- Updated on: 25-May-2026
Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)
Topic 1: Exam Pool A
What is a characteristic of traffic storm control behavior?
A. Traffic storm control drops all broadcast and multicast traffic if the combined traffic exceeds the level within the interval.
B. Traffic storm control cannot determine if the packet is unicast or broadcast.
C. Traffic storm control monitors incoming traffic levels over a 10-second traffic storm control interval.
D. Traffic storm control uses the Individual/Group bit in the packet source address to determine if the packet is unicast or broadcast.
Answer: A. Traffic storm control drops all broadcast and multicast traffic if the combined traffic exceeds the level within the interval.
An organization has a Cisco Stealthwatch Cloud deployment in its environment. Cloud logging is working as expected, but logs are not being received from the on-premises network. Which action will resolve this issue?
A. Configure security appliances to send syslogs to Cisco Stealthwatch Cloud
B. Configure security appliances to send NetFlow to Cisco Stealthwatch Cloud
C. Deploy a Cisco FTD sensor to send events to Cisco Stealthwatch Cloud
D. Deploy a Cisco Stealthwatch Cloud sensor on the network to send data to Cisco Stealthwatch Cloud
Explanation:
Cisco Stealthwatch Cloud has two primary deployment models for data collection:
Cloud-Native Integration:
For cloud environments (like AWS, Azure), it uses APIs and cloud-native flow logs. This is why "cloud logging is working as expected."
On-Premises Network:
For physical and private data centers, it requires an on-premises collector, officially called the Stealthwatch Cloud Sensor.
The sensor is a virtual machine deployed inside the private network. Its job is to:
Receive network flow data (NetFlow, IPFIX, sFlow) from routers, switches, and firewalls.
Perform initial analysis and compression.
Securely forward the relevant metadata and security events to the Stealthwatch Cloud console.
If logs are not being received from the on-premises network, the most likely cause is that this sensor is not deployed or is misconfigured.
Why the other options are incorrect:
A) Configure security appliances to send syslogs to Cisco Stealthwatch Cloud is INCORRECT.
Stealthwatch Cloud is primarily designed to analyze network flow data (NetFlow, IPFIX), not syslog. While it can integrate with other systems, its core threat detection for the network is based on flow analysis. Furthermore, the Stealthwatch Cloud console does not have a public endpoint for syslog ingestion from on-premises; all data flows through the sensor.
B) Configure security appliances to send NetFlow to Cisco Stealthwatch Cloud is INCORRECT.
You cannot configure your on-premises devices to send NetFlow directly to the Stealthwatch Cloud public IP address. The network flow data must be sent to the private IP address of the Stealthwatch Cloud Sensor, which then forwards it.
C) Deploy a Cisco FTD sensor to send events to Cisco Stealthwatch Cloud is INCORRECT.
While Cisco FTD can be a source of NetFlow data (by sending it to the Stealthwatch Cloud Sensor), the "FTD sensor" is not the correct component. The specific component required is the Stealthwatch Cloud Sensor VM.
Reference:
Cisco Stealthwatch Cloud Deployment Guide: The official documentation explicitly states that for on-premises networks, you must "Deploy the Stealthwatch Cloud sensor virtual machine" and then "Configure your network infrastructure to send NetFlow to the sensor."
Which attack is preventable by Cisco ESA but not by the Cisco WSA?
A. buffer overflow
B. DoS
C. SQL injection
D. phishing
Explanation:
The key to this question is recognizing the primary delivery method for each attack and which appliance is the gateway for that method.
D) phishing is CORRECT.
Phishing attacks are predominantly launched via email. The attacker sends a fraudulent email designed to trick the recipient into revealing sensitive information. The Cisco ESA is the first line of defense for email-borne threats and is specifically designed to detect and block phishing emails using techniques like sender reputation, anti-spam engines, and anti-phishing filters. The Cisco WSA, which filters web traffic, would only be involved if a user clicks a link within a phishing email, but it cannot prevent the phishing email itself from arriving in the user's inbox. Therefore, the initial phishing email is preventable by ESA but not by WSA.
Why the other options are incorrect:
A) buffer overflow is INCORRECT.
A buffer overflow is a software exploit that can be delivered via multiple vectors, including both malicious email attachments (filtered by ESA) and drive-by downloads from malicious websites (filtered by WSA). Both appliances can play a role in preventing its delivery.
B) DoS is INCORRECT.
A Denial-of-Service (DoS) attack aims to overwhelm a service with traffic. Both appliances can be involved in mitigating DoS attacks relevant to their protocols. The ESA can mitigate email-based DoS (mail bombing), and the WSA can help mitigate HTTP/HTTPS-based DoS attacks.
