Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Cisco SCOR / CCNP Security Core 350-701 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions; exam code: 350-701; vendor: Cisco

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Practice set

Practice scenarios

Question 1 (medium, multiple choice)

Refer to the exhibit. An ASA is configured with the above access-list and NAT rule. A web server is reachable from the internet via the public IP 203.0.113.10. However, internal users from the inside network cannot access the web server using its public IP address. What is the most likely cause?

Exhibit

```
configure terminal
access-list OUTSIDE extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE extended permit udp any host 203.0.113.10 eq domain
nat (inside,outside) source dynamic any interface
```

Question 2 (hard, multiple choice)

Refer to the exhibit. An engineer has configured the ACL on the GigabitEthernet0/0 interface. Which of the following is true about the effect of this ACL?

Exhibit

```
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group INBOUND in
!
ip access-list extended INBOUND
 deny ip 10.0.0.0 0.255.255.255 any
 permit ip any any
!
interface Serial0/0/0
 ip address 172.16.1.1 255.255.255.252
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.1.0 0.0.0.3
```

Refer to the exhibit. A security analyst sees this syslog message on a Cisco ASA. What does it indicate?

Exhibit

```
%ASA-4-106023: Deny tcp src outside:203.0.113.50/443 dst DMZ:10.10.10.10/80 by access-group "OUTSIDE"
```

Question 4 (easy, multiple choice)

Refer to the exhibit. A user attempts to SSH to the router. The RADIUS server is unreachable. What will happen?

Exhibit

```
! RADIUS server configuration
radius server MY_RADIUS
 address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
 key cisco123
!
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
```
Question 5 (hard, multiple choice)

Refer to the exhibit. An administrator notices that DNS responses larger than 512 bytes are being dropped. Which configuration change should be made to allow larger DNS responses?

Exhibit

```
show running-config | section policy-map
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rpc
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect sip
  inspect pptp
  inspect icmp
  inspect icmp error
  inspect ip-options
 class class-default
  set connection advanced-options UMBC_Inside
```

Question 6 (medium, multiple choice)

Refer to the exhibit. An IPsec VPN tunnel between two routers is not passing traffic. IKE phase 1 is not complete (MM_NO_STATE). Phase 2 has no SA. Which issue is most likely causing the problem?

Exhibit

```
Router1#show crypto ipsec sa peer 10.1.1.2
interface: Tunnel0
    Crypto map tag: VPN-CM, local addr 10.1.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
     path mtu 1500, ipsec overhead 66, media mtu 1500
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x0(0)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 0, flow_id: 0, sibling_flags 80000040, crypto map: VPN-CM
        sa timing: remaining key lifetime (k/sec): (0/0)
        IV size: 16 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x0(0)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 0, flow_id: 0, sibling_flags 80000040, crypto map: VPN-CM
        sa timing: remaining key lifetime (k/sec): (0/0)
        IV size: 16 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:

Router1#show crypto isakmp sa
dst             src             state          conn-id slot
10.1.1.2        10.1.1.1        MM_NO_STATE    1       0
```

Question 7 (hard, multiple choice)

Refer to the exhibit. A network engineer applies a zone-based firewall policy to a router. Users in the INSIDE zone report they can access HTTP servers on the OUTSIDE zone but cannot resolve DNS names or access MS-SQL servers. What does the policy do to DNS and MS-SQL traffic?

Exhibit

```
policy-map type inspect INSPECT-POLICY
 class type inspect BAD_TRAFFIC
  drop
 class type inspect GOOD_TRAFFIC
  inspect
!
class-map type inspect match-any BAD_TRAFFIC
 match protocol dns
 match protocol ms-sql
!
class-map type inspect match-any GOOD_TRAFFIC
 match access-group 100
!
zone security INSIDE
zone security OUTSIDE
zone-pair security ZP-IN-2-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSPECT-POLICY
```

Question 8 (medium, multiple choice)

Refer to the exhibit. The file invoice.pdf was determined to be malicious by the AMP cloud, yet the endpoint allowed it to execute. What is the most likely reason?

