Cisco · Free Practice Questions · Last reviewed May 2026
36 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A security administrator notices that several endpoints in the finance department are exhibiting unusual network behavior, including connections to known malicious IP addresses. The administrator has deployed Cisco Secure Endpoint (formerly AMP for Endpoints) with TETRA and has enabled the built-in firewall. What is the best course of action to quickly identify the root cause and contain the threat?
Disable the built-in firewall on the endpoints to allow full traffic inspection by the TETRA engine.
Use the Cisco Secure Endpoint console to review Device Trajectory for the affected endpoints and apply Endpoint Isolation.
Device Trajectory shows the time-ordered file, process and network events on each host (including the connections to the malicious IPs), which is what identifies the root cause; Endpoint Isolation blocks all of the host's traffic except the connector's own link to the Secure Endpoint cloud, so containment keeps visibility. TETRA is the connector's offline signature engine, not a traffic analyser, and disabling the firewall or reinstalling the connector neither finds the cause nor contains the threat.
Wait for the weekly threat report from Cisco Talos to identify the malware family and then apply a signature update.
Uninstall the Cisco Secure Endpoint connector and reinstall it with a fresh policy.
An organization wants to prevent malware from executing on endpoints by using a file reputation service. Which Cisco technology provides cloud-based file reputation and analysis for endpoint protection?
Cisco Stealthwatch
Cisco Identity Services Engine (ISE)
Cisco Firepower NGFW
Cisco Secure Endpoint (AMP for Endpoints)
Cisco Secure Endpoint provides cloud-based file reputation and analysis.
A security engineer is troubleshooting an issue where a known malicious file (SHA-256: 3a7c...f9e) is not being detected by Cisco Secure Endpoint on a Windows 10 endpoint. The file was downloaded from the internet. The policy has the 'File Reputation' setting set to 'Use cloud lookup', and the 'Exploit Prevention' module is enabled. The endpoint is now connected to the internet and can reach the AMP cloud. What is the most likely reason for the missed detection?
The endpoint was offline when the file was first written to disk, so the cloud lookup was skipped.
The connector looks up the SHA-256 disposition in the cloud at the moment the file is written or executed. If the endpoint had no cloud connectivity at that moment and the offline TETRA engine had no signature for the file, it was treated as unknown and allowed. Once connectivity returns, a later execution or the cloud's retrospective verdict for that hash should flag it. Exploit Prevention works on process memory behaviour and plays no part in file lookups, and a lapsed licence or Defender would affect every file, not this one.
Windows Defender Real-time Protection is interfering with the AMP connector.
The Exploit Prevention module is blocking the cloud lookup process.
The AMP cloud license has expired for the organization.
A security analyst is investigating an alert from Cisco Secure Endpoint indicating that an endpoint has been infected with ransomware. The analyst wants to determine the initial infection vector. Which feature of Cisco Secure Endpoint should the analyst use to trace the chain of events leading to the infection?
Device Trajectory
Device Trajectory replays the ordered chain of file, process and network events on the endpoint, so the analyst can walk back from the ransomware process to the dropper, the parent process and the download or e-mail that introduced it. Orbital runs live osquery queries against the endpoint's current state and does not reconstruct past events; Device Flow Correlation only reports network connections.
Orbital Advanced Search
Windows Event Viewer integration
Device Flow Correlation
A company is deploying Cisco Secure Endpoint and wants to ensure that endpoints are protected against zero-day exploits. Which two features should be enabled to provide this protection? (Choose two.)
File Reputation
Exploit Prevention
Exploit Prevention protects against exploit techniques used by zero-day attacks.
Malware Analytics (sandboxing)
Sandboxing analyzes unknown files for malicious behavior.
Application Control
Device Control
A network administrator is configuring endpoint protection policies for a large enterprise. The requirement is to allow only approved software to run on endpoints, while blocking all other executables. Which two Cisco Secure Endpoint features should be configured? (Choose two.)
Exploit Prevention
Malware Analytics
Application Control
Application Control allows whitelisting approved software.
Lockdown Mode
Lockdown Mode prevents execution of unapproved executables.
File Reputation
A network administrator is configuring Cisco ISE to enforce access control based on user authentication. The company requires that only users who authenticate via Active Directory are allowed access to the corporate wireless network. Which policy should be configured in ISE to accomplish this?
Profiling policy
Authentication policy
Authorization policy
The authentication policy only selects the identity store (here Active Directory) that validates the credentials; the authorization policy decides what an authenticated user is granted. A rule whose condition is the AD identity source (or an AD group) returns PermitAccess or the wireless authorization profile, and the policy set's default rule denies everyone else, including users validated against any other store.
Policy set
A company uses Cisco ISE for network access control. Users connecting via wired 802.1X are successfully authenticated but cannot reach the internet. The administrator checks the authorization policy and confirms that the matching rule returns an authorization profile that references the correct dACL. What is the most likely cause of the issue?
The switchport is configured as dynamic desirable
The RADIUS server is not sending the dACL attribute in the Access-Accept
A downloadable ACL is pushed only when ISE includes its name in the Access-Accept as the Cisco-AV-Pair attribute ACS:CiscoSecure-Defined-ACL; if that attribute is absent the switch applies no dACL and any pre-existing port ACL or default filtering remains. Check the RADIUS Live Logs in ISE for the attribute and, on the switch, `show authentication sessions interface <if> details` to see which ACS ACL (if any) was actually applied.
The switch port MTU is set to 1500 bytes
ISE is out of licenses for endpoint devices
An organization is implementing TrustSec to enforce micro-segmentation. The Security Group Tag (SGT) is assigned to a user via ISE after authentication. However, traffic from this user to a server with SGT 5 is being dropped. The administrator checks the SGACL configuration on the switch and finds a cell for source SGT 2 to destination SGT 5 whose SGACL is permit ip. What is the most likely reason for the traffic being dropped?
The PAC on the switch has expired
SXP is not configured between ISE and the switch
The CTRL protocol is not enabled on the switch
The SGACL defaults to deny if no explicit permit is found for the source-destination SGT pair
A matrix cell is applied only when the enforcing switch classifies the packet with exactly that source and destination SGT. If the user's session did not actually receive SGT 2, or the switch holds no IP-to-SGT binding for the server (no SXP or static mapping), the packet never hits the 2-to-5 cell and falls to the default policy for unmatched pairs, which is deny in this deployment (the platform default is permit unless `cts role-based permissions default` was changed). Check `show cts role-based sgt-map all` for both addresses and `show cts role-based counters` to see which cell is incrementing.
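As an added example that is not part of the page, the switch-side configuration behind the question above: enforcement, classification of the destination (via SXP from ISE or a static mapping) and the SGACL bound to the 2-to-5 cell, with the default cell made explicit. The ISE address, server address, VLAN number, ACL names and the SXP password are placeholders.

```cisco
! Added example (not from the page). 192.0.2.10 = ISE PSN, 10.20.5.10 = server
! with SGT 5, VLAN 20 = server VLAN; all assumed values.
!
! 1. Turn on enforcement globally and on the VLANs where it should apply.
cts role-based enforcement
cts role-based enforcement vlan-list 20
!
! 2. Classification: the enforcing switch must know the server is SGT 5.
!    Either learn IP-to-SGT bindings from ISE over SXP ...
cts sxp enable
cts sxp default password SXP-SHARED-SECRET
cts sxp connection peer 192.0.2.10 password default mode local listener
!    ... or map the server statically.
cts role-based sgt-map 10.20.5.10 sgt 5
!
! 3. Policy: a role-based ACL lists only protocols and ports; the source and
!    destination are given by the tag pair it is attached to.
ip access-list role-based ALLOW_WEB
 permit tcp dst eq 443
 permit tcp dst eq 80
 deny ip
ip access-list role-based DENY_ALL
 deny ip
cts role-based permissions from 2 to 5 ALLOW_WEB
!
! 4. Unmatched pairs fall to the default cell. The platform default is permit,
!    so set it explicitly when a deny-by-default matrix is intended.
cts role-based permissions default DENY_ALL
```

When the user's traffic is still dropped, `show cts role-based sgt-map all` should list both the user's IP with SGT 2 and 10.20.5.10 with SGT 5; if either is missing or shows SGT 0, the problem is classification (the authorization profile, inline tagging or SXP), not the ACL, and `show cts role-based counters` will show the default cell incrementing instead of the 2-to-5 cell.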
A company is deploying Cisco ISE for guest access. They want to provide a self-service portal where guests can register their devices and receive a temporary username and password. Which ISE component is used to accomplish this?
BYOD Portal
Mobile Device Management (MDM)
Guest Portal
Guest Portal provides self-service registration and temporary credentials for guests.
Profiler Service
An engineer is troubleshooting a Cisco ISE deployment where some endpoints are not being profiled correctly. The administrator notices that the endpoints are not sending DHCP requests. Which profiling probe should be primarily used to identify these endpoints?
NetFlow probe
NetFlow probe analyzes traffic flows and can profile endpoints based on IP and port information.
DHCP probe
HTTP probe
DNS probe
A network administrator wants to implement 802.1X on a Cisco switch port for a device that does not support 802.1X. Which feature should be configured to allow the device to connect?
802.1X with EAP-MSCHAPv2
Downloadable ACL (dACL)
Web Authentication (WA)
MAC Authentication Bypass (MAB)
MAB allows non-802.1X devices to authenticate using their MAC address.
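The port configuration that the MAB question and the earlier dACL question both rely on, as an added example that is not taken from the page: 802.1X first with MAB as fallback, plus the two global settings without which a dACL returned by ISE is never applied. The ISE address, shared secret, VLAN and interface names are placeholders.

```cisco
! Added example (not from the page). Assumed: ISE at 192.0.2.10, host port
! Gi1/0/1 in access VLAN 10, classic IOS 15.x syntax.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ISE-SHARED-SECRET
!
! Without VSA support the switch ignores the Cisco-AV-Pair that carries the
! dACL name in the Access-Accept.
radius-server vsa send authentication
! The dACL is rewritten with the endpoint's IP address; the switch has to learn
! that address, which is what device tracking does.
ip device tracking
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 ! Try 802.1X first; if the device never answers EAP, fall back to MAB.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

`show authentication sessions interface GigabitEthernet1/0/1 details` shows which method authenticated the session (dot1x or mab) and, under "ACS ACL", the xACSACLx name if a dACL was downloaded; a blank field there with a correct authorization profile in ISE points at the VSA or device-tracking prerequisites. On recent IOS-XE releases `ip device tracking` is replaced by a `device-tracking policy` attached to the interface.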
A network security engineer is deploying Cisco Firepower Threat Defense (FTD) in a data center. The requirement is to inspect traffic between two internal VLANs while allowing the firewall to enforce access control policies based on source and destination zones. Which deployment mode should the engineer use?
Routed mode
Inline mode
Transparent mode
In transparent (bridge-group) mode FTD forwards at Layer 2 through a BVI, so the VLANs keep their existing addressing; the bridge-group member interfaces can still be assigned to security zones, so zone-based access control rules apply to the bridged traffic. Routed mode would require a new subnet per side, and inline mode is an interface type for IPS-style deployments, not a firewall mode.
Hybrid mode
A security architect is designing a zero-trust architecture for a remote workforce using Cisco SD-WAN. The company requires that all traffic between branch sites and the data center is encrypted and authenticated, and that no device can access resources unless it has a valid certificate. Which technology should be used to enforce device identity?
802.1X with EAP-TLS
EAP-TLS authenticates the device with an X.509 certificate (mutual TLS between the supplicant and the authentication server), so a device without a valid certificate never gets past authentication. TrustSec SGTs and NAC posture are applied after identity has been established and do not themselves verify a certificate; IPsec protects the transport between sites but is not a per-device identity control.
Network Access Control (NAC)
Cisco TrustSec
IPsec VPN
An engineer is troubleshooting a Cisco ASA firewall and notices that traffic from a specific subnet is being dropped. The engineer wants to verify if the drop is due to an access control list (ACL) or an inspection policy. Which command should be used to see the reason for packet drops?
show access-list
show asp drop
Displays packet drop counters with reasons, including ACL and inspection drops.
show conn
show service-policy
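As an added example that is not part of the page, the ASA session a practitioner would run to tie the drop to its reason rather than guessing between the ACL and an inspection policy. Interface names, addresses and the ACL name are placeholders.

```cisco
! Added example (not from the page). Assumed: inside interface, ACL INSIDE_IN,
! affected host 10.1.50.25 talking to 198.51.100.20:443.
!
! Reset the counters, reproduce the traffic, then read the deltas so only the
! drops from this test show up.
asa# clear asp drop
asa# show asp drop
!
! Push a synthetic packet through the whole pipeline (ACL, NAT, inspection);
! the first phase that reports "Action: drop" names the cause, e.g.
! "Drop-reason: (acl-drop) Flow is denied by configured rule".
asa# packet-tracer input inside tcp 10.1.50.25 40000 198.51.100.20 443 detailed
!
! Capture only packets dropped for one reason code to see the real traffic.
asa# capture ACLDROPS type asp-drop acl-drop
asa# show capture ACLDROPS
asa# no capture ACLDROPS
!
! Cross-check the hit counters on the interface ACL.
asa# show access-list INSIDE_IN | include 10.1.50.
```

If `show asp drop` grows under an inspection counter such as `inspect-*` rather than `acl-drop`, the ACL is not the problem and `show service-policy` on the relevant class is the next place to look.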
Which TWO of the following are valid approaches to mitigate ARP spoofing attacks on a switched network?
Enable BPDU Guard on all switchports
Enable Dynamic ARP Inspection (DAI) on VLANs
DAI checks each ARP packet on untrusted ports against the DHCP snooping binding table (or a static ARP ACL) and drops replies whose MAC/IP pair does not match. DHCP snooping is therefore a prerequisite for DAI, but snooping alone only polices DHCP and does not validate ARP.
Enable IP Source Guard on untrusted ports
IP Source Guard filters traffic based on IP-MAC binding, preventing spoofing.
Enable Port Security on all access ports
Enable DHCP Snooping globally
Which THREE of the following are key principles of the Cisco Zero Trust security model?
Never trust, always verify
Core principle of zero trust.
Continuous monitoring and validation
Constant verification of trust is essential.
Implicit trust for internal traffic
Perimeter-based security
Least privilege access
Users and devices get only minimum required access.
Refer to the exhibit. An engineer has configured IP Source Guard and DHCP Snooping. A host with MAC 00:11:22:33:44:55 on Gi0/0 is expected to receive IP 192.168.1.10 via DHCP. However, the host cannot ping its default gateway 192.168.1.1. What is the most likely cause?
The DHCP snooping database is not updated because interface Gi0/1 is not trusted
With DHCP snooping enabled, DHCP server messages (OFFER/ACK) are accepted only on trusted ports. If the uplink Gi0/1 towards the DHCP server is left untrusted, the switch discards those replies, so no snooping binding for 00:11:22:33:44:55 / 192.168.1.10 on Gi0/0 is ever created; IP Source Guard on Gi0/0 then drops all of the host's IP traffic, including the pings, because no binding permits that source. Confirm with `show ip dhcp snooping binding` (the entry is missing) and `show ip verify source` (the port shows deny-all). The `port-security` keyword only adds MAC checking and is not required for IP filtering.
The static IP source binding is configured on the wrong VLAN
ARP inspection is not enabled, so the switch drops ARP replies
The 'ip verify source' command is missing the 'port-security' keyword
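The DHCP snooping, DAI and IP Source Guard combination that the ARP spoofing question and the exhibit question above both depend on, as an added example that is not from the page: the uplink towards the DHCP server is trusted, the host port is untrusted and rate-limited, and the snooping bindings feed both DAI and IP Source Guard. VLAN, interface roles and the database file name are assumed.

```cisco
! Added example (not from the page). Assumed: VLAN 10 is the access VLAN,
! Gi0/1 is the uplink to the DHCP server/router, Gi0/0 is the host port.
ip dhcp snooping
ip dhcp snooping vlan 10
! Drop the option-82 insertion unless the upstream relay expects it; an
! unexpected option 82 is a common reason replies never come back.
no ip dhcp snooping information option
! Persist bindings so they survive a reload (IP Source Guard has nothing to
! match against until the table is rebuilt otherwise).
ip dhcp snooping database flash:dhcp-snoop.db
!
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description Uplink to DHCP server / default gateway
 ! Trusted: OFFER/ACK and ARP from the gateway are accepted here.
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/0
 description Host port (untrusted)
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ! Source-IP filtering against the snooping binding table.
 ip verify source
 ! Hosts with a static address need an explicit binding instead, e.g.
 ! ip source binding 0011.2233.4455 vlan 10 192.168.1.10 interface GigabitEthernet0/0
```

After the host renews its lease, `show ip dhcp snooping binding` should list 0011.2233.4455 / 192.168.1.10 on Gi0/0, `show ip verify source` should show that address as the port's permitted source instead of deny-all, and `show ip arp inspection statistics vlan 10` reveals whether DAI is dropping the host's ARP replies.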
A network engineer is troubleshooting an issue where users on VLAN 10 cannot access the internet, but they can reach internal resources. The firewall is configured with a default route pointing to the ISP router. The engineer notices that NAT is configured but traffic is not being translated. Which configuration is most likely missing?
An ACL to match the traffic to be translated
With IOS dynamic NAT/PAT (`ip nat inside source list <ACL> interface <outside> overload`), the ACL selects which inside source addresses are translated; without a permit entry covering VLAN 10, packets leave with their private source address and the ISP discards them. Also confirm `ip nat inside` / `ip nat outside` are set on the right interfaces and watch `show ip nat statistics` for the hit count.
A NAT pool with available public IP addresses
Port Address Translation (PAT) configuration
A route map to apply NAT based on destination
A security engineer is implementing Cisco Identity Services Engine (ISE) for 802.1X authentication. The requirement is to allow full network access for corporate devices that pass posture assessment, while providing limited access for guest devices. The engineer configures an authorization policy with conditions based on identity group and posture status. However, guest devices are still getting full access. What is the most likely cause?
The guest devices are not passing the certificate validation
The authorization rule for corporate devices is placed above the guest rule, and guest devices are matching the corporate rule first
ISE uses first-match; if guest devices match an earlier rule, they get the associated permissions.
MAC Authentication Bypass (MAB) is not enabled for the guest devices
The RADIUS attributes for dACL are not being sent correctly
A company wants to deploy a site-to-site VPN between two branch offices using Cisco IOS routers. The security policy requires that all traffic between the sites must be encrypted and authenticated using strong encryption. The engineer chooses IPsec with IKEv2. Which IPsec transform set configuration provides the strongest encryption and authentication?
transform-set ESP-AES128 ESP-SHA-HMAC
transform-set ESP-AES256 ESP-SHA256-HMAC
AES-256 and SHA-256 provide strong encryption and authentication.
transform-set ESP-DES ESP-MD5-HMAC
transform-set ESP-3DES ESP-SHA-HMAC
An engineer is configuring Cisco Firepower Threat Defense (FTD) with a pre-filter policy to block traffic from known malicious IP addresses before it reaches the access control policy. The pre-filter rules are configured to block traffic from the malicious IPs. However, the engineer notices that some traffic from those IPs is still being allowed. What is the most likely reason?
An earlier pre-filter rule (lower number, evaluated first) with a Fastpath action matches the traffic before the block rule
Pre-filter rules are evaluated top-down and the first match wins. A Fastpath rule placed above the Block rule sends matching flows straight through with no further inspection, so neither the Block rule nor the access control policy ever sees them. Move the Block rule above the Fastpath rule or narrow the Fastpath rule's conditions.
The pre-filter rules are configured with the wrong source interface
The access control policy is overriding the pre-filter policy
The default action for the pre-filter policy is set to 'Allow'
A network administrator is configuring Cisco ASA with FirePOWER services. The administrator wants to inspect SSL traffic but is concerned about certificate pinning in modern applications. Which action should the administrator take to ensure that SSL inspection does not break applications that use certificate pinning?
Configure SSL inspection to bypass all traffic to avoid any issues
Install a custom root CA on all clients and configure the ASA to use that CA
Create an SSL decryption rule to exclude traffic from applications known to use certificate pinning
Excluding pinned applications prevents the ASA from interfering with certificate validation.
Use a decryption policy that decrypts the traffic but does not re-encrypt
An engineer applies the ACL shown in the exhibit to the inbound direction of interface GigabitEthernet0/0. The goal is to block all traffic from host 10.1.1.100 to the 192.168.0.0/16 network. However, traffic from 10.1.1.100 to 192.168.1.1 is still being permitted. What is the most likely reason?
The deny entry should be placed after the permit entry
The ACL should be applied outbound instead of inbound
The ACL is applied to the wrong direction; it should be 'out'
The traffic from 10.1.1.100 is entering through a different interface
If the traffic does not enter via GigabitEthernet0/0, the ACL will not be applied to it.
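As an added example that is not from the page, an ACL that meets the question's stated goal and the checks that distinguish a wrong ingress interface from a wrong rule order. The ACL and interface names are placeholders.

```cisco
! Added example (not from the page). Assumed: Gi0/0 is the interface facing
! the 10.1.1.0/24 segment, so traffic from 10.1.1.100 enters there.
ip access-list extended BLOCK-10-1-1-100
 remark Specific deny first; a permit any any above it would shadow it
 deny   ip host 10.1.1.100 192.168.0.0 0.0.255.255 log
 permit ip any any
!
interface GigabitEthernet0/0
 description LAN segment 10.1.1.0/24
 ip access-group BLOCK-10-1-1-100 in
```

`show ip access-lists BLOCK-10-1-1-100` shows per-entry hit counts: if the deny counter stays at zero while 10.1.1.100 still reaches 192.168.1.1, the packets are not arriving on Gi0/0, which `show ip arp 10.1.1.100` or `show mac address-table address <mac>` will confirm; if the deny counter climbs but traffic still passes, look for another permit earlier in the list or a second ACL on the egress path.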
A company is migrating a web application to AWS and wants to protect against DDoS attacks at the application layer. Which Cisco security solution should they deploy?
Cisco Umbrella
Cisco WAF (Web Application Firewall)
Cisco WAF protects web applications from application-layer DDoS attacks.
Cisco Firepower NGFW
Cisco Stealthwatch
An organization uses AWS with a VPC and wants to inspect all traffic between instances in the same subnet using Cisco Firepower. What must be implemented?
Configure VPC Endpoints to route traffic through Firepower
AWS Traffic Mirroring to send traffic to a Firepower appliance
Traffic Mirroring copies packets to Firepower for east-west inspection.
Use AWS Security Groups and log to Firepower
Deploy Firepower as a transparent bridge in the subnet
A company is implementing cloud security posture management (CSPM). Which Cisco product provides CSPM capabilities?
Cisco Tetration
Cisco Firepower
Cisco ISE
Cisco Cloudlock
Cloudlock provides CSPM and CASB capabilities.
A security architect is designing a hybrid cloud with AWS and on-premises data center. They need to enforce consistent security policies across both environments. Which approach is most effective?
Deploy separate Cisco Firepower instances in AWS and on-prem, each with independent policies
Use Cisco Secure Cloud Analytics (Stealthwatch) with AWS Cloud integration
Secure Cloud Analytics ingests on-premises NetFlow (via its sensors or Secure Network Analytics) and AWS VPC Flow Logs into one console, so the same behavioural detections and alerting apply to both environments from a single place; separate Firepower instances with independent policies, or AWS-only tools, cannot give that consistency.
Use AWS CloudTrail and AWS Config for on-premises resources
Establish a site-to-site VPN and use AWS Security Groups for both environments
After deploying a Cisco Cloudlock policy, a user reports that a sanctioned application (Salesforce) is being blocked for file downloads. What is the most likely cause?
The Salesforce API token has expired
The file being downloaded contains sensitive data flagged by DLP
The user's browser is not configured with the corporate proxy
The Cloudlock policy for Salesforce is set to 'Block' due to misconfiguration
A misconfigured policy can block sanctioned applications.
An enterprise wants to prevent data exfiltration from its SaaS applications to unauthorized personal cloud storage. Which Cisco solution should be deployed?
Cisco Umbrella
Cisco Cloudlock
Cloudlock as a CASB can prevent data exfiltration to unauthorized cloud storage.
Cisco Duo
Cisco Firepower NGFW
A company uses Cisco Umbrella to enforce web security. After deploying a new policy that blocks all social media sites, users report that they cannot access a corporate Salesforce instance that uses a social login feature. Which Umbrella setting should be adjusted to resolve the issue without weakening the policy?
Create a bypass code for users to access Salesforce
Disable the Social Networking category under Content Categories
Configure Intelligent Proxy to inspect Salesforce traffic
Add Salesforce to the Application Settings allowed list
This allows the Salesforce application even if the social networking category is blocked.
An engineer is troubleshooting a Cisco WSA that is failing to block malware downloads from a specific cloud storage website. The URL filtering policy is set to block the 'Cloud Storage' category, and the Web Reputation score is set to block scores below -5.0. Users can still download files. What is the most likely cause?
The file type is not configured for malware inspection
Malware inspection only applies to specified file types; if not included, downloads pass through.
HTTPS proxy decryption is not configured
The L4 Traffic Monitor is not enabled
The users are not authenticated
A network administrator wants to block access to a specific URL category on the Cisco WSA but allow access to all other categories. Which action should be taken in the Access Policy?
Set the action to 'Monitor' for the category
Set the action to 'Redirect' for the category
Set the action to 'Warn' for the category
Set the action to 'Block' for the category
Block denies access to the category.
An organization is using Cisco ESA to protect against email-borne threats. They notice that some phishing emails are not being caught by the anti-spam engine. The emails contain malicious URLs that are rewritten by the ESA. Which feature should be verified to ensure the rewritten URLs are properly analyzed?
Data Loss Prevention (DLP) policies
URL filtering and analysis settings
This ensures rewritten URLs are analyzed for malicious content.
Anti-Virus scanning engine
Encryption policies
A company is deploying Cisco Umbrella to enforce security policies for remote users. They want to ensure that DNS requests from roaming clients are routed through Umbrella's DNS resolvers. However, some users are bypassing Umbrella by using third-party DNS servers like Google (8.8.8.8). Which configuration should be applied to prevent this?
Configure Content Filtering to block Google DNS
Add a firewall rule on each client to block port 53 to all but Umbrella
Enable IP Layer Enforcement in the Umbrella dashboard
Enable DNS Policy in the Umbrella roaming client
This forces all DNS requests through Umbrella and blocks alternative DNS servers.
A network administrator needs to configure Cisco WSA to decrypt HTTPS traffic for inspection. What is the first step that must be completed?
Create a bypass list for internal sites
Configure an Access Control List (ACL) to allow decryption
Install a Certificate Authority (CA) certificate on the WSA and distribute it to clients
This allows the WSA to act as a trusted man-in-the-middle.
Configure user authentication
The 350-701 exam has 90 questions and must be completed in 120 minutes. Cisco passing scores vary by exam version and are not always publicly listed. Check the official Cisco exam page before booking.
Expect CLI output interpretation, network topology analysis, routing behaviour, switching concepts, troubleshooting, and configuration questions.
The exam covers 6 domains: Endpoint Protection and Detection; Secure Network Access, Visibility and Enforcement; Security Concepts; Network Security; Cloud Security; Content Security. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Cisco 350-701 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.