When using the "Assign to VLAN" action, why might it be useful to have a policy to record the original VLAN?
Select one:
A. Since CounterACT reads the startup config to find the original VLAN, network administrators making changes to switch running configs could overwrite this VLAN information
B. Since CounterACT reads the running config to find the original VLAN, network administrators saving configuration changes to switches could overwrite this VLAN information
C. Since CounterACT reads the running config to find the original VLAN, network administrators making changes to switch running configs could overwrite this VLAN information
D. Since CounterACT reads the running config to find the original VLAN, any changes to switch running configs could overwrite this VLAN information
E. Since CounterACT reads the startup config to find the original VLAN, network administrators saving configuration changes to switches could overwrite this VLAN information
According to the Forescout Switch Plugin documentation, the correct answer is: "Since CounterACT reads the running config to find the original VLAN, any changes to switch running configs could overwrite this VLAN information".
Why Recording Original VLAN is Important:
According to the documentation:
When CounterACT assigns an endpoint to a quarantine VLAN:
Reading Original VLAN - CounterACT reads the switch running configuration to determine the original VLAN
Temporary Change - The endpoint is moved to the quarantine VLAN
Restoration Issue - If network administrators save configuration changes to the running config, CounterACT's reference to the original VLAN may be overwritten
Solution - Recording the original VLAN in a policy ensures you have a backup reference
Why Option D is the Most Accurate:
Option D states the key issue clearly: "any changes to switch running configs could overwrite this VLAN information." This is the most comprehensive and accurate statement because it acknowledges that ANY changes (not just those by administrators specifically) could cause the issue.
What is required for CounterACT to parse DHCP traffic?
A. Must see symmetrical traffic
B. The enterprise manager must see DHCP traffic
C. DNS client must be running
D. DHCP classifier must be running
E. Plugin located in Network module
Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:
According to the Forescout DHCP Classifier Plugin Configuration Guide Version 2.1, the DHCP Classifier Plugin must be running for CounterACT to parse DHCP traffic. The documentation explicitly states:
"For endpoint DHCP classification, the DHCP Classifier Plugin must be running on a CounterACT device capable of receiving the DHCP client requests."
DHCP Classifier Plugin Function:
The DHCP Classifier Plugin is a component of the Forescout Core Extensions Module. According to the official documentation:
"The DHCP Classifier Plugin extracts host information from DHCP messages. Hosts communicate with DHCP servers to acquire and maintain their network addresses. CounterACT extracts host information from DHCP message packets, and uses DHCP fingerprinting to determine the operating system and other host configuration information."
How the DHCP Classifier Plugin Works:
According to the configuration guide:
Plugin is Passive - "The plugin is passive, and does not intervene with the underlying DHCP exchange"
Inspects Client Requests - "It inspects the client request messages (DHCP fingerprint) to propagate DHCP information about the connected client to CounterACT"
Extracts Properties - Extracts properties like:
Operating system fingerprint
Device hostname
Vendor/device class information
Other host configuration data
DHCP Traffic Detection Methods:
The DHCP Classifier Plugin can detect DHCP traffic through multiple methods:
Direct Monitoring - The CounterACT device monitors DHCP broadcast messages from the same IP subnet
Mirrored Traffic - Receives mirrored traffic from DHCP directly
Replicated Messages - Receives DHCP requests forwarded/replicated from network devices
DHCP Relay Configuration - Receives explicitly relayed DHCP requests from DHCP relays
Plugin Requirements:
According to the documentation:
"No plugin configuration is required."
However, the plugin must be running on at least one CounterACT device for DHCP parsing to occur.
Why Other Options Are Incorrect:
A. Must see symmetrical traffic - While symmetrical network monitoring helps, it's not the requirement; the specific requirement is that the DHCP Classifier Plugin must be running
B. The enterprise manager must see DHCP traffic - Any CounterACT device capable of receiving DHCP traffic can parse it, not just the Enterprise Manager
C. DNS client must be running - DNS services are not required for DHCP parsing; they are separate services
E. Plugin located in Network module - The DHCP Classifier Plugin is part of the Core Extensions Module, not the Network module
DHCP Classifier Plugin as Part of Core Extensions Module:
According to the documentation:
"DHCP Classifier Plugin: Extracts host information from DHCP messages."
The DHCP Classifier Plugin is installed with and part of the Forescout Core Extensions Module, which includes multiple components:
Advanced Tools Plugin
CEF Plugin
DHCP Classifier Plugin
DNS Client Plugin
Device Classification Engine
And others
Referenced Documentation:
Forescout DHCP Classifier Plugin Configuration Guide Version 2.1
About the DHCP Classifier Plugin documentation
Port Mirroring Information Based on Specific Protocols
Forescout Platform Base Modules
Which of the following is true regarding CounterACT 8 FLEXX Licensing?
A. CounterACT 8 can be installed on all CTxx and 51xx models.
B. Disaster Recovery is used for member appliances.
C. For member appliances, HA and Failover Clustering are part of Resiliency licensing.
D. Changing the licensing of the deployment from Per Appliance Licensing to FLEXX Licensing can be done through the Customer Portal.
E. Failover Clustering is used with EM and RM.
Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:
According to the Forescout Licensing and Sizing Guide and Failover Clustering Licensing Requirements documentation, the correct statement is: For member appliances, HA and Failover Clustering are part of Resiliency licensing.
