Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

350-701 Content Security — All Questions With Answers

Complete 350-701 Content Security question bank — all 0 questions with answers and detailed explanations.

93 questions • Free • No signup
Question 1 • medium • multiple choice

A company uses Cisco Umbrella to enforce web security. After deploying a new policy that blocks all social media sites, users report that they cannot access a corporate Salesforce instance that uses a social login feature. Which Umbrella setting should be adjusted to resolve the issue without weakening the policy?

Question 2 • hard • multiple choice

An engineer is troubleshooting a Cisco WSA that is failing to block malware downloads from a specific cloud storage website. The URL filtering policy is set to block the 'Cloud Storage' category, and the Web Reputation score is set to block scores below -5.0. Users can still download files. What is the most likely cause?

Question 3 • easy • multiple choice

A network administrator wants to block access to a specific URL category on the Cisco WSA but allow access to all other categories. Which action should be taken in the Access Policy?

Question 4 • medium • multiple choice

An organization is using Cisco ESA to protect against email-borne threats. They notice that some phishing emails are not being caught by the anti-spam engine. The emails contain malicious URLs that are rewritten by the ESA. Which feature should be verified to ensure the rewritten URLs are properly analyzed?

Question 5 • hard • multiple choice

A company is deploying Cisco Umbrella to enforce security policies for remote users. They want to ensure that DNS requests from roaming clients are routed through Umbrella's DNS resolvers. However, some users are bypassing Umbrella by using third-party DNS servers like Google (8.8.8.8). Which configuration should be applied to prevent this?

Question 6 • easy • multiple choice

A network administrator needs to configure Cisco WSA to decrypt HTTPS traffic for inspection. What is the first step that must be completed?

Question 7 • medium • multiple choice

An organization is using Cisco ESA and wants to ensure that outgoing emails containing credit card numbers are blocked before leaving the network. Which feature should be configured?

Question 8 • hard • multiple choice

During a security audit, it is discovered that some malware downloads were not blocked by the Cisco WSA even though the Web Reputation score was set to block scores below -5.0. The logs show that the downloads came from sites with a reputation score of -6.2. What is the most likely reason the downloads were not blocked?

Question 9 • medium • multi-select

Which TWO actions are best practices when configuring a Cisco WSA to block malicious websites? (Choose two.)

Question 10 • hard • multi-select

Which THREE features are available in Cisco Umbrella to protect against DNS-based threats? (Choose three.)

Question 11 • easy • multi-select

Which TWO benefits does the Cisco ESA provide for email security? (Choose two.)

Question 12 • hard • multiple choice

A user in the Engineering group reports that they cannot access a banking website (https://www.examplebank.com). The website is categorized as 'Financial' by the WSA. Based on the exhibit, what is the most likely cause?

Exhibit

Refer to the exhibit.

```
ciscowsa# show accesspolicy detail PolicyName: Engineering
  Policy: Engineering
  Identification Profiles: Engineering_IP
  User Identification: Transparent

  Web Reputation:
    Action: Block
    Threshold: -6.0

  URL Filtering:
    Category: Malware
      Action: Block
    Category: Phishing
      Action: Block
    Category: Social Networking
      Action: Monitor

  Malware Scanning:
    Action: Scan
    File Types: exe, dll, zip, jar

  HTTPS Decryption:
    Action: Decrypt
    Bypass Categories: Financial, Health
```
Question 13 • medium • multiple choice

An email administrator sees the above log entry in the Cisco ESA. What will happen to the email?

Exhibit

Refer to the exhibit.

```
log: "Message 12345 from 192.0.2.10 to user@domain.com: DLP violation: Credit card pattern detected. Policy: 'Block Credit Cards' Action: Quarantine"
```
Question 14 • medium • multiple choice

A multinational company has recently deployed Cisco Umbrella for DNS-layer security across all offices. The security team receives reports that users in the Asia-Pacific region cannot access a critical cloud-based CRM application (crm.company.com). The CRM is hosted by a third-party provider and uses a custom domain. The Umbrella dashboard shows that DNS requests for crm.company.com are being blocked with the reason 'Cisco Umbrella Intelligence Feed: Blocked Domain'. The domain is not part of any standard security category. The IT team has verified that the domain is legitimate and necessary for business operations. What should the administrator do to restore access while maintaining security?

