Architecture Assessment Trivia Quiz

By Tuhin Das
Community Contributor
Quizzes Created: 1 | Total Attempts: 980
  • 1/69 Questions

    TRUE or FALSE: IPS policies can be applied to both User/Network rules and Business Application rules. Select one:

    • True
    • False
About This Quiz

This Architecture Assessment Trivia Quiz focuses on practical scenarios involving Sophos XG Firewall configurations. It assesses skills in network security, firewall rule management, and system troubleshooting, catering to professionals seeking to enhance their technical expertise in firewall administration.


  • 2. 

    Wireless access points are being deployed across a large office space. There will only be one network broadcast from the access points and because of the large space, you would like to take advantage of Fast BSS to ensure that users have the best roaming experience. What security modes can be used to support Fast BSS? (select all that apply) Select one or more:

    • WEP

    • WPA

    • WPA2

    Correct Answer
    A. WPA2
    Explanation
    WPA2 can be used to support Fast BSS. WPA2 is the most secure security mode among the options given. It provides stronger encryption and authentication compared to WEP and WPA, making it the ideal choice for ensuring the security of the network while also allowing for a seamless roaming experience for users in the large office space.


  • 3. 

    A customer has called you because they have forgotten their admin password and there are no other admin users defined. How can your customer regain access to the XG Firewall? Select one:

    • Boot into SF Loader and reset the admin password to default

    • The device will need to be RMA'd to Sophos

    • Reset the password from the Sophos website

    • Reset the password from the MyUTM portal

    • Sophos can remotely reset the admin password

    • Use the 'Forgot password' link on the WebAdmin login page

    Correct Answer
    A. Boot into SF Loader and reset the admin password to default
  • 4. 

    Your customer has an XG Firewall that is deployed in gateway mode, and they want to create a bridge pair with an interface in a LAN zone and an interface in a DMZ. Can this be done? Select one:

    • Yes

    • No

    Correct Answer
    A. Yes
    Explanation
    Check the image on page 40


  • 5. 

    In Lab 3 you configured a local NAT policy. What would the command be to SNAT the traffic from the XG firewall to the Internet to 10.1.1.45? Select one:

    • set advanced-firewall sys-traffic-nat add destination 0.0.0.0 netmask 0.0.0.0 snatip 10.1.1.45

    • set advanced-firewall sys-traffic-nat add destination * snatip 10.1.1.45

    • set advanced-firewall sys-traffic-nat add snatip 10.1.1.45

    Correct Answer
    A. set advanced-firewall sys-traffic-nat add destination 0.0.0.0 netmask 0.0.0.0 snatip 10.1.1.45
    Explanation
    The correct command to SNAT the traffic from the XG firewall to the Internet to 10.1.1.45 is "set advanced-firewall sys-traffic-nat add destination 0.0.0.0 netmask 0.0.0.0 snatip 10.1.1.45". This command sets up a NAT policy that specifies a destination of 0.0.0.0 netmask 0.0.0.0, which represents all traffic, and SNATs it to the IP address 10.1.1.45.


  • 6. 

    In Lab 2 you created a bridge with two ports that were both in the LAN zone, but the computers were not able to ping each other. If both ports are in the same zone why could the computers not ping each other? Select one:

    • There was no firewall rule to allow traffic from the LAN zone to another port in the LAN zone

    • Routing had not been enabled for the bridge pair

    • ICMP had not been enabled for the LAN zone

    Correct Answer
    A. There was no firewall rule to allow traffic from the LAN zone to another port in the LAN zone
    Explanation
    The computers were not able to ping each other because there was no firewall rule in place to allow traffic from the LAN zone to another port in the LAN zone. Without this rule, the firewall was blocking the communication between the computers even though they were in the same zone.


  • 7. 

    In Lab 7 you simulated a computer with a missing heartbeat, and interrogated the XG Firewall for computers with a missing heartbeat. How does the XG Firewall identify computers that are missing the Security Heartbeat? Select one:

    • User

    • Client ID

    • MAC Address

    • IP Address

    • Hostname

    • Live lookup to Sophos Central

    Correct Answer
    A. MAC Address
    Explanation
    The XG Firewall identifies computers that are missing the Security Heartbeat based on their MAC Address.


  • 8. 

