Fireware Essentials

Front 1

What is the "WSM"?

Back 1

The WatchGuard System Manager is the primary software application you use to manage Firebox devices and WatchGuard servers on your network.

Front 2

What are the components included with WSM?

Back 2

- Policy Manager

- Firebox System Manager (FSM)

- HostWatch

Front 3

What are the components included with WatchGuard Server Center?

Back 3

- Management Server

- Log Server

- Report Server

- Quarantine Server

- WebBlocker Server

Front 4

What is the "Management Server"?

Back 4

Manages multiple Firebox devices at the same time and creates virtual private network(VPN) tunnels with a simple drag-and-drop method.

Front 5

What is the "Log Server"?

Back 5

Collects log messages from Firebox devices and servers.

Front 6

What is the "Report Server"?

Back 6

Periodically consolidates data collected by your Log Servers and uses this data to generatethe reports that you select.

Front 7

What is the "Quarantine Server"?

Back 7

Collects and isolates SMTP email confirmed as spam by spamBlocker, or confirmed tohave a virus by Gateway Antivirus or by spamBlocker’s Virus Outbreak Detection feature.

Front 8

What is the "WebBlocker Server"?

Back 8

Provides information for an HTTP-proxy to deny user access to specified categories ofwebsites.

Front 9

What components are included with the "WatchGuard Web Center"?

Back 9

- Log Manager

- Report Manager

- CA Manager

Front 10

What port do you use to connect to the WebCenter?

Back 10

4130

Front 11

What is "WatchGuard Dimensions"?

Back 11

A virtual solution you can use to capture the log data from your Firebox devices,FireClusters, and WatchGuard servers. You can use Dimension to see this log data in real-time, track it across yournetwork, view the source and destination of the traffic, view log message details of the traffic, monitor threats to yournetwork, and view or generate reports of the traffic.

Front 12

What 4 components make up "WatchGuard Dimensions"?

Back 12

- Log Collector

- Log Server

- Log Database

- Web Services

Front 13

What is the "Log Collector" (In relation to WatchGuard Dimensions)?

Back 13

Receives log messages from Firebox devices, FireClusters, and WatchGuard servers andaggregates the log message data into dashboard summaries and reports.

Front 14

What is the "Log Server" (In relation to WatchGuard Dimensions)?

Back 14

Provides the API for log data, provisioning, and automated maintenance of Dimension.

Front 15

What is the "Log Database" (In relation to WatchGuard Dimensions)?

Back 15

Provides storage for all log message data.

Front 16

What is the "Web Services" (In relation to WatchGuard Dimensions)?

Back 16

Serves the Dimension WebUI to users and administrators.

Front 17

Which components of "WatchGuard Dimensions" are automatically installed?

Back 17

All of them:

- Log Collector

- Log Server

- Log Database

- Web Services

Front 18

Which components of "WatchGuard Dimensions" are automatically configured?

Back 18

- Log Collector

- Log Database

- Web Services

You have to configure the Log Server after the initial install.

Front 19

Can you configure a device before activating it?

Back 19

No

Front 20

What happens when you activate a device?

Back 20

You start the LiveSecurity Service subscription for the device.

Front 21

What is the "LiveSecurity Service"?

Back 21

Provides alerts, threatresponses, and expert advice to help you keep your network secure and up-to-date.

Front 22

What must you have to activate a device?

Back 22

Firebox serial number

An account on the WatchGuard website

Front 23

What are the two setup wizards?

Back 23

Quick Setup Wizard - inWatchGuard System Manager, select Tools > Quick Setup Wizard

Web Setup Wizard - To start theWeb Setup Wizard, in a web browser, type https://10.0.1.1:8080

Front 24

What are the differences between the two setup wizards?

Back 24

The Web Setup Wizard can activate the device and download the require feature key if the external interface has access to the internet

The Quick Setup Wizard has an option to install software on a device started in recovery mode.

Front 25

When a device uses the factory default settings what two interfaces are active?

Back 25

- Interface 0 (Eth0)

- Interface 1 (Eth1)

Front 26

What is Interface 0 (Eth0)?

Back 26

Interface 0 is configured as an External interface, and is configured to use DHCP to request an IP address. If youuse the Web Setup Wizard to configure a device, we recommend that you connect Interface 0 to a network thathas a DHCP server and Internet access, so the Firebox can connect to WatchGuard to download the Fireboxfeature key.

Front 27

What is Interface 1 (Eth1)?

Back 27

Interface 1 is configured as a Trusted interface, with the IP address 10.0.1.1. It has a DHCP Server enabled, andis configured to assign IP addresses on the 10.0.1.0/24 subnet. You must connect your computer to interface 1or to a network connected to Interface 1 when you run the Web Setup Wizard or Quick Setup Wizard.

Front 28

What is a "Feature Key"?

Back 28

You receive the feature key when you activate your Firebox on the WatchGuard website. Eachfeature key is unique to the serial number of the Firebox. Thefeature key is required to enable all device functionality.

Front 29

What happens if the Firebox doesn't have a feature key?

Back 29

It only allows one connection to the internet.

Front 30

When you setup a Firebox using either of the setup wizards what 5 basic policies does it add?

Back 30

- Outgoing

- FTP Packet Filter

- Ping

- WatchGuard WebUI

- WatchGuard

Front 31

What is "Policy Manager"?

Back 31

Is the WSM tool you use to build the security rules your Firebox uses to protect your network. You usePolicy Manager to configure policies, set up VPNs, change Device Management user account passphrases, andconfigure logging and notification options.

Front 32

Can you install different versions of WSM?

Back 32

You can have more than one version of WSM installed on your computer. However, you can have onlyone version of the server components (Management Server, Log Server, Report Server, QuarantineServer, and WebBlocker Server) installed.

Front 33

What is required before you start the "Quick Setup Wizard"?

Back 33

- An account on the WatchGuard website

- The IP address of the gateway router this device will connect to

- A feature key

- An IP address to give to the external and trusted interfaces of the device

Front 34

Is the "Policy Manager" a online tool?

Back 34

No its offline

Front 35

What is the "OS Compatibility Version"?

Back 35

Policy Manager can manage devices that use different versions of Fireware XTM OS. Each device configuration has anOS Compatibility setting that controls which configuration options are available for some features.

Front 36

What happens to the feature key when you save a Firebox config to a local file?

Back 36

The feature key is stored as a separate file, in the samedirectory as the configuration file.

Front 37

What are the two places you can save a config file on the Policy Manager?

Back 37

- To a local file

- To a Firebox or XTM device

Front 38

Does the policy manager let you save if a setting isn't compatible?

Back 38

If any setting is not compatible, PolicyManager displays a message and does not save the configuration to the device

Front 39

Using policy manager can you save a config file that created on one device for another device?

Back 39

To do this, you must remove the existing feature key from the configuration, and add the feature key for the new device.When you add the new feature key, Policy Manager automatically updates the model number in the configuration file.Before you can save the configuration to a different device, you may also need to change other settings to make theconfiguration compatible with the new device. For example, you might need to change the OS Compatibility setting, ormodify the Network settings, if the new device has a different number of network interfaces

Front 40

What are the 3 default user accounts?

Back 40

- admin

- status

- wgsupport

Front 41

What role does the "admin" account have?

Back 41

Device Administrator (read-write permissions)

Front 42

What is the default password for the "admin" account?