Question 15 • hard • multiple choice

A university is using Cisco WSA to filter web traffic for its students and staff. The WSA is configured with transparent proxy mode and uses Active Directory for authentication. Recently, the IT department received complaints that some users cannot access certain educational websites that are correctly categorized as 'Education'. The WSA policy has a default rule that blocks all categories except those explicitly allowed. The 'Education' category is set to 'Allow'. However, affected users are shown a block page with the reason 'Web Reputation: Low Reputation'. The Web Reputation threshold is set to -5.0. The IT team checked the reputation scores of the blocked sites and found they are around -4.5. What is the most likely reason for the block?

Question 16 • medium • multiple choice

A company is deploying Cisco Web Security Appliance (WSA) to enforce acceptable use policies. Users report that some legitimate websites are being blocked incorrectly. The security team wants to allow these sites while still blocking known malware sites. Which action should the administrator take?

Question 17 • hard • multiple choice

A network administrator is troubleshooting an issue where users cannot send emails with attachments larger than 10 MB through the Cisco Email Security Appliance (ESA). The ESA is configured with a mail flow policy that has a maximum message size of 20 MB. What is the most likely cause of the issue?

Question 18 • easy • multiple choice

A company uses Cisco Umbrella to protect its remote users. The security team notices that some users are able to bypass Umbrella by using a different DNS resolver. Which deployment method ensures that all DNS traffic is forced through Umbrella?

Question 19 • hard • multiple choice

A security engineer is configuring Cisco Web Security Appliance (WSA) to block access to social media sites during business hours. The company wants to allow access to LinkedIn for the HR department. Which policy configuration approach should the engineer use?

Question 20 • medium • multi-select

A company is deploying Cisco Email Security Appliance (ESA) to protect against phishing attacks. The security team wants to implement two security features to detect malicious URLs in emails. Which two features should be enabled? (Choose two.)

Question 21 • hard • multiple choice

A network administrator configures the above policy on a Cisco Firepower Threat Defense (FTD) device. Users report that they cannot access the login page at https://www.example.com/login. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
policy-map type inspect http OUTSIDE_INSPECT
  match request header host header-value ".*malicious.*"
  reset
  match request body regex ".*malware.*"
  reset
  match request uri regex ".*evil.*"
  reset
!
class-map type inspect http match-all HTTP_CLASS
  match request header host header-value ".*example.com.*"
  match request uri regex ".*login.*"
!
policy-map type inspect http INSIDE_INSPECT
  class HTTP_CLASS
  inspect
!
```
Question 22 • hard • multiple choice

You are a security engineer for a multinational corporation with 5,000 employees. The company uses Cisco Umbrella for DNS-layer security, Cisco Web Security Appliance (WSA) for proxy services in the data center, and Cisco Email Security Appliance (ESA) for email security. Recently, the security team has received multiple reports of users receiving phishing emails that bypass the ESA. The emails contain links to malicious websites that are also not blocked by Umbrella or WSA. Upon investigation, you find that the phishing emails use newly registered domains (less than 24 hours old) and the malicious websites are hosted on cloud infrastructure with frequently changing IP addresses. The company's current security policies rely on signature-based detection and static blocklists. Which action should you take to most effectively mitigate these threats?

Question 23 • medium • multi-select

Which TWO actions are recommended best practices for securing web traffic using Cisco Umbrella?

Question 24 • hard • multiple choice

Refer to the exhibit. An administrator sees that the file invoice_2024.exe was blocked by both Cisco AMP and ESA. However, a user claims the attachment was delivered. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
Malware Event: 2024-03-15 10:23:45 UTC
File Name: invoice_2024.exe
SHA256: a1b2c3d4e5f6...
Score: 100 (Cisco AMP)
Disposition: Malicious

Syslog from ESA:
Mar 15 10:23:45 mail.esa.cisco.com CEF:0|Cisco|Email Security Appliance|13.0|ESA|EMAIL_MALWARE|5|act=blocked dvc=10.1.1.10 dst=192.168.1.100 msg=Attachment blocked: invoice_2024.exe cn1Label=AMP Verdict cn1=100 cs4Label=File SHA256 cs4=a1b2c3d4e5f6...
```
Question 25 • easy • multiple choice