    In Lab 3 you configured an advanced DoS policy. What command can you use to see the existing dos rules? Select one:

    • system dos-config show dos-rules

    • show dos-config rules

    • dos-config show dos-policies

    • system show dos-rules

    Correct Answer
    A. system dos-config show dos-rules
    Explanation
    The correct answer is "system dos-config show dos-rules". This command is used to view the existing DoS rules in Lab 3.


  • 9. 

    When configuring a RED manually with a USB stick, what do you need to consider? (select all that apply) Select one:

    • The WAN interface must have a static IP address

    • If you lose the unlock code the RED cannot ever be connected to another Sophos XG Firewall

    • The USB key must never be unplugged from the RED

    Correct Answer
    A. If you lose the unlock code the RED cannot ever be connected to another Sophos XG Firewall
    Explanation
    If you lose the unlock code for the RED device, it cannot be connected to another Sophos XG Firewall. This means that the device will be permanently locked and unable to establish a connection with any other firewall. Therefore, it is important to keep the unlock code safe and secure to ensure the proper functioning of the RED device.


  • 10. 

    You have a RED device deployed at a remote network in a standard/split configuration. When you connect a Sophos access point to the remote network, it never appears in the pending access point list on the XG Firewall. What configuration change needs to be made for the RED connection? Select one:

    • Add the IP address of the XG firewall to the split networks

    • Add the IP address of the access point to the split networks

    • Add 1.2.3.4 to the remote network list

    • Configure a split DNS server address

    Correct Answer
    A. Add 1.2.3.4 to the remote network list
    Explanation
    Adding 1.2.3.4 to the remote network list will allow the Sophos access point to be recognized by the XG Firewall.


  • 11. 

    In Lab 4 you configured Web Server Protection. When configuring Web Server Protection, how do you identify which rules and paths you need to create exceptions for? Select one:

    • By reviewing the reverseproxy.log

    • By performing a packet capture

    • Enable debug logging and generate a CTR

    • Using trial and error

    Correct Answer
    A. By reviewing the reverseproxy.log
    Explanation
    When configuring Web Server Protection, reviewing the reverseproxy.log is the most effective way to identify which rules and paths you need to create exceptions for. The reverseproxy.log contains detailed information about the requests and responses that the web server receives and sends. By analyzing this log, you can identify any patterns or specific requests that need to be exempted from the standard rules and paths. This allows you to fine-tune the Web Server Protection configuration and ensure that legitimate traffic is not blocked or affected by the security measures in place.


  • 12. 

    What is the importance of using a valid email address when you enable RED services on the XG Firewall? Select one:

    • RED notification emails will be sent to this address

    • You will be sent a confirmation email and have to click a link to complete the process

    • The unlock codes for REDs will be sent to this email address

    Correct Answer
    A. The unlock codes for REDs will be sent to this email address
    Explanation
    When you enable RED services on the XG Firewall, it is important to use a valid email address because the unlock codes for REDs will be sent to this email address. These unlock codes are necessary to complete the setup process and activate the RED devices. Using a valid email address ensures that you receive the unlock codes and can successfully complete the configuration of the RED services on the XG Firewall.


  • 13. 

    What does the command "service -S" do? Select one:

    • Start a specific service

    • List all of the services and their current state

    • Show the state of a specific service

    • Stop a specific service

    Correct Answer
    A. List all of the services and their current state
    Explanation
    The command "service -S" lists all of the services and their current state. This command provides an overview of the status of all services running on the system, allowing the user to see which services are currently active or inactive. It is a useful command for system administrators or users who need to monitor the status of various services on their system.


  • 14. 

    In Lab 9 you retrieved a log file from an XG Firewall. How is this done? Select one:

    • Use SCP to copy the file from the XG Firewall

    • Send the logs via email

    • Download them from the WebAdmin

    • Upload them to an FTP server from the XG Firewall

    Correct Answer
    A. Upload them to an FTP server from the XG Firewall
    Explanation
    To retrieve a log file from an XG Firewall, the logs need to be uploaded to an FTP server from the XG Firewall. This means that the log file is transferred from the firewall to an FTP server for further analysis or storage. The other options mentioned, such as using SCP, sending logs via email, or downloading them from the WebAdmin, are not the correct methods for retrieving log files from an XG Firewall.


  • 15. 

    Your customer wants to create a gateway on a VLAN interface in their Intranet zone to use in a policy routing rule. Can they do this? Select one:

    • YES

    • NO

    Correct Answer
    A. YES
    Explanation
    Yes, the customer can create a gateway on a VLAN interface in their Intranet zone to use in a policy routing rule. This means they can set up a specific route for traffic coming from that VLAN interface, allowing them to control how the traffic is routed within their network.


