© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.


Cisco · Free Practice Questions · Last reviewed May 2026

350-701 Exam Questions and Answers

36 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

90 exam questions
120 min time limit
Pass: Variable
6 exam domains
Exam domains covered:
1. Endpoint Protection and Detection
2. Secure Network Access, Visibility and Enforcement
3. Security Concepts
4. Network Security
5. Cloud Security
6. Content Security

Domain 1: Endpoint Protection and Detection

Q1 (medium)

A security administrator notices that several endpoints in the finance department are exhibiting unusual network behavior, including connections to known malicious IP addresses. The administrator has deployed Cisco Secure Endpoint (formerly AMP for Endpoints) with TETRA and has enabled the built-in firewall. What is the best course of action to quickly identify the root cause and contain the threat?

A. Disable the built-in firewall on the endpoints to allow full traffic inspection by the TETRA engine.
B. Use the Cisco Secure Endpoint console to review the TETRA engine's real-time traffic analysis and isolate the affected endpoints.
   Correct: TETRA provides real-time traffic analysis; the console allows immediate visibility and isolation.
C. Wait for the weekly threat report from Cisco Talos to identify the malware family and then apply a signature update.
D. Uninstall the Cisco Secure Endpoint connector and reinstall it with a fresh policy.

Why: Option B is correct because Cisco Secure Endpoint with TETRA provides real-time traffic analysis and endpoint isolation capabilities directly from the console. The TETRA engine inspects network flows using behavioral analysis and machine learning, and the administrator can immediately isolate affected endpoints to prevent lateral movement while reviewing the root cause.
Q2 (easy)

An organization wants to prevent malware from executing on endpoints by using a file reputation service. Which Cisco technology provides cloud-based file reputation and analysis for endpoint protection?

A. Cisco Stealthwatch
B. Cisco Identity Services Engine (ISE)
C. Cisco Firepower NGFW
D. Cisco Secure Endpoint (AMP for Endpoints)
   Correct: Cisco Secure Endpoint provides cloud-based file reputation and analysis.

Why: Cisco Secure Endpoint (formerly AMP for Endpoints) is the correct answer because it provides cloud-based file reputation and analysis through its Advanced Malware Protection (AMP) cloud. This service uses global threat intelligence and machine learning to analyze file behavior, assign reputation scores, and block or quarantine malicious files on endpoints in real time.
Q3 (hard)

A security engineer is troubleshooting an issue where a known malicious file (SHA-256: 3a7c...f9e) is not being detected by Cisco Secure Endpoint on a Windows 10 endpoint. The file was downloaded from the internet. The policy has the 'File Reputation' setting set to 'Use cloud lookup', and the 'Exploit Prevention' module is enabled. The endpoint is connected to the internet and can reach the AMP cloud. What is the most likely reason for the missed detection?

A. The endpoint was offline when the file was first written to disk, so the cloud lookup was skipped.
   Correct: If the endpoint was offline during file download, the initial cloud lookup is skipped, and the file is allowed.
B. Windows Defender Real-time Protection is interfering with the AMP connector.
C. The Exploit Prevention module is blocking the cloud lookup process.
D. The AMP cloud license has expired for the organization.

Why: Option A is correct because Cisco Secure Endpoint's 'File Reputation' with 'Use cloud lookup' requires the endpoint to be online at the moment the file is written to disk. If the endpoint was offline during that critical window, the connector cannot perform the SHA-256 cloud lookup against the AMP cloud, and the file is not evaluated for maliciousness. The file remains undetected until a subsequent scan or event triggers a new lookup, which may not happen automatically.
Q4 (hard)

A security analyst is investigating an alert from Cisco Secure Endpoint indicating that an endpoint has been infected with ransomware. The analyst wants to determine the initial infection vector. Which feature of Cisco Secure Endpoint should the analyst use to trace the chain of events leading to the infection?

