[May-2026] Cisco 350-701 Actual Questions and Braindumps [Q250-Q267]

Share

[May-2026] Cisco 350-701 Actual Questions and Braindumps

Pass 350-701 Exam with Updated 350-701 Exam Dumps PDF 2026


Exam Topics

The candidates for the Cisco 350-701 exam are required to develop a good comprehension of the topics covered in its content before attempting the test. The detailed outline of knowledge and skills measured in the exam can be downloaded from the official website. A brief description of the domains of the 350-701 certification test is provided below:

Security Concepts – 25%

  • Comparing the site-to-site VPN as well as remote access VPN deployment kinds, including IPsec, sVTI, Cryptomap, FLEXVPN, DMVPN, etc;
  • Explaining the most common threats against the Cloud as well as on-premises environments;
  • Describing the function of the endpoint in the protection of humans from phishing & social engineering attacks;
  • Describing the functionality of the cryptography elements, such as encryption, hashing, NAT-T IPv4 for IPsec, SSL, PKI, IPsec, pre-shared key & certificate-based authorization;
  • Explaining security intelligence consumption, sharing, and authoring;

 

NEW QUESTION # 250
Which algorithm is an NGE hash function?

  • A. SHA-1
  • B. SISHA-2
  • C. MD5
  • D. HMAC

Answer: B


NEW QUESTION # 251
A mall provides security services to customers with a shared appliance. The mall wants separation of management on the shared appliance. Which ASA deployment mode meets these needs?

  • A. multiple zone mode
  • B. transparent mode
  • C. routed mode
  • D. multiple context mode

Answer: D

Explanation:
Multiple context mode allows you to partition a single ASA into multiple virtual firewalls, each with its own security policy, interfaces, and management IP address. This mode is useful for providing security services to different customers or tenants on a shared appliance, while maintaining separation of management and configuration. Each context acts as an independent device and can be in either routed or transparent mode.
You can also assign different administrators to each context and limit their access to specific commands and features. Multiple context mode is supported in Cisco ACI with the ASA device package version 1.2 or later. References:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Service_Graph_Deployment_
https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/intro-fw.h


NEW QUESTION # 252
Drag and drop the descriptions from the left onto the encryption algorithms on the right.

Answer:

Explanation:

Explanation


NEW QUESTION # 253
An engineer notices traffic interruption on the network. Upon further investigation, it is learned that broadcast packets have been flooding the network. What must be configured, based on a predefined threshold, to address this issue?

  • A. embedded event monitoring
  • B. Bridge Protocol Data Unit guard
  • C. storm control
  • D. access control lists

Answer: C

Explanation:
Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in network configurations, or users issuing a denial-of-service attack can cause a storm.
By using the "storm-control broadcast level [falling-threshold]" we can limit the broadcast traffic on the switch.


NEW QUESTION # 254
What is a feature of the open platform capabilities of Cisco DNA Center?

  • A. domain integration
  • B. intent-based APIs
  • C. automation adapters
  • D. application adapters

Answer: B


NEW QUESTION # 255
Drag and drop the exploits from the left onto the type of security vulnerability on the right.

Answer:

Explanation:


NEW QUESTION # 256
Which attack is preventable by Cisco ESA but not by the Cisco WSA?

  • A. DoS
  • B. buffer overflow
  • C. SQL injection
  • D. phishing

Answer: D

Explanation:
Reference:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5/user_guide/b_ESA_Admin_Guide_13-5/m_advance


NEW QUESTION # 257
Which risk is created when using an Internet browser to access cloud-based service?

  • A. vulnerabilities within protocol
  • B. misconfiguration of infrastructure, which allows unauthorized access
  • C. intermittent connection to the cloud connectors
  • D. insecure implementation of API

Answer: D


NEW QUESTION # 258
An administrator is establishing a new site-to-site VPN connection on a Cisco IOS router. The organization needs to ensure that the ISAKMP key on the hub is used only for terminating traffic from the IP address of
172.19.20.24. Which command on the hub will allow the administrator to accomplish this?

  • A. crypto isakmp identity address 172.19.20.24
  • B. crypto ca identity 172.19.20.24
  • C. crypto enrollment peer address 172.19.20.24
  • D. crypto isakmp key Cisco0123456789 172.19.20.24

Answer: D

Explanation:
The command "crypto isakmp identity address 172.19.20.24" is not valid. We can only use "crypto isakmp identity {address | hostname}. The following example uses preshared keys at two peers and sets both their ISAKMP identities to the IP address.
At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified:
crypto isakmp identity address
crypto isakmp key sharedkeystring address 192.168.1.33
At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified:
crypto isakmp identity address
crypto isakmp key sharedkeystring address 10.0.0.1
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-crc4.
html#wp3880782430The command "crypto enrollment peer address" is not valid either.The command
"crypto ca identity ..." is only used to declare a trusted CA for the router and puts you in the caidentity configuration mode. Also it should be followed by a name, not an IP address. For example: "crypto caidentity CA-Server" -> Answer A is not correct.Only answer B is the best choice left.


NEW QUESTION # 259
How does the Cisco WSA enforce bandwidth restrictions for web applications?

  • A. It implements a policy route to redirect application traffic to a lower-bandwidth link.
  • B. It simulates a slower link by introducing latency into application traffic.
  • C. It sends commands to the uplink router to apply traffic policing to the application traffic.
  • D. It dynamically creates a scavenger class QoS policy and applies it to each client that connects through the WSA.

