1. Portal
Where do you go to reboot and shutdown the XG Firewall?
Admin menu
System > Administration
Configure > System Services
2.
Your customer has configured a destination-based Security Heartbeat in the firewall rule shown here.
Which zone(s) can the Security Heartbeat settings be applied to? (select all that apply)
DMZ
LAN
WAN
WiFi
VPN
3. Page 61-62 and Portal
TRUE or FALSE: You can modify the IP address ranges for various countries in the Country Group objects
in the Sophos XG Firewall.
TRUE
FALSE
4. Page 134
You have been asked to create a site-to-site VPN connection with another company that will be
involved in a large project with yours.
Knowing that they do not have an XG Firewall, what is the best option for a site-to-site VPN protocol
between two different devices?
PPTP
L2TP
SSL
IPsec
5. Page 187
You have been asked to install STAS on your servers.
Which of the following are required in order for the installation to be successful? (select all that apply)
Access to security log
Active Directory
Logon as a service rights
SQL Server
6. Page 122
After enabling ATP on the XG Firewall, you test the ATP policy and cannot get the block page to
appear. You examine the configuration to see what is misconfigured, and find it as below.
Select the item that is preventing the block page from appearing.
Policy not enabled
Network Exception
Policy Setting
Threat Exception
7. Page 182
You have recently deployed STAS in the network. Users are having issues getting proper access to
network resources when browsing from the terminal server.
What could be causing this?
The XG Firewall cannot determine which user is associated to the IP Address
User and Network rules do not apply to a terminal server
The XG Firewall is treating the users as if they are logging in from their local computers
Logins to Terminal Servers are not detected by STAS
8. Online KB
What is the purpose of DNS Request Routes?
Specify which DNS server to use for specific DNS domains
Define the gateway to use for the default DNS server
Control which networks can perform DNS requests for selected domains
9. Page 158
You have a RED device deployed at a remote network in a standard/split configuration. When you
connect a Sophos access point to the remote network, it never appears in the pending access point list
on the XG Firewall.
What configuration change needs to be made for the RED connection?
Configure a split DNS server address
Add 1.2.3.4 to the remote network list
Add the IP address of the access point to the split networks
Add the IP address of the XG firewall to the split networks
10. Portal
You have opened a ticket with Sophos Support to troubleshoot an issue on the XG Firewall. Rather
than connecting to the device, they ask for a CTR in order to view information from the firewall.
Which of the following can you generate a Consolidated Troubleshoot Report (CTR) for? (select all that
apply)
Denied websites
Allowed websites
Allowed applications
System Snapshot
Denied applications
Log Files
11. Duplicate
Your customer has configured a destination-based Security Heartbeat in the firewall rule shown here.
Which zone(s) can the Security Heartbeat settings be applied to? (select all that apply)
WiFi
VPN
LAN
DMZ
WAN
12. Try
There is a point to point SSL VPN connection between the head office and multiple branch offices.
Users in the New York branch office have notified you that they have unrestricted access to resources
when coming from the remote offices back to the head office.
Looking at the firewall rules on the head office XG Firewall as shown above, which rule is causing this?
LAN to LAN
From New York
To VPN
LAN to DMZ
From VPN
Internet Access
13. Page 153
You have deployed an XG Firewall as a wireless controller only. No other features are being enabled.
Because of this, the XG Firewall is not the edge device in the network.
What can be done so that the wireless access points can still register with the XG Firewall?
Set a DHCP option code with the IP address of the XG
Have the APs get their configuration from the cloud provisioning service
Create a static DNS entry with the IP address of the XG
Create a configuration file and load it to the APs from a USB drive
14. Page 351
You get a call from a fellow administrator who was looking at the XG Firewall reports and noticed the
application risk meter was at 4.2. They were not sure if this was a cause for concern so they decided
to bring it to your attention.
Which of the following should be the basis of your response?
Users are doing very few risky activities on the network
There are some users showing risky behavior but it is currently at a low level
There are users performing risky actions on the network
15. Page 70
TRUE or FALSE: When creating a new zone you have to enable at least one admin service.