A. Orbital Advanced Search
   Correct: Orbital Advanced Search provides retrospective analysis to trace the attack chain.
B. TETRA traffic analysis
C. Windows Event Viewer integration
D. Device Flow Correlation

Why: Orbital Advanced Search is the correct feature because it provides deep forensic visibility into endpoint activity, allowing the analyst to perform advanced queries across files, processes, registry keys, and network connections. This enables tracing the chain of events—such as a malicious email attachment, exploit, or drive-by download—that led to the ransomware infection, by correlating timestamps and process parent-child relationships.
Q5 (medium)

A company is deploying Cisco Secure Endpoint and wants to ensure that endpoints are protected against zero-day exploits. Which two features should be enabled to provide this protection? (Choose two.)

A. File Reputation
B. Exploit Prevention
   Correct: Exploit Prevention protects against exploit techniques used by zero-day attacks.
C. Malware Analytics (sandboxing)
   Correct: Sandboxing analyzes unknown files for malicious behavior.
D. Application Control
E. Device Control

Why: Exploit Prevention (B) is correct because it uses exploit-specific signatures and behavioral monitoring to block common exploitation techniques (e.g., heap spray, ROP, SEH overwrite) without relying on known malware signatures, making it effective against zero-day exploits. Malware Analytics (C) is correct because it detonates suspicious files in a sandboxed environment to analyze behavior and detect previously unknown threats, providing protection against zero-day malware before signatures are available.
Q6 (medium)

A network administrator is configuring endpoint protection policies for a large enterprise. The requirement is to allow only approved software to run on endpoints, while blocking all other executables. Which two Cisco Secure Endpoint features should be configured? (Choose two.)

A. Exploit Prevention
B. Malware Analytics
C. Application Control
   Correct: Application Control allows whitelisting approved software.
D. Lockdown Mode
   Correct: Lockdown Mode prevents execution of unapproved executables.
E. File Reputation

Why: Application Control (C) is correct because it allows administrators to define a whitelist of approved software, blocking all other executables from running on endpoints. Lockdown Mode (D) is correct because it enforces a strict policy where only pre-approved applications can execute, effectively preventing any unapproved software from running. Together, these features provide comprehensive control over executable files in a large enterprise environment.

Domain 2: Secure Network Access, Visibility and Enforcement

Q1 (easy)

A network administrator is configuring Cisco ISE to enforce access control based on user authentication. The company requires that only users who authenticate via Active Directory are allowed access to the corporate wireless network. Which policy should be configured in ISE to accomplish this?

A. Profiling policy
B. Authentication policy
C. Authorization policy
   Correct: Authorization policy defines what access is granted after authentication.
D. Policy set

Why: Option C is correct because authorization policies in Cisco ISE define the access permissions granted to authenticated users, such as allowing or denying network access. In this scenario, after a user authenticates via Active Directory (handled by the authentication policy), the authorization policy evaluates conditions (e.g., AD group membership) to enforce the required access control for the corporate wireless network.
Q2 (medium)

A company uses Cisco ISE for network access control. Users connecting via wired 802.1X are successfully authenticated but cannot reach the internet. The administrator checks the authorization policy and notices that the correct dACL is being applied. What is the most likely cause of the issue?

A. The switchport is configured as dynamic desirable
B. The RADIUS server is not sending the dACL attribute in the Access-Accept
   Correct: If the dACL is not included in the RADIUS response, the switch will not apply it.
C. The switch port MTU is set to 1500 bytes
D. ISE is out of licenses for endpoint devices

Why: The most likely cause is that the RADIUS server (ISE) is not sending the dACL attribute in the Access-Accept packet. Even though the authorization policy applies a dACL, if the RADIUS message does not include the dACL name (e.g., Cisco-AV-Pair = "ip:inacl#100=...") or the switch does not receive it, the switch cannot enforce the filter, leaving the user authenticated but with no internet access due to default deny-all behavior.
Q3 (hard)

An organization is implementing TrustSec to enforce micro-segmentation. The Security Group Tag (SGT) is assigned to a user via ISE after authentication. However, traffic from this user to a server with SGT 5 is being dropped. The administrator checks the SGACL configuration on the switch and finds the following: 'permit ip source 2 destination 5'. What is the most likely reason for the traffic being dropped?

