Architecture Assessment Trivia Quiz
-
A customer calls you because some settings have been changed on their XG Firewall by the admin user. Your customer is the only person that knows the admin password but some of the IT department have access using SSH keys. How can your customer identify who logged in to make the changes? Select one:
-
Find the SSH key in dropbear.log
-
This information cannot be found
-
Check the audit.log
-
Search in the Log Viewer
-
This Architecture Assessment Trivia Quiz focuses on practical scenarios involving Sophos XG Firewall configurations. It assesses skills in network security, firewall rule management, and system troubleshooting, catering to professionals seeking to enhance their technical expertise in firewall administration.
Quiz Preview
- 2.
Look at the diagram below. Where does DNAT happen? Select one or more:
-
1
-
2
-
3
-
4
-
5
-
6
-
7
Correct Answer(s)
A. 1
A. 5Explanation
Check the image on page 55Rate this question:
-
- 3.
Your customer has an XG Firewall that is deployed in gateway mode, and they want to create a bridge pair with an interface in a LAN zone and an interface in a DMZ. Can this be done? Select one:
-
Yes
-
No
Correct Answer
A. YesExplanation
Check the image on page 40Rate this question:
-
- 4.
Which of the following dynamic routing protocols are supported by Sophos XG Firewall? (select all that apply) Select one or more:
-
EIGRP
-
RIP
-
OSPF
-
IS-IS
-
IGRP
-
BGP
-
PIM-SM
Correct Answer(s)
A. RIP
A. OSPF
A. BGP
A. PIM-SMExplanation
Check the image on page no 76Rate this question:
-
- 5.
In Lab 2 you created a bridge with two ports that were both in the LAN zone, but the computers were not able to ping each other. If both ports are in the same zone why could the computers not ping each other? Select one:
-
There was no firewall rule to allow traffic from the LAN zone to another port in the LAN zone
-
Routing had not been enabled for the bridge pair
-
ICMP had not been enabled for the LAN zone
Correct Answer
A. There was no firewall rule to allow traffic from the LAN zone to another port in the LAN zoneExplanation
The computers were not able to ping each other because there was no firewall rule in place to allow traffic from the LAN zone to another port in the LAN zone. Without this rule, the firewall was blocking the communication between the computers even though they were in the same zone.Rate this question:
-
- 6.
You are the network administrator of the Sophos Store, a large retailer of socks and stickers.The Sophos Store has a head office in London with branch offices in New York and Vancouver and retail stores located throughout the world.
- The Sophos Store has multiple servers in subnet 192.168.1.0/2
- The user network subnet is 172.16.1.0/24
- Sophos Store would like to increase the internal bandwidth for each server
-
Add another NIC to the server and configure Gateway mode with Multi port L3 bridge
-
Connect another XG Firewall Port to the switch and configure Active-Backup LAG
-
Connect another XG Firewall Port to the switch and configure 802.3ad LAG
-
Add another NIC to the server and make L3 bridge with multiple ports
Correct Answer
A. Connect another XG Firewall Port to the switch and configure 802.3ad LAGExplanation
Connecting another XG Firewall Port to the switch and configuring 802.3ad LAG would be recommended to Sophos Store. This would allow for the aggregation of multiple ports, increasing the internal bandwidth for each server. LAG (Link Aggregation Group) combines multiple physical connections into a single logical connection, providing higher throughput and redundancy. 802.3ad is a standard for link aggregation that ensures load balancing and fault tolerance across the aggregated links. This solution would effectively enhance the internal bandwidth for the servers at the Sophos Store.Rate this question:
- 7.
Your customer contacts you for assistance in configuring DoS (Denial-of-Service) protection for their public facing application server. The customer has provided this network diagram and the following information about the application:
- The application server requires an MTU of 1460
- The application requires up to 73kb of data to be transferred to complete a transaction for a connected client
- A connected client might perform up to 5 transactions per second
- The application uses a proprietary protocol
-
Configure the packets per second in the DoS policy to 25,600
-
Configure the DoS policy for SYN-Flood protection
-
Configure the DoS policy for UDP-Flood protection
-
Configure the DoS policy per destination
-
Configure the packets per second in the DoS policy to 256
-
Configure the packets per second in the DoS policy to 2,560
-
Configure the DoS policy per source
Correct Answer(s)
A. Configure the DoS policy for UDP-Flood protection
A. Configure the packets per second in the DoS policy to 256
A. Configure the DoS policy per sourceExplanation
73kb ----- 73*1024=74752 mb total MB / mtu 74752/1460=51.2 51.2*5 packet per second=256Rate this question:
- 8.