Back 42

Readwrite

Front 43

What role does the "status" account have?

Back 43

Device Monitor (read-only permissions)

Front 44

What is the default password for the "status" account?

Back 44

Readonly

Front 45

What is the default role for the "wgsupport" account?

Back 45

Disabled

Front 46

Can more than one "Device Administrator" accounts connect to a device at one time?

Back 46

No

Front 47

Can more than one "Device Monitor" accounts connect to a device at one time?

Back 47

Yes

Front 48

What authentication servers can you use for user account on your device?

Back 48

- Firebox-DB

- Active Directory

- LDAP

- RADIUS

Front 49

What authentication server is used by default for user accounts?

Back 49

Firebox-DB

Front 50

Is the "WebUI" a online configuration tool?

Back 50

Yes

Front 51

Is the "CLI" and online configuration tool?

Back 51

Yes

Front 52

Which packet filter policy controls administrative connections to the device?

Back 52

WG-Firebox-Mgmt

The Quick SetupWizard adds this policy with the name WatchGuard. This policy controls access to the device on TCP ports 4105, 4117,and 4118. When you allow connections in the WatchGuard policy, you also allow connections to each of these ports.

Front 53

What does the device backup include?

Back 53

Is a saved copy of the working image from the device flash disk. The backupimage includes the Firebox or XTM device OS, configuration file, feature keys, passphrases, DHCP leases, andcertificates. The backup image also includes any event notification settings that you configured in Traffic Monitor

Front 54

Can you encrypt device backups?

Back 54

Yes

Front 55

What is the backup file extension?

Back 55

.fxi

Front 56

What is the only way to downgrade a device with factory resetting it?

Back 56

Restoring a saved backup image which was taken before the upgrade.

Front 57

What are the 4 types of network interfaces?

Back 57

- External

- Trusted

- Optional

- Custom

Front 58

What is an "External Interface"?

Back 58

An external interface connects to a wide area network (WAN), such as the Internet, and can have either astatic or dynamic IP address. The device gets a dynamic IP address for the external interface from either aDHCP (Dynamic Host Configuration Protocol) server or PPPoE (Point-to-Point Protocol over Ethernet) server.

Front 59

What is a "Trusted Interface"?

Back 59

A trusted interface connects the private local area network (LAN) or internal network that you want to secure.User workstations and private servers which cannot be accessed from outside the network are usually found intrusted networks.

Front 60

What is an "Optional Interface"?

Back 60

Optional interfaces connect to your optional networks, which are mixed trust or DMZ environments separatedfrom your trusted networks.

Front 61

What is the difference between "Optional Interfaces" and "Trusted Interfaces"?

Back 61

The only difference is that optionalinterfaces are members of the alias Any-Optional.

Front 62

What is a "Custom Interface"?

Back 62

A custom interface defines a custom internal security zone that has a level of trust different from trusted oroptional. A custom interface is not a member of the built-in aliases Any-Trusted, Any-Optional, or Any-External,so traffic for a custom interface is not allowed through the Firebox unless you specifically configure policies toallow it.

Front 63

Which aliases is the "Custom Interface" not a member of?

Back 63

- Any-Trusted

- Any-Optional

- Any-External

Front 64

Which aliases is the "Custom Interface" a member of?

Back 64

The alias "All"

Front 65

What is the built in alias for "External Interfaces"?

Back 65

Any-External

Front 66

What is the built in alias for "Trusted Interfaces"?

Back 66

Any-Trusted

Front 67

What is the built in alias for "Optional Interfaces"?

Back 67

Any-Optional

Front 68

What is a member of the "Any" alias?

Back 68

- Users

- Groups

- Interfaces

- Addresses

- Tunnels

- Custom Interfaces

Front 69

On which interfaces can you configure to dish out DHCP?

Back 69

- Trusted Interfaces

- Optional Interfaces

Front 70

What are the 3 WatchGuard network modes?

Back 70

- Mixed Routing

- Drop-In

- Bridge Mode

Front 71

What is the "Drop-In Mode"?

Back 71

- All of the Firebox interfaces are on the same network and have the same IP address.

- The computers on the trusted or optional interfaces can have a public IP address.

- NAT is not necessary.

Front 72

What is "Bridge Mode"?

Back 72

- All of the Firebox interfaces are on the same network. You specify anIP address to use to manage the device.

- Traffic from all trusted or optional interfaces is examined and sent tothe external interface. Interface IP addresses cannot be configured.

NAT is not used in Bridge mode. Traffic sent or received through thedevice appears to come from its original source.

Front 73

What is "DynamicDNS"?

Back 73

Dynamic DNS to make sure that the IP address associated with your domain name changes when yourISP gives your Firebox a new IP address.

DynDNS is the only dynamic DNS service supported by your Firebox

Front 74

What is a "Secondary Network"?

Back 74

A secondary network is a network that shares one of the same physical networks as one of the Firebox interfaces.When you add a secondary network, you add a second IP alias to the interface. This IP alias is the default gateway forall the computers on the secondary network

Front 75

What mode can "Secondary Networks" only be used in?

Back 75

- Mixed Routing

- Drop-In

Front 76

In what instances are "Secondary Networks" useful?

Back 76

- Network Consolidation

- Network Migration

- Static NAT to Multiple Servers

Front 77

What is a "Network Bridge"?

Back 77

Used to merge two or more physical network interfaces on your Firebox.

Front 78

What are "Static Routes"?

Back 78

You can add static routes to control how your Firebox sends traffic to other devices. For example, you can create astatic route to specify that all traffic that goes to a server at another company is sent through a specific externalinterface.

Front 79

What are the two "Route" types on a Firewall?

Back 79

Static Routes — A manually configured route to a specific network or host.

Dynamic Routes — A route automatically learned and updated by a router, based on communication withadjacent network routers.

Front 80

What does the "Routing Table" include?

Back 80

- Routes to networks for all enabled Firebox interfaces and BOVPN virtual interfaces

- Static network routes or host routes you add to your configuration

- Routes the Firebox learns from dynamic routing processes that are enabled on the device

The default route, which is used when a more specific route to a destination is not defined. This is the gateway IPaddress you specify for your external interface

Front 81

What are "Metrics" in regards to routing?

Back 81

A metric is a numeric value used for priority. If there are more than one route to the same destination then the one with the highest priority will go first.

Front 82

What are "VLANs"?

Back 82

Are an advanced network feature that allow you to groupdevices by traffic patterns instead of by physical network access. You can use VLANs to connect devices ondifferent networks so that they appear to be part of the same network.

Front 83

What is "Link Aggregation"?

Back 83

Link Aggregation is an advanced network feature that allows you to group physicalinterfaces together to work together as a single logical interface. You can use a link aggregation interface toincrease the cumulative throughput beyond the capacity of a single physical interface, and to provide redundancyif there is a physical link failure.

Front 84

What is "Multi-WAN"?

Back 84

The multi-WAN feature allows you to send network traffic to multiple external interfaces. This is useful when you want to have a backup Internet connection, or if you want to divide your outgoing network traffic between multiple physical interfaces.

Front 85

Can you use "Multi-WAN" for inbound network traffic?

Back 85

No

Front 86

What modes can you use "Multi-WAN" in?

Back 86

Mixed Routing Mode

Front 87

What is "FireCluster"?

