Practice 350-701 Network Security questions with full explanations on every answer.
1. An engineer is configuring a Cisco ASA and needs to ensure that traffic from the outside interface to a web server on the DMZ is allowed. The inside interface is security level 100 and the DMZ is level 50. The outside interface is level 0. Which statement about the default traffic flow is true?
2. A network administrator is configuring NAT on a Cisco ASA to allow internal users to access the internet using a single public IP address. The internal network uses RFC 1918 addresses. Which type of NAT should be configured?
3. An engineer is configuring a Modular Policy Framework (MPF) on a Cisco ASA to inspect HTTP traffic and apply QoS. The engineer creates a class-map to match HTTP traffic using the 'match port tcp 80' command. However, the policy is not being applied correctly. What is the most likely reason?
4. A company uses Cisco Firepower Threat Defense (FTD) managed by FMC. They need to create an access control policy that allows traffic from specific source IPs to a web server, but blocks all other traffic. How should the rule base be ordered?
5. A security administrator is investigating an alert from an IPS that detected a SQL injection attempt. The alert was triggered by a signature that looks for specific patterns in the traffic. What type of detection method is this?
6. A Cisco Firepower administrator configures an access control policy with a rule that trusts traffic from a specific source network. What is the effect of the trust action on the traffic?
7. An engineer is deploying a Cisco FTD in inline mode and wants to inspect SSL/TLS traffic using the 'decrypt-resign' action. What must be configured on the client devices to avoid certificate errors?
8. A company is deploying Cisco AnyConnect SSL VPN and wants to enforce different access policies based on the endpoint's antivirus status. Which feature should be used?
9. A Cisco ASA is configured with a site-to-site VPN using IKEv2. Which component defines the encryption and authentication algorithms for the IPsec tunnel?
10. A security analyst is tuning Snort rules to reduce false positives. The analyst identifies a rule that triggers on a common benign application. Which action should be taken to suppress alerts for that specific traffic without disabling the rule entirely?
11. An engineer configures a Cisco FTD in a high-availability pair with active/standby failover. The primary unit fails, and the standby takes over. After the primary recovers, what must be done to ensure it resumes as active?
12. A company uses Cisco Firepower with FMC and wants to block access to social media websites for all users. Which feature should be used to create this policy?
13. A Cisco FTD is deployed in inline mode and configured with an access control policy. The policy includes rules with actions: Trust, Allow, Block, and Interactive Block. Which two statements about these actions are correct? (Choose two.)
14. An engineer is configuring a Cisco ASA to support a DMZ segment. Which three of the following are best practices for DMZ design? (Choose three.)
15. A network engineer is configuring site-to-site IPsec VPN on a Cisco ASA using IKEv2. Which two components are required for IKEv2 configuration? (Choose two.)
16. An administrator configures a Cisco ASA with an interface named 'inside' at security level 100 and 'outside' at security level 0. Which statement about traffic flow is true?
17. A network engineer is configuring NAT on a Cisco ASA for internal servers to be accessible from the internet. One server (10.1.1.10) must always be reachable via a fixed public IP (203.0.113.10). Which NAT type should be used?
18. An engineer is configuring an access control policy on Cisco FMC for FTD. The policy must allow HTTP traffic from the inside zone to the outside zone, but block all other traffic. Which rule configuration is correct?
19. Which Snort rule action causes the FTD to drop a packet and generate an alert?
20. A Cisco FTD device is deployed in inline mode and configured with an SSL policy to decrypt traffic. The policy uses 'Decrypt - Known Key' for traffic to an internal server. What is required for this decryption to work?
21. An organization needs to inspect traffic between two internal zones (e.g., HR and IT) on a Cisco FTD. Which deployment mode is appropriate?
22. An administrator is configuring a site-to-site IKEv2 VPN between two Cisco ASAs. Which configuration component defines the encryption and authentication algorithms for the IPsec SA?
23. What is the primary difference between signature-based and anomaly-based intrusion detection?
24. An organization deploys Cisco FTD in a high-availability pair using active/standby. If the active unit fails, what happens to existing connections?
25. A Cisco FMC administrator needs to create a file policy to detect malware in HTTP downloads. The policy should allow the file to be delivered if it is known clean, block if known malicious, and allow but capture for analysis if unknown. Which combination of actions is required?