In Lab 3 you configured a local NAT policy. What would the command be to SNAT the traffic from the XG firewall to the Internet to 10.1.1.45? Select one:
-
Set advanced-firewall sys-traffic-nat add destination 0.0.0.0 netmask 0.0.0.0 snatip 10.1.1.45
-
Set advanced-firewall sys-traffic-nat add destination * snatip 10.1.1.45
-
Set advanced-firewall sys-traffic-nat add snatip 10.1.1.45
Correct Answer
A. Set advanced-firewall sys-traffic-nat add destination 0.0.0.0 netmask 0.0.0.0 snatip 10.1.1.45Explanation
The correct command to SNAT the traffic from the XG firewall to the Internet to 10.1.1.45 is "set advanced-firewall sys-traffic-nat add destination 0.0.0.0 netmask 0.0.0.0 snatip 10.1.1.45". This command sets up a NAT policy that specifies a destination of 0.0.0.0 netmask 0.0.0.0, which represents all traffic, and SNATs it to the IP address 10.1.1.45.Rate this question:
-
- 9.
TRUE or FALSE: IPS policies can be applied to both User/Network rules and Business Application rules. Select one:
-
True
-
False
Correct Answer
A. TrueExplanation
IPS policies can indeed be applied to both User/Network rules and Business Application rules. Intrusion Prevention System (IPS) policies are designed to protect networks and systems from potential threats and attacks. These policies can include rules that define the behavior and actions allowed or blocked for users and network traffic, as well as rules specific to business applications. By applying IPS policies to both types of rules, organizations can enhance their overall security posture and mitigate risks from various sources.Rate this question:
-
- 10.
In Lab 3 you configured an advanced DoS policy. What command can you use to see the existing dos rules? Select one:
-
System dos-config show dos-rules
-
Show dos-config rules
-
Dos-config show dos-policies
-
System show dos-rules
Correct Answer
A. System dos-config show dos-rulesExplanation
The correct answer is "system dos-config show dos-rules". This command is used to view the existing DoS rules in Lab 3.Rate this question:
-
- 11.
Your customer's environment consists of a number of Windows servers, as well as Windows and Mac desktops and laptops. Users have commented that accessing files on the server has been slower since the new firewall was installed. After examining the configuration, you document that the servers are located in a separate zone called SERVERS and the users are located in the LAN zone. After researching the issue further, you believe that the issue is related to the IPS scanning of the traffic as it is passing from the LAN to the SERVERS zone. Currently, the LAN to DMZ IPS policy is applied to the network rule allowing the traffic to pass from one zone to the other. Which of the following options would you recommend to improve the performance for the users transferring files between the zones? Select one:
-
Disable IPS for the LAN zone to the SERVERS zone
-
Configure the Local NAT Policy on the firewall
-
Change the FastPath threshold value
-
Configure a more appropriate IPS policy for the LAN zone to the SERVERS zone
-
Adjust the size of the connection tracking database
-
Turn off Strict Policy on the firewall
Correct Answer
A. Configure a more appropriate IPS policy for the LAN zone to the SERVERS zoneExplanation
The given scenario suggests that the slow file access issue is due to the IPS scanning of traffic between the LAN and SERVERS zone. To improve performance, it is recommended to configure a more appropriate IPS policy for the LAN zone to the SERVERS zone. This means adjusting the IPS settings to better suit the traffic between these zones, potentially reducing the scanning overhead and improving file transfer speeds.Rate this question:
-
- 12.
A customer is configuring a Web Server Protection Policy but is not sure what needs to be added to the 'Entry URLs' field when Static URL Hardening is enabled. What do you tell your customer? (select all that apply) Select one or more:
-
You need to add all list of the URLs that you want to be hardened
-
You can include wildcards in the URLs
-
You need to add all of the URLs that you want people to access directly
-
The URLs are case sensitive
-
You need to add all of the URLs on your website
-
You need to add all of the directories on your website
Correct Answer(s)
A. You need to add all of the URLs that you want people to access directly
A. The URLs are case sensitiveExplanation
When Static URL Hardening is enabled, the 'Entry URLs' field in the Web Server Protection Policy should contain all the URLs that the customer wants people to access directly. This means that only the URLs added to this field will be hardened. Additionally, the URLs are case sensitive, so the customer needs to ensure that the correct case is used when adding them to the 'Entry URLs' field.Rate this question:
-
- 13.
In Lab 4 you configured a Webserver Protection Business Application Rule that load-balanced two intranet severs. How could you configure this so that one of the servers is the primary server and the other is only used as a backup? Select one:
-
Enable Path-specific routing and select 'Hot-standby mode'
-
Web Server Protection cannot do this, you need to use a load-balancing Business Application Rule
-
Enable 'Sticky Sessions'
-
Create two separate Business Application Rules, the top one will be the primary
Correct Answer
A. Enable Path-specific routing and select 'Hot-standby mode' -
- 14.