Back 87

If you have two Firebox devices of the same model, you can configure the two devices as a FireCluster for high availability and load sharing.

Front 88

Which modes can you use IPv6 in?

Back 88

Mixed Routing Mode

Front 89

What are the recommended ranges for Trusted and Optional Interfaces?

Back 89

- 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)

- 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)

- 192.168.0.0 -192.168.255.255 (192.168.0.0/16)

Front 90

What is a "Slash Notation"?

Back 90

Slash notation, also known as CIDR (Classless Inter-Domain Routing) notation, is a shorter way to write an IPv4 address and its subnet mask together.

e.g. instead of 255.255.255.0 would be /24

Front 91

What do you need to configure to setup the "Log Server"?

Back 91

Log Server Encryption Key

Front 92

Can you send log messages to more than one device at a time?

Back 92

Yes - but not with versions older than v11.10

Front 93

What mode does the "Log Server" operate in?

Back 93

Failover Mode - not redundancy mode so backup log server only becomes available when the primary server goes offline.

Front 94

What are the 5 types of log messages?

Back 94

- Traffic Log Messages

- Alarm Log Messages

- Event Log Messages

- Debug Log Messages

- Statistic Log Messages

Front 95

What are "Traffic Log Messages"?

Back 95

The Firebox sends traffic log messages as it applies packet filter and proxy policy rules to traffic that goesthrough the device.

Front 96

What are "Alarm Log Messages"?

Back 96

Alarm log messages are sent when an event occurs that causes the Firebox to send a notification request.

Front 97

What are "Event Log Messages"?

Back 97

The Firebox sends an event log message because of user activity.

Front 98

What are "Debug Log Messages"?

Back 98

Debug log messages include information used to help troubleshoot problems. You can select the level of debuglog messages to see in Traffic Monitor or write to a log file.

Front 99

What are "Statistic Log Messages"?

Back 99

Statistic log messages include information about the performance of your Firebox. By default, the Firebox sendslog messages about external interface performance and VPN bandwidth statistics to your log file. You can usethese log messages to help you determine how to change your Firebox settings to improve performance.

Front 100

What is the "WSM Log Server" messages stored in?

Back 100

A PostgreSQL database file.

Front 101

What are the "Dimensions Log Server" messages stored in?

Back 101

A PostgreSQL database file.

Front 102

True or False? For both log servers can you use an external database.

Back 102

True - as long as its PostgreSQL

Front 103

If you install the "WSM Log Server" on a dedicated machine what Firewall ports will you need to open up?

Back 103

Configure a WG-Logging policy to open these ports:

TCP 4115 — Used by devices with Fireware XTM OS

TCP 4107 — Used by devices with WFS OS, and by all SOHO, SOHO 6, and older Edge devices

Front 104

Can you change the "Log Server Encryption Key"?

Back 104

Yes

Front 105

What is the default location for the WatchGuard log files?

Back 105

Documents and Settings\WatchGuard\logs

Front 106

What can you install the "WatchGuard Dimensions" package on?

Back 106

Hyper-V or VMware

Front 107

What dashboard components are included with the "Firebox System Manager"?

Back 107

Front Panel

Traffic Monitor

Bandwidth Meter

Service Watch

Status Report

Authentication List

Blocked Sites

Subscription Services

Gateway Wireless Controller

Front 108

What dashboard components are included with the "Fireware XTM Web UI"?

Back 108

- Front Panel

- Traffic Monitor

- Authentication List

- Blocked Sites

- Subscription Services

- Gateway Wireless Controller

Front 109

In the dashboard what is the "Front Panel"?

Back 109

Displays the status of device interfaces, along with information aboutactive VPN tunnels and Subscription Services.

Front 110

In the dashboard what is the "Traffic Monitor"?

Back 110

Displays a color-coded list of the log messages from the device.

Front 111

In the dashboard what is the "Bandwidth Meter"?

Back 111

Provides a real-time graphical display of network activities across adevice. If you change the view from connections to bandwidth, FireboxSystem Manager remembers the setting the next time you start theapplication.

Front 112

In the dashboard what is the "Service Watch"?

Back 112

Shows a graph of the policies configured on a Firebox. The Y-axis(vertical) shows the number of connections or bandwidth used per policy.The X-axis (horizontal) shows the time. To get more information about apolicy at a point in time, click a location on the chart.

Front 113

In the dashboard what is the "Status Report"?

Back 113

Shows the technical details of the device.

Front 114

In the dashboard what is the "Authentication List"?

Back 114

Identifies the IP addresses and user names of all the users that areauthenticated to the device. Includes a Summary section with thenumber of users authenticated for each authentication type, and the totalnumber of authenticated users.

Front 115

In the dashboard what is the "Blocked Sites"?

Back 115

Lists all the sites currently blocked by the device. From this tab, you canremove a site from the temporary blocked sites list.

Front 116

In the dashboard what is the "Subscription Services"?

Back 116

Shows the status of Gateway AntiVirus, Intrusion Prevention Service,Application Control, spamBlocker, and Reputation Enabled Defense.From here, you can also perform a manual update of the signaturedatabases used by Gateway AV, IPS, and Application Control. In FSM,this tab is active only if you have purchased these services.

Front 117

In the dashboard what is the "Gateway Wireless Controller"?

Back 117

Shows the connection status and activity on your WatchGuard AP devices.

You can also monitor and manage the client connections to your WatchGuard AP devices.

Front 118

What diagnostics can you run from the "Firebox System Manager"?

Back 118

- Ping

- DNS Lookup

- TCP Dump

- Traceroute

- Download Packet Capture (PCAP) Files

Front 119

True or false? You can save a PCAP file and open it later in Traffic Monitor.

Back 119

False

Front 120

True or false? You can add a site to the Blocked Sites list from HostWatch.

Back 120

True

Front 121

What version is required to Static NAT for traffic from the optional network?

Back 121

Fireware v11.8.1

Front 122

What is Dynamic NAT used for?

Back 122

Dynamic NAT is used for traffic that goes out to the Internet from behind the Firebox.

Front 123

What is Static NAT used for?

Back 123

Static NAT is used for traffic that comes in to your network from the Internet, or for traffic from the optionalnetwork to the trusted network.

Front 124

What is 1-to-1 NAT used for?

Back 124

1-to-1 NAT is used for traffic in both directions.

Front 125

What is Dynamic NAT also known as?

Back 125

Masquerading

Front 126

What is Dynamic NAT?

Back 126

Firebox changes the source IP address of each outgoing connection to match theIP address of the device interface that the connection goes out through. For traffic that goes to an external network,packets go out through the device external interface, so dynamic NAT changes the source IP address to the deviceexternal interface IP address

Front 127

What is 1-to-1 NAT?

Back 127

Firebox changes and routes all incoming and outgoing packets sent from one range ofaddresses to a different range of addresses

Front 128

What does a 1-to-1 NAT rule always have precedence over?

Back 128

Dynamic NAT

Front 129

What can you specify in a 1-to-1 NAT rule?

Back 129

Interface

Real Base (means the actual internal IP)

NAT Base (means the external IP with will be NAT from)

Number of hosts to NAT (for ranges only)

Front 130

What is Policy Based Dynamic NAT?

Back 130

With policy-based dynamic NAT, you can make an exception to the global NAT rules

Front 131

Do policies have dynamic NAT enabled by default?

