













WATCHGUARD NETWORK SECURITY ESSENTIALS EXAM
Typology: Exams














Allow Incoming connections to the example.com domain only - Answers-From the SMTP proxy action settings in this image, which of these options is configured for incoming SMTP traffic? (Select one.)
Allow Incoming connections to the example.com domain only
Allow Outgoing connection from example.com
Deny Incoming connections to the example.com domain only
Deny outgoing connections from example.com

Any-optional Optional-1 Any - Answers-***In the network configuration in this image, which aliases is Eth2 a member of? (Select three.)
A. Any-optional
B. Any-External
C. Optional-1
D. Any
E. Any-Trusted

***When your device is in a default state, to which interface do you connect your management computer so you can use the Quick Setup Wizard or Web Setup Wizard to configure the device? (Select one.)
A. Interface 0
B. Console interface
C. Any interface
D. Interface 1
- Answers-Interface 1

***In the default Firebox configuration file, which policies control management access to the device? (Select two.)
A. WatchGuard
B. FTP
C. Ping
D. WatchGuard Web UI
E. Outgoing
- Answers-WatchGuard
WatchGuard Web UI

To use the Web Setup Wizard or Quick Setup Wizard to configure your Firebox or XTM device, your computer must have an IP address on which subnet? (Select one.)
A. 10.0.10.0/
D. 192.168.1.0/24
- Answers-10.0.1.0/

***What is the best method to downgrade the version of Fireware OS on your Firebox without losing all device configuration settings? (Select one.)
A. Restore a saved backup image that was created for the device before the last Fireware OS upgrade.
B. Use the Upgrade OS feature in Fireware Web UI to install the sysa_dl file for an older version of Fireware OS.
C. Change the OS compatibility setting in Policy Manager to downgrade the device. Then use Policy Manager to save the configuration to the device.
D. Use the downgrade feature on Policy Manager to select a previous version of Fireware OS.
- Answers-Restore a saved backup image that was created for the device before the last Fireware OS upgrade.

***You configured four Device Administrator user accounts for your Firebox. To see a report of which Device Management users have made changes to the device configuration, what must you do? (Select two.)
A. Start Firebox System Manager for the device and review the activity for the Management Users on the Authentication List tab.
B. Connect to Report Manager or Dimension and view the Audit Trail report for your device.
C. Open WatchGuard Server Center and review the configuration history for managed devices.
D. Configure your device to send audit trail log messages to your WatchGuard Log Server or Dimension Log Server.
- Answers-Connect to Report Manager or Dimension and view the Audit Trail report for your device.
Open WatchGuard Server Center and review the configuration history for managed devices.

***Which items are included in a Firebox backup image file? (Select four.)
A. Support snapshot
B. Fireware OS
C. Configuration file
D. Log file
E. Feature keys
F. Certificates
G. Passwords
This question was on the exam but it had different answers.
E. 192.0.2.1/24
- Answers-192.168.50.1/
10.50.1.1/
172.16.0.1/

The policies in a default Firebox configuration do not allow outgoing traffic from optional interfaces.
False
True
- Answers-false

When you examine the log messages in Traffic Monitor, you see that some network packets are denied with an unhandled packet log message. What does this log message mean? (Select one.)
A. The packet is denied because the site is on the Blocked Sites List.
B. The packet is denied because it matched a policy.
C. The packet is denied because it matched an IPS signature.
D. The packet is denied because it does not match any firewall policies.
- Answers-The packet is denied because it does not match any firewall policies.