Your customer is configuring Web Server for their webmail but is getting an error when they try to login. Look at the log file below and select what needs to be done to resolve the error. (select all that apply) Select One or more :
-
Create an antivirus exception for the URL /MEWebMail/Mondo/lang/sys/login.aspx
-
Create a form hardening exception for the URL /MEWebMail/Mondo/lang/sys/login.aspx
-
Add ID 981003 to the filter rule skip list
-
Enable accept unhardened form data for the URL /MEWebMail/Mondo/lang/sys/login.aspx
-
Add ID 981200 to the filter rule skip list
-
Add ID 9 to the filter rule skip list
Correct Answer
A. Create a form hardening exception for the URL /MEWebMail/Mondo/lang/sys/login.aspxExplanation
Based on the given log file, the error encountered during login on the webmail is likely due to form hardening. Therefore, creating a form hardening exception for the URL /MEWebMail/Mondo/lang/sys/login.aspx would resolve the error.Rate this question:
-
- 15.
Your customer is configuring Web Server for their webmail but is getting an error when they try to login. Look at the log file below and select what needs to be done to resolve the error. (select all that apply) Select One or more :
-
Create an antivirus exception for the URL /MEWebMail/Mondo/lang/sys/login.aspx
-
Enable accept unhardened form data for the URL /MEWebMail/Mondo/lang/sys/login.aspx
-
Add ID 9 to the filter rule skip list
-
Add ID 981003 to the filter rule skip list
-
Create a form hardening exception for the URL /MEWebMail/Mondo/lang/sys/login.aspx
-
Add ID 981200 to the filter rule skip list
Correct Answer(s)
A. Add ID 981003 to the filter rule skip list
A. Add ID 981200 to the filter rule skip listExplanation
The error in the log file suggests that there is a filter rule blocking the login process. By adding ID 981003 and ID 981200 to the filter rule skip list, the web server will bypass these specific filter rules and allow the login to proceed successfully. This will resolve the error and allow the customer to log in to their webmail.Rate this question:
-
- 16.
You configured Web Server Authentication for a customer when you deployed their XG Firewall some time ago. The customer wants to allow another group to authenticate for the protected web service but does not know where to do this. Where do you direct your customer to add this group? Select one:
-
In the Authentication Template
-
In the Web Server Protection Policy
-
In the Path-specific routing
-
In the firewall authentication methods
-
In the Web Server Authentication Policy
-
In the Business Application Rule
-
In the Authentication Server
Correct Answer
A. In the Authentication TemplateExplanation
In order to add another group to authenticate for the protected web service, the customer should be directed to add this group in the Authentication Template.Rate this question:
-
- 17.
A customer is having problems configuring Web Server Protection for a section of their website that dynamically generates a survey in the browser. What do they need to configure to resolve the problem? Select one:
-
Enabled 'Pass Outlook Anywhere' in the Protection Policy
-
Enable 'Rewrite HTML' in the Business Application Rule
-
Create an exception for that path that will skip static URL hardening
-
Create an exception for that path that will skip cookie signing
-
Enable 'Pass Host Header' in the Business Application Rule
-
Create an exception for that path that will 'Accept unhardened form data'
Correct Answer
A. Create an exception for that path that will 'Accept unhardened form data'Explanation
To resolve the problem, the customer needs to create an exception for the specific path that will allow the web server to accept unhardened form data. This means that the web server protection will not apply to the section of the website that dynamically generates the survey in the browser, allowing it to function properly without any configuration issues.Rate this question:
-
- 18.
After configuring two new VPN connections, everything is running fine until the remote office loses Internet access. When it comes back up, the users are complaining that they can no longer access resources in the head office network. You verify that the Internet is working at both locations and then look at the VPN configuration, which is as below. What needs to be adjusted in the remote office? Select one:
-
Authentication Type
-
Action on VPN Restart
-
Remote IP Address
-
Connection Type
-
Policy
Correct Answer
A. Action on VPN Restart -
- 19.
Your company is configuring a site to site VPN with another company in order to share information for an upcoming project. The two networks have the following IP address network ranges: What feature can be used in the IPsec site-to-site VPN on an XG Firewall in order to allow communication between these networks? Select one:
-
NAT Overlap
-
NAT Traversal
-
Route Precedence
-
VPN Failover
Correct Answer
A. NAT OverlapExplanation
NAT Overlap can be used in the IPsec site-to-site VPN on an XG Firewall to allow communication between these networks. NAT Overlap is a feature that allows multiple devices on a private network to share a single public IP address. In this scenario, the two networks have overlapping IP address ranges, which means that without NAT Overlap, there would be conflicts and communication between the networks would not be possible. By enabling NAT Overlap, the XG Firewall can translate the overlapping IP addresses to unique addresses, ensuring that communication between the networks is successful.Rate this question:
-
- 20.