A company with 500 employees uses Cisco Web Security Appliance (WSA) as a proxy. They have a policy to block access to social media sites during working hours (9 AM - 5 PM) for all users except the marketing team. The marketing team must have unrestricted access at all times. The WSA is configured with a time-based access policy that blocks the 'Social Networking' category from 9 AM to 5 PM, and an identity policy that identifies the marketing team by Active Directory group. However, marketing users report that they are blocked from social media during working hours. What is the most likely cause?

Question 26 • medium • drag order

Drag and drop the steps to implement Cisco Umbrella (formerly OpenDNS) for DNS-layer security in the correct order.

Question 27 • medium • matching

Match each VPN type to its characteristic.


Connects entire networks over the internet

Allows individual users to connect securely

Uses web browser for clientless access

Provides encrypted tunnels using IPsec

Dynamic multipoint VPN for hub-and-spoke topologies

Question 28 • medium • multiple choice

A company uses Cisco WSA to proxy web traffic. After configuring a decryption policy to inspect HTTPS traffic to a specific external site, users report they can still access the site without any warning or interruption. Which action should the administrator take to ensure HTTPS inspection is applied?

Question 29 • easy • multiple choice

A network administrator is configuring Cisco Email Security Appliance (ESA) to prevent outgoing spam. The company wants to ensure that all outgoing emails contain a legal disclaimer and that any email with more than 20 recipients is delayed. Which two features should be combined?

Question 30 • hard • multiple choice

An enterprise is deploying a hybrid email security solution using Cisco Email Security Appliance (ESA) on-premises and Cisco Cloud Email Security (CES). The organization wants to use the cloud for spam filtering while the on-premises ESA handles DLP and encryption for sensitive data. Inbound emails should be processed by the cloud first, then sent to the on-premises ESA. Which architecture correctly implements this requirement?

Question 31 • medium • multiple choice

A company uses Cisco WSA in transparent mode. They want to bypass proxy processing for all traffic to a specific internal server (10.0.0.5) to reduce latency. They create an access policy with a custom URL category and add the server's IP to the 'Proxy Bypass' list. However, traffic to that server is still being proxied. What is the most likely cause?

Question 32 • easy • multiple choice

An administrator wants to prevent confidential data (e.g., credit card numbers) from being sent via email using Cisco ESA. Which feature should be enabled and configured with the appropriate dictionary?

Question 33 • hard • multiple choice

While troubleshooting an issue where Cisco ESA occasionally fails to process inbound messages, the administrator checks the listener settings and sees that the 'Pool of listeners' option is configured. The mail logs show 'Connection refused' errors during peak hours. What is the most likely cause?

Question 34 • medium • multiple choice

A company is deploying Cisco Cloud Web Security (CWS) using an on-premises connector. They want to authenticate users via Active Directory and apply granular policies based on user identity. Which authentication method should be configured on the connector?

Question 35 • easy • multiple choice

An administrator wants to block the download of executable files (.exe) via HTTP using Cisco WSA. Which approach is most effective?

Question 36 • hard • multiple choice

A company uses Cisco WSA with multiple authentication realms (LDAP, RADIUS, and local). They want to require multi-factor authentication (MFA) for external users but allow single sign-on (SSO) for internal corporate users. Which configuration approach should be used?

Question 37 • medium • multi-select

Which TWO actions can be configured in a Cisco ESA DLP policy to respond to a violation involving outbound credit card numbers? (Choose two.)

Question 38 • medium • multi-select

Which THREE steps should the administrator take to troubleshoot slow web browsing when using Cisco WSA? (Choose three.)

Question 39 • hard • multi-select

Which THREE components are part of a Cisco Cloud Web Security (CWS) deployment with on-premises connectors? (Choose three.)

