Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

Explanation for Each Option:

A. permit (Incorrect):
The "permit" action in Cisco Firepower allows traffic to pass but subjects it to inspection based on security policies (e.g., intrusion prevention, malware scanning). Since the requirement is to allow a new application without inspection, this option does not meet the need, as it involves full policy enforcement. (Reference: Cisco Firepower Access Control Policy Guide.)

B. trust (Correct):
The "trust" action in Cisco Firepower allows traffic to pass through the device without any inspection, bypassing security checks like intrusion prevention or file analysis. This is suitable for a new application that has never been seen, ensuring traffic flows without interference, aligning with the requirement. (Reference:Cisco Firepower Trust Rule Configuration.)

C. reset (Incorrect):
The "reset" action terminates the connection by sending a TCP reset to both the client and server, blocking the traffic. This is the opposite of allowing the new application to pass, making it unsuitable for the administrator’s goal of enabling traffic flow. (Reference: Cisco Firepower Rule Actions Documentation.)

D. allow (Incorrect):
The "allow" action permits traffic but applies default inspection based on the access control policy, including potential deep packet inspection or threat detection. This does not satisfy the requirement to pass traffic without inspection, as it involves some level of security processing, rendering this option incorrect. (Reference: Cisco Firepower Access Control Basics.)

E. monitor (Correct):
The "monitor" action allows traffic to pass through Cisco Firepower while enabling logging and monitoring without enforcing blocking or inspection rules. Combined with "trust," it ensures the new application’s traffic flows without inspection while still providing visibility, meeting the dual requirement effectively. (Reference: Cisco Firepower Monitor Rule Configuration.)

Additional Notes:
Configuring Firepower rules is a key topic in the 350-701 SCOR exam under network security. As of 12:00 PM PKT, October 02, 2025, trust and monitor actions support new application handling. For details, refer to the Cisco Firepower Configuration Guide (cisco.com) and the 350-701 Exam Blueprint (Section 1.0 Security Concepts).

Explanation:
The configuration shows several 802.1X-related commands, but it is missing the fundamental command that enables the 802.1X protocol on the port.

Let's break down the configuration and the role of the missing command:

D) dot1x pae authenticator is CORRECT.
The command dot1x pae authenticator is what tells the switch port to act as the Port Access Entity (PAE) for 802.1X. The PAE is the component responsible for enforcing authentication on the port. Without this command, the switch will not initiate the 802.1X process with the connecting device, even though other parameters like authentication port-control auto are set. This is a very common oversight.

Why the other options are incorrect:

A) authentication open is INCORRECT.
The authentication open command is used in WebAuth (centralized web authentication) scenarios, not for standard 802.1X machine authentication. It is not required for this configuration.

B) dot1x reauthentication is INCORRECT.
The dot1x reauthentication command enables periodic reauthentication of the client. While it's a good practice, it is not required for the initial authentication to occur. Its absence would not prevent the first authentication attempt.

C) cisp enable is INCORRECT.
The cisp enable command is used to enable the Cisco Inter-Switch Link Protocol (CISL) for VTP, which is completely unrelated to 802.1X authentication. This is a distractor.

Reference:

Cisco IOS Security Command Reference, "dot1x pae": The official documentation states this command is used to "enable 802.1X authentication on the port" and specifies the role of the port (authenticator, supplicant, or both).

Cisco 802.1X Configuration Guides: The configuration examples for enabling 802.1X consistently show the dot1x pae authenticator command as a necessary step to activate the protocol on an interface.

Explanation
This question tests your understanding of the evolution and different roles of endpoint security solutions.

Endpoint Protection Platform (EPP) is a preventative solution. It's the modern evolution of traditional antivirus. Its primary goal is to block known threats at the point of entry. It does this using signatures, heuristics, and machine learning to stop malware from executing. It focuses on the question: "Can I prevent this bad thing from happening?"

Endpoint Detection and Response (EDR) is a detective and responsive solution. It operates on the assumption that some advanced threats will inevitably bypass preventative controls (like an EPP). EDR continuously monitors endpoint activity (processes, network connections, file changes, etc.), records this data, and uses advanced analytics, behavioral analysis, and threat intelligence to identify suspicious activities that indicate a breach. It focuses on the questions: "Has something bad already gotten in? What did it do? How do I find and remove it?"

Therefore, you choose an EDR solution specifically when you need to go beyond basic prevention and require advanced capabilities to detect, investigate, and respond to sophisticated, evasive, or ongoing attacks that have bypassed your first line of defense.

Detailed Breakdown of Incorrect Options

B. When there is a need for traditional anti-malware detection

Why it is incorrect:
This is the exact opposite of the correct logic. If your primary need is traditional anti-malware detection (blocking viruses, worms, and known ransomware), then an Endpoint Protection Platform (EPP) is the appropriate choice. EPPs are built for this purpose. Choosing an EDR solely for this would be overkill and would underutilize its core strengths. In fact, most modern EDR solutions are now bundled with or built upon a strong EPP foundation.

C. When there is no need to have the solution centrally managed

Why it is incorrect:
Both EPP and EDR solutions are almost exclusively centrally managed. A central management console is a critical feature for both, allowing security teams to set policies, deploy updates, and view the security status of all endpoints. EDR, in particular, is highly dependent on central management because its value comes from correlating data from all endpoints to detect lateral movement and coordinated attacks. A non-centrally managed EDR would be virtually useless.

D. When there is no firewall on the network

Why it is incorrect:
While having a firewall is a fundamental network security control, its absence is not the deciding factor between EPP and EDR. Both EPP and EDR provide host-based security on the endpoint itself, which is a different layer of defense (host-based vs. network-based). If there is no network firewall, you have a significant security gap that neither EPP nor EDR is designed to fill. You would need both a network firewall and an appropriate endpoint solution. The choice between EPP and EDR is based on the type of threats you need to address on the endpoint, not the presence or absence of a network control.

Reference and Modern Context:

Gartner Definitions:
Gartner, a leading IT research firm, clearly distinguishes these categories. They define EPP as a solution "to prevent file-based malware, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents." They define EDR as a solution "that records endpoint-system-level behaviors... and provides the ability to search, discover, and investigate those behaviors for signs of malicious activity."

The Market Trend:
XDR: The market is now converging towards Extended Detection and Response (XDR), which integrates EPP, EDR, and other security controls (like email, network, and cloud) into a single, unified platform for even more advanced threat detection and response.

Key Takeaway:
For the exam, remember this simple analogy:
EPP is like a lock on your door – it keeps most common intruders out.
EDR is like a security camera and alarm system – it tells you when someone has picked the lock, broken a window, and is now moving through your house. You choose the cameras and alarms when you need that advanced level of detection and investigation.

dot1x system-auth-control

NMAP

http://www.network-node.com/blog/2016/1/2/ise-20-profiling

A picture containing table
Description automatically generated

Explanation:
Device compliance (or posture assessment) is the process of checking an endpoint's "health" against a set of security policies before granting it network access. The result of this check becomes a powerful attribute that can be used for dynamic policy enforcement.

D) Providing attribute-driven policies is CORRECT.
This is the primary benefit. Once a device's compliance state is determined (e.g., "Compliant," "Non-Compliant," "Out-of-Date"), this information is used as an attribute in authorization policies. This allows you to create granular, attribute-driven policies such as:

IF Device Compliance = Compliant THEN grant access to the Corporate Network VLAN.

IF Device Compliance = Non-Compliant THEN grant access only to the Remediation VLAN.

This enables dynamic and automated network access control based on the real-time security state of the device.

Why the other options are incorrect:

A) Verification of the latest OS patches is INCORRECT.
This is an example of a check that is performed during the compliance process, not the ultimate benefit. Verifying patches is a means to an end; the benefit is using that verification result to enforce a policy.

B) Device classification and authorization is INCORRECT.
Device classification (profiling) is a separate function that identifies what type of device it is (e.g., Windows laptop, iPhone). Authorization is the act of granting access. Compliance is a specific check that provides an input for authorization, but it is not the same as classification.

C) Providing multi-factor authentication is INCORRECT.
Multi-factor authentication (MFA) is a separate security control used to verify a user's identity. It is not related to checking the compliance state of a device.

Reference:
Cisco ISE Administrator Guide, "Posture Service": The documentation explains that the goal of posture assessment is to "assess the state of an endpoint" and then "make an authorization decision based on the endpoint's compliance," which is the definition of an attribute-driven policy.

Explanation
The command crypto isakmp key cisc0380739941 address 0.0.0.0 configures a pre-shared key (PSK) for the Phase 1 (ISAKMP) tunnel establishment in a DMVPN network.

C. Enter the same command on hostB:
This is correct. For two IPSec peers to successfully authenticate each other using a pre-shared key, they must both be configured with the identical key. The address 0.0.0.0 part of the command means this key is used for any peer, regardless of its IP address. Therefore, for hostA and hostB to form a tunnel, hostB must have the exact same command (crypto isakmp key cisc0380739941 address 0.0.0.0) in its configuration. The tunnel is failing because hostB is likely configured with a different key or no key at all.

Why the other options are incorrect:

A. Change isakmp to ikev2 in the command on hostA:
This is incorrect. The command syntax crypto isakmp key is the correct way to configure a pre-shared key for IKEv1. While IKEv2 is more modern and has advantages, the problem described is not the version of IKE but the fundamental lack of a matching key on the peer. Changing to IKEv2 on one side without also configuring a matching key on the other side would still result in a failure.

B. Enter the command with a different password on hostB:
This is the opposite of what is required. Using a different password on hostB would guarantee that the authentication fails, as the two peers would be presenting different shared secrets.

D. Change the password on hostA to the default password:
This is incorrect. There is no "default password" for ISAKMP pre-shared keys. They are explicitly configured by the administrator for security. Using a default, even if one existed, would be a major security risk.

Reference:
This is a fundamental principle of IPSec VPN configuration, covered in both the SCOR 350-701 exam blueprint and the ENCOR 350-401 exam.

Cisco IOS Command Reference for crypto isakmp key: The documentation states that the key must match for the peers to establish a secure connection.

IPSec VPN Fundamentals: The Internet Key Exchange (IKE) protocol, which uses ISAKMP, requires that both parties can prove they know the same pre-shared secret to authenticate the tunnel setup.

In summary, the core rule for pre-shared keys in IPSec is symmetry: both peers must be configured with the exact same key. The solution is to apply the identical crypto isakmp key command to the other peer (hostB).

applications

data

Customers must manage applications and data in PaaS.

phishing

Phishing is a form of social engineering. Phishing attacks use
email or malicious web sites to solicit personal,often financial, information. Attackers may send email seemingly from a reputable credit card company orfinancial institution that requests account information, often suggesting that there is a problem.