A. The PAC on the switch has expired
B. SXP is not configured between ISE and the switch
C. The CTRL protocol is not enabled on the switch
D. The SGACL defaults to deny if no explicit permit is found for the source-destination SGT pair
   Correct: TrustSec applies an implicit deny; the permit rule exists but perhaps the order or condition is not matched.

Why: The SGACL on the switch explicitly permits traffic from source SGT 2 to destination SGT 5. However, TrustSec SGACLs operate with an implicit deny at the end of the access list. Since the administrator only configured a single permit entry and no explicit permit for the specific source-destination SGT pair being tested, the traffic is dropped by the implicit deny. Option D correctly identifies this default behavior.
Q4 (medium)

A company is deploying Cisco ISE for guest access. They want to provide a self-service portal where guests can register their devices and receive a temporary username and password. Which ISE component is used to accomplish this?

A. BYOD Portal
B. Mobile Device Management (MDM)
C. Guest Portal
   Correct: Guest Portal provides self-service registration and temporary credentials for guests.
D. Profiler Service

Why: C is correct because the Guest Portal in Cisco ISE is specifically designed to provide a self-service registration page where guests can create their own accounts, receive temporary credentials, and gain network access. This portal handles the entire guest lifecycle, including sponsor approval if required, and can deliver the username/password via SMS, email, or on-screen display.
Q5 (hard)

An engineer is troubleshooting a Cisco ISE deployment where some endpoints are not being profiled correctly. The engineer notices that the endpoints are not sending DHCP requests. Which profiling probe should be primarily used to identify these endpoints?

A. NetFlow probe
   Correct: NetFlow probe analyzes traffic flows and can profile endpoints based on IP and port information.
B. DHCP probe
C. HTTP probe
D. DNS probe

Why: The correct answer is A (NetFlow probe) because when endpoints do not send DHCP requests, the DHCP probe cannot collect any data. The NetFlow probe analyzes network traffic flows to identify endpoints based on IP addresses, ports, and protocols, even without DHCP activity. This allows Cisco ISE to profile endpoints by observing their communication patterns, such as HTTP or DNS traffic, which still occur even if DHCP is not used.
Q6 (easy)

A network administrator wants to implement 802.1X on a Cisco switch port for a device that does not support 802.1X. Which feature should be configured to allow the device to connect?

A. 802.1X with EAP-MSCHAPv2
B. Downloadable ACL (dACL)
C. Web Authentication (WA)
D. MAC Authentication Bypass (MAB)
   Correct: MAB allows non-802.1X devices to authenticate using their MAC address.

Why: MAC Authentication Bypass (MAB) is the correct feature because it allows a device that does not support 802.1X supplicant software to authenticate by using its MAC address as the identity. The switch acts as a proxy, sending the MAC address as the username and password to the RADIUS server, which can then grant or deny access based on the MAC address in its database.

Domain 3: Security Concepts

Q1 (medium)

A network security engineer is deploying Cisco Firepower Threat Defense (FTD) in a data center. The requirement is to inspect traffic between two internal VLANs while allowing the firewall to enforce access control policies based on source and destination zones. Which deployment mode should the engineer use?

A. Routed mode
B. Inline mode
C. Transparent mode
   Correct: Transparent mode operates at layer 2, allowing inspection between VLANs without IP renumbering.
D. Hybrid mode

Why: Transparent mode (Layer 2 mode) is correct because the requirement specifies inspecting traffic between two internal VLANs without routing. In transparent mode, the FTD acts as a bridge, forwarding frames based on MAC addresses while enforcing access control policies based on source and destination zones. This allows the firewall to inspect inter-VLAN traffic without requiring IP address changes or acting as a default gateway.
Q2 (hard)

A security architect is designing a zero-trust architecture for a remote workforce using Cisco SD-WAN. The company requires that all traffic between branch sites and the data center is encrypted and authenticated, and that no device can access resources unless it has a valid certificate. Which technology should be used to enforce device identity?

