Courseiva
© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

350-701 Network Security • Complete Question Bank

350-701 Network Security — All Questions With Answers

Complete 350-701 Network Security question bank — all 0 questions with answers and detailed explanations.

58 Questions • Free • No signup

Question 1 • medium • multiple choice

A network engineer is troubleshooting an issue where users on VLAN 10 cannot access the internet, but they can reach internal resources. The firewall is configured with a default route pointing to the ISP router. The engineer notices that NAT is configured but traffic is not being translated. Which configuration is most likely missing?

Question 2 • hard • multiple choice

A security engineer is implementing Cisco Identity Services Engine (ISE) for 802.1X authentication. The requirement is to allow full network access for corporate devices that pass posture assessment, while providing limited access for guest devices. The engineer configures an authorization policy with conditions based on identity group and posture status. However, guest devices are still getting full access. What is the most likely cause?

Question 3 • easy • multiple choice

A company wants to deploy a site-to-site VPN between two branch offices using Cisco IOS routers. The security policy requires that all traffic between the sites must be encrypted and authenticated using strong encryption. The engineer chooses IPsec with IKEv2. Which IPsec transform set configuration provides the strongest encryption and authentication?

Question 4 • medium • multiple choice

An engineer is configuring Cisco Firepower Threat Defense (FTD) with a pre-filter policy to block traffic from known malicious IP addresses before it reaches the access control policy. The pre-filter rules are configured to block traffic from the malicious IPs. However, the engineer notices that some traffic from those IPs is still being allowed. What is the most likely reason?

Question 5 • hard • multiple choice

A network administrator is configuring Cisco ASA with FirePOWER services. The administrator wants to inspect SSL traffic but is concerned about certificate pinning in modern applications. Which action should the administrator take to ensure that SSL inspection does not break applications that use certificate pinning?

Question 6 • medium • multiple choice

An engineer applies the ACL shown in the exhibit to the inbound direction of interface GigabitEthernet0/0. The goal is to block all traffic from host 10.1.1.100 to the 192.168.0.0/16 network. However, traffic from 10.1.1.100 to 192.168.1.1 is still being permitted. What is the most likely reason?

Exhibit

Refer to the exhibit.

ip access-list extended BLOCK_TRAFFIC
 deny ip host 10.1.1.100 192.168.0.0 0.0.255.255
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK_TRAFFIC in

Question 7 • medium • multi select

Which TWO are valid methods for implementing Network Admission Control (NAC) in a Cisco environment?

Question 8 • hard • multi select

Which THREE are characteristics of Cisco Stealthwatch?

Question 9 • hard • multiple choice

A multinational company has deployed a Cisco Firepower 4100 series device as the perimeter firewall. The network consists of multiple internal segments: a corporate LAN (192.168.1.0/24), a data center (10.10.0.0/16), and a guest wireless network (172.16.0.0/16). The firewall is configured with the following access control policy rules:

1. Allow from any to any (for testing, but currently enabled)
2. Allow from corporate LAN to data center (destination ports TCP/443, TCP/8443)
3. Block from guest wireless to data center
4. Allow from any to internet (destination any)

Recently, the security team discovered that a host in the guest network (172.16.5.50) is communicating with a server in the data center (10.10.10.100) on TCP port 443. The security team wants to immediately block this traffic without affecting other legitimate communications. Which action should be taken first?

Question 10 • medium • multi select

A security engineer is configuring Cisco TrustSec on a network. Which TWO actions are required to enable TrustSec on a Cisco switch?

Question 11 • hard • multiple choice

Refer to the exhibit. An engineer configured 802.1X on two switch ports. On Gi1/0/1, a VoIP phone and a PC are connected via a hub. On Gi1/0/2, only a single PC is connected. Which port will successfully authenticate both devices, and what is the issue with the other port?

