What features are not supported on Sophos Firewall deployed in bridge mode?
Email Protection
VPN Concentrator
Web Protection
TLS Decryption
Multiple WAN Links
Here are the three main things you learned in this chapter.
There are broadly four modes of deployment for Sophos Firewall: gateway, bridge, mixed, and
discover. Mixed mode is a combination of gateway mode, the most common type of deployment,
and bridge mode, as it is not a pure transparent bridge.
Bridge mode is a fully transparent bridge that is deployed inline without changing the network
topology. As it is transparent it does not support terminating VPNs or multiple WAN links.
Fail-to-wire is a fault-tolerance feature on XGS Series devices that protects your essential
business communications in the event of a power outage. You would use this when deploying
in bridge mode.
Updates
Security Lookups
User Identification
Here are the three main things you learned in this chapter.
Discover mode provides non-intrusive monitoring of network traffic without making changes to the
architecture. It allows Sophos Firewall to see a copy of the network traffic and report on threats
being missed by the current solution.
Discover mode is enabled per-port on the Console. The port needs to be connected to a managed
switch with port mirroring enabled for the port Sophos Firewall is connected to.
So that Sophos Firewall can receive updates and perform lookups, you can configure a WAN
connection. By connecting Sophos Firewall to the LAN, clients can establish a Security
Heartbeat with Sophos Firewall, and Sophos Firewall can be configured to look up user
identities.
Advanced Interface Configuration on Sophos Firewall
You want to display the MTU setting for PortA. You have typed show network and
a space. Now type the rest of the command.
show network mtu-mss PortA
What command would you run on the console to see which type of routes are being
processed first?
system route_precedence show
Here are the three main things you learned in this chapter.
Sophos Firewall marks incoming traffic with the matching routes and the destination zone before
DNAT is applied. Routes are then processed in order of precedence before SNAT is applied.
Sophos Firewall has the WAN link manager for configuring balancing and failover of Internet links.
There is also the gateway manager for creating and managing custom gateways for SD-WAN
routing.
SD-WAN profiles provide link selection based on link quality and performance using latency,
jitter, packet loss, or a combination of all three. SD-WAN routes provide powerful traffic
selection options that can leverage SD-WAN profiles for link selection.
Here are the three main things you learned in this chapter.
Sophos Firewall supports RIP, OSPF, BGP, and PIM-SM as dynamic routing protocols.
Dynamic routing protocols can be configured either in the web admin or via the console.
Detailed information for configured dynamic routing can be viewed in the web admin on the
Routing information tab.
Order these Firewall rules for the best efficiency and security
Here are the three main things you learned in this chapter.
FastPath can offload traffic to increase the speed of connections, but not all traffic will be offloaded.
Firewall rules can be created to maximize the amount of traffic offloaded to the FastPath.
Firewall rules can be ordered for performance and protection. Firewall rule groups can help to
organize devices that have many rules.
The general rules are: the more specific the rule, the closer to the top the rule should be; rules
that are processed more often should be above other rules; and unless it is a catch
True or False. DNAT rules take precedence over device access
TRUE
Here are the three main things you learned in this chapter.
Firewall rules match on post-NAT zone and pre-NAT IP address.
The default SNAT rule will automatically add WAN zone interfaces to the outbound interface
configuration.
You can use local NAT policies to set the source IP address for system-generated traffic to
selected destinations.
Before applying a traffic shaping policy, what needs to be configured on the Sophos
Firewall?
Total WAN bandwidth
Firewall rules
TRUE or FALSE: A user-based policy cannot be applied to groups
False
Here are the three main things you learned in this chapter.
Traffic shaping policies can target network traffic or users.
Policies can guarantee or limit the traffic.
The priority controls which traffic is processed first.
When creating an IPS policy, in which 3 of the following ways can signatures be selected?
Here are the three main things you learned in this chapter.
Default IPS policies are designed to cover a wide range of scenarios and are therefore not
optimized.
Each firewall rule should have its own customized IPS policy that only includes the signatures for the
services and hosts that will be using it.
When creating a new IPS policy you can clone rules from an existing policy to streamline the
process.
Here are the three main things you learned in this chapter.
When denial-of-service (DoS) protection is configured in the Web Admin it is applied globally for
all traffic.
Advanced DoS is made up of DoS policies and DoS rules. DoS policies configure limits for each attack
type. DoS rules configure which traffic the DoS policy is applied to.
