Study your flashcards anywhere!

Download the official Cram app for free >

  • Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key


Play button


Play button




Click to flip

57 Cards in this Set

  • Front
  • Back

You can use Firebox-DB authentication with any type of Mobile VPN

True or False


From the Firebox System Manager > Authentication List tab, you can view all of the authenticated users connected to your Firebox and disconnect any of them

True or False?


To use the Web Setup Wizard or Quick Setup Wizard to configure your Firebox or XTM device, your computer must have an IP address on which subnet?






When you configure the Global Application Control action, it is automatically applied to all policies?

True or False


You can configure your Firebox to automatically redirect users to the Authentication Portal page?

True or False


From the Fireware Web UI, you can generate a report that shows your device configuration settings

True or False?


Which takes precedence: WebBlocker category match or a WebBlocker Exception

WebBlocker Exception

Which of these actions adds a host to the temporary or permanent blocked sites list?

a. Enable the AUTO-block sites that attempt to connect option in a deny policy

b. Add the site to the Blocked Sites Exceptions List

c. Add Site to Blocked Sites List

A: Enable the Auto-Block sites that attempt to connect option in a deny policy

C: Add site to blocked sites list

You can configure the SMTP-proxy policy to restrict email messages and email content based on which of these message characteristics?

a. Sender Mail From address

b. Attachment file and content type

C. Maximum Email Size

D. Number of Addresses

After you enable Gateway AntiVirus, IPS, or Application Control, how can you make sure the services protect your network from the latest known threats?

Enable automatic signature updates

When your device is in a default state, to which interface do you connect your management computer so you can use the Quick Setup Wizard or Web Setup Wizard to configure the device?

Interface 1

How can you prevent connections to the Fireware Web UI from computers on optional interface Eth2?

Remove the Optional Alias from Eth2

The IP address for the trusted interface on your Firebox is, but you want to change the IP address for this interface. How can you avoid a network outage for clients on the trusted network when you change the interface IP address to

Add as a secondary IP address for the interface.

To enable remote devices to send log messages to Dimension through the gateway Firebox, what must you verify is included in your gateway Firebox configuration?

Add the IP address for this instance of Dimension, and the Log Server Encryption Key you specified in the Setup Wizard, to the WatchGuard Log Server list.

Which policies can use the Intrusion Prevention Service to block network attacks?

All Policies

Which items are included in a Firebox backup image?

It includes the XTM device OS, configuration file, feature keys, Device Management users, passphrases, DHCP leases, and certificates. The backup image also includes any event notification settings that you configured in Traffic Monitor.

When you examine the log messages In Traffic Monitor, you see that some network packets are denied with an unhandled packet log message. What does this log message mean?

An unhandled packet is a packet that does not match any policy rule.

If you use an external authentication server for mobile VPN, which option must you complete before remote users can authenticate?

If you create a Mobile VPN user group that authenticates to a third-party server, make sure you create a group on the server that has the same name as the name you added for the Mobile VPN group.

How can you include log messages from more than one Firebox in a single report generated by Dimension?

1. Add the devices to one group

2. Include them in the scheduled reports

You can configure your Firebox to send log messages to how many WatchGuard Log Servers at the same time?

As many as you have configured on your network

Which of these services would you use to allow the use of P2P programs for a specific department in your organization?

Application Control

Which WatchGuard Subscription Service must be enabled in a proxy policy before you can use APT Blocker?

Gateway Antivirus

Which of these threats can the Firebox prevent with the default packet handling settings?

1. Spoofing

2. Flood Attacks (DDOS)

3. Block all traffic to and from an address

4. Probes

When your users connect to the Authentication Portal page to authenticate, they see a security warning message in their browses, which they must accept before they can authenticate. How can you make sure they do not see this security warning message in their browsers?

If you want to remove this warning, you can use a third-party certificate or create a custom certificate that matches the IP address or domain name used for authentication.

The policies in a default Firebox configuration do not allow outgoing traffic from optional interfaces.


Only 50 clients on the trusted network of your Firebox can connect to the Internet at the same time. What could cause this?

DHCP Address Pool only has 50 addresses

You have a privately addressed email server behind your Firebox. If you want to make sure that all traffic from this server to the Internet appears to come from the public IP address, regardless of policies, which from of NAT would you use?

1-to-1 NAT

What settings must you device configuration file include for Gateway AntiVirus to protect users on your network?

Configure a policy to use a proxy action that has AntiVirus settings configured.

To prevent certificate error warnings in your browser when you use deep content inspection with the HTTPS proxy, you can export the proxy authority certificate from the Firebox and import that certificate to all client devices.

True or False?