C) SQL injection is INCORRECT.
SQL injection is an attack against web applications. It is typically launched through a web browser. The Cisco WSA, especially when integrated with a Web Application Firewall (WAF) like Cisco Secure Firewall Management Center, can detect and block SQL injection attempts in web traffic. The ESA would not see this attack as it does not involve the email protocol.
Summary of Responsibilities:
Cisco ESA: Protects against threats delivered via email (spam, phishing, malware in attachments).
Cisco WSA: Protects against threats delivered via web browsing (malicious sites, drive-by downloads, web application attacks).
Reference:
Cisco ESA vs. WSA Solution Overviews: The data sheets for each product clearly delineate their primary use cases, with ESA focusing on the email vector and WSA focusing on the web vector. Phishing is consistently listed as a top threat mitigated by the ESA.
What are two functions of secret key cryptography? (Choose two)
A. key selection without integer factorization
B. utilization of different keys for encryption and decryption
C. utilization of large prime number iterations
D. provides the capability to only know the key on one side
E. utilization of less memory
Answer: B. utilization of different keys for encryption and decryption; D. provides the capability to only know the key on one side
What are the two most commonly used authentication factors in multifactor authentication? (Choose two)
A. biometric factor
B. time factor
C. confidentiality factor
D. knowledge factor
E. encryption factor
Answer: D. knowledge factor
Explanation for Each Option:
A. biometric factor (Correct):
The biometric factor, such as fingerprints, facial recognition, or iris scans, is a widely used authentication factor in multifactor authentication (MFA). It relies on unique physical characteristics, providing a strong, something-you-are component, making it one of the most common factors. (Reference: Cisco Identity Services Engine MFA Guide, Biometrics.)
B. time factor (Incorrect):
The time factor, often associated with time-based one-time passwords (TOTP) like those from authenticator apps, is a method within the possession factor (something-you-have), not a distinct authentication factor. It supports MFA but is not considered a primary factor type, rendering this option incorrect. (Reference: Cisco Secure Access TOTP Configuration.)
C. confidentiality factor (Incorrect):
"Confidentiality factor" is not a recognized authentication factor in MFA. Confidentiality relates to data protection, not user authentication, and is unrelated to the standard factors (something-you-know, -have, -are), making this option invalid. (Reference: NIST Digital Identity Guidelines, Authentication Factors.)
D. knowledge factor (Correct):
The knowledge factor, such as passwords or PINs, is one of the most commonly used authentication factors in MFA. It represents something-you-know, providing a foundational element that is often combined with other factors, making it a standard and widely adopted choice. (Reference: Cisco ISE Knowledge-Based Authentication.)
E. encryption factor (Incorrect):
"Encryption factor" is not an authentication factor in MFA. Encryption is a security mechanism used to protect data, not to verify identity, and does not align with the recognized categories (knowledge, possession, biometric), rendering this option incorrect. (Reference: Cisco Secure Encryption Overview.)
Additional Notes:
Understanding MFA factors is a key topic in the 350-701 SCOR exam under endpoint security. As of 12:15 PM PKT, October 03, 2025, knowledge and biometric factors are prevalent.
Due to a traffic storm on the network, two interfaces were error-disabled, and both interfaces sent SNMP traps. Which two actions must be taken to ensure that the interfaces are put back into service? (Choose two)
A. Have Cisco Prime Infrastructure issue an SNMP set command to re-enable the ports after the preconfigured interval.
B. Use EEM to have the ports return to service automatically in less than 300 seconds.
C. Enter the shutdown and no shutdown commands on the interfaces.
D. Enable the snmp-server enable traps command and wait 300 seconds.
E. Ensure that interfaces are configured with the error-disable detection and recovery feature.
Answer: E. Ensure that interfaces are configured with the error-disable detection and recovery feature.
Explanation for Each Option:
A. Have Cisco Prime Infrastructure issue an SNMP set command to re-enable the ports after the preconfigured interval (Incorrect):
While Cisco Prime Infrastructure can manage devices via SNMP, issuing an SNMP set command to re-enable ports requires specific configuration and manual intervention. It is not a standard or automated method for recovering error-disabled interfaces, and it depends on external tools, making it less practical than built-in recovery mechanisms. (Reference: Cisco Prime Infrastructure User Guide, SNMP Management.)
