
CCNP Security: Threat Defence and Policy Enforcement

CCNP Security is Cisco's professional-level security certification and it spans a wide surface: network security policy, cloud security, content security, VPNs, and automation. The SCOR (350-701) core exam covers all of that at a breadth level, while your chosen elective goes deep on one domain. The exam tests real enterprise security architecture, not just feature lists.


SCOR Core: Threats, Defences, and Architecture

SCOR (350-701) splits into five domains. Security concepts cover the CIA triad, vulnerability versus threat versus risk, cryptographic foundations (symmetric/asymmetric, PKI, certificate chains), and authentication protocols (RADIUS, TACACS+, 802.1X). Network security tests Cisco firewall concepts — ASA security levels, zone-based policy on IOS-XE, and Firepower Threat Defence (FTD) policy architecture (prefilter, access control, intrusion, file, identity policies). Understand the difference between ASA and FTD in terms of management (ASDM versus FMC versus FDM).

Firepower: FMC Architecture and Policy Layers

FTD managed by FMC (Firepower Management Center) is the enterprise deployment model. Policy hierarchy: Platform Settings (device hardening) > Access Control Policy > Sub-policies (intrusion, file, identity). Network Analysis Policy (NAP) controls the preprocessors that feed Snort rules. Snort rules: header (protocol, source/dest IP/port, direction) and options (content, pcre, detection_filter, threshold, classtype). Understand how intrusion events, file events, and connection events differ in the event database. Security Intelligence (SI) blocks known-bad IPs/domains/URLs before access control rules are evaluated — it's the first line of defence.
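The rule anatomy described above (header of seven tokens, then an option list in parentheses) is easiest to internalise by pulling a rule apart. The parser below is an added example for this guide, not Snort or Cisco project code; the sample rule is constructed, its sid is a placeholder from the local (1000000+) range, and the variable names $EXTERNAL_NET / $HOME_NET are the usual Snort defaults rather than anything from this page.

```python
"""Parse Snort rule text into header fields and ordered option pairs.

Added example for this study guide, not Snort or Cisco project code. The
sample rule is constructed for illustration; sid 1000001 is a placeholder
in the local range, not a real Talos rule id.
"""
import re
from dataclasses import dataclass, field

# Constructed sample rule: header before '(', options inside the parentheses.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"EXAMPLE web probe"; flow:to_server,established; '
    'content:"GET /admin"; nocase; pcre:"/\\/admin(\\/|\\?|$)/i"; '
    'detection_filter:track by_src, count 5, seconds 60; '
    'classtype:web-application-attack; sid:1000001; rev:1;)'
)


@dataclass
class SnortRule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list = field(default_factory=list)  # ordered (keyword, value) pairs

    def option(self, keyword):
        """Return the value of the first option with this keyword, or None."""
        for key, value in self.options:
            if key == keyword:
                return value
        return None


def split_options(body):
    """Split the option body on ';', honouring quoted strings and backslash escapes."""
    items, current, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):
            current.append(body[i:i + 2])  # keep escape pairs such as \; or \" intact
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            items.append(''.join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    tail = ''.join(current).strip()
    if tail:
        items.append(tail)
    return [item for item in items if item]


def parse_rule(text):
    """Parse one rule: seven whitespace-separated header tokens, then '(' options ')'."""
    match = re.match(r'^(.*?)\s*\((.*)\)\s*$', text.strip(), re.S)
    if not match:
        raise ValueError("rule has no option section")
    header, body = match.group(1), match.group(2)
    tokens = header.split()
    if len(tokens) != 7 or tokens[4] not in ('->', '<>'):
        raise ValueError("header must be: action proto src sport direction dst dport")
    rule = SnortRule(*tokens)
    for item in split_options(body):
        key, _, value = item.partition(':')
        value = value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        rule.options.append((key.strip(), value))  # flag options like nocase get ''
    return rule
```

Running `parse_rule(SAMPLE_RULE)` separates the header (action, protocol, source, source port, direction, destination, destination port) from the options; `detection_filter` and `threshold` are options too, which is why they live inside the parentheses and not in the header.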

VPN Technologies: Site-to-Site and Remote Access

IKEv1 Phase 1 (main mode: 6 messages, identity protected; aggressive mode: 3 messages, identity in cleartext) establishes the IKE SA. Phase 2 (quick mode) establishes IPsec SAs. IKEv2 consolidates this into IKE_SA_INIT and IKE_AUTH exchanges — simpler and more efficient. FlexVPN uses IKEv2 natively and supports dynamic routing over VPN tunnels. DMVPN phases: Phase 1 (hub-and-spoke only), Phase 2 (spoke-to-spoke via NHRP resolution, split-horizon disabled on hub), Phase 3 (NHRP shortcuts, hub forwards first packet then updates routing). AnyConnect remote access uses SSL/TLS or IKEv2/IPsec.

Cloud Security, Content Security, and Automation

Cloud security concepts: shared responsibility model (IaaS/PaaS/SaaS boundaries), CASB (Cloud Access Security Broker) for visibility and control of SaaS applications, CSPM (Cloud Security Posture Management) for misconfiguration detection. Content security: Cisco Email Security (ESA) — inbound mail policies, outbreak filters, DLP, encryption; Cisco Web Security (WSA) — URL filtering, AVC, SSL decryption, WCCP redirect. Umbrella: DNS-layer security, SIG (Secure Internet Gateway), Roaming Client, and Investigate for threat intelligence. Automation: pxGrid for context sharing between security products, Cisco DNA Center for policy, SecureX for cross-platform orchestration. Python with requests or Cisco SDK for Firepower/ISE/Umbrella APIs.

Key exam facts — 350-701 / 300-710 / 300-715 / 300-720 / 300-725 / 300-730 / 300-735

  • SCOR (350-701) is mandatory; choose one elective from SNCF (firewall), SISE (identity), SESA (email), SWSA (web), SVPN (VPN), or SAUTO (automation)
  • FTD access control policy is evaluated top-down; the first matching rule wins — order matters enormously
  • IKEv2 uses 4 messages total (2 exchanges); IKEv1 main mode uses 6 — know this for comparison questions
  • DMVPN Phase 3 requires ip nhrp redirect on the hub and ip nhrp shortcut on spokes
  • Umbrella DNS security blocks malicious domains before any IP connection is made — effective even for C2 beaconing
  • TACACS+ encrypts the entire payload; RADIUS only encrypts the password field
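Two of these facts, Security Intelligence running before access control and the access control policy being top-down first-match, are worth seeing in code. The simulator below is an added example for this guide, not Cisco code or the FTD evaluation engine; zone names, networks and the SI blocklist entry are constructed, and the model is deliberately reduced to zones, networks and destination ports.

```python
"""Minimal model of FTD traffic evaluation: Security Intelligence first, then
top-down first-match access control rules, then the policy default action.

Added example for this study guide, not Cisco code. All zones, addresses,
rule names and the SI blocklist entry are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "block"
    src_zones: tuple = ()    # an empty tuple means "any" for every criterion
    dst_zones: tuple = ()
    src_nets: tuple = ()
    dst_nets: tuple = ()
    dst_ports: tuple = ()

    def matches(self, flow):
        def in_nets(ip, nets):
            addr = ipaddress.ip_address(ip)
            return not nets or any(addr in ipaddress.ip_network(n) for n in nets)

        return ((not self.src_zones or flow.src_zone in self.src_zones)
                and (not self.dst_zones or flow.dst_zone in self.dst_zones)
                and in_nets(flow.src_ip, self.src_nets)
                and in_nets(flow.dst_ip, self.dst_nets)
                and (not self.dst_ports or flow.dst_port in self.dst_ports))


# Constructed SI entry; in FTD these come from Talos feeds or custom lists.
SI_BLOCKLIST = {"203.0.113.66"}


def evaluate(flow, rules, default_action="block"):
    """Return (verdict, reason). SI is checked before any access control rule."""
    if flow.src_ip in SI_BLOCKLIST or flow.dst_ip in SI_BLOCKLIST:
        return "block", "security-intelligence"
    for rule in rules:               # ordered list: the first matching rule wins
        if rule.matches(flow):
            return rule.action, rule.name
    return default_action, "default-action"


# Two constructed rules that overlap for hosts in the guest VLAN.
INSIDE_TO_DMZ_WEB = Rule("inside-to-dmz-web", "allow",
                         src_zones=("inside",), dst_zones=("dmz",),
                         dst_ports=(80, 443))
BLOCK_GUEST_VLAN = Rule("block-guest-vlan", "block", src_nets=("10.20.0.0/16",))


def ordering_matters():
    """Same flow, same two rules, opposite verdicts depending on rule order."""
    flow = Flow("inside", "dmz", "10.20.5.9", "192.0.2.10", 443)
    allow_first = evaluate(flow, [INSIDE_TO_DMZ_WEB, BLOCK_GUEST_VLAN])
    block_first = evaluate(flow, [BLOCK_GUEST_VLAN, INSIDE_TO_DMZ_WEB])
    return allow_first, block_first


if __name__ == "__main__":
    print(ordering_matters())
```

A guest-VLAN host reaching the DMZ web server is allowed when the web rule sits above the guest block and denied when the order is reversed, which is exactly the "order matters" point; an SI hit short-circuits before either rule is consulted.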

Common exam traps

  • Trap: FTD uses security levels just like the ASA. Correction: ASA security levels control traffic direction by default (higher to lower allowed) — FTD uses explicit zone-based rules instead
  • Trap: Both IPS inline and IDS promiscuous modes can actively block traffic. Correction: IPS inline mode drops packets in real time; IDS promiscuous mode only alerts — inline placement is required for blocking
  • Trap: Cisco ISE is a firewall that enforces traffic policy directly. Correction: Cisco ISE is not a firewall — it provides policy and identity services that other devices enforce