Which of these actions adds a host to the temporary or permanent blocked sites list? (Select three.)
A. Enable the AUTO-block sites that attempt to connect option in a deny policy.
B. Add the site to the Blocked Sites Exceptions list.
C. On the Firebox System Manager > Blocked Sites tab, select Add.
D. In Policy Manager, select Setup > Default Threat Protection > Blocked Sites and click Add.
- Answers-1. Enable the AUTO-block sites that attempt to connect option in a deny policy.
If you disable the Outgoing policy, which policies must you add to allow trusted users to connect to commonly used websites? (Select three.)
A. HTTP port 80
B. NAT policy
C. FTP port 21
D. HTTPS port 443
E. DNS port 53
- Answers-HTTP port 80
HTTPS port 443
DNS port 53

The default Outgoing policy has been removed and there is no policy to allow DNS traffic. - Answers-Users on the trusted network cannot browse Internet websites. Based on the configuration shown in this image, what could be the problem with this policy configuration? (Select one.)
A. The default Outgoing policy has been removed and there is no policy to allow DNS traffic.
B. The HTTP-proxy policy has higher precedence than the HTTPS-proxy policy.
C. The HTTP-proxy policy is configured for the wrong port.
D. The HTTP-proxy allows Any-Trusted and Any-Optional to Any-External.

How is a proxy policy different from a packet filter policy? (Select two.)
A. Only a proxy policy examines information in the IP header.
B. Only a proxy policy uses the IP source, destination, and port to control network traffic.
C. Only a proxy policy can prevent specific threats without blocking the entire connection.
D. Only a proxy works at the application, network, and transport layers to examine all connection data.
- Answers-Only a proxy policy can prevent specific threats without blocking the entire connection.
Only a proxy works at the application, network, and transport layers to examine all connection data.

Which authentication servers can you use with your Firebox? (Select four.)
A. Active Directory
B. RADIUS
C. LDAP
D. Linux Authentication
E. Kerberos
F. TACACS+
G. Firebox databases
- Answers-Active Directory
RADIUS
B. Create a global dynamic NAT rule for traffic from the email server and set the source IP address to 203.0.113.25.
C. Create a static NAT action for traffic to the email server, and set the source IP address to 203.0.113.25.
- Answers-Create a global dynamic NAT rule for traffic from the email server and set the source IP address to 203.0.113.25.

***Match each type of NAT with the correct description: Conserves IP addresses and hides the internal topology of your network. (Choose one).
A. 1-to-1 NAT
B. Dynamic NAT
C. NAT Loopback
- Answers-Dynamic NAT

If your Firebox has a single public IP address, and you want to forward inbound traffic to internal hosts based on the destination port, which type of NAT should you use? (Select one.)
A. Static NAT
B. 1-to-1 NAT
C. Dynamic NAT
- Answers-Static NAT

***You need to create an HTTP-proxy policy to a specific domain for software updates (example.com). The update site has multiple subdomains and dynamic IP addresses on a content delivery network. Which of these options is the best way to define the destination in your HTTP-proxy policy? (Select one.)
A. Configure a host name for update.example.com.
B. Configure an FQDN for *.example.com.
C. Add IP addresses that correspond to each software update server in the domain.
D. Create an alias for all subdomains and known IP addresses for example.com.
- Answers-Configure an FQDN for *.example.com.

Prevent mail relay for the example.com domain. - Answers-From the SMTP proxy action settings in this image, which of these options is configured for incoming SMTP traffic? (Select one.)
A. Rewrite the Mail From header for the example.com domain.
B. Deny incoming mail from the example.com domain.
C. Prevent mail relay for the example.com domain.
D. Deny outgoing mail from the example.com domain.

You can configure the SMTP-proxy policy to restrict email messages and email content based on which of these message characteristics? (Select four.)
A. Sender Mail From address
B. Check URLs in message with WebBlocker
C. Email message size
D. Attachment file name and content type
E. Maximum email recipients
- Answers-Sender Mail From address
Email message size
Attachment file name and content type
Maximum email recipients

An email newsletter about sales from an external company is sometimes blocked by spamBlocker. What option could you choose to make sure the newsletter is delivered to your users? (Select one.)
A. Add a spamBlocker exception based on the From field of the newsletter email.
B. Set the spamBlocker action to quarantine the email for later retrieval.
C. Add a spamBlocker subject tag for bulk email messages.
D. Set the spamBlocker virus outbreak detection action to allow emails from the newsletter source.
- Answers-Add a spamBlocker subject tag for bulk email messages.

