350-701 · topic practice

Network Security practice questions

Practise Cisco SCOR / CCNP Security Core 350-701 Network Security practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Network Security

What the exam tests

What to know about Network Security

Network Security questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Network Security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Network Security questions

20 questions · select your answer, then reveal the explanation

An engineer is configuring a Cisco ASA and needs to ensure that traffic from the outside interface to a web server on the DMZ is allowed. The inside interface is security level 100 and the DMZ is level 50. The outside interface is level 0. Which statement about the default traffic flow is true?

Question 2 · medium · multiple choice

A network administrator is configuring NAT on a Cisco ASA to allow internal users to access the internet using a single public IP address. The internal network uses RFC 1918 addresses. Which type of NAT should be configured?

Question 3 · hard · multiple choice

An engineer is configuring a Modular Policy Framework (MPF) on a Cisco ASA to inspect HTTP traffic and apply QoS. The engineer creates a class-map to match HTTP traffic using the 'match port tcp 80' command. However, the policy is not being applied correctly. What is the most likely reason?

Question 4 · medium · multiple choice

A company uses Cisco Firepower Threat Defense (FTD) managed by FMC. They need to create an access control policy that allows traffic from specific source IPs to a web server, but blocks all other traffic. How should the rule base be ordered?

A security administrator is investigating an alert from an IPS that detected a SQL injection attempt. The alert was triggered by a signature that looks for specific patterns in the traffic. What type of detection method is this?

Question 6 · medium · multiple choice

A Cisco Firepower administrator configures an access control policy with a rule that trusts traffic from a specific source network. What is the effect of the trust action on the traffic?

An engineer is deploying a Cisco FTD in inline mode and wants to inspect SSL/TLS traffic using the 'decrypt-resign' action. What must be configured on the client devices to avoid certificate errors?

Question 8 · medium · multiple choice

A company is deploying Cisco AnyConnect SSL VPN and wants to enforce different access policies based on the endpoint's antivirus status. Which feature should be used?

Question 9 · easy · multiple choice

A Cisco ASA is configured with a site-to-site VPN using IKEv2. Which component defines the encryption and authentication algorithms for the IPsec tunnel?

Question 10 · medium · multiple choice

A security analyst is tuning Snort rules to reduce false positives. The analyst identifies a rule that triggers on a common benign application. Which action should be taken to suppress alerts for that specific traffic without disabling the rule entirely?

An engineer configures a Cisco FTD in a high-availability pair with active/standby failover. The primary unit fails, and the standby takes over. After the primary recovers, what must be done to ensure it resumes as active?

Question 12 · medium · multiple choice

A company uses Cisco Firepower with FMC and wants to block access to social media websites for all users. Which feature should be used to create this policy?

A Cisco FTD is deployed in inline mode and configured with an access control policy. The policy includes rules with actions: Trust, Allow, Block, and Interactive Block. Which two statements about these actions are correct? (Choose two.)

An engineer is configuring a Cisco ASA to support a DMZ segment. Which three of the following are best practices for DMZ design? (Choose three.)

Question 15 · easy · multi select

A network engineer is configuring site-to-site IPsec VPN on a Cisco ASA using IKEv2. Which two components are required for IKEv2 configuration? (Choose two.)

An administrator configures a Cisco ASA with an interface named 'inside' at security level 100 and 'outside' at security level 0. Which statement about traffic flow is true?

Question 17 · medium · multiple choice

A network engineer is configuring NAT on a Cisco ASA for internal servers to be accessible from the internet. One server (10.1.1.10) must always be reachable via a fixed public IP (203.0.113.10). Which NAT type should be used?

Question 18 · medium · multiple choice

An engineer is configuring an access control policy on Cisco FMC for FTD. The policy must allow HTTP traffic from the inside zone to the outside zone, but block all other traffic. Which rule configuration is correct?

Which Snort rule action causes the FTD to drop a packet and generate an alert?

A Cisco FTD device is deployed in inline mode and configured with an SSL policy to decrypt traffic. The policy uses 'Decrypt - Known Key' for traffic to an internal server. What is required for this decryption to work?

Frequently asked questions

What does the 350-701 exam test about Network Security?
Network Security questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Network Security questions in a focused session?
Yes — the session launcher on this page draws every question from the Network Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other 350-701 topics?
Use the topic links above to move to related areas, or go back to the 350-701 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 350-701 exam covers. They are not copied from any real exam or dump site.