Advanced DoS configuration requires you to use packets-per-second, or PPS. To calculate this,
you need to know details of the software such as how many concurrent connections there will
be, protocol used, and the size and frequency of transactions.
TRUE or FALSE: A Sophos Firewall can be associated with multiple Sophos Central accounts.
FALSE
ATT:
A Sophos Firewall can only be associated with one Central account.
A Central account can have multiple Sophos Firewalls.
Which 2 of the following are potential causes for a managed endpoint having a YELLOW
heartbeat status?
A PUA (Potentially Unwanted Application) has been detected.
Inactive malware has been detected.
When using Synchronized Security, how does the Sophos Firewall determine whether it needs
to send the IP addresses of its LAN interfaces to Sophos Central?
One or more discover mode interfaces are configured.
Here are the three main things you learned in this chapter.
Devices with a Security Heartbeat are identified by their IP address when the traffic is passing
through the firewall. For lateral movement protection other devices use the MAC address of
endpoints with a RED health status to drop traffic.
Central brokers trust between the endpoints and firewall using certificates, but the heartbeat is
established between the endpoint and firewall.
Endpoints use a public IP address to establish the heartbeat with the firewall so it is routed
through the Internet gateway, which should be the Sophos Firewall. For this reason, endpoints
need to be connected directly to the network or via VPN.
05 – SITE-TO-SITE
You need to create SNAT and DNAT rules for the overlapping networks on each side of
the VPN.
You need to use IP ranges for the networks when configuring NATing
Use unNATed source and destination networks to limit the scope of the NATing.
Use one-to-one load balancing for the DNAT
TRUE or FALSE: you can use SD-WAN profiles with route-based VPNs.
TRUE
TRUE or FALSE: The only way to fail over between two route-based IPsec VPNs is to create a
failover group.
FALSE
Here are the three main things you learned in this chapter.
Route-based VPNs support routing using static routes, SD-WAN policy routes, and dynamic routing.
You can use SD-WAN profiles and SD-WAN policy routes with route-based VPNs to select the best
link for traffic.
Where you have overlapping subnets on either side of the tunnel you need to use NATing. For
route-based VPNs you can create SNAT and DNAT rules using the normal method. For policy-based
VPNs you need to configure the NATing in the connection.
You can create failover groups for IPsec VPNs. It would be more common to use these with
policy-based VPNs, as you can use SD-WAN policy routes to manage connections for route-based
VPNs.
Advanced Remote Ethernet Device Configuration on Sophos Firewall
Enter the TCP port that Remote Ethernet Devices use as a control channel.
3400
Enter the UDP port that Remote Ethernet Devices use as a data channel
3410
Match the RED mode to its description.
Standard/Unified Sophos Firewall is the DHCP server and default gateway for the
remote network. Only defined traffic is sent through the RED.
Standard/Split Sophos Firewall gets its IP address from a DHCP server on the remote
network.
Transparent/Split All traffic generated on the remote network is sent through the RED
to Sophos Firewall.
How many connections are established between a RED and Sophos Firewall if the
second WAN interface on the RED is configured for failover and the second hostname
of the Sophos Firewall is configured for balancing?
2
Here are the three main things you learned in this chapter.
Remote Ethernet Devices use ports 3400 TCP and 3410 UDP to create a connection to Sophos
Firewall.
You can configure a second hostname for Sophos Firewall and use it either for failover or balancing.
The second WAN interface on REDs can also be configured for either failover or balancing.
You can create a RED tunnel between two Sophos Firewalls.
06 – AUTHENTICATION
Advanced STAS Configuration on Sophos Firewalls
When configuring STAS, what is the maximum number of collectors you
can have in a collector group?
5
STAS has a collector group with 3 collectors and 12 agents. Which collector IP
address(es) do you need to configure on the STA agents?
The IP addresses of all the Collectors
Here are the three main things you learned in this chapter.
All the Collectors should be configured with the IP addresses of all the Sophos Firewalls so that all
the firewalls have all the logged in users.
All the Agents should be configured with the IP addresses of all the Collectors to provide
redundancy.
Collector groups provide redundancy, and you can have a maximum of five Collectors in a
Collector group.
07 – WEB PROTECTION
Managing TLS Decryption for Web Protection on Sophos Firewall
You must comply with the Payment Card Industry Data Security Standard (PCI DSS).
Which default encryption profile should you use?
Strict Compliance
You need to provide certificates for TLS inspection. Which of these statements is
true?