A. 802.1X with EAP-TLS
B. Network Access Control (NAC)
C. Cisco TrustSec
   Correct: TrustSec uses SGTs to enforce access based on device identity and is a key component of zero trust.
D. IPsec VPN

Why: Cisco TrustSec uses Security Group Tags (SGTs) and device identity based on certificates to enforce access control in a zero-trust architecture. It integrates with SD-WAN to ensure that only devices with valid certificates can communicate, meeting the requirement for encrypted and authenticated traffic between branch sites and the data center.
Q3 (easy)

An engineer is troubleshooting a Cisco ASA firewall and notices that traffic from a specific subnet is being dropped. The engineer wants to verify if the drop is due to an access control list (ACL) or an inspection policy. Which command should be used to see the reason for packet drops?

A. show access-list
B. show asp drop
   Correct: Displays packet drop counters with reasons, including ACL and inspection drops.
C. show conn
D. show service-policy

Why: The 'show asp drop' command displays packet drop statistics from the Accelerated Security Path (ASP) on a Cisco ASA. It provides a detailed breakdown of why packets are dropped, including drops due to ACLs, inspection policies, or other security checks. This makes it the correct tool to differentiate between ACL and inspection policy drops.
Q4 (medium)

Which TWO of the following are valid approaches to mitigate ARP spoofing attacks on a switched network?

A. Enable BPDU Guard on all switchports
B. Enable Dynamic ARP Inspection (DAI) on VLANs
   Correct: DAI validates ARP packets and drops invalid ones.
C. Enable IP Source Guard on untrusted ports
   Correct: IP Source Guard filters traffic based on IP-MAC binding, preventing spoofing.
D. Enable Port Security on all access ports
E. Enable DHCP Snooping globally

Why: Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. It relies on a DHCP snooping binding database to map IP addresses to MAC addresses, and it drops ARP packets that have invalid IP-to-MAC bindings, thereby preventing ARP spoofing attacks on a switched network.
Q5 (hard)

Which THREE of the following are key principles of the Cisco Zero Trust security model?

A. Never trust, always verify
   Correct: Core principle of zero trust.
B. Continuous monitoring and validation
   Correct: Constant verification of trust is essential.
C. Implicit trust for internal traffic
D. Perimeter-based security
E. Least privilege access
   Correct: Users and devices get only minimum required access.

Why: Option A is correct because 'Never trust, always verify' is the foundational principle of the Cisco Zero Trust security model, which mandates that no user, device, or network segment is trusted by default, regardless of its location relative to the network perimeter. This principle eliminates implicit trust and requires authentication and authorization for every access request, aligning with the Zero Trust architecture defined in NIST SP 800-207.
Q6 (medium)

Refer to the exhibit. An engineer has configured IP Source Guard and DHCP Snooping. A host with MAC 00:11:22:33:44:55 on Gi0/0 is assigned IP 192.168.1.10 via DHCP. However, the host cannot ping its default gateway 192.168.1.1. What is the most likely cause?

A. The DHCP snooping database is not updated because interface Gi0/1 is not trusted
   Correct: Gi0/1 is not configured as trusted, so DHCP replies from the server are dropped, and the host may not have a valid lease. However, the static binding exists, but dynamic bindings fail.
B. The static IP source binding is configured on the wrong VLAN
C. ARP inspection is not enabled, so the switch drops ARP replies
D. The 'ip verify source' command is missing the 'port-security' keyword

Why: The host cannot ping its default gateway because DHCP Snooping marks interface Gi0/1 as untrusted by default. Since the DHCP server is connected to Gi0/1, the switch drops DHCP replies from that interface, preventing the DHCP snooping binding database from being updated with the host's IP address. Without a valid binding, IP Source Guard on Gi0/0 drops all IP traffic from the host, including pings to the gateway.

Domain 4: Network Security

Q1 (medium)

A network engineer is troubleshooting an issue where users on VLAN 10 cannot access the internet, but they can reach internal resources. The firewall is configured with a default route pointing to the ISP router. The engineer notices that NAT is configured but traffic is not being translated. Which configuration is most likely missing?