Exhibit

Refer to the exhibit.

interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast

interface GigabitEthernet1/0/2
 switchport access vlan 20
 switchport mode access
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 30
 spanning-tree portfast

Question 12 • easy • multiple choice

A large enterprise uses Cisco Firepower Threat Defense (FTD) as its next-generation firewall. The network team recently deployed a new application that uses HTTPS for all communications. Users report that the application is slow and sometimes fails to load pages. The security team suspects that SSL inspection might be causing the issue. The FTD is configured with an SSL policy that decrypts all HTTPS traffic using a self-signed certificate. The internal CA is not trusted by the application servers. Which action should the engineer take to resolve the performance and connectivity issues while maintaining security visibility?

Question 13 • medium • drag order

Drag and drop the steps to configure a Cisco IOS router as a Zone-Based Firewall (ZBF) in the correct order.

Question 14 • medium • drag order

Drag and drop the steps to configure a Cisco router as a DHCP server in the correct order.

Question 15 • medium • matching

Match each Cisco ASA feature to its description.


Modular Policy Framework for traffic inspection

High availability with active/standby or active/active

Graphical management interface

Command-line interface for configuration

VPN client for remote access

Question 16 • medium • matching

Match each encryption algorithm to its type.


Symmetric block cipher

Asymmetric public-key algorithm

Hash function

Symmetric block cipher (legacy)

Key exchange algorithm

Question 17 • easy • multiple choice

A network engineer is troubleshooting an IPsec VPN tunnel that fails to establish. The configuration includes a crypto map with a matching access list. Which command should be used to verify the security associations and error counters for the IPsec phase?

Question 18 • medium • multiple choice

A company is deploying a new ASA firewall in a DMZ design. They need to allow web traffic from the internet to a web server in the DMZ, while also permitting outbound traffic from the DMZ to the internet for software updates. Which access control approach best meets these requirements with minimal risk?

Question 19 • hard • multiple choice

An engineer is designing a FlexVPN deployment with multiple hub routers and spoke routers. The spokes need to establish tunnels to the closest hub based on latency. Which feature should be configured to achieve dynamic hub selection?

Question 20 • medium • multiple choice

A security administrator is reviewing firewall logs and notices that an internal user is generating excessive outbound DNS queries to a known malicious domain. The company uses Cisco Umbrella for DNS-layer security. How should the administrator investigate and block this traffic?

Question 21 • hard • multiple choice

A network administrator is configuring IKEv2 on a Cisco router and wants to ensure that the router does not initiate connections but only responds to incoming IKEv2 requests. Which configuration command should be applied?

Question 22 • easy • multiple choice

A Cisco ASA firewall is configured with multiple contexts. The administrator needs to allow traffic from a context to pass through the management context for management purposes. Which type of interface should be used for this inter-context communication?

Question 23 • medium • multiple choice

A network engineer is trying to establish a site-to-site IPsec VPN between two Cisco routers. The IKEv2 proposal uses AES-256 encryption and SHA-256 hash. On the remote router, the configuration shows only AES-128 and SHA-1. What will happen during IKEv2 negotiation?

Question 24 • hard • multiple choice

A company uses Cisco Firepower Threat Defense (FTD) managed by FMC. They want to enable URL filtering based on user identity from an Active Directory (AD) source. Which configuration steps are required on the FMC?

Question 25 • easy • multiple choice

An administrator is configuring a Cisco ASA 5500-X to perform SSL inspection for outbound traffic. The users must be able to access HTTPS websites without certificate errors. Which configuration step is essential for the ASA to perform decryption?

Question 26 • medium • multi select

Which TWO are best practices for securing Cisco ASA remote access VPN? (Choose two.)

Question 27 • hard • multi select

Which TWO are valid considerations for deploying Cisco Firepower NGIPS with inline mode? (Choose two.)

Question 28 • medium • multi select

Which THREE are valid components of an IKEv2 exchange? (Choose three.)

Question 29 • medium • multiple choice

A company has deployed Cisco AnyConnect VPN for remote access. They want to enforce that only company-managed devices with compliant antivirus and disk encryption can connect. Which solution should be added to the ASA?

Question 30 • easy • multiple choice

An engineer is troubleshooting a site-to-site IPsec VPN between two Cisco routers. The tunnel is not establishing. Which command would verify that IKE phase 1 negotiations have completed successfully?