Back 131

Yes

Front 132

What is policy based 1-to-1 NAT?

Back 132

With this type of NAT, the Firebox uses the private and public IP address ranges that you set when you configuredGlobal 1-to-1 NAT, but you can enable or disable the rules for each individual policy

Front 133

Do policies have 1-to-1 NAT enabled by default?

Back 133

Yes

Front 134

What is Static NAT?

Back 134

Static NAT, also known as port forwarding, allows inbound connections on specific ports to one or more public serversfrom a single external IP address. The Firebox changes the destination IP address of the packets and forwards thembased on the original destination port number

Front 135

By default does a static NAT rule change the source IP for inbound traffic?

Back 135

No

Front 136

What is Server Load Balancing?

Back 136

A server load balancing SNAT action forwards inbound traffic addressed to one IP address to one of severalservers behind the firewall. In the SNAT action you select the load balancing algorithm to use and you canoptionally assign different weights to each server.

Front 137

What is a NAT Loopback?

Back 137

NAT loopback allows a user on the Trusted or Optional networks to use the public IP address or domain name to getaccess to a public server that is on the same physical device interface.

Front 138

What do you need to create for a NAT Loopback to work?

Back 138

Create a policy inyour configuration to allow the traffic. The From section of the policy must list the Trusted or Optional networks fromwhich access is allowed. The To section of the policy must contain a static NAT entry for each server to allow accesswith NAT loopback.

Front 139

What is static NAT also known as?

Back 139

Port Forwarding

Front 140

What are the two types of Intrusion Prevention Service (IPS)?

Back 140

Firewall Based IPS

Signature Based IPS

Front 141

What is Firewall Based IPS

Back 141

The Firebox combines protocol anomaly detection with traffic analysis toproactively block many common attacks.

A firewall-based IPS can also protect your network from a zero-day threat

Front 142

What is Protocol Anomaly Detection in regards to Firewall Based IPS

Back 142

Protocol anomaly detection is the examination of a packet forcompliance with RFC guidelines. Attackers can make packets that are different from RFC standards in waysthat allow them to bypass standard packet filters and get access to your network. If you block non-compliantpackets, you can also block the attack. This allows your Firebox to proactively protect you against attacks thatare as yet unknown.

Front 143

What is Traffic Pattern Analysis in regards to Firewall Based IPS

Back 143

Traffic pattern analysis examines a series of packets over time and matches them against known patterns ofattack

Front 144

What is Signature Based IPS

Back 144

It compares the contents ofpackets against a database of character strings that are known to appear in attacks. Each unique characterstring is called a signature. When there is a match, the Firebox can block the traffic and notify the networkadministrator. To remain protected, you must regularly update the signature database.

Front 145

What uses less processing power, Firewall Based IPS or Signature Based IPS

Back 145

Signature-based approaches use less computer processing time than firewall-based IPS options, however, tokeep them current the database must be updated regularly. As a result, signature-based IPS is good formaintaining efficient, high performance protection while firewall-based IPS catches the zero-day threats.

Front 146

What is best to catch zero day threats, Firewall Based IPS or Signature Based IPS

Back 146

Firewall Based IPS

Front 147

What is Default Packet Handling

Back 147

Is a set of pattern analysis rules to help protect your Firebox from attacks, and to show theFirebox how to process packets when no other rules are specified. With default packet handling, a firewall examines thesource and destination of each packet it receives. The firewall looks at the IP address and port number and monitors thepackets for patterns that show your network is at risk. If there is a risk and the device is properly configured, itautomatically blocks the possible attack.

Front 148

What happens when Default Packet Handling rejects a packet

Back 148

Rejects packets that could be used to get information about your network

Automatically blocks all traffic to and from a source IP address when a configured limit is reached

Adds an event to the log file

Sends an SNMP trap to the SNMP management server (when configured)

Sends a notification of possible security risks (when configured)

Front 149

What are Unhandled Packets

Back 149

Packets that are denied by the firewall because they do not match any of the firewall policies are blocked as unhandledpackets.

Front 150

Are the sources of Unhandled Packets blocked by default

Back 150

No

Front 151

What is the "Blocked Sites" feature

Back 151

Helps stop network traffic from systems that you know or think are a security risk. After youidentify the source of suspicious traffic, you can block all the connections to and from that IP address.

Front 152

Will the Blocked Sites feature allow an IP to connect if there is a policy allowing it.

Back 152

No

Front 153

What are the two types of blocked IP addresses in relation to "Blocked Sites"

Back 153

Permanent Blocked Sites

Auto-Blocked Sites

Front 154

What are Permanent Blocked Sites in relation to "Blocked Sites"

Back 154

These are IP addresses that you manually add to your device configuration filebecause you want all connections to and from the IP address blocked

Front 155

What are Auto-Blocked Sites in relation to "Blocked Sites"

Back 155

These are IP addresses that the device adds to, and removes from, a list of sites that aretemporarily blocked based on the packet handling rules specified in your device configuration. These IPaddresses are blocked for a period of time you select. This feature is known as the Temporary Blocked Sites list.

Front 156

Which ports are automatically blocked by default.

Back 156

0 - NONE

1 - TCPmux

111 - RPC

513,514 - rlogin, rsh, rcp

2049 - NFS

6000-6005 - X Window System

7100 - X Font Server

8000

Front 157

What is the Blocked Sites Exceptions list

Back 157

An exception is an entry for which all other rules do not apply. For blocked sites, an exception is an IP address ornetwork address that is never blocked. The automatic rules do not apply for this host. The rule also takes precedenceover the manually blocked sites list.

Front 158

True or false? An unhandled packet is a packet that does not match any rule created in Policy Manager.

Back 158

True

Front 159

What are the two types of Policies

Back 159

Packet Filter Policy

Proxy Policy

Front 160

What is a Packet Filter Policy

Back 160

A packet filter examines the IP header of each packet to control the network traffic into and out of your network.It is the most basic feature of a firewall. If the IP header information is valid, then the Firebox allows the packet. Ifthe packet header information is not valid, the device drops the packet.

Front 161

What is a Proxy Policy

Back 161

A proxy monitors and scans the entire connection, from the protocol commands to the data inside the packet. Itexamines the commands used in the connection to make sure they are in the correct syntax and order. It alsoexamines the contents of each packet to make sure that connections are secure. A proxy operates at theapplication layer, as well as the network and transport layers of aTCP/IP packet, while a packet filter operates only at the network and transport protocol layers.

Front 162

True of False - Proxy policy can prevent potential threats fromreaching your network without blocking the entire connection

Back 162

True

Front 163

What can be in the source and destination of a policy

Back 163

IP Address

IP Host Range

Host Name

Network Address

User Group

Alias

VPN Tunnel

FQDN

Front 164

What are the 5 default aliases

Back 164

Any

Firebox

Any-Trusted

Any-External

Any-Optional

Front 165

In the Advanced Policy Properties what is the "Proxy Action"

Back 165

Each time you add a proxy policy to Policy Manager, you select a set of rules used to protect either clients or servers on your network. You can use the default proxy action settings, or you can modify them to meet the needs of your organization.

Front 166

In the Advanced Policy Properties what is the "Schedule"

Back 166

You can set policies to only be active at the times of the day that you specify. You can also create scheduletemplates so that you can use the same schedule for more than one policy.

