Free Practice Questions for Cisco 350-401 Exam

The correct answers are B. Intrusion prevention and C. Application control.

Cisco documentation explains that a traditional firewall typically provides stateful inspection of traffic. A next-generation firewall (NGFW) adds advanced capabilities beyond that, including integrated intrusion prevention and application awareness/control.

Cisco describes Next-Generation Intrusion Prevention System (NGIPS) as a next-generation firewall capability that goes beyond what a standard stateful firewall provides. This allows the firewall to inspect traffic for malicious patterns and block threats, not just permit or deny sessions.

Cisco also lists Application Visibility and Control (AVC) or application awareness and control as a defining NGFW feature. This allows policies to be enforced based on the actual application, rather than only IP addresses, ports, and protocols.

A. Stateful traffic inspection This is a standard firewall capability, not a feature unique to NGFWs. Cisco specifically contrasts NGFW features with traditional stateful inspection.

D. Remote access VPN Cisco lists VPN as a firewall service, but it is not one of the advanced features that distinguish NGFW from a standard firewall. Cisco notes that NGFW capabilities are beyond traditional stateful inspection and VPN.

E. Network telemetry Network telemetry may be used for monitoring and analytics, but it is not identified by Cisco as one of the classic distinguishing NGFW features in this context.

ENCOR exam point:

Know this distinction clearly:

Standard firewall: mainly stateful inspection

Next-generation firewall: adds intrusion prevention and application control/visibility

The correct answer is B. TLS or SSL for communication.

In basic API authentication, credentials (such as username and password) are often transmitted using Base64 encoding, which is not encrypted. This makes them vulnerable to sniffer (packet capture) attacks if sent over an unencrypted channel.

TLS (Transport Layer Security) and its predecessor SSL provide encryption of the communication channel.

This ensures that even if packets are captured, the credentials remain confidential and unreadable.

Cisco documentation emphasizes that APIs (RESTCONF, HTTP-based APIs) should use HTTPS (HTTP over TLS) to secure credentials in transit.

A. VPN connection between client and server While a VPN encrypts traffic, it is not specifically required for API authentication security. The standard and expected method is TLS/HTTPS.

C. AAA services to authenticate the API AAA controls who can access, but it does not encrypt credentials in transit.

D. next-generation firewall A firewall provides traffic filtering and threat protection but does not directly secure credential transmission in basic API authentication.

Basic Authentication = NOT secure by itself

Always pair it with HTTPS (TLS encryption)

Rule to remember:

If credentials travel over the network → encrypt with TLS

A screenshot of a computer AI-generated content may be incorrect.