All Braindump2go PDF Dumps and VCE Dumps

Braindump2go Latest and Hottest Dumps with PDF and VCE are free Shared Here!

350-701 Exam Dumps350-701 Exam Questions350-701 PDF Dumps350-701 VCE DumpsCisco

[2025-December-New]Braindump2go 350-701 Practice Exam Free[Q431-Q515]

admin

2025/December Latest Braindump2go 350-701 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go 350-701 Real Exam Questions!

QUESTION 431
An engineer is configuring device-hardening on a router in order to prevent credentials from being seen if the router configuration was compromised. Which command should be used?

A. service password-encryption
B. username <username> privilege 15 password <password>
C. service password-recovery
D. username < username> password <password>

Answer: A

QUESTION 432
Which security solution protects users leveraging DNS-layer security?

A. Cisco ISE
B. Cisco FTD
C. Cisco Umbrella
D. Cisco ASA

Answer: C

QUESTION 433
Which CoA response code is sent if an authorization state is changed successfully on a Cisco IOS device?

A. CoA-NCL
B. CoA-NAK
C. CoA-ACK
D. CoA-MAB

Answer: C
Explanation:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html

QUESTION 434
Which security solution uses NetFlow to provide visibility across the network, data center, branch offices, and cloud?

A. Cisco CTA
B. Cisco Secure Network Analytics
C. Cisco Encrypted Traffic Analytics
D. Cisco Umbrella

Answer: B

QUESTION 435
How does a WCCP-configured router identify if the Cisco WSA is functional?

A. If an ICMP ping fails three consecutive times between a router and the WSA, traffic is no longer transmitted to the router.
B. If an ICMP ping fails three consecutive times between a router and the WSA, traffic is no longer transmitted to the WSA.
C. The WSA sends a Here-l-Am message every 10 seconds, and the router acknowledges with an I-See-You message.
D. The router sends a Here-l-Am message every 10 seconds, and the WSA acknowledges with an I-See-You message.

Answer: C
Explanation:
When the WCCP service is active on a web cache server (WSA in this case), it periodically sends a WCCP HERE I AM broadcast or unicast message to the unit operating as a WCCP router.
If the information received in this message matches what is expected, the WCCP router replies with a WCCP I SEE YOU message.

QUESTION 436
Which solution supports high availability in routed or transparent mode as well as in northbound and southbound deployments?

A. Cisco FTD with Cisco ASDM
B. Cisco FTD with Cisco FMC
C. Cisco Firepower NGFW physical appliance with Cisco. FMC
D. Cisco Firepower NGFW Virtual appliance with Cisco FMC

Answer: B

QUESTION 437
Which Cisco ASA Platform mode disables the threat detection features except for Advanced Threat Statistics?

A. cluster
B. transparent
C. routed
D. multiple context

Answer: D
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/conns-threat.html#ID-2132-00000035

QUESTION 438
Which benefit does DMVPN provide over GETVPN?

A. DMVPN supports QoS, multicast, and routing, and GETVPN supports only QoS.
B. DMVPN is a tunnel-less VPN, and GETVPN is tunnel-based.
C. DMVPN supports non-IP protocols, and GETVPN supports only IP protocols.
D. DMVPN can be used over the public Internet, and GETVPN requires a private network.

Answer: D

QUESTION 439
An organization has DHCP servers set up to allocate IP addresses to clients on the LAN.
What must be done to ensure the LAN switches prevent malicious DHCP traffic while also distributing IP addresses to the correct endpoints?

A. Configure Dynamic ARP Inspection and add entries in the DHCP snooping database
B. Configure DHCP snooping and set an untrusted interface for all clients
C. Configure Dynamic ARP Inspection and antispoofing ACLs in the DHCP snooping database
D. Configure DHCP snooping and set a trusted interface for the DHCP server

Answer: D
Explanation:
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch.

QUESTION 440
Which two parameters are used to prevent a data breach in the cloud? (Choose two.)

A. DLP solutions
B. strong user authentication
C. encryption
D. complex cloud-based web proxies
E. antispoofing programs

Answer: BC
Explanation:
Strong user authentication: This ensures only authorized individuals can access cloud data. Methods include multi-factor authentication (MFA) and strong passwords.
Encryption: This scrambles data at rest and in transit, making it unreadable to unauthorized users even if intercepted.
https://www.otava.com/blog/7-ways-to-prevent-data-leaks-in-the-cloud/
https://www.getkisi.com/blog/7-tips-prevent-cloud-security-threats

QUESTION 441
Which technology enables integration between Cisco ISE and other platforms to gather and share network and vulnerability data and SIEM and location information?

