Courseiva
© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Objective 2.0

Network Security

350-701 Practice Questions

Use this page to practise Network Security questions for this certification. Focus on how the exam tests network security in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.


What this objective tests

350-701 Network Security — Key Topics

Network Security questions on this certification test your ability to deploy and manage network security concepts in scenario-based situations.

  • Core Network Security concepts and how they apply in real-world cloud scenarios.
  • How to deploy network security correctly and verify the outcome.
  • Troubleshooting network security issues by interpreting error output and system state.
  • Cloud best practices and Network Security design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Network Security

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

350-701 Network Security — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A network engineer is troubleshooting an issue where users on VLAN 10 cannot access the internet, but they can reach internal resources. The firewall is configured with a default route pointing to the ISP router. The engineer notices that NAT is configured but traffic is not being translated. Which configuration is most likely missing?

Question 3 (hard, multiple choice)

A security engineer is implementing Cisco Identity Services Engine (ISE) for 802.1X authentication. The requirement is to allow full network access for corporate devices that pass posture assessment, while providing limited access for guest devices. The engineer configures an authorization policy with conditions based on identity group and posture status. However, guest devices are still getting full access. What is the most likely cause?

Question 4 (easy, multiple choice)

A company wants to deploy a site-to-site VPN between two branch offices using Cisco IOS routers. The security policy requires that all traffic between the sites must be encrypted and authenticated using strong encryption. The engineer chooses IPsec with IKEv2. Which IPsec transform set configuration provides the strongest encryption and authentication?

Question 5 (medium, multiple choice)

An engineer is configuring Cisco Firepower Threat Defense (FTD) with a pre-filter policy to block traffic from known malicious IP addresses before it reaches the access control policy. The pre-filter rules are configured to block traffic from the malicious IPs. However, the engineer notices that some traffic from those IPs is still being allowed. What is the most likely reason?

Question 6 (hard, multiple choice)

A network administrator is configuring Cisco ASA with FirePOWER services. The administrator wants to inspect SSL traffic but is concerned about certificate pinning in modern applications. Which action should the administrator take to ensure that SSL inspection does not break applications that use certificate pinning?

Question 7 (medium, multiple choice)

An engineer applies the ACL shown in the exhibit to the inbound direction of interface GigabitEthernet0/0. The goal is to block all traffic from host 10.1.1.100 to the 192.168.0.0/16 network. However, traffic from 10.1.1.100 to 192.168.1.1 is still being permitted. What is the most likely reason?

Exhibit

Refer to the exhibit.

ip access-list extended BLOCK_TRAFFIC
 deny ip host 10.1.1.100 192.168.0.0 0.0.255.255
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK_TRAFFIC in

Question 8 (medium, multi select)

Which TWO are valid methods for implementing Network Admission Control (NAC) in a Cisco environment?

Question 9 (hard, multi select)

Which THREE are characteristics of Cisco Stealthwatch?

Question 10 (hard, multiple choice)

A multinational company has deployed a Cisco Firepower 4100 series device as the perimeter firewall. The network consists of multiple internal segments: a corporate LAN (192.168.1.0/24), a data center (10.10.0.0/16), and a guest wireless network (172.16.0.0/16). The firewall is configured with the following access control policy rules:

1. Allow from any to any (for testing, but currently enabled)
2. Allow from corporate LAN to data center (destination ports TCP/443, TCP/8443)
3. Block from guest wireless to data center
4. Allow from any to internet (destination any)

Recently, the security team discovered that a host in the guest network (172.16.5.50) is communicating with a server in the data center (10.10.10.100) on TCP port 443. The security team wants to immediately block this traffic without affecting other legitimate communications. Which action should be taken first?

Question 11 (medium, multi select)

A security engineer is configuring Cisco TrustSec on a network. Which TWO actions are required to enable TrustSec on a Cisco switch?

Question 12 (hard, multiple choice)

Refer to the exhibit. An engineer configured 802.1X on two switch ports. On Gi1/0/1, a VoIP phone and a PC are connected via a hub. On Gi1/0/2, only a single PC is connected. Which port will successfully authenticate both devices, and what is the issue with the other port?