A. An ACL to match the traffic to be translated
   Correct: The ACL defines interesting traffic for NAT; without it, no packets are matched for translation.
B. A NAT pool with available public IP addresses
C. Port Address Translation (PAT) configuration
D. A route map to apply NAT based on destination

Why: For NAT to translate traffic, the firewall must know which traffic to translate. An ACL is used to match the source IP addresses (or networks) that should be translated. Without an ACL applied to the NAT rule, the firewall has no criteria to identify traffic from VLAN 10 for translation, so packets are forwarded without NAT, causing internet access to fail while internal routing works.
Q2 (hard)

A security engineer is implementing Cisco Identity Services Engine (ISE) for 802.1X authentication. The requirement is to allow full network access for corporate devices that pass posture assessment, while providing limited access for guest devices. The engineer configures an authorization policy with conditions based on identity group and posture status. However, guest devices are still getting full access. What is the most likely cause?

A. The guest devices are not passing the certificate validation
B. The authorization rule for corporate devices is placed above the guest rule, and guest devices are matching the corporate rule first
   Correct: ISE uses first-match; if guest devices match an earlier rule, they get the associated permissions.
C. MAC Authentication Bypass (MAB) is not enabled for the guest devices
D. The RADIUS attributes for dACL are not being sent correctly

Why: Cisco ISE authorization policies are evaluated in top-down order, and the first matching rule is applied. If the corporate device rule is placed above the guest rule, guest devices that do not meet the posture condition may still match the corporate rule if the condition is not restrictive enough (e.g., if the identity group condition is broad or the posture check is not enforced as a required match). This results in guest devices receiving full access instead of the intended limited access.
Q3 (easy)

A company wants to deploy a site-to-site VPN between two branch offices using Cisco IOS routers. The security policy requires that all traffic between the sites must be encrypted and authenticated using strong encryption. The engineer chooses IPsec with IKEv2. Which IPsec transform set configuration provides the strongest encryption and authentication?

A. transform-set ESP-AES128 ESP-SHA-HMAC
B. transform-set ESP-AES256 ESP-SHA256-HMAC
   Correct: AES-256 and SHA-256 provide strong encryption and authentication.
C. transform-set ESP-DES ESP-MD5-HMAC
D. transform-set ESP-3DES ESP-SHA-HMAC

Why: Option B is correct because it specifies AES-256 encryption, which is the strongest symmetric cipher available in IPsec transform sets, combined with ESP-SHA256-HMAC for integrity and authentication. IKEv2 supports these modern algorithms, and this configuration meets the requirement for strong encryption and authentication.
Q4 (medium)

An engineer is configuring Cisco Firepower Threat Defense (FTD) with a pre-filter policy to block traffic from known malicious IP addresses before it reaches the access control policy. The pre-filter rules are configured to block traffic from the malicious IPs. However, the engineer notices that some traffic from those IPs is still being allowed. What is the most likely reason?

A. A pre-filter rule with a lower priority (higher number) is matching the traffic first and allowing it
   Correct: Pre-filter rules are evaluated in order; if a rule with a lower priority (higher number) matches first, it could allow traffic that should be blocked.
B. The pre-filter rules are configured with the wrong source interface
C. The access control policy is overriding the pre-filter policy
D. The default action for the pre-filter policy is set to 'Allow'

Why: Pre-filter rules are evaluated in order of priority (lower numbers first). If a rule with a higher priority number (lower priority) is configured to allow traffic, it will be matched before a lower-numbered (higher priority) block rule if the allow rule appears earlier in the sequence. This causes the traffic to be permitted before reaching the intended block rule, which is why some malicious IP traffic is still allowed.
Q5 (hard)

A network administrator is configuring Cisco ASA with FirePOWER services. The administrator wants to inspect SSL traffic but is concerned about certificate pinning in modern applications. Which action should the administrator take to ensure that SSL inspection does not break applications that use certificate pinning?