A. pxGrid
B. NetFlow
C. SNMP
D. Cisco Talos

Answer: A
Explanation:
Cisco ISE uses Cisco Platform Exchange Grid (pxGrid) technology to share contextual data with leading SIEM and TD partner solutions.

QUESTION 442
Which Cisco DNA Center Intent API action is used to retrieve the number of devices known to a DNA Center?

A. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/network-device/count
B. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/network-device
C. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/networkdevice?parameter1=value&param eter2=value&….
D. GET https://fqdnOrlPofDnaCenterPlatform/dna/intent/api/v1/networkdevice/startIndex/recordsToReturn

Answer: A
Explanation:
https://developer.cisco.com/docs/dna-center/#!get-device-count

QUESTION 443
An organization must add new firewalls to its infrastructure and wants to use Cisco ASA or Cisco FTD. The chosen firewalls must provide methods of blocking traffic that include offering the user the option to bypass the block for certain sites after displaying a warning page and to reset the connection.
Which solution should the organization choose?

A. Cisco FTD because it supports system rate level traffic blocking, whereas Cisco ASA does not
B. Cisco ASA because it allows for interactive blocking and blocking with reset to be configured via the GUI, whereas Cisco FTD does not.
C. Cisco FTD because it enables interactive blocking and blocking with reset natively, whereas Cisco ASA does not
D. Cisco ASA because it has an additional module that can be installed to provide multiple blocking capabilities, whereas Cisco FTD does not.

Answer: C

QUESTION 444
An engineer is configuring web filtering for a network using Cisco Umbrella Secure Internet Gateway. The requirement is that all traffic needs to be filtered. Using the SSL decryption feature, which type of certificate should be presented to the end-user to accomplish this goal?

A. third-party
B. self-signed
C. organization owned root
D. SubCA

Answer: C

QUESTION 445
An engineer needs to configure an access control policy rule to always send traffic for inspection without using the default action. Which action should be configured for this rule?

A. monitor
B. allow
C. block
D. trust

Answer: B
Explanation:
Rule 4: Allow is the final rule. For this rule, matching traffic is allowed; however, prohibited files, malware, intrusions, and exploits within that traffic are detected and blocked. Remaining non-prohibited, non-malicious traffic is allowed to its destination, though it is still subject to identity requirements and rate limiting. You can configure Allow rules that perform only file inspection, or only intrusion inspection, or neither.
https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/access_control_rules.html

QUESTION 446
When NetFlow is applied to an interface, which component creates the flow monitor cache that is used to collect traffic based on the key and nonkey fields in the configured record?

A. records
B. flow exporter
C. flow sampler
D. flow monitor

Answer: D
Explanation:
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic monitoring. Flow monitors consist of a record and a cache. You add the record to the flow monitor after you create the flow monitor. The flow monitor cache is automatically created at the time the flow monitor is applied to the first interface. Flow data is collected from the network traffic during the monitoring process based on the key and nonkey fields in the record, which is configured for the flow monitor and stored in the flow monitor cache.

QUESTION 447
Which encryption algorithm provides highly secure VPN communications?

A. 3DES
B. AES 256
C. AES 128
D. DES

Answer: B

QUESTION 448
An administrator needs to configure the Cisco ASA via ASDM such that the network management system can actively monitor the host using SNMPv3.
Which two tasks must be performed for this configuration? (Choose two.)

A. Specify the SNMP manager and UDP port.
B. Specify an SNMP user group
C. Specify a community string.
D. Add an SNMP USM entry
E. Add an SNMP host access entry

Answer: BD
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/general/asa-general-asdm/monitor-snmp.html

QUESTION 449
Which Cisco ASA deployment model is used to filter traffic between hosts in the same IP subnet using higher-level protocols without readdressing the network?

A. routed mode
B. transparent mode
C. single context mode
D. multiple context mode

Answer: B
Explanation:
https://grumpy-networkers-journal.readthedocs.io/en/latest/VENDOR/CISCO/FIREWALL/ASA/TRANSPARENTFW.html

QUESTION 450
Which function is performed by certificate authorities but is a limitation of registration authorities?