Exhibit

Refer to the exhibit.

interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast

interface GigabitEthernet1/0/2
 switchport access vlan 20
 switchport mode access
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 30
 spanning-tree portfast

Question 13 (easy, multiple choice)

A large enterprise uses Cisco Firepower Threat Defense (FTD) as its next-generation firewall. The network team recently deployed a new application that uses HTTPS for all communications. Users report that the application is slow and sometimes fails to load pages. The security team suspects that SSL inspection might be causing the issue. The FTD is configured with an SSL policy that decrypts all HTTPS traffic using a self-signed certificate. The internal CA is not trusted by the application servers. Which action should the engineer take to resolve the performance and connectivity issues while maintaining security visibility?

Question 14 (medium, drag order)

Drag and drop the steps to configure a Cisco IOS router as a Zone-Based Firewall (ZBF) in the correct order.


Question 15 (medium, drag order)

Drag and drop the steps to configure a Cisco router as a DHCP server in the correct order.


Question 16 (medium, matching)

Match each Cisco ASA feature to its description.


Modular Policy Framework for traffic inspection

High availability with active/standby or active/active

Graphical management interface

Command-line interface for configuration

VPN client for remote access

Question 17 (medium, matching)

Match each encryption algorithm to its type.


Symmetric block cipher

Asymmetric public-key algorithm

Hash function

Symmetric block cipher (legacy)

Key exchange algorithm

Question 18 (easy, multiple choice)

A network engineer is troubleshooting an IPsec VPN tunnel that fails to establish. The configuration includes a crypto map with a matching access list. Which command should be used to verify the security associations and error counters for the IPsec phase?

Question 19 (medium, multiple choice)

A company is deploying a new ASA firewall in a DMZ design. They need to allow web traffic from the internet to a web server in the DMZ, while also permitting outbound traffic from the DMZ to the internet for software updates. Which access control approach best meets these requirements with minimal risk?

Question 20 (hard, multiple choice)

An engineer is designing a FlexVPN deployment with multiple hub routers and spoke routers. The spokes need to establish tunnels to the closest hub based on latency. Which feature should be configured to achieve dynamic hub selection?

Question 21 (medium, multiple choice)

A security administrator is reviewing firewall logs and notices that an internal user is generating excessive outbound DNS queries to a known malicious domain. The company uses Cisco Umbrella for DNS-layer security. How should the administrator investigate and block this traffic?

Question 22 (hard, multiple choice)

A network administrator is configuring IKEv2 on a Cisco router and wants to ensure that the router does not initiate connections but only responds to incoming IKEv2 requests. Which configuration command should be applied?

Question 23 (easy, multiple choice)

A Cisco ASA firewall is configured with multiple contexts. The administrator needs to allow traffic from a context to pass through the management context for management purposes. Which type of interface should be used for this inter-context communication?

Question 24 (medium, multiple choice)

A network engineer is trying to establish a site-to-site IPsec VPN between two Cisco routers. The IKEv2 proposal uses AES-256 encryption and SHA-256 hash. On the remote router, the configuration shows only AES-128 and SHA-1. What will happen during IKEv2 negotiation?

Question 25 (hard, multiple choice)

A company uses Cisco Firepower Threat Defense (FTD) managed by FMC. They want to enable URL filtering based on user identity from an Active Directory (AD) source. Which configuration steps are required on the FMC?

Question 26 (easy, multiple choice)

An administrator is configuring a Cisco ASA 5500-X to perform SSL inspection for outbound traffic. The users must be able to access HTTPS websites without certificate errors. Which configuration step is essential for the ASA to perform decryption?

Question 27 (medium, multi select)

Which TWO are best practices for securing Cisco ASA remote access VPN? (Choose two.)

Question 28 (hard, multi select)

Which TWO are valid considerations for deploying Cisco Firepower NGIPS with inline mode? (Choose two.)

Question 29 (medium, multi select)

Which THREE are valid components of an IKEv2 exchange? (Choose three.)

Question 30 (medium, multiple choice)

A company has deployed Cisco AnyConnect VPN for remote access. They want to enforce that only company-managed devices with compliant antivirus and disk encryption can connect. Which solution should be added to the ASA?

Question 31 (easy, multiple choice)

An engineer is troubleshooting a site-to-site IPsec VPN between two Cisco routers. The tunnel is not establishing. Which command would verify that IKE phase 1 negotiations have completed successfully?