A. Configure SSL inspection to bypass all traffic to avoid any issues
B. Install a custom root CA on all clients and configure the ASA to use that CA
C. Create an SSL decryption rule to exclude traffic from applications known to use certificate pinning
   Correct: Excluding pinned applications prevents the ASA from interfering with certificate validation.
D. Use a decryption policy that decrypts the traffic but does not re-encrypt

Why: Option C is correct because certificate pinning hardcodes the expected certificate or public key within an application. If the ASA decrypts and re-encrypts the traffic using a different certificate (even one signed by a trusted CA), the pinned certificate will not match, causing the application to reject the connection. By creating an SSL decryption rule that excludes traffic from applications known to use certificate pinning, the administrator avoids breaking those applications while still inspecting other SSL traffic.
Q6 (medium)

An engineer applies the ACL shown in the exhibit to the inbound direction of interface GigabitEthernet0/0. The goal is to block all traffic from host 10.1.1.100 to the 192.168.0.0/16 network. However, traffic from 10.1.1.100 to 192.168.1.1 is still being permitted. What is the most likely reason?

A. The deny entry should be placed after the permit entry
B. The ACL should be applied outbound instead of inbound
C. The ACL is applied to the wrong direction; it should be 'out'
D. The traffic from 10.1.1.100 is entering through a different interface
   Correct: If the traffic does not enter via GigabitEthernet0/0, the ACL will not be applied to it.

Why: Option D is correct because ACLs process traffic only on the interface and direction to which they are applied. If the ACL is applied inbound on GigabitEthernet0/0 but the traffic from host 10.1.1.100 to 192.168.1.1 enters through a different interface (e.g., GigabitEthernet0/1), the ACL will never evaluate that traffic, allowing it to pass. This is a fundamental behavior of interface-based ACL filtering in Cisco IOS.

Domain 5: Cloud Security

Q1 (medium)

A company is migrating a web application to AWS and wants to protect against DDoS attacks at the application layer. Which Cisco security solution should they deploy?

A. Cisco Umbrella
B. Cisco WAF (Web Application Firewall)
   Correct: Cisco WAF protects web applications from application-layer DDoS attacks.
C. Cisco Firepower NGFW
D. Cisco Stealthwatch

Why: A Web Application Firewall (WAF) is the correct solution because it specifically inspects and filters HTTP/HTTPS traffic at the application layer (Layer 7), protecting against DDoS attacks such as HTTP floods, SQL injection, and cross-site scripting. Cisco WAF (often delivered via Cisco Secure Web Application or integrated with AWS WAF) can rate-limit requests, block malicious payloads, and enforce positive security models to mitigate application-layer DDoS. This directly addresses the requirement to protect a web application migrating to AWS against Layer 7 attacks.
Q2 (hard)

An organization uses AWS with a VPC and wants to inspect all traffic between instances in the same subnet using Cisco Firepower. What must be implemented?

A. Configure VPC Endpoints to route traffic through Firepower
B. AWS Traffic Mirroring to send traffic to a Firepower appliance
   Correct: Traffic Mirroring copies packets to Firepower for east-west inspection.
C. Use AWS Security Groups and log to Firepower
D. Deploy Firepower as a transparent bridge in the subnet

Why: AWS Traffic Mirroring captures and forwards network traffic from Elastic Network Interfaces (ENIs) to a security appliance, such as a Cisco Firepower instance, for inspection. This allows the organization to monitor all traffic between instances within the same subnet without requiring changes to the routing table or placing the Firepower inline, which is not possible in a VPC without a gateway appliance. Option B is correct because Traffic Mirroring is the native AWS feature designed for out-of-band traffic inspection.
Q3 (easy)

A company is implementing cloud security posture management (CSPM). Which Cisco product provides CSPM capabilities?

A. Cisco Tetration
B. Cisco Firepower
C. Cisco ISE
D. Cisco Cloudlock
   Correct: Cloudlock provides CSPM and CASB capabilities.

Why: Cisco Cloudlock is the correct answer because it is Cisco's cloud-native cloud security posture management (CSPM) solution. It continuously monitors cloud infrastructure (e.g., AWS, Azure, GCP) for misconfigurations, compliance violations, and security risks, providing automated remediation and visibility into cloud security posture. This directly aligns with the CSPM use case described in the question.
Q4 (medium)

A security architect is designing a hybrid cloud with AWS and on-premises data center. They need to enforce consistent security policies across both environments. Which approach is most effective?