A. accepts enrollment requests
B. certificate re-enrollment
C. verifying user identity
D. CRL publishing

Answer: D

QUESTION 451
Which two functions does the Cisco Advanced Phishing Protection solution perform in trying to protect from phishing attacks? (Choose two.)

A. blocks malicious websites and adds them to a block list
B. does a real-time user web browsing behavior analysis
C. provides a defense for on-premises email deployments
D. uses a static algorithm to determine malicious
E. determines if the email messages are malicious

Answer: CE
Explanation:
After the analysis, potentially malicious messages are remediated from the recipient mailbox automatically, based on the pre-configured policies on the AdvancedPhishingProtection cloud service.
Set up the email gateway as a sensor engine on the Cisco Advanced Phishing Protection cloud service.
This deploys the email gateway as a lightweight sensor via the cloud or on-premise.
https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide_13-5/b_ESA_Admin_Guide_ces_13-5/m_advanced_phishing_protection.pdf
https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5/user_guide/b_ESA_Admin_Guide_13-5/m_advanced_phishing_protection.html

QUESTION 452
What is a feature of NetFlow Secure Event Logging?

A. It exports only records that indicate significant events in a flow.
B. It filters NSEL events based on the traffic and event type through RSVP.
C. It delivers data records to NSEL collectors through NetFlow over TCP only.
D. It supports v5 and v8 templates.

Answer: A
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/general/asdm_71_general_config/monitor_nsel.pdf

QUESTION 453
A hacker initiated a social engineering attack and stole username and passwords of some users within a company. Which product should be used as a solution to this problem?

A. Cisco NGFW
B. Cisco AnyConnect
C. Cisco AMP for Endpoints
D. Cisco Duo

Answer: D

QUESTION 454
Which technology provides the benefit of Layer 3 through Layer 7 innovative deep packet inspection, enabling the platform to identify and output various applications within the network traffic flows?

A. Cisco NBAR2
B. Cisco ASAV
C. Account on Resolution
D. Cisco Prime Infrastructure

Answer: A

QUESTION 455
Which RADIUS feature provides a mechanism to change the AAA attributes of a session after it is authenticated?

A. Authorization
B. Accounting
C. Authentication
D. CoA

Answer: D

QUESTION 456
Which type of data exfiltration technique encodes data in outbound DNS requests to specific servers and can be stopped by Cisco Umbrella?

A. DNS tunneling
B. DNS flood attack
C. cache poisoning
D. DNS hijacking

Answer: A
Explanation:
https://umbrella.cisco.com/blog/improvements-dns-tunneling-dns-exfiltration-detection

QUESTION 457
A large organization wants to deploy a security appliance in the public cloud to form a site-to-site VPN and link the public cloud environment to the private cloud in the headquarters data center. Which Cisco security appliance meets these requirements?

A. Cisco Cloud Orchestrator
B. Cisco ASAV
C. Cisco WSAV
D. Cisco Stealthwatch Cloud

Answer: B

QUESTION 458
Which CLI command is used to enable URL filtering support for shortened URLs on the Cisco Secure Email Gateway?

A. webadvancedconfig
B. websecurity advancedconfig
C. outbreakconfig
D. websecurity config

Answer: B
Explanation:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-00.html

QUESTION 459
Which standard is used to automate exchanging cyber threat information?

A. TAXIL
B. MITRE
C. IoC
D. STIX

Answer: A
Explanation:
TAXII, short for Trusted Automated eXchange of Intelligence Information, defines how cyber threat information can be shared via services and message exchanges.

QUESTION 460
What is a function of the Layer 4 Traffic Monitor on a Cisco WSA?

A. blocks traffic from URL categories that are known to contain malicious content
B. decrypts SSL traffic to monitor for malicious content
C. monitors suspicious traffic across all the TCP/UDP ports
D. prevents data exfiltration by searching all the network traffic for specified sensitive information

Answer: C

QUESTION 461
A network engineer entered the snmp-server user asmith myv7 auth sha cisco priv aes 256 cisc0xxxxxxxxx command and needs to send SNMP information to a host at 10.255.255.1.
Which command achieves this goal?