TRUE
FALSE
16. Page 244
You have been asked to create a surfing quota for guest access that allows users access to the internet
for 20 hours in a week and then terminates the connection with no recurrence.
Which image shows the best way to configure the surfing quota?
A
B
C
D
17. Help and Portal
An administrator at a remote site is attempting to upload an SSL site-to-site VPN client configuration
file that you have sent them. They comment that they are not able to upload the file into their
firewall.
What could be preventing them from doing this?
The Administrator has entered the wrong connection name
VPN configuration is encrypted
The Administrator needs to override the peer name
The Administrator needs to configure an HTTP proxy server
18. Page 20 & 218
You are contacted by a customer that is concerned about where the potential malware is executed in
Sophos Sandstorm, and wants to be sure that it could not accidentally spread to their network.
Where do you tell them that Sophos Sandstorm executes potential malware when the feature is enabled
on an XG Firewall? (select all that apply)
In the cloud
On the auxiliary XG Firewall in the cluster
On the primary XG Firewall in the cluster
On a Windows server of your choice
19. Page 398
A customer that is configuring a new XG Firewall has forgotten their admin password and they haven't
created any other administrator users yet.
How can the admin password be reset to the default?
Reboot and use SFLoader
Login to the MyUTM portal and reset the password from there
Connect to the console using a serial cable and run the command reset-admin-password
Contact Sophos support who can use a remote connection to reset the password
20. Page 310
You have deployed a number of access points in the network and are now in the process of
configuring the wireless networks that will be broadcast from the APs. There are no existing VLANs in
the network and everything is connected using basic layer 2 switches. As part of the configuration,
you are setting up a secure guest network that needs to have its traffic isolated.
What security mode would allow this to be done without any additional changes to the network
configuration?
Bridge to AP LAN
Bridge to VLAN
Separate Zone
21. Portal
How do you enable and disable IPsec VPNs?
Through the Console
Using the ON/OFF toggle switch
They are always enabled unless the connection is down
By clicking on the status indicators
22. Page 112 and Help
It is brought to your attention that the heartbeat status of a machine on the network has gone from
GREEN to RED.
Which of the following could be the cause for this change in status? (select all that apply)
Email protection has blocked an email that originated at the computer
Endpoint agent has stopped working
IPS has blocked traffic to the machine
Malware has been detected on this machine
23. Portal
When performing a backup of the configuration on the XG Firewall, which locations can the resulting
backup file be sent to? (select all that apply)
Local
FTP
HTTPS
SSH
Email
24. Page 118
Your customer has recently deployed Sophos Central to their devices and has asked you to help
configure Security Heartbeat in their firewall rules. You are configuring a rule to allow computers
connected to the LAN to access intranet servers. Your customer wants to ensure that only computers
that have a GREEN Security Heartbeat are able to access the intranet servers.
Which of the configurations shown here should you use?
A
B
C
D
E
F
25. Portal
TRUE or FALSE: When you create a new network firewall rule it will be enabled by default.
TRUE
FALSE
26. Page 361
While visiting a customer that has been trialing Sophos Sandstorm you want to review the activity with
them.
Where would you do this?
On the XG Firewall under MONITOR & ANALYZE > Reports > Sandstorm
In Sophos Central under CONFIGURE > System Settings > Registered Firewall Appliances
On the XG Firewall under MONITOR & ANALYZE > Current Activities > Sandstorm
In Sophos Central under ANALYZE > Alerts
On the XG Firewall under PROTECT > Advanced Threat > Sandstorm Activity
27. Portal
TRUE or FALSE: Hotspots can only be created for wireless networks using the separate zone access
method.
TRUE
FALSE
28. Page 337
An organization consists of many offsite users that are allowed to install software on their company
laptops. Most users are comfortable installing applications themselves as long as they have the install
files.
Where can a user download the SSL VPN client from, in order to install on their workstation?
Sophos Cloud
User Portal
sophos.com
WebAdmin
29. Help
After deploying a Sophos XG Firewall, concerns have been expressed regarding internal computers
contacting command and control servers and becoming bots.