Question 31 • easy • multiple choice

A network administrator is configuring 802.1X authentication on Cisco switches for wired endpoints. Which protocol is used between the client (supplicant) and the switch (authenticator)?

Question 32 • medium • multiple choice

A company wants to provide both corporate and guest wireless access using the same access points. They require that guest users be placed into a separate VLAN and have internet-only access. Which Cisco solution should be used?

Question 33 • easy • multiple choice

An administrator is troubleshooting authentication failures for VPN users. The RADIUS server is reachable via ping, but users receive 'AAA authentication failed'. Which command should be used to test communication with the RADIUS server?

Question 34 • hard • multiple choice

A security engineer is configuring a Cisco Firepower Threat Defense (FTD) device managed by FMC. They want to create a rule that blocks access to social media applications regardless of port or protocol. Which policy should be used?

Question 35 • hard • multiple choice

A security team suspects that malware is exfiltrating data by encoding it in DNS queries. Which Cisco security solution is specifically designed to analyze DNS traffic for malicious activity?

Question 36 • medium • multiple choice

A network engineer is configuring OSPF on a Cisco router and needs to enable authentication between neighbors. The authentication type should be MD5. Which configuration step is required?

Question 37 • hard • multiple choice

In a Cisco TrustSec deployment, security group tags (SGTs) are used to represent user and device roles. These tags must be propagated across the network. Which protocol is used to carry SGT information in Ethernet frames?

Question 38 • medium • multi select

Which TWO of the following are valid methods for deploying Cisco Firepower Threat Defense (FTD) in high availability?

Question 39 • hard • multi select

Which THREE of the following are features of Cisco Identity Services Engine (ISE) that can be used to enforce network access control?

Question 40 • easy • multi select

Which TWO of the following are required to configure a site-to-site IPsec VPN on a Cisco IOS router?

Question 41 • medium • multiple choice

Refer to the exhibit. An ASA is configured with the above access-list and NAT rule. A web server is reachable from the internet via the public IP 203.0.113.10. However, internal users from the inside network cannot access the web server using its public IP address. What is the most likely cause?

Exhibit

configure terminal
access-list OUTSIDE extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE extended permit udp any host 203.0.113.10 eq domain
nat (inside,outside) source dynamic any interface

Question 42 • hard • multiple choice

Refer to the exhibit. An engineer has configured the ACL on the GigabitEthernet0/0 interface. Which of the following is true about the effect of this ACL?

Exhibit

interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group INBOUND in
!
ip access-list extended INBOUND
 deny ip 10.0.0.0 0.255.255.255 any
 permit ip any any
!
interface Serial0/0/0
 ip address 172.16.1.1 255.255.255.252
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.1.0 0.0.0.3

Question 43 • easy • multiple choice

Refer to the exhibit. A security analyst sees this syslog message on a Cisco ASA. What does it indicate?

Exhibit

%ASA-4-106023: Deny tcp src outside:203.0.113.50/443 dst DMZ:10.10.10.10/80 by access-group "OUTSIDE"

Question 44 • easy • multiple choice

A network engineer is troubleshooting an issue where an endpoint is failing to authenticate via 802.1X on a Cisco switch. The switch port is in unauthorized state. Which step should the engineer take first to identify the root cause?

Question 45 • medium • multiple choice

A company has a site-to-site VPN between two ASA firewalls using IKEv2. The tunnel was working but after an upgrade, it fails. The engineer verifies that the pre-shared keys match, IKE proposals are compatible, and the crypto ACL is correctly defined. What is the next likely cause to investigate?

Question 46 • hard • multiple choice

A company uses FMC to manage FTD devices. After deploying a new intrusion policy, the analyst sees that no events are generated for a known vulnerability, even though the policy includes a rule for it. The analyst checks and the rule is enabled and the policy is applied. What is the most likely cause?

Question 47 • easy • multiple choice

An administrator is configuring Cisco ISE to profile endpoints. The administrator wants to ensure that endpoints are correctly identified based on MAC address and hostname. Which of the following is a prerequisite for successful profiling?

Question 48 • medium • multiple choice

A remote user is unable to connect to the corporate VPN using Cisco AnyConnect. The user has internet access and can reach the ASA's public IP. The ASA administrator checks and sees that the remote access VPN configuration is correct. What is the most likely client-side issue?