Certificates can be deployed to managed Windows endpoints using Active Directory GPOs
09 – WIRELESS PROTECTION
Troubleshooting Access Point Deployment on Sophos Firewall
What IP address does the access point send a discover packet to?
1.2.3.4
What port does the Sophos access point connect to the Sophos Firewall on?
2712
Which feature would you use to protect against cross-site scripting attacks?
Threat Filters
Which of the following options allows RPC over HTTP traffic to traverse the Web Server
Protection module?
Pass Outlook Anywhere
When browsing your website, you notice that it is not being displayed correctly and are
experiencing content-encoding errors. Which additional option in the web application
firewall can you enable to stop this from happening?
Disable compression support.
When refining the configuration of a web server protection rule, which log file do you need to
check on the advanced shell?
reverseproxy.log
TRUE or FALSE: Web Server Protection Entry URLs are case sensitive.
TRUE
You are refining your web server protection configuration and need to skip a threat filter rule,
where do you enter the ID?
Protection Policy
TRUE or FALSE: You can append and prepend a string to the username when passing through
credentials.
TRUE
Here are the main things you learned in this chapter.
In the authentication policy you choose between presenting a basic authentication prompt or
form-based login, and if form-based, the template to use. You also select the users and groups that
are allowed to log in and whether to pass the credentials through to the web server.
You can optionally add a prefix or suffix to the username when it is passed through. This can be
used to reformat usernames into UPN (user principal name) format or Windows domain format as
required by the web application.
Select the authentication policy in the firewall rule, either to the whole web server, or to a single
path using path-specific routing.
11 – HIGH AVAILABILITY
Which of the following statements are true about the active-passive HA on Sophos Firewall?
All traffic is sent to the primary device.
The primary device processes all traffic.
The primary device owns the virtual MAC address.
The primary device will respond to ARP requests.
The HA cluster uses a virtual MAC address, which is always owned by the current primary device. All
traffic is always sent to the primary device because it responds to ARPs with the virtual MAC address.
In active-active mode, the primary device forwards the packet to the auxiliary device using the physical
MAC address. The primary device forwards the response to the auxiliary device using the physical MAC
address.
Which of the following statements are TRUE about the port that is used for the dedicated HA
link?
The port must be in a DMZ zone.
Must be the same port on both devices.
Must be in a DMZ zone
Devices must have the same number of ports.
Which log file contains the results of checks carried out when enabling high availability?
applog.log
Where would you perform an Ethernet card test?
SF Loader
Here are the main things you learned in this chapter.
To enable HA on Sophos Firewall, both devices must be the same model with the same firmware
version, the MTU/MSS, link speed and duplex settings should be default, the WAN links must have
static IP addresses, and the HA port must be in a DMZ zone with SSH enabled.
Creating the HA cluster starts with the CSC service performing a sanity check. This is logged in
/log/applog.log.
Faulty ports and cables can result in either both devices becoming primary, or the primary device
failing over to the auxiliary device.
12 – PUBLIC CLOUD
Here are the main things you learned from this chapter.
You can connect your on-premise firewall to Azure using a site-to-site VPN, either to an Azure
hosted Sophos Firewall, or directly to an Azure VPN gateway.
Azure VPN gateways can be either policy-based or route-based. To use IKEv2 you must use a
route-based VPN. The firewall WAN interface must have an MSS of 2350 or MTU of 1400 to prevent
fragmentation on Azure.
The connection configuration file downloaded from Azure contains all the information for
configuring the site-to-site VPN and routing on Sophos Firewall.
In a hybrid deployment you can connect to AWS using site-to-site VPNs either to another Sophos
Firewall or to an AWS VPN gateway or Express Route. AWS VPN gateways always create two
connections for redundancy.
If you are connecting to a Sophos Firewall in AWS, you do not need an interface for each subnet in
AWS. AWS can manage the routing if you create and apply the route table to the relevant AWS
private subnets.
When configuring the xfrm interfaces, in the ‘Advanced settings’ set the MTU to 1436 and the MSS
to 1379.
You can import AWS VPN connections on Sophos Firewall, either by downloading a configuration
file from AWS, or entering AWS IAM credentials so that Sophos Firewall can connect to download
the configuration.
When you download the configuration file you select the vendor, platform, version, and IKE version.
The configuration file will create two connections for redundancy and configures BGP; however, you
still need to add local networks to the BGP configuration.
If your Sophos Firewall is behind a NAT, you will need to edit the configuration file so that the
customer gateway outside IP address matches your WAN IP, otherwise the configuration will fail to
import.
13 – COURSE REVIEW