Question 884 of 988
Content SecuritymediumMultiple ChoiceObjective-mapped

350-701 Content Security Practice Question

This 350-701 practice question tests your understanding of content security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company uses Cisco Umbrella SIG to secure internet access for remote users. The security team wants to block access to social media websites but allow access to business-related websites that may share the same IP addresses. Which Umbrella feature should be used to enforce this granular control?

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Cloud proxy with URL filtering

Option C is correct because Cisco Umbrella's cloud proxy with URL filtering operates at the application layer (HTTP/HTTPS), inspecting full URLs rather than just domain names. This allows the security team to block social media websites while permitting business-related websites that may resolve to the same IP addresses, as the proxy can differentiate based on the URL path and content category.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • DNS security layer

    Why it's wrong here

    DNS security blocks based on domain names but cannot differentiate between subdomains or paths on the same IP.

  • ThousandEyes agents

    Why it's wrong here

    ThousandEyes is for performance visibility, not policy enforcement.

  • Cloud proxy with URL filtering

    Why this is correct

    The cloud proxy inspects HTTP/HTTPS requests and can apply URL category policies to block social media while allowing business sites.

    Related concept

    Read the scenario before looking for a memorised answer.

  • AMP file scanning

    Why it's wrong here

    AMP is for malware detection, not URL categorization.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the distinction between DNS-layer security (domain-based) and proxy-based URL filtering (full URL inspection), leading candidates to mistakenly choose the DNS security layer when granular control over websites sharing IP addresses is required.

Detailed technical explanation

How to think about this question

The cloud proxy with URL filtering leverages a forward proxy architecture that intercepts HTTP/HTTPS requests and inspects the full URL, including the path and query parameters, against a cloud-based URL categorization database. This enables granular policy enforcement even when multiple domains share the same IP address via virtual hosting or content delivery networks (CDNs). In a real-world scenario, a business might use a SaaS platform like Salesforce hosted on the same CDN as a blocked social media site; URL filtering allows access to the business app while blocking the social media domain.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

Visual reference

Client Recursive Resolver Root DNS (13 root servers) TLD DNS (.com, .org, …) Authoritative example.com query IP addr answer

Quick reference

OSI Model Reference

LayerNamePDUKey Protocols / Devices
7ApplicationDataHTTP, HTTPS, DNS, SMTP, FTP, SSH
6PresentationDataTLS / SSL, JPEG, ASCII encoding
5SessionDataNetBIOS, RPC, SIP
4TransportSegment / DatagramTCP, UDP
3NetworkPacketIP, ICMP, OSPF — Routers
2Data LinkFrameEthernet, Wi-Fi, PPP — Switches, Bridges
1PhysicalBitsCables, NICs, Hubs, Repeaters

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related 350-701 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 350-701 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 350-701 question test?

Content Security — This question tests Content Security — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Cloud proxy with URL filtering — Option C is correct because Cisco Umbrella's cloud proxy with URL filtering operates at the application layer (HTTP/HTTPS), inspecting full URLs rather than just domain names. This allows the security team to block social media websites while permitting business-related websites that may resolve to the same IP addresses, as the proxy can differentiate based on the URL path and content category.

What should I do if I get this 350-701 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jul 4, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 350-701 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-701 exam.