  • 16. 

    How do you read the contents of a Consolidated Troubleshooting Report (CTR)? Select one:

    • Upload the CTR to the MyUTM site and use the web-based viewer

    • Use the viewer in the WebAdmin

    • Use the standalone tool from the Sophos Website

    • It is encrypted and can only be read by Sophos

    Correct Answer
    A. It is encrypted and can only be read by Sophos
  • 17. 

    You want to create a rule so that only traffic from secure servers in the network use the second Internet connection (WAN 2). What type of rule do you need to create? Select one:

    • Policy Routing Rule

    • BGP Route

    • Business Application Rule

    • Static Route

    Correct Answer
    A. Policy Routing Rule
    Explanation
    A policy routing rule needs to be created in order to ensure that only traffic from secure servers in the network uses the second Internet connection (WAN 2). This rule will allow for the specific routing of traffic based on certain policies or criteria, in this case, the security level of the server. By implementing a policy routing rule, the network administrator can effectively direct traffic from secure servers to the desired Internet connection, while other traffic can continue to use the default connection.


  • 18. 

    A customer calls you because some settings have been changed on their XG Firewall by the admin user. Your customer is the only person that knows the admin password but some of the IT department have access using SSH keys. How can your customer identify who logged in to make the changes? Select one:

    • Find the SSH key in dropbear.log

    • This information cannot be found

    • Check the audit.log

    • Search in the Log Viewer

    Correct Answer
    A. Find the SSH key in dropbear.log
    Explanation
    The customer can identify who logged in to make the changes by finding the SSH key in the dropbear.log. This log file records all SSH key-based authentication attempts and provides information about the user who logged in using the SSH key. By examining the dropbear.log, the customer can determine which IT department member accessed the XG Firewall and made the changes.


  • 19. 

    Look at the diagram below. Where does DNAT happen? Select one or more:

    • 1

    • 2

    • 3

    • 4

    • 5

    • 6

    • 7

    Correct Answer(s)
    A. 1
    A. 5
    Explanation
    Check the image on page 55


  • 20. 

    Which of the following dynamic routing protocols are supported by Sophos XG Firewall? (select all that apply) Select one or more:

    • EIGRP

    • RIP

    • OSPF

    • IS-IS

    • IGRP

    • BGP

    • PIM-SM

    Correct Answer(s)
    A. RIP
    A. OSPF
    A. BGP
    A. PIM-SM
    Explanation
    Check the image on page 76


  • 21. 

    You are the network administrator of the Sophos Store, a large retailer of socks and stickers. The Sophos Store has a head office in London with branch offices in New York and Vancouver and retail stores located throughout the world.
    • The Sophos Store has multiple servers in subnet 192.168.1.0/2
    • The user network subnet is 172.16.1.0/24
    • Sophos Store would like to increase the internal bandwidth for each server
    For the above scenario, select which of the following you would recommend to Sophos Store. Select one:

    • Add another NIC to the server and configure Gateway mode with Multi port L3 bridge

    • Connect another XG Firewall Port to the switch and configure Active-Backup LAG

    • Connect another XG Firewall Port to the switch and configure 802.3ad LAG

    • Add another NIC to the server and make L3 bridge with multiple ports

    Correct Answer
    A. Connect another XG Firewall Port to the switch and configure 802.3ad LAG
    Explanation
    Connecting another XG Firewall Port to the switch and configuring 802.3ad LAG would be recommended to Sophos Store. This would allow for the aggregation of multiple ports, increasing the internal bandwidth for each server. LAG (Link Aggregation Group) combines multiple physical connections into a single logical connection, providing higher throughput and redundancy. 802.3ad is a standard for link aggregation that ensures load balancing and fault tolerance across the aggregated links. This solution would effectively enhance the internal bandwidth for the servers at the Sophos Store.


  • 22. 

    A client contacts you complaining that their virtual XG firewall has been running very slowly. The client is running a central XG firewall on a virtual host and has over 100 remote locations connected to this host via XG to XG RED tunnels. They have followed the best practices for firewall and security configurations. After gathering some information on the existing setup, you find that the virtual host is running on older hardware and the CPUs are consistently showing very high utilization. Without compromising the security of the device or the network, what would you recommend to the customer to help alleviate the slowness problem? Select one:

    • Turn off Tunnel Compression on all of the RED tunnels between the Host and the remote locations

    • Add a second virtual XG firewall to the virtual host and move half of the RED connections to it

    • Disable IPS on any policies not using HTTP

    Correct Answer
    A. Turn off Tunnel Compression on all of the RED tunnels between the Host and the remote locations
  • 23. 

