View 350-701 Exam Questions

Q: 1

[Security Concepts] What are two DDoS attack categories? (Choose two)

Options

Discussion

SteadyLead882 Feb 27, 2026 3:05 pm

Option A is correct. Only asymmetric encryption actually uses a separate public and private key pair, like RSA or ECC. Symmetric (B) always just has one secret shared between both sides. Pretty sure exam reports confirm this logic but open to debate if someone has seen it otherwise.

IvyJ Feb 14, 2026 11:54 pm

B/D. Both are actual DDoS attack types, not seeing any Cisco books mention sequential or screen-based.

Layla E. Feb 19, 2026 4:25 am

I think B and D, database is a distractor here since that's not a real DDoS attack category.

Ethan T. Feb 28, 2026 1:47 pm

Symmetric can't be called public key, only asymmetric uses public/private keys. A, not B.

Anita Feb 14, 2026 11:00 am

B. but isn't symmetric sometimes called public if both parties know the key?

Parker L. Feb 17, 2026 5:27 pm

B/D. Similar question came up in the official guide and practice test.

Sofia K. Feb 25, 2026 1:51 am

A is wrong, B and D. Only protocol and volume-based are real DDoS categories.

Reese Z. Feb 27, 2026 6:03 pm

Yeah, protocol and volume-based (B and D) are definitely real DDoS categories. Others like database or screen-based don't fit standard classifications. Pretty sure that's what Cisco wants here, let me know if you see it differently.

Sanjay F. Feb 18, 2026 10:56 pm

B and D tbh. Protocol and volume-based are actually recognized DDoS categories, unlike database which is just a decoy here. Saw similar on other practice sets, so pretty confident.

Neha X. Feb 25, 2026 8:55 pm

B. not C. Database isn't a DDoS category, protocol and volume-based are.

Be respectful. No spam.

Correct Answer:

B, D

Explanation

Distributed Denial of Service (DDoS) attacks are broadly classified into three main categories based on the network layer they target. Volume-based (or volumetric) attacks aim to consume all available bandwidth between the target and the internet. Protocol attacks focus on consuming the processing capacity of network infrastructure components like firewalls or load balancers by exploiting vulnerabilities in Layer 3 and Layer 4 protocols. The third category, not listed as an option, is application-layer attacks, which target specific application vulnerabilities.

Why Incorrect

A. sequential: This term describes a pattern or order of events, not a recognized category of DDoS attacks.

C. database: A database is a potential target of an application-layer DDoS attack, but it is not a fundamental attack category itself.

E. screen-based: This is not a standard term used in the classification of network security attacks like DDoS.

References

1. Cisco. (n.d.). What Is a Distributed Denial-of-Service (DDoS) Attack? Cisco. Retrieved from Cisco's public documentation. In the section "Common types of DDoS attacks

" the document explicitly lists the three main categories: "The most common types of DDoS attacks are: Volumetric attacks... Protocol attacks... Application layer attacks." This directly supports the selection of 'volume-based' and 'protocol' as correct categories.

2. Radware. (2013). DDoS Attack Types. In The Ultimate Guide to DDoS Attack Types

Motivations

and Mitigation Methods (p. 4). Radware Security. This document

often referenced in security curricula

outlines the three primary attack vectors: "Volume Based Attacks

" "Protocol Attacks

" and "Application Layer Attacks."

3. MIT OpenCourseWare. (2014). Lecture 15: Network Security & Denial of Service. In 6.858 Computer Systems Security

Fall 2014. Massachusetts Institute of Technology. The lecture notes discuss various DoS attacks that fall into the protocol (e.g.

SYN flooding) and volumetric (e.g.

amplification attacks) categories

establishing these as fundamental classifications in an academic context.

Q: 2

[Security Concepts] Which Cisco DNA Center Intent API action is used to retrieve the number of devices known to a DNA Center?

Options

Discussion

Leo L. Mar 4, 2026 2:21 am

Its B. Had something like this in a mock and the endpoint without '/count' gave device details as well as a total device number in the response payload. I think just calling the network-device endpoint gets you what you need. Might be missing a detail here but pretty sure that's how it went.

Leo K. Mar 4, 2026 1:47 pm

Nah, I don’t think it’s B. A is the only one with /network-device/count, which is how you get just the device count without all the details. B returns device info instead, easy to mix up here.

Avery T. Feb 17, 2026 4:37 am

A tbh, the "/network-device/count" endpoint is made just for getting the count, so B is a distractor here.

Meera Feb 27, 2026 5:25 pm

Call it A. The /count at the end specifically returns just the device count, not the full device objects. If you only want the number and nothing else, this is the more efficient API call. Correct me if I’m missing something.