26. Which Cisco FTD feature provides application visibility and control (AVC) to identify and block applications like Facebook or Skype?
27. An administrator configures a Cisco ASA with a DMZ interface at security level 50. Traffic from the inside (level 100) to the DMZ (level 50) is allowed by default. What additional configuration is needed to allow traffic from the DMZ to the inside?
28. A security engineer is tuning Snort rules on a Cisco FTD to reduce false positives. Which action should be taken if a rule is generating alerts for legitimate traffic?
29. An organization uses Cisco AnyConnect SSL VPN with DTLS enabled. What is the primary benefit of DTLS?
30. A network architect is designing a DMZ for a web server that must be accessible from the internet. The server should not initiate connections to the internal network. Which firewall rule best achieves this?
31. An administrator is configuring Dynamic Access Policies (DAP) on a Cisco ASA for AnyConnect VPN. Which two attributes can be used to create DAP rules? (Choose two.)
32. A Cisco FTD is configured with an access control policy that includes an intrusion policy. Which three actions can be set in an access control rule regarding intrusion inspection? (Choose three.)
33. An organization is planning to deploy Cisco FTD in a high-availability pair. Which two statements about active/active failover are true? (Choose two.)
34. A security administrator is configuring URL filtering on Cisco FTD. Which three categories are commonly used in URL filtering policies? (Choose three.)
35. An engineer is configuring a Cisco ASA for site-to-site IKEv2 VPN with a VTI. Which two statements about VTI are true? (Choose two.)
36. An engineer is configuring an ASA to allow inbound HTTP traffic from the outside to a server on the DMZ. The outside interface has security level 0 and the DMZ interface has security level 50. Which set of commands correctly implements the required access and NAT?
37. A security administrator is configuring a Cisco FTD device using FMC. The goal is to block traffic from a specific country and allow all other traffic. Which action should be taken in the access control policy?
38. On a Cisco ASA, which table holds information about translated addresses for active connections?
39. An engineer is tuning Snort signatures on a Cisco FTD to reduce false positives. A rule triggers on legitimate traffic that matches a known exploit pattern but is actually benign. Which tuning technique would be most appropriate to suppress the alerts without completely disabling the rule?
40. A company uses Cisco AnyConnect for remote access VPN. They want to allow only specific Active Directory groups to access the corporate network. Which feature on the ASA or FTD should be configured to enforce this?
41. A Cisco FTD is deployed in inline mode and is configured with a file policy to detect malware. When a file is transferred, the FTD computes a SHA-256 hash and checks it against AMP cloud. The cloud returns 'unavailable' for the hash. What action will the FTD take by default?
42. Which type of VPN on Cisco ASA is typically used for site-to-site connectivity and encrypts all traffic between two sites?
43. An organization has a Cisco ASA with two interfaces: inside (security 100) and outside (security 0). They want to allow traffic from inside to outside without NAT for a specific subnet. Which configuration achieves this?
44. A security analyst is monitoring the Cisco FMC and notices a high number of false positives from an intrusion rule that detects SQL injection attempts. The legitimate web application frequently generates similar patterns. Which course of action would reduce false positives while maintaining detection for actual attacks?
45. Which of the following is a characteristic of a stateful firewall like Cisco ASA?
46. A Cisco FTD is configured with SSL/TLS inspection using the 'decrypt-known-key' method. Which traffic can be decrypted with this method?
47. A network engineer is deploying a Cisco FTD in active/standby high availability. Which statement is true about the configuration synchronization?
48. A security administrator is deploying a Cisco ASA in a DMZ architecture. The inside interface is security 100, outside interface is security 0, and DMZ interface is security 50. Which TWO statements about traffic flow are correct?
49. A company is designing a network segmentation strategy using firewalls. Which THREE considerations are important for a defense-in-depth approach?
50. A Cisco FTD is configured with an access control policy that includes a rule to allow traffic from a specific source subnet. However, traffic is being blocked. Which TWO possible causes should be checked?
51. Which interface security level is assigned to the inside interface on a Cisco ASA by default?
52. An engineer wants to configure NAT on a Cisco ASA such that multiple internal hosts share a single public IP address when accessing the internet. Which NAT type should be used?
