  • 721 Questions
  • Updated on: 25-May-2026
  • Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)


Topic 1: Exam Pool A

Which two features are used to configure Cisco ESA with a multilayer approach to fight viruses and malware? (Choose two)

A. Sophos engine

B. white list

C. RAT

D. outbreak filters

E. DLP

A.   Sophos engine
D.   outbreak filters

Explanation for Each Option:

A. Sophos engine (Correct):
The Sophos engine is an integrated antivirus scanning component in Cisco ESA that performs multilayer malware detection using signature-based analysis and heuristic scanning. It examines email attachments and content at multiple stages to identify and block viruses, contributing to a comprehensive defense approach. (Reference: Cisco ESA Antivirus Configuration Guide, Sophos Engine.)

B. white list (Incorrect):
A white list allows known safe senders or content to bypass scanning, which is a filtering mechanism but not a multilayer approach to fight viruses and malware. It focuses on allowing rather than detecting threats, making it unsuitable for proactive virus defense. (Reference: Cisco ESA Mail Policies Guide, White Listing.)

C. RAT (Incorrect):
RAT (Remote Access Trojan) is a type of malware that provides unauthorized access, not a configuration feature in Cisco ESA. It is a threat to detect, not a tool for multilayer virus protection, rendering this option incorrect. (Reference: Cisco ESA Threat Detection Overview.)

D. outbreak filters (Correct):
Outbreak filters, powered by Cisco Talos threat intelligence, provide multilayer protection by scanning emails for emerging malware and viruses not yet in signature databases. They use reputation-based analysis and real-time updates to block suspicious content, enhancing the ESA's virus-fighting capabilities. (Reference: Cisco ESA Outbreak Filters Guide.)

E. DLP (Incorrect):
Data Loss Prevention (DLP) focuses on preventing sensitive data exfiltration, not on detecting or fighting viruses and malware. While it adds security, it is not part of the multilayer antivirus approach, making this option incorrect. (Reference: Cisco ESA DLP Configuration.)

Additional Notes:
Configuring multilayer protection in Cisco ESA is a key topic in the 350-701 SCOR exam under content security. As of 5:00 PM PKT, October 03, 2025, Sophos and outbreak filters are essential.

Which Cisco platform ensures that machines that connect to organizational networks have the recommended antivirus definitions and patches to help prevent an organizational malware outbreak?

A. Cisco WiSM

B. Cisco ESA

C. Cisco ISE

D. Cisco Prime Infrastructure

C.   Cisco ISE

Explanation:
Cisco Identity Services Engine (ISE) is the central policy engine that enables Network Access Control (NAC). A core component of its functionality is Posture Assessment.

Let's break down why ISE is the correct answer and the role of the other platforms:

C) Cisco ISE is CORRECT.
Cisco ISE's Posture Service is specifically designed to check the state (or "health") of an endpoint before allowing it onto the network. It can verify:

The presence, version, and status of antivirus/antimalware software.

Whether the latest antivirus signatures are installed.

The presence of specific operating system security patches and hotfixes.

The status of the host firewall.

Based on this check, ISE can enforce a policy. For example, it can grant full access to compliant devices, but place non-compliant devices into a quarantined VLAN where they can only access patch servers until they meet the security requirements. This directly prevents vulnerable machines from connecting and causing a malware outbreak.

Why the other options are incorrect:

A) Cisco WiSM is INCORRECT.
Cisco WiSM (Wireless Services Module) was a hardware module for Catalyst switches that hosted wireless controllers. It is an obsolete product related to wireless LAN management, not endpoint compliance.

B) Cisco ESA is INCORRECT.
Cisco ESA (Email Security Appliance) is a gateway that scans incoming and outgoing emails for spam, malware, and phishing attacks. It protects the email vector but does not check the compliance state of endpoints already inside the network.

D) Cisco Prime Infrastructure is INCORRECT.
Cisco Prime Infrastructure is a network management tool. It is used for provisioning, monitoring, and troubleshooting network devices (routers, switches, WLCs). While it can provide visibility into what devices are connected, it does not have the capability to perform a posture check on an endpoint to verify its antivirus status or patch level.

Reference:
Cisco ISE Administrator Guide, "About Posture Service": The official documentation defines the Posture service as the component that "assesses the state of an endpoint to determine whether it is compliant with the policies that you define," explicitly listing checks for antivirus and patch levels.

Cisco SCOR 350-701 Exam Objectives: The blueprint covers Secure Network Access using Cisco ISE, with posture being a key technology for ensuring endpoint compliance.

In which two ways does a system administrator send web traffic transparently to the Web Security Appliance? (Choose two)

A. configure Active Directory Group Policies to push proxy settings

B. configure policy-based routing on the network infrastructure

C. reference a Proxy Auto Config file

D. configure the proxy IP address in the web-browser settings

E. use Web Cache Communication Protocol

B.   configure policy-based routing on the network infrastructure
E.   use Web Cache Communication Protocol

Explanation:
"Transparent" redirection means that end-users do not need to configure any proxy settings in their web browsers. The redirection happens at the network level, invisible to the user.

B) configure policy-based routing on the network infrastructure is CORRECT.
Policy-Based Routing (PBR) allows a network administrator to define routing policies that override the normal routing table. A router or layer 3 switch can be configured with a PBR rule that matches web traffic (e.g., TCP port 80/443) and forwards it to the WSA's IP address instead of sending it directly to its destination.

E) use Web Cache Communication Protocol is CORRECT.
WCCP (Web Cache Communication Protocol) is a Cisco-developed protocol specifically designed for transparently redirecting traffic. A network device (like a router) running WCCP (the "client") forms a relationship with the WSA (the "server"). The network device then intercepts web traffic and transparently forwards it to the WSA for filtering and scanning.

Why the other options are incorrect:

A) configure Active Directory Group Policies to push proxy settings is INCORRECT.
This is an explicit proxy deployment method, not a transparent one. The client is explicitly told to send its web traffic to the proxy (WSA) by its configuration.

C) reference a Proxy Auto Config file is INCORRECT.
A PAC file is also a form of explicit proxy configuration. The browser is given a script (the PAC file) that tells it when to use a proxy and when to connect directly.

D) configure the proxy IP address in the web-browser settings is INCORRECT.
This is the most basic form of explicit proxy configuration. The user or administrator manually enters the proxy server's details into the browser's connection settings.

Summary:
Transparent Redirection: WCCP, PBR. The user is unaware.

Explicit Proxy: Browser settings, PAC files, Group Policy. The client is configured to use the proxy.

Reference:
Cisco WSA Deployment Guide, "Transparent Redirection": The official documentation details both WCCP and PBR as the primary methods for deploying the WSA in a transparent mode.

What is a benefit of conducting device compliance checks?

A. It indicates what type of operating system is connecting to the network.

B. It validates if anti-virus software is installed

C. It scans endpoints to determine if malicious activity is taking place

D. It detects email phishing attacks.

B.   It validates if anti-virus software is installed



Which type of algorithm provides the highest level of protection against brute-force attacks?

A. PFS

B. HMAC

C. MD5

D. SHA

D.   SHA



What is a difference between FlexVPN and DMVPN?

A. DMVPN uses IKEv1 or IKEv2, FlexVPN only uses IKEv1

B. DMVPN uses only IKEv1, FlexVPN uses only IKEv2

C. FlexVPN uses IKEv2, DMVPN uses IKEv1 or IKEv2

D. FlexVPN uses IKEv1 or IKEv2, DMVPN uses only IKEv2

C.   FlexVPN uses IKEv2, DMVPN uses IKEv1 or IKEv2



Correct Answer: C. FlexVPN uses IKEv2, DMVPN uses IKEv1 or IKEv2

This is correct because:
FlexVPN is an IKEv2-only architecture. Its very design and feature set (like stateful failover, client mobility, and simplified configuration) are built directly on top of IKEv2's improvements and new payloads. It is a modern solution that mandates IKEv2.

DMVPN is a protocol-agnostic overlay. Its primary innovation is the use of the Next Hop Resolution Protocol (NHRP) to create dynamic multipoint GRE tunnels. The encryption (IPsec) for these tunnels can be established using the more traditional and widely deployed IKEv1 or the more modern IKEv2.

Detailed Breakdown of Incorrect Options

A. DMVPN uses IKEv1 or IKEv2, FlexVPN only uses IKEv1
This option is incorrect because it reverses the IKEv2 dependency.

Why "DMVPN uses IKEv1 or IKEv2" is correct:
As explained above, this part of the statement is true. DMVPN was originally deployed with IKEv1 and is still commonly used that way. However, Cisco has fully supported and documented DMVPN Phase 3 configurations using IKEv2, leveraging its benefits like better reliability and built-in dead peer detection (DPD).

Why "FlexVPN only uses IKEv1" is catastrophically wrong:
This is the core error. FlexVPN was introduced after IKEv2 was standardized (RFC 5996) and was designed specifically to leverage its advantages. Using IKEv1 with FlexVPN is not just unsupported; it's technically impossible because the FlexVPN configuration commands on Cisco IOS/IOS-XE (e.g., ikev2 profile, ikev2 authorization policy) are exclusive to the IKEv2 protocol stack. FlexVPN would simply not function with IKEv1.

In a Nutshell:
This option takes a true fact about DMVPN and pairs it with a completely inverted and false fact about FlexVPN.

B. DMVPN uses only IKEv1, FlexVPN uses only IKEv2
This option is half-right and half-wrong.

Why "DMVPN uses only IKEv1" is incorrect:
This is an absolute statement ("only") that is false. While IKEv1 was the dominant and initially the only option for many years, DMVPN evolved. Cisco explicitly supports and provides configuration guides for DMVPN with IKEv2. The ability to use IKEv2 provides benefits such as:

MOBIKE Support:
Allows a mobile client to change its IP address (e.g., moving from Wi-Fi to cellular) without tearing down the IPsec tunnel.

Improved Reliability:
IKEv2 has more robust built-in mechanisms for dead peer detection and session resumption.

Simplified NAT Traversal:
IKEv2 handles NAT-T more seamlessly.

Denying that DMVPN can use IKEv2 ignores the last decade of its development and real-world deployments.

Why "FlexVPN uses only IKEv2" is correct: This part is 100% accurate, as previously established. FlexVPN is an IKEv2-native technology.

In a Nutshell:
This option fails because it incorrectly imposes an absolute limitation on DMVPN that does not exist in reality.

D. FlexVPN uses IKEv1 or IKEv2, DMVPN uses only IKEv2
This option is almost entirely backwards.

Why "FlexVPN uses IKEv1 or IKEv2" is incorrect:
This suggests FlexVPN is as flexible as DMVPN regarding the IKE protocol version, which it is not. There is no "IKEv1 profile" or equivalent configuration for a FlexVPN setup. The entire FlexVPN paradigm—from the initial handshake to the advanced features like server-led rekeying and stateful switchover—is dependent on IKEv2-specific exchanges and payloads.

Why "DMVPN uses only IKEv2" is incorrect:
This is the opposite of the truth. While using IKEv2 with DMVPN is a best practice for new deployments, the vast majority of existing DMVPN deployments in the world, and a huge body of historical documentation and training, are based on IKEv1. To claim DMVPN only uses IKEv2 would render a massive number of production networks "non-standard," which is not the case. DMVPN's design is separate from the IKE version used to secure it.

In a Nutshell:
This option completely swaps the characteristics of the two technologies. It assigns FlexVPN's flexibility to DMVPN and DMVPN's IKEv2 capability to FlexVPN.

Exam Tip and Conceptual Takeaway

For the exam, remember this simple analogy:
DMVPN is like a "Framework." It defines how spokes discover each other (NHRP) and how traffic flows (mGRE). You can secure this framework with different "locks"—either the older, reliable lock (IKEv1) or the newer, smarter lock (IKEv2).

FlexVPN is like a "Pre-built Secure Vault." The vault and the lock (IKEv2) are manufactured as a single, integrated system. You cannot take the old lock (IKEv1) and put it on this new vault; it's designed to work only with its native, modern lock.

When configuring ISAKMP for IKEv1 Phase 1 on a Cisco IOS router, an administrator needs to input the command crypto isakmp key cisco address 0.0.0.0. The administrator is not sure what the IP addressing in this command is used for. What would be the effect of changing the IP address from 0.0.0.0 to 1.2.3.4?

A. The key server that is managing the keys for the connection will be at 1.2.3.4

B. The remote connection will only be allowed from 1.2.3.4

C. The address that will be used as the crypto validation authority

D. All IP addresses other than 1.2.3.4 will be allowed

B.   The remote connection will only be allowed from 1.2.3.4



Explanation for Each Option:

A. The key server that is managing the keys for the connection will be at 1.2.3.4 (Incorrect):
The crypto isakmp key command configures a pre-shared key for IKE authentication, not for designating a key server. Key servers are handled separately in scenarios like GETVPN with commands like crypto gdoi. Changing the address specifies the peer IP for key association, not a key management server role. This option misinterprets the command's purpose in ISAKMP policy. (Reference: Cisco IOS Security Configuration Guide, ISAKMP Pre-Shared Keys section.)

B. The remote connection will only be allowed from 1.2.3.4 (Correct):
The crypto isakmp key address command ties the pre-shared key to a specific peer IP for IKEv1 Phase 1 authentication. Using 0.0.0.0 allows any peer; changing to 1.2.3.4 restricts the key "cisco" to only initiate or respond to VPN tunnels from that exact IP address, enhancing security by limiting peer access. This is standard for peer-specific key configuration on Cisco IOS routers. (Reference: Cisco IOS IPsec Configuration Guide, Configuring ISAKMP Policies and Keys.)

C. The address that will be used as the crypto validation authority (Incorrect):
There is no concept of a "crypto validation authority" in ISAKMP configuration. This command deals with pre-shared keys for peer authentication during IKE negotiation, not certificate authorities or validation entities. Certificate-based auth uses crypto ca commands. Altering the address simply scopes the key to a peer IP, not validation roles. (Reference: Cisco 350-701 SCOR Exam Topics - VPN Technologies; IOS Security Commands Reference.)

D. All IP addresses other than 1.2.3.4 will be allowed (Incorrect):
This inverts the command's behavior. Specifying a particular IP like 1.2.3.4 restricts the pre-shared key to that peer only, denying others using the same key. Using 0.0.0.0 would allow all, but changing to a specific IP enforces strict peer matching for security, preventing unauthorized connections. This option incorrectly describes the restrictive effect. (Reference: Cisco VPN Configuration Guide, IKE Pre-Shared Key Restrictions.)

Additional Notes:
In Cisco IOS, the crypto isakmp key command is crucial for IKEv1 VPN setups, covered in the 350-701 SCOR exam under Secure VPN technologies. 0.0.0.0 is often used for dynamic peers (e.g., road warriors), while specific IPs suit site-to-site. For details, refer to Cisco's IOS Security Configuration Guide (cisco.com, search "crypto isakmp key") and the 350-701 Exam Blueprint (Section 3.0 Security Concepts). Best practice: Use specific IPs for better security.
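The peer scoping explained above, as an added audit sketch (not from the original page or from Cisco documentation): it parses `crypto isakmp key ... address` lines from a constructed sample configuration and reports which peer addresses each pre-shared key is scoped to. The sample keys, the function names and the handling of a missing mask are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
crypto isakmp key EXAMPLE-SITE-KEY address 1.2.3.4
crypto isakmp key EXAMPLE-BRANCH-KEY address 10.20.0.0 255.255.0.0 no-xauth
"""

# crypto isakmp key [0|6] <keystring> address <peer-address> [mask] ...
PSK_RE = re.compile(
    r"^crypto isakmp key (?:[06] )?(?P<key>\S+) address "
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: (?P<mask>\d{1,3}(?:\.\d{1,3}){3}))?"
)


def parse_psk_scopes(config_text):
    """Return one dict per pre-shared key line: line number and peer scope."""
    scopes = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = PSK_RE.match(line.strip())
        if m is None:
            continue
        addr, mask = m.group("addr"), m.group("mask")
        if mask is None:
            # Assumption of this model: no mask means "any peer" for 0.0.0.0
            # and a single host otherwise, as the explanation above describes.
            mask = "0.0.0.0" if addr == "0.0.0.0" else "255.255.255.255"
        prefixlen = bin(int(ipaddress.IPv4Address(mask))).count("1")
        scope = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        # The key string itself is deliberately not kept in the findings.
        scopes.append({"line": lineno, "scope": scope})
    return scopes


def scopes_matching(scopes, peer_ip):
    """Key scopes that a peer at peer_ip falls inside."""
    peer = ipaddress.ip_address(peer_ip)
    return [str(s["scope"]) for s in scopes if peer in s["scope"]]


def wildcard_key_lines(scopes):
    """Line numbers of keys that are not tied to any peer address."""
    return [s["line"] for s in scopes if s["scope"].prefixlen == 0]


if __name__ == "__main__":
    found = parse_psk_scopes(SAMPLE_CONFIG)
    for peer in ("1.2.3.4", "10.20.5.9", "203.0.113.7"):
        print(peer, "->", scopes_matching(found, peer))
    print("wildcard key lines:", wildcard_key_lines(found))
```

With the wildcard line present, every peer address falls inside at least one key scope; once it is replaced by `address 1.2.3.4`, only that peer matches.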

Which two features of Cisco Email Security can protect your organization against email threats? (Choose two)

A. Time-based one-time passwords

B. Data loss prevention

C. Heuristic-based filtering

D. Geolocation-based filtering

E. NetFlow

B.   Data loss prevention
D.   Geolocation-based filtering



https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-0/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_00.html

Drag and drop the VPN functions from the left onto the description on the right.


The purpose of message integrity algorithms, such as Secure Hash Algorithm (SHA-1), is to ensure data has not been changed in transit. They use one-way hash functions to determine if data has been changed. SHA-1, which is also known as HMAC-SHA-1, is a strong cryptographic hashing algorithm, stronger than another popular algorithm known as Message Digest 5 (MD5). SHA-1 is used to provide data integrity (to guarantee data has not been altered in transit) and authentication (to guarantee data came from the source it was supposed to come from). SHA was produced to be used with the digital signature standard.

A VPN uses groundbreaking 256-bit AES encryption technology to secure your online connection against cyberattacks that can compromise your security. It also offers robust protocols to combat malicious attacks and reinforce your online identity.

IKE SAs describe the security parameters between two IKE devices, the first stage in establishing IPSec.

Which risk is created when using an Internet browser to access cloud-based service?

A. misconfiguration of infrastructure, which allows unauthorized access

B. intermittent connection to the cloud connectors

C. vulnerabilities within protocol

D. insecure implementation of API

C.   vulnerabilities within protocol

Explanation
When you use an Internet browser to access a cloud-based service (like Salesforce, Office 365, or Cisco WebEx), the entire interaction is based on web protocols, primarily HTTP/HTTPS, along with TLS for encryption.

C. vulnerabilities within protocol:
This is the most direct and universal risk created by this specific action. The protocols themselves can have inherent vulnerabilities. For example:

Vulnerabilities in the TLS/SSL protocol (e.g., Heartbleed, POODLE) could compromise the encryption protecting your data in transit.

Weaknesses in the HTTP protocol itself or its implementations could be exploited.

The browser's interpretation and execution of these protocols can introduce risks. This option describes a fundamental risk category inherent to using the web as a platform.

Why the other options are incorrect:

A. misconfiguration of infrastructure, which allows unauthorized access:
This is a significant risk in the cloud, but it is a risk created by the cloud service provider or the organization's cloud administrators. It is not a direct risk created by the simple act of an end-user accessing the service via a browser. The user is a consumer of the infrastructure, not the one creating the misconfiguration risk.

B. intermittent connection to the cloud connectors:
This describes a reliability or performance issue, not a security risk. While an intermittent connection can be frustrating and impact availability, it does not directly create a security vulnerability like data theft or unauthorized access.

D. insecure implementation of API:
This is a very important risk in cloud security. However, when a user accesses a service through a standard web browser, they are typically interacting with a web application front-end. The browser consumes the APIs that the web front-end uses, but the risk of an "insecure implementation" lies with the cloud service provider's developers. The act of using the browser doesn't create this risk; it merely exposes the user to it if the provider's implementation is flawed. Option C is a broader and more fundamental category of risk that encompasses the communication channel itself.

Reference
This concept falls under the domain of cloud security and web application security. The risk associated with underlying protocols is a foundational concept.

OWASP Top 10: While not listing "protocol vulnerabilities" as a separate category, many issues (like A09:2021-Security Logging and Monitoring Failures) can be related to how protocols are handled.

Cloud Security Alliance (CSA) Guidance: Highlights threats related to data breaches and insecure interfaces/APIs, which are often exploited through protocol-level weaknesses.

General Web Security Principles: The entire security model of the web is built upon the integrity of protocols like HTTPS/TLS. A vulnerability in these protocols is a systemic risk for every user accessing any cloud service.

In summary, while all options represent potential issues in a cloud ecosystem, the risk that is most directly and universally created by the act of using a web browser is the exposure to vulnerabilities within the web protocols themselves.