Front 167

In the Advanced Policy Properties what is the "Traffic Management"

Back 167

A Traffic Management action can guarantee that a particular policy always has a certain amount of bandwidththrough the Firebox, or it can limit the amount of bandwidth that the policy can use.

Front 168

In the Advanced Policy Properties what is the "Quality of Service (QoS) Marking"

Back 168

QoS marking allows you to mark network traffic with bits that identify it to other devices that understand QoS.The Firebox and other QoS-capable devices can assign higher or lower priorities to each type of traffic with QoSmarking.

Front 169

In the Advanced Policy Properties what is the "Network Address Translation (NAT)"

Back 169

You can enable or selectively disable 1-to-1 and dynamic NAT in any policy. You can also configure incomingNAT properties to allow Internet connections to privately addressed servers protected by the Firebox.

Front 170

In the Advanced Policy Properties what is the "ICMP Error Handling"

Back 170

You can customize the method the Firebox uses to handle ICMP errors for each policy.

Front 171

In the Advanced Policy Properties what is the "Custom Idle Timeout"

Back 171

Use this feature to set the amount of time the Firebox waits before it drops a connection.

Front 172

In the Advanced Policy Properties what is the "Sticky Connections"

Back 172

A sticky connection is a connection that continues to use the same interface for a defined period of time whenyour Firebox is configured with multiple WAN interfaces. Stickiness makes sure that, if a packet goes outthrough one external interface, any future packets between the source and destination address pair use the sameexternal interface for a specified period of time.

Front 173

In the Advanced Policy Properties what is the "Policy-based Routing"

Back 173

If your Firebox is configured with multi-WAN, you can configure a policy with a specific external interface to usefor all outbound traffic that matches that policy.

Front 174

In the Advanced Policy Properties what is the "Bandwidth and Time Quotas"

Back 174

You can enable time and bandwidth usage quotas in a policy. This feature is useful for applying a daily limit toyour user's Internet usage in an HTTP Proxy Policy to enforce corporate acceptable use policies.

Front 175

What is the "Outgoing Policy"

Back 175

The default Outgoing policy is a packet filter policy that is automatically added to your Firebox configuration when yourun the Quick Setup Wizard to set up your device and create a basic device configuration file. The Outgoing policyallows all TCP and UDP connections from any trusted or optional source on your network to any external network.

Front 176

Does the "Outgoing Policy" filter content when it examines traffic.

Back 176

No as its a packet filter policy not a proxy policy

Front 177

What is the "Policy Precedence".

Back 177

Precedence refers to the order in which the Firebox examines network traffic and applies a policy rule. The Firebox sortspolicies automatically.

Front 178

What is a "Policy Tag".

Back 178

A policy tag is a label you can apply to your policies to help you organize them into easy to manage groups. You canapply more than one policy tag to a policy and apply any policy tag to many policies.

Front 179

Can you disable the Auto-Order mode feature for policy precendence

Back 179

Yes

Front 180

True or false? You can use the same operating schedule for multiple policies.

Back 180

True

Front 181

True or false? You cannot use SNMP for policy event notifications.

Back 181

False

Front 182

True or false? Policies are ordered primarily by name.

Back 182

False

Front 183

True or false? You can only apply a policy tag to a single policy.

Back 183

False

Front 184

True or false? You cannot save a filter to apply it again later.

Back 184

False

Front 185

True or false? If you select Match All when you apply a filter, all policies that have any of the policy tags youinclude in the filter will appear in the filtered policy list.

Back 185

False. If you select Match All, only policies that have all of the policy tags you specify in the filter will appear inthe filtered policy list.

Front 186

What are "ALGs".

Back 186

Application Layer Gateways (ALGs) are very similar to proxy policies, but also contain features thatallow the Firebox to automatically manage some of the network connections necessary for Voice-over-IP (VoIP)sessions to operate correctly.

Front 187

What are the 9 proxy policies that you can use?

Back 187

DNS

FTP

H.232

HTTP

HTTPS

POP3

SIP

SMTP

TCP-UDP

Front 188

Does the DNS proxy work if DNS requests are not routed through the Firebox

Back 188

No, if your network clients use a static IP address to connect directly to a DNS server on yournetwork, the DNS proxy settings have no effect

Front 189

What are "OpCodes" in relation to the DNS Proxy

Back 189

OPcodes (operational codes) are commands sent to a DNS server, such as query, update, or status requests.

Front 190

True or false? An Application Layer Gateway (ALG) is the same as a packet filter policy.

Back 190

False - An ALG is similar to a proxy policy and also manages some network connections used by that protocol.

Front 191

What are the two default SMTP-proxy policy actions

Back 191

SMTP-Incoming.Standard

SMTP-Outgoing.Standard

Front 192

What are the two default POP3-proxy policy actions

Back 192

POP3-Server.Standard

POP3.Client.Standard

Front 193

Does spamBlocked search contents of emails or patterns in spam traffic

Back 193

spamBlocker looks for patterns in spam traffic, instead of the contents ofindividual email messages. Because it uses a combination of rules, pattern matching, and sender reputation, it can findspam in any language, format, or encoding method.

Front 194

What actions can you configure the spamBlocker to take

Back 194

Deny

Add Subject Line (marks email as spam or not spam then allows through)

Allow

Drop (Unlike deny this drops immediately without sending any SMTP error to sending server)

Quarantine

Front 195

Does spamBlocker require a DNS server to work

Back 195

Yes so the Firebox can resolve the IP Addresses of the CYREN servers.

Front 196

What are the 3 spamBlocker categories

Back 196

Confirmed Spam

Bulk

Suspect

Front 197

Can spamBlocker detect spam in outgoing SMTP email

Back 197

No

Front 198

What is Virus Outbreak Detection

Back 198

Virus Outbreak Detection (VOD) is a technology that identifies email virus outbreaks worldwide within minutesand then provides protection against those viruses

Front 199

What needs to be enabled to allow alarms when a virus is detected by spamBlocker

Back 199

Virus Outbreak Detection

Front 200

Which proxies work with spamBlocker

Back 200

POP3

SMTP

Front 201

What is the "Web Blocker" in relation to HTTP Client/Server optional services.

Back 201

Controls the websites trusted users are allowed to browse to at different times of the day. WebBlocker is onlyavailable for the HTTP-Client proxy action.

Front 202

What is the "Gateway AntiVirus (Gateway AV)" in relation to HTTP Client/Server optional services.

Back 202

Scans HTTP traffic and can stop viruses before they connect to the client computers and HTTP servers on yournetwork.

Front 203

What is the "Reputation Enabled Defense (RED)" in relation to HTTP Client/Server optional services.

Back 203

Sends requested URLs to a cloud-based WatchGuard reputation server, that returns a reputation score. TheHTTP-proxy uses the reputation score to determine whether to drop the traffic, allow the traffic and scan itlocally, or allow the traffic without a local scan.

Front 204

What is the "APT (Advanced Persistent Threat)" in relation to HTTP Client/Server optional services.

Back 204

Scans HTTP traffic and blocks APT (Advanced Persistent Threat) malware that takes advantage of zero-dayexploits to gain access to your network. Files are sent to a cloud-based service and examined with full systememulation analysis to identify the characteristics and behavior of advanced malware.

Front 205

True or False. The HTTP-Client and HTTP-Server proxy actions have the same sets of rules, but the default settings are different.