53. A Cisco FTD device managed by FMC is processing traffic. An access control rule is configured with the action 'Interactive Block'. What behavior does this action trigger?
54. In a Snort intrusion detection rule, which part specifies the action to take when the rule matches?
55. An organization wants to deploy Cisco Firepower in a high-availability pair with active/standby failover. Which management solution allows this configuration?
56. Which deployment mode allows a Cisco Firepower NGFW to inspect traffic without being in the direct forwarding path?
57. A network engineer is configuring a site-to-site VPN between two Cisco ASAs using IKEv2. Which component defines the encryption and hash algorithms for Phase 2?
58. An engineer observes that the Cisco ASA connection table shows a consistent number of entries for UDP traffic, but the xlate table shows no entries. What is the most likely reason?
59. Which Cisco Firepower feature uses SHA-256 hashes to determine the disposition of files and block malware?
60. On a Cisco ASA, which command applies a policy-map globally to all interfaces?
61. A Cisco FTD device is configured with an SSL decryption rule using 'Decrypt - Known Key'. In which scenario is this action appropriate?
62. In Cisco ASA modular policy framework, what is the function of a class-map?
63. A security analyst is tuning Snort IPS rules to reduce false positives. Which TWO strategies are effective?
64. An engineer is configuring a Cisco AnyConnect SSL VPN for remote access. Which TWO features are commonly used to control access based on endpoint security posture?
65. A company wants to deploy a DMZ segment accessible from the internet. Which THREE considerations are critical for firewall zone design and security?
66. An engineer is configuring a Cisco ASA to allow traffic from the inside (security level 100) to the outside (security level 0). They create an access list permitting HTTP traffic from inside to outside and apply it to the inside interface inbound. What is the expected behavior?
67. A network administrator is configuring site-to-site IPsec VPN between two Cisco ASAs using IKEv2. They want to ensure that only specific subnets are encrypted, using Virtual Tunnel Interface (VTI). Which configuration element is essential for VTI?
68. A Cisco FTD device is deployed in inline mode and is configured with an access control policy that includes an Intrusion Policy set to 'Balanced Security and Connectivity' and a File Policy with Malware & File blocking enabled. Traffic from a host inside to an external server is allowed by an access control rule. The administrator notices that a file download (PDF) is being blocked even though the file has a good reputation. What is the most likely cause?
69. An organization is deploying Cisco Firepower Threat Defense (FTD) in a high-availability (HA) pair in active/standby mode. Which statement about state synchronization is true?
70. A security analyst is reviewing Snort rule output and sees an alert with the following details: action: alert, protocol: tcp, src: any, dst: any, content: 'malicious'. What type of detection is this rule using?
71. A company uses Cisco Firepower Management Center (FMC) to manage multiple FTD devices. They want to create an access control policy that allows traffic from a specific user group (Active Directory) to access a web server on the internet, but blocks all other traffic from that group to the internet. Which identity source should be configured in FMC?
72. An engineer is configuring Dynamic Access Policy (DAP) on an ASA for AnyConnect VPN. They want to assign different access policies based on the client's anti-virus status and device posture. What must be configured to obtain this information?
73. A Cisco FTD sensor is deployed in passive mode (IDS) and is receiving traffic via a network tap. The access control policy is configured with an intrusion policy set to 'Security over Connectivity'. However, the administrator notices that the sensor is not generating alerts for some attacks that were identified by a previous inline sensor. What is the most likely reason?
74. Which NAT type on a Cisco ASA translates both the source and destination IP addresses and is typically used to allow external hosts to access internal servers?
75. A network architect is designing a DMZ for a web server farm. The ASA firewall will have three interfaces: inside (level 100), DMZ (level 50), and outside (level 0). They want to allow HTTP traffic from the internet to the DMZ web servers and also allow the web servers to initiate connections to the inside for database updates. What is the minimal ACL configuration to achieve this?
76. A Cisco FTD administrator is configuring SSL/TLS inspection. They want to inspect encrypted traffic to an external website that uses a certificate signed by a public CA. Which SSL/TLS inspection action should be used to decrypt this traffic?
77. An organization is deploying Cisco AnyConnect VPN with split tunneling. They want to ensure that only traffic destined for the corporate network goes through the VPN tunnel, while internet-bound traffic goes directly. Which configuration element on the ASA controls this?
