Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 1.0

Security Concepts

350-701 Practice Questions

Use this page to practise Security Concepts questions for this certification. Focus on how the exam tests security concepts in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.


What this objective tests

350-701 Security Concepts — Key Topics

Security Concepts questions on this certification test your ability to deploy and manage security concepts in scenario-based situations.

  • Core Security Concepts and how they apply in real-world cloud scenarios.
  • How to deploy security concepts correctly and verify the outcome.
  • Troubleshooting security concepts issues by interpreting error output and system state.
  • Cloud best practices and Security Concepts design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Security Concepts

  • ⚠ Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠ Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • ⚠ Choosing a global service fix when the issue is region-specific.
  • ⚠ Overlooking cost implications of cross-region data transfer in architecture questions.

350-701 Security Concepts — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A network security engineer is deploying Cisco Firepower Threat Defense (FTD) in a data center. The requirement is to inspect traffic between two internal VLANs while allowing the firewall to enforce access control policies based on source and destination zones. Which deployment mode should the engineer use?

Question 3 (hard, multiple choice)

A security architect is designing a zero-trust architecture for a remote workforce using Cisco SD-WAN. The company requires that all traffic between branch sites and the data center is encrypted and authenticated, and that no device can access resources unless it has a valid certificate. Which technology should be used to enforce device identity?

Question 4 (easy, multiple choice)

An engineer is troubleshooting a Cisco ASA firewall and notices that traffic from a specific subnet is being dropped. The engineer wants to verify if the drop is due to an access control list (ACL) or an inspection policy. Which command should be used to see the reason for packet drops?

Question 5 (medium, multi select)

Which TWO of the following are valid approaches to mitigate ARP spoofing attacks on a switched network?

Question 6 (hard, multi select)

Which THREE of the following are key principles of the Cisco Zero Trust security model?

Question 7 (medium, multiple choice)

Refer to the exhibit. An engineer has configured IP Source Guard and DHCP Snooping. A host with MAC 00:11:22:33:44:55 on Gi0/0 is assigned IP 192.168.1.10 via DHCP. However, the host cannot ping its default gateway 192.168.1.1. What is the most likely cause?

Exhibit


interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip verify source
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip verify source
!
ip dhcp snooping vlan 1-100
ip dhcp snooping information option
ip dhcp snooping
!
ip source binding 00:11:22:33:44:55 vlan 10 192.168.1.10 interface GigabitEthernet0/0
!

Question 8 (hard, multiple choice)

Refer to the exhibit. An engineer is analyzing an intrusion policy on Cisco Firepower Management Center (FMC). The network uses Windows servers and clients. A flood of HTTP traffic is being detected as a potential attack, but it is legitimate. Which preprocessor configuration change would most likely reduce false positives without losing detection of real attacks?

Exhibit


! Cisco FMC intrusion policy snippet
preprocessor global_sensitivity: sensitivity_level high
preprocessor frag3: frag3_engine policy=first, bind_to=0.0.0.0
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy=windows, use_static_footprint_sizes yes
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect: default_inspect_http_profiles
preprocessor smtp: ports 25 465 587
!

Question 9 (easy, multiple choice)

A company is implementing Cisco Umbrella to provide DNS-layer security. They want to block access to known malicious domains while allowing all other traffic. Which policy configuration should be used?

Question 10 (medium, multiple choice)

An engineer is configuring Cisco ISE for guest access. The requirement is that guests must accept an acceptable use policy (AUP) before being granted network access. Which portal type should be used?

Question 11 (medium, multi select)

Which TWO of the following are valid methods for authenticating VPN users in a Cisco AnyConnect deployment?

Question 12 (hard, multi select)

Which THREE of the following are common indicators of a DDoS attack at the network layer?

Question 13 (hard, multiple choice)

A financial company has a data center with Cisco FTD firewalls in a high-availability pair. They use Cisco ISE for network access control and Cisco Stealthwatch for network visibility. Recently, they deployed a new web application that is accessed by both internal employees and external customers. The application uses HTTPS on port 443. After deployment, the security team notices that the FTD is dropping some HTTPS sessions that appear legitimate. The drops are inconsistent and seem to occur only during peak hours. The FTD logs show the drop reason as 'TCP state violation'. The team has verified that the web server and clients are configured correctly. The Stealthwatch reports show no anomalies. What is the most likely cause and solution?