A. snmp-server host inside 10.255.255.1 version 3 myv7
B. snmp-server host inside 10.255.255.1 snmpv3 myv7
C. snmp-server host inside 10.255.255.1 version 3 asmith
D. snmp-server host inside 10.255.255.1 snmpv3 asmith

Answer: C
Explanation:
ASA(config)#snmp-server host inside 10.1.1.1 version 3 administrator <- specify the NMS host

QUESTION 462
Refer to the exhibit. What are two indications of the Cisco Firepower Services Module configuration? (Choose two.)

A. The module is operating in IDS mode.
B. The module fails to receive redirected traffic
C. Traffic is blocked if the module fails.
D. Traffic continues to flow if the module fails.
E. The module is operating in IPS mode.

Answer: AD
Explanation:
sfr {fail-open | fail-close [monitor-only]} <- There’s a couple different options here. The first one is fail-open which means that if the Firepower software module is unavailable, the ASA will continue to forward traffic. fail-close means that if the Firepower module fails, the traffic will stop flowing. While this doesn’t seem ideal, there might be a use case for it when securing highly regulated environments. The monitor-only switch can be used with both and basically puts the Firepower services into IDS-mode only. This might be useful for initial testing or setup.

QUESTION 463
Why is it important for the organization to have an endpoint patching strategy?

A. so the organization can identify endpoint vulnerabilities
B. so the internal PSIRT organization is aware of the latest bugs
C. so the network administrator is notified when an existing bug is encountered
D. so the latest security fixes are installed on the endpoints

Answer: D

QUESTION 464
An email administrator is setting up a new Cisco Secure Email Gateway. The administrator wants to enable the blocking of greymail for the end user. Which feature must the administrator enable first?

A. File Analysis
B. IP Reputation Filtering
C. Intelligent Multi-Scan
D. Anti-Virus Filtering

Answer: C

QUESTION 465
What limits communication between applications or containers on the same node?

A. microsegmentation
B. container orchestration
C. microservicing
D. Software-Defined Access

Answer: A
Explanation:
Microsegmentation is the practice of dividing a computer network into smaller segments, or microsegments, in order to limit communication between applications or containers on the same node. This approach uses network security policies to define what traffic is allowed to flow between different microsegments, which helps to reduce the attack surface and minimize the impact of a security breach. Microsegmentation is often used in conjunction with other security measures such as firewalls and intrusion detection systems to provide a more comprehensive security strategy.

QUESTION 466
Which open source tool does Cisco use to create graphical visualizations of network telemetry on Cisco IOS XE devices?

A. InfluxDB
B. Splunk
C. SNMP
D. Grafana

Answer: D
Explanation:
https://blogs.cisco.com/developer/getting-started-with-model-driven-telemetry

QUESTION 467
How does the Cisco WSA enforce bandwidth restrictions for web applications?

A. It implements a policy route to redirect application traffic to a lower-bandwidth link.
B. It dynamically creates a scavenger class QoS policy and applies it to each client that connects through the WSA.
C. It sends commands to the uplink router to apply traffic policing to the application traffic.
D. It simulates a slower link by introducing latency into application traffic.

Answer: D
Explanation:
https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-7/user_guide/b_WSA_UserGuide_11_7/b_WSA_UserGuide_11_7_chapter_01111.pdf

QUESTION 468
Which two components do southbound APIs use to communicate with downstream devices? (Choose two.)

A. services running over the network
B. OpenFlow
C. external application APIs
D. applications running over the network
E. OpFlex

Answer: BE

QUESTION 469
What is the term for when an endpoint is associated to a provisioning WLAN that is shared with guest access, and the same guest portal is used as the BYOD portal?

A. single-SSID BYOD
B. multichannel GUI
C. dual-SSID BYOD
D. streamlined access

Answer: C
Explanation:
If guest access is utilizing one of the named guest account, then same guest portal can be used for employee BYOD portal. This flow is called Dual-SSID BYOD, where the endpoint is associated to a provisioning WLAN which is typically shared with guest access.
https://community.cisco.com/t5/security-knowledge-base/ise-byod-dual-vs-single-ssid-onboarding/ta-p/3641422

QUESTION 470
Which feature within Cisco ISE verifies the compliance of an endpoint before providing access to the network?

A. Posture
B. Profiling
C. pxGrid
D. MAB

Answer: A

QUESTION 471
Which MDM configuration provides scalability?