Back 205

True

Front 206

What quotas can you set on HTTP and HTTPS policies.

Back 206

Time — The time quota is set in minutes per day.

Bandwidth — The bandwidth quota is set in MB per day.

Front 207

What are the two WebBlocker database options

Back 207

Websense cloud with Websense categories (130 categories)

WebBlocker Server with SurfControl categories (54 categories)

Front 208

What must you do in order to use WebBlocker

Back 208

Install and set up the WebBlocker Server (only if you want to use the SurfControl categories)

Activate a WebBlocker license

Configure an HTTP-proxy policy to use WebBlocker

Front 209

True or False? The websites you block with WebBlocker exceptions apply only to HTTP traffic (not HTTPS)

Back 209

True

Front 210

How do you do a WebBlocker local override?

Back 210

User must know the override password?

Front 211

You can use the WebBlocker local override with HTTP and HTTP proxy policies. True or False

Back 211

False only HTTP-proxy

Front 212

True or False. You can use schedules with WebBlocker

Back 212

True

Front 213

True or False. To use "WebBlocker Server with SurfControl" and "WebBlocker with Websense" you need a local WebBlocker server

Back 213

False only with WebBlocker Server with SurfControl

Front 214

How does Reputation Enabled Defense (RED) work?

Back 214

WatchGuard RED uses cloud-based WatchGuard reputation servers that assign a reputation score between 1 and 100to every URL. When a user goes to a website, RED sends the requested web address (or URL) to the WatchGuardreputation server. The WatchGuard server responds with a reputation score for that URL. Based on the reputationscore, and on locally configured thresholds, RED determines whether the Firebox should drop the traffic, allow thetraffic and scan it locally with Gateway AV, or allow the traffic without a local Gateway AV scan. This increasesperformance, because Gateway AV does not need to scan URLs with a known good or bad reputation.

Front 215

In Reputation Enabled Defense (RED) is a score of 100 good or bad

Back 215

100 - Bad

1 - Good

Front 216

In Reputation Enabled Defense (RED) what are the 2 reputation thresholds

Back 216

Bad Repudiation Threshold - 90

Good Reputation Threshold - 10

Front 217

In Reputation Enabled Defense (RED) what happens if you score under the "Good Reputation Threshold"

Back 217

If the score for a URL is lower than the Good reputation threshold and GatewayAntiVirus is enabled, the HTTP proxy bypasses the Gateway AV scan.

Front 218

In Reputation Enabled Defense (RED) what happens if you score under the "Bad Reputation Threshold"

Back 218

If the score for a URL is higher than the Bad reputation threshold, the HTTP proxydenies access without any further inspection.

Front 219

In Reputation Enabled Defense (RED) what happens if you score between the Good and Bad Reputation Thresholds

Back 219

If the score for a URL is equal to or between the configured reputation thresholds and if you have enabled Gateway AV,the content is scanned for viruses.

Front 220

In Reputation Enabled Defense (RED) what happens if your response comes back late?

Back 220

If the response comes back late, it is possible you will see the reputation score assigned as -1 in theTraffic Monitor.

Front 221

True or false? WebBlocker adds URL filtering to the SMTP-proxy policy.

Back 221

False

Front 222

True or false? An exception to the WebBlocker rules allows a site that is normally blocked to be viewed, or a sitethat is normally viewed to be blocked.

Back 222

True

Front 223

True or false? You can allow a user to bypass the WebBlocker restrictions.

Back 223

True

Front 224

True or false? A user does not have be authenticated to the Firebox to apply bandwidth and time quotas to theirweb traffic.

Back 224

False

Front 225

What does Intrusion Prevention Service protect against.

Back 225

Identifies direct attacks on your network applications or operating system.

Front 226

What does GatewayAV protect against.

Back 226

Identifies viruses and trojans brought into your network through email, web browsing, TCPconnections, or FTP downloads.

Front 227

What does APT Blocker protect against.

Back 227

Identifies advanced malware brought into your network through email, web browsing, or FTPtraffic.

Front 228

What are the GatewayAV actions.

Back 228

Allow

Allows the packet to go to the recipient, even if the content contains a virus.

Deny (FTP proxy only)

Denies the file and sends a deny message to the sender.

Lock (SMTP and POP3 proxies only)

Locks the attachment. A file that is locked cannot be opened by the user. Only the administrator can unlock thefile. The administrator can use a different antivirus tool to scan the file and examine the content of theattachment.

Quarantine (SMTP proxy only)

If you use the SMTP proxy, you can send email messages with a virus or possible virus to the QuarantineServer.

Remove (SMTP and POP3 proxies only)

Removes the attachment and allows the message and any other safe attachments to go to the recipient.

Drop (not supported in POP3 proxy)

Drops the packet and drops the connection. No information is sent to the source of the message.

Block (not supported in POP3 proxy)

Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.

Front 229

What proxies can you use APT Blocker with?

Back 229

SMTP

POP3

HTTP

FTP

Front 230

True or False? APT Blocker uses the same scan process as Gateway AntiVirus

Back 230

True

Front 231

True or False? To use APT Blocker you must enable GatewayAV

Back 231

True

Front 232

What are the APT Threat Levels

Back 232

High

Medium

Low

Front 233

What are the APT Blocker Actions

Back 233

Allow

Allows and delivers the file or email attachment to the recipient, even if the content contains detected malware.

Drop

Drops the connection. No information is sent to the source of the message. For the SMTP-proxy, the attachmentis stripped before the message is delivered to the recipient.

Block

Blocks the connection, and adds the IP address of the sender to the Blocked Sites list. For the SMTP-proxy, theattachment is stripped before the message is delivered to the recipient.

Quarantine (SMTP proxy only)

When you use the SMTP-proxy with APT Blocker, you can send email messages to the Quarantine Server. TheSMTP-proxy removes the part of the message that triggered APT Blocker and sends the modified message tothe recipient. The removed part of the message is replaced with the deny message that is configured in the proxyaction settings.

For the HTTP-proxy and FTP-proxy, this action is converted to a Drop action.

Front 234

True or False? Data Loss Prevention only scans outbound traffic not inbound

Back 234

True

Front 235

What proxy actions does Data Loss Prevention work with?

Back 235

SMTP

FTP

HTTP

Front 236

True or False? For DLP to scan HTTPS content, you must enable deep inspection of content in the HTTPS proxy action, and configurethe HTTPS proxy action to use an HTTP proxy action with Data Loss Prevention configured.

Back 236

True

Front 237

What is a Data Loss Prevention Sensor?

Back 237

DLP sensor, you enable one or more of the predefined contentcontrol rules, and configure the action to take if data is detected that matches the selected rules. You can configuredifferent actions for email and non-email traffic, and different actions based on the source or destination of the traffic. Inthe DLP sensor you also configure the scan limit, and the action to take for objects that cannot be scanned.

Front 238

What are the 2 predefined Data Loss Prevention Sensors?

Back 238

HIPAA Audit Sensor

PCI Audit Sensor

Front 239

True or False? If you enable a largenumber of rules in a Data Loss Prevention sensor, the performance of the Firebox could be noticeably affected.

Back 239

True

Front 240

What are the Data Loss Prevention actions?

Back 240

Allow — Allows the connection or email

Deny — Denies the request and drops the connection. A notification is sent to the source of the content.