***Your company denies downloads of executable files from all websites. What can you do to allow users on the network to download executable files from the company's remote website? (Select one.)
A. Add an HTTP proxy exception for the company's remote website.
B. Create a WebBlocker exception to allow access to the company's remote website.
C. Create an IPS exception.
D. Create a Blocked Sites exception.
E. Configure HTTP Request > URL Paths to allow the company's remote website.
- Answers-Add an HTTP proxy exception for the company's remote website.

A user receives a deny message that the installation file (install.exe) is blocked by the HTTP-proxy policy and cannot be downloaded. Which HTTP proxy action rule must you modify to allow download of the installation file? (Select one.)
A. HTTP Request > Request Methods
B. HTTP Response > Body Content Types
C. HTTP Response > Header Fields
D. WebBlocker
E. HTTP Request > Authorization
- Answers-HTTP Response > Body Content Types

Which takes precedence: WebBlocker category match or a WebBlocker exception?
A. WebBlocker exception
B. WebBlocker category match
- Answers-WebBlocker exception

***To prevent certificate error warnings in your browser when you use deep content inspection with the HTTPS proxy, you can export the proxy authority certificate from the Firebox and import that certificate to all client devices.
C. Configure Gateway AntiVirus settings for a proxy action.
D. Disable automatic signature updates.
E. Decrease the scan limits
- Answers-Configure Gateway AntiVirus settings for a proxy action.
Configure a policy to use a proxy action that has AntiVirus settings configured.

After you enable Gateway AntiVirus, IPS, or Application control, how can you make sure the services protect your network from the latest known threats? (Select one.)
A. Enable default packet handling.
B. Configure Reputation Enabled Defense.
C. Enable automatic signature updates.
D. Enable HTTPS deep inspection.
- Answers-Enable automatic signature updates.

Which policies can use the Intrusion Prevention Service to block network attacks? (Select one.)
A. Only HTTP and HTTPS Proxy policies
B. Only proxy policies
C. All policies
D. Only packet filter policies
E. Only inbound policies
- Answers-All policies

Which of these services would you use to allow the use of P2P programs for a specific department in your organization? (Select one.)
A. Reputation Enabled Defense
B. Application Control
C. Data Loss Prevention
D. IPS
- Answers-Application Control

You can use Firebox System Manager to download a PCAP file that includes packet information about the protocols that manage traffic on your network.
A. True
B. False
- Answers-True

***From the Firebox System Manager > Authentication List tab, you can view all of the authenticated users connected to your Firebox and disconnect any of them.
A. True
B. False
- Answers-true

Match the monitoring tool to the correct task. Which is not a Fireware monitoring tool? (Select one)
A. FireBox System Manager - Blocked Sites list
B. Log Server
C. FireWatch
D. Firebox System Manager - Subscription services
E. Firebox System Manager - Authentication list
F. Traffic Monitor
- Answers-Log Server

Which diagnostic tasks can you run from the Traffic Monitor tab of Firebox System Manager? (Select four.)
A. DNS lookup
B. MAC address lookup
C. Traceroute
D. Reputation lookup
E. Ping
F. TCP dump
- Answers-DNS lookup
Traceroute
Ping
TCP dump

How can you include log messages from more than one Firebox in a single report generated by Dimension? (Select two.)
A. You cannot see report data in Dimension for more than one device.
B. Create a device group and view the reports for that group.
C. Create a report schedule that includes all the devices you want to include in the report.
D. Export report data as a single PDF file for all the devices you want to include in the report.
- Answers-Create a device group and view the reports for that group.
Create a report schedule that includes all the devices you want to include in the report.