In Lab 5, if the New York Gateway had 2 WAN connections, then how many IPsec connections would be created on the New York Gateway in order to take advantage of the maximum number of possible VPN failover routes? Select one :
-
1
-
2
-
3
-
4
-
6
-
8
-
10
Correct Answer
A. 4Explanation
If the New York Gateway had 2 WAN connections, then there would be a total of 4 IPsec connections created on the New York Gateway in order to take advantage of the maximum number of possible VPN failover routes. Each WAN connection would require 2 IPsec connections, resulting in a total of 4 IPsec connections.Rate this question:
-
- 21.
A customer has added an MPLS between its large offices in the UK, US and Japan. The customer also has VPNs connecting the larger offices and the smaller offices. The customer has noticed that the traffic between the larger offices is going over the slower VPNs rather than the faster MPLS. What options would the customer have in order to route the traffic over the MPLS? Select one or more:
-
Configure the Local NAT Policy
-
Configure route precedence on the XG firewall
-
Change the order of the firewall rules so the MPLS traffic rule is above the VPN rule.
-
Adjust the weights on the static routes
-
Configure Policy based routing to route the traffic
Correct Answer(s)
A. Configure route precedence on the XG firewall
A. Configure Policy based routing to route the trafficExplanation
The customer can configure route precedence on the XG firewall to prioritize the MPLS traffic over the VPN traffic. This will ensure that the traffic between the larger offices is routed through the faster MPLS connection. Additionally, the customer can also configure policy-based routing to explicitly route the traffic over the MPLS. These options will allow the customer to control the routing of traffic and ensure that it takes the desired path.Rate this question:
-
- 22.
A client contacts you complaining that their virtual XG firewall has been running very slowly. The client is running a central XG firewall on a virtual host and has over 100 remote locations connected to this host via XG to XG RED tunnels. They have followed the best practices for firewall and security configurations. After gathering some information on the existing setup, you find that the virtual host is running on older hardware and the CPU's are consistently showing very high utilization. Without compromising the security of the device or the network, what would you recommend to the customer to help alleviate the slowness problem? Select one:
-
Turn off Tunnel Compression on all of the RED tunnels between the Host and the remote locations
-
Add a second virtual XG firewall to the virtual host and move half of the RED connections to it
-
Disable IPS on any policies not using HTTP
Correct Answer
A. Turn off Tunnel Compression on all of the RED tunnels between the Host and the remote locations -
- 23.
In which RED deployment mode do you need to configure the following?
- IP address of the RED interface on the Sophos XG Firewall
- Zone of the RED interface on the Sophos XG Firewall
- DHCP Server
- A list of split networks
-
Standard/Split
-
Transparent/Split
-
Standard/Unified
Correct Answer
A. Standard/SplitExplanation
In the Standard/Split deployment mode, the following configurations need to be made on the Sophos XG Firewall: IP address of the RED interface, Zone of the RED interface, DHCP Server, and a list of split networks. This mode allows the RED device to be connected to a separate network segment, and the traffic from the RED device is split between the local and remote networks.Rate this question:
- 24.
How is a RED configured to connect to Sophos XG Firewall? (select all that apply) Select one or more:
-
The configuration is created on Sophos XG Firewall
-
The RED can load the configuration from a USB drive
-
The RED can download the configuration from the provisioning servers
-
The RED sends a discovery packet to the IP address 1.2.3.4
-
The RED can be configured using its own web interface
Correct Answer(s)
A. The configuration is created on Sophos XG Firewall
A. The RED can load the configuration from a USB drive
A. The RED can download the configuration from the provisioning serversExplanation
The configuration for a RED can be created directly on the Sophos XG Firewall. Additionally, the RED can load the configuration from a USB drive or download it from the provisioning servers. This allows for flexibility in how the RED is configured and allows for easy deployment and management of multiple RED devices.Rate this question:
-
- 25.
When configuring a RED manually with a USB stick, what do you need to consider? (select all that apply) Select one:
-
The WAN interface must have a static IP address
-
If you lose the unlock code the RED cannot ever be connected to another Sophos XG Firewall
-
The USB key must never be unplugged from the RED
Correct Answer
A. If you lose the unlock code the RED cannot ever be connected to another Sophos XG FirewallExplanation
If you lose the unlock code for the RED device, it cannot be connected to another Sophos XG Firewall. This means that the device will be permanently locked and unable to establish a connection with any other firewall. Therefore, it is important to keep the unlock code safe and secure to ensure the proper functioning of the RED device.Rate this question:
-
- 26.