Drop — Denies the request and drops the connection. No information is sent to the source of the content.

Block — Denies the request, drops the connection, and adds the IP address of the content source or sender tothe Blocked Sites list.

Lock — (Email content only) Locks the email attachment. A file that is locked cannot be opened easily by theuser. Only the administrator can unlock the file.

Remove — (Email content only) Removes the attachment and allows the message to be sent to the recipient.

Quarantine — (Email content only) Send the email message to the Quarantine Server.

Front 241

True or False? DLP and Gateway AV don't use the same scan engine

Back 241

False - If you enable DLP and Gateway AV for the sameproxy action, the larger configured scan limit is used for both services.

Front 242

What are the Intrusion Prevention Service scan modes.

Back 242

Full Scan

IPS scans all packets for traffic handled by policies with IPS enabled. This mode is the most secure, but there isa trade-off with performance.

Fast Scan

IPS scans fewer packets to improve performance. This option greatly improves the throughput for scannedtraffic, but does not provide the comprehensive coverage of Full Scan mode. This is the default mode.

Front 243

What are the Intrusion Prevention Service threat levels

Back 243

Critical

High

Medium

Low

Information

Front 244

What are the Intrusion Prevention Service actions

Back 244

Allow

Allows the content, even if the it matches an IPS signature.

Drop

Drops the content and drops the connection. No information is sent to the sender.

Block

Blocks the packet, and adds the source IP address to the Blocked Sites list.

Front 245

What threat levels does Intrusion Prevention Service drop traffic by default

Back 245

Critical

High

Medium

Low

Front 246

True or False? When you enable IPS, it is enabled for all policies by default.

Back 246

True

Front 247

What must you do to get Intrusion Prevention Service to scan HTTPS content

Back 247

Enable deep packet inspection

Front 248

When is it unnecessary to use Application Control

Back 248

If you control both sides of the traffic flow

Policies that are restricted by a port and protocol that only allow a known service e.g. DNS, RDP

Front 249

True or false? Gateway AntiVirus can detect viruses in password-protected ZIP files.

Back 249

False

Front 250

True or false? The Intrusion Prevention Service is only compatible with the HTTP and TCP proxies. It cannotdetect possible intrusions in the SMTP, POP3, DNS, or FTP proxies.

Back 250

False

Front 251

True or false? If you want to report on the usage of applications that are not blocked, you must enable logging ofallowed packets in each policy that has Application Control enabled.

Back 251

True

Front 252

True or false? If Gateway AV and DLP are both enabled for the same policy, the Gateway AV scan result actiontakes precedence over the DLP action.

Back 252

True

Front 253

What authentication servers foes Fireware XTM support?

Back 253

Firebox-DB

Active Directory

LDAP (Lightweight Directory Access Protocol)

RADIUS

SecureID

VASCO

Front 254

What are the 5 types of log messages

Back 254

Traffic Log Messages

Alarm Log Messages

Event Log Messages

Debug Log Messages

Statistic Log Message

Front 255

True or false? WSM Log Manager automatically saves the search queries you run.

Back 255

False

You cannot save a search query to run it again later.

Front 256

True or false? When you run a search query from WSM Log Manager, it applies to all the devices that areconnected to your Log Server.

Back 256

False

You can only run a search query on one Firebox at a time.

Front 257

True or false? From WSM Log Manager, you can export log messages for more than one Firebox at the sametime.

Back 257

False

You can export the log messages for only one Firebox at a time.

Front 258

True or false? You can use WSM Report Manager to generate an On-Demand Report about more than oneFirebox at the same time.

Back 258

False

From WSM Report Manager, you can only generate an On-Demand report for one Firebox at a time.

Front 259

True or false? From WSM Log Manager, you can save a search query for a specific Firebox to run it again for onlythat Firebox.

Back 259

True

You can save a search query for a Firebox to run it again later for the same Firebox. You cannot save searchquery parameters to run the same search for a different Firebox.

Front 260

True or false? You can use WSM Report Manager to configure any report and send it in an email.

Back 260

False

You can run On-Demand and Per Client reports from WSM Report Manager and generate a PDF of each report,but WSM Report Manager cannot connect to your email program to open an email message and attach the PDFthe message.

Front 261

True or false? To connect to WatchGuard WebCenter, use the IP address of your Firebox.

Back 261

False

Use the IP address of your WSM Log Server or Report Server to connect to WatchGuard WebCenter over port4130.

Front 262

True or false? You can email a PDF of a report directly from WSM Report Manager.

Back 262

False

You can generate a PDF of a report from WSM Report Manager, but you must save it and attach it to an emailmessage in your own email editor.

Front 263

True or false? To configure your Firebox to send log messages to Dimension, in the Logging Settings for yourFirebox, you add the IP address and encryption key for the Dimension Log Server, just as you would for a WSMLog Server.

Back 263

True

The configuration settings to send log messages from your Firebox to a Dimension Log Server are the same asfor a WSM Log Server.

Front 264

True or false? After you install Dimension and configure your devices to send log messages to Dimension, youmust wait 24–48 hours before you can see any reports in Dimension.

Back 264

False

After you have installed Dimension and configured your devices to sent log messages to Dimension, you canview those log messages and see reports of the log message data, usually within five minutes.

Front 265

True or false? You can only run a search of log messages in Dimension from the Log Search page.

Back 265

False

You can run a search from both the Log Manager (simple search) and the Log Search (complex search) pages inDimension.

Front 266

True or false? You can export log messages from Dimension to a CSV file.

Back 266

True

You can export log messages for a single Firebox or a group of devices from Dimension to a CSV file.

Front 267

True or false? You can create groups of Firebox devices in Dimension.

Back 267

True

You can create groups of Firebox devices in Dimension that you can use to see log messages and reports formultiple devices at the same time.

Front 268

True or false? When you view reports for groups of devices, data for each Firebox is included in a separatereport.

Back 268

False

When you create a Device group in Dimension, data for all the devices in the group are included in one report.

Front 269

True or false? You can only export report data from Dimension to a PDF file or CSV file if you create a reportschedule.

Back 269

False

You can export reports from Dimension as a PDF or a CSV file when you view an automatically generated report.

Front 270

What is Branch Office VPN (BOVPN)

Back 270

An encrypted and authenticated connection between two networks, where data is sentthrough an untrusted network, such as the Internet. The BOVPN connection is also called a tunnel. The gateways,which are endpoints of the tunnel on both networks, send and receive VPN data.

Front 271

What are the benefits of Branch Office VPN (BOVPN)

Back 271

Privacy or confidentiality of the data — The VPN uses encryption to guarantee that traffic between the twoprivate networks is secret. An attacker who intercepts the traffic cannot understand it.

Data integrity — The VPN guarantees that the data that passes through it has not been changed after it wassent.

Data authentication — The VPN guarantees that data that passes through the tunnel actually comes from one ofthe two endpoints of the VPN, and not from some attacker on the Internet.

Direct private IP address to private IP address communication — The computers at the two officescommunicate as if they were not behind devices configured with Network Address Translation (NAT). The datatunnels through NAT for a transparent connection between the devices.

Front 272

What are the 3 Branch Office VPN types (BOVPN)

Back 272

Manual BOVPN gateway and associated tunnels

BOVPN virtual interface

Managed VPN tunnel

Front 273

What is the "Managed VPN tunnel" BOVPN type?