Logan G. Mar 3, 2026 5:00 pm

I don’t think it’s B. A

Arjun G. Feb 26, 2026 2:44 am

B tbh, saw something like this in exam reports. The network-device endpoint usually gives info on all devices including the total count in the response, so you wouldn't need /count. Pretty sure about B but could be overthinking it.

Jamie Q. Mar 1, 2026 6:15 am

B not A

Jordan P. Feb 27, 2026 11:14 am

PreciseReviewer4091 Mar 2, 2026 1:11 pm

Why does Cisco love to confuse us with these almost-the-same endpoints? For just the number, it's A. That '/network-device/count' is straight from the API docs.

Priya L. Feb 28, 2026 4:56 pm

Just going off what I've seen, looks like A is the one for just getting the number.

Be respectful. No spam.

Q: 3

[Security Concepts] Which technology should be used to help prevent an attacker from stealing usernames and passwords of users within an organization?

Options

Discussion

Sofia I. Feb 24, 2026 1:38 pm

C or D? Seen people get tripped up by this, but IOS zone-based firewalls only let an interface be in one zone at a time. Option D matches what I remember from the config guides, not as flexible as some other firewalls. Correct me if I'm off here.

Adam N. Feb 25, 2026 9:09 am

Option D, Saw similar wording in practice, MFA is what actually stops attackers with stolen credentials from getting in.

Avery V. Mar 2, 2026 6:19 pm

Its D. MFA is what actually stops attackers from using stolen credentials, while C just tackles ARP spoofing which isn’t the core issue here. I think some might pick C by mistake but D matches the wording better. Agree?

Sean P. Feb 17, 2026 6:45 am

D imo. C is a classic trap since DAI is about ARP attacks but for preventing actual credential theft, MFA (D) fits better. Seen similar logic on exam reports.

Casey N. Feb 25, 2026 4:38 am

Its D, but if the scenario talked about network sniffing at L2, C would flip to correct.

Layla R. Feb 18, 2026 11:59 pm

C/D? C is tempting but it's actually D, since MFA directly addresses credential theft and not just ARP attacks.

Aaron U. Feb 25, 2026 7:48 am

I think C since Dynamic ARP Inspection helps block some credential theft by stopping ARP spoofing attacks.

Arjun A. Feb 17, 2026 8:49 pm

C or D? Dynamic ARP Inspection (C) protects against ARP spoofing, but that won't really stop stolen credentials. MFA (D) actually blocks the use of compromised passwords by requiring a second factor. I think D is more correct but open to another angle.

Mason O. Feb 24, 2026 7:10 am

Guessing D, had something like this in a mock. MFA is what stops stolen credentials from working. Anyone picked C here?

Anita S. Feb 15, 2026 7:01 am

I always thought C made sense since multiple zones might mean more flexibility.

Be respectful. No spam.

Correct Answer:

Explanation

Multifactor authentication (MFA) is an authentication method that requires the user to provide two

or more verification factors to gain access to a resource such as an application, online account, or a

VPN1. MFA is a core component of a strong identity and access management (IAM) policy. MFA can

help prevent an attacker from stealing usernames and passwords of users within an organization by

adding an extra layer of security beyond the traditional username and password. For example, a user

may need to enter a one-time code sent to their phone or email, scan their fingerprint, or use a

hardware token to prove their identity. This way, even if an attacker obtains the user’s credentials,

they cannot access the resource without the second factor2.

The other options are not technologies that can help prevent an attacker from stealing usernames

and passwords of users within an organization. RADIUS-based REAP is a protocol that allows wireless

clients to authenticate with a RADIUS server, but it does not provide MFA3. Fingerprinting is a

technique that identifies the operating system or application of a device based on its network

characteristics, but it does not provide MFA4. Dynamic ARP Inspection is a security feature that

prevents ARP spoofing attacks by validating ARP packets, but it does not provide MFA5.

Reference := 1: What is Multi-Factor Authentication (MFA)? |

OneLogin(https://www.onelogin.com/learn/what-is-mfa) 2: What is: Multifactor Authentication -

Microsoft Support(https://support.microsoft.com/en-us/topic/what-is-multifactor-authenticatione5e39437-121c-be60-d123-eda06bddf661) 3: Implementing and Operating Cisco Security Core

Technologies (SCOR) v1.0, Module 3: Securing the Network, Lesson 3.3: Secure Wireless Connectivity,

Topic 3.3.1: Wireless Security Protocols, page 3-40. 4: Implementing and Operating Cisco Security

Core Technologies (SCOR) v1.0, Module 2: Securing the Cloud, Lesson 2.2: Cloud Security

Assessment, Topic 2.2.1: Cloud Security Concepts, page 2-13. 5: Implementing and Operating Cisco

Security Core Technologies (SCOR) v1.0, Module 3: Securing the Network, Lesson 3.2: Secure

Network Access, Topic 3.2.2: Layer 2 Security Features, page 3-19.