A. pushing WPA2-Enterprise settings automatically to devices
B. enabling use of device features such as camera use
C. BYOD support without extra appliance or licenses
D. automatic device classification with level 7 fingerprinting

Answer: C

QUESTION 472
Which Cisco ISE service checks the compliance of endpoints before allowing the endpoints to connect to the network?

A. posture
B. profiler
C. Cisco TrustSec
D. Threat Centric NAC

Answer: A

QUESTION 473
Which endpoint protection and detection feature performs correlation of telemetry, files, and intrusion events that are flagged as possible active breaches?

A. retrospective detection
B. indication of compromise
C. file trajectory
D. elastic search

Answer: B
Explanation:
https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/advanced-malware-protection/solution-overview-c22-734228.html

QUESTION 474
Which feature enables a Cisco ISR to use the default bypass list automatically for web filtering?

A. filters
B. group key
C. company key
D. connector

Answer: D

QUESTION 475
A network engineer has configured a NTP server on a Cisco ASA. The Cisco ASA has IP reachability to the NTP server and is not filtering any traffic. The show ntp association detail command indicates that the configured NTP server is unsynchronized and has a stratum of 16.
What is the cause of this issue?

A. Resynchronization of NTP is not forced
B. NTP is not configured to use a working server.
C. An access list entry for UDP port 123 on the inside interface is missing.
D. An access list entry for UDP port 123 on the outside interface is missing.

Answer: B
Explanation:
The stratum level of a NTP server represents its level of precision and accuracy, a stratum level of 16 indicates that the server is unsynchronized and cannot be used as a time source. This means that the configured NTP server is not working and cannot provide correct time to the ASA. The engineer should check the NTP server configuration and availability, also it’s important to check if the NTP server is reachable and configured to use the correct IP address.

QUESTION 476
When a next-generation endpoint security solution is selected for a company, what are two key deliverables that help justify the implementation? (Choose two.)

A. signature-based endpoint protection on company endpoints
B. macro-based protection to keep connected endpoints safe
C. continuous monitoring of all files that are located on connected endpoints
D. email integration to protect endpoints from malicious content that is located in email
E. real-time feeds from global threat intelligence centers

Answer: CE

QUESTION 477
What is the process of performing automated static and dynamic analysis of files in an isolated environment against preloaded behavioral indicators for threat analysis?

A. deep visibility scan
B. point-in-time checks
C. advanced sandboxing
D. advanced scanning

Answer: C
Explanation:
https://www.cisco.com/c/en_in/products/security/advanced-malware-protection/index.html

QUESTION 478
Which solution is made from a collection of secure development practices and guidelines that developers must follow to build secure applications?

A. AFL
B. Fuzzing Framework
C. Radamsa
D. OWASP

Answer: D

QUESTION 479
What do tools like Jenkins, Octopus Deploy, and Azure DevOps provide in terms of application and infrastructure automation?

A. continuous integration and continuous deployment
B. cloud application security broker
C. compile-time instrumentation
D. container orchestration

Answer: A

QUESTION 480
Which direction do attackers encode data in DNS requests during exfiltration using DNS tunneling?

A. inbound
B. north-south
C. east-west
D. outbound

Answer: D

QUESTION 481
Which Cisco DNA Center RESTful PNP API adds and claims a device into a workflow?

A. api/v1/onboarding/workflow
B. api/v1/onboarding/pnp-device/import
C. api/v1/onboarding/pnp-device
D. api/v1/file/config

Answer: B
Explanation:

QUESTION 482
What is a feature of container orchestration?

A. ability to deploy Amazon ECS clusters by using the Cisco Container Platform data plane
B. ability to deploy Amazon EKS clusters by using the Cisco Container Platform data plane
C. ability to deploy Kubernetes clusters in air-gapped sites
D. automated daily updates

Answer: C

QUESTION 483
What are two security benefits of an MDM deployment? (Choose two.)

A. robust security policy enforcement
B. privacy control checks
C. on-device content management
D. distributed software upgrade
E. distributed dashboard

Answer: AC

QUESTION 484
An organization is implementing AAA for their users. They need to ensure that authorization is verified for every command that is being entered by the network administrator. Which protocol must be configured in order to provide this capability?

A. EAPOL
B. SSH
C. RADIUS
D. TACACS+

Answer: D
Explanation:
Check and send every executed command to ISE for verification.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

QUESTION 485
What is the recommendation in a zero-trust model before granting access to corporate applications and resources?

