-rules to check for each of the DWORD values used in patch delivery optimization.

Windows 10 Patch Delivery Optimization DWORD Values:

Windows 10 patch delivery optimization is configured through DWORD registry settings in the following registry path:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization

The primary DWORD value isDODownloadMode, which supports the following values:

0= HTTP only, no peering

1= HTTP blended with peering behind the same NAT (default)

2= HTTP blended with peering across a private group

3= HTTP blended with Internet peering

63= HTTP only, no peering, no use of DO cloud service

64= Bypass mode (deprecated in Windows 11)

Why Sub-Rules Are Required:

When implementing a policy to manage Windows 10 patch delivery optimization settings, administrators must createsub-rules for each possible DWORD configuration valuebecause:

Different Organizational Requirements- Different departments or network segments may require different delivery optimization modes (e.g., value 1 for some devices, value 0 for others)

Compliance Checking- Each sub-rule verifies whether a device has the correct DWORD value configured according to organizational policy

Enforcement Actions- Once each sub-rule identifies a specific DWORD value, appropriate remediation actions can be applied (e.g., GPO deployment, messaging, notifications)

Granular Control- Sub-rules allow for precise identification of devices with non-compliant delivery optimization settings

Implementation Workflow:

Device is scanned and identified as Windows 10 managed device

Policy queries theDODownloadModeDWORD registry value

Multiple sub-rules evaluate the current DWORD value:

Sub-rule for value '0' (HTTP only)

Sub-rule for value '1' (Peering behind NAT)

Sub-rule for value '2' (Peering across private group)

Sub-rule for value '3' (Internet peering)

Sub-rule for value '63' (No peering, no cloud)

Matching sub-rule triggers appropriate policy actions

Why Other Options Are Incorrect:

A . Push out the proper DWORD setting via GPO- This is what you do AFTER checking via sub-rules, not what you do after sending devices to the policy

B . Non Windows 10 devices must be called out in sub-rules since they will not have the relevant DWORD- While non-Windows 10 devices should be excluded, the answer doesn't address the core requirement of checking each DWORD value

C . Manageable Windows devices are not required by this policy- This is incorrect; managed Windows devices are the focus of this policy

D . Non Windows 10 devices must be called out in sub-rules so that the relevant DWORD value may be changed- This misses the point; you check the DWORD values first, not change them in sub-rules

Referenced Documentation:

Microsoft Delivery Optimization Reference - Windows 10 Deployment

Forescout Administration Guide - Defining Policy Sub-Rules

How to use Group Policy to configure Windows Update Delivery Optimization

Question 6

Which of the following is true regarding how CounterACT restores a quarantined endpoint to its original production VLAN after the "Assign to VLAN Action" is removed?

AThis happens automatically because CounterACT compares the running and startup configs

BThis happens automatically as long as configuration changes to the switchport access VLAN of affected ports are not changed in the switch running config

CThis happens automatically as long as no configuration changes to the switch are made to the running config

DThis happens automatically as long as configuration changes to the switchport access VLAN of affected ports are not saved in the startup config

EA policy is required to ensure this happens correctly.

EA policy is required- Incorrect; this is automatic behavior, not policy-dependent
Default VLAN Feature:
According to the Switch Plugin Configuration Guide:
The Default VLAN feature ensures that ports are automatically assigned to a default VLAN unless specifically configured otherwise. When the 'Assign to VLAN' action is removed, the port returns to the default VLAN (as defined in the startup configuration).
Referenced Documentation:
Forescout CounterACT Switch Plugin Configuration Guide Version 8.12
Switch Plugin Configuration Guide v8.14.2
Global Configuration Options for the Switch Plugin

Answer : D

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to theForescout Switch Plugin Configuration Guide Version 8.12 and 8.14.2, CounterACT restores a quarantined endpoint to its original production VLAN automaticallyas long as configuration changes to the switchport access VLAN of affected ports are not saved in the startup config.

VLAN Restoration Mechanism:

According to the Switch Plugin documentation:

When the 'Assign to VLAN' action is removed or expires, CounterACT can restore the original VLAN configuration by comparing the running configuration with the startup configuration on the switch.