B. Use EEM to have the ports return to service automatically in less than 300 seconds (Incorrect):
Embedded Event Manager (EEM) can automate actions based on events, such as re-enabling ports after a timer. However, this requires custom scripting and configuration, which is not a default or guaranteed method for error-disable recovery. It is an advanced option, not a standard action, making it incorrect as a primary solution. (Reference: Cisco IOS EEM Configuration Guide.)
C. Enter the shutdown and no shutdown commands on the interfaces (Correct):
Manually issuing the shutdown and no shutdown commands on the affected interfaces is a direct and widely accepted method to recover from an error-disabled state. This clears the error condition and reactivates the ports, ensuring they return to service after the traffic storm issue is resolved, making it a standard action. (Reference: Cisco IOS Interface Command Reference, Error Disable Recovery.)
D. Enable the snmp-server enable traps command and wait 300 seconds (Incorrect):
The snmp-server enable traps command enables SNMP notifications (e.g., for error-disabled states), but it does not automatically re-enable ports. Waiting 300 seconds assumes a recovery timer, which requires additional error-disable recovery configuration. This alone does not restore service, making it insufficient without further setup. (Reference: Cisco IOS SNMP Configuration Guide.)
E. Ensure that interfaces are configured with the error-disable detection and recovery feature (Correct):
Configuring the error-disable detection and recovery feature (e.g., errdisable recovery cause all and setting a timer like errdisable recovery interval) allows interfaces to automatically recover from error-disabled states, such as those caused by a traffic storm. This proactive setup ensures ports return to service without manual intervention, meeting the requirement. (Reference: Cisco IOS LAN Switching Configuration Guide, Error Disable Recovery.)
Additional Notes:
Error-disable recovery is a key topic in the 350-701 SCOR exam under network security. As of 05:15 PM PKT, October 01, 2025, this remains a standard practice for managing interface errors. For details, refer to the Cisco IOS Interface and Switching Configuration Guides (cisco.com) and the 350-701 Exam Blueprint (Section 1.0 Security Concepts).
When planning a VPN deployment, for which reason does an engineer opt for an active/active FlexVPN configuration as opposed to DMVPN?
A. Multiple routers or VRFs are required
B. Traffic is distributed statically by default
C. Floating static routes are required
D. HSRP is used for failover
Explanation:
This question compares the design considerations for two scalable VPN solutions: FlexVPN and DMVPN. The key advantage of an active/active FlexVPN configuration in this context is its ability to leverage multiple routers or Virtual Routing and Forwarding (VRF) instances for load sharing and redundancy.
Active/Active FlexVPN:
In this design, you can have two (or more) hub routers, each terminating FlexVPN sessions. These hubs can be:
Distinct Physical Routers:
Spokes can be configured to establish tunnels to multiple hubs, distributing the load.
Different VRFs on the Same Router:
A single physical router can act as multiple logical hubs using VRFs, providing path isolation and the appearance of multiple endpoints for spokes.
This architecture allows for true load balancing of VPN traffic across different paths or logical routers, which is a more complex but powerful feature.
Why the other options are incorrect:
B. Traffic is distributed statically by default.
Neither FlexVPN nor DMVPN distributes traffic in a purely static manner by default. Load distribution typically requires careful design and configuration (like routing protocol tuning) and is not a simple default behavior.
C. Floating static routes are required.
Floating static routes are a common mechanism for providing backup paths in many network designs, including both DMVPN and FlexVPN. They are not a unique reason to choose one over the other.
D. HSRP is used for failover.
Hot Standby Router Protocol (HSRP) is a first-hop redundancy protocol used to provide a virtual default gateway for end-hosts on a LAN. It is not directly involved in the core VPN tunnel establishment or failover between hub routers in a WAN VPN design like FlexVPN or DMVPN. While HSRP might be used on the LAN side of the hubs, it is not the reason to select an active/active FlexVPN design.
Reference:
The design flexibility of FlexVPN, including its support for multiple peers and VRFs, is a key differentiator documented by Cisco.
The Cisco IOS FlexVPN Configuration Guide discusses active/active high availability designs, stating that they allow for "load balancing of IPsec sessions among multiple peers" and that "VRF-aware IPsec" is a supported feature. This ability to leverage multiple routers or VRFs is a primary architectural reason an engineer would choose an active/active FlexVPN design over a traditional single-hub DMVPN model.
What is a characteristic of Firepower NGIPS inline deployment mode?
A. ASA with Firepower module cannot be deployed.
B. It cannot take actions such as blocking traffic.
C. It is out-of-band from traffic.
D. It must have inline interface pairs configured
Explanation:
This question tests the fundamental understanding of how a Next-Generation Intrusion Prevention System (NGIPS) operates. The key term is "inline."
