Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Network Security practice sets

350-701 Network Security • Complete Question Bank

350-701 Network Security — All Questions With Answers

Complete 350-701 Network Security question bank — all 0 questions with answers and detailed explanations.

125
Questions
Free
No signup
Certifications/350-701/Practice Test/Network Security/All Questions
Question 1easymultiple choice
Read the full Network Security explanation →

An engineer is configuring a Cisco ASA and needs to ensure that traffic from the outside interface to a web server on the DMZ is allowed. The inside interface is security level 100 and the DMZ is level 50. The outside interface is level 0. Which statement about the default traffic flow is true?

Question 2mediummultiple choice
Read the full NAT/PAT explanation →

A network administrator is configuring NAT on a Cisco ASA to allow internal users to access the internet using a single public IP address. The internal network uses RFC 1918 addresses. Which type of NAT should be configured?

Question 3hardmultiple choice
Study the full QoS explanation →

An engineer is configuring a Modular Policy Framework (MPF) on a Cisco ASA to inspect HTTP traffic and apply QoS. The engineer creates a class-map to match HTTP traffic using the 'match port tcp 80' command. However, the policy is not being applied correctly. What is the most likely reason?

Question 4mediummultiple choice
Read the full Network Security explanation →

A company uses Cisco Firepower Threat Defense (FTD) managed by FMC. They need to create an access control policy that allows traffic from specific source IPs to a web server, but blocks all other traffic. How should the rule base be ordered?

Question 5easymultiple choice
Read the full Network Security explanation →

A security administrator is investigating an alert from an IPS that detected a SQL injection attempt. The alert was triggered by a signature that looks for specific patterns in the traffic. What type of detection method is this?

Question 6mediummultiple choice
Read the full Network Security explanation →

A Cisco Firepower administrator configures an access control policy with a rule that trusts traffic from a specific source network. What is the effect of the trust action on the traffic?

Question 7hardmultiple choice
Read the full Network Security explanation →

An engineer is deploying a Cisco FTD in inline mode and wants to inspect SSL/TLS traffic using the 'decrypt-resign' action. What must be configured on the client devices to avoid certificate errors?

Question 8mediummultiple choice
Read the full VPN explanation →

A company is deploying Cisco AnyConnect SSL VPN and wants to enforce different access policies based on the endpoint's antivirus status. Which feature should be used?

Question 9easymultiple choice
Read the full VPN explanation →

A Cisco ASA is configured with a site-to-site VPN using IKEv2. Which component defines the encryption and authentication algorithms for the IPsec tunnel?

Question 10mediummultiple choice
Read the full Network Security explanation →

A security analyst is tuning Snort rules to reduce false positives. The analyst identifies a rule that triggers on a common benign application. Which action should be taken to suppress alerts for that specific traffic without disabling the rule entirely?

Question 11hardmultiple choice
Read the full Network Security explanation →

An engineer configures a Cisco FTD in a high-availability pair with active/standby failover. The primary unit fails, and the standby takes over. After the primary recovers, what must be done to ensure it resumes as active?

Question 12mediummultiple choice
Read the full Network Security explanation →

A company uses Cisco Firepower with FMC and wants to block access to social media websites for all users. Which feature should be used to create this policy?

Question 13mediummulti select
Read the full Network Security explanation →

A Cisco FTD is deployed in inline mode and configured with an access control policy. The policy includes rules with actions: Trust, Allow, Block, and Interactive Block. Which two statements about these actions are correct? (Choose two.)

Question 14hardmulti select
Read the full Network Security explanation →

An engineer is configuring a Cisco ASA to support a DMZ segment. Which three of the following are best practices for DMZ design? (Choose three.)

Question 15easymulti select
Read the full VPN explanation →

A network engineer is configuring site-to-site IPsec VPN on a Cisco ASA using IKEv2. Which two components are required for IKEv2 configuration? (Choose two.)

Question 16easymultiple choice
Read the full Network Security explanation →

An administrator configures a Cisco ASA with an interface named 'inside' at security level 100 and 'outside' at security level 0. Which statement about traffic flow is true?

Question 17mediummultiple choice
Read the full NAT/PAT explanation →

A network engineer is configuring NAT on a Cisco ASA for internal servers to be accessible from the internet. One server (10.1.1.10) must always be reachable via a fixed public IP (203.0.113.10). Which NAT type should be used?