78. Which Cisco Firepower management option is used for on-box management of a single FTD device, without a separate management center?
79. A security engineer is tuning an IPS to reduce false positives. They notice that legitimate traffic is triggering a signature for a worm that uses a specific HTTP GET request. The engineer wants to disable the signature for that specific traffic pattern but keep it enabled for other traffic. What is the best approach?
80. A Cisco FTD device is configured with an access control policy that has multiple rules. The first rule is 'Allow' for all traffic from the internal network to the internet. The second rule is 'Block' for traffic from a specific internal host to any destination. However, the administrator notices that the specific host can still access the internet. What is the most likely cause?
81. A security administrator is configuring a Cisco Firepower system for network discovery and wants to identify hosts and services on the network. Which two actions must be configured to enable network discovery? (Choose two.)
82. A company is using Cisco ASA with AnyConnect VPN. They want to implement Dynamic Access Policy (DAP) to enforce access based on device compliance. Which two attributes can DAP use to evaluate endpoint posture? (Choose two.)
83. A network engineer is configuring a Cisco ASA to use the Modular Policy Framework (MPF) for advanced traffic inspection. Which three components are part of the MPF? (Choose three.)
84. Which two actions are valid actions in a Cisco Firepower access control rule? (Choose two.)
85. A security analyst is investigating a potential intrusion and suspects that the IPS is missing some attacks (false negatives). Which two factors can contribute to false negatives in signature-based IPS? (Choose two.)
86. An engineer configures a Cisco ASA firewall with three interfaces: inside (security level 100), outside (security level 0), and DMZ (security level 50). Traffic from the inside network to the DMZ network is sourced from 10.1.1.0/24 and destined to 192.168.1.0/24. The inside interface is configured with IP 10.1.1.1, DMZ interface with IP 192.168.1.1. An ACL on the inside interface permits IP traffic from 10.1.1.0/24 to 192.168.1.0/24. What happens when a packet from 10.1.1.10 to 192.168.1.10 arrives at the inside interface?
87. A network administrator is configuring site-to-site VPN between two Cisco ASA firewalls using IKEv2. The administrator wants to ensure that the VPN tunnel uses the most secure encryption algorithm available. Which encryption algorithm should be selected in the IKEv2 proposal?
88. Which statement accurately describes the difference between signature-based and anomaly-based intrusion detection?
89. An engineer is configuring Cisco Firepower Threat Defense (FTD) in inline NGFW mode. The access control policy must block all traffic from geolocation 'North Korea' and allow all other traffic. Which type of rule should be used and in what order should it be placed?
90. In Cisco Firepower Management Center (FMC), which action in an access control rule will send a TCP RST to the source and destination and log the event?
91. A Cisco ASA is configured with dynamic PAT to translate internal addresses to a single outside IP address. A user on the inside initiates a connection to an external web server. The ASA creates a connection entry. Which table is checked first when a return packet arrives from the web server?
92. An FTD device is deployed in passive mode. Which statement about its traffic processing is true?
93. A Cisco ASA has three interfaces: inside (100), outside (0), and DMZ (50). A static NAT rule is configured to map the DMZ server 10.1.1.10 to outside address 200.1.1.10. An ACL on the outside interface permits traffic to 200.1.1.10. A host on the internet sends a packet to 200.1.1.10. What happens when the packet hits the outside interface?
94. Which of the following is a benefit of using Dynamic Access Policy (DAP) for AnyConnect SSL VPN?
95. An engineer configures a Cisco ASA in a DMZ architecture. The DMZ hosts web servers that need to be accessible from the internet. Which security level should be assigned to the DMZ interface to ensure proper traffic flow without additional ACLs for return traffic?
96. In Cisco Firepower, a file policy is configured with a rule that detects malware. The action is set to 'Malware Cloud Lookup'. What happens if the SHA-256 hash of a file is unknown to the AMP cloud?
97. Which component of a Snort rule specifies the action to take when the rule conditions are matched?
98. An engineer wants to configure high availability on a pair of Cisco Firepower Threat Defense (FTD) devices. Which HA mode supports active/standby failover with stateful replication of connection information?
99. In Cisco Firepower, an access control policy has multiple rules. Rule 1: Allow HTTP from any to any. Rule 2: Block HTTP from 10.0.0.0/8 to any. A packet from 10.0.0.1 to 192.168.1.1 with destination port 80 is inspected. What action is taken?