A. to use multifactor authentication
B. to use strong passwords
C. to use a wired network, not wireless
D. to disconnect from the network when inactive

Answer: A

QUESTION 486
Which Cisco AMP feature allows an engineer to look back to trace past activities, such as file and process activity on an endpoint?

A. endpoint isolation
B. advanced search
C. advanced investigation
D. retrospective security

Answer: D
Explanation:
Retrospective security is the ability to look back in time and trace processes, file activities, and communications in order to understand the full extent of an infection, establish root cause, and perform remediation. The need for retrospective security arises when any indication of a compromise occurs, such as an event trigger, a change in the disposition of a file, or an IoC trigger.

QUESTION 487
Which solution stops unauthorized access to the system if a user’s password is compromised?

A. VPN
B. MFA
C. AMP
D. SSL

Answer: B

QUESTION 488
What is a benefit of using Cisco Tetration?

A. It collects telemetry data from servers and then uses software sensors to analyze flow information.
B. It collects policy compliance data and process details.
C. It collects enforcement data from servers and collects interpacket variation.
D. It collects near-real time data from servers and inventories the software packages that exist on servers.

Answer: A

QUESTION 489
How does Cisco Umbrella protect clients when they operate outside of the corporate network?

A. by modifying the registry for DNS lookups
B. by using Active Directory group policies to enforce Cisco Umbrella DNS servers
C. by using the Cisco Umbrella roaming client
D. by forcing DNS queries to the corporate name servers

Answer: C
Explanation:
The Cisco Umbrella roaming client is a lightweight software that can be installed on Windows and Mac laptops, as well as on iOS and Android mobile devices. The client sends DNS queries to the Cisco Umbrella global network, where the queries are filtered and either allowed or blocked based on the organization’s security policies.
The Cisco Umbrella roaming client also provides visibility into the security posture of the devices, regardless of their location. This allows organizations to detect and respond to threats in real-time, regardless of where the device is located.
https://www.cisco.com/c/en/us/products/security/umbrella/umbrella-roaming.html

QUESTION 490
Which API method and required attribute are used to add a device into Cisco DNA Center with the native API?

A. GET and serialNumber
B. userSudiSerlalNos and deviceInfo
C. POST and name
D. lastSyncTime and pid

Answer: C
Explanation:
GET information about clients, sites, topology, devices, and issues; Create (POST) and manage (PUT, DELETE) sites, devices, IP Pools, edge and border devices, and authentication profiles.
https://developer.cisco.com/docs/dna-center/#!add-device-1

QUESTION 491
What are two facts about WSA HTTP proxy configuration with a PAC file? (Choose two.)

A. It is defined as a Transparent proxy deployment.
B. In a dual-NIC configuration, the PAC file directs traffic through the two NICs to the proxy.
C. The PAC file, which references the proxy, is deployed to the client web browser.
D. It is defined as an Explicit proxy deployment.
E. It is defined as a Bridge proxy deployment.

Answer: CD

QUESTION 492
Which solution should be leveraged for secure access of a CI/CD pipeline?

A. Duo Network Gateway
B. remote access client
C. SSL WebVPN
D. Cisco FTD network gateway

Answer: A

QUESTION 493
Which function is included when Cisco AMP is added to web security?

A. multifactor, authentication-based user identity
B. detailed analytics of the unknown file’s behavior
C. phishing detection on emails
D. threat prevention on an infected endpoint

Answer: B

QUESTION 494
A small organization needs to reduce the VPN bandwidth load on their headend Cisco ASA in order to ensure that bandwidth is available for VPN users needing access to corporate resources on the 10.0.0.0/24 local HQ network.
How is this accomplished without adding additional devices to the network?

A. Use split tunneling to tunnel traffic for the 10.0.0.0/24 network only.
B. Configure VPN load balancing to distribute traffic for the 10.0.0.0/24 network,
C. Configure VPN load balancing to send non-corporate traffic straight to the internet.
D. Use split tunneling to tunnel all traffic except for the 10.0.0.0/24 network.

Answer: A
Explanation:
Split tunneling allows the VPN client to choose which network traffic to send through the VPN tunnel and which traffic to send through the local internet connection. By configuring split tunneling to only tunnel traffic for the 10.0.0.0/24 network, the organization can reduce the VPN bandwidth load on the headend Cisco ASA. This way, only the necessary traffic to access corporate resources on the local HQ network will be sent through the VPN, while other non-corporate traffic can be sent through the local internet connection, thus reducing the VPN load.