Question 40 • easy • multiple choice

A company uses Cisco Web Security Appliance (WSA) to filter web traffic. The security team wants to block access to a specific category of websites (e.g., 'Social Networking') for all users except the HR department. Which WSA feature should be used to achieve this policy?

Question 41 • medium • multiple choice

An organization is migrating from on-premises Cisco ESA to Cisco Cloud Email Security (CES). They need to ensure that email encryption policies remain consistent after migration. What is the best approach to migrate the encryption policies?

Question 42 • hard • multiple choice

A network administrator notices that users in the finance department are unable to access a legitimate business web application that uses custom port 8443. The WSA is configured with a decryption policy that decrypts all traffic on port 443. What is the most likely cause of the issue?

Question 43 • easy • multiple choice

A company wants to allow employees to access webmail services but block any upload of attachments that contain malware. Which feature of Cisco WSA should be configured?

Question 44 • medium • multiple choice

During a security audit, it is discovered that some users are bypassing the proxy by using HTTPS tunnels over port 443. The WSA is configured with an explicit proxy mode. What additional configuration is needed to prevent such bypass?

Question 45 • hard • multiple choice

An administrator is troubleshooting an issue where emails sent to a specific external domain are being delayed by up to 30 minutes. The Cisco ESA is configured with multiple mail exchangers (MX) for delivery. The logs show that the ESA is attempting delivery to the primary MX, which is unresponsive, and failing over to the secondary MX after 30 minutes. What change should be made to reduce the delivery delay?

Question 46 • easy • multiple choice

A company wants to prevent users from downloading executable files (.exe) from the internet via the WSA. Which policy type should be configured?

Question 47 • medium • multiple choice

An organization uses Cisco ESA and wants to implement a policy that automatically encrypts emails containing credit card numbers before delivery. What feature should be used?

Question 48 • hard • multiple choice

A network administrator is configuring Cisco Umbrella for web security. They want to ensure that all DNS requests from branch offices are sent to Umbrella for policy enforcement, but they have limited control over the branch routers. What is the most effective deployment method?

Question 49 • easy • multi-select

Which TWO of the following are valid methods for deploying Cisco Web Security Appliance in a network? (Choose two.)

Question 50 • medium • multi-select

Which THREE of the following are capabilities of Cisco Email Security Appliance (ESA) for content filtering? (Choose three.)

Question 51 • hard • multi-select

Which TWO of the following are correct about Cisco Umbrella's multi-layered security approach? (Choose two.)

Question 52 • easy • multiple choice

A company uses Cisco Web Security Appliance (WSA) in explicit proxy mode. Users report that some HTTPS websites fail to load. The administrator checks the logs and sees that the WSA is not generating any certificate for those sites. What is the most likely cause?

Question 53 • medium • multiple choice

An administrator configures Cisco Email Security Appliance (ESA) to add a disclaimer to all outgoing emails using a content filter. The filter is enabled and matches all outgoing mail. However, some users report that the disclaimer is missing from their sent emails. Which action should the administrator take to troubleshoot?

Question 54 • hard • multiple choice

A security engineer deploys Cisco Advanced Malware Protection (AMP) for Endpoints with cloud-based detection. After installation, a sample malware is executed on a test endpoint, but the AMP console shows no detection or trajectory data. The endpoint shows a 'Connected' status. What is the most likely reason for the lack of detection?

Question 55 • easy • multiple choice

An organization is using Cisco Firepower Threat Defense (FTD) with URL filtering to block access to social media sites during work hours. After implementation, users can still access Facebook and Twitter. The access control policy is configured correctly with a URL category condition. What should the administrator verify first?

Question 56 • medium • multiple choice

A company uses Cisco Web Security Appliance (WSA) with transparent proxy mode. Recently, they enabled NTLM authentication. Some users are intermittently prompted for credentials while browsing. What is the most likely cause of this behavior?