What security feature on the XG Firewall can help prevent this?
ATP
TOTP
RED
IPS
30. Page 234
You have enabled SafeSearch in a web protection policy on the XG Firewall. Enabling this feature was
not in the original plan and now some coworkers are worried about the additional load this may put
on the XG Firewall.
What can you tell them to ease their minds?
SafeSearch uses less than 5% additional resources per 1000 users on the XG Firewall
SafeSearch is processed by the search engine and not the XG Firewall
SafeSearch is handled by the client browser so it does not use any extra resources
31. Page 158-159
You are in the process of deploying multiple RED devices to allow for remote access from various
branch offices. Due to bandwidth issues at the head office, you would like to deploy the RED devices
so that only necessary traffic is routed back to the head office.
What modes of deployment could be used to achieve this? (select all that apply)
Transparent/Split
Standard/Split
Standard/Unified
32. Page 175
You need to create a user account to authenticate a VOIP system that needs access to the Internet.
The system does not have the ability to authenticate with your directory service.
What type of user would you create to accomplish this?
Directory Service User
Clientless User
System User
Guest User
33. Page 226
You would like to restrict users from logging into Google services that are not tied to company
approved domains.
Where in a web policy can you find the option to enforce that only certain domains are available for
Google Apps?
User Activities
General Settings
Exceptions
Advanced Settings
34. Page 267
You have configured your email protection with the default MTA mode. Some email servers are
rejecting emails sent from the XG Firewall.
What would you check first when troubleshooting this issue?
The sending mail server has been added to the allowed relays
SMTP Relay has been enabled for the WAN zone
The SMTP host name has been configured correctly
35. Portal
Your company has a very strict web usage policy that does not allow users to browse the Internet
except to a minimum number of approved types of sites. After reviewing the policy, you confirm that
there are five categories of web sites in the XG Firewall that will meet the allowances set forth by
company policy.
You have created a web policy that will allow only 5 different categories of web sites. You have then
applied this policy to all relevant outbound traffic rules.
When you sit down to test the rule, you are still able to access pages that should be blocked.
What is the most likely reason for this?
The Web Proxy settings were not configured to capture the traffic
Ports 80 and 443 were not added to the transparent filter list
The Default Action was not modified in the rule to block all traffic
The default time constraints on the policy were not set to business hours
36. Page 295
Which of the following types of email can be released from the quarantine in the User Portal? (select all
that apply)
Probable Spam
Blocked File Type
Spam
Unscannable content (e.g., encrypted)
Virus
37. Page 287
A customer is interested in using SPX to allow users to encrypt emails that contain sensitive
information. They want to know options they have for setting the encryption password.
What do you tell your customer? (select all that apply)
You can use RSA tokens to create the password
You can use passwords generated by the ISP
The XG Firewall can generate a password for encryption and email it to the sender
The sender can specify the password in the subject line
The password can be generated by the Outlook add-in
The XG Firewall can email the recipient to create an encryption password
The XG Firewall at the recipient's site can generate the password
38. Help
A customer has created an SSL VPN Remote Access policy for their Active Directory users, but they are
unable to authenticate successfully to establish a VPN connection.
What does the customer need to do to resolve the issue?
Select the Active Directory server's certificate in the SSL VPN Settings
You cannot authenticate Active Directory users with the SSL VPN
Select the Active Directory server as an authentication source in SSL VPN Authentication Methods
Select the Active Directory server in the SSL VPN Remote Access policy
39. Page 271 and Help
What is the danger of adding the ANY Host/Network object to the Allow Relay from Hosts/Networks
section of the Relay settings on the XG Firewall?
Users will be able to bypass email filtering on their local clients
Anyone internally or externally could use the firewall to send email
This will cause the processing time for emails to exceed their time to live
40. Page 340
The company has a number of Android tablets that have been assigned to users. They would like
these users to have secure remote access through a VPN back to the company to run a specific
Android application and connect to a server.
What mobile VPN options are natively supported for Android devices? (select all that apply)
RED
SSH
L2TP over IPsec
IPsec