To enable remote devices to send log messages to Dimension through the gateway Firebox, what must you verify is included in your gateway Firebox configuration? (Select one.)
A. You can only send log messages to Dimension from a computer that is on the network behind your gateway Firebox.
B. You must change the connection settings in Dimension, not on the gateway Firebox.
C. You must add a policy to the remote device configuration file to allow traffic to a Dimension.
D. You must make sure that either the WG-Logging packet filter policy, or another policy that allows external connections to Dimension over port 4115, is included
- Answers-You must add a policy to the remote device configuration file to allow traffic to a Dimension.
A. Local: 192.168.1.0/24 <--> Remote: 10.0.10.0/24 - Answers-In this diagram, which branch office VPN tunnel route must you add on the Site B Firebox to allow traffic between devices on the trusted network at Site B and the trusted network at site A? (Select one.)
A. Local: 192.168.1.0/24 <--> Remote: 10.0.10.0/
B. Local: 203.0.113.10/24 <--> Remote: 198.151.100.2/
C. Local: 10.0.10.1/24 <--> Remote: 192.168.1.1/
D. Local: 10.0.10.0/24 <--> Remote: 192.168.1.0/

10.0.10.0/24 - Answers-A local branch office VPN tunnel route is configured as shown in this image. On the remote peer device, what must be configured as the remote network address for this tunnel route? (Select one.)
A. 10.0.1.0/
B. 10.0.10.0/
C. 10.0.20.0/

false - Answers-***With the policies configured as shown in this image, HTTP traffic can be sent and received through branch office VPN tunnel.1 and tunnel.2.
A. True
B. False

***While troubleshooting a branch office VPN tunnel, you see this log message:
2014-07-23 12:29:15 iked (203.0.113.10<->203.0.113.20) Peer proposes phase one encryption 3DES, expecting AES
What settings could you modify in the local device configuration to resolve this issue? (Select one.)
A. BOVPN Gateway settings
B. BOVPN-Allow policies
C. BOVPN Tunnel settings
D. BOVPN Tunnel Route settings
- Answers-BOVPN Gateway settings

If you use an external authentication server for mobile VPN, which option must you complete before remote users can authenticate? (Select one.)
A. Create aliases for each remote user's virtual IP address.
B. Reboot the authentication server.
C. Add the Mobile VPN user group and remote users to your authentication server.
D. Add the remote users to a Mobile VPN user group on your Firebox.
- Answers-Add the Mobile VPN user group and remote users to your authentication server.
In a Mobile VPN configuration, why would you choose default route VPN over split tunnel VPN? (Select one.)
A. Default route VPN allows your Firebox to examine all remote user traffic
B. Default route VPN uses less bandwidth
C. Default route VPN uses less processing power
D. Default route VPN automatically allows dynamic NAT
- Answers-Default route VPN allows your Firebox to examine all remote user traffic

You can use Firebox-DB authentication with any type of Mobile VPN.
A. True
B. False
- Answers-True

Which tool is used to see a treemap visualization of the traffic through your Firebox? (Select one)
A. FireBox System Manager - Blocked Sites list
B. Log Server
C. Service Watch
D. Firebox System Manager - Subscription services
E. Firebox System Manager - Authentication list
F. Traffic Monitor
- Answers-Service Watch

Which tool can add an IP address for the Firebox to permanently block? (Select one)
A. FireBox System Manager - Blocked Sites list
B. Log Server
C. Service Watch
D. Firebox System Manager - Subscription services
E. Firebox System Manager - Authentication list
F. Traffic Monitor
- Answers-FireBox System Manager - Blocked Sites list

Match the monitoring tool to the correct task. Which tool can ping the source of a denied packet? (Select one)
A. FireBox System Manager - Blocked Sites list
B. Log Server
C. Service Watch
D. Firebox System Manager - Subscription services
E. Firebox System Manager - Authentication list
F. Traffic Monitor
- Answers-Traffic Monitor

Match the monitoring tool to the correct task. Which tool can learn the status of your IPS signature database? (Select one)
Match each WatchGuard Subscription Service with its function. Scans files to detect malicious software infections. (Choose one).
A. Reputation Enable Defense RED
B. Gateway / Antivirus
C. Data Loss Prevention DLP
D. Spam Blocker
E. Quarantine Server
- Answers-Gateway / Antivirus

