20+ practice questions focused on Network Security — one of the most tested topics on the Cisco SCOR / CCNP Security Core 350-701 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
Start Network Security PracticeA network engineer is troubleshooting an issue where users on VLAN 10 cannot access the internet, but they can reach internal resources. The firewall is configured with a default route pointing to the ISP router. The engineer notices that NAT is configured but traffic is not being translated. Which configuration is most likely missing?
Explanation: For NAT to translate traffic, the firewall must know which traffic to translate. An ACL is used to match the source IP addresses (or networks) that should be translated. Without an ACL applied to the NAT rule, the firewall has no criteria to identify traffic from VLAN 10 for translation, so packets are forwarded without NAT, causing internet access to fail while internal routing works.
A security engineer is implementing Cisco Identity Services Engine (ISE) for 802.1X authentication. The requirement is to allow full network access for corporate devices that pass posture assessment, while providing limited access for guest devices. The engineer configures an authorization policy with conditions based on identity group and posture status. However, guest devices are still getting full access. What is the most likely cause?
Explanation: Cisco ISE authorization policies are evaluated in top-down order, and the first matching rule is applied. If the corporate device rule is placed above the guest rule, guest devices that do not meet the posture condition may still match the corporate rule if the condition is not restrictive enough (e.g., if the identity group condition is broad or the posture check is not enforced as a required match). This results in guest devices receiving full access instead of the intended limited access.
A company wants to deploy a site-to-site VPN between two branch offices using Cisco IOS routers. The security policy requires that all traffic between the sites must be encrypted and authenticated using strong encryption. The engineer chooses IPsec with IKEv2. Which IPsec transform set configuration provides the strongest encryption and authentication?
Explanation: Option B is correct because it specifies AES-256 encryption, which is the strongest symmetric cipher available in IPsec transform sets, combined with ESP-SHA256-HMAC for integrity and authentication. IKEv2 supports these modern algorithms, and this configuration meets the requirement for strong encryption and authentication.
An engineer is configuring Cisco Firepower Threat Defense (FTD) with a pre-filter policy to block traffic from known malicious IP addresses before it reaches the access control policy. The pre-filter rules are configured to block traffic from the malicious IPs. However, the engineer notices that some traffic from those IPs is still being allowed. What is the most likely reason?
Explanation: Pre-filter rules are evaluated in order of priority (lower numbers first). If a rule with a higher priority number (lower priority) is configured to allow traffic, it will be matched before a lower-numbered (higher priority) block rule if the allow rule appears earlier in the sequence. This causes the traffic to be permitted before reaching the intended block rule, which is why some malicious IP traffic is still allowed.
A network administrator is configuring Cisco ASA with FirePOWER services. The administrator wants to inspect SSL traffic but is concerned about certificate pinning in modern applications. Which action should the administrator take to ensure that SSL inspection does not break applications that use certificate pinning?
Explanation: Option C is correct because certificate pinning hardcodes the expected certificate or public key within an application. If the ASA decrypts and re-encrypts the traffic using a different certificate (even one signed by a trusted CA), the pinned certificate will not match, causing the application to reject the connection. By creating an SSL decryption rule that excludes traffic from applications known to use certificate pinning, the administrator avoids breaking those applications while still inspecting other SSL traffic.
+15 more Network Security questions available
Practice all Network Security questions1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Network Security. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Network Security questions on the 350-701 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Network Security is tested as part of the Cisco SCOR / CCNP Security Core 350-701 blueprint. Practicing with targeted Network Security questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free 350-701 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Network Security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full Network Security practice session with instant scoring and detailed explanations.
Start Network Security Practice →