In Lab 5 you configured an XG-to-XG RED tunnel. You have configured a RED tunnel between two XG Firewalls but you are unable to connect to a server at the remote site. What are the most likely causes of this problem? Select one or more:
-
There is no firewall rule to allow the traffic
-
No route has been configured for the traffic
-
The route precedence needs to be configured to favor the RED tunnel
-
The XG Firewall needs to be rebooted
-
The RED tunnel needs to be added to the VPN zone
Correct Answer(s)
A. There is no firewall rule to allow the traffic
A. No route has been configured for the trafficExplanation
The most likely causes of the problem are that there is no firewall rule to allow the traffic and no route has been configured for the traffic. Without a firewall rule allowing the traffic, the XG Firewalls will block the connection. Additionally, without a configured route, the XG Firewalls will not know how to properly direct the traffic to the remote site.Rate this question:
-
- 27.
Your customer has deployed STAS on their network for single sign-on. Users at a small branch site that does not have a domain controller are not being authenticated with the XG Firewall at that site, but they can be seen in the Live Users list on the head office XG Firewall. The small branch site is connected to the head office using an SSL site-to-site VPN. What could be the problem? (select all that apply) Select one or more:
-
The agent may not be configured with the collector IP address
-
The collector may not be configured with the IP address of the branch office XG Firewall and vice versa
-
The XG Firewall in the branch office may not be configured to allow the Collector in the VPN zone
Correct Answer(s)
A. The collector may not be configured with the IP address of the branch office XG Firewall and vice versa
A. The XG Firewall in the branch office may not be configured to allow the Collector in the VPN zoneExplanation
The problem could be that the collector is not configured with the IP address of the branch office XG Firewall and vice versa. This means that the collector is not able to communicate with the XG Firewall at the branch office, causing the authentication process to fail. Additionally, the XG Firewall in the branch office may not be configured to allow the collector in the VPN zone, further preventing authentication from taking place.Rate this question:
-
- 28.
You are troubleshooting STAS issues for a customer and want to check that logins are being reported to the XG Firewall by STAS.
- The IP address of the XG Firewall is 172.16.16.16
- The IP address of the STA Collector is 172.16.16.50
- The IP address of the STA Agent is 172.16.16.43
-
Tcpdump "host 172.16.16.78 and port 6060"
-
Tcpdump "host 172.16.16.50 and port 5566"
-
Tcpdump "host 172.16.16.78 and port 6677"
-
Tcpdump "host 172.16.16.43 and port 6677"
-
Tcpdump "host 172.16.16.43 and port 5566"
-
Tcpdump "host 172.16.16.16 and port 6677"
-
Tcpdump "host 172.16.16.16 and port 6060"
Correct Answer
A. Tcpdump "host 172.16.16.16 and port 6060"Explanation
The correct answer is "tcpdump "host 172.16.16.16 and port 6060". This command will capture network traffic on the XG Firewall with the IP address 172.16.16.16 and the port number 6060. By using this command, you can check if logins are being reported to the XG Firewall by STAS.Rate this question:
- 29.
In Lab 6 you cleared the cached authentication status after installing STAS. How can you remove computers from the authentication cache? (select all that apply) Select one or more:
-
With the command "ipset -D lusers "
-
Flush the cache for the Authentication Server
-
Restart the Authentication service in the WebAdmin
-
Reinstall the STAS software
Correct Answer(s)
A. With the command "ipset -D lusers "
A. Restart the Authentication service in the WebAdminExplanation
To remove computers from the authentication cache, you can use the command "ipset -D lusers" and restart the Authentication service in the WebAdmin. These actions will clear the cached authentication status and remove the computers from the cache.Rate this question:
-
- 30.
Your customer has configured Security Heartbeat on their XG Firewall so that only computers that have a GREEN heartbeat status are able to connect to the intranet servers. The computers that are connecting through an SSL remote access VPN using split tunneling are unable to access the intranet servers. What can the customer to do to resolve the problem? (select all that apply) Select one or more:
-
Configure the heartbeat IP address as a permitted network resource in the VPN profile
-
Configure the DNS server for the computer to be the XG Firewall
-
Enable VPN support for the firewall in Sophos Central
-
Add the WAN port to the permitted network resources for the VPN
-
Add 'cloud.sophos.com' to the VPN permitted network resourced
Correct Answer
A. Configure the heartbeat IP address as a permitted network resource in the VPN profileExplanation
The customer should configure the heartbeat IP address as a permitted network resource in the VPN profile. This will allow the computers connecting through the SSL remote access VPN to access the intranet servers by recognizing their GREEN heartbeat status.Rate this question:
-
- 31.
Your customer has called you because they have a computer with a YELLOW heartbeat and they are not sure what this means. What do you tell your customer are possible causes of this? (select all that apply) Select one or more:
-
Malware has not been cleaned up
-
Malicious traffic to a known C&C server has been detected
-
Active malware has been detected
-
The Endpoint Agent is not running
-
Inactive malware has been detected
-
A PUA (Potentially Unwanted Application) has been detected
-
Communications to a known bad host has been detected
Correct Answer(s)
A. Inactive malware has been detected
A. A PUA (Potentially Unwanted Application) has been detectedExplanation
Possible causes of a computer with a YELLOW heartbeat could be that inactive malware has been detected or a PUA (Potentially Unwanted Application) has been detected.Rate this question:
-
- 32.
In Lab 7 you simulated a computer with a missing heartbeat, and interrogated the XG Firewall for computers with a missing heartbeat. How does the XG Firewall identify computers that are missing the Security Heartbeat? Select one:
-
User
-
Client ID
-
MAC Address
-
IP Address
-
Hostname
-
Live lookup to Sophos Central
Correct Answer
A. MAC AddressExplanation
The XG Firewall identifies computers that are missing the Security Heartbeat based on their MAC Address.Rate this question:
-
- 33.
You have a RED device deployed at a remote network in a standard/split configuration. When you connect a Sophos access point to the remote network, it never appears in the pending access point list on the XG Firewall. What configuration change needs to be made for the RED connection? Select one:
-
Add the IP address of the XG firewall to the split networks
-
Add the IP address of the access point to the split networks
-
Add 1.2.3.4 to the remote network list
-
Configure a split DNS server address
Correct Answer
A. Add 1.2.3.4 to the remote network listExplanation
Adding 1.2.3.4 to the remote network list will allow the Sophos access point to be recognized by the XG Firewall.Rate this question:
-
- 34.
Wireless access points are being deployed across a large office space. There will only be one network broadcast from the access points and because of the large space, you would like to take advantage of Fast BSS to ensure that users have the best roaming experience. What security modes can be used to support Fast BSS? (select all that apply) Select one or more:
-
WEP
-
WPA
-
WPA2
Correct Answer
A. WPA2Explanation
WPA2 can be used to support Fast BSS. WPA2 is the most secure security mode among the options given. It provides stronger encryption and authentication compared to WEP and WPA, making it the ideal choice for ensuring the security of the network while also allowing for a seamless roaming experience for users in the large office space.Rate this question:
-
- 35.
You have a large network that spans many different subnets. Wireless has been deployed in the network however there are issues with access points communicating back to the XG Firewall. You have identified security devices in the network that may be blocking ports between the XG Firewall and the APs. What ports need to be open to allow for proper wireless communication? (select all that apply) Select one or more:
-
414 UDP
-
2712 TCP
-
415 UDP
-
3148 UDP
-
443 TCP
Correct Answer(s)
A. 414 UDP
A. 2712 TCP
A. 415 UDPExplanation
The correct answer is 414 UDP, 2712 TCP, and 415 UDP. These ports need to be open to allow for proper wireless communication between the access points and the XG Firewall. The UDP protocol is used for port 414 and 415, while the TCP protocol is used for port 2712. By opening these ports, the access points will be able to communicate with the XG Firewall effectively, resolving the communication issues.Rate this question:
-
- 36.
You are working with a large customer with offices in countries all round the world, including London, New York, Milan, Sidney and Singapore. Your customer is already using XG Firewall at all of their offices, and now wants to roll out wireless access points at all sites to provide wireless access to their main internal network, as well as guest networks. In order to prepare for the rollout, what actions would you recommend to the customer in order to gather information and plan out the wireless deployment in the various offices? (select all that apply) Select one or more:
-
Determine if any of the walls or ceilings are made of materials that will significantly impede the signal
-
Floor plan of the offices
-
Perform a site survey at the various locations
-
Scan the to see which channels are being used by other wireless networks
-
The number of computers connecting to the physical network
-
Estimate the number of devices that will be connecting at each location
-
The number of servers in each office
Correct Answer(s)
A. Determine if any of the walls or ceilings are made of materials that will significantly impede the signal
A. Floor plan of the offices
A. Perform a site survey at the various locations
A. Scan the to see which channels are being used by other wireless networks
A. Estimate the number of devices that will be connecting at each locationExplanation
To gather information and plan out the wireless deployment, it is recommended to determine if any of the walls or ceilings are made of materials that will significantly impede the signal. This is important to ensure that the wireless access points can provide adequate coverage in all areas. Additionally, obtaining the floor plan of the offices will help in identifying the optimal locations for installing the access points. Performing a site survey at the various locations will further assess the signal strength and potential interference sources. Scanning the channels used by other wireless networks will help in selecting the least congested channels for deployment. Lastly, estimating the number of devices that will be connecting at each location is necessary to determine the capacity requirements for the wireless network.Rate this question:
-
- 37.
