Scenario-based practice

Hard Difficulty Questions

Practise Cisco SCOR / CCNP Security Core 350-701 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions · Exam code: 350-701 · Vendor: Cisco

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition. They are built to check:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice scenarios

Question 1 (hard, multiple choice)

A financial company has a data center with Cisco FTD firewalls in a high-availability pair. They use Cisco ISE for network access control and Cisco Stealthwatch for network visibility. Recently, they deployed a new web application that is accessed by both internal employees and external customers. The application uses HTTPS on port 443. After deployment, the security team notices that the FTD is dropping some HTTPS sessions that appear legitimate. The drops are inconsistent and seem to occur only during peak hours. The FTD logs show the drop reason as 'TCP state violation'. The team has verified that the web server and clients are configured correctly. The Stealthwatch reports show no anomalies. What is the most likely cause and solution?

Question 2 (hard, multi-select)

Which THREE are characteristics of Cisco Stealthwatch?

Question 3 (hard, multiple choice)

A network administrator is configuring Cisco ASA with FirePOWER services. The administrator wants to inspect SSL traffic but is concerned about certificate pinning in modern applications. Which action should the administrator take to ensure that SSL inspection does not break applications that use certificate pinning?

Question 4 (hard, multiple choice)

A network administrator is configuring IKEv2 on a Cisco router and wants to ensure that the router does not initiate connections but only responds to incoming IKEv2 requests. Which configuration command should be applied?

Question 5 (hard, multiple choice)

A multinational corporation is migrating its on-premises data center to a public cloud provider. The security policy requires that all traffic between cloud VPCs and the on-premises network must be inspected by a next-generation firewall (NGFW) deployed in the cloud. The on-premises network uses BGP for dynamic routing. Which design meets the requirement while minimizing latency and administrative overhead?

Question 6 (hard, multiple choice)

A security team suspects that malware is exfiltrating data by encoding it in DNS queries. Which Cisco security solution is specifically designed to analyze DNS traffic for malicious activity?

Question 7 (hard, multiple choice)

A security engineer is configuring Cisco Web Security Appliance (WSA) to block access to social media sites during business hours. The company wants to allow access to LinkedIn for the HR department. Which policy configuration approach should the engineer use?

Question 8 (hard, multiple choice)

You are a security engineer for a multinational corporation with 5,000 employees. The company uses Cisco Umbrella for DNS-layer security, Cisco Web Security Appliance (WSA) for proxy services in the data center, and Cisco Email Security Appliance (ESA) for email security. Recently, the security team has received multiple reports of users receiving phishing emails that bypass the ESA. The emails contain links to malicious websites that are also not blocked by Umbrella or WSA. Upon investigation, you find that the phishing emails use newly registered domains (less than 24 hours old) and the malicious websites are hosted on cloud infrastructure with frequently changing IP addresses. The company's current security policies rely on signature-based detection and static blocklists. Which action should you take to most effectively mitigate these threats?

Question 9 (hard, multi-select)

Which TWO configuration steps are required to enable Cisco AMP for Endpoints to use the Threat Grid appliance for file analysis?

Question 10 (hard, multiple choice)

In a Cisco TrustSec deployment, security group tags (SGTs) are used to represent user and device roles. These tags must be propagated across the network. Which protocol is used to carry SGT information in Ethernet frames?

Question 11 (hard, multi-select)

Which THREE of the following are features of Cisco Identity Services Engine (ISE) that can be used to enforce network access control?

Question 12 (hard, multiple choice)

Refer to the exhibit. An engineer has configured the ACL on the GigabitEthernet0/0 interface. Which of the following is true about the effect of this ACL?

Exhibit

interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group INBOUND in
!
ip access-list extended INBOUND
 deny ip 10.0.0.0 0.255.255.255 any
 permit ip any any
!
interface Serial0/0/0
 ip address 172.16.1.1 255.255.255.252
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.1.0 0.0.0.3

Question 13 (hard, multiple choice)

A company uses FMC to manage FTD devices. After deploying a new intrusion policy, the analyst sees that no events are generated for a known vulnerability, even though the policy includes a rule for it. The analyst checks and the rule is enabled and the policy is applied. What is the most likely cause?

Question 14 (hard, multiple choice)

An engineer is troubleshooting traffic drops on a Cisco Firepower Threat Defense (FTD) device. The traffic is allowed by the access control policy but is being dropped. Which feature should the engineer check to identify the cause of the drop?

Question 15 (hard, multiple choice)

During a security audit, a penetration tester discovers that a Cisco ASA firewall is configured with a rule that permits traffic from the inside interface with a source IP address in the RFC 1918 range to the outside interface. The rule uses the 'inspect' command for HTTP and FTP. Which potential vulnerability does this configuration introduce?

Question 16 (hard, multi-select)

Which TWO of the following are true about MACsec?

Question 17 (hard, multiple choice)

Refer to the exhibit. An administrator notices that DNS responses larger than 512 bytes are being dropped. Which configuration change should be made to allow larger DNS responses?

Exhibit

show running-config | section policy-map
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rpc
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect sip
  inspect pptp
  inspect icmp
  inspect icmp error
  inspect ip-options
 class class-default
  set connection advanced-options UMBC_Inside

Question 18 (hard, multiple choice)

Refer to the exhibit. A network engineer applies a zone-based firewall policy to a router. Users in the INSIDE zone report they can access HTTP servers on the OUTSIDE zone but cannot resolve DNS names or access MS-SQL servers. What does the policy do to DNS and MS-SQL traffic?

Exhibit

policy-map type inspect INSPECT-POLICY
 class type inspect BAD_TRAFFIC
  drop
 class type inspect GOOD_TRAFFIC
  inspect
!
class-map type inspect match-any BAD_TRAFFIC
 match protocol dns
 match protocol ms-sql
!
class-map type inspect match-any GOOD_TRAFFIC
 match access-group 100
!
zone security INSIDE
zone security OUTSIDE
zone-pair security ZP-IN-2-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSPECT-POLICY

Question 19 (hard, multiple choice)

A security engineer is troubleshooting an issue where a known malicious file (SHA-256: 3a7c...f9e) is not being detected by Cisco Secure Endpoint on a Windows 10 endpoint. The file was downloaded from the internet. The policy has the 'File Reputation' setting set to 'Use cloud lookup', and the 'Exploit Prevention' module is enabled. The endpoint is connected to the internet and can reach the AMP cloud. What is the most likely reason for the missed detection?

Question 20 (hard, multiple choice)

During a cloud migration, an administrator notices that a workload in Azure is generating outbound traffic that is being blocked by the cloud security group. The workload requires connectivity to a specific SaaS application (Office 365) using TLS. The security group denies all outbound traffic except to specific IP ranges. Which action should the administrator take?

These 350-701 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 350-701 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.