    When you are sizing for a virtual XG Firewall, what performance decrease should you allow for the hypervisor? Select one:

    • 12%

    • 10%

    • 5%

    • 15%

    • 7%

    Correct Answer
    A. 10%
    Explanation
    When sizing for a virtual XG Firewall, it is important to consider the performance decrease caused by the hypervisor. The correct answer is 10%. This means that when determining the required resources for the virtual firewall, you should account for a 10% decrease in performance due to the hypervisor overhead. This ensures that the virtual firewall has enough resources to handle the expected workload efficiently and effectively.


  • 24. 

    In Lab 4 you configured a Webserver Protection Business Application Rule that load-balanced two intranet servers. How could you configure this so that one of the servers is the primary server and the other is only used as a backup? Select one:

    • Enable Path-specific routing and select 'Hot-standby mode'

    • Web Server Protection cannot do this, you need to use a load-balancing Business Application Rule

    • Enable 'Sticky Sessions'

    • Create two separate Business Application Rules, the top one will be the primary

    Correct Answer
    A. Enable Path-specific routing and select 'Hot-standby mode'
  • 25. 

    Your company is configuring a site to site VPN with another company in order to share information for an upcoming project. The two networks have the following IP address network ranges: What feature can be used in the IPsec site-to-site VPN on an XG Firewall in order to allow communication between these networks? Select one:

    • NAT Overlap

    • NAT Traversal

    • Route Precedence

    • VPN Failover

    Correct Answer
    A. NAT Overlap
    Explanation
    NAT Overlap can be used in the IPsec site-to-site VPN on an XG Firewall to allow communication between these networks. NAT Overlap is a feature that allows multiple devices on a private network to share a single public IP address. In this scenario, the two networks have overlapping IP address ranges, which means that without NAT Overlap, there would be conflicts and communication between the networks would not be possible. By enabling NAT Overlap, the XG Firewall can translate the overlapping IP addresses to unique addresses, ensuring that communication between the networks is successful.


  • 26. 

    In Lab 8 you created an Active-Active cluster, and then an Active-Passive cluster. How do you convert an Active-Active cluster into an Active-Passive cluster? Select one:

    • Use the "system ha active-active off" command

    • Disable HA and create a new cluster

    • Change the cluster mode on the primary device

    Correct Answer
    A. Disable HA and create a new cluster
    Explanation
    To convert an Active-Active cluster into an Active-Passive cluster, the HA (High Availability) needs to be disabled and a new cluster needs to be created. This involves configuring one device as the active device and the other device as the passive device. The active device will handle all the traffic and the passive device will remain idle until the active device fails, at which point it will take over the traffic handling responsibilities.


  • 27. 

    What ports are used by the RED 15 and RED 50? (select all that apply) Select one or more:

    • TCP:443

    • TCP:3400

    • TCP:3410

    • UDP:500

    • UDP:3400

    • UDP:3410

    Correct Answer(s)
    A. TCP:3400
    A. UDP:3410
    Explanation
    Check page 219. At the remote location, the RED requires:
    • A power connection
    • A network connection
    • A DHCP server to provide an IP address, DNS server and default gateway
    • Port 3400 TCP (common to all RED devices)
    • Port 3400 UDP (RED 10)
    • Port 3410 UDP (RED 50 and RED 15)


  • 28. 

    What is used to determine which channels the access point can broadcast on? Select one:

    • The Zone the access point is in

    • The country selected when the access point was accepted on the XG Firewall

    • The number of radios the access point can use at one time

    • The letter designation after the access point model number

    Correct Answer
    A. The country selected when the access point was accepted on the XG Firewall
    Explanation
    The country selected when the access point was accepted on the XG Firewall is used to determine which channels the access point can broadcast on. Different countries have different regulations and restrictions regarding wireless frequencies and channels. The access point needs to comply with these regulations and can only broadcast on channels that are allowed in the selected country.


  • 29. 