QUESTION 495
Which solution detects threats across a private network, public clouds, and encrypted traffic?

A. Cisco Stealthwatch
B. Cisco CTA
C. Cisco Encrypted Traffic Analytics
D. Cisco Umbrella

Answer: A
Explanation:
Cisco Stealthwatch is a solution that detects threats across a private network, public clouds, and encrypted traffic.
Cisco Stealthwatch is a network security and threat detection platform that helps organizations protect their networks and data from cyber threats. It uses advanced analytics and machine learning to continuously monitor network traffic and identify suspicious activity, such as malware infections, data exfiltration, and other threats. Stealthwatch can detect threats across a private network, public clouds, and encrypted traffic, providing organizations with a comprehensive view of their security posture and helping them to respond quickly to potential threats.

QUESTION 496
Which Cisco security solution integrates with cloud applications like Dropbox and Office 365 while protecting data from being exfiltrated?

A. Cisco Tajos
B. Cisco Steaithwatch Cloud
C. Cisco Cloudlock
D. Cisco Umbrella Investigate

Answer: C
Explanation:
Cisco Cloudlock is an API-based broker that helps reduce compromises, application risks, and data breaches in an environment that is not on-premise. It provides protection of sensitive data throughout the full environment and helps secure cloud-based email, file storage, and web applications. Cloudlock detects and protects sensitive data across all cloud services, including cloud storage and collaboration services such as AWS, Box, Dropbox, Google Drive, Microsoft OneDrive, Salesforce, and more.

QUESTION 497
Drag and Drop Question
Drag and drop the exploits from the left onto the type of security vulnerability on the right.

Answer:

QUESTION 498
Drag and Drop Question
Drag and drop the concepts from the left onto the correct descriptions on the right.

Answer:

QUESTION 499
When network telemetry is implemented, what is important to be enabled across all network infrastructure devices to correlate different sources?

A. CDP
B. syslog
C. NTP
D. DNS

Answer: C
Explanation:
Without time synchronization, it is very difficult to correlate different sources of telemetry.
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/sec_chap5.html

QUESTION 500
Drag and Drop Question
Drag and drop the Cisco CWS redirection options from the left onto the capabilities on the right.

Answer:

QUESTION 501
What is the concept of continuous integration/continuous delivery pipelining?

A. The project code is centrally maintained, and each code change should trigger an automated build and test sequence.
B. The project is split into time-limited cycles, and focuses on pair programming for continuous code review.
C. The project is split into several phases where one phase cannot start before the previous phase finishes successfully.
D. Each project phase is independent from other phases to maintain adaptiveness and continual improvement.

Answer: A

QUESTION 502
Drag and Drop Question
Drag and drop the features of Cisco ASA with Firepower from the left onto the benefits on the right.

Answer:

QUESTION 503
Which two authentication protocols are supported by the Cisco WSA? (Choose two.)

A. WCCP
B. NTLM
C. TLS
D. SSL
E. LDAP

Answer: BE

QUESTION 504
When a Cisco Secure Web Appliance checks a web request, what occurs if it is unable to match a user-defined policy?

A. It blocks the request.
B. It applies the global policy.
C. It applies the next identification profile policy.
D. It applies the advanced policy.

Answer: B
Explanation:
Policy Order
The order in which policies are listed in a policy table determines the priority with which they are applied to Web requests. Web requests are checked against policies beginning at the top of the table and ending at the first policy matched. Any policies below that point in the table are not processed.
If no user-defined policy is matched against a Web request, then the global policy for that policy type is applied. Global policies are always positioned last in Policy tables and cannot be re-ordered.

QUESTION 505
Which Cisco solution extends network visibility, threat detection, and analytics to public cloud environments?

A. Cisco Umbrella
B. Cisco Stealthwatch Cloud
C. Cisco Appdynamics
D. Cisco CloudLock

Answer: B
Explanation:
https://blogs.cisco.com/security/agentless-threat-detection-for-microsoft-azure-workloads-with-cisco-stealthwatch-cloud

QUESTION 506
Which metric is used by the monitoring agent to collect and output packet loss and jitter information?