Question 18mediummultiple choice
Read the full Network Security explanation →

An engineer is configuring an access control policy on Cisco FMC for FTD. The policy must allow HTTP traffic from the inside zone to the outside zone, but block all other traffic. Which rule configuration is correct?

Question 19easymultiple choice
Read the full Network Security explanation →

Which Snort rule action causes the FTD to drop a packet and generate an alert?

Question 20hardmultiple choice
Read the full Network Security explanation →

A Cisco FTD device is deployed in inline mode and configured with an SSL policy to decrypt traffic. The policy uses 'Decrypt - Known Key' for traffic to an internal server. What is required for this decryption to work?

Question 21mediummultiple choice
Read the full Network Security explanation →

An organization needs to inspect traffic between two internal zones (e.g., HR and IT) on a Cisco FTD. Which deployment mode is appropriate?

Question 22hardmultiple choice
Read the full VPN explanation →

An administrator is configuring a site-to-site IKEv2 VPN between two Cisco ASAs. Which configuration component defines the encryption and authentication algorithms for the IPsec SA?

Question 23easymultiple choice
Read the full Network Security explanation →

What is the primary difference between signature-based and anomaly-based intrusion detection?

Question 24mediummultiple choice
Read the full Network Security explanation →

An organization deploys Cisco FTD in a high-availability pair using active/standby. If the active unit fails, what happens to existing connections?

Question 25hardmultiple choice
Read the full Network Security explanation →

A Cisco FMC administrator needs to create a file policy to detect malware in HTTP downloads. The policy should allow the file to be delivered if it is known clean, block if known malicious, and allow but capture for analysis if unknown. Which combination of actions is required?

Question 26mediummultiple choice
Read the full Network Security explanation →

Which Cisco FTD feature provides application visibility and control (AVC) to identify and block applications like Facebook or Skype?

Question 27easymultiple choice
Read the full Network Security explanation →

An administrator configures a Cisco ASA with a DMZ interface at security level 50. Traffic from the inside (level 100) to the DMZ (level 50) is allowed by default. What additional configuration is needed to allow traffic from the DMZ to the inside?

Question 28mediummultiple choice
Read the full Network Security explanation →

A security engineer is tuning Snort rules on a Cisco FTD to reduce false positives. Which action should be taken if a rule is generating alerts for legitimate traffic?

Question 29hardmultiple choice
Read the full VPN explanation →

An organization uses Cisco AnyConnect SSL VPN with DTLS enabled. What is the primary benefit of DTLS?

Question 30mediummultiple choice
Read the full Network Security explanation →

A network architect is designing a DMZ for a web server that must be accessible from the internet. The server should not initiate connections to the internal network. Which firewall rule best achieves this?

Question 31mediummulti select
Read the full VPN explanation →

An administrator is configuring Dynamic Access Policies (DAP) on a Cisco ASA for AnyConnect VPN. Which two attributes can be used to create DAP rules? (Choose two.)

Question 32hardmulti select
Read the full Network Security explanation →

A Cisco FTD is configured with an access control policy that includes an intrusion policy. Which three actions can be set in an access control rule regarding intrusion inspection? (Choose three.)

Question 33mediummulti select
Read the full Network Security explanation →

An organization is planning to deploy Cisco FTD in a high-availability pair. Which two statements about active/active failover are true? (Choose two.)

Question 34mediummulti select
Read the full Network Security explanation →

A security administrator is configuring URL filtering on Cisco FTD. Which three categories are commonly used in URL filtering policies? (Choose three.)

Question 35hardmulti select
Read the full VPN explanation →

An engineer is configuring a Cisco ASA for site-to-site IKEv2 VPN with a VTI. Which two statements about VTI are true? (Choose two.)

Question 36mediummultiple choice
Read the full NAT/PAT explanation →

An engineer is configuring an ASA to allow inbound HTTP traffic from the outside to a server on the DMZ. The outside interface has security level 0 and the DMZ interface has security level 50. Which set of commands correctly implements the required access and NAT?

Question 37mediummultiple choice
Read the full Network Security explanation →

A security administrator is configuring a Cisco FTD device using FMC. The goal is to block traffic from a specific country and allow all other traffic. Which action should be taken in the access control policy?

Question 38easymultiple choice
Read the full Network Security explanation →

On a Cisco ASA, which table holds information about translated addresses for active connections?

Question 39hardmultiple choice
Read the full Network Security explanation →

An engineer is tuning Snort signatures on a Cisco FTD to reduce false positives. A rule triggers on legitimate traffic that matches a known exploit pattern but is actually benign. Which tuning technique would be most appropriate to suppress the alerts without completely disabling the rule?

Question 40mediummultiple choice
Read the full VPN explanation →

A company uses Cisco AnyConnect for remote access VPN. They want to allow only specific Active Directory groups to access the corporate network. Which feature on the ASA or FTD should be configured to enforce this?

Question 41mediummultiple choice
Read the full Network Security explanation →

A Cisco FTD is deployed in inline mode and is configured with a file policy to detect malware. When a file is transferred, the FTD computes a SHA-256 hash and checks it against AMP cloud. The cloud returns 'unavailable' for the hash. What action will the FTD take by default?

Question 42easymultiple choice
Read the full VPN explanation →

Which type of VPN on Cisco ASA is typically used for site-to-site connectivity and encrypts all traffic between two sites?

Question 43hardmultiple choice
Read the full NAT/PAT explanation →

An organization has a Cisco ASA with two interfaces: inside (security 100) and outside (security 0). They want to allow traffic from inside to outside without NAT for a specific subnet. Which configuration achieves this?

Question 44mediummultiple choice
Read the full Network Security explanation →

A security analyst is monitoring the Cisco FMC and notices a high number of false positives from an intrusion rule that detects SQL injection attempts. The legitimate web application frequently generates similar patterns. Which course of action would reduce false positives while maintaining detection for actual attacks?

Question 45easymultiple choice
Read the full Network Security explanation →

Which of the following is a characteristic of a stateful firewall like Cisco ASA?

Question 46mediummultiple choice
Read the full Network Security explanation →

A Cisco FTD is configured with SSL/TLS inspection using the 'decrypt-known-key' method. Which traffic can be decrypted with this method?

Question 47hardmultiple choice
Read the full Network Security explanation →

A network engineer is deploying a Cisco FTD in active/standby high availability. Which statement is true about the configuration synchronization?

Question 48mediummulti select
Read the full Network Security explanation →

A security administrator is deploying a Cisco ASA in a DMZ architecture. The inside interface is security 100, outside interface is security 0, and DMZ interface is security 50. Which TWO statements about traffic flow are correct?

Question 49mediummulti select
Read the full Network Security explanation →

A company is designing a network segmentation strategy using firewalls. Which THREE considerations are important for a defense-in-depth approach?

Question 50hardmulti select
Review the full subnetting walkthrough →

A Cisco FTD is configured with an access control policy that includes a rule to allow traffic from a specific source subnet. However, traffic is being blocked. Which TWO possible causes should be checked?

Question 51easymultiple choice
Read the full Network Security explanation →

Which interface security level is assigned to the inside interface on a Cisco ASA by default?

Question 52mediummultiple choice
Read the full NAT/PAT explanation →

An engineer wants to configure NAT on a Cisco ASA such that multiple internal hosts share a single public IP address when accessing the internet. Which NAT type should be used?

Question 53hardmultiple choice
Read the full Network Security explanation →

A Cisco FTD device managed by FMC is processing traffic. An access control rule is configured with the action 'Interactive Block'. What behavior does this action trigger?

Question 54mediummultiple choice
Read the full Network Security explanation →

In a Snort intrusion detection rule, which part specifies the action to take when the rule matches?

Question 55mediummultiple choice
Read the full Network Security explanation →

An organization wants to deploy Cisco Firepower in a high-availability pair with active/standby failover. Which management solution allows this configuration?

Question 56easymultiple choice
Read the full Network Security explanation →

Which deployment mode allows a Cisco Firepower NGFW to inspect traffic without being in the direct forwarding path?

Question 57mediummultiple choice
Read the full VPN explanation →

A network engineer is configuring a site-to-site VPN between two Cisco ASAs using IKEv2. Which component defines the encryption and hash algorithms for Phase 2?

Question 58hardmultiple choice
Read the full Network Security explanation →

An engineer observes that the Cisco ASA connection table shows a consistent number of entries for UDP traffic, but the xlate table shows no entries. What is the most likely reason?

Question 59mediummultiple choice
Read the full Network Security explanation →

Which Cisco Firepower feature uses SHA-256 hashes to determine the disposition of files and block malware?

Question 60easymultiple choice
Read the full Network Security explanation →

On a Cisco ASA, which command applies a policy-map globally to all interfaces?

Question 61hardmultiple choice
Read the full Network Security explanation →

A Cisco FTD device is configured with an SSL decryption rule using 'Decrypt - Known Key'. In which scenario is this action appropriate?

Question 62mediummultiple choice
Read the full Network Security explanation →

In Cisco ASA modular policy framework, what is the function of a class-map?

Question 63mediummulti select
Read the full Network Security explanation →

A security analyst is tuning Snort IPS rules to reduce false positives. Which TWO strategies are effective?

Question 64mediummulti select
Read the full VPN explanation →

An engineer is configuring a Cisco AnyConnect SSL VPN for remote access. Which TWO features are commonly used to control access based on endpoint security posture?

Question 65hardmulti select
Read the full Network Security explanation →

A company wants to deploy a DMZ segment accessible from the internet. Which THREE considerations are critical for firewall zone design and security?

Question 66easymultiple choice
Read the full Network Security explanation →

An engineer is configuring a Cisco ASA to allow traffic from the inside (security level 100) to the outside (security level 0). They create an access list permitting HTTP traffic from inside to outside and apply it to the inside interface inbound. What is the expected behavior?

Question 67mediummultiple choice
Read the full VPN explanation →

A network administrator is configuring site-to-site IPsec VPN between two Cisco ASAs using IKEv2. They want to ensure that only specific subnets are encrypted, using Virtual Tunnel Interface (VTI). Which configuration element is essential for VTI?

Question 68hardmultiple choice
Read the full Network Security explanation →

A Cisco FTD device is deployed in inline mode and is configured with an access control policy that includes an Intrusion Policy set to 'Balanced Security and Connectivity' and a File Policy with Malware & File blocking enabled. Traffic from a host inside to an external server is allowed by an access control rule. The administrator notices that a file download (PDF) is being blocked even though the file has a good reputation. What is the most likely cause?

Question 69mediummultiple choice
Read the full Network Security explanation →

An organization is deploying Cisco Firepower Threat Defense (FTD) in a high-availability (HA) pair in active/standby mode. Which statement about state synchronization is true?

Question 70easymultiple choice
Read the full Network Security explanation →

A security analyst is reviewing Snort rule output and sees an alert with the following details: action: alert, protocol: tcp, src: any, dst: any, content: 'malicious'. What type of detection is this rule using?

Question 71mediummultiple choice
Read the full Network Security explanation →

A company uses Cisco Firepower Management Center (FMC) to manage multiple FTD devices. They want to create an access control policy that allows traffic from a specific user group (Active Directory) to access a web server on the internet, but blocks all other traffic from that group to the internet. Which identity source should be configured in FMC?

Question 72mediummultiple choice
Read the full VPN explanation →

An engineer is configuring Dynamic Access Policy (DAP) on an ASA for AnyConnect VPN. They want to assign different access policies based on the client's anti-virus status and device posture. What must be configured to obtain this information?

Question 73hardmultiple choice
Read the full Network Security explanation →

A Cisco FTD sensor is deployed in passive mode (IDS) and is receiving traffic via a network tap. The access control policy is configured with an intrusion policy set to 'Security over Connectivity'. However, the administrator notices that the sensor is not generating alerts for some attacks that were identified by a previous inline sensor. What is the most likely reason?

Question 74easymultiple choice
Read the full NAT/PAT explanation →

Which NAT type on a Cisco ASA translates both the source and destination IP addresses and is typically used to allow external hosts to access internal servers?

Question 75mediummultiple choice
Study the full ACL explanation →

A network architect is designing a DMZ for a web server farm. The ASA firewall will have three interfaces: inside (level 100), DMZ (level 50), and outside (level 0). They want to allow HTTP traffic from the internet to the DMZ web servers and also allow the web servers to initiate connections to the inside for database updates. What is the minimal ACL configuration to achieve this?

Question 76hardmultiple choice
Read the full Network Security explanation →

A Cisco FTD administrator is configuring SSL/TLS inspection. They want to inspect encrypted traffic to an external website that uses a certificate signed by a public CA. Which SSL/TLS inspection action should be used to decrypt this traffic?

Question 77mediummultiple choice
Read the full VPN explanation →

An organization is deploying Cisco AnyConnect VPN with split tunneling. They want to ensure that only traffic destined for the corporate network goes through the VPN tunnel, while internet-bound traffic goes directly. Which configuration element on the ASA controls this?

Question 78easymultiple choice
Read the full Network Security explanation →

Which Cisco Firepower management option is used for on-box management of a single FTD device, without a separate management center?

Question 79mediummultiple choice
Read the full Network Security explanation →

A security engineer is tuning an IPS to reduce false positives. They notice that legitimate traffic is triggering a signature for a worm that uses a specific HTTP GET request. The engineer wants to disable the signature for that specific traffic pattern but keep it enabled for other traffic. What is the best approach?

Question 80hardmultiple choice
Read the full Network Security explanation →

A Cisco FTD device is configured with an access control policy that has multiple rules. The first rule is 'Allow' for all traffic from the internal network to the internet. The second rule is 'Block' for traffic from a specific internal host to any destination. However, the administrator notices that the specific host can still access the internet. What is the most likely cause?

Question 81mediummulti select
Read the full Network Security explanation →

A security administrator is configuring a Cisco Firepower system for network discovery and wants to identify hosts and services on the network. Which two actions must be configured to enable network discovery? (Choose two.)

Question 82hardmulti select
Read the full VPN explanation →

A company is using Cisco ASA with AnyConnect VPN. They want to implement Dynamic Access Policy (DAP) to enforce access based on device compliance. Which two attributes can DAP use to evaluate endpoint posture? (Choose two.)

Question 83mediummulti select
Read the full Network Security explanation →

A network engineer is configuring a Cisco ASA to use the Modular Policy Framework (MPF) for advanced traffic inspection. Which three components are part of the MPF? (Choose three.)

Question 84easymulti select
Read the full Network Security explanation →

Which two actions are valid actions in a Cisco Firepower access control rule? (Choose two.)

Question 85mediummulti select
Read the full Network Security explanation →

A security analyst is investigating a potential intrusion and suspects that the IPS is missing some attacks (false negatives). Which two factors can contribute to false negatives in signature-based IPS? (Choose two.)

Question 86mediummultiple choice
Study the full ACL explanation →

An engineer configures a Cisco ASA firewall with three interfaces: inside (security level 100), outside (security level 0), and DMZ (security level 50). Traffic from the inside network to the DMZ network is sourced from 10.1.1.0/24 and destined to 192.168.1.0/24. The inside interface is configured with IP 10.1.1.1, DMZ interface with IP 192.168.1.1. An ACL on the inside interface permits IP traffic from 10.1.1.0/24 to 192.168.1.0/24. What happens when a packet from 10.1.1.10 to 192.168.1.10 arrives at the inside interface?

Question 87mediummultiple choice
Read the full VPN explanation →

A network administrator is configuring site-to-site VPN between two Cisco ASA firewalls using IKEv2. The administrator wants to ensure that the VPN tunnel uses the most secure encryption algorithm available. Which encryption algorithm should be selected in the IKEv2 proposal?

Question 88easymultiple choice
Read the full Network Security explanation →

Which statement accurately describes the difference between signature-based and anomaly-based intrusion detection?

Question 89hardmultiple choice
Read the full Network Security explanation →

An engineer is configuring Cisco Firepower Threat Defense (FTD) in inline NGFW mode. The access control policy must block all traffic from geolocation 'North Korea' and allow all other traffic. Which type of rule should be used and in what order should it be placed?

Question 90easymultiple choice
Read the full Network Security explanation →

In Cisco Firepower Management Center (FMC), which action in an access control rule will send a TCP RST to the source and destination and log the event?

Question 91mediummultiple choice
Read the full NAT/PAT explanation →

A Cisco ASA is configured with dynamic PAT to translate internal addresses to a single outside IP address. A user on the inside initiates a connection to an external web server. The ASA creates a connection entry. Which table is checked first when a return packet arrives from the web server?

Question 92hardmultiple choice
Read the full Network Security explanation →

An FTD device is deployed in passive mode. Which statement about its traffic processing is true?

Question 93mediummultiple choice
Study the full ACL explanation →

A Cisco ASA has three interfaces: inside (100), outside (0), and DMZ (50). A static NAT rule is configured to map the DMZ server 10.1.1.10 to outside address 200.1.1.10. An ACL on the outside interface permits traffic to 200.1.1.10. A host on the internet sends a packet to 200.1.1.10. What happens when the packet hits the outside interface?

Question 94easymultiple choice
Read the full VPN explanation →

Which of the following is a benefit of using Dynamic Access Policy (DAP) for AnyConnect SSL VPN?

Question 95mediummultiple choice
Study the full ACL explanation →

An engineer configures a Cisco ASA in a DMZ architecture. The DMZ hosts web servers that need to be accessible from the internet. Which security level should be assigned to the DMZ interface to ensure proper traffic flow without additional ACLs for return traffic?

Question 96hardmultiple choice
Read the full Network Security explanation →

In Cisco Firepower, a file policy is configured with a rule that detects malware. The action is set to 'Malware Cloud Lookup'. What happens if the SHA-256 hash of a file is unknown to the AMP cloud?

Question 97easymultiple choice
Read the full Network Security explanation →

Which component of a Snort rule specifies the action to take when the rule conditions are matched?

Question 98mediummultiple choice
Read the full Network Security explanation →

An engineer wants to configure high availability on a pair of Cisco Firepower Threat Defense (FTD) devices. Which HA mode supports active/standby failover with stateful replication of connection information?

Question 99hardmultiple choice
Read the full Network Security explanation →

In Cisco Firepower, an access control policy has multiple rules. Rule 1: Allow HTTP from any to any. Rule 2: Block HTTP from 10.0.0.0/8 to any. A packet from 10.0.0.1 to 192.168.1.1 with destination port 80 is inspected. What action is taken?

Question 100mediummultiple choice
Read the full Network Security explanation →

Which of the following is a characteristic of a 'false negative' in intrusion detection?

Question 101mediummulti select
Read the full VPN explanation →

A network security engineer is configuring Cisco ASA for remote access VPN using AnyConnect. Which two components must be configured to enable split tunneling? (Choose two.)

Question 102hardmulti select
Read the full Network Security explanation →

An engineer is deploying Cisco Firepower Threat Defense (FTD) in inline mode and needs to decrypt SSL traffic for inspection. Which two methods are supported by FTD for SSL decryption? (Choose two.)

Question 103easymulti select
Read the full Network Security explanation →

Which three actions are available in a Cisco Firepower access control rule? (Choose three.)

Question 104easymultiple choice
Read the full Network Security explanation →

An engineer needs to allow inbound HTTP traffic from the internet to a web server in the DMZ on a Cisco ASA. The DMZ interface security level is 50, and the outside interface is 0. Which interface direction should the access control entry be applied?

Question 105mediummultiple choice
Read the full VPN explanation →

A network administrator is configuring a site-to-site VPN between two Cisco ASA firewalls using IKEv2. Which component defines the encryption and authentication algorithms for the IPsec SA?

Question 106mediummultiple choice
Read the full Network Security explanation →

A security analyst notices a high number of false positives from an intrusion detection system (IDS) using signature-based detection. Which action would best reduce false positives while maintaining detection of real threats?

Question 107hardmultiple choice
Read the full Network Security explanation →

A Cisco FTD device is deployed inline and configured with an access control policy that includes a rule to block traffic from a specific source IP address. However, traffic from that IP is still passing through. What is the most likely cause?

Question 108easymultiple choice
Read the full NAT/PAT explanation →

On a Cisco ASA, which NAT type allows multiple internal hosts to share a single public IP address by using different source ports?

Question 109mediummultiple choice
Read the full Network Security explanation →

A company uses a Cisco FMC to manage multiple FTD devices. They want to decrypt SSL/TLS traffic from internal users to external websites using a known private key. Which SSL decryption method should they use?

Question 110mediummultiple choice
Read the full Network Security explanation →

A security engineer is configuring a Cisco FTD high availability pair in active/standby mode. Which statement is true about the failover configuration?