Answer: B

Explanation:
The Cisco WSA can enforce bandwidth restrictions for web applications by using the Application Visibility and Control (AVC) engine. The AVC engine allows the WSA to identify and control application activity on the network, and to apply bandwidth limits to certain application types or individual applications. The WSA dynamically creates a scavenger class QoS policy and applies it to each client that connects through the WSA.
The scavenger class QoS policy assigns a low priority to the application traffic and limits the bandwidth usage based on the configured settings. This way, the WSA can prevent congestion and ensure fair allocation of bandwidth among different applications and users. References:
* User Guide for AsyncOS 11.8 for Cisco Web Security Appliances - GD (General Deployment) - Managing Access to Web Applications
* WSA - limit bandwidth - Cisco Community


NEW QUESTION # 260
Refer to the exhibit.

What does the API do when connected to a Cisco security appliance?

  • A. get the process and PID information from the computers in the network
  • B. gather the network interface information about the computers AMP sees
  • C. gather network telemetry information from AMP for endpoints
  • D. create an SNMP pull mechanism for managing AMP

Answer: B

Explanation:
The call to API of "https://api.amp.cisco.com/v1/computers" allows us to fetch list of computers across your organization that Advanced Malware Protection (AMP) sees. Reference: https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1% 2Fcomputers&api_host=api.apjc.amp.cisco.com&api_resource=Computer&api_version=v1 Reference:
The call to API of "https://api.amp.cisco.com/v1/computers" allows us to fetch list of computers across your organization that Advanced Malware Protection (AMP) sees. Reference: https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1% 2Fcomputers&api_host=api.apjc.amp.cisco.com&api_resource=Computer&api_version=v1


NEW QUESTION # 261
Drag and drop the descriptions from the left onto the correct protocol versions on the right.

Answer:

Explanation:


NEW QUESTION # 262
Which two deployment modes does the Cisco ASA FirePower module support? (Choose two)

  • A. transparent mode
  • B. inline mode
  • C. routed mode
  • D. active mode
  • E. passive monitor-only mode

Answer: B,D

Explanation:
Explanation You can configure your ASA FirePOWER module using one of the following deployment models: You can configure your ASA FirePOWER module in either an inline or a monitor-only (inline tap or passive) deployment. Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/firewall/asa-firewall-asdm/ modules-sfr.html You can configure your ASA FirePOWER module using one of the following deployment models:
You can configure your ASA FirePOWER module in either an inline or a monitor-only (inline tap or passive) deployment.
Reference:
Explanation You can configure your ASA FirePOWER module using one of the following deployment models: You can configure your ASA FirePOWER module in either an inline or a monitor-only (inline tap or passive) deployment. Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/firewall/asa-firewall-asdm/ modules-sfr.html


NEW QUESTION # 263
Which risk is created when using an Internet browser to access cloud-based service?

  • A. misconfiguration of Infra, which allows unauthorized access
  • B. vulnerabilities within protocol
  • C. intermittent connection to the cloud connectors
  • D. insecure implementation of API

Answer: D


NEW QUESTION # 264
An engineer recently completed the system setup on a Cisco WSA Which URL information does the system send to SensorBase Network servers?

  • A. complete URL,without obfuscating the path segments
  • B. URL information collected from clients that connect to the Cisco WSA using Cisco AnyConnect
  • C. Summarized server-name information and MD5-hashed path information
  • D. none because SensorBase Network Participation is disabled by default

Answer: C

Explanation:
The Cisco WSA can participate in the Cisco SensorBase Network, which is a threat management database that collects and shares data from Cisco security products. By participating in the SensorBase Network, the WSA can receive web reputation scores and URL categories for the requested web content, and also contribute data to improve the accuracy and efficacy of the service. The data that the WSA sends to the SensorBase Network servers includes information about request attributes and how the appliance handles requests. However, to protect the privacy and confidentiality of the users and the organization, the WSA does not send the complete URL, but only the summarized server-name information and the MD5-hashed path information. The MD5 hash is a one-way encryption algorithm that converts the path information into a fixed- length string that cannot be reversed. This way, the SensorBase Network can identify the URL without revealing the actual content or parameters of the request. The WSA also does not send any personal or confidential information such as usernames and passwords, or any information about HTTPS transactions, except for the IP address, web reputation score, and URL category of the server name in the certificate. The SensorBase Network Participation is enabled by default, but it can be disabled by the administrator if desired123. References: 3: Web Base Network Participation (WBNP) and Sender Base Network Participation (SBNP) - Cisco 2: User Guide for AsyncOS 15.0 for Cisco Secure Web Appliance - GD (General Deployment) - Introduction 1: User Guide for AsyncOS 12.0 for Cisco Web Security Appliances - GD (General Deployment) - Introduction


NEW QUESTION # 265
Which group within Cisco writes and publishes a weekly newsletter to help cybersecurity professionals remain aware of the ongoing and most prevalent threats?

  • A. Talos
  • B. CSIRT
  • C. DEVNET
  • D. PSIRT

Answer: A

Explanation:
Reference:
https://talosintelligence.com/


NEW QUESTION # 266
Refer to the exhibit.

What does the API key do while working with https://api.amp.cisco.com/v1/computers?

  • A. HTTP authentication
  • B. Imports requests
  • C. HTTP authorization
  • D. displays client ID

Answer: B


NEW QUESTION # 267
......

Latest 350-701 Pass Guaranteed Exam Dumps with Accurate & Updated Questions: https://pass4sure.trainingquiz.com/350-701-training-materials.html