Exhibit

AMP for Endpoints connector log:

```
2025-01-15 10:23:45 [INFO] File scan initiated: C:\Users\jdoe\Documents\invoice.pdf
2025-01-15 10:23:46 [INFO] Sending file to cloud for analysis (SHA-256: abc123...)
2025-01-15 10:23:50 [INFO] Cloud analysis result: disposition = Malicious, score = 95
2025-01-15 10:23:50 [INFO] Action taken: Allow (policy rule: "Allow on low confidence")
```

Question 9 (medium, multiple choice)

Refer to the exhibit. A file with SHA256 hash 'a1b2c3d4e5f6...' is detected on an endpoint. The threat grid returns a score of 90 for this file. What action is taken by AMP?

Exhibit

```
{
  "policy": {
    "name": "Default",
    "file_reputation": [
      {
        "threat_score": 100,
        "action": "block"
      },
      {
        "threat_score": 80,
        "action": "quarantine"
      },
      {
        "threat_score": 0,
        "action": "allow"
      }
    ],
    "custom_detections": [
      {
        "sha256": "a1b2c3d4e5f6...",
        "action": "block"
      }
    ]
  }
}
```
Question 10 (hard, multiple choice)

Refer to the exhibit. An engineer notices that a malicious file disguised as 'app.exe' in the FinanceApp folder (SHA-256 unknown to AMP) was blocked. However, another unknown executable in the same folder was also blocked, causing a false positive. What should the engineer change in the policy to allow only the legitimate 'app.exe' while still blocking unknown executables?

Exhibit

AMP for Endpoints policy JSON snippet:

```
{
  "policy": {
    "name": "Windows_Workstations",
    "exclusions": {
      "file": [
        {
          "path": "C:\\Program Files\\FinanceApp\\*.exe",
          "action": "allow"
        }
      ],
      "process": [
        {
          "path": "C:\\Program Files\\FinanceApp\\app.exe",
          "action": "allow"
        }
      ]
    },
    "tetra": {
      "file_reputation": {
        "action_unknown": "block"
      }
    }
  }
}
```

Question 11 (easy, multiple choice)

Refer to the exhibit. What happened to the file 'crack.exe'?

Exhibit

Syslog output from AMP for Endpoints:

```
<134>Jan 15 11:00:00 C:\Program Files\Cisco\AMP\connector.exe: [TETRA Alert] File: C:\Users\test\Downloads\crack.exe SHA-256: d4e5f6... Disposition: Malicious Action: Blocked by policy (Blocked by TETRA. Policy: Workstations)
```

Question 12 (easy, multiple choice)

Based on the exhibit, what does the 'Isolated: Yes' status indicate?

Exhibit

```
show amp status
Connector Status: Connected
Last Connection: 2024-01-15 10:32:45 UTC
Policy Version: 2.3.4
Private Cloud: Disabled
Network Component: Enabled
Isolated: Yes
```
Question 13 (hard, multiple choice)

Based on the exhibit, what is the root cause of the AMP connector's inability to connect to the cloud?

Exhibit

```
2024-01-15 11:00:00 ERROR: Failed to connect to AMP cloud: Connection timed out
2024-01-15 11:01:00 WARNING: Retrying connection in 60 seconds
2024-01-15 11:02:00 INFO: Proxy configured: proxy.company.com:3128
2024-01-15 11:03:00 ERROR: Proxy authentication failed: 407 Proxy Authentication Required
```
Question 14 (hard, multiple choice)

Refer to the exhibit. An engineer is analyzing an intrusion policy on Cisco Firepower Management Center (FMC). The network uses Windows servers and clients. A flood of HTTP traffic is being detected as a potential attack, but it is legitimate. Which preprocessor configuration change would most likely reduce false positives without losing detection of real attacks?

Exhibit

```
! Cisco FMC intrusion policy snippet
preprocessor global_sensitivity: sensitivity_level high
preprocessor frag3: frag3_engine policy=first, bind_to=0.0.0.0
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy=windows, use_static_footprint_sizes yes
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect: default_inspect_http_profiles
preprocessor smtp: ports 25 465 587
!
```

Question 15 (medium, multiple choice)

Refer to the exhibit. An engineer has configured IP Source Guard and DHCP Snooping. A host with MAC 00:11:22:33:44:55 on Gi0/0 is assigned IP 192.168.1.10 via DHCP. However, the host cannot ping its default gateway 192.168.1.1. What is the most likely cause?

Exhibit

```
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip verify source
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip verify source
!
ip dhcp snooping vlan 1-100
ip dhcp snooping information option
ip dhcp snooping
!
ip source binding 00:11:22:33:44:55 vlan 10 192.168.1.10 interface GigabitEthernet0/0
!
```

These 350-701 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 350-701 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.