Back 273

A managed VPN tunnel is a BOVPN tunnel that you create between two centrally managed Firebox devices.From your WatchGuard Management Server, you can drag-and drop one managed device onto another manageddevice to quickly configure a VPN tunnel between the two devices, based on templates and VPN resourcesdefined on the Management Server. Managed VPN tunnels are not discussed in detail in this course, but use thesame security settings and protocols as a manual VPN tunnel.

Front 274

What is the "BOVPN virtual interface" BOVPN type?

Back 274

A BOVPN virtual interface is a manual BOVPN configuration option for a VPN between two Firebox devices thatuse Fireware v11.8 or higher. This type of VPN offers more flexibility in configuration, because the devicedecides whether to route a packet through the virtual interface tunnel based on the outgoing interface specifiedfor the packet. You can specify a BOVPN virtual interface as the destination for traffic in a policy. You can alsospecify a BOVPN virtual interface when you configure static routes, dynamic routing, and policy-based routing.You can select any internal or external interface as the gateway endpoint for a BOVPN virtual interface.

Front 275

What is the "Manual BOVPN gateway and associated tunnels" BOVPN type?

Back 275

You can manually create a BOVPN gateway and its associated tunnels. When you configure a manual BOVPNgateway, you can use a second Firebox as the other BOVPN gateway, or a third-party VPN device that supportsIPSec.

When you add a BOVPN gateway and tunnels to configure a BOVPN, you set both the source and destinationfor the traffic you want to send through the tunnel. The device routes a packet through the BOVPN tunnel if thesource and destination of the packet match a configured VPN tunnel route.

Front 276

Can you use the Management Server to configure a BOVPN virtual interface

Back 276

No

Front 277

When would you use a Manual BOVPN?

Back 277

For a VPN tunnel between a Firebox and a third-party device, youmust use a manual BOVPN.

Front 278

When would you use a "BOVPN Virtual Interface"?

Back 278

Use this type of VPN for a VPN tunnel between two Firebox devicesthat use Fireware XTM OS v11.8 or higher, if you want to separate therouting from the VPN security association.

Front 279

When would you use a "Managed BOVPN"?

Back 279

Managed BOVPN tunnels are useful if you want to create andmanage a large number of tunnels between Firebox devices managedby a WatchGuard Management Server.

Front 280

What encryption algorithms do Fireware BOVPNs support

Back 280

DES (Data Encryption Standard)

3DES (Triple-DES)

AES (Advanced Encryption Standard)

Front 281

What authentication algorithms do Fireware BOVPNs support

Back 281

SHA-2 (Secure Hash Algorithm 2)

SHA-2 is the most secure authentication algorithm supported, and it is the most computationally intensive.Fireware supports these types of SHA2:

SHA2-256 — Produces a 265-bit (32 byte) message digest

SHA2-384 — Produces a 384-bit (48 byte) message digest

SHA2-512 — Produces a 512-bit (64 byte) message digest

SHA-2 is not supported on XTM 21, 22, 23, 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050,and 2050 devices.

SHA-1 (Secure Hash Algorithm 1)

SHA1 produces a 160-bit (20 byte) message digest.

MD5 (Message Digest Algorithm 5)

MD5 produces a 128-bit (16 byte) message digest, which makes it faster than SHA1 or SHA2. This is the leastsecure algorithm.

Front 282

What are the two VPN phases?

Back 282

Phase 1 — The main purpose of Phase 1 is to set up a secure encrypted channel through which the two devicescan negotiate Phase 2. If Phase 1 fails, the devices cannot begin Phase 2.

Phase 2 — The purpose of Phase 2 negotiations is for the two VPN gateways to agree on a set of parametersthat define what traffic can go through the VPN tunnel, and how to encrypt and authenticate the traffic. Thisagreement is called a Security Association.

Front 283

What happens during a "Phase 1 VPN Negotiation"

Back 283

The devices exchange credentials

The devices identify each other

The VPN gateways decide whether to use Main Mode or Aggressive Mode for Phase 1 negotiations.

Main Mode ensures the identity of both VPN gateways, but can be used only if both devices have a static IPaddress.

Aggressive Mode is faster but less secure than Main Mode, because it requires fewer exchanges betweentwo VPN gateways. In Aggressive Mode, the exchange relies mainly on the ID types used in the exchangeby both VPN gateways. Aggressive Mode does not ensure the identity of the VPN gateway.

The VPN gateways agree on Phase 1 parameters.

The VPN gateways agree on Phase 1 Transform settings. The settings in the Phase 1 transform on each IPSecdevice must exactly match, or IKE negotiations fail.

Front 284

What happens during a "Phase 2 VPN Negotiation"

Back 284

The VPN gateways use the Phase 1 SA to secure Phase 2 negotiations.

The VPN gateways exchange Phase 2 identifiers (IDs).

The VPN gateways agree on whether to use Perfect Forward Secrecy (PFS).

The VPN gateways agree on a Phase 2 proposal.

Front 285

What are the common reasons a BOVPN would fail?

Back 285

Lack of connectivity between the external interfaces of both devices

Pre-shared key does not match

Mismatch in Phase1 or Phase 2 settings

For a manual BOVPN: incorrect IP addresses or subnet masks in the tunnel routes on either device

Front 286

What are the two types of VPN diagnostic messages?

Back 286

Errors — indicate the VPN failed because of a configuration or connection issue.

Warnings — indicate a that a VPN is down because of an abnormal condition, such as dead peer detection(DPD) failure.

Front 287

True or False? The VPN Diagnostic Report temporarily increases the log level.

Back 287

True

Front 288

What does IKE stand for (related to VPNs)?

Back 288

Internet Key Exchange

Front 289

True or false? If you configure a VPN as a BOVPN virtual interface, the VPN on the remote VPN gateway mustalso be configured as a BOVPN virtual interface.

Back 289

True

Front 290

What is a VPN Tunnel?

Back 290

A VPN tunnel is a secure connection between a mobile user and resources on your network. A VPN client on the remoteuser’s computer sends traffic for your network through the VPN tunnel. When your Firebox receives traffic through aVPN tunnel, it forwards that traffic to the correct devices.

Front 291

What are the 4 types of Mobile VPN Supported?

Back 291

Mobile VPN with PPTP

Mobile VPN with IPSec

Mobile VPN with SSL

Mobile VPN with L2TP, with IPSec enabled

Front 292

What is the maximum VPN tunnels supported on Mobile VPN with PPTP?

Back 292

50

Front 293

What are the two ways a Mobile VPN client can route traffic to the Internet for Mobile VPN users

Back 293

Split Tunnel VPN

Default Route VPN

Front 294

What is the "Split Tunnel VPN"?

Back 294

In a split tunnel VPN, the VPN client splits the traffic that is destined for your private network from traffic that isdestined for the Internet. Only traffic that is addressed to your private network goes through the VPN tunnel. Splittunneling provides better network performance, but less security because policies are not applied to the Internettraffic. Split tunneling is the default configuration. If you use split tunneling, we recommend that each clientcomputer have a software firewall.

Front 295

What is the "Default Route VPN"?

Back 295

In a default route VPN, all remote user Internet traffic is routed through the VPN tunnel to the Firebox before itgoes to the Internet. This enables the device to examine all traffic, and provides increased security, although ituses more processing power and bandwidth. