Question 360 of 500
Content SecurityeasyMultiple ChoiceObjective-mapped

Quick Answer

The answer is that the internal websites are not in the proxy bypass list. In explicit proxy mode, the Cisco WSA requires client browsers to be configured to send all HTTP/HTTPS traffic to the proxy, but internal intranet resources must be excluded from this proxy path. When the WSA attempts to proxy requests for internal websites, it often cannot route to private IP addresses or resolve internal DNS names, causing the connection to fail—while external internet traffic succeeds because the proxy can reach public destinations. On the Cisco SCOR / CCNP Security Core 350-701 exam, this scenario tests your understanding of explicit proxy traffic flow and the critical role of bypass lists or PAC files; a common trap is assuming the WSA can handle all traffic equally. Remember the memory tip: "External works, internal breaks—check the bypass list for intranet takes."

350-701 Content Security Practice Question

This 350-701 practice question tests your understanding of content security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company's Cisco WSA is configured with explicit proxy mode. Users report that they can browse the internet but cannot access internal websites hosted on the company's intranet. What is the most likely cause?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Question 1easymultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The internal websites are not in the proxy bypass list.

In explicit proxy mode, the WSA requires clients to be configured to send traffic to it. If internal websites are not added to the proxy bypass list (or the WSA's PAC file does not direct internal traffic directly), the WSA will attempt to proxy requests for internal sites, which may fail because the WSA cannot route to internal IPs or the internal DNS resolution fails. This is the most likely cause because users can browse the internet (proxied traffic works) but cannot reach internal sites (which should bypass the proxy).

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The WSA is in transparent proxy mode.

    Why it's wrong here

    Explicit mode is configured.

  • Users are not authenticated to the WSA.

    Why it's wrong here

    Authentication not required for access.

  • The internal websites are not in the proxy bypass list.

    Why this is correct

    Proxy bypass list needed for internal traffic.

    Clue confirmation

    The clue word "most likely" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • SSL decryption is blocking the internal sites.

    Why it's wrong here

    SSL decryption is for HTTPS inspection.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the distinction between explicit and transparent proxy modes, and the trap here is that candidates assume authentication or SSL decryption is the cause, when the real issue is the proxy bypass list not covering internal destinations.

Detailed technical explanation

How to think about this question

Explicit proxy mode relies on the client's browser or OS proxy settings to forward traffic to the WSA. Internal websites typically use private IP addresses (e.g., 10.x.x.x, 192.168.x.x) that the WSA cannot route to unless the WSA has a route to the internal network or the traffic is bypassed. The proxy bypass list (or PAC file) should include internal domains/subnets to ensure the client sends requests directly, not through the WSA. Misconfiguration here is a common root cause in enterprise deployments.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A practitioner preparing for the 350-701 exam encounters this exact type of scenario on the job. The correct answer here is not the most general option — it is the best answer for the specific constraint described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Real exam questions reward reading the full scenario before eliminating options, because the constraint defines which answer fits.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 350-701 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 350-701 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 350-701 question test?

Content Security — This question tests Content Security — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: The internal websites are not in the proxy bypass list. — In explicit proxy mode, the WSA requires clients to be configured to send traffic to it. If internal websites are not added to the proxy bypass list (or the WSA's PAC file does not direct internal traffic directly), the WSA will attempt to proxy requests for internal sites, which may fail because the WSA cannot route to internal IPs or the internal DNS resolution fails. This is the most likely cause because users can browse the internet (proxied traffic works) but cannot reach internal sites (which should bypass the proxy).

What should I do if I get this 350-701 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 25, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 350-701 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-701 exam.