Q: 4

[Security Concepts] Based on the NIST 800-145 guide, which cloud architecture is provisioned for exclusive use by a specific group of consumers from different organizations and may be owned, managed, and operated by one or more of those organizations?

Options

Discussion

PreciseTester9848 Feb 17, 2026 10:00 pm

Option C, seen this in official guide and practice test questions before.

Robin Q. Feb 20, 2026 5:31 pm

B , private cloud. "Exclusive use" makes me think of dedicated resources for one group, even if it's across orgs. Not sure if community is right here but open to being corrected.

Ava P. Mar 5, 2026 11:06 pm

Not B, it's C. Community cloud is specifically for a group of consumers from different orgs, per NIST 800-145. Private cloud sounds tempting with "exclusive use," but that's just for a single org. Anyone pick A by mistake?

TaylorL Feb 20, 2026 10:01 am

C fits here, since NIST 800-145 says community cloud is for a group from different orgs. If it was just one org, it'd be B (private cloud). Saw a really similar question in a practice set. Pretty sure it's C but open to corrections.

SaraR Feb 28, 2026 3:46 pm

C , is correct. Had something like this in a mock-community cloud is for exclusive use by a group from different orgs, exactly what NIST 800-145 says. Private cloud would be just one org. Pretty sure about C, anyone seeing it differently?

FriendlyOps8065 Mar 4, 2026 8:42 pm

Yeah, that's A. FlexVPN active/active mode is great because you can set up several routers or VRFs as hubs, which DMVPN can't match. DMVPN does active/standby but not real multi-hub active. If you need scale and redundancy with more than one hub, FlexVPN is the way to go.

MiaF Feb 26, 2026 4:22 pm

I don't think it's B. C matches NIST since community cloud lets different orgs share a cloud for exclusive use, which is what the scenario describes. Private cloud would only be for a single org, so that's the trap here. Pretty sure about C but open if anyone thinks otherwise.

Priya O. Feb 26, 2026 2:47 pm

Probably C, saw a similar question in some exam reports and community cloud fits for multiple orgs sharing exclusive access.

Arjun K. Feb 26, 2026 1:00 pm

I actually think B here, since "exclusive use" feels like private cloud, even if it's multiple orgs.

Nora D. Mar 2, 2026 12:06 pm

Be respectful. No spam.

Q: 5

[Security Concepts] Which algorithm provides asymmetric encryption?

Options

Discussion

Luna E. Feb 18, 2026 2:01 pm

C vs D? I think it's C (RSA) since it's the only asymmetric choice. D (3DES) is a trap because it's legacy but still symmetric like AES and RC4. Pretty sure C's correct but let me know if I'm missing something.

SteadyAuditor1226 Feb 22, 2026 2:20 pm

I get the confusion here, but C for RSA.

Aisha Mar 6, 2026 9:30 pm

Probably C. 3DES (D) trips people up since it's old but it's still symmetric, not asymmetric like RSA. Agree?

FriendlyLead3162 Mar 6, 2026 4:23 pm

Seen this type on several practice sets, the official guide spells it out. RSA (C) is always the asymmetric one listed here, while RC4, AES, and 3DES are symmetric. If anyone saw a twist on exam let me know but pretty sure it stays this way.

Sanjay W. Feb 18, 2026 8:40 am

Grace A. Feb 22, 2026 11:49 pm

B , the typical trap here is mixing up IPsec tunnel mode functions with transport. I think B lines up best if you compare the descriptions to the way VPN types are matched in Cisco training, but not 100% sure. Disagree?

Ivy Y. Feb 19, 2026 10:11 pm

Probably D, since those descriptions fit what I remember for VPN functions in Cisco docs.

Anita Feb 17, 2026 9:59 am

man Cisco loves to overcomplicate their VPN terms. C or D for me, not sure

LunaY Feb 25, 2026 6:53 am

C for sure. RSA is the only one that's actually asymmetric, the rest (RC4, AES, 3DES) are symmetric block or stream ciphers. Pretty common to see questions trying to trip you up with 3DES or AES here, but it's always RSA for asymmetric. Any objections?

LaylaV Mar 3, 2026 5:28 am

Don’t think it can be D. 3DES is still symmetric, just has multiple keys, so C makes more sense for asymmetric.