The Key Requirement:

According to the documentation:

The restoration process works as follows:

Assign to VLAN Action Applied- Endpoint is moved to quarantine VLAN (switch running config is updated)

Assign to VLAN Action Removed- CounterACT wants to restore the original VLAN

Running vs. Startup Config Comparison- CounterACT compares running config to startup config

Restoration- The port is returned to its original VLAN as defined in the startup configuration

Critical Condition:

According to the documentation:

'This happens automatically as long as configuration changes to the switchport access VLAN of affected ports are not saved in the startup config'

This is critical because:

If manual changes are saved to the startup config, CounterACT cannot determine what the 'original' VLAN should be

The startup config must remain unchanged for CounterACT to restore the correct VLAN

The running config changes are temporary and revert to startup config values

Why Other Options Are Incorrect:

A . CounterACT compares the running and startup configs- While true that comparison occurs, the condition is about whether changes are saved to startup, not just comparing

B . Configuration changes...are not changed in the switch running config- Too broad; there can be other running config changes; the specific requirement is about VLAN configuration being saved to startup

C . No configuration changes to the switch are made to the running config- Too strict; other changes can be made; only VLAN switchport access configuration matters

Question 7

The host property 'service banner' is resolved by what function?

APacket engine

BNMAP scanning

CDevice classification engine

DDevice profile library

ENetFlow

Answer : B

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

TheService Bannerhost property is resolved byNMAP scanning. According to theForescout Administration Guide - Advanced Classification Properties, theService Banner property 'Indicates the service and version information, as determined by Nmap'.

Service Banner Property:

The Service Banner is anAdvanced Classification Propertythat captures critical service identification information:

Purpose- Identifies running services and their versions on endpoints

Resolution Method- Uses NMAP banner scanning functionality

Information Provided- Service name and version numbers (e.g., 'Apache 2.4.41', 'OpenSSH 7.6')

NMAP Banner Scanning Configuration:

According to theHPS Inspection Engine Configuration Guide, the Service Banner is specifically resolved when'Use Nmap Banner Scan' option is selected:

WhenUse Nmap Banner Scanis enabled, the HPS Inspection Engine usesNMAP banner scans to improve the resolution of device services, application versions, and other details that help classify endpoints.

NMAP Banner Scan Process:

According to the CounterACT HPS Inspection Engine Guide, when NMAP banner scanning is enabled:

text

NMAP command line parameters for banner scan:

-T Insane -sV -p T: 21,22,23,53,80,135,88,1723,3389,5900

The-sVparameter specifically performsversion detection, which resolves the Service Banner property by scanning open ports and identifying service banners returned by those services.

Classification Process:

The Service Banner property is resolved through the following workflow:

Port Detection- Forescout identifies open ports on the endpoint

Banner Scanning- NMAP sends requests to identified ports

Service Identification- Services respond with banner information containing version data

Property Resolution- The Service Banner property is populated with the version information discovered

Why Other Options Are Incorrect:

A . Packet engine- The Packet Engine provides network visibility through port mirroring, but does not resolve service banners through deep packet inspection

C . Device classification engine- While involved in overall classification, the Device Classification Engine doesn't specifically resolve service banners; NMAP does

D . Device profile library- The Device Profile Library contains pre-defined classification profiles but doesn't actively scan for service banners

E . NetFlow- NetFlow provides network flow data and statistics, but cannot determine service version information

Service Banner Examples:

Service Banner property values resolved by NMAP scanning include:

Apache/2.4.41 (Ubuntu)

OpenSSH 7.6p1

Microsoft-IIS/10.0

nginx/1.17.0

MySQL/5.7.26-0ubuntu0.18.04.1

NMAP Scanning Requirements:

According to the documentation:

NMAP Banner Scan must beexplicitly enabledin HPS Inspection Engine configuration

Banner scanning targets specific ports typically associated with common services

Service version information improves endpoint classification accuracy

Referenced Documentation:

Forescout Administration Guide - Advanced Classification Properties

HPS Inspection Engine - Configure Classification Utility

CounterACT Endpoint Module HPS Inspection Engine Configuration Guide Version 10.8

NMAP Scan Logs documentation