An existing customer wants to roll out VPN access to a large number of users. What should they consider when choosing which type of VPN to use? Select one or more:
-
The number of ports on the XG Firewall
-
How heavily utilized the current device is
-
The cost of the VPN client
-
Specific security requirements
-
How much bandwidth is available where the XG is located
-
Whether users will be connecting using wireless
Correct Answer(s)
A. How heavily utilized the current device is
A. The cost of the VPN client
A. Specific security requirements
A. How much bandwidth is available where the XG is locatedExplanation
When choosing which type of VPN to use for rolling out VPN access to a large number of users, several factors should be considered. Firstly, the heaviness of the current device's utilization is important to ensure that it can handle the increased workload. Secondly, the cost of the VPN client needs to be taken into account to ensure it fits within the budget. Additionally, specific security requirements must be considered to ensure the chosen VPN meets the necessary security standards. Lastly, the amount of available bandwidth where the XG is located should be considered to ensure smooth and efficient VPN connections.Rate this question:
-
- 38.
On which devices can you disable HA? (select all that apply) Select one or more:
-
Primary
-
Auxiliary
-
Standalone
Correct Answer(s)
A. Primary
A. StandaloneExplanation
You can disable HA on the Primary device and the Standalone device. This means that you have the option to turn off High Availability on these devices.Rate this question:
-
- 39.
Which of the following statements are TRUE about the virtual MAC address in an Active-Active HA cluster? (select all that apply) Select one or more:
-
The primary device owns the virtual MAC address
-
There is a virtual IP assigned to the virtual MAC address
-
The virtual MAC address is the physical address of the primary device
-
There is one virtual MAC address for each interface except the dedicated HA port
-
The virtual MAC address is applied to the interface on both devices
Correct Answer(s)
A. The primary device owns the virtual MAC address
A. There is one virtual MAC address for each interface except the dedicated HA portExplanation
The primary device owns the virtual MAC address, meaning that it is responsible for responding to ARP requests for the virtual MAC address. Additionally, there is one virtual MAC address for each interface except the dedicated HA port. This means that each interface in the Active-Active HA cluster has its own unique virtual MAC address.Rate this question:
-
- 40.
Which of the following statements are TRUE about the port that is used for the dedicated HA link? (select all that apply) Select one or more:
-
Must have the TELNET admin service enabled
-
Must have the SSH admin service enabled
-
Can be configured via DHCP
-
Must be in a zone of type DMZ
-
Must be in a zone of type HA
-
Must be the same port on both devices
-
The IP address must be in the same subnet on both devices
Correct Answer(s)
A. Must have the SSH admin service enabled
A. Must be in a zone of type DMZ
A. Must be the same port on both devices
A. The IP address must be in the same subnet on both devicesExplanation
The port used for the dedicated HA link must have the SSH admin service enabled because it is used for secure communication between the devices. It must also be in a zone of type DMZ, which is a demilitarized zone that separates the internal network from the external network. The port must be the same on both devices to establish a connection, and the IP address assigned to the port must be in the same subnet on both devices for proper communication.Rate this question:
-
- 41.
Which of the following are prerequisites for creating a HA cluster? (select all that apply) Select one or more:
-
The MTU-MSS on the dedicated port should be default
-
Hardware devices must be the same model
-
The MAC address must be overridden on the dedicated HA port
-
The Sophos XG Firewall firmware version must be the same
-
Devices must have the same number of ports
Correct Answer(s)
A. The MTU-MSS on the dedicated port should be default
A. Hardware devices must be the same model
A. The Sophos XG Firewall firmware version must be the same
A. Devices must have the same number of portsExplanation
To create a high availability (HA) cluster, several prerequisites need to be met. The first requirement is that the MTU-MSS (Maximum Transmission Unit - Maximum Segment Size) on the dedicated port should be set to default. This ensures proper communication between the devices in the cluster. Secondly, the hardware devices must be the same model to ensure compatibility and seamless failover. Additionally, the Sophos XG Firewall firmware version must be the same on all devices to ensure consistent functionality and configuration. Lastly, the devices must have the same number of ports to ensure proper network connectivity and redundancy.Rate this question:
-
- 42.
In Lab 8 you created an Active-Active cluster, and then an Active-Passive cluster. How do you convert an Active-Active cluster into an Active-Passive cluster? Select one:
-
Use the "system ha active-active off" command
-
Disable HA and create a new cluster
-
Change the cluster mode on the primary device
Correct Answer
A. Disable HA and create a new clusterExplanation
To convert an Active-Active cluster into an Active-Passive cluster, the HA (High Availability) needs to be disabled and a new cluster needs to be created. This involves configuring one device as the active device and the other device as the passive device. The active device will handle all the traffic and the passive device will remain idle until the active device fails, at which point it will take over the traffic handling responsibilities.Rate this question:
-
- 43.