Be respectful. No spam.

Correct Answer:

Explanation

Asymmetric encryption, also known as public-key cryptography, is a type of encryption that uses a

pair of keys to encrypt and decrypt data. The pair of keys includes a public key, which can be shared

with anyone, and a private key, which is kept secret by the owner. In asymmetric encryption, the

sender uses the recipient’s public key to encrypt the data. The recipient then uses their private key to

decrypt the data. This approach allows for secure communication between two parties without the

need for both parties to have the same secret key. RSA is one of the most commonly used

asymmetric encryption algorithms. It is based on the mathematical problem of factoring large

numbers, which is believed to be hard to solve. RSA stands for Rivest-Shamir-Adleman, the names of

the three inventors of the algorithm. RSA can be used for both encryption and digital signatures. To

generate an RSA key pair, the following steps are performed:

Choose two large prime numbers, p and q, and compute their product, n = pq. This is called the

modulus.

Choose a small number, e, that is relatively prime to (p-1)(q-1). This is called the public exponent.

Compute a number, d, that satisfies the equation ed ≡ 1 (mod (p-1)(q-1)). This is called the private

exponent.

The public key is (n, e) and the private key is (n, d).

To encrypt a message, m, with the public key (n, e), the following formula is used:

c = m^e mod n

To decrypt a ciphertext, c, with the private key (n, d), the following formula is used:

m = c^d mod n

Reference :=

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 3: VPN

Technologies, Lesson 3.1: Site-to-Site VPNs, Topic 3.1.2: IPsec VPNs

What is Asymmetric Encryption? - GeeksforGeeks

What is asymmetric encryption? | Asymmetric vs. symmetric … - Cloudflare

Q: 6

[Security Concepts] Which security product enables administrators to deploy Kubernetes clusters in air-gapped sites without needing Internet access?

Options

Discussion

Arjun G. Feb 22, 2026 9:44 pm

Nah, not B here. C is the one purpose-built for air-gapped Kubernetes, while B is a distractor that trips people up by name similarity. Unless something changed recently, it's definitely C.

HelpfulArchitect268 Feb 20, 2026 12:18 pm

C , but Cisco needs to stop messing with these product names. Seen similar in exam reports and only Cisco Container Platform is meant for air-gapped Kubernetes. The others don’t fit offline use.

Maya C. Feb 15, 2026 9:05 pm

Option C I don't think it's D, that's a common trap on site-to-site VPNs but the debug would show nothing if traffic wasn't interesting. Here it's showing failed ISAKMP exchange, which points to an auth key mismatch.

Kevin M. Feb 19, 2026 3:17 am

C imo. Debug output for ISAKMP failing after retransmits usually points to an authentication key mismatch. If the keys aren't the same on both routers, phase 1 can't finish. Seen it in labs and mentioned in the official guide as a main cause.

QuickSec6340 Feb 21, 2026 10:24 am

C . Cisco Container Platform is the only option designed for air-gapped Kubernetes deployments, pretty sure the other products either need cloud or aren't specific to k8s. Let me know if I'm missing something here.

Ava P. Mar 6, 2026 9:03 pm

C imo, that's the one built for air-gapped clusters. Not totally sure so let me know if I'm off.

Layla Y. Feb 21, 2026 12:24 pm

Alex Y. Feb 14, 2026 10:20 am

Probably C here. Had something like this in a mock and Cisco Container Platform is the one meant for air-gapped Kubernetes deployments. The others don’t have that offline/air-gap install capability. Pretty sure on this but open if anyone has seen it differently.

Alex O. Feb 15, 2026 3:26 pm

Not sure here, why not B? "Container Controller" sounds right for managing the cluster offline.

Ryan V. Feb 24, 2026 3:41 pm

C tbh, seen that in official guide and exam practice stuff lately.

Be respectful. No spam.

Q: 7

DRAG DROP [Network Security] Drag and drop the VPN functions from the left onto the description on the right.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

RSA
AES
SHA-1
ISAKMP

Discussion

Reese V. Feb 15, 2026 2:45 am

SHA-1 → ensures data integrity, ISAKMP → defines IKE SAs, AES → confidentiality, RSA → authentication. Only thing is if they asked about signing or digital signatures, could maybe flip SHA-1 and RSA in a weird context, but for VPNs pretty sure this matches Cisco docs. Let me know if I'm missing an edge case.

Leo M. Mar 4, 2026 8:26 am

SHA-1 to ensures data integrity, ISAKMP to defines IKE SAs, AES to ensures data confidentiality, RSA to provides authentication. Seen a similar mapping in official practice labs. Pretty sure that's right for VPN fundamentals, but open if anyone has seen different options on their exam.

Ava Feb 20, 2026 10:29 pm

This order looks solid to me: SHA-1 for integrity, ISAKMP for IKE SAs, AES does confidentiality, RSA gives authentication. Pretty standard VPN roles per Cisco docs. If anyone sees a gotcha here let me know but I think this covers it.

AjayL Feb 17, 2026 6:55 pm

SHA-1 to data integrity, ISAKMP for IKE SAs, AES does confidentiality, RSA gives authentication. Official guide covers these, review practice questions too.

Neha K. Mar 6, 2026 9:53 am

Probably B. D is a common guess, but platform settings are more about things like NTP and device basics, not actual policies.

Aaron Mar 3, 2026 1:02 pm

SHA-1 to ensures data integrity, ISAKMP to defines IKE SAs, AES to ensures data confidentiality, RSA to provides authentication.

Logan U. Feb 25, 2026 6:33 am

Pretty sure it's SHA-1 to integrity, ISAKMP to IKE SAs, AES for confidentiality, RSA for authentication.

Jason H. Feb 19, 2026 10:34 pm

Nah, I don't think ISAKMP is a trap here. SHA-1 to integrity, ISAKMP to IKE SAs, AES for confidentiality, RSA for authentication.

Ethan J. Feb 26, 2026 12:24 am

SHA-1 → ensures data integrity, ISAKMP → defines IKE SAs, AES → ensures data confidentiality, RSA → provides authentication. Pretty sure that's right since AES is for encryption, ISAKMP is the framework for SAs, SHA-1 handles hash checks. I don't think ISAKMP for confidentiality is a trap but saw that mix-up before.

Mason Y. Feb 18, 2026 4:37 pm

Maybe D, since intrusion policy is a big focus with FMC device management.

Be respectful. No spam.

Correct Answer:

Answer Areas ensures data integrity: C. SHA-1 defines IKE SAS: D. ISAKMP ensures data confidentiality: B. AES provides authentication: A. RSA

Explanation

SHA-1 (Secure Hash Algorithm 1) is a hashing algorithm used to generate a unique digest of a message. In VPNs (specifically IPsec), it is used within HMAC to verify that data has not been altered during transit, ensuring data integrity.

ISAKMP (Internet Security Association and Key Management Protocol) provides the framework for authentication and key exchange. It defines the procedures and packet formats to establish, negotiate, modify, and delete Security Associations (SAs), effectively defining IKE SAs.

AES (Advanced Encryption Standard) is a symmetric key encryption algorithm. It encrypts the data payload, rendering it unreadable to unauthorized users, which ensures data confidentiality.

RSA (Rivest-Shamir-Adleman) is an asymmetric algorithm often used for digital signatures. In the IKE phase, peers use RSA signatures to prove their identities to one another, providing authentication.

References

IETF RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP), Section 1: "ISAKMP defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques, and threat mitigation."

NIST Special Publication 800-77 Rev. 1, Guide to IPsec VPNs, Section 2.2.1: Discusses how encryption algorithms like AES provide confidentiality. Section 2.2.2: Describes how hash functions (e.g., SHA) are used to provide data integrity.

Cisco Systems, IPsec Configuration Guide, "IKEv1 and IKEv2 Packet Exchange": Details the use of RSA signatures for the authentication method during IKE phase 1 negotiations.

Stallings, W., Cryptography and Network Security: Principles and Practice, 7th Edition, Pearson. Chapter 19 (IP Security): Explains the role of ISAKMP in defining the SA management and the use of HMAC-SHA for integrity.

Q: 8

[Endpoint Protection and Detection] An engineer needs a solution for TACACS+ authentication and authorization for device administration. The engineer also wants to enhance wired and wireless network security by requiring users and endpoints to use 802.1X, MAB, or WebAuth. Which product meets all of these requirements?

Options

Discussion

Sanjay X. Feb 20, 2026 1:24 am

encountered exactly similar question in my exam, on my practice set, it's B.

Chris Feb 27, 2026 6:43 am

These Cisco product names always trip people up, it's like they want us to confuse Prime and ISE every exam. Option B

Ava P. Mar 5, 2026 7:59 am

Prime Infrastructure seems right since it manages devices, so A.

Chloe Mar 1, 2026 9:50 pm

ISE is the only one here that does both TACACS+ for admin and supports 802.1X, MAB, WebAuth for endpoints. Pretty sure it's B, but I'd double check the docs since Prime gets confused with AAA sometimes.

Robin W. Mar 4, 2026 2:32 am

ISE is the only one that combines TACACS+, 802.1X, MAB, and WebAuth centralization. B

Quinn Mar 5, 2026 8:35 am

B tbh, Prime is a trap since it doesn't handle all the AAA stuff needed here.