A. Deploy separate Cisco Firepower instances in AWS and on-prem, each with independent policies
B. Use Cisco Secure Cloud Analytics (Stealthwatch) with AWS Cloud integration
   Correct: Provides unified visibility and policy enforcement across hybrid environments.
C. Use AWS CloudTrail and AWS Config for on-premises resources
D. Establish a site-to-site VPN and use AWS Security Groups for both environments

Why: Option B is correct because Cisco Secure Cloud Analytics (Stealthwatch) integrates with AWS Cloud via API to ingest flow logs, VPC logs, and NetFlow, enabling centralized visibility and consistent policy enforcement across hybrid environments. This approach avoids policy fragmentation by applying a unified security analytics layer that can detect anomalies and enforce responses in both AWS and on-premises networks without requiring separate policy management.
Q5 (hard)

After deploying a Cisco Cloudlock policy, a user reports that a sanctioned application (Salesforce) is being blocked for file downloads. What is the most likely cause?

A. The Salesforce API token has expired
B. The file being downloaded contains sensitive data flagged by DLP
C. The user's browser is not configured with the corporate proxy
D. The Cloudlock policy for Salesforce is set to 'Block' due to misconfiguration
   Correct: A misconfigured policy can block sanctioned applications.

Why: Option D is correct because Cloudlock policies are configured to enforce actions such as 'Allow', 'Block', or 'Monitor' on sanctioned applications like Salesforce. If a policy is misconfigured to 'Block' for file downloads, Cloudlock will intercept the API call and deny the download regardless of the file's content. This is a common administrative error when setting granular controls for cloud app activities.
Q6 (easy)

An enterprise wants to prevent data exfiltration from its SaaS applications to unauthorized personal cloud storage. Which Cisco solution should be deployed?

A. Cisco Umbrella
B. Cisco Cloudlock [correct]
   Cloudlock, as a CASB, can prevent data exfiltration to unauthorized cloud storage.
C. Cisco Duo
D. Cisco Firepower NGFW

Why: Cisco Cloudlock is the correct solution because it is a cloud-native CASB (Cloud Access Security Broker) specifically designed to protect SaaS applications like Office 365 and Salesforce. It provides data loss prevention (DLP) policies that can detect and block the exfiltration of sensitive data to unauthorized personal cloud storage services by inspecting API traffic and user activities in real time.


Domain 6: Content Security

Q1 (medium)

A company uses Cisco Umbrella to enforce web security. After deploying a new policy that blocks all social media sites, users report that they cannot access a corporate Salesforce instance that uses a social login feature. Which Umbrella setting should be adjusted to resolve the issue without weakening the policy?

A. Create a bypass code for users to access Salesforce
B. Disable the Social Networking category under Content Categories
C. Configure Intelligent Proxy to inspect Salesforce traffic
D. Add Salesforce to the Application Settings allowed list [correct]
   This allows the Salesforce application even if the social networking category is blocked.

Why: Option D is correct because the social login feature for Salesforce is being blocked by the Social Networking content category in Cisco Umbrella. By adding Salesforce to the Application Settings allowed list, you permit the specific application traffic while keeping the broader social media policy intact. This granular control ensures that only the required Salesforce instance bypasses the block, without weakening the overall security posture.
Q2 (hard)

An engineer is troubleshooting a Cisco WSA that is failing to block malware downloads from a specific cloud storage website. The URL filtering policy is set to block the 'Cloud Storage' category, and the Web Reputation score is set to block scores below -5.0. Users can still download files. What is the most likely cause?

A. The file type is not configured for malware inspection [correct]
   Malware inspection only applies to specified file types; if a type is not included, downloads pass through.
B. HTTPS proxy decryption is not configured
C. The L4 Traffic Monitor is not enabled
D. The users are not authenticated

Why: The Cisco WSA can block malware downloads only if it inspects the file content. If the file type is not configured for malware inspection, the WSA will allow the download even if the URL category and reputation score are set to block. This is because malware inspection requires explicit configuration of file types (e.g., .exe, .zip) to scan for threats, and without it, the WSA bypasses deep content analysis.
Q3 (easy)

A network administrator wants to block access to a specific URL category on the Cisco WSA but allow access to all other categories. Which action should be taken in the Access Policy?