Match each WatchGuard Subscription Service with its function. Prevents accidental or unauthorized transmission of confidential information outside your network. (Choose one).
A. Reputation Enable Defense RED
B. Gateway / Antivirus
C. Data Loss Prevention DLP
D. Intrusion Prevention Server IPS
E. APT Blocker
- Answers-Data Loss Prevention DLP

Match each WatchGuard Subscription Service with its function. Uses signatures to provide real-time protection against network attacks. (Choose one).
A. Reputation Enable Defense RED
B. Data Loss Prevention DLP
C. Intrusion Prevention Server IPS
D. Application Control
E. APT Blocker
- Answers-Intrusion Prevention Server IPS

Match each WatchGuard Subscription Service with its function. Uses rules, pattern matching, and sender reputation to block unwanted email messages. (Choose one).
A. Reputation Enable Defense RED
B. Gateway / Antivirus
C. Spam Blocker
D. Intrusion Prevention Server IPS
E. APT Blocker
- Answers-Spam Blocker

Match each WatchGuard Subscription Service with its function. Controls access to website based on content categories. (Choose one).
A. Reputation Enable Defense RED
B. Gateway / Antivirus
C. WebBlocker
D. Intrusion Prevention Server IPS
E. Application Control
- Answers-WebBlocker
***Match each type of NAT with the correct description: Allows a user on the trusted or optional network to connect to a public server that is on the same physical Firebox interface by its public IP address or domain name. (Choose one)
A. 1-to-1 NAT
B. Dynamic NAT
C. NAT Loopback
- Answers-NAT Loopback

***Match each type of NAT with the correct description: Changes and routes all incoming and outgoing packets sent from one range of addresses to a different range of addresses. (Choose one)
A. 1-to-1 NAT
B. Dynamic NAT
C. NAT Loopback
- Answers-1-to-1 NAT

***True or false: a packet filter analyzes traffic at the application, transport, network layers?
- Answers-false

***Your company denies downloads of PDF files from all websites. What can you do to allow users on the network to download PDF files from the company's remote website? (Select one.)
A. Add an HTTP proxy exception for the company's remote website.
B. Create a WebBlocker exception to allow access to the company's remote website.
C. Create an IPS exception.
D. Create a Blocked Sites exception.
E. Configure HTTP Response > body Content types select .pdf extensions
- Answers-Configure HTTP Response > body Content types select .pdf extensions

***What is included in a config file?
You can use the TCP-UDP proxy to control Web, FTP, and SIP traffic on ports other than 80, 21, and 5060.
a. True
b. False
- Answers-a. True. The TCP-UDP proxy applies to TCP and UDP traffic on any TCP or UDP port.

Which authentication servers can be used with any type of Mobile VPN? (Select two.)
a. Firebox-DB
b. Active Directory
c. RADIUS
d. LDAP
- Answers-Firebox-DB
RADIUS

Do you need a static route on Floor 1 and Floor 2 - Answers-There are two networks, one on floor 1, subnet 192.168.3.0/24, and one network on floor 2, 192.168.2.0/24. How can people on floor 1 reach a server on floor 2?
Do you need a static route on Floor 1
No changes need to be made networks on the same subnet.
Do you need a static route on Floor 2
Do you need a static route on Floor 1 and Floor 2
. - Answers-SDWAN fails over under what conditions? Is it
Latency
Jitter
Loss

. - Answers-What NAT do you use when coming from a private network and trying to connect to servers on the internet?
1:1 Nat
NAT loopback
Dynamic NAT
Static NAT

. - Answers-If a connection fails to fail over and your boss wants you to tell him why it didn't failover?
SDWAN ping policy wasn't setup
Link monitor failed
Link monitor was set to gradually fall back
Link Monitor was set to ping the default gateway but the outage happened further upstream