Sanjay Y. Feb 27, 2026 8:37 am

A could work if you're just thinking about device management since Prime controls infrastructure, right? Doesn't it do some AAA too? Not totally sure but went with A here, since it's tempting for admin tasks.

Adam S. Feb 28, 2026 10:03 pm

Nah, it's B. A is always tempting because Prime does a lot, but it doesn't actually handle TACACS+ or all the 802.1X/AAA stuff like ISE. I've seen this type of trap in practice sets.

Aaron T. Feb 25, 2026 12:30 pm

B fits since ISE does both TACACS+ for device admin and handles 802.1X, MAB, WebAuth for wired and wireless access. Prime is more for managing devices but doesn't do full AAA. Pretty sure it's B here, but correct me if I'm missing something.

Sean L. Feb 26, 2026 10:09 pm

Official guide and labs both stress ISE for these use cases. B

Be respectful. No spam.

Correct Answer:

Explanation

Cisco Identity Services Engine (ISE) is a comprehensive identity and access control policy platform. It is specifically designed to provide centralized Authentication, Authorization, and Accounting (AAA) services. ISE meets all the requirements by functioning as a TACACS+ server for device administration (controlling access to network devices like routers and switches) and as a RADIUS server to enforce network access policies for users and endpoints using protocols such as 802.1X, MAC Authentication Bypass (MAB), and Web Authentication (WebAuth) for both wired and wireless networks.

Why Incorrect

A. Cisco Prime Infrastructure: This is a network management platform for monitoring and configuration, not a policy enforcement engine for AAA services like TACACS+ or 802.1X.

C. Cisco Stealthwatch: Now called Cisco Secure Network Analytics, this tool provides network visibility and threat detection using telemetry like NetFlow. It does not perform AAA functions.

D. Cisco AMP for Endpoints: Now called Cisco Secure Endpoint, this is an endpoint protection (EPP) and detection/response (EDR) solution focused on malware. It does not provide network access control.

---

References

1. Cisco Identity Services Engine (ISE) Data Sheet. Cisco. "Cisco ISE is a centralized solution that automates and simplifies secure access control... It provides: [...] Device administration (via TACACS+)

[...] IEEE 802.1X

MAC Authentication Bypass (MAB)

web authentication". This document explicitly lists both core functionalities required by the question.

Source: Cisco Identity Services Engine (ISE) Data Sheet

"Features and benefits" table.

2. Cisco Identity Services Engine Administrator Guide

Release 3.2. Cisco. "Device administration access service provides a policy framework for controlling access to the network devices... Cisco ISE uses the TACACS+ protocol for device administration." This confirms the TACACS+ capability. The guide also extensively covers configuring authentication and authorization policies for 802.1X

MAB

and WebAuth.

Source: Chapter: "Device Administration"

Section: "Device Administration Access Service" and Chapter: "Authentication"

Section: "Authentication Policies".

3. SCOR 350-701 Official Cert Guide. Cisco Press. "ISE is the Cisco solution for network access control (NAC) and is the main product that implements AAA for users and devices connecting to a network... ISE also supports TACACS+ for device administration."

Source: Chapter 21

"Cisco Identity Services Engine (ISE)"

Section: "ISE Fundamentals".

Q: 9

DRAG DROP [Security Concepts] Drag and drop the features of Cisco ASA with Firepower from the left onto the benefits on the right.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Full Context Awareness
NGIPS
AMP
Collective Security Intelligence

Discussion

LukeG Feb 27, 2026 2:21 pm

Don’t think NGIPS should be on the detection/blocking/remediation line. AMP is Cisco’s advanced malware solution, so more aligned with that benefit. The proper mapping is: AMP → detection/blocking/remediation, Full Context Awareness → policy enforcement with visibility, Collective Security Intelligence → real-time threat intel, NGIPS → threat prevention/mitigation. Others might put NGIPS first, but exam wording points to this order.

Daniel Y. Feb 23, 2026 6:36 am

AMP → detection, blocking and remediation; Full Context Awareness → policy enforcement with user/VM visibility; Collective Security Intelligence → real-time threat intelligence; NGIPS → threat prevention and mitigation for known/unknown threats. Got this mapping from Cisco docs too. Only slight uncertainty is if AMP and NGIPS ever swap, but pretty sure this is right since AMP is for malware and NGIPS handles broader threat types. Anyone see it different?