A. Set the action to 'Monitor' for the category
B. Set the action to 'Redirect' for the category
C. Set the action to 'Warn' for the category
D. Set the action to 'Block' for the category [correct]
   Block denies access to the category.

Why: To block access to a specific URL category while allowing all others, the Access Policy must set the action for that category to 'Block'. The Cisco WSA evaluates URL categories in order of precedence, and a 'Block' action explicitly denies HTTP/HTTPS requests matching that category, while all other categories default to 'Allow' unless otherwise configured.
Q4 (medium)

An organization is using Cisco ESA to protect against email-borne threats. They notice that some phishing emails are not being caught by the anti-spam engine. The emails contain malicious URLs that are rewritten by the ESA. Which feature should be verified to ensure the rewritten URLs are properly analyzed?

A. Data Loss Prevention (DLP) policies
B. URL filtering and analysis settings [correct]
   This ensures rewritten URLs are analyzed for malicious content.
C. Anti-Virus scanning engine
D. Encryption policies

Why: Option B is correct because the URL filtering and analysis settings control how the Cisco ESA rewrites and subsequently analyzes malicious URLs. When a phishing email contains a malicious URL, the ESA can rewrite the URL to point to its own proxy for real-time analysis. If this feature is not properly configured, or if the analysis settings (such as reputation scoring or time-of-click verification) are disabled, the rewritten URLs may not be inspected, allowing the threat to bypass detection.
Q5 (hard)

A company is deploying Cisco Umbrella to enforce security policies for remote users. They want to ensure that DNS requests from roaming clients are routed through Umbrella's DNS resolvers. However, some users are bypassing Umbrella by using third-party DNS servers like Google (8.8.8.8). Which configuration should be applied to prevent this?

A. Configure Content Filtering to block Google DNS
B. Add a firewall rule on each client to block port 53 to all but Umbrella
C. Enable IP Layer Enforcement in the Umbrella dashboard
D. Enable DNS Policy in the Umbrella roaming client [correct]
   This forces all DNS requests through Umbrella and blocks alternative DNS servers.

Why: Option D is correct because the Umbrella roaming client's DNS Policy feature forces all DNS traffic from the endpoint to use Umbrella's DNS resolvers, even if the user manually configures a third-party DNS server like Google (8.8.8.8). This is achieved by intercepting DNS requests at the OS level and redirecting them to the Umbrella resolvers, effectively preventing bypass attempts without relying on network-level blocks.
Q6 (easy)

A network administrator needs to configure Cisco WSA to decrypt HTTPS traffic for inspection. What is the first step that must be completed?

A. Create a bypass list for internal sites
B. Configure an Access Control List (ACL) to allow decryption
C. Install a Certificate Authority (CA) certificate on the WSA and distribute it to clients [correct]
   This allows the WSA to act as a trusted man-in-the-middle.
D. Configure user authentication

Why: The first step in configuring Cisco WSA for HTTPS decryption is to install a Certificate Authority (CA) certificate on the WSA and distribute it to client devices. This establishes trust because the WSA acts as a man-in-the-middle, generating a new certificate for each HTTPS session signed by this CA; without the CA certificate in the clients' trusted root store, browsers will display certificate warnings and block the connection.

Frequently asked questions

How many questions are on the 350-701 exam?

The 350-701 exam has 90 questions and must be completed in 120 minutes. Cisco passing scores vary by exam version and are not always publicly listed. Check the official Cisco exam page before booking.

What types of questions appear on the 350-701 exam?

Question types include CLI output interpretation, network topology analysis, routing behaviour, switching concepts, troubleshooting, and configuration questions.

How are 350-701 questions organised by domain?

The exam covers 6 domains: Endpoint Protection and Detection, Secure Network Access, Visibility and Enforcement, Security Concepts, Network Security, Cloud Security, Content Security. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual 350-701 exam questions?

No. These are original exam-style practice questions written against the official Cisco 350-701 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
