350-701 · topic practice

Network Security practice questions

Use this page to practise Network Security questions for this certification. Focus on how the exam tests network security in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Network Security

What the exam tests

What to know about Network Security

Network Security questions on this certification test your ability to deploy and manage network security concepts in scenario-based situations.

Core Network Security concepts and how they apply in real-world cloud scenarios.

How to deploy network security correctly and verify the outcome.

Troubleshooting network security issues by interpreting error output and system state.

Cloud best practices and Network Security design trade-offs tested by this certification.

Watch out for

Common Network Security exam traps

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

Practice set

Network Security questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A network engineer is troubleshooting an issue where users on VLAN 10 cannot access the internet, but they can reach internal resources. The firewall is configured with a default route pointing to the ISP router. The engineer notices that NAT is configured but traffic is not being translated. Which configuration is most likely missing?

Question 2

A security engineer is implementing Cisco Identity Services Engine (ISE) for 802.1X authentication. The requirement is to allow full network access for corporate devices that pass posture assessment, while providing limited access for guest devices. The engineer configures an authorization policy with conditions based on identity group and posture status. However, guest devices are still getting full access. What is the most likely cause?

Question 3 · easy · multiple choice

A company wants to deploy a site-to-site VPN between two branch offices using Cisco IOS routers. The security policy requires that all traffic between the sites must be encrypted and authenticated using strong encryption. The engineer chooses IPsec with IKEv2. Which IPsec transform set configuration provides the strongest encryption and authentication?

Question 4 · medium · multiple choice

An engineer is configuring Cisco Firepower Threat Defense (FTD) with a pre-filter policy to block traffic from known malicious IP addresses before it reaches the access control policy. The pre-filter rules are configured to block traffic from the malicious IPs. However, the engineer notices that some traffic from those IPs is still being allowed. What is the most likely reason?

Question 5

A network administrator is configuring Cisco ASA with FirePOWER services. The administrator wants to inspect SSL traffic but is concerned about certificate pinning in modern applications. Which action should the administrator take to ensure that SSL inspection does not break applications that use certificate pinning?

Question 6 · medium · multiple choice

An engineer applies the ACL shown in the exhibit to the inbound direction of interface GigabitEthernet0/0. The goal is to block all traffic from host 10.1.1.100 to the 192.168.0.0/16 network. However, traffic from 10.1.1.100 to 192.168.1.1 is still being permitted. What is the most likely reason?

Exhibit

Refer to the exhibit.

ip access-list extended BLOCK_TRAFFIC
 deny ip host 10.1.1.100 192.168.0.0 0.0.255.255
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK_TRAFFIC in

Question 7

Which TWO are valid methods for implementing Network Admission Control (NAC) in a Cisco environment?

Question 8

Which THREE are characteristics of Cisco Stealthwatch?

Question 9 · hard · multiple choice

A multinational company has deployed a Cisco Firepower 4100 series device as the perimeter firewall. The network consists of multiple internal segments: a corporate LAN (192.168.1.0/24), a data center (10.10.0.0/16), and a guest wireless network (172.16.0.0/16). The firewall is configured with the following access control policy rules:

  1. Allow from any to any (for testing, but currently enabled)
  2. Allow from corporate LAN to data center (destination ports TCP/443, TCP/8443)
  3. Block from guest wireless to data center
  4. Allow from any to internet (destination any)

Recently, the security team discovered that a host in the guest network (172.16.5.50) is communicating with a server in the data center (10.10.10.100) on TCP port 443. The security team wants to immediately block this traffic without affecting other legitimate communications. Which action should be taken first?

Question 10

A security engineer is configuring Cisco TrustSec on a network. Which TWO actions are required to enable TrustSec on a Cisco switch?

Question 11

Refer to the exhibit. An engineer configured 802.1X on two switch ports. On Gi1/0/1, a VoIP phone and a PC are connected via a hub. On Gi1/0/2, only a single PC is connected. Which port will successfully authenticate both devices, and what is the issue with the other port?

Exhibit

interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast

interface GigabitEthernet1/0/2
 switchport access vlan 20
 switchport mode access
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 30
 spanning-tree portfast

Question 12

A large enterprise uses Cisco Firepower Threat Defense (FTD) as its next-generation firewall. The network team recently deployed a new application that uses HTTPS for all communications. Users report that the application is slow and sometimes fails to load pages. The security team suspects that SSL inspection might be causing the issue. The FTD is configured with an SSL policy that decrypts all HTTPS traffic using a self-signed certificate. The internal CA is not trusted by the application servers. Which action should the engineer take to resolve the performance and connectivity issues while maintaining security visibility?

Question 13 · medium · drag order (five steps)

Drag and drop the steps to configure a Cisco IOS router as a Zone-Based Firewall (ZBF) in the correct order.

Question 14 · medium · drag order (five steps)

Drag and drop the steps to configure a Cisco router as a DHCP server in the correct order.

Question 15

Match each Cisco ASA feature to its description.

Descriptions:

  • Modular Policy Framework for traffic inspection
  • High availability with active/standby or active/active
  • Graphical management interface
  • Command-line interface for configuration
  • VPN client for remote access

Question 16

Match each encryption algorithm to its type.

Descriptions:

  • Symmetric block cipher
  • Asymmetric public-key algorithm
  • Hash function
  • Symmetric block cipher (legacy)
  • Key exchange algorithm

Question 17 · easy · multiple choice

A network engineer is troubleshooting an IPsec VPN tunnel that fails to establish. The configuration includes a crypto map with a matching access list. Which command should be used to verify the security associations and error counters for the IPsec phase?

Question 18 · medium · multiple choice

A company is deploying a new ASA firewall in a DMZ design. They need to allow web traffic from the internet to a web server in the DMZ, while also permitting outbound traffic from the DMZ to the internet for software updates. Which access control approach best meets these requirements with minimal risk?

Question 19 · hard · multiple choice

An engineer is designing a FlexVPN deployment with multiple hub routers and spoke routers. The spokes need to establish tunnels to the closest hub based on latency. Which feature should be configured to achieve dynamic hub selection?

Question 20 · medium · multiple choice

A security administrator is reviewing firewall logs and notices that an internal user is generating excessive outbound DNS queries to a known malicious domain. The company uses Cisco Umbrella for DNS-layer security. How should the administrator investigate and block this traffic?


Frequently asked questions

What does the 350-701 exam test about Network Security?
Network Security questions on this certification test your ability to deploy and manage network security concepts in scenario-based situations.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Network Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Network Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 350-701 topics?
Use the topic links above to move to related areas, or go back to the 350-701 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-701 exam covers. They are not copied from any real exam or dump site.