You are on page 1of 10

estions Review

1. Overview v17.0.0

1. A user's computer is infected with a Trojan which is attempting to send personal

information obtained from the user’s computer to an external party.

Which mode of protection on the XG Firewall helps prevent the Trojan from being able to
transmit out of the network in this scenario?

2. What type of threat is being described below?

A targeted attack using spoof emails to persuade users to provide sensitive information or

2. Getting Started v17.0.0

1. When creating a new network zone on the XG Firewall, which 2 zone types can be

2. Where do you go to reboot and shutdown the XG Firewall?

3. Which is the only zone that does not have an assigned physical port or interface?

3. Network Protection v17.0.0

1. You create a new Sophos Central account and connect your XG Firewall to the account in
order to enable Security Heartbeat.

Which 2 additional requirements must be in place before the Security Heartbeat can be used?
"Please review the information covered in Module 3, Network Protection."

2. After deploying a Sophos XG Firewall, concerns have been expressed regarding internal
computers contacting command and control servers and becoming bots.

What security feature on the XG Firewall is designed to prevent this?

"Please review the information covered in Module 3, Network Protection."

3. Users complain that when working long hours, they often lose access to Internet resources
that they need to do their work.
Looking at the configuration of the rule above that is giving them access, what could be causing this?

4. You are concerned about incoming attacks from the outside.

What security feature can you implement to help protect against this?
4. Firewall Icons v17.0.0

1. Which firewall icon from below would represent a rule group?

5. Heartbeat v17.0.0

1. Your customer has recently deployed Sophos Central to their devices and has asked you to
help configure Security Heartbeat in their firewall rules. You are configuring a rule to allows
computers connected to the LAN to access intranet servers. Your customer wants to ensure that
only computers that have a GREEN Security Heartbeat are able to access the intranet servers.

Which of the configurations shown here should you use?

6. NAT Rules v17.0.0

1. You need to DNAT for HTTPS and SSH from a WAN IP address on the XG Firewall to a
server in the DMZ zone. SSH is running on a non-standard port on the server in the DMZ, so
you will configure the DNAT rule to listen on 2222 to match the port on the server in the
How many DNAT rules do you need to create?

7. Site to Site Connections v17.0.0

1. You are in the process of deploying multiple RED devices to allow for remote access
from various branch offices. Due to bandwidth issues at the head office, you would like to
deploy the RED devices so that only necessary traffic is routed back to the head office.

Which 2 modes of deployment could be used to achieve this?

2. The company is preparing to deploy a number of RED devices at remote locations.

These remote locations deal with sensitive corporate data and management would like to
ensure that traffic from those locations can be monitored and blocked from leaving the
corporate LAN.

What would be the most appropriate security mode to deploy the RED devices in?

3. Your XG Firewall has been replaced with a new XG Firewall and the previous device is
no longer available. There were a number of RED devices attached to the previous unit that
you would like to reprovision on the new firewall. These REDs were provisioned using the
RED provisioning service.

Where would you be able to find the unlock codes in order to reprovision the RED devices to
the new XG Firewall?

8. Authentication v17.0.0

1. You have been asked to install STAS on your servers.

Which 3 of the following are required in order for the installation to be successful?
"Please review the information covered in Module 5, Authentication."

2. You have been asked to enable two factor authentication using one-time passwords
on the XG Firewall.

Which 3 of the following forms of access can be secured using one-time passwords?

3. When employing the Sophos Transparent Authentication Suite, where in the network
is the agent software installed and configured?

9. Web Protection and Application Control v17.0.0

1. Which 3 of the following statements about web content filtering are TRUE?
Please review the web content filtering information in the delta training.
2. You are working on creating a custom list of categories to use in a web protection rule.
You do not have time to add all of the categories in manually.

What 3 options are there for quickly adding a large list of categories to the XG Firewall?
Please review the Web Protection and Application Control Module.

3. You are configuring malware scanning in your web protection policy for your security
conscious company. They want to ensure that the most secure scanning settings are in place
to protect users as they browse the web.

What 3 options would you make sure are enabled?

Please review the Web Protection and Application Control Module.

10. Surfing Quota v17.0.0

1. You have been asked to create a surfing quota for guest access that allows users access to
the internet for 20 hours in a week and then terminates the connection with no recurrence.

Which image shows the best way to configure the surfing quota?

11. Email Protection v17.0.0

1. You want to encrypt emails that contain financial data using SPX before they leave the

Which 2 steps do you need to take?

2. Your manager is interested in using SPX to allow users to encrypt emails that contain
sensitive information. They want to know what options they have for setting the encryption

What 3 methods do you tell your manager that they can use?
"Please review the information covered in Module 7, Email Protection."

3. When configuring Email Protection on XG Fireall, what is the danger of adding the
'ANY' Host/Network object to the 'Allow Relay from Hosts/Networks' field for host-based

12. Wireless Protection v17.0.0

1. You have deployed an XG Firewall as a wireless controller only. No other features are
being enabled. Because of this, the XG Firewall is not the edge device in the network.

What can be done so that the wireless access points can still register with the XG Firewall?
"Please review the information covered in Module 8, Wireless Protection."

2. Which of the following best describes the Bridge to AP LAN security mode for wireless
"Please review the information covered in Module 8, Wireless Protection."

3. After researching various wireless security options, you have decided that WPA2
Enterprise will be the optimal security method to authenticate and secure internal users of
the wireless LAN.

What is a limitation of RADIUS on the XG Firewall?

13. Remote Access v17.0.0

1. You are configuring Clientless VPN Portal access for users to access a specific
application. The application can be accessed using HTTPS, SSH, DCOM, and RPC connections.

Which 2 of these would be available to use in the clientless VPN portal?

14. Logging v17.0.0

1. You get a call from a fellow administrator who was looking at the XG Firewall reports
and noticed the application risk meter was at 4.2. They were not sure if this was a cause for
concern so they decided to bring it to your attention.

Which of the following should be the basis of your response?

2. Which of the following best describes the Executive Report?

15. Sizing v17.0.0

1. You have purchased a subscription to Sophos Central and deployed endpoint

protection to machines in the local network. You would now like to connect the XG firewall
to Sophos Central to implement Security Heartbeat.

Which XG FIREWALL subscription is required?

Please review the software subscriptions in the XG Firewall Overview module.

16. Labs v17.0.0

1. A customer has created an SSL VPN Remote Access policy for their Active Directory users,
but they are unable to authenticate successfully to establish a VPN connection.

What does the customer need to do to resolve the issue?

2. TRUE or FALSE: IPS policies can be applied to both User/Network rules and Business
Application rules.

3. A customer that is configuring a new XG Firewall has forgotten their admin password and
they haven't created any other administrator users yet.

How can the admin password be reset to the default?

4. The image below shows a NAT rule.

Which 5 of the following statements about this NAT rule are TRUE?

5. After enabling ATP on the XG Firewall, you test the ATP policy and cannot get the block page
to appear. You examine the configuration to see what is misconfigured, and find it as below.
Select the item that is preventing the block page from appearing.

6. The diagram below shows a company with two sites, one in London and in New York. Each
site has an Internet connection and is also connected via an MPLS.

You are configuring a static route on the London gateway to route traffic destined for the New
York network over the MPLS.

What IP address would need to go into the Gateway field to complete the static rule shown above?

7. How do you enable and disable IPsec VPNs?

8. TRUE or FALSE: Hotspots can only be created for wireless networks using the separate zone
access method.
Please review the tasks you completed in the labs.