Taylor N. Feb 27, 2026 11:39 am

C . The main thing with patching is cutting down risks from known threats, not just getting new features or disabling protocols. That regular patch cycle really keeps vulnerabilities in check. Pretty sure that's what Cisco's looking for here, but open if anybody thinks otherwise.

Reese A. Feb 18, 2026 5:23 pm

AMP to detection, blocking and remediation; Full Context Awareness to policy enforcement with user/VM visibility; Collective Security Intelligence to real-time threat intelligence; NGIPS to threat prevention and mitigation. Seen similar exam mappings-easy to mix up NGIPS and AMP but NGIPS is broader. Pretty sure this is right, but open to corrections if anyone thinks otherwise.

LukeM Feb 16, 2026 12:37 am

Full Context Awareness → detection, blocking and remediation; NGIPS → policy enforcement with visibility; AMP → threat prevention and mitigation for known/unknown threats; Collective Security Intelligence → real-time threat intel. I matched NGIPS to visibility since it inspects flows, and AMP for the broader mitigation part. Might be off on one, but that's how I remembered from lab work. What do you guys think?

Sanjay Feb 15, 2026 7:30 pm

Nah, the right mapping should be AMP to detection/blocking/remediation, Full Context Awareness to policy enforcement with visibility, Collective Security Intelligence to real-time threat updates, and NGIPS to threat prevention/mitigation. Easy to mix up NGIPS and AMP here since both do detection but NGIPS is broader. Disagree?

Aaron Feb 19, 2026 10:48 am

Definitely sticking with C here.

Amelia D. Feb 27, 2026 11:10 am

Its C, saw similar in exam reports. Key point is cutting down known vulnerabilities.

Zoe Feb 23, 2026 2:39 pm

A sounds possible to me. Getting new features from patches can be pretty important for endpoints since it boosts capabilities and sometimes even makes support easier. Not totally sure though, maybe that's more of a bonus than the main reason?

Ravi X. Feb 28, 2026 11:33 pm

If the question said "best reason for patching" instead of just "important," would that change whether C is correct or not?

Be respectful. No spam.

Correct Answer:

Answer Area detection, blocking and remediation to protect the enterprise against targeted malware attacks: C. AMP policy enforcement based on complete visibility of users and communication between virtual machines: A. Full Context Awareness real-time threat intelligence and security protection: D. Collective Security Intelligence threat prevention and mitigation for known and unknown threats: B. NGIPS

Explanation

Advanced Malware Protection (AMP) is specifically designed to detect, block, and remediate malware, including zero-day attacks, through continuous analysis. Full Context Awareness aggregates data on users, devices, applications, and operating systems, providing the visibility necessary to create and enforce granular security policies. Collective Security Intelligence (powered by Cisco Talos) provides the system with real-time updates on global threat intelligence (IP, URL, and domain reputation) to block attacks proactively. Finally, the Next-Generation Intrusion Prevention System (NGIPS) utilizes this context and intelligence to provide comprehensive threat prevention and mitigation against both known exploits and unknown vulnerabilities.

References

Cisco Systems. (2015). Cisco ASA with Firepower Services Data Sheet. Retrieved from Cisco.com. (Section: "Features and Benefits", specifically Table 1 which maps features like "Full Context Awareness" to visibility/policy enforcement and "AMP" to malware remediation).

Cisco Systems. Cisco Firepower Management Center Configuration Guide, Version 6.0. "Chapter: Security Intelligence and Content Blocking". (Discusses the role of Collective Security Intelligence in real-time threat blocking).

Cisco Systems. Cisco ASA with Firepower Services - At-a-Glance. (Explicitly links NGIPS to comprehensive threat prevention and AMP to malware remediation).

Q: 10

DRAG DROP [Security Concepts] Drag and drop the capabilities from the left onto the correct technologies on the right.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

detection, blocking, tracking, analysis, and remediation to protect against targeted persistent malware attacks
superior threat prevention and mitigation for known and unknown threats
application-layer control and ability to enforce usage and tailor detection policies based on custom applications and URLS
combined integrated solution of strong defense and web protection, visibility, and controlling solutions

Discussion

Ivy Feb 26, 2026 4:39 am

Next Generation Intrusion Prevention System matches with "superior threat prevention and mitigation for known and unknown threats," while Advanced Malware Protection is about "detection, blocking, tracking, analysis, and remediation." App-layer control lines up with "application control and URL filtering," and WSA is the one described as a "combined integrated solution." I think this is right, since AMP's retrospective functions get overlooked easily-NGIPS sounds similar but it's more about active prevention than after-the-fact tracking. Anyone see it differently?

Nina P. Mar 6, 2026 7:19 pm

NGIPS → superior threat prevention, AMP → detection/blocking/analysis/remediation, app control/URL filtering → application-layer, WSA → integrated web protection.