    Your customer's environment consists of a number of Windows servers, as well as Windows and Mac desktops and laptops. Users have commented that accessing files on the server has been slower since the new firewall was installed. After examining the configuration, you document that the servers are located in a separate zone called SERVERS and the users are located in the LAN zone. After researching the issue further, you believe that the issue is related to the IPS scanning of the traffic as it is passing from the LAN to the SERVERS zone. Currently, the LAN to DMZ IPS policy is applied to the network rule allowing the traffic to pass from one zone to the other. Which of the following options would you recommend to improve the performance for the users transferring files between the zones? Select one:

    • Disable IPS for the LAN zone to the SERVERS zone

    • Configure the Local NAT Policy on the firewall

    • Change the FastPath threshold value

    • Configure a more appropriate IPS policy for the LAN zone to the SERVERS zone

    • Adjust the size of the connection tracking database

    • Turn off Strict Policy on the firewall

    Correct Answer
    A. Configure a more appropriate IPS policy for the LAN zone to the SERVERS zone
    Explanation
    The given scenario suggests that the slow file access issue is due to the IPS scanning of traffic between the LAN and SERVERS zone. To improve performance, it is recommended to configure a more appropriate IPS policy for the LAN zone to the SERVERS zone. This means adjusting the IPS settings to better suit the traffic between these zones, potentially reducing the scanning overhead and improving file transfer speeds.


  • 30. 

    You are troubleshooting STAS issues for a customer and want to check that logins are being reported to the XG Firewall by STAS.
    • The IP address of the XG Firewall is 172.16.16.16
    • The IP address of the STA Collector is 172.16.16.50
    • The IP address of the STA Agent is 172.16.16.43
    What command would you use? Select one:

    • tcpdump "host 172.16.16.78 and port 6060"

    • tcpdump "host 172.16.16.50 and port 5566"

    • tcpdump "host 172.16.16.78 and port 6677"

    • tcpdump "host 172.16.16.43 and port 6677"

    • tcpdump "host 172.16.16.43 and port 5566"

    • tcpdump "host 172.16.16.16 and port 6677"

    • tcpdump "host 172.16.16.16 and port 6060"

    Correct Answer
    A. tcpdump "host 172.16.16.16 and port 6060"
    Explanation
    The correct answer is: tcpdump "host 172.16.16.16 and port 6060". This command will capture network traffic on the XG Firewall with the IP address 172.16.16.16 and the port number 6060. By using this command, you can check if logins are being reported to the XG Firewall by STAS.


  • 31. 

    Your customer has called you because they have a computer with a YELLOW heartbeat and they are not sure what this means. What do you tell your customer are possible causes of this? (select all that apply) Select one or more:

    • Malware has not been cleaned up

    • Malicious traffic to a known C&C server has been detected

    • Active malware has been detected

    • The Endpoint Agent is not running

    • Inactive malware has been detected

    • A PUA (Potentially Unwanted Application) has been detected

    • Communications to a known bad host has been detected

    Correct Answer(s)
    A. Inactive malware has been detected
    A. A PUA (Potentially Unwanted Application) has been detected
    Explanation
    Possible causes of a computer with a YELLOW heartbeat could be that inactive malware has been detected or a PUA (Potentially Unwanted Application) has been detected.


  • 32. 

    You have a large network that spans many different subnets. Wireless has been deployed in the network; however, there are issues with access points communicating back to the XG Firewall. You have identified security devices in the network that may be blocking ports between the XG Firewall and the APs. What ports need to be open to allow for proper wireless communication? (select all that apply) Select one or more:

    • 414 UDP

    • 2712 TCP

    • 415 UDP

    • 3148 UDP

    • 443 TCP

    Correct Answer(s)
    A. 414 UDP
    A. 2712 TCP
    A. 415 UDP
    Explanation
    The correct answer is 414 UDP, 2712 TCP, and 415 UDP. These ports need to be open to allow for proper wireless communication between the access points and the XG Firewall. The UDP protocol is used for ports 414 and 415, while the TCP protocol is used for port 2712. By opening these ports, the access points will be able to communicate with the XG Firewall effectively, resolving the communication issues.


  • 33. 

    You are enabling SSH access to an XG Firewall using keys. Which of the following algorithms could you use to generate the key? (select all that apply) Select one or more:

    • ECDSA

    • DSA

    • RSA

    • SHA256

    • DES

    • AES256

    Correct Answer(s)
    A. ECDSA
    A. DSA
    A. RSA
    Explanation
    You can use ECDSA, DSA, and RSA algorithms to generate the key for enabling SSH access to an XG Firewall. These algorithms are commonly used for generating cryptographic keys and ensuring secure communication. ECDSA (Elliptic Curve Digital Signature Algorithm), DSA (Digital Signature Algorithm), and RSA (Rivest-Shamir-Adleman) are all widely accepted and secure algorithms for key generation in SSH.