A. WSAv performance
B. AVC performance
C. OTCP performance
D. RTP performance

Answer: D
Explanation:
https://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/avc/guide/avc-user-guide/avc_tech_overview.html

QUESTION 507
Which two criteria must a certificate meet before the Cisco Secure Web Appliance uses it to decrypt application traffic? (Choose two.)

A. It must include the current date.
B. It must reside in the trusted store of the Secure Web Appliance.
C. It must reside in the trusted store of the endpoint.
D. It must have been signed by an internal CA.
E. it must contain a SAN.

Answer: BC
Explanation:
It must reside in the trusted store of the endpoint: The certificate used by the Secure Web Appliance for HTTPS decryption must be trusted by the client devices (endpoints). This ensures that the endpoints recognize the appliance as a trusted intermediary and do not display certificate warnings.
It must reside in the trusted store of the Secure Web Appliance: The appliance itself must have access to the certificate, including the private key, in its trusted certificate store to use it for decrypting and re-encrypting traffic.

QUESTION 508
What are two benefits of using Cisco Duo as an MFA solution? (Choose two.)

A. grants administrators a way to remotely wipe a lost or stolen device
B. provides simple and streamlined login experience for multiple applications and users
C. native integration that helps secure applications across multiple cloud platforms or on-premises environments
D. encrypts data that is stored on endpoints
E. allows for centralized management of endpoint device applications and configurations

Answer: BC

QUESTION 509
How does Cisco Workload Optimization portion of the network do EPP solutions solely performance issues?

A. It deploys an AWS Lambda system
B. It automates resource resizing
C. It optimizes a flow path
D. It sets up a workload forensic score

Answer: B

QUESTION 510
What are two benefits of using an MDM solution? (Choose two.)

A. grants administrators a way to remotely wipe a lost or stolen device
B. provides simple and streamlined login experience for multiple applications and users
C. native integration that helps secure applications across multiple cloud platforms or on-premises environments
D. encrypts data that is stored on endpoints
E. allows for centralized management of endpoint device applications and configurations

Answer: AE

QUESTION 511
A company has 5000 Windows users on its campus. Which two precautions should IT take to prevent WannaCry ransomware from spreading to all clients? (Choose two.)

A. Segment different departments to different IP blocks and enable Dynamic ARp inspection on all VLANs
B. Ensure that noncompliant endpoints are segmented off to contain any potential damage.
C. Ensure that a user cannot enter the network of another department.
D. Perform a posture check to allow only network access to (hose Windows devices that are already patched.
E. Put all company users in the trusted segment of NGFW and put all servers to the DMZ segment of the Cisco NGFW.

Answer: BD

QUESTION 512
What provides total management for mobile and PC including managing inventory and device tracking, remote view, and live troubleshooting using the included native remote desktop support?

A. mobile device management
B. mobile content management
C. mobile application management
D. mobile access management

Answer: A

QUESTION 513
What is the process In DevSecOps where all changes In the central code repository are merged and synchronized?

A. CD
B. EP
C. CI
D. QA

Answer: C
Explanation:
Continuous integration (CI) is the process of automating and integrating code changes and updates from many team members during software development. In CI, automated tools confirm that software code is valid and error-free before it’s integrated, which helps detect bugs and speed up new releases.
https://www.cisco.com/c/en/us/solutions/data-center/data-center-networking/what-is-ci-cd.html#~ci-cd-explained

QUESTION 514
Based on the NIST 800-145 guide, which cloud architecture may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises?

A. hybrid cloud
B. private cloud
C. public cloud
D. community cloud

Answer: D

QUESTION 515
Which type of data does the Cisco Stealthwatch system collect and analyze from routers, switches, and firewalls?

A. NTP
B. syslog
C. SNMP
D. NetFlow

Answer: D

Resources From:

1.2025 Latest Braindump2go 350-701 Exam Dumps (PDF & VCE) Free Share:
https://www.braindump2go.com/350-701.html

2.2025 Latest Braindump2go 350-701 PDF and 350-701 VCE Dumps Free Share:
https://drive.google.com/drive/folders/1Fz2rtzfDdCvomlIPqv3RZzNAkMIepErv?usp=sharing

3.2025 Free Braindump2go 350-701 Exam Questions Download:
https://www.braindump2go.com/free-online-pdf/350-701-VCE-Dumps(431-515).pdf

Free Resources from Braindump2go,We Devoted to Helping You 100% Pass All Exams!