Question 111hardmultiple choice
Read the full Network Security explanation →

A Cisco ASA is configured with a modular policy framework to inspect HTTP traffic. The class-map matches HTTP traffic, and the policy-map applies inspection. Which command correctly applies the policy to an interface?

Question 112easymultiple choice
Read the full Network Security explanation →

Which Cisco Firepower management option allows direct device management without a separate server, using a web interface on the FTD itself?

Question 113mediummultiple choice
Read the full Network Security explanation →

An engineer wants to block traffic from a specific country on a Cisco FTD. Which feature should be used in the access control policy?

Question 114hardmultiple choice
Read the full Network Security explanation →

A Cisco FTD is configured with a file policy to detect malware. The policy includes a rule to block files with a SHA-256 hash that is known to be malicious. Which component provides the SHA-256 disposition?

Question 115mediummultiple choice
Read the full VPN explanation →

Which VPN technology allows Cisco AnyConnect clients to use UDP for transport to avoid TCP overhead and improve performance?

Question 116mediummulti select
Read the full Network Security explanation →

A Cisco FTD is deployed in a data center and needs to provide intrusion prevention and application control. Which two actions are available in an access control rule? (Choose two.)

Question 117hardmulti select
Read the full Network Security explanation →

An engineer is tuning an IPS on a Cisco FTD to reduce false positives. Which three techniques are effective? (Choose three.)

Question 118mediummulti select
Read the full VPN explanation →

A company uses Cisco AnyConnect for remote access VPN. Which two components are used to enforce policies based on endpoint posture? (Choose two.)

Question 119mediummultiple choice
Read the full Network Security explanation →

An engineer is configuring a Cisco ASA to allow inbound HTTPS traffic from the outside to a web server on the DMZ. The outside interface has security level 0, the DMZ interface has security level 50, and the inside has security level 100. Which set of commands correctly allows the traffic considering stateful inspection?

Question 120hardmultiple choice
Read the full Network Security explanation →

A Cisco FTD device is deployed in passive mode. The security team wants to block malicious traffic without affecting legitimate traffic. Which action should be used in the access control policy rule?

Question 121mediummultiple choice
Read the full Network Security explanation →

An organization is using Cisco FMC with FTD devices. They want to detect and block malware in HTTP traffic. Which policy component must be configured to inspect files and submit SHA-256 hashes to AMP cloud for disposition?

Question 122easymultiple choice
Read the full Network Security explanation →

Which of the following is a characteristic of anomaly-based intrusion detection compared to signature-based detection?

Question 123hardmultiple choice
Read the full VPN explanation →

A network security engineer is configuring site-to-site IPsec VPN between two Cisco ASA firewalls using IKEv2. Which of the following configuration elements is required to define the encryption and integrity algorithms for the IPsec SA?

Question 124mediummultiple choice
Read the full Network Security explanation →

An administrator configures a Cisco ASA with the following Modular Policy Framework (MPF) commands:

class-map type inspect http match any policy-map type inspect http http_policy parameters protocol-violation action reset service-policy http_policy global

What is the result of this configuration?

Question 125easymultiple choice
Read the full Network Security explanation →

In a Cisco FTD deployment, which management option allows on-box management without the need for a separate FMC server?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

350-701 Practice Test 1 — 25 Questions→350-701 Practice Test 2 — 25 Questions→350-701 Practice Test 3 — 25 Questions→350-701 Practice Test 4 — 25 Questions→350-701 Practice Test 5 — 25 Questions→350-701 Practice Exam 1 — 20 Questions→350-701 Practice Exam 2 — 20 Questions→350-701 Practice Exam 3 — 20 Questions→350-701 Practice Exam 4 — 20 Questions→Free 350-701 Practice Test 1 — 30 Questions→Free 350-701 Practice Test 2 — 30 Questions→Free 350-701 Practice Test 3 — 30 Questions→350-701 Practice Questions 1 — 50 Questions→350-701 Practice Questions 2 — 50 Questions→350-701 Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Security ConceptsNetwork SecurityEndpoint Security and IdentityCloud SecurityContent SecurityEndpoint Protection and DetectionSecure Network Access, Visibility and Enforcement

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Network Security setsAll Network Security questions350-701 Practice Hub