Zoe F. Feb 22, 2026 7:30 am

NGIPS: superior threat prevention, AMP: detection & remediation, app control: app-layer control, WSA: combined web protection.

Jordan I. Mar 4, 2026 11:17 pm

This matches typical Cisco exam mappings. NGIPS gets "superior threat prevention," AMP is "detection, blocking, tracking, analysis, and remediation," app control/URL filtering is the application-layer control one, and WSA is the integrated web protection. Official study guide has this breakdown if you want to double-check.

Zoe B. Mar 5, 2026 12:24 am

NGIPS to superior threat prevention, AMP to detection/tracking/analysis/remediation, app control to app-layer control, WSA for all-in-one web protection.

Riley M. Feb 21, 2026 10:49 am

NGIPS gets "superior threat prevention and mitigation for known and unknown threats" since that's its main purpose. AMP goes with "detection, blocking, tracking, analysis, and remediation" because that's the retrospective angle. Seen this on study guides so pretty confident but let me know if I missed something.

Liam Z. Mar 2, 2026 1:49 pm

Next Generation Intrusion Prevention System → superior threat prevention, Advanced Malware Protection → detection/analysis/remediation, app control/URL filtering → application-layer control, Cisco WSA → integrated web protection. Had something like this in a mock, matches up.

Morgan F. Feb 21, 2026 5:12 pm

NGIPS → superior threat prevention
AMP → detection, blocking, tracking, analysis, and remediation
App control/URL filtering → application-layer control on apps and URLs
WSA → combined web protection solution.

Not seeing a reason to swap AMP and NGIPS here-the keywords match the specific tech well. NGIPS is all about broad threat prevention, while AMP does tracking/analysis/remediation (that after-the-fact stuff). Sometimes WSA throws people off but it's definitely the all-in-one web defense. Pretty confident but open if you spot something off.

Zoe L. Feb 26, 2026 8:48 pm

NGIPS maps to "superior threat prevention and mitigation for known and unknown threats," AMP is "detection, blocking, tracking, analysis, and remediation to protect against targeted persistent malware attacks." Application control and URL filtering connects with "application-layer control... on custom applications and URLs," and Cisco WSA is the "combined integrated solution of strong defense and web protection." Seen similar matches in practice sets. I think this is spot on but correct me if you see any mixup.

Noah Feb 25, 2026 1:20 am

NGIPS: detection, blocking, tracking, analysis, and remediation; AMP: superior threat prevention; app control/URL filtering: integrated solution; WSA: application-layer control.

Be respectful. No spam.

Correct Answer:

Positions Next Generation Intrusion Prevention System: B. superior threat prevention and mitigation for known and unknown threats Advanced Malware Protection: A. detection, blocking, tracking, analysis, and remediation to protect against targeted persistent malware attacks application control and URL filtering: C. application-layer control and ability to enforce usage and tailor detection policies based on custom applications and URLS Cisco Web Security Appliance: D. combined integrated solution of strong defense and web protection, visibility, and controlling solutions

Explanation

Next Generation Intrusion Prevention System (NGIPS): Cisco defines its NGIPS capabilities as providing "superior threat prevention and mitigation" by leveraging contextual awareness to detect both known exploits and unknown (zero-day) threats.

Advanced Malware Protection (AMP): AMP is distinguished by its "retrospective security" capabilities. The keywords "tracking," "analysis," and "remediation" (specifically the ability to fix issues after a file enters the network) are unique to AMP's "before, during, and after" attack continuum.

Application Control and URL Filtering: This technology (often part of AVC) operates at the "application-layer," allowing administrators to enforce policies on specific "custom applications and URLs" rather than just ports or IP addresses.

Cisco Web Security Appliance (WSA): The WSA is a dedicated "web protection" gateway. The description "combined integrated solution... of web protection" directly describes the WSA's role in securing web traffic with visibility and control.

References

Cisco Systems. (2015). Cisco ASA with Firepower Services Data Sheet. Cisco.com. (Section: "Product Overview", Table 1 features the exact phrase "Superior threat prevention and mitigation for known and unknown threats" and "Detection, blocking, tracking, analysis, and remediation" for AMP).

Cisco Systems. (2020). Cisco Web Security Appliance Data Sheet. Cisco.com. (Describes the WSA as an "all-in-one web security gateway" providing defense, visibility, and control).

Cisco Systems. Firepower Management Center Configuration Guide, Version 6.0. (Chapter: "Access Control Policies", specifically discussing "Application Visibility and Control (AVC)" and "URL Filtering" for application-layer enforcement).

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE