








































Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Watchguard Network Security Essentials WatchGuard Network Security Essentials COMPLETE EXAM LATEST VERSION 2026-2027 QUESTIONS AND ANSWERS.pdf
Typology: Exams
1 / 48
This page cannot be seen from the preview
Don't miss anything!









































For which of these third party authentication methods must you specify a search base? (Select two.)
B. Active Directory C. SecurID D. LDAP - answer>>Active Directory LDAP
You have a privately addressed email server behind your Firebox. If you want to make sure that all traffic from this server to the Internet appears to come from the public IP address 203.0.113.25, regardless of policies, which from of NAT would you use? (Select one.)
A. In the SMTP policy that handles traffic from the email server, select the option to apply dynamic NAT to all traffic in the policy and set the source IP address 203.0.113.25. B. Create a global dynamic NAT rule for traffic from the email server and set the source IP address to 203.0.113.25. C. Create a static NAT action for traffic to the email server, and set the source IP address to 203.0.113.25. - answer>>Create a global dynamic NAT rule for traffic from the email server and set the source IP address to 203.0.113.25.
***Match each type of NAT with the correct description: Conserves IP addresses and hides the internal topology of your network. (Choose one).
A. 1-to1 NAT B. Dynamic NAT C. NAT Loopback - answer>>Dynamic NAT
If your Firebox has a single public IP address, and you want to forward inbound traffic to internal hosts based on the destination port, which type of NAT should you use? (Select one.)
A. Static NAT B. 1-to-1 NAT C. Dynamic NAT - answer>>Static NAT
***You need to create an HTTP-proxy policy to a specific domain for software updates (example.com). The update site has multiple subdomains and dynamic IP addresses on a content delivery network. Which of these options is the best way to define the destination in your HTTP-proxy policy? (Select one.)
A. Configure a host name for update.example.com. B. Configure an FQDN for *.example.com. C. Add IP addresses that correspond to each software update server in the domain. D. Create an alias for all subdomains and known IP addresses for example.com. - answer>>Configure an FQDN for *.example.com.
Prevent mail relay for the example.com domain. - answer>>From the SMTP proxy action settings in this image, which of these options is configured for incoming SMTP traffic? (Select one.)
A. Rewrite the Mail From header for the example.com domain. B. Deny incoming mail from the example.com domain. C. Prevent mail relay for the example.com domain. D. Deny outgoing mail from the example.com domain.
You can configure the SMTP-proxy policy to restrict email messages and email content based on which of these message characteristics? (Select four.)
A. Sender Mail From address
A. HTTP Request > Request Methods B. HTTP Response > Body Content Types C. HTTP Response > Header Fields D. WebBlocker E. HTTP Request > Authorization - answer>>HTTP Response > Body Content Types
Which takes precedence: WebBlocker category match or a WebBlocker exception?
A. WebBlocker exception B. WebBlocker category match - answer>>WebBlocker exception
***To prevent certificate error warnings in your browser when you use deep content inspection with the HTTPS proxy, you can export the proxy authority certificate from the Firebox and import that certificate to all client devices.
A. True B. False - answer>>True
***Which of these options must you configure in an HTTPS-proxy policy to detect credit card numbers in HTTP traffic that is encrypted with SSL? (Select two.)
A. WebBlocker B. Gateway AntiVirus C. Application Control D. Content Inspection E. Data Loss Prevention - answer>>Content inspection Data Loss Prevention
Match each WatchGuard Subscription Service with its function.Uses full-system emulation analysis to identify characteristics and behavior of zero-day malware. (Choose one).
A. Reputation Enable Defense RED B. Gateway / Antivirus C. Data Loss Prevention DLP D. Spam Blocker E. WebBlocker F. Intrusion Prevention Server IPS G. Application Control H. Quarantine Server I. APT - answer>>APT
When you configure the Global Application Control action, it is automatically applied to all policies.
A. True B. False - answer>>False
Which WatchGuard Subscription Service must be enabled in a proxy policy before you can use APT Blocker? (Select one.)
B. Application Control C. Gateway Antivirus D. WebBlocker E. IPS - answer>>Gateway Antivirus
What settings must your device configuration file include for Gateway AntiVirus to protect users on your network? (Select two.)
A. Configure a policy to use a proxy action that has AntiVirus settings configured. B. Install the Gateway AntiVirus server on your network.
You can use Firebox System Manager to download a PCAP file that includes packet information about the protocols that manage traffic on your network.
A. True B. False - answer>>True
***From the Firebox System Manager >Authentication List tab, you can view all of the authenticated users connected to your Firebox and disconnect any of them.
A. True B. False - answer>>true
Match the monitoring tool to the correct task.Which is not a Fireware monitoring tool? (Select one)
A. FireBox System Manager - Blocked Sites list B. Log Server C. FireWatch D. Firebox System Manager - Subscription services E. Firebox System Manager - Authentication list F. Traffic Monitor - answer>>Log Server
Which diagnostic tasks can you run from the Traffic Monitor tab of Firebox System Manager? (Select four.)
A. DNS lookup B. MAC address lookup C. Traceroute D. Reputation lookup E. Ping
F. TCP dump - answer>>DNS lookup Traceroute Ping TCP dump
How can you include log messages from more than one Firebox in a single report generated by Dimension? (Select two.)
A. You cannot see report data in Dimension for more than one device. B. Create a device group and view the reports for that group. C. Create a report schedule that includes all the devices you want to include in the report. D. Export report data as a single PDF file for all the devices you want to include in the report. - answer>>Create a device group and view the reports for that group.
Create a report schedule that includes all the devices you want to include in the report.
To enable remote devices to send log messages to Dimension through the gateway Firebox, what must you verify is included in your gateway Firebox configuration? (Select one.)
A. You can only send log messages to Dimension from a computer that is on the network behind your gateway Firebox. B. You must change the connection settings in Dimension, not on the gateway Firebox. C. You must add a policy to the remote device configuration file to allow traffic to a Dimension. D. You must make sure that either the WG-Logging packet filter policy, or another policy that allows external connections to Dimension over port 4115, is included - answer>>You must add a policy to the remote device configuration file to allow traffic to a Dimension.
Which WatchGuard tools can you use to review the log messages generated by your Firebox? (Select three).
A. Firebox System Manager > Traffic Monitor B. Fireware XTM Web UI > Traffic Monitor
D. The user or group is not present in the Firebox User database. - answer>>The Firebox or XTM device uses the default self-signed certificate.
From the Fireware Web UI, you can generate a report that shows your device configuration settings.
A. True B. False - answer>>True
A. Local: 192.168.1.0/24 <--> Remote: 10.0.10.0/24 - answer>>In this diagram, which branch office VPN tunnel route must you add on the Site B Firebox to allow traffic between devices on the trusted network at Site B and the trusted network at site A? (Select one.)
A. Local: 192.168.1.0/24 <--> Remote: 10.0.10.0/ B. Local: 203.0.113.10/24 <--> Remote: 198.151.100.2/ C. Local: 10.0.10.1/24 <--> Remote: 192.168.1.1/ D. Local: 10.0.10.0/24 <--> Remote: 192.168.1.0/
10.0.10.0/24 - answer>>A local branch office VPN tunnel route is configured as shown in this image. On the remote peer device, what must be configured as the remote network address for this tunnel route? (Select one.)
false - answer>>***With the policies configured as shown in this image, HTTP traffic can be sent and received through branch office VPN tunnel.1 and tunnel.2. A. True B. False
***While troubleshooting a branch office VPN tunnel, you see this log message:2014-07-23 12:29:15 iked (203.0.113.10<->203.0.113.20) Peer proposes phase one encryption 3 DES, expecting AES
What settings could you modify in the local device configuration to resolve this issue? (Select one.)
A. BOVPN Gateway settings B. BOVPN-Allow policies C. BOVPN Tunnel settings D. BOVPN Tunnel Route settings Hide Solution Discussion 1 - answer>>BOVPN Gateway settings
If you use an external authentication server for mobile VPN, which option must you complete before remote users can authenticate? (Select one.)
A. Create aliases for each remote user's virtual IP address. B. Reboot the authentication server. C. Add the Mobile VPN user group and remote users to your authentication server. D. Add the remote users to a Mobile VPN user group on your Firebox. - answer>>Add the Mobile VPN user group and remote users to your authentication server.
In a Mobile VPN configuration, why would you choose default route VPN over split tunnel VPN? (Select one.)
A. Default route VPN allows your Firebox to examine all remote user traffic B. Default route VPN uses less bandwidth C. Default route VPN uses less processing power D. Default route VPN automatically allows dynamic NAT - answer>>Default route VPN allows your Firebox to examine all remote user traffic
You can use Firebox-DB authentication with any type of Mobile VPN.
F. Traffic Monitor - answer>>Traffic Monitor
Match the monitoring tool to the correct task.Which tool can learn the status of your IPS signature database? (Select one)
A. FireBox System Manager - Blocked Sites list B. Log Server C. Service Watch D. Firebox System Manager - Subscription services E. Firebox System Manager - Authentication list F. Traffic Monitor - answer>>Firebox System Manager - Subscription services
Match the monitoring tool to the correct task.Which tool can view a list of users connected to the Firebox? (Select one)
A. FireBox System Manager - Blocked Sites list B. Log Server C. Service Watch D. Firebox System Manager - Subscription services E. Firebox System Manager - Authentication list F. Traffic Monitor - answer>>Firebox System Manager - Authentication list
Match each WatchGuard Subscription Service with its function.Manages use of applications on your network. (Choose one)
A. Reputation Enable Defense RED B. Data Loss Prevention DLP C. Intrusion Prevention Server IPS D. Application Control
E. APT Blocker - answer>>Application Control
Match each WatchGuard Subscription Service with its function.A repository where email messages can be sent based on analysis by spamBlocker, Gateway AntiVirus, or Data Loss Prevention. (Choose one).
A. Gateway / Antivirus B. Data Loss Prevention DLP C. Spam Blocker D. Intrusion Prevention Server IPS E. Quarantine Server - answer>>Quarantine Server
Match each WatchGuard Subscription Service with its function.Cloud based service that controls access to website based on a sites previous behavior. (Choose one).
A. Reputation Enable Defense RED B. Data Loss Prevention DLP C. WebBlocker D. Intrusion Prevention Server IPS E. Application Control F. Quarantine Server - answer>>Reputation Enable Defense RED
Match each WatchGuard Subscription Service with its function.Scans files to detect malicious software infections. (Choose one).
A. Reputation Enable Defense RED B. Gateway / Antivirus C. Data Loss Prevention DLP D. Spam Blocker E. Quarantine Server - answer>>Gateway / Antivirus
A. Reputation Enable Defense RED B. Gateway / Antivirus C. WebBlocker D. Intrusion Prevention Server IPS E. Application Control - answer>>WebBlocker
***Match each type of NAT with the correct description:Allows a user on the trusted or optional network to connect to a public server that is on the same physical Firebox interface by its public IP address or domain name. (Choose one)
A. 1-to1 NAT B. Dynamic NAT C. NAT Loopback - answer>>NAT Loopback
***Match each type of NAT with the correct description:Changes and routes all incoming and outgoing packets sent from one range of addresses to a different range of addresses. (Choose one)
A. 1-to1 NAT B. Dynamic NAT C. NAT Loopback - answer>>1-to1 NAT
*** True of false: a packet filter analyzes traffic at the application, transport, network layers? - answer>>false
***Your company denies downloads of PDF files from all websites. What can you do to allow users on the network to download PDF files from the companys remote website? (Select one.)
A. Add an HTTP proxy exception for the company's remote website. B. Create a WebBlocker exception to allow access to the company's remote website. C. Create an IPS exception.
D. Create a Blocked Sites exception. E. Configure HTTP Response > body Content types select .pdf extensions - answer>>Configure HTTP Response > body Content types select .pdf extensions
*** What are included in a config file?
***Match the diagnostic tool to the system component?
***Line of code from traffic monitor for troubleshooting IKV2-VPN.
If it fails phase 1, what do you check? If it fails on phase 2, what do you check? - answer>>Phase 1-Check gateway settings Phase 2-Check tunnel settings
***True and False Default Threat protection happens after going through the policy list top to bottom - answer>>false
d. Yes, the Outgoing policy allows this traffic. - answer>>From the policies shown in this image, can users in the Sales group connect from the trusted network to websites with HTTPS? (Select one.)
a. No. The HTTPS-proxy policy only allows HTTPS traffic for the Accounting group. b. No. The Outgoing policy does not allow any traffic from the Sales group. c. Yes. The HTTP policy allows HTTP and HTTPS traffic for the Sales group. d. Yes. The Outgoing policy allows HTTPS traffic from the trusted network.
You can configure Dynamic NAT to route incoming connections from the Internet to two different FTP servers on the trusted network.
a. True b. False - answer>>b. False. Dynamic NAT applies only to outgoing connections.
What port and protocol is used by DNS? (Select one.)
a. UDP/ b. UDP/ c. TCP/ d. TCP/25 - answer>>UDP/
While troubleshooting a branch office VPN tunnel, you see the log message below. What settings could you modify in the local device configuration to resolve the configuration issue? (Select one.) iked (203.0.113.50<->203.0.113.20)IKE phase-2 negotiation from 203.0.113.50:500 to 203.0.113.20:500 failed. Tunnel='tunnel.1' Reason=Received proposal without PFS, Expecting PFS enabled id="0205-0002" Debug
a. BOVPN Gateway settings b. BOVPN Tunnel settings c. BOVPN over TLS settings
d. IKEv2 Shared settings - answer>>BOVPN Tunnel settings.
b and d. You can configure a static route to the specific server, or to the entire subnet it is on. In either case, the gateway is the IP address of the router that connects to that network, and the gateway must be reachable by the firewall. - answer>>Based on this network diagram, which of these static routes could you add to the Firebox to enable the Firebox to route traffic from clients on the 192.168.10.0/24 subnet to a server at 10.0.20.80? (Select two.)
a. Route to 10.0.20.0, Gateway 10.0.2. b. Route to 10.0.20.80, Gateway 192.168.10. c. Route to 192.168.10.5, Gateway 192.168.10. d. Route to 10.0.20.0/24, Gateway 192.168.10.
You can use the TCP-UDP proxy to control Web, FTP, and SIP traffic on ports other than 80, 21, and 5060.
a. True b. False - answer>>a. True. The TCP-UDP proxy applies to TCP and UDP traffic on any TCP or UDP port.
Which authentication servers can be used with any type of Mobile VPN (Select two.)
a. Firebox-DB b. Active Directory c. RADIUS d. LDAP - answer>>Firebox-DB RADIUS
.Do you need a static route on Floor 1 and Floor 2 - answer>>There are two networks one on floor 1 subnet 192.168.3.0/24 and one network on floor 2 192.168.2.0/24. How can people on floor 1 reach a server on floor 2.
Do you need a static route on Floor 1 No changes need to be made networks on the same subnet.