Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


350-701 Security Concepts • Complete Question Bank

350-701 Security Concepts — All Questions With Answers

Complete 350-701 Security Concepts question bank — all 0 questions with answers and detailed explanations.

72 questions
Question 1 (medium, multiple choice)

A network security engineer is deploying Cisco Firepower Threat Defense (FTD) in a data center. The requirement is to inspect traffic between two internal VLANs while allowing the firewall to enforce access control policies based on source and destination zones. Which deployment mode should the engineer use?

Question 2 (hard, multiple choice)

A security architect is designing a zero-trust architecture for a remote workforce using Cisco SD-WAN. The company requires that all traffic between branch sites and the data center is encrypted and authenticated, and that no device can access resources unless it has a valid certificate. Which technology should be used to enforce device identity?

Question 3 (easy, multiple choice)

An engineer is troubleshooting a Cisco ASA firewall and notices that traffic from a specific subnet is being dropped. The engineer wants to verify if the drop is due to an access control list (ACL) or an inspection policy. Which command should be used to see the reason for packet drops?

Question 4 (medium, multi select)

Which TWO of the following are valid approaches to mitigate ARP spoofing attacks on a switched network?

Question 5 (hard, multi select)

Which THREE of the following are key principles of the Cisco Zero Trust security model?

Question 6 (medium, multiple choice)

Refer to the exhibit. An engineer has configured IP Source Guard and DHCP Snooping. A host with MAC 00:11:22:33:44:55 on Gi0/0 is assigned IP 192.168.1.10 via DHCP. However, the host cannot ping its default gateway 192.168.1.1. What is the most likely cause?

Exhibit:

```
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip verify source
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip verify source
!
ip dhcp snooping vlan 1-100
ip dhcp snooping information option
ip dhcp snooping
!
ip source binding 00:11:22:33:44:55 vlan 10 192.168.1.10 interface GigabitEthernet0/0
!
```
Question 7 (hard, multiple choice)

Refer to the exhibit. An engineer is analyzing an intrusion policy on Cisco Firepower Management Center (FMC). The network uses Windows servers and clients. A flood of HTTP traffic is being detected as a potential attack, but it is legitimate. Which preprocessor configuration change would most likely reduce false positives without losing detection of real attacks?

Exhibit:

```
! Cisco FMC intrusion policy snippet
preprocessor global_sensitivity: sensitivity_level high
preprocessor frag3: frag3_engine policy=first, bind_to=0.0.0.0
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy=windows, use_static_footprint_sizes yes
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect: default_inspect_http_profiles
preprocessor smtp: ports 25 465 587
!
```
Question 8 (easy, multiple choice)

A company is implementing Cisco Umbrella to provide DNS-layer security. They want to block access to known malicious domains while allowing all other traffic. Which policy configuration should be used?

Question 9 (medium, multiple choice)

An engineer is configuring Cisco ISE for guest access. The requirement is that guests must accept an acceptable use policy (AUP) before being granted network access. Which portal type should be used?

Question 10 (medium, multi select)

Which TWO of the following are valid methods for authenticating VPN users in a Cisco AnyConnect deployment?

Question 11 (hard, multi select)

Which THREE of the following are common indicators of a DDoS attack at the network layer?

Question 12 (hard, multiple choice)

A financial company has a data center with Cisco FTD firewalls in a high-availability pair. They use Cisco ISE for network access control and Cisco Stealthwatch for network visibility. Recently, they deployed a new web application that is accessed by both internal employees and external customers. The application uses HTTPS on port 443. After deployment, the security team notices that the FTD is dropping some HTTPS sessions that appear legitimate. The drops are inconsistent and seem to occur only during peak hours. The FTD logs show the drop reason as 'TCP state violation'. The team has verified that the web server and clients are configured correctly. The Stealthwatch reports show no anomalies. What is the most likely cause and solution?

Question 13 (easy, multiple choice)

A security engineer is configuring a Cisco ASA to block traffic from a specific IP address. Which access control entry (ACE) should be applied to the inbound direction of the outside interface?

Question 14 (medium, multiple choice)

A company is deploying Cisco Umbrella to protect against DNS-based threats. Which deployment method provides the most comprehensive coverage for all devices on the network without requiring per-device configuration?

Question 15 (hard, multiple choice)

An engineer is troubleshooting traffic drops on a Cisco Firepower Threat Defense (FTD) device. The traffic is allowed by the access control policy but is being dropped. Which feature should the engineer check to identify the cause of the drop?

Question 16 (medium, drag order)

Drag and drop the steps to configure 802.1X port-based authentication on a Cisco switch in the correct order.

Question 17 (medium, drag order)

Drag and drop the steps to recover a lost password on a Cisco IOS router in the correct order.

Question 18 (medium, matching)

Match each protocol to its default port number.

Port numbers to match: 443, 22, 53, 25, 161

Question 19 (medium, matching)

Match each Cisco security solution to its primary use case.

Use cases to match:
Next-generation firewall and IPS
DNS-layer security and web filtering
Endpoint threat detection and response
Network access control and policy enforcement
Network traffic analysis and anomaly detection

Question 20 (easy, multiple choice)

A network engineer is configuring a new firewall to enforce security policies between two internal VLANs. The goal is to allow only HTTP traffic from the finance VLAN to the HR VLAN, while blocking all other traffic. Which type of firewall rule should be applied to achieve this requirement with minimal administrative overhead?

Question 21 (medium, multiple choice)

A company is implementing a Zero Trust architecture. The security team needs to ensure that all traffic between workloads in a private cloud is encrypted and mutually authenticated. Which solution best meets these requirements?

Question 22 (hard, multiple choice)

During a security audit, a penetration tester discovers that a Cisco ASA firewall is configured with a rule that permits traffic from the inside interface with a source IP address in the RFC 1918 range to the outside interface. The rule uses the 'inspect' command for HTTP and FTP. Which potential vulnerability does this configuration introduce?

Question 23 (easy, multiple choice)

A security administrator is tasked with implementing a solution that provides single sign-on (SSO) for users accessing multiple enterprise applications. The solution must support SAML 2.0 and integrate with the existing Microsoft Active Directory. Which component is essential for this architecture?

Question 24 (medium, multiple choice)

A network engineer is troubleshooting an issue where users on a specific VLAN cannot access the internet through a Cisco ASA firewall. The ASA has a default route pointing to the ISP router. The security policy includes an ACL that permits all traffic from the inside interface to the outside interface. What is the most likely cause of the problem?

Question 25 (hard, multiple choice)

A security engineer is evaluating a web application firewall (WAF) rule set. The application uses a custom REST API that accepts JSON payloads. Which WAF rule is most effective at preventing SQL injection attacks while minimizing false positives?

Question 26 (easy, multiple choice)

An organization wants to restrict administrative access to Cisco network devices based on the time of day and source IP address. Which technology should be used?

Question 27 (medium, multiple choice)

A company deploys Cisco ISE for network access control. They want to enforce that only employees with a valid certificate and a compliant posture can access the corporate Wi-Fi. Which policy combination should be used?

Question 28 (hard, multiple choice)

A security engineer is analyzing logs from a Cisco ASA. They notice that a specific internal host is generating a high volume of outbound TCP SYN packets to multiple external IP addresses on port 443, but no SYN-ACK responses are received. What is the most likely explanation?

Question 29 (medium, multi select)

Which TWO of the following are best practices for securing Cisco routers against unauthorized access? (Choose two.)

Question 30 (hard, multi select)

Which THREE of the following are valid characteristics of a next-generation firewall (NGFW) compared to a traditional stateful firewall? (Choose three.)

Question 31 (easy, multi select)

Which TWO of the following are common security objectives of the Cisco TrustSec solution? (Choose two.)

Question 32 (medium, multiple choice)

Refer to the exhibit. A network administrator applies the ACL to the interface. What is the effect on traffic inbound to the interface?

Exhibit:

```
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group INBOUND in
!
access-list 100 permit tcp any host 192.168.1.100 eq 80
access-list 100 deny ip any any
```
Question 33 (hard, multiple choice)

Refer to the exhibit. The crypto map is applied to an interface. Which additional configuration is necessary for IPsec to function correctly?

Exhibit:

```
ipsec proposal MY_PROPOSAL
 esp encryption aes-256
 esp integrity sha256
!
crypto map MY_MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set MY_SET
 match address 100
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
```
Question 34 (easy, multiple choice)

Refer to the exhibit. A user attempts to SSH to the router. The RADIUS server is unreachable. What will happen?

Exhibit:

```
! RADIUS server configuration
radius server MY_RADIUS
 address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
 key cisco123
!
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
```
Question 35 (easy, multiple choice)

A network engineer needs to implement a security solution that provides encryption, integrity, and authentication at Layer 2 between two switches. Which technology should be used?

Question 36 (medium, multiple choice)

An organization wants to enforce micro-segmentation in a data center to isolate application tiers. Which Cisco technology allows defining security policies based on endpoint groups rather than IP addresses?

Question 37 (hard, multiple choice)

A security administrator discovers that users are evading the corporate firewall by using SSH to tunnel HTTP traffic to external servers. Which action can be taken on a Cisco ASA firewall to detect and prevent this?

Question 38 (easy, multiple choice)

Which Cisco ISE node is responsible for authenticating endpoints and enforcing access policies?

Question 39 (medium, multiple choice)

A company is deploying a new remote access solution for teleworkers. They need to ensure that only company-owned devices can connect, and that the devices meet security posture requirements. Which combination of technologies should be used?

Question 40 (hard, multiple choice)

During a security incident, it is observed that a server behind a Cisco ASA is being accessed repeatedly with different source IPs in a short time. The firewall logs show many dropped packets to the server's IP on port 443. What is the most effective mitigation to reduce the impact while maintaining legitimate access?

Question 41 (easy, multiple choice)

Which Cisco TrustSec feature uses a classification packet to carry security group information across network devices?

Question 42 (medium, multiple choice)

A network team is configuring Cisco FTD for a new branch office. They want to allow outbound web traffic but block all inbound traffic except for a specific public server. Which policy type should be used to allow the return traffic for outbound connections?

Question 43 (hard, multiple choice)

An engineer is troubleshooting an IPsec VPN between two Cisco routers. The tunnel is up, but traffic is not passing. The encryption domain on both sides is correctly configured. What is the most likely cause?

Question 44 (easy, multi select)

Which TWO of the following are components of Cisco TrustSec?

Question 45 (medium, multi select)

Which THREE of the following are benefits of using Cisco ISE for network access control?

Question 46 (hard, multi select)

Which TWO of the following are true about MACsec?

Question 47 (easy, multiple choice)

Refer to the exhibit. The tunnel is established but no traffic is encrypted. What is the most likely issue?

Exhibit:

```
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set ESP-AES256-SHA
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
```
Question 48 (medium, multiple choice)

Refer to the exhibit. What is the most likely reason for the high number of 'No route to host' drops on a Cisco ASA?

Exhibit:

```
show asp drop
Frame drop:
  No route to host                        100
  Access list deny                         50
  Flow blocked (other)                      0
Flow drop:
  No valid session                        20
  Stateful ACL check failed                 5
Cluster drop: 0
```
Question 49 (hard, multiple choice)

Refer to the exhibit. An administrator notices that DNS responses larger than 512 bytes are being dropped. Which configuration change should be made to allow larger DNS responses?

Exhibit:

```
show running-config | section policy-map
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rpc
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect sip
  inspect pptp
  inspect icmp
  inspect icmp error
  inspect ip-options
 class class-default
  set connection advanced-options UMBC_Inside
```
Question 50 (medium, multiple choice)

A company is designing a secure segmentation strategy for a three-tier web application. They want to isolate the web, application, and database tiers while allowing only necessary traffic. Which design best achieves defense-in-depth while minimizing complexity?

Question 51 (easy, multiple choice)

Which security principle ensures that a user or system is granted only the minimum permissions necessary to perform a specific function?

Question 52 (hard, multiple choice)

A network engineer is troubleshooting a site-to-site IPsec VPN that fails to establish. The IKE phase 1 completes successfully, but phase 2 fails. The debug output shows 'IPSEC(validate_proposal): transform set proposal mismatch'. Both peers have the same transform set configured. What is the most likely cause?

Question 53 (medium, multiple choice)

A network administrator is configuring management access on a Cisco router. The requirement is to provide encrypted remote access with AAA authentication and fallback to local credentials if the AAA server is unavailable. Which configuration best meets these requirements?

Question 54 (easy, multiple choice)

Which security concept involves creating multiple layers of defense so that if one layer is breached, subsequent layers still provide protection?

Question 55 (hard, multiple choice)

An organization discovers that a man-in-the-middle attack was successfully performed using a forged certificate issued by a trusted CA. The legitimate CA’s private key was compromised. Which PKI component was breached?

Question 56 (medium, multiple choice)

A company uses Cisco ISE for network access control. They want to allow employee-owned devices to access the guest network after a simple registration, while corporate devices get full access. Which ISE configuration best achieves this?

Question 57 (easy, multiple choice)

Which type of firewall is best suited to inspect application-layer traffic and protect against exploits like SQL injection?

Question 58 (easy, multiple choice)

After applying a new extended ACL inbound on an interface, users report they can no longer reach a critical server on a different subnet. The ACL permits the server's IP and required ports. What is the most likely cause?

Question 59 (medium, multi select)

Which TWO methods can be used to enforce least privilege within a network infrastructure? (Choose two.)

Question 60 (hard, multi select)

Which THREE elements are essential components of a secure network architecture according to Cisco's SAFE model? (Choose three.)

Question 61 (easy, multi select)

Which TWO benefits does centralized RADIUS authentication provide over local authentication on network devices? (Choose two.)

Question 62 (medium, multiple choice)

Refer to the exhibit. An IPsec VPN tunnel between two routers is not passing traffic. IKE phase 1 is not complete (MM_NO_STATE). Phase 2 has no SA. Which issue is most likely causing the problem?

Exhibit:

```
Router1#show crypto ipsec sa peer 10.1.1.2
interface: Tunnel0
    Crypto map tag: VPN-CM, local addr 10.1.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
     path mtu 1500, ipsec overhead 66, media mtu 1500
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x0(0)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 0, flow_id: 0, sibling_flags 80000040, crypto map: VPN-CM
        sa timing: remaining key lifetime (k/sec): (0/0)
        IV size: 16 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x0(0)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 0, flow_id: 0, sibling_flags 80000040, crypto map: VPN-CM
        sa timing: remaining key lifetime (k/sec): (0/0)
        IV size: 16 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:

Router1#show crypto isakmp sa
dst             src             state          conn-id slot
10.1.1.2        10.1.1.1        MM_NO_STATE    1       0
```
Question 63 (hard, multiple choice)

Refer to the exhibit. A network engineer applies a zone-based firewall policy to a router. Users in the INSIDE zone report they can access HTTP servers on the OUTSIDE zone but cannot resolve DNS names or access MS-SQL servers. What does the policy do to DNS and MS-SQL traffic?

Exhibit:

```
policy-map type inspect INSPECT-POLICY
 class type inspect BAD_TRAFFIC
  drop
 class type inspect GOOD_TRAFFIC
  inspect
!
class-map type inspect match-any BAD_TRAFFIC
 match protocol dns
 match protocol ms-sql
!
class-map type inspect match-any GOOD_TRAFFIC
 match access-group 100
!
zone security INSIDE
zone security OUTSIDE
zone-pair security ZP-IN-2-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSPECT-POLICY
```
Question 64 (hard, multiple choice)

A large enterprise with over 2,000 employees recently experienced a security breach. An attacker gained initial access through a phishing email and then moved laterally across the network to reach a critical database server. The network currently has a flat Layer 2 topology with all devices in a single large VLAN. The company wants to prevent lateral movement in the future while maintaining operational simplicity. They have a Cisco ISE deployment already but it is only used for wireless guest access. The security team is evaluating options. Option A: Deploy 802.1X with dynamic VLAN assignment across all wired ports. This would authenticate users and assign them to different VLANs based on identity. Option B: Implement micro-segmentation using Cisco TrustSec with Security Group Tags (SGTs) on the existing switches and enforce SGT-based policies on the firewalls. This would allow traffic control between groups regardless of IP. Option C: Install a next-generation firewall at the internet edge and enable IPS to block known attack signatures. Option D: Upgrade all access switches to support Private VLANs (PVLANs) and configure promiscuous ports for servers. Which solution BEST addresses the lateral movement problem while leveraging existing infrastructure?

Question 65 (medium, multi select)

A network administrator is configuring port security on a Cisco switch port connected to a single endpoint. The requirement is that only the first device that connects to the port is allowed, and any subsequent device that attempts to connect must trigger an error-disabled state. Which two features must be configured to meet this requirement?

Question 66 (easy, multiple choice)

A company deploys Cisco Firepower Threat Defense (FTD) in transparent mode. They create an access control rule to allow HTTP traffic from the inside network (10.10.10.0/24) to a web server at 192.168.1.100. The rule is configured with action 'Allow', a source zone 'inside', a destination zone 'outside', and an intrusion policy attached. After deployment, users report they cannot access the web server. The administrator verifies that the web server is reachable from other networks and that the FTD management interface is accessible. The FTD's packet capture shows no traffic matching the rule. The rule is listed first in the access control policy. What is the most likely cause of the problem?

Question 67 (medium, multiple choice)

A company deploys Cisco ASA with clientless SSL VPN to provide remote access to internal web-based applications. Users connect via a web browser and authenticate using RADIUS. The security policy requires that users re-authenticate after 15 minutes of inactivity. The administrator configures the group-policy with 'vpn-idle-timeout 15' and 'vpn-session-timeout 60'. After testing, the administrator finds that users can still access the internal web applications even after the VPN session has timed out. The administrator checks the ASA logs and confirms that the VPN session is indeed terminated. The web applications are standard HTTP-based and do not have their own session timeout mechanisms. What is the most likely cause of this issue?

Question 68 (hard, multiple choice)

A large enterprise uses Cisco TrustSec to enforce segmentation between departments. The network consists of Cisco Catalyst switches running IOS XE with IP ACLs and Security Group Tags (SGTs). The security policy requires that traffic from the Engineering group (SGT=10) to the Finance group (SGT=20) be allowed only to TCP port 443. The administrator configures a Security Group Access Control List (SGACL) on Cisco ISE with a permit statement for TCP 443 and a deny for all other traffic, and pushes it to the switches. After deployment, they notice that Engineering users can access Finance servers not only on TCP 443 but also on other ports. The administrator verifies that the SGACL is correctly configured on ISE and that the switches are receiving the SGTs. Additionally, the switches have IP ACLs on the interfaces. What is the most likely cause of this issue?

Question 69 (medium, multiple choice)

A network administrator is configuring Cisco Firepower Threat Defense (FTD) in routed mode to provide intrusion prevention (IPS) for internal traffic. They create an access control rule that allows traffic from the internal network (10.0.0.0/8) to the internet, and they attach an intrusion policy to this rule. After deploying the configuration, they generate known malicious traffic from a test host and observe that no alerts are triggered in the Firepower Management Center (FMC). The administrator checks the FTD and confirms that the Snort process is running, and the rule is at the top of the access control policy with action 'Allow'. What is the most likely cause of this issue?

Question 70 (medium, multiple choice)

Refer to the exhibit. An administrator has configured the router with zone-based firewall rules. Traffic from the DMZ zone to the OUTSIDE zone is being dropped, although traffic from the INSIDE zone to the OUTSIDE zone flows normally. The DMZ zone is configured with security-level 50 and the INSIDE zone with 100. What is the most likely cause of the dropped traffic?

Exhibit:

```
zone-pair security ZP_INSIDE_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_OUT_POLICY
!
class-map type inspect match-any DMZ_OUT_TRAFFIC
 match protocol tcp
 match protocol udp
!
policy-map type inspect DMZ_OUT_POLICY
 class type inspect DMZ_OUT_TRAFFIC
  inspect
 class class-default
  drop
```
Question 71 (easy, multi select)

Which TWO of the following are core components of the Cisco Identity Services Engine (ISE) for policy enforcement?

Question 72 (hard, multiple choice)

A financial institution with a flat Layer 2 network has experienced a ransomware incident where an infected workstation in the accounting department propagated laterally to a server in the finance department. The network spans 10 switches connected in a star topology with a collapsed core. The IT team wants to implement segmentation to contain such threats in the future, without requiring major hardware upgrades and with minimal change to IP addressing. The network currently uses a single VLAN with /16 subnet. Which of the following approaches would BEST achieve the segmentation goal, considering the constraints?