100. Which of the following is a characteristic of a 'false negative' in intrusion detection?
101. A network security engineer is configuring Cisco ASA for remote access VPN using AnyConnect. Which two components must be configured to enable split tunneling? (Choose two.)
102. An engineer is deploying Cisco Firepower Threat Defense (FTD) in inline mode and needs to decrypt SSL traffic for inspection. Which two methods are supported by FTD for SSL decryption? (Choose two.)
103. Which three actions are available in a Cisco Firepower access control rule? (Choose three.)
104. An engineer needs to allow inbound HTTP traffic from the internet to a web server in the DMZ on a Cisco ASA. The DMZ interface security level is 50, and the outside interface is 0. Which interface direction should the access control entry be applied?
105. A network administrator is configuring a site-to-site VPN between two Cisco ASA firewalls using IKEv2. Which component defines the encryption and authentication algorithms for the IPsec SA?
106. A security analyst notices a high number of false positives from an intrusion detection system (IDS) using signature-based detection. Which action would best reduce false positives while maintaining detection of real threats?
107. A Cisco FTD device is deployed inline and configured with an access control policy that includes a rule to block traffic from a specific source IP address. However, traffic from that IP is still passing through. What is the most likely cause?
108. On a Cisco ASA, which NAT type allows multiple internal hosts to share a single public IP address by using different source ports?
109. A company uses a Cisco FMC to manage multiple FTD devices. They want to decrypt SSL/TLS traffic from internal users to external websites using a known private key. Which SSL decryption method should they use?
110. A security engineer is configuring a Cisco FTD high availability pair in active/standby mode. Which statement is true about the failover configuration?
111. A Cisco ASA is configured with a modular policy framework to inspect HTTP traffic. The class-map matches HTTP traffic, and the policy-map applies inspection. Which command correctly applies the policy to an interface?
112. Which Cisco Firepower management option allows direct device management without a separate server, using a web interface on the FTD itself?
113. An engineer wants to block traffic from a specific country on a Cisco FTD. Which feature should be used in the access control policy?
114. A Cisco FTD is configured with a file policy to detect malware. The policy includes a rule to block files with a SHA-256 hash that is known to be malicious. Which component provides the SHA-256 disposition?
115. Which VPN technology allows Cisco AnyConnect clients to use UDP for transport to avoid TCP overhead and improve performance?
116. A Cisco FTD is deployed in a data center and needs to provide intrusion prevention and application control. Which two actions are available in an access control rule? (Choose two.)
117. An engineer is tuning an IPS on a Cisco FTD to reduce false positives. Which three techniques are effective? (Choose three.)
118. A company uses Cisco AnyConnect for remote access VPN. Which two components are used to enforce policies based on endpoint posture? (Choose two.)
119. An engineer is configuring a Cisco ASA to allow inbound HTTPS traffic from the outside to a web server on the DMZ. The outside interface has security level 0, the DMZ interface has security level 50, and the inside has security level 100. Which set of commands correctly allows the traffic considering stateful inspection?
120. A Cisco FTD device is deployed in passive mode. The security team wants to block malicious traffic without affecting legitimate traffic. Which action should be used in the access control policy rule?
121. An organization is using Cisco FMC with FTD devices. They want to detect and block malware in HTTP traffic. Which policy component must be configured to inspect files and submit SHA-256 hashes to AMP cloud for disposition?
122. Which of the following is a characteristic of anomaly-based intrusion detection compared to signature-based detection?
123. A network security engineer is configuring site-to-site IPsec VPN between two Cisco ASA firewalls using IKEv2. Which of the following configuration elements is required to define the encryption and integrity algorithms for the IPsec SA?
124. An administrator configures a Cisco ASA with the following Modular Policy Framework (MPF) commands: class-map type inspect http match any policy-map type inspect http http_policy parameters protocol-violation action reset service-policy http_policy global What is the result of this configuration?
125. In a Cisco FTD deployment, which management option allows on-box management without the need for a separate FMC server?
The Network Security domain covers the key concepts tested in this area of the 350-701 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 350-701 domains — no account required.
The Courseiva 350-701 question bank contains 125 questions in the Network Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.