Question 57 • hard • multiple choice

An administrator configures Cisco Email Security Appliance (ESA) with an outbreak filter to handle a new ransomware variant. The outbreak filter is set to 'Quarantine' for messages with a threat score above 70. After deployment, some legitimate emails with a threat score of 75 are quarantined. The administrator wants to reduce false positives without compromising security. Which configuration change should be made?

Question 58 • easy • multiple choice

A company wants to use Cisco Umbrella to block access to malicious domains. They have deployed the Umbrella roaming client on all endpoints. However, traffic from a specific application is still reaching a known malicious domain. What is the most likely reason?

Question 59 • medium • multiple choice

A security analyst notices that a Cisco Firepower Threat Defense (FTD) device is not applying file policies to detect malware in HTTP traffic. The access control policy has an HTTPS decryption rule that decrypts traffic from external sources. The file policy is associated with the same rule. What is the missing configuration?

Question 60 • hard • multiple choice

A company using Cisco Web Security Appliance (WSA) in explicit proxy mode has enabled HTTPS decryption with a custom CA certificate. A user reports that a specific banking website displays a certificate error message. The administrator verifies that the WSA is generating a certificate for that site. What is the most likely cause of the error?

Question 61 • medium • multi-select

Which TWO of the following are best practices when configuring Cisco Email Security Appliance (ESA) anti-spam filters? (Choose two.)

Question 62 • hard • multi-select

Which THREE of the following are valid considerations when deploying Cisco Advanced Malware Protection (AMP) for Networks on a Firepower system? (Choose three.)

Question 63 • easy • multi-select

Which THREE of the following are true regarding HTTPS decryption on Cisco Web Security Appliance (WSA)? (Choose three.)

Question 64 • easy • multiple choice

A security engineer is configuring Cisco WSA to block access to a new social media site that is not in any predefined URL category. Which action should the engineer take to ensure the site is blocked for all users?

Question 65 • medium • multiple choice

An administrator notices that some users receive spam messages even though the ESA policy is set to 'Quarantine' for suspected spam. The messages are not found in the user's spam quarantine. What is the most likely cause?

Question 66 • hard • multiple choice

A Cisco WSA appliance is configured with explicit proxy mode. Users report that they cannot access external HTTPS websites, but HTTP works fine. The proxy logs show 'SSL handshake failed' errors. What is the most likely reason?

Question 67 • easy • multiple choice

A company wants to prevent sensitive data such as credit card numbers from being sent via email. Which Cisco ESA feature should be enabled?

Question 68 • medium • multiple choice

A network administrator is troubleshooting why users in the marketing department cannot access a specific cloud storage site through the Cisco WSA. The access policy for marketing is set to 'Monitor' for the File Sharing category, but the site is blocked. What is the most likely reason?

Question 69 • hard • multiple choice

During an email security audit, it is discovered that encrypted emails sent between two partners are being silently dropped by the Cisco ESA. The ESA uses a policy that decrypts incoming S/MIME messages for scanning. What is the most likely cause of the dropped messages?

Question 70 • easy • multiple choice

A company is deploying Cisco Umbrella for web security. They want to enforce that all DNS requests from remote users using VPN are filtered. Which deployment method should be used?

Question 71 • medium • multiple choice

An administrator is configuring DLP on the Cisco ESA to block social security numbers (SSNs) in outgoing email. The policy is set to 'Drop' for SSN matches, but some emails containing SSNs are still being delivered. What step should the administrator take to troubleshoot?

Question 72 • hard • multiple choice

A Cisco WSA receives intermittent complaints that legitimate websites are being blocked. The access policy uses reputation scoring and URL filtering. The administrator checks the logs and finds that the blocked requests have a web reputation score of -2.0. What action should be taken to allow these legitimate sites while still blocking malicious ones?

Question 73 • easy • multi-select

Which TWO are valid methods for integrating Cisco Umbrella with an existing network to provide DNS-layer security?

Question 74 • medium • multi-select

Which THREE considerations must be taken when deploying SSL decryption on a Cisco WSA in explicit proxy mode?

Question 75 • hard • multi-select

Which THREE symptoms indicate that a Cisco ESA is experiencing a mail loop?