While troubleshooting a branch office VPN tunnel, you see this log message:2014-07-23 12:29:15 iked (<-> Peer proposes phase one encryption 3DES, expecting AES. What settings could you modify in the local device configuration to resolve this issue?

BOVPN GatewaySettings

You configured four Device Administrator user accounts for your Firebox. To see a report of witch Device Management users have made changes to the device configuration, what must you do?

Connect to Report Manager or Dimension and view the Audit Trail report for your device.

For which of these third party authentication methods must you specify a search base?

Active Directory and LDAP

Which of these options are private IPv4 addresses you can assign to a trusted interface, as described in RFC 1918, Address Allocation for Private Internets?

In a Mobile VPN configuration, why would you choose default route VPN over split tunnel VPN?

The most secure option is to require that all remote user Internet traffic is routed through the VPN tunnel to the XTM device. Then, the traffic is sent back out to the Internet. With this configuration (known as default-route VPN), the XTM device is able to examine all traffic and provide increased security, although it uses more processing power and bandwidth

How is a proxy policy different from a packet filter policy?

A Proxy examines the packet content.

A proxy operates at the application layer, as well as the network and transport layers of a TCP/IP packet, while a packet filter operates only at the network and transport protocol layer.

You need to create an HTTP-proxy policy to a specific domain for software updates ( The update site has multiple subdomains and dynamic IP addresses on a content delivery network. Which of these options is the best way to define the destination in your HTTPproxy policy?

Add to HTTP-Proxy exception

What is the best method to downgrade the version of Fireware OS on your Firebox without losing all device configuration settings?

Restore a saved backup image that was created for the device before the last Fireware OS upgrade.

After you enable spamBlocker, your users experience no reduction in the amount of spam they receive. What could explain this?

1. No POP3 or SMTP proxy to scan inbound mail

2. DNS is not configured to resolve the spamBlocker addresses

In the default Firebox configuration file, which policies control management access to the device?

Watchguard and Watchguard Web UI

Which of these options must you configure in an HTTPS-proxy policy to detect credit card numbers in HTTP traffic that is encrypted with SSL?

1. Deep inspection of HTTPS content

2. Data Loss Prevention

Which authentication servers can you use with your Firebox?

Fire-DB, RADIUS, VASCO, SecurID, LDAP and Active Directory

Your company denies downloads of executable files from all websites. What can you do to allow users on the network to download executable files from the company’s remote website?

Add a HTTP Request URL Path for executable set to allow or Add a HTTP Body Content Type Allow rule for executable

You can use Firebox System Manager to download a PCAP file that includes packet information about the protocols that manage traffic on your network.

True or False?


Which diagnostic tasks can you run from the Traffic Monitor tab of Firebox System Manager?

1. DNS Lookup

2. Ping

3. Traceroute

4. TCP Dump

If your Firebox has a single public IP address, and you want to forward inbound traffic to internal hosts based on the destination port, which type of NAT should you use?

Static NAT

What is one reason that users could see a certificate warning in their web browsers when they connect to Fireware XTM Web UI?

The Firebox or XTM device uses the default self-signed certificate.

If you disable the Outgoing policy, which policies must you add to allow trusted users to connect to commonly used websites?

1. HTTP Port 80

2. HTTPS 443

3. DNS Port 53

A user receives a deny message that the installation file (install.exe) is blocked by the HTTP-proxy policy and cannot be downloaded. Which HTTP proxy action rule must you modify to allow download of the installation file?

HTTP Request > URL Paths

Which WatchGuard tools can you use to review the log messages generated by your Firebox?

1. Firebox System Manager > Traffic Monitor

2. Web UI > Traffic Monitor

3. Dimension/Log Server

An email newsletter about sales from an external company is sometimes blocked by spamBlocker. What option could you choose to make sure the newsletter is delivered to your users?

Add sender's from address to the exception list and use the Allow action

What uses Full system emulation (CPU and memory) to scan for advanced threats?

APT Blocker

What does this policy do?

What does this policy do?

Prevent an email relay on the domain

What aliases is Eth 2 apart of?

What aliases is Eth 2 apart of?

Any, Any-Trusted, Firebox

NAT Loopback

NAT loopback allows a user on the trusted or optional networks to connect to a public server with its public IP address or domain name if the server is on the same physical XTM device interface.

Dynamic NAT

Dynamic NAT is the most frequently used type of NAT. It changes the source IP address of an outgoing connection to the public IP address of the XTM device. Outside the XTM device, you see only the external interface IP address of the XTM device on outgoing packets.

What is RED?

Reputation Enabled Defense

What is a SNAT?

An SNAT action is a NAT mapping which replaces the original destination IP address (and optionally, port) with a new destination.