  • 34. 

    In Lab 5, if the New York Gateway had 2 WAN connections, then how many IPsec connections would be created on the New York Gateway in order to take advantage of the maximum number of possible VPN failover routes? Select one:

    • 1

    • 2

    • 3

    • 4

    • 6

    • 8

    • 10

    Correct Answer
    A. 4
    Explanation
    If the New York Gateway had 2 WAN connections, then there would be a total of 4 IPsec connections created on the New York Gateway in order to take advantage of the maximum number of possible VPN failover routes. Each WAN connection would require 2 IPsec connections, resulting in a total of 4 IPsec connections.


  • 35. 

    Your customer has configured Security Heartbeat on their XG Firewall so that only computers that have a GREEN heartbeat status are able to connect to the intranet servers. The computers that are connecting through an SSL remote access VPN using split tunneling are unable to access the intranet servers. What can the customer do to resolve the problem? (select all that apply) Select one or more:

    • Configure the heartbeat IP address as a permitted network resource in the VPN profile

    • Configure the DNS server for the computer to be the XG Firewall

    • Enable VPN support for the firewall in Sophos Central

    • Add the WAN port to the permitted network resources for the VPN

    • Add 'cloud.sophos.com' to the VPN permitted network resources

    Correct Answer
    A. Configure the heartbeat IP address as a permitted network resource in the VPN profile
    Explanation
    The customer should configure the heartbeat IP address as a permitted network resource in the VPN profile. This will allow the computers connecting through the SSL remote access VPN to access the intranet servers by recognizing their GREEN heartbeat status.


  • 36. 

    Your XG Firewall is configured with multiple IP addresses on the WAN interface that are used to publish various services. How would you specify the IP address that should be used for traffic that originates from the XG Firewall? Select one:

    • Configure a Local NAT policy

    • Create a firewall rule and enable 'Rewrite source address'

    • Enable the 'Default Interface' tab in the ports settings

    • Create a firewall rule and select the required gateway

    Correct Answer
    A. Configure a Local NAT policy
    Explanation
    To specify the IP address that should be used for traffic originating from the XG Firewall, you would configure a Local NAT policy. This allows you to define a specific IP address to be used as the source address for outbound traffic from the firewall. By configuring a Local NAT policy, you can ensure that traffic originating from the XG Firewall is sent out with the desired IP address, which is useful when publishing various services using multiple IP addresses on the WAN interface.


  • 37. 

    How many Business Application Rules do you need to create when configuring Web Server Protection for Microsoft Exchange? Select one:

    • 5

    • 6

    • 3

    • 4

    • 1

    • 2

    Correct Answer
    A. 3
    Explanation
    When configuring Web Server Protection for Microsoft Exchange, you need to create 3 Business Application Rules. These rules are used to define the specific behavior and security settings for the web server. Each rule will specify the conditions and actions to be taken in order to protect the server and its resources.


  • 38. 

    After configuring two new VPN connections, everything is running fine until the remote office loses Internet access. When it comes back up, the users are complaining that they can no longer access resources in the head office network. You verify that the Internet is working at both locations and then look at the VPN configuration, which is as below. What needs to be adjusted in the remote office? Select one:

    • Authentication Type

    • Action on VPN Restart

    • Remote IP Address

    • Connection Type

    • Policy

    Correct Answer
    A. Action on VPN Restart
  • 39. 

    In which RED deployment mode do you need to configure the following?
    • IP address of the RED interface on the Sophos XG Firewall
    • Zone of the RED interface on the Sophos XG Firewall
    • DHCP Server
    • A list of split networks
    Select one:

    • Standard/Split

    • Transparent/Split

    • Standard/Unified

    Correct Answer
    A. Standard/Split
    Explanation
    In the Standard/Split deployment mode, the following configurations need to be made on the Sophos XG Firewall: IP address of the RED interface, Zone of the RED interface, DHCP Server, and a list of split networks. This mode allows the RED device to be connected to a separate network segment, and the traffic from the RED device is split between the local and remote networks.

  • 40. 