Resiliency Licensing for Member Appliances:
According to the Failover Clustering Licensing Requirements documentation:
"To begin working with Failover Clustering, you need a license for the feature. The license required depends on which licensing mode your deployment is using."
When using FLEXX licensing with member appliances:
High Availability (HA) - Part of Resiliency licensing
Failover Clustering - Part of Resiliency licensing (called "eyeRecover License")
Disaster Recovery - Separate from member appliance resiliency
Resiliency License Components:
According to the documentation:
"When using Flexx licensing, Failover Clustering functionality is supported by the Forescout Platform eyeRecover license (Forescout CounterACT Resiliency license)."
The Resiliency license covers:
For Member Appliances:
High Availability (HA) Pairing
Failover Clustering
For Enterprise Manager:
HA Pairing for EM
FLEXX Licensing Model:
According to the Licensing and Sizing Guide:
"Flexx Licensing: Licenses are independent of hardware appliances, providing an intuitive and flexible way to license, deploy and manage Forescout products across your extended enterprise."
Why Other Options Are Incorrect:
A. Can be installed on all CTxx and 51xx models - FLEXX is for 5100/4100 series and later; CT series supports per-appliance licensing only
B. Disaster Recovery is used for member appliances - Disaster Recovery is separate; member appliances use HA/Failover Clustering from Resiliency license
D. Changing via Customer Portal - Changes from per-appliance to FLEXX must be done through official Forescout channels, not self-service Customer Portal
E. Failover Clustering is used with EM and RM - Failover Clustering is for member appliances; EM has separate HA capability
Referenced Documentation:
Failover Clustering Licensing Requirements v8.4.4 and v9.1.2
Forescout Licensing and Sizing Guide
Switch from Per-Appliance to Flexx Licensing
Which of the following is the SMB protocol version required to manage Windows XP or Windows Vista endpoints?
A. SMB V3.1.1
B. SMB V1.0
C. SMB is not required for XP or Vista
D. SMB V2.0
E. SMB V3.0
Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:
According to the Forescout HPS Inspection Engine Configuration Guide and Microsoft SMB Protocol documentation, the SMB protocol version required to manage Windows XP or Windows Vista endpoints is SMB V1.0.
SMB Version Timeline:
According to the Microsoft documentation and Forescout requirements:
Windows Version - SMB Support
Windows XP - SMB 1.0 only
Windows Vista - SMB 1.0 and SMB 2.0
Windows 7 - SMB 1.0, SMB 2.0, and SMB 2.1
Windows 8/Server 2012 - SMB 2.0, SMB 2.1, and SMB 3.0
Windows 10 - SMB 2.1 and SMB 3.x
Windows XP and Vista SMB Requirements:
According to Forescout documentation:
The documentation explicitly states:
"When you require SMB signing, Remote Inspection can no longer be used to manage endpoints that cannot work with SMB signing, for example: Old Windows XP/Server 2003 systems"
This indicates that Windows XP requires SMB support, specifically SMB 1.0, which doesn't support modern SMB signing requirements.
SMB Version Negotiation:
According to the official documentation:
When a Forescout CounterACT appliance connects to an endpoint:
Version Negotiation - Both client and server advertise their supported SMB versions
Highest Common Version Selected - The highest version supported by BOTH is used
Fallback Behavior - If SMB 2.0 is available on Vista but not supported by CounterACT, it falls back to SMB 1.0
For Windows XP (SMB 1.0 only) and Windows Vista (SMB 1.0/2.0):
Minimum Required: SMB 1.0
Maximum Supported: SMB 2.0 (Vista only)
Port Requirements for SMB 1.0:
According to the Forescout documentation:
For Windows XP and Vista endpoints using SMB 1.0:
Port 139/TCP must be available
(Port 445/TCP is used for Windows 7 and above)
Historical Context:
According to the documentation:
SMB 1.0 was the original protocol used by Windows 2000, NT, and earlier versions
Windows Vista SP1 and Windows Server 2008 introduced SMB 2.0
SMB 1.0 is considered legacy and insecure (no encryption, subject to security vulnerabilities)
Microsoft recommends disabling SMB 1.0 in modern networks
However, for legacy Windows XP and early Vista systems, SMB 1.0 is the only option.
Why Other Options Are Incorrect:
A. SMB V3.1.1 - This is the latest version, introduced with Windows Server 2016 and Windows 10; not supported on XP or Vista
C. SMB is not required for XP or Vista - Incorrect; SMB is essential for Windows manageability and script execution
D. SMB V2.0 - While Vista supports SMB 2.0, Windows XP does NOT; only SMB 1.0 works on both
E. SMB V3.0 - This requires Windows 8/Server 2012 or later; not supported on XP or Vista
Legacy Endpoint Management Considerations:
According to the documentation:
For legacy endpoints requiring SMB 1.0:
Cannot require SMB signing (not supported in SMB 1.0)
Must allow unencrypted SMB communication
Should be isolated on network segments with security controls
Represents security risk due to SMB 1.0 vulnerabilities
Referenced Documentation:
Forescout HPS Inspection Engine - About SMB documentation
Operational Requirements - Port requirements
Microsoft - SMB Protocol Versions and Requirements
Microsoft - Detect, Enable, and Disable SMBv1, SMBv2, and SMBv3 in Windows
Copyright © 2021-2025 CertsTopics. All Rights Reserved