Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

Explanation for Each Option:

A. Can track ingress and egress information (Correct):
NetFlow flow monitoring tracks both ingress (incoming) and egress (outgoing) traffic on an interface, providing detailed visibility into the direction of data flows. This is a key feature for understanding network traffic patterns, making it a correct choice. (Reference: Cisco NetFlow Configuration Guide, Ingress/Egress Tracking.)

B. Include the flow record and the flow importer (Incorrect):
While NetFlow involves flow records (data collected about flows) and a flow exporter (which sends data to a collector), the "flow importer" is not a standard term. The correct component is the flow collector, and this option misrepresents the feature, rendering it incorrect. (Reference: Cisco NetFlow Components Overview.)

C. Copies all ingress flow information to an interface (Incorrect):
NetFlow does not copy all ingress flow information to an interface; it samples and aggregates flow data based on configured parameters. This option suggests a full copy, which is inaccurate and not a feature of NetFlow, making it incorrect. (Reference: Cisco NetFlow Sampling Guide.)

D. Does not required packet sampling on interfaces (Incorrect):
NetFlow often requires packet sampling (e.g., using NetFlow sampling or sFlow) to manage high traffic volumes, especially on busy interfaces. The statement is false, as sampling is a common requirement, rendering this option incorrect. (Reference: Cisco NetFlow Sampling Configuration.)

E. Can be used to track multicast, MPLS, or bridged traffic (Correct):
NetFlow supports monitoring of multicast, MPLS (Multiprotocol Label Switching), and bridged traffic, providing visibility into these specialized traffic types. This flexibility is a valuable feature, making it a correct choice. (Reference: Cisco NetFlow Advanced Features Guide, Multicast/MPLS Support.)

Additional Notes:
Understanding NetFlow features is a key topic in the 350-701 SCOR exam under network security. As of 3:50 PM PKT, October 03, 2025, its tracking capabilities are critical for monitoring.

It includes multiple interfaces and access rules between interfaces are customizable

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95- generalconfig/intro-fw.htmlNote: BVI interface is not used for management purpose. But we can add a separate Management slot/port interface that is not part of any bridge group, and that allows only management traffic to the ASA.

Explanation:
For the WSA to perform SSL decryption (acting as a man-in-the-middle), it must dynamically generate a certificate for the website the user is visiting. For this to work without causing security errors in the user's browser, the certificate used to sign these dynamic certificates must meet specific criteria.

Let's break down why B and E are correct:

B) It must reside in the trusted store of the WSA.
This is CORRECT. The WSA needs the root Certificate Authority (CA) certificate or the intermediate CA certificate to sign the dynamically generated certificates it presents to users. This signing certificate must be installed in the WSA's local trusted certificate store so it can be used for this purpose.

E) It must contain a SAN. This is CORRECT.
A Subject Alternative Name (SAN) is a critical extension in an X.509 certificate that allows a single certificate to secure multiple domain names. Modern browsers require the SAN field to match the domain name being accessed. If the WSA's signing certificate does not have a SAN, the dynamically generated certificates it creates will be missing this field, causing browsers to display certificate warnings and block the connection.

Why the other options are incorrect:

A) It must include the current date. This is INCORRECT.
While it is a fundamental requirement for any valid certificate to be within its validity period (not before/not after dates), this is a generic requirement for all certificates, not a specific criterion for the WSA's decryption certificate.

C) It must reside in the trusted store of the endpoint.
This is a tricky one but is INCORRECT in the context of what the question is asking. The certificate that must be in the endpoint's trusted store is the Root CA certificate that issued the WSA's signing certificate. The question asks about the certificate the WSA uses, which is the signing certificate (often an intermediate CA). The trust chain must ultimately lead to a root CA trusted by the endpoint, but the specific certificate the WSA uses does not itself need to be in the endpoint's store.

D) It must have been signed by an internal CA.
This is INCORRECT. While it is a very common and recommended practice to use an internally managed CA for this purpose (for security and control), it is not a strict technical requirement. The WSA can use a certificate from a public CA. However, this is highly discouraged for security and practical reasons (a public CA would not issue a certificate for another entity's domain).

Reference:
Cisco WSA AsyncOS Administration Guide for Web Security (SSL Decryption Chapter): The configuration guide for enabling SSL decryption explicitly states the requirement to upload a CA certificate and private key to the WSA and emphasizes that the certificate must contain X.509 v3 extensions, specifically the Subject Alternative Name (SAN) field, to be compatible with modern browsers.

GRE over IPsec cannot be used as a standalone protocol, and L2TP can.

local web auth

central web auth

CI

Explanation for Each Option:

A. DLP solutions (Correct):
Data Loss Prevention (DLP) solutions monitor, detect, and prevent unauthorized data exfiltration from the cloud by enforcing policies on sensitive data (e.g., PII, financial records). This directly mitigates data breaches by controlling data movement, making it a key parameter. (Reference: Cisco Secure Cloud DLP Features.)

B. strong user authentication (Correct):
Strong user authentication, such as multifactor authentication (MFA), ensures only authorized users access cloud resources. By reducing the risk of credential-based attacks (e.g., phishing), it prevents unauthorized access that could lead to data breaches, making it an essential parameter. (Reference: Cisco Cloud Security Best Practices, MFA.)

C. encryption (Incorrect):
Encryption protects data at rest and in transit, enhancing security, but it is a protective measure rather than a preventive parameter against breaches. If access is already compromised, encryption alone cannot stop data exfiltration, making it a supporting rather than primary factor. (Reference: Cisco Cloud Encryption Guide.)

D. complex cloud-based web proxies (Incorrect):
Complex cloud-based web proxies (e.g., for filtering or caching) improve performance and security but are not specifically designed to prevent data breaches. They address web traffic management, not direct data loss prevention or access control, rendering this option less relevant. (Reference: Cisco Umbrella Proxy Features.)

E. antispoofing programs (Incorrect):
Antispoofing programs prevent IP spoofing in network attacks (e.g., DDoS), which is valuable for network security but not a primary measure against cloud data breaches. They do not address insider threats or data exfiltration, making this option incorrect for the context. (Reference: Cisco Secure Firewall Antispoofing.)

Additional Notes:
Preventing cloud data breaches is a key topic in the 350-701 SCOR exam under cloud security. As of 12:30 PM PKT, October 03, 2025, DLP and authentication are critical defenses.

WSA

Cisco Web Security Appliance