• 721 Questions
• Updated on: 25-May-2026
• Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)


Topic 2: Exam Pool B

What features does Cisco FTDv provide over ASAv?

A. Cisco FTDv runs on VMWare while ASAv does not

B. Cisco FTDv provides 1GB of firewall throughput while Cisco ASAv does not

C. Cisco FTDv runs on AWS while ASAv does not

D. Cisco FTDv supports URL filtering while ASAv does not

D.   Cisco FTDv supports URL filtering while ASAv does not

Explanation
This question highlights the fundamental difference between the two virtual firewall offerings from Cisco: the legacy ASA-based platform and the modern Firepower Threat Defense platform.

Cisco ASAv (Adaptive Security Virtual Appliance):
This is the virtual version of the classic Cisco ASA firewall. Its primary features are stateful firewall inspection, VPN (Site-to-Site and Remote Access), and basic networking services. It operates primarily at the network and transport layers (L3-L4). It does not have integrated, advanced threat-focused capabilities like URL Filtering, IPS, or Advanced Malware Protection (AMP) within its own image.

Cisco FTDv (Firepower Threat Defense virtual):
This is the virtual version of the modern Cisco Firepower Threat Defense software. It is a consolidated, next-generation firewall (NGFW) platform that integrates several security functions into a single image. Crucially, this includes:

Detailed Breakdown of Incorrect Options

A. Cisco FTDv runs on VMWare while ASAv does not

Why it is incorrect:
This is false. Both the Cisco ASAv and the Cisco FTDv are supported on multiple hypervisors, including VMware ESXi, Microsoft Hyper-V, KVM, and various public clouds like AWS, Azure, and Google Cloud. The virtualization platform is not a differentiating factor.

B. Cisco FTDv provides 1GB of firewall throughput while Cisco ASAv does not

Why it is incorrect:
This is misleading and incorrect. Throughput is determined by the licensed "instance size" or "throughput tier" for both virtual appliances. Both the ASAv and FTDv come in multiple performance tiers (e.g., 100Mbps, 1Gbps, 10Gbps). You can license an ASAv for 1Gbps of stateful firewall throughput, and you can license an FTDv for the same. The performance is a function of the license and the underlying host resources, not an inherent limitation of one platform over the other in this context.

C. Cisco FTDv runs on AWS while ASAv does not

Why it is incorrect:
This is false. Both the Cisco ASAv and the Cisco FTDv are officially supported and available as Amazon Machine Images (AMIs) in the AWS Marketplace. They are both designed for deployment in public cloud environments.

Reference:
This information is clearly outlined in the data sheets and feature guides for both the Cisco ASAv and Cisco FTDv on Cisco's official website.

Exam Tip:
When comparing ASAv vs. FTDv, always think "Traditional Stateful Firewall" vs. "Consolidated Next-Generation Firewall." The presence of application-layer controls like URL Filtering, IPS, and AMP is the definitive differentiator that FTDv provides.

The Cisco ASA must support TLS proxy for encrypted Cisco Unified Communications traffic. Where must the ASA be added on the Cisco UC Manager platform?

A. Certificate Trust List

B. Endpoint Trust List

C. Enterprise Proxy Service

D. Secured Collaboration Proxy

A.   Certificate Trust List



Refer to the exhibit.

Which type of authentication is in use?

A. LDAP authentication for Microsoft Outlook

B. POP3 authentication

C. SMTP relay server authentication

D. external user and relay mail authentication

D.   external user and relay mail authentication



Reference: https://www.cisco.com/c/en/us/support/docs/security/email-securityappliance/118844-technoteesa-00.html

The exhibit in this question shows a successful TLS connection from the remote host (reception) in the mail log.

A Cisco ESA administrator has been tasked with configuring the Cisco ESA to ensure there are no viruses before quarantined emails are delivered. In addition, delivery of mail from known bad mail servers must be prevented. Which two actions must be taken in order to meet these requirements? (Choose two)

A. Use outbreak filters from SenderBase

B. Enable a message tracking service

C. Configure a recipient access table

D. Deploy the Cisco ESA in the DMZ

E. Scan quarantined emails using AntiVirus signatures

A.   Use outbreak filters from SenderBase
E.   Scan quarantined emails using AntiVirus signatures

Explanation
Let's break down the requirements from the question and map them to the correct ESA features.

Requirement 1:
"Ensure there are no viruses before quarantined emails are delivered."

By default, the ESA scans messages for viruses as they arrive using the Anti-Virus scanning engines (like Sophos or McAfee). Messages that are clean are delivered; messages with viruses are typically dropped or quarantined.

However, the requirement specifies ensuring no viruses "before quarantined emails are delivered." This implies a scenario where messages are placed in a quarantine queue for other reasons (e.g., policy quarantines, suspected spam) and must be re-scanned before a user or administrator releases them.

How is this achieved?

Answer E:
Scan quarantined emails using AntiVirus signatures. The ESA has a specific feature called "Virus Outbreak Filter" or "Retrospective Anti-Virus" (depending on the version). This feature can be configured to periodically re-scan messages that are already in the quarantine. If a new virus signature is downloaded after a message was quarantined, this scan will detect the now-identified virus and take action (like deleting the message), ensuring it is never delivered to the user's inbox, even if released from quarantine.

Requirement 2:
"Delivery of mail from known bad mail servers must be prevented."

This is a classic case for reputation-based filtering. The ESA needs to make a decision about an incoming connection before it accepts the entire email message. This is efficient and prevents wasted resources.

How is this achieved?

Answer A:
Use outbreak filters from SenderBase. SenderBase (Cisco's security intelligence network) maintains a massive, real-time database of IP addresses and their reputation scores. "Outbreak Filters" use this data. When an email server connects to the ESA, the ESA can immediately query SenderBase. If the connecting IP is on a known bad list (e.g., a known source of spam, malware, or part of a botnet), the ESA can block the connection outright, preventing the message from ever being delivered.

Detailed Breakdown of Incorrect Options

B. Enable a message tracking service

Why it is incorrect:
Message tracking is a reporting and troubleshooting feature. It allows an administrator to search for a specific message and see its path through the ESA (accepted, scanned, quarantined, delivered, etc.). It is a reactive tool used for diagnosis and has no proactive role in blocking viruses or bad senders.

C. Configure a recipient access table

Why it is incorrect:
A Recipient Access Table (RAT) is used to control inbound routing and acceptance based on the recipient's email address. It answers the question, "Is this recipient valid and which mail policy should apply?" It does not scan for virus content or make decisions based on the reputation of the sending server's IP address.

D. Deploy the Cisco ESA in the DMZ

Why it is incorrect:
While it is a common and recommended network design to place the ESA in a DMZ, this is a deployment topology, not a specific configuration action to meet the functional requirements. An ESA placed anywhere on the network edge can be configured with Anti-Virus and SenderBase filters. The physical or logical location does not, by itself, fulfill the tasks of virus scanning and sender reputation blocking.

Summary and Reference

To block known bad servers: You use SenderBase/IP Reputation filtering (A). This is a first-line defense that stops threats before they enter your system.

To ensure quarantined messages are virus-free before release: You enable retrospective Anti-Virus scanning on the quarantine (E). This is a safety net that catches new threats that were unknown at the time of initial delivery.

Reference:
These features are core components of the Cisco ESA and are documented in the "Anti-Spam and Antivirus" and "Reputation Filtering and Outbreak Filters" sections of the Cisco Email Security Appliance Administration Guide.

Which protocol provides the strongest throughput performance when using Cisco AnyConnect VPN?

A. TLSv1.2

B. TLSv1.1

C. BJTLSv1

D. DTLSv1

D.   DTLSv1

Explanation for Each Option:

A. TLSv1.2 (Incorrect):
Transport Layer Security (TLS) version 1.2 is a secure protocol used by Cisco AnyConnect VPN for encrypted communication. While it provides strong security, it operates over TCP, which can introduce latency due to retransmissions and connection overhead, resulting in lower throughput performance compared to DTLS, making this option less optimal. (Reference: Cisco AnyConnect VPN Configuration Guide, TLS Options.)

B. TLSv1.1 (Incorrect):
TLS version 1.1 is an older protocol with known security vulnerabilities and is deprecated in modern implementations, including Cisco AnyConnect. It also uses TCP, leading to similar throughput limitations as TLSv1.2, and its obsolescence makes it an unsuitable choice for performance, rendering this option incorrect. (Reference: Cisco AnyConnect Security Protocols.)

C. BJTLSv1 (Incorrect):
"BJTLSv1" does not correspond to any recognized protocol variant in Cisco AnyConnect or standard VPN implementations. It appears to be a typographical error or misinterpretation (possibly intended as a variant of TLS). No such protocol exists, making this option invalid for throughput performance consideration. (Reference: Cisco AnyConnect Supported Protocols.)

D. DTLSv1 (Correct):
Datagram Transport Layer Security (DTLS) version 1, used by Cisco AnyConnect VPN, operates over UDP, avoiding TCP overhead and retransmission delays. This results in stronger throughput performance, especially for real-time applications like voice or video, making DTLSv1 the preferred protocol for maximizing VPN performance in supported environments. (Reference: Cisco AnyConnect DTLS Configuration Guide.)

Additional Notes:
Optimizing VPN performance with DTLS is a key topic in the 350-701 SCOR exam under VPN technologies. As of 11:37 AM PKT, October 02, 2025, DTLS remains the best choice for throughput. For details, refer to the Cisco AnyConnect Administration Guide (cisco.com) and the 350-701 Exam Blueprint (Section 3.0 Security Concepts).

What must be configured in Cisco ISE to enforce reauthentication of an endpoint session when an endpoint is deleted from an identity group?

A. posture assessment

B. CoA

C. external identity source

D. SNMP probe

B.   CoA



Explanation for Each Option:

A. posture assessment (Incorrect):
Posture assessment in Cisco Identity Services Engine (ISE) evaluates the compliance of an endpoint (e.g., checking for updated antivirus or patches) to determine access privileges. While useful for security policy enforcement, it does not specifically trigger reauthentication when an endpoint is removed from an identity group. This process focuses on device health, not session revalidation, making this option incorrect. (Reference: Cisco ISE User Guide, Posture Assessment.)

B. CoA (Correct):
Change of Authorization (CoA) in Cisco ISE allows dynamic updates to an endpoint’s session, such as reauthentication or policy reapplication, when its attributes change (e.g., removal from an identity group). Configuring CoA ensures that when an endpoint is deleted from a group, ISE can issue a CoA request to the network device, forcing the endpoint to reauthenticate and apply new policies. (Reference: Cisco ISE Admin Guide, CoA Configuration.)

C. external identity source (Incorrect):
An external identity source (e.g., Active Directory, LDAP) integrates ISE with external directories to authenticate users or devices. While it provides identity data, including group membership, it does not inherently enforce reauthentication when an endpoint is removed from a group. This requires an additional mechanism like CoA to trigger session updates, making this option insufficient alone. (Reference: Cisco ISE Deployment Guide, Identity Sources.)

D. SNMP probe (Incorrect):
An SNMP probe in ISE collects device information (e.g., IP, MAC) for profiling and monitoring but does not enforce reauthentication. It supports endpoint identification, not dynamic session management like reauthentication after group deletion. This passive data collection lacks the active policy enforcement needed, rendering this option incorrect for the scenario. (Reference: Cisco ISE Profiler Guide, SNMP Probe.)

Additional Notes:
CoA is a critical feature in the 350-701 SCOR exam under ISE and endpoint security, enabling dynamic policy enforcement. As of 04:14 PM PKT, October 01, 2025, this remains a best practice for managing endpoint sessions. For details, consult the Cisco ISE Administration Guide (cisco.com, under ISE documentation) and the 350-701 Exam Blueprint (Section 2.0 Endpoint Security).

Which product allows Cisco FMC to push security intelligence observable to its sensors from other products?

A. Encrypted Traffic Analytics

B. Threat Intelligence Director

C. Cognitive Threat Analytics

D. Cisco Talos Intelligence

B.   Threat Intelligence Director



How is DNS tunneling used to exfiltrate data out of a corporate network?

A. It corrupts DNS servers by replacing the actual IP address with a rogue address to collect information or start other attacks.

B. It encodes the payload with random characters that are broken into short strings and the DNS server rebuilds the exfiltrated data.

C. It redirects DNS requests to a malicious server used to steal user credentials, which allows further damage and theft on the network.

D. It leverages the DNS server by permitting recursive lookups to spread the attack to other DNS servers

B.   It encodes the payload with random characters that are broken into short strings and the DNS server rebuilds the exfiltrated data.

Explanation for Each Option:

A. It corrupts DNS servers by replacing the actual IP address with a rogue address to collect information or start other attacks (Incorrect):
This describes a DNS poisoning or spoofing attack, where a rogue IP address is inserted to redirect traffic. While this can facilitate data theft, it is not the mechanism of DNS tunneling, which involves embedding data within DNS queries, making this option incorrect. (Reference: Cisco DNS Security Best Practices, Spoofing.)

B. It encodes the payload with random characters that are broken into short strings and the DNS server rebuilds the exfiltrated data (Correct):
DNS tunneling exfiltrates data by encoding the payload (e.g., stolen data) into DNS query names (e.g., subdomains), breaking it into short strings to fit DNS protocol limits. A malicious DNS server or command-and-control (C2) system reassembles the data, enabling covert data exfiltration from the corporate network. (Reference: Cisco Secure Firewall DNS Inspection Guide, Tunneling Detection.)

C. It redirects DNS requests to a malicious server used to steal user credentials, which allows further damage and theft on the network (Incorrect):
Redirecting DNS requests to a malicious server aligns with phishing or credential theft attacks, not DNS tunneling. Tunneling focuses on data exfiltration via encoded queries, not credential redirection, rendering this option incorrect for the specific technique. (Reference: Cisco Umbrella Threat Intelligence, Phishing.)

D. It leverages the DNS server by permitting recursive lookups to spread the attack to other DNS servers (Incorrect):
Permitting recursive lookups is a DNS server configuration issue that can be exploited for amplification attacks (e.g., DDoS), not data exfiltration via tunneling. DNS tunneling does not rely on spreading to other servers but on encoding data in queries to a single C2 server, making this option wrong. (Reference: Cisco DNS Security, Recursive Lookup Risks.)

Additional Notes:
Understanding DNS tunneling for exfiltration is a key topic in the 350-701 SCOR exam under content security. As of 11:38 AM PKT, October 03, 2025, it remains a sophisticated threat.
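
The pattern described in option B (payload encoded into many short, random-looking labels under one domain) is also what a defender looks for in resolver logs. The following is an added example, not part of the original page: the function names, thresholds, and the `.example` query names are assumptions, and the sample queries are constructed.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(s):
    """Bits per character of s; encoded payloads score higher than hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname, zone_labels=2):
    """Split a query name into (subdomain part, parent zone).
    Assumption: the zone is the last `zone_labels` labels; production code
    should consult a public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def score_queries(qnames, min_len=30, min_entropy=3.8, min_unique=5):
    """Return {zone: count} for zones that received at least `min_unique`
    distinct subdomains that are both long and high-entropy."""
    per_zone = defaultdict(set)
    for q in qnames:
        sub, zone = split_name(q)
        if sub:
            per_zone[zone].add(sub)
    flagged = {}
    for zone, subs in per_zone.items():
        hits = [s for s in subs
                if len(s) >= min_len
                and shannon_entropy(s.replace(".", "")) >= min_entropy]
        if len(hits) >= min_unique:
            flagged[zone] = len(hits)
    return flagged


def constructed_tunnel_names(count, zone="tunnel.example"):
    """Constructed sample data: hash digests stand in for encoded chunks."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"sample-{i}".encode()).digest()
        label = base64.b32encode(digest).decode().rstrip("=").lower()
        names.append(f"{label}.{zone}")  # 52-char label, under the 63-byte limit
    return names


# Constructed log extract: ordinary lookups, one long readable name, and a
# burst of long random-looking names under a single zone.
SAMPLE_QUERIES = [
    "www.corp.example", "mail.corp.example", "intranet.corp.example",
    "vpn.corp.example", "autodiscover.corp.example", "files.corp.example",
    "quarterly-marketing-campaign-landing-page-2025.shop.example",
] + constructed_tunnel_names(8)

if __name__ == "__main__":
    for zone, n in score_queries(SAMPLE_QUERIES).items():
        print(f"{zone}: {n} long high-entropy subdomains")
```

Requiring several distinct suspicious subdomains per zone keeps a single long but legitimate hostname from raising an alert.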

A network engineer has been tasked with adding a new medical device to the network. Cisco ISE is being used as the NAC server, and the new device does not have a supplicant available. What must be done in order to securely connect this device to the network?

A. Use MAB with profiling

B. Use MAB with posture assessment

C. Use 802.1X with posture assessment

D. Use 802.1X with profiling

A.   Use MAB with profiling

Explanation for Each Option:

A. Use MAB with profiling (Correct):
Since the medical device lacks a supplicant, 802.1X authentication is not feasible. MAC Authentication Bypass (MAB) allows devices to be authenticated based on their MAC address, and profiling in Cisco ISE can identify the device type (e.g., medical device) to apply appropriate policies. This ensures secure connectivity by matching the device to a predefined profile, meeting the requirement. (Reference: Cisco ISE User Guide, MAB and Profiling.)

B. Use MAB with posture assessment (Incorrect):
Posture assessment in Cisco ISE evaluates a device’s compliance (e.g., patch levels, antivirus status), requiring an agent or supplicant to report this data. Without a supplicant on the medical device, posture assessment cannot be performed, making this option impractical despite MAB’s applicability, rendering it incorrect for the scenario. (Reference: Cisco ISE Posture Assessment Guide.)

C. Use 802.1X with posture assessment (Incorrect):
802.1X requires a supplicant on the device to perform authentication using credentials or certificates, which the medical device lacks. Additionally, posture assessment needs an agent, further unsupported without a supplicant. This combination is unfeasible, making it an incorrect solution for securely connecting the device. (Reference: Cisco ISE 802.1X Configuration Guide.)

D. Use 802.1X with profiling (Incorrect):
Similar to option C, 802.1X relies on a supplicant for authentication, which the medical device does not have. Profiling can identify device types, but without 802.1X support, authentication fails. This approach does not meet the secure connectivity requirement, making it incorrect for the given context. (Reference: Cisco ISE Profiling and 802.1X Integration.)

Additional Notes:
Securing IoT devices like medical equipment with MAB and profiling is a key topic in the 350-701 SCOR exam under endpoint security. As of 09:45 AM PKT, October 02, 2025, this is a standard practice for NAC. For details, refer to the Cisco ISE Administration Guide (cisco.com) and the 350-701 Exam Blueprint (Section 2.0 Endpoint Security).

An engineer is configuring a Cisco ESA and wants to control whether to accept or reject email messages to a recipient address. Which list contains the allowed recipient addresses?

A. SAT

B. HAT

C. BAT

D. RAT

D.   RAT

Explanation
The Cisco Email Security Appliance (ESA) uses several key tables (often referred to by their acronyms) to control different aspects of mail flow. The question specifically asks about controlling the acceptance or rejection of emails based on the recipient address.

D. RAT (Recipient Access Table):
This is the correct list. The RAT is used to define policies for incoming emails based on the recipient's email address. It allows an administrator to explicitly Accept or Reject messages destined for specific recipients or domains. For example, you can use the RAT to reject all mail for former employees or accept mail only for valid, existing mailboxes.

Why the other options are incorrect:

A. SAT (Sender Access Table):
This table is used to control mail flow based on the sender's email address or domain. It is used for policies like whitelisting or blacklisting senders.

B. HAT (Host Access Table):
This is one of the first tables used during an SMTP connection. It controls mail flow based on the IP address of the connecting host (the sending mail server). It is used for IP-based whitelisting, blacklisting, and rate limiting.

C. BAT (Branded Anti-Spam Table):
This is not a standard table in the ESA's mail flow policies. "BAT" is not a recognized acronym for a core access table in this context.

Reference:
This is a fundamental concept in Cisco ESA administration. The Cisco Email Security Appliance User Guide (AsyncOS) clearly defines the purpose of each table:

Recipient Access Table (RAT):
"Use the RAT to accept or reject messages based on the envelope recipient."

Sender Access Table (SAT):
"Use the Sender Access Table (SAT) to accept or reject messages based on the envelope sender."

Host Access Table (HAT):
"Use the HAT to define the policies that are applied to the hosts (IP addresses) from which the appliance receives connections."

Therefore, to control access based on the recipient address, you must configure the RAT.