Question 49 • hard • multiple choice

An administrator is migrating an ASA firewall to a cloud environment and wants to use FlexConfig to push additional configuration. After applying the FlexConfig, the ASA does not show the expected commands. Which of the following is a likely reason?

Question 50 • medium • multi select

A network engineer is implementing Cisco TrustSec in an enterprise network. Which two components are required for TrustSec to function correctly? (Choose two.)

Question 51 • hard • multi select

A company is designing a remote access VPN solution using Cisco ASA with load balancing. Which three features are essential for high availability and redundancy? (Choose three.)

Question 52 • medium • multiple choice

A company has a Cisco ASA firewall configured with multiple access-lists applied to the outside interface. The security team is investigating reports that legitimate HTTPS traffic to a public web server located on a DMZ is intermittently being blocked. The firewall configuration includes an ACL that permits traffic to the web server's IP address on TCP 443, but also includes a general deny rule for all other traffic. The engineer notices that the permit rule is placed after a deny rule that blocks traffic from a specific source subnet that is used by internal users for testing. The internal users report that they can access the web server, but external users sometimes experience timeouts. What is the most likely cause of the intermittent blocking?

Question 53 • hard • multiple choice

A university is deploying 802.1X authentication for wired access using Cisco ISE. The network consists of Cisco Catalyst switches. The authentication is working for most users, but some users in a specific building are experiencing frequent authentication failures, especially during peak hours. The switches in that building are configured with RADIUS settings pointing to ISE. ISE logs show that authentication requests are being sent but sometimes time out. The network team suspects that the issue is related to RADIUS server load balancing, as the ISE deployment includes two nodes in a distributed model. What is the most likely cause of the timeouts?

Question 54 • hard • multiple choice

A financial institution uses Cisco Firepower Threat Defense (FTD) for intrusion prevention and SSL decryption. The security team recently enabled SSL decryption on the FTD to inspect encrypted traffic. After the change, some internal applications that use client certificates for authentication stopped working. The FMC shows that SSL decryption is configured to inspect traffic to specific destination IPs. The applications are using a custom port (TCP 8443) for HTTPS. The administrator has already added the custom port to the SSL decryption policy. What is the most likely reason the applications are failing?

Question 55 • medium • multiple choice

A company's remote employees use Cisco AnyConnect to connect to the corporate network. The VPN is configured with split tunneling so that only traffic to the corporate subnet (10.0.0.0/8) goes through the tunnel, and all other traffic goes directly to the internet. Recently, several employees reported that they cannot access the corporate file server (IP 10.2.3.4) even though they can connect to the VPN. The network team checks the ASA configuration and confirms that the split tunnel ACL includes the corporate subnet. The AnyConnect client shows that it is connected. What is the most likely cause of the issue?

Question 56 • easy • multi select

Which two conditions must be met for Cisco Firepower Threat Defense (FTD) to perform SSL decryption?

Question 57 • medium • multiple choice

Refer to the exhibit. A host with IP address 10.0.0.5 sends traffic to destination 192.168.2.10. The traffic is not being translated. What is the most likely cause?

Exhibit

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
access-list INSIDE_NAT extended permit ip 10.0.0.0 0.0.0.255 192.168.3.0 0.0.0.255
nat (inside,outside) source dynamic 10.0.0.0 255.255.255.0 interface

Question 58 • hard • multiple choice

A large enterprise uses Cisco ISE for network access control with 802.1X authentication (PEAP-MSCHAPv2) on wired ports. Access switches are Cisco Catalyst 3850s running IOS-XE 16.9, and ISE is version 2.7 with all patches. Recently, users in the finance department report intermittent connectivity issues when connecting to the network. The issue is sporadic: a user may connect successfully one day, then fail multiple times the next day. Switch logs show frequent 'EAP timeout' errors for these users. The network team has verified that the RADIUS servers are reachable and have sufficient CPU and memory. The ISE logs show no authentication failures, only that some EAP conversations are dropped mid-exchange. What is the most likely cause of these intermittent failures?