Question 14 (easy, multiple choice)

A security engineer is configuring a Cisco ASA to block traffic from a specific IP address. Which access control entry (ACE) should be applied to the inbound direction of the outside interface?

Question 15 (medium, multiple choice)

A company is deploying Cisco Umbrella to protect against DNS-based threats. Which deployment method provides the most comprehensive coverage for all devices on the network without requiring per-device configuration?

Question 16 (hard, multiple choice)

An engineer is troubleshooting traffic drops on a Cisco Firepower Threat Defense (FTD) device. The traffic is allowed by the access control policy but is being dropped. Which feature should the engineer check to identify the cause of the drop?

Question 17 (medium, drag order)

Drag and drop the steps to configure 802.1X port-based authentication on a Cisco switch in the correct order.


Question 18 (medium, drag order)

Drag and drop the steps to recover a lost password on a Cisco IOS router in the correct order.


Question 19 (medium, matching)

Match each protocol to its default port number.

Matches

443

22

53

25

161

Question 20 (medium, matching)

Match each Cisco security solution to its primary use case.

Matches

Next-generation firewall and IPS

DNS-layer security and web filtering

Endpoint threat detection and response

Network access control and policy enforcement

Network traffic analysis and anomaly detection

Question 21 (easy, multiple choice)

A network engineer is configuring a new firewall to enforce security policies between two internal VLANs. The goal is to allow only HTTP traffic from the finance VLAN to the HR VLAN, while blocking all other traffic. Which type of firewall rule should be applied to achieve this requirement with minimal administrative overhead?

Question 22 (medium, multiple choice)

A company is implementing a Zero Trust architecture. The security team needs to ensure that all traffic between workloads in a private cloud is encrypted and mutually authenticated. Which solution best meets these requirements?

Question 23 (hard, multiple choice)

During a security audit, a penetration tester discovers that a Cisco ASA firewall is configured with a rule that permits traffic from the inside interface with a source IP address in the RFC 1918 range to the outside interface. The rule uses the 'inspect' command for HTTP and FTP. Which potential vulnerability does this configuration introduce?

Question 24 (easy, multiple choice)

A security administrator is tasked with implementing a solution that provides single sign-on (SSO) for users accessing multiple enterprise applications. The solution must support SAML 2.0 and integrate with the existing Microsoft Active Directory. Which component is essential for this architecture?

Question 25 (medium, multiple choice)

A network engineer is troubleshooting an issue where users on a specific VLAN cannot access the internet through a Cisco ASA firewall. The ASA has a default route pointing to the ISP router. The security policy includes an ACL that permits all traffic from the inside interface to the outside interface. What is the most likely cause of the problem?

Question 26 (hard, multiple choice)

A security engineer is evaluating a web application firewall (WAF) rule set. The application uses a custom REST API that accepts JSON payloads. Which WAF rule is most effective at preventing SQL injection attacks while minimizing false positives?

Question 27 (easy, multiple choice)

An organization wants to restrict administrative access to Cisco network devices based on the time of day and source IP address. Which technology should be used?

Question 28 (medium, multiple choice)

A company deploys Cisco ISE for network access control. They want to enforce that only employees with a valid certificate and a compliant posture can access the corporate Wi-Fi. Which policy combination should be used?

Question 29 (hard, multiple choice)

A security engineer is analyzing logs from a Cisco ASA. They notice that a specific internal host is generating a high volume of outbound TCP SYN packets to multiple external IP addresses on port 443, but no SYN-ACK responses are received. What is the most likely explanation?

Question 30 (medium, multi select)

Which TWO of the following are best practices for securing Cisco routers against unauthorized access? (Choose two.)

Question 31 (hard, multi select)

Which THREE of the following are valid characteristics of a next-generation firewall (NGFW) compared to a traditional stateful firewall? (Choose three.)

More Security Concepts questions available in the full practice test.

All 350-701 Objectives

  • 1. Security Concepts
  • 2. Network Security
  • 3. Cloud Security
  • 4. Content Security