    On which devices can you disable HA? (select all that apply) Select one or more:

    • Primary

    • Auxiliary

    • Standalone

    Correct Answer(s)
    A. Primary
    A. Standalone
    Explanation
    You can disable HA on the Primary device and the Standalone device. This means that you have the option to turn off High Availability on these devices.

  • 41. 

    In Lab 5 you configured site-to-site VPN connections for multiple networks on both the London and New York sites. TRUE or FALSE: To create a VPN to multiple remote networks at a single location you need to create a VPN for each network. Select one:

    • True

    • False

    Correct Answer
    A. False
    Explanation
    To create a VPN to multiple remote networks at a single location, you do not need to create a VPN for each network. Instead, you can use a single VPN connection to connect to multiple remote networks simultaneously. This allows for more efficient and streamlined network management, as all the networks can be accessed through a single VPN connection.

  • 42. 

    Your customer has deployed STAS on their network for single sign-on. Users at a small branch site that does not have a domain controller are not being authenticated with the XG Firewall at that site, but they can be seen in the Live Users list on the head office XG Firewall. The small branch site is connected to the head office using an SSL site-to-site VPN. What could be the problem? (select all that apply) Select one or more:

    • The agent may not be configured with the collector IP address

    • The collector may not be configured with the IP address of the branch office XG Firewall and vice versa

    • The XG Firewall in the branch office may not be configured to allow the Collector in the VPN zone

    Correct Answer(s)
    A. The collector may not be configured with the IP address of the branch office XG Firewall and vice versa
    A. The XG Firewall in the branch office may not be configured to allow the Collector in the VPN zone
    Explanation
    The problem could be that the collector is not configured with the IP address of the branch office XG Firewall and vice versa. This means that the collector is not able to communicate with the XG Firewall at the branch office, causing the authentication process to fail. Additionally, the XG Firewall in the branch office may not be configured to allow the collector in the VPN zone, further preventing authentication from taking place.

  • 43. 

    In Lab 2 you configured policy routing for an MPLS scenario. When you created the firewall rules that allowed the traffic to the remote network, you disabled NATing by deselecting the 'Rewrite source address' option. Why would the routing not have worked correctly if NATing had been enabled in this scenario? Select one:

    • The traffic would not have matched a policy route on the LOCAL XG Firewall

    • The traffic would not have matched a firewall rule on the REMOTE XG Firewall

    • The traffic would not have matched a policy route on the REMOTE XG Firewall

    • The traffic would not have matched a firewall rule on the LOCAL XG Firewall

    Correct Answer
    A. The traffic would not have matched a firewall rule on the REMOTE XG Firewall
    Explanation
    If NATing had been enabled in this scenario, the source address of the traffic would have been rewritten. This means that the firewall rule on the REMOTE XG Firewall, which was configured to allow traffic to the remote network, would not have matched the rewritten source address. Therefore, the traffic would not have matched a firewall rule on the REMOTE XG Firewall, resulting in the routing not working correctly.

  • 44. 

    You configured Web Server Authentication for a customer when you deployed their XG Firewall some time ago. The customer wants to allow another group to authenticate for the protected web service but does not know where to do this. Where do you direct your customer to add this group? Select one:

    • In the Authentication Template

    • In the Web Server Protection Policy

    • In the Path-specific routing

    • In the firewall authentication methods

    • In the Web Server Authentication Policy

    • In the Business Application Rule

    • In the Authentication Server

    Correct Answer
    A. In the Authentication Template
    Explanation
    In order to add another group to authenticate for the protected web service, the customer should be directed to add this group in the Authentication Template.

  • 45. 

    A customer wants to confirm whether their planned configuration for a RED 50 is correct before implementing it. The configuration has the following:
    • The second IP/hostname for Sophos XG Firewall is configured for load balancing
    • The second uplink on a RED 50 is configured for failover
    Assuming that no links have failed, the customer wants to confirm which connections would be actively used? (select all that apply) Select one or more:

    • RED 50 Uplink 2 to XG Firewall Hostname 2

    • RED 50 Uplink 1 to XG Firewall Hostname 2

    • RED 50 Uplink 2 to XG Firewall Hostname 1

    • RED 50 Uplink 1 to XG Firewall Hostname 1

    Correct Answer(s)
    A. RED 50 Uplink 1 to XG Firewall Hostname 2
    A. RED 50 Uplink 1 to XG Firewall Hostname 1
    Explanation
    The customer wants to confirm which connections would be actively used assuming no links have failed. The configuration states that the second IP/hostname for Sophos XG Firewall is configured for load balancing, and the second uplink on a RED 50 is configured for failover. This means that Uplink 1 will be actively used for both XG Firewall Hostname 2 and XG Firewall Hostname 1, while Uplink 2 will not be actively used for either hostname. Thus, the correct connections that would be actively used are RED 50 Uplink 1 to XG Firewall Hostname 2 and RED 50 Uplink 1 to XG Firewall Hostname 1.