In an inline deployment, the Firepower device is physically placed directly in the path of the network traffic. For traffic to flow from one network segment to another, it must pass through the Firepower sensors. This physical placement is achieved by configuring inline interface pairs (or sets). One interface in the pair receives traffic, and the other transmits it, creating a logical "bump in the wire."
This architecture is essential for the "Prevention" aspect of IPS, as it allows the system to not only detect but also block malicious packets in real-time by dropping them before they reach their target.
Why the other options are incorrect:
A. ASA with Firepower module cannot be deployed.
This is incorrect. The Firepower Threat Defense (FTD) software, which combines ASA and Firepower services, can absolutely be deployed in inline mode. In fact, this is the standard deployment for FTD as a gateway.
B. It cannot take actions such as blocking traffic.
This is the exact opposite of the truth. The primary purpose and benefit of deploying a NGIPS inline (as opposed to passive) is to enable blocking and other "impactful" actions like modifying traffic. A passive (out-of-band) deployment can only detect and alert.
C. It is out-of-band from traffic.
This is incorrect and describes the opposite deployment mode. "Out-of-band" (or passive) mode is when the sensor analyzes a copy of the traffic (e.g., from a SPAN port). An inline deployment is, by definition, in-band.
Reference:
This is a core concept in the Cisco Firepower deployment guide.
As per the Cisco Firepower Management Center Configuration Guide, it states:
"In an inline deployment, you assign interfaces to inline sets... Traffic entering one interface in the set is analyzed before it is passed out the other interface in the set."
"Because the device is physically in the path of the traffic, it can take actions on that traffic before it reaches its destination."
This confirms that inline deployment is defined by the use of inline interface pairs and is characterized by its ability to block traffic.
Which term describes when the Cisco Firepower downloads threat intelligence updates from Cisco Talos?
A. consumption
B. sharing
C. analysis
D. authoring
Explanation:
The process follows a clear cycle of intelligence creation, distribution, and use:
Authoring:
Cisco Talos, one of the largest commercial threat intelligence teams in the world, researches and analyzes global threats. They author the rules, signatures, and intelligence data.
Sharing:
Talos packages this intelligence into updates (e.g., intrusion rules, vulnerability database - VDB - updates, Security Intelligence feeds for IPs and URLs).
Consumption:
The Cisco Firepower Management Center (FMC) and its managed devices download these updates. This is the act of consuming the threat intelligence provided by Talos.
Analysis & Enforcement:
Firepower then uses this consumed intelligence to analyze network traffic and enforce security policies, blocking malicious activity.
Therefore, the specific term for Firepower downloading the updates is consumption.
Why the other options are incorrect:
B) sharing is INCORRECT.
"Sharing" is the action performed by the source, which is Cisco Talos. Talos shares its intelligence; Firepower consumes it.
C) analysis is INCORRECT.
"Analysis" is what happens after the intelligence is consumed. Firepower and Talos both perform analysis, but the act of downloading the updates is not analysis itself.
D) authoring is INCORRECT.
"Authoring" is the creation of the intelligence, which is done exclusively by Cisco Talos. Firepower does not author the threat intelligence; it uses it.
Reference:
Cisco Firepower Management Center Configuration Guide, "Managing Updates": The documentation refers to the process of downloading and installing rule updates, VDB updates, and other intelligence packs from Cisco.
Cisco Talos Intelligence: The Talos website and data sheets describe their role as the provider (author and sharer) of intelligence that Cisco security products consume to protect networks.
Drag and drop the capabilities of Cisco Firepower versus Cisco AMP from the left into the appropriate category on the right.
Explanation:
The Firepower System uses network discovery and identity policies to collect host, application, and user data for traffic on your network. You can use certain types of discovery and identity data to build a comprehensive map of your network assets, perform forensic analysis, behavioral profiling, and access control, and mitigate and respond to the vulnerabilities and exploits to which your organization is susceptible.
The Cisco Advanced Malware Protection (AMP) solution enables you to detect and block malware, continuously analyze for malware, and get retrospective alerts. AMP for Networks delivers network-based advanced malware protection that goes beyond point-in-time detection to protect your organization across the entire attack continuum – before, during, and after an attack. Designed for Cisco Firepower® network threat appliances, AMP for Networks detects, blocks, tracks, and contains malware threats across multiple threat vectors within a single system. It also provides the visibility and control necessary to protect your organization against highly sophisticated, targeted, zero-day, and persistent advanced malware threats.