- 721 Questions
- Updated on: 25-May-2026
- Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)
Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)
Topic 2: Exam Pool B
What is a benefit of using Cisco FMC over Cisco ASDM?
A. Cisco FMC uses Java while Cisco ASDM uses HTML5.
B. Cisco FMC provides centralized management while Cisco ASDM does not.
C. Cisco FMC supports pushing configurations to devices while Cisco ASDM does not.
D. Cisco FMC supports all firewall products whereas Cisco ASDM only supports Cisco ASA devices.
Explanation
This question tests the fundamental architectural difference between the two management tools.
Cisco FMC (Firepower Management Center):
This is a centralized management system. A single FMC appliance or virtual server can manage dozens or even hundreds of Cisco Firepower Threat Defense (FTD) devices (such as Firepower 2100 series, FTD on ASA 5500-X, etc.). You configure policies once and deploy them to many devices from a single pane of glass.
Cisco ASDM (Adaptive Security Device Manager):
This is a device-level management tool. It is used to manage a single Cisco ASA (Adaptive Security Appliance) firewall at a time. You connect ASDM directly to the IP address of one specific ASA to configure it.
Therefore, the primary and most significant benefit of FMC over ASDM is its ability to centrally manage a fleet of firewalls.
Why the other options are incorrect:
A. Cisco FMC uses Java while Cisco ASDM uses HTML5. This is factually incorrect.
The opposite is true. Historically, ASDM was a Java Web Start application, which caused many operational issues. Modern ASDM versions can use a standalone launcher or a web interface. Cisco FMC is a web-based (HTML5) application and does not require Java.
C. Cisco FMC supports pushing configurations to devices while Cisco ASDM does not.
This is incorrect. Both management tools push configurations to the devices they manage. ASDM pushes configurations to the single ASA it is connected to, while FMC pushes configurations to the multiple FTD devices under its control.
D. Cisco FMC supports all firewall products whereas Cisco ASDM only supports Cisco ASA devices. This is misleading and incorrect.
Cisco FMC does not manage traditional ASA firewalls running the legacy ASA software. FMC only manages firewalls running the Firepower Threat Defense (FTD) operating system. ASDM manages ASA firewalls running the legacy ASA software. They manage different product lines and operating systems.
Reference
This distinction is a core concept in the Cisco Security Certifications, particularly when comparing the older ASA platform to the newer Firepower/FTD platform.
Cisco FMC Data Sheet: Typically states it "simplifies security management with centralized, unified policies across the entire portfolio of Firepower NGFWs and NGIPSs."
Cisco ASDM Data Sheet: Describes it as "a powerful, per-device management tool."
The key differentiator is Centralized (FMC) vs. Per-Device (ASDM) Management.
What is a capability of Cisco ASA NetFlow?
A. It filters NSEL events based on traffic
B. It generates NSEL events even if the MPF is not configured
C. It logs all event types only to the same collector
D. It sends NetFlow data records from active and standby ASAs in an active standby failover pair
Explanation
Cisco ASA NetFlow is more specifically known as NetFlow Secure Event Logging (NSEL). Unlike traditional NetFlow which samples traffic, NSEL is event-based and logs stateful firewall connection events.
A key capability is the ability to be selective about which traffic generates these NSEL events. This is configured using a Modular Policy Framework (MPF) service policy.
How it works:
You create a class-map to define the traffic you are interested in (e.g., traffic from a specific subnet, going to a specific port). You then apply a service-policy that includes the flow-export event-type command for that specific class of traffic.
Result:
This allows you to filter NSEL events so that only the traffic matching your policy class is sent to the NetFlow collector. This reduces the volume of data and focuses reporting on the most important traffic, which is the capability described in option A.
Detailed Breakdown of Incorrect Options
B. It generates NSEL events even if the MPF is not configured
Why it is incorrect:
This is the opposite of the truth. The MPF (Modular Policy Framework) must be configured to enable and direct NSEL/NetFlow on an ASA. Without a service-policy that includes the flow-export command, the ASA will not generate or send any NSEL events to a collector. The configuration is not automatic.
C. It logs all event types only to the same collector
Why it is incorrect:
This is an absolute statement that is false. While a basic configuration might send all events to a single collector, the ASA is capable of more granular control. You can configure multiple flow-export destinations and use different MPF policies to send specific types of events (e.g., flow-create events) to one collector and other events (e.g., flow-teardown events) to another.
D. It sends NetFlow data records from active and standby ASAs in an active standby failover pair
Why it is incorrect:
In an active/standby failover pair, only the active unit processes traffic and generates NSEL events. The standby unit does not process traffic and therefore does not generate its own flow data. Sending duplicate records from both units would create inaccurate data on the collector. The failover link synchronizes configuration and state information, but it does not synchronize or forward NetFlow data from the standby unit.
Reference and Key Context
Cisco ASA Series NetFlow Configuration Guide:
This documentation explicitly details that NSEL is configured using the Modular Policy Framework and that you can use class-map to select the traffic for which you want to generate events.
NSEL Event Types:
NSEL is triggered by specific stateful firewall events like flow creation (flow-create), flow teardown (flow-teardown), and flow denial (flow-denied). The ability to filter which traffic generates these events is a fundamental capability.
Key Takeaway:
The power of ASA NetFlow (NSEL) is its integration with the ASA's powerful MPF, which allows an administrator to be very precise about which traffic flows are exported to the collector. This filtering capability is a direct and important feature.
What is the result of running the crypto isakmp key ciscXXXXXXXX address 172.16.0.0 command?
A. authenticates the IKEv2 peers in the 172.16.0.0/16 range by using the key ciscXXXXXXXX
B. authenticates the IP address of the 172.16.0.0/32 peer by using the key ciscXXXXXXXX
C. authenticates the IKEv1 peers in the 172.16.0.0/16 range by using the key ciscXXXXXXXX
D. secures all the certificates in the IKE exchange by using the key ciscXXXXXXXX
Explanation for Each Option:
A. authenticates the IKEv2 peers in the 172.16.0.0/16 range by using the key ciscXXXXXXXX (Incorrect):
The crypto isakmp key command is specific to IKEv1 (Internet Key Exchange version 1) on Cisco IOS devices, not IKEv2. While IKEv2 uses a similar pre-shared key mechanism, this command syntax is tied to IKEv1 configuration. Thus, it does not authenticate IKEv2 peers, making this option incorrect. (Reference: Cisco IOS Security Configuration Guide, IKEv1 vs. IKEv2.)
B. authenticates the IP address of the 172.16.0.0/32 peer by using the key ciscXXXXXXXX (Incorrect):
The command specifies address 172.16.0.0 without a mask, which defaults to a /32 (single IP) in some contexts, but when followed by a subnet (implied /16 from 172.16.0.0 range), it applies to the 172.16.0.0/16 network. It authenticates a range of peers, not just 172.16.0.0/32, making this option inaccurate. (Reference: Cisco IOS IPsec Configuration Guide, ISAKMP Key Syntax.)
C. authenticates the IKEv1 peers in the 172.16.0.0/16 range by using the key ciscXXXXXXXX (Correct):
The crypto isakmp key ciscXXXXXXXX address 172.16.0.0 command configures a pre-shared key (ciscXXXXXXXX) for IKEv1 Phase 1 authentication. The IP address 172.16.0.0 without a mask implies a /16 range (172.16.0.0 - 172.16.255.255), authenticating all peers in this subnet, aligning with standard IKEv1 behavior on Cisco routers. (Reference: Cisco IOS ISAKMP Configuration Guide, Pre-Shared Keys.)
D. secures all the certificates in the IKE exchange by using the key ciscXXXXXXXX (Incorrect):
This command configures a pre-shared key for IKEv1 authentication, not certificate-based security. Certificate-based authentication uses crypto ca commands and relies on digital certificates, not pre-shared keys. The key here authenticates peers, not certificates, making this option a misinterpretation of the command’s purpose. (Reference: Cisco IOS PKI Configuration Guide, Certificate Authentication.)
Additional Notes:
The crypto isakmp key command is a key topic in the 350-701 SCOR exam under VPN technologies, configuring IKEv1 pre-shared keys. As of 09:12 AM PKT, October 02, 2025, this remains a standard configuration for site-to-site VPNs. For details, refer to the Cisco IOS Security Configuration Guide (cisco.com) and the 350-701 Exam Blueprint (Section 3.0 Security Concepts).
Note:
The key "ciscXXXXXXXX" appears to be a placeholder with truncated characters; I treated it as a valid pre-shared key for explanation purposes.
What is provided by the Secure Hash Algorithm in a VPN?
A. integrity
B. key exchange
C. encryption
D. authentication
Explanation:
The Secure Hash Algorithm (SHA) is a cryptographic hash function. In the context of a VPN, its primary role is to provide data integrity.
Let's break down how it works and why the other options are incorrect:
A) Integrity is CORRECT.
In an IPsec VPN, SHA (e.g., SHA-256, SHA-384) is used within the Hash-based Message Authentication Code (HMAC) function. For every packet sent through the VPN tunnel, the sender calculates a hash (a unique digital fingerprint) of the packet's contents. This hash is sent along with the packet. The receiver recalculates the hash upon receipt. If the hashes match, it proves the packet was not altered in transit. If even a single bit was changed, the hashes would be completely different, indicating a loss of integrity.
Why the other options are incorrect:
B) Key exchange is INCORRECT.
Key exchange is the process of securely establishing a shared secret key between two peers. This is the function of protocols like Diffie-Hellman (DH) or RSA, not the Secure Hash Algorithm.
C) Encryption is INCORRECT.
Encryption is the process of scrambling data to make it unreadable to anyone without the key. This is the function of symmetric encryption algorithms like AES (Advanced Encryption Standard), 3DES, or ChaCha20. SHA does not perform encryption or decryption.
D) Authentication is INCORRECT.
This is a common point of confusion. While the HMAC function (which uses SHA) provides data origin authentication (proving the data came from the expected peer and wasn't modified), the primary function listed for the algorithm itself is integrity. Peer authentication (verifying the identity of the VPN peer) is typically handled by pre-shared keys (PSK) or digital certificates during the IKE negotiation phase.
Summary of IPsec VPN Cryptographic Roles:
Encryption: AES, 3DES
Integrity: SHA, MD5 (via HMAC)
Key Exchange: Diffie-Hellman (DH)
Peer Authentication: Pre-shared Keys (PSK) or Digital Certificates (RSA)
Reference:
IPsec Protocol Standard (RFC 4301): Defines the use of integrity algorithms (like those in the SHA family) for the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols to provide data integrity.
Crypto VPN Configuration Guides (IOS/ASA): When configuring an IPsec transform set, you select an encryption cipher (e.g., esp-aes) and an integrity (authentication) algorithm (e.g., esp-sha-hmac), clearly separating the two functions.
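The per-packet integrity check described in the explanation above, as an added example that is not part of the original question bank. It assumes the HMAC-SHA-256-128 construction from RFC 4868 (HMAC output truncated to 128 bits); the key, the packet bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac

ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868): 32-byte HMAC truncated to 128 bits


def icv(key: bytes, packet: bytes) -> bytes:
    """Integrity check value the sender appends to the packet."""
    return hmac.new(key, packet, hashlib.sha256).digest()[:ICV_LEN]


def verify(key: bytes, packet: bytes, received_icv: bytes) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(icv(key, packet), received_icv)


def unkeyed_verify(packet: bytes, digest: bytes) -> bool:
    """A bare SHA-256 check with no shared key, shown for contrast."""
    return hmac.compare_digest(hashlib.sha256(packet).digest(), digest)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Constructed sample values (not taken from any real tunnel).
KEY = bytes(range(32))
PACKET = b"seq=7;payload=constructed sample data carried in the tunnel"


def demo() -> dict:
    tag = icv(KEY, PACKET)
    altered = flip_bit(PACKET, 0)  # a single bit changed in transit
    return {
        # Unmodified packet passes the receiver's check.
        "original_accepted": verify(KEY, PACKET, tag),
        # One flipped bit makes the original ICV invalid.
        "altered_accepted": verify(KEY, altered, tag),
        # How many of the 128 ICV bits change for that one-bit edit.
        "icv_bits_changed": differing_bits(tag, icv(KEY, altered)),
        # A bare digest can be recomputed by whoever altered the packet,
        # so it only catches accidental corruption.
        "bare_digest_recomputed_accepted": unkeyed_verify(
            altered, hashlib.sha256(altered).digest()
        ),
        # Without the shared key, a recomputed ICV does not verify.
        "icv_without_key_accepted": verify(
            KEY, altered, icv(b"\x00" * 32, altered)
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results show why the hash is used inside HMAC rather than alone: the keyed form is what ties integrity to the peer holding the key.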
What is a key difference between Cisco Firepower and Cisco ASA?
A. Cisco ASA provides access control while Cisco Firepower does not.
B. Cisco Firepower provides identity-based access control while Cisco ASA does not.
C. Cisco Firepower natively provides intrusion prevention capabilities while Cisco ASA does not.
D. Cisco ASA provides SSL inspection while Cisco Firepower does not.
Cisco Firepower natively provides intrusion prevention capabilities while Cisco ASA does not.
Refer to the exhibit.

Which command was used to display this output?
A. show dot1x all
B. show dot1x
C. show dot1x all summary
D. show dot1x interface gi1/0/12
show dot1x all
Explanation:
Since the specific output is not provided in the question, I will deduce the correct command based on the context of 802.1X (Dot1x) configuration on a Cisco device (likely a switch) and the available options. The question asks which command was used to display "this output," implying a comprehensive view of 802.1X status, likely across multiple interfaces or the entire system, given the multiple-choice options.
Analysis of Options:
A. show dot1x all:
This command displays detailed 802.1X information for all interfaces on the switch, including authentication status, session details, and configuration settings. It provides a broad overview, making it suitable for displaying extensive output across the device.
B. show dot1x:
This is a basic command that shows a summary of 802.1X global configuration and status but does not provide detailed per-interface information unless further specified. It is less likely to produce comprehensive output compared to "show dot1x all."
C. show dot1x all summary:
This is not a valid Cisco IOS command. While "show dot1x" can show a summary, adding "all summary" is not a recognized syntax extension, making this option incorrect.
D. show dot1x interface gi1/0/12:
This command displays 802.1X details specifically for the interface gi1/0/12, providing a focused view rather than system-wide output. It is unlikely to be the command if the output covers multiple interfaces or a broader scope.
Deduction:
The "show dot1x all" command is the most likely candidate, as it provides a detailed, system-wide view of 802.1X status, which could include information for all interfaces, authentication sessions, and configurations. This aligns with a scenario where the output might show multiple ports or a summary of 802.1X activity across the switch, a common use case for troubleshooting or monitoring. Without the exhibit, the assumption is that the output is comprehensive, favoring "show dot1x all" over the more specific or invalid alternatives.
Final Answer:
A. show dot1x all
Additional Notes:
Displaying 802.1X status is a key topic in the 350-701 SCOR exam under endpoint security. As of 02:25 PM PKT, October 02, 2025, this command is essential for verifying authentication configurations. Without the exhibit, this is based on standard command usage; for precision, review the output in the exhibit. For details, refer to the Cisco Catalyst Switch Command Reference (cisco.com) and the 350-701 Exam Blueprint (Section 2.0 Endpoint Security).
A network administrator is using the Cisco ESA with AMP to upload files to the cloud for analysis. The network is congested and is affecting communication. How will the Cisco ESA handle any files which need analysis?
A. AMP calculates the SHA-256 fingerprint, caches it, and periodically attempts the upload
B. The file is queued for upload when connectivity is restored
C. The file upload is abandoned
D. The ESA immediately makes another attempt to upload the file
The file upload is abandoned
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118796-technote-esa-00.html
In this question, it stated "the network is congested" (not that the file analysis server was overloaded), so the appliance will not try to upload the file again.
A user has a device in the network that is receiving too many connection requests from multiple machines. Which type of attack is the device undergoing?
A. phishing
B. slowloris
C. pharming
D. SYN flood
Explanation
The key detail in the question is "receiving too many connection requests from multiple machines." This describes a classic Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack scenario aimed at exhausting the target's resources.
D. SYN flood:
This is the correct answer. A SYN flood is a type of DoS/DDoS attack where an attacker sends a rapid succession of TCP SYN packets to a target device. Each SYN packet is the first step in the TCP three-way handshake, requesting a new connection. The target allocates resources for each half-open connection and sends back a SYN-ACK, but the attacker never completes the handshake with the final ACK. This quickly consumes all available connections on the target, preventing it from establishing legitimate connections.
Why the other options are incorrect:
A. phishing:
This is a social engineering attack, not a network-level connection flood. Phishing uses deceptive emails or messages to trick users into revealing sensitive information like passwords. It does not involve overwhelming a device with connection requests.
B. slowloris:
While Slowloris is also a DoS attack, its method is different. It works by opening many partial HTTP connections to the target and keeping them open by sending headers very slowly. The question specifically mentions "too many connection requests," which aligns more with the rapid initiation of connections in a SYN flood rather than the slow, low-bandwidth consumption of open connections in a Slowloris attack.
C. pharming:
This is an attack that redirects a website's traffic to a fraudulent site, typically by poisoning DNS records. Like phishing, it is an attack on integrity and confidentiality, not an attack that overwhelms a device with connection requests to deny availability.
Reference:
This is a fundamental topic in network security, covered in the Security Concepts domain of the SCOR 350-701 exam.
Cisco Security Documentation on DoS Attacks: Describes various flood attacks, including SYN floods, as common methods to exhaust connection state tables on servers, firewalls, and other network devices.
In summary, an attack characterized by a target device being overwhelmed with initial connection requests from multiple sources is a SYN flood attack.
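A detection-side view of the half-open handshakes described above, as an added example that is not part of the original question bank. It assumes client-to-server TCP records of the form (timestamp, src, sport, dst, dport, flag); the record layout, thresholds, addresses (documentation ranges) and function names are all constructed for illustration.

```python
from collections import defaultdict


def half_open_by_target(records):
    """Replay client-to-server records and count handshakes left at SYN."""
    state = {}  # (src, sport, dst, dport) -> "SYN" or "EST"
    for _ts, src, sport, dst, dport, flag in records:
        conn = (src, sport, dst, dport)
        if flag == "S":
            state[conn] = "SYN"            # first step of the handshake
        elif flag == "A" and state.get(conn) == "SYN":
            state[conn] = "EST"            # final ACK: handshake completed
        elif flag in ("R", "F"):
            state.pop(conn, None)          # connection reset or closed
    targets = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for (src, _sport, dst, dport), status in state.items():
        if status == "SYN":
            targets[(dst, dport)]["half_open"] += 1
            targets[(dst, dport)]["sources"].add(src)
    return targets


def detect_syn_flood(records, min_half_open=100, min_sources=10):
    """Flag targets with many half-open connections from many sources."""
    hits = []
    for target, info in half_open_by_target(records).items():
        if (info["half_open"] >= min_half_open
                and len(info["sources"]) >= min_sources):
            hits.append((target, info["half_open"], len(info["sources"])))
    return sorted(hits)


def build_sample():
    """Constructed traffic: one flooded service, normal clients, stray SYNs."""
    records, ts = [], 0.0
    # 40 sources send 5 SYNs each to 198.51.100.10:443 and never ACK.
    for host in range(1, 41):
        for n in range(5):
            ts += 0.001
            records.append(
                (ts, f"203.0.113.{host}", 40000 + n, "198.51.100.10", 443, "S"))
    # 3 normal clients complete the handshake to the same service.
    for host in range(1, 4):
        ts += 0.01
        client = f"192.0.2.{host}"
        records.append((ts, client, 50000, "198.51.100.10", 443, "S"))
        records.append((ts + 0.002, client, 50000, "198.51.100.10", 443, "A"))
    # 2 unanswered SYNs to another server: below the alert thresholds.
    for host in (1, 2):
        ts += 0.01
        records.append((ts, f"192.0.2.{host}", 51000, "198.51.100.20", 80, "S"))
    return records


if __name__ == "__main__":
    for target, half_open, sources in detect_syn_flood(build_sample()):
        print(f"{target[0]}:{target[1]} half_open={half_open} sources={sources}")
```

Completed handshakes are not counted, which is what separates this signal from a Slowloris-style pattern, where the connections are fully established and then held open.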
Which license is required for Cisco Security Intelligence to work on the Cisco Next Generation Intrusion Prevention System?
A. control
B. malware
C. URL filtering
D. protect
Explanation:
Cisco's Firepower licensing is modular, and the "Protect" license is the one that specifically enables the Intrusion Prevention System (IPS) and Next-Generation IPS (NGIPS) capabilities.
Let's break down the license types:
D) Protect is CORRECT.
The Protect license is required to enable the core IPS/NGIPS functionality. This includes:
Intrusion Prevention System (IPS) signature updates and engine.
Network-based application visibility and control (AVC).
File and malware inspection.
The underlying Security Intelligence (SI) feeds, which include IP, URL, and domain reputation data, are a foundational part of this license. SI acts as a first line of defense, quickly blocking connections to known malicious IPs and URLs before more resource-intensive inspection like IPS occurs.
Why the other options are incorrect:
A) Control is INCORRECT.
The Control license is focused on identity-based policies and integration with Cisco TrustSec for security group tagging (SGT) and enforcement. It is not required for the basic IPS and Security Intelligence to function.
B) Malware is INCORRECT.
While the Malware license is often bundled, it specifically enables advanced file analysis and sandboxing with Advanced Malware Protection (AMP). The basic file and malware inspection that is part of NGIPS is included in the Protect license. The "Malware" license typically refers to the more advanced retrospective analysis and threat intelligence from Talos.
C) URL Filtering is INCORRECT.
The URL Filtering license provides access to Cisco's full, categorized URL database (like "Gambling," "Social Media") to create policies based on website categories. The Security Intelligence component included with the Protect license only blocks URLs/domains that are on a known-malicious threat list, not general web categorization and filtering.
Reference:
Cisco Firepower Management Center Configuration Guide, "Licensing":
The official documentation clearly maps features to license types. It states that the "Protect" license is required for Intrusion Policies, File Policies, and Security Intelligence (which includes IP, URL, and Domain block lists).
Cisco Firepower Data Sheets:
Product data sheets for the FTD and NGIPS consistently list Intrusion Prevention and Security Intelligence as core features enabled by the Protect license.
What is the Cisco API-based broker that helps reduce compromises, application risks, and data breaches in an environment that is not on-premise?
A. Cisco Cloudlock
B. Cisco Umbrella
C. Cisco AMP
D. Cisco App Dynamics
Explanation for Each Option:
A. Cisco Cloudlock (Correct):
Cisco Cloudlock is a cloud-native, API-based Cloud Access Security Broker (CASB) designed to protect cloud environments by reducing compromises, application risks, and data breaches. It integrates with cloud applications via APIs to provide visibility, data security, and threat protection in non-on-premises environments like SaaS, IaaS, and PaaS, making it the ideal solution for this scenario. (Reference: Cisco Cloudlock Datasheet, API Integration.)
B. Cisco Umbrella (Incorrect):
Cisco Umbrella is a cloud-delivered security platform that provides DNS-layer protection, blocking malicious domains and phishing attempts. While effective for securing internet traffic, it is not primarily an API-based broker focused on reducing application risks and data breaches in non-on-premises cloud environments, making it less suitable for this specific use case. (Reference: Cisco Umbrella Overview.)
C. Cisco AMP (Incorrect):
Cisco Advanced Malware Protection (AMP) is a threat-focused solution that detects, prevents, and responds to malware across endpoints, networks, and cloud environments. Although it enhances security, it is not an API-based broker tailored for managing cloud application risks and data breaches in non-on-premises settings, focusing more on malware-specific threats. (Reference: Cisco AMP Datasheet.)
D. Cisco App Dynamics (Incorrect):
Cisco App Dynamics is an application performance monitoring (APM) tool that helps optimize application performance and troubleshoot issues in cloud and on-premises environments. It is not designed as an API-based broker to reduce compromises, application risks, or data breaches, as its primary focus is performance rather than security brokering. (Reference: Cisco App Dynamics User Guide.)
Additional Notes:
Cisco Cloudlock, relevant to the 350-701 SCOR exam under cloud security, is tailored for non-on-premises environments. As of 09:08 AM PKT, October 02, 2025, it remains a key CASB solution. For details, refer to the Cisco Cloudlock documentation (cisco.com) and the 350-701 Exam Blueprint (Section 3.0 Security Concepts).