  • 46. 

    In Lab 6 you cleared the cached authentication status after installing STAS. How can you remove computers from the authentication cache? (select all that apply) Select one or more:

    • With the command "ipset -D lusers "

    • Flush the cache for the Authentication Server

    • Restart the Authentication service in the WebAdmin

    • Reinstall the STAS software

    Correct Answer(s)
    A. With the command "ipset -D lusers "
    A. Restart the Authentication service in the WebAdmin
    Explanation
    To remove computers from the authentication cache, you can use the command "ipset -D lusers" and restart the Authentication service in the WebAdmin. These actions will clear the cached authentication status and remove the computers from the cache.

  • 47. 

    Your customer is configuring Web Server for their webmail but is getting an error when they try to log in. Look at the log file below and select what needs to be done to resolve the error. (select all that apply) Select one or more:

    • Create an antivirus exception for the URL /MEWebMail/Mondo/lang/sys/login.aspx

    • Enable accept unhardened form data for the URL /MEWebMail/Mondo/lang/sys/login.aspx

    • Add ID 9 to the filter rule skip list

    • Add ID 981003 to the filter rule skip list

    • Create a form hardening exception for the URL /MEWebMail/Mondo/lang/sys/login.aspx

    • Add ID 981200 to the filter rule skip list

    Correct Answer(s)
    A. Add ID 981003 to the filter rule skip list
    A. Add ID 981200 to the filter rule skip list
    Explanation
    The error in the log file suggests that there is a filter rule blocking the login process. By adding ID 981003 and ID 981200 to the filter rule skip list, the web server will bypass these specific filter rules and allow the login to proceed successfully. This will resolve the error and allow the customer to log in to their webmail.

  • 48. 

    Following an extended period of growth, your customer is starting to outgrow the capabilities of their current device. Your customer is considering whether they should purchase a second device that is the same as their existing model and create an Active-Active cluster, or whether they need to purchase a higher model device. You explain to your customer that not everything is load balanced in an Active-Active cluster. Which of the following types of traffic do you tell your customer are load balanced in Active-Active mode? (select all that apply) Select one or more:

    • VPN traffic

    • ICMP traffic

    • SNAT TCP traffic

    • UDP traffic

    • TCP traffic

    • VLAN traffic

    Correct Answer(s)
    A. SNAT TCP traffic
    A. TCP traffic
    A. VLAN traffic
    Explanation
    In an Active-Active cluster, the types of traffic that are load balanced include SNAT TCP traffic, TCP traffic, and VLAN traffic. Load balancing ensures that these types of traffic are evenly distributed across multiple devices, improving performance and preventing overload on a single device. Other types of traffic such as VPN traffic, ICMP traffic, and UDP traffic may not be load balanced in an Active-Active cluster, meaning they may not be evenly distributed and may still rely on a single device for processing.

  • 49. 

    How is a RED configured to connect to Sophos XG Firewall? (select all that apply) Select one or more:

    • The configuration is created on Sophos XG Firewall

    • The RED can load the configuration from a USB drive

    • The RED can download the configuration from the provisioning servers

    • The RED sends a discovery packet to the IP address 1.2.3.4

    • The RED can be configured using its own web interface

    Correct Answer(s)
    A. The configuration is created on Sophos XG Firewall
    A. The RED can load the configuration from a USB drive
    A. The RED can download the configuration from the provisioning servers
    Explanation
    The configuration for a RED can be created directly on the Sophos XG Firewall. Additionally, the RED can load the configuration from a USB drive or download it from the provisioning servers. This allows for flexibility in how the RED is configured and allows for easy deployment and management of multiple RED devices.

Quiz Review Timeline (Updated): Aug 5, 2024

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

  • Current Version
  • Aug 05, 2024
    Quiz Edited by
    ProProfs Editorial Team
  • Jul 24, 2019
    Quiz Created by
    Tuhin Das