Question 76 • medium • multiple choice

A user in the marketing group reports that they cannot access twitter.com. The access policy summary is shown in the exhibit. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
# show accesspolicy summary

Policy Name: Marketing-Policy
User/Group: marketing_group
URL Category: Social Networking -> Block
Action: Monitor

Policy Name: Default-Policy
User/Group: Everyone
URL Category: Social Networking -> Monitor
Action: Monitor

# show urlfiltering categories
Social Networking: facebook.com, twitter.com, instagram.com
```
Question 77 • hard • multiple choice

An administrator reviewed the log entry from the Cisco ESA exhibit. The DLP policy is set to 'Continue (with disclaimer)' for credit card matches. How should the policy be changed to prevent this data leakage?

Exhibit

Refer to the exhibit.

```
! Cisco ESA Mail Flow Policy
! Policy: Outbound_Finance
! DLP: Enabled
! DLP Policy: PCI-DSS
! Action: Continue (with disclaimer)
! Encryption: None
! (DLP rules: credit card numbers, SSN)

! Log entry:
From: user@finance.company.com
To: vendor@external.com
Subject: Updated pricing
DLP verdict: CC_NUMBERS - credit card: 4111-1111-1111-1111
Policy action: Continue (with disclaimer)
Delivery: Delivered
```
Question 78 • hard • multiple choice

A multinational company has recently deployed Cisco WSA with explicit proxy for 10,000 users across two data centers. The WSA is configured with multiple identities based on IP subnets and authentication via LDAP. Users in the R&D department (subnet 192.168.10.0/24) are configured with an access policy that blocks all social media, but they can access web-based email like Gmail. The administrator receives complaints that R&D users cannot access a critical partner's HTTPS website (https://portal.partner.com) that is not categorized. The access policy for R&D has a default action of 'Monitor' for uncategorized URLs, but the site is blocked. The web reputation score for the site is +1.5 (low risk). The global web reputation threshold is set to -1.0. The administrator checks the access logs and sees that the request is denied with the reason 'URL is blocked by policy'. The R&D policy has an explicit 'Deny' action for the URL category 'Uncategorized URLs' set to 'Block', but the default action for the policy is 'Monitor'. The identity matching is correct. What is the most likely cause and solution?

Question 79 • easy • multiple choice

A company's Cisco WSA is configured with explicit proxy mode. Users report that they can browse the internet but cannot access internal websites hosted on the company's intranet. What is the most likely cause?

Question 80 • medium • multiple choice

An organization uses Cisco ESA to filter inbound email. The security team notices that some phishing emails are reaching users despite having an anti-spam policy. Further analysis reveals that the emails are sent from a domain that is gray-listed but not blocked. What should the administrator do to prevent these emails without impacting legitimate emails?

Question 81 • hard • multiple choice

A global company uses Cisco Umbrella to enforce security policies across roaming users. Recently, a user reported that they could not access a legitimate business application while connected to a guest Wi-Fi at an airport. The application is categorized as 'Productivity' in Umbrella. Other users outside the office can access it. What is the most likely reason?

Question 82 (medium, multiple choice)

A network administrator is deploying Cisco AMP for Endpoints to protect against advanced malware. They want to ensure that if a file is initially allowed but later determined to be malicious, the file is automatically blocked and quarantined on all endpoints that have executed it. Which AMP feature should be configured?

Question 83 (easy, multi select)

Which TWO of the following are common causes of email delivery delays in Cisco Email Security Appliance (ESA)? (Select exactly two.)

Question 84 (hard, multi select)

Which THREE of the following are best practices for deploying Cisco Web Security Appliance (WSA) in a large enterprise environment? (Select exactly three.)

Question 85 (hard, multiple choice)

A financial services company recently migrated from a legacy web filter to Cisco WSA in explicit proxy mode. The company has 5000 users across three offices, each connected via MPLS. The WSA is deployed in the data center. A week after deployment, users in the remote office report that web pages load extremely slowly, while users in the main office near the data center experience normal speeds. The network team confirms there is no WAN congestion. The WSA administrator checks the logs and sees that the remote users are being authenticated via NTLM and that the WSA's CPU and memory usage are below 50%. However, the number of concurrent connections from the remote office is very high, with many connections in a TIME_WAIT state. What is the most likely cause of the slow web performance for remote users?