What are the primary considerations when sizing a RED? (select all that apply) Select one or more:
-
Number of users
-
Dual WAN ports
-
Throughput (Mbit/s)
-
VLAN tagging
-
LCD display
-
Built-in wireless
Correct Answer(s)
A. Dual WAN ports
A. Throughput (Mbit/s)
A. VLAN tagging
A. Built-in wirelessExplanation
When sizing a RED, the primary considerations include the number of users, throughput (Mbit/s), VLAN tagging, and built-in wireless. Dual WAN ports and LCD display are not mentioned as primary considerations for sizing a RED.Rate this question:
-
- 44.
When you are sizing for a virtual XG Firewall, what performance decrease should you allow for the hypervisor? Select one:
-
12%
-
10%
-
5%
-
15%
-
7%
Correct Answer
A. 10%Explanation
When sizing for a virtual XG Firewall, it is important to consider the performance decrease caused by the hypervisor. The correct answer is 10%. This means that when determining the required resources for the virtual firewall, you should account for a 10% decrease in performance due to the hypervisor overhead. This ensures that the virtual firewall has enough resources to handle the expected workload efficiently and effectively.Rate this question:
-
- 45.
A customer wants to protect external access to their Exchange server using Web Server Protection on the XG Firewall. What information would you need to be able to accurately size this? Select one or more:
-
The average number of concurrent users
-
The issuer of the HTTPS certificate
-
The peak number of concurrent users
-
Who their ISP is
-
The number of mailboxes on the Exchange Server
-
The size of the mailboxes
-
Whether they will be using dual AV scanning
Correct Answer(s)
A. The peak number of concurrent users
A. The number of mailboxes on the Exchange Server
A. Whether they will be using dual AV scanningExplanation
To accurately size the Web Server Protection on the XG Firewall for protecting external access to the Exchange server, the information needed includes the peak number of concurrent users, the number of mailboxes on the Exchange Server, and whether they will be using dual AV scanning. This information is crucial for determining the appropriate capacity and resources required to handle the expected load and ensure effective protection for the server. The average number of concurrent users, the issuer of the HTTPS certificate, who their ISP is, and the size of the mailboxes are not directly relevant to sizing the Web Server Protection.Rate this question:
-
- 46.
A company is looking at replacing their existing firewall with a Sophos XG firewall. They also have an aging web filter they would like to replace. The company has 100 users that will need access through the firewall. Of those, half would be considered advanced users and the other half just browse the internet and check their email. There are also 25 users that work from home and are connected via VPN back to the company 100% of the time. Just to be safe, they are considering the system load to be high. What device would be recommended for them? You may want to refer to the sizing guide. Please use this version of the sizing guide. Select One :
-
XG450
-
XG550
-
XG330
-
XG210
-
XG430
-
XG310
-
XG230
Correct Answer
A. XG310Explanation
Based on the given information, the company has 100 users, with half being advanced users and the other half browsing the internet and checking email. Additionally, there are 25 users connected via VPN back to the company at all times. Considering the system load to be high, the recommended device would be the XG310. This device is capable of handling the number of users and the high system load effectively.Rate this question:
-
- 47.
A customer has called you because they have forgotten their admin password and there are no other admin users defined. How can your customer regain access to the XG Firewall? Select one:
-
Boot into SF Loader and reset the admin password to default
-
The device will need to be RMA'd to Sophos
-
Reset the password from the Sophos website
-
Reset the password from the MyUTM portal
-
Sophos can remotely reset the admin password
-
Use the 'Forgot password' link on the WebAdmin login page
Correct Answer
A. Boot into SF Loader and reset the admin password to default -
- 48.
How do you read the contents of a Consolidated Troubleshooting Report (CTR)? Select one:
-
Upload the CTR to the MyUTM site and use the web-based viewer
-
Use the viewer in the WebAdmin
-
Use the standalone tool from the Sophos Website
-
It is encrypted and can only be read by Sophos
Correct Answer
A. It is encrypted and can only be read by Sophos -
- 49.
In Lab 9 you retrieved a log file from an XG Firewall. How is this done? Select one:
-
Use SCP to copy the file from the XG Firewall
-
Send the logs via email
-
Download them from the WebAdmin
-
Upload them to an FTP server from the XG Firewall
Correct Answer
A. Upload them to an FTP server from the XG FirewallExplanation
To retrieve a log file from an XG Firewall, the logs need to be uploaded to an FTP server from the XG Firewall. This means that the log file is transferred from the firewall to an FTP server for further analysis or storage. The other options mentioned, such as using SCP, sending logs via email, or downloading them from the WebAdmin, are not the correct methods for retrieving log files from an XG Firewall.Rate this question:
-
Quiz Review Timeline (Updated): Aug 5, 2024 +
Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.
-
Current Version
-
Aug 05, 2024Quiz Edited by
ProProfs Editorial Team -
Jul 24, 2019Quiz Created by
Tuhin Das
Back to top