Question 86 (medium, multiple choice)

A university is using Cisco ESA to manage email for 20,000 students and staff. They have implemented anti-spam and anti-virus policies. Recently, the IT helpdesk has been receiving complaints that legitimate emails from external senders (such as admissions notifications) are being marked as spam and quarantined. The administrators check the ESA and find that these emails are being flagged with a spam score above the threshold, but the content appears to be legitimate. The sending domains are not on any blacklist. The ESA is using default anti-spam settings. What should the administrator do to reduce false positives without compromising security?

Question 87 (easy, multiple choice)

A small business uses Cisco Umbrella to protect its 50 employees. One employee reports that they cannot access a specific website (www.example.com) that is required for their work. The administrator checks the Umbrella dashboard and sees that the domain is categorized as 'Social Networking' and is blocked by the company's policy. However, the employee argues that the website is actually a business tool. The administrator verifies that the website is indeed legitimate. What is the best course of action to restore access while maintaining security?

Question 88 (medium, multiple choice)

A multinational corporation uses Cisco AMP for Endpoints with cloud-based file reputation. The security team notices that a file that was previously determined to be clean (disposition: clean) is now reported as malicious by a threat intelligence feed. However, AMP has not taken any action on endpoints that already executed the file. The administrator confirms that retrospective security is enabled. What should the administrator check first to ensure that the file is remediated on all affected endpoints?

Question 89 (hard, multiple choice)

A large enterprise uses Cisco WSA with integrated Cisco Advanced Malware Protection (AMP) to inspect web traffic. The security policy dictates that all downloaded files should be scanned by AMP. Recently, a user downloaded a PDF file from a trusted vendor site, but the download was blocked by the WSA. The administrator checks the WSA logs and sees that the file was blocked due to AMP's 'File Reputation' score of 10 (high risk). However, the vendor confirms the file is legitimate. The administrator notes that the file is digitally signed by the vendor. What is the most appropriate next step to allow the file while maintaining security?

Question 90 (easy, multiple choice)

A hospital uses Cisco ESA for email security. The compliance team requires that all emails containing protected health information (PHI) be encrypted before leaving the organization. The administrator has configured a content filter that matches emails containing patterns like 'Patient ID: [0-9]{9}' and sends them to the encryption service. However, some encrypted emails are being rejected by the recipient's mail server because the encryption is applied after the email has already been processed. What is the most likely reason for this issue?

Question 91 (easy, multi select)

A security engineer is configuring Cisco Web Security Appliance (WSA) to block downloads of potentially malicious file types such as .exe and .scr. The engineer wants to ensure that these files are blocked even if they are hosted on trusted websites. Which TWO actions should the engineer take?

Question 92 (medium, multiple choice)

Refer to the exhibit. The engineer configured a file type filter for executables on access policy Policy_A. However, .exe files from trusted_sites are still being allowed. What is the most likely reason for this behavior?

Exhibit

! --- show running-config excerpt from WSA ---
! access policy: Policy_A
! ...
! objects:
! custom-url-category: trusted_sites
! 
! file-type-filter:
!   file-type-category: executables
!   action: monitor
!   include-subcategories: true
! 
! access-policy: Policy_A
!   url-category: trusted_sites
!   file-reputation: use-default
!   file-type-filter: executables
!   action: allow
! ...

Question 93 (hard, multiple choice)

A large enterprise recently migrated to Cisco Email Security Appliance (ESA) for inbound email filtering. The security team notices an increasing number of phishing emails that bypass the spam filter. Analysis shows that these emails originate from a legitimate but compromised domain (example-bank.com), use valid DKIM signatures, and have low spam scores due to carefully crafted benign text and embedded images. The team already has SenderBase enabled and uses the default spam threshold. The CEO received a convincing phishing email that led to a credential leak. Which course of action should the security team take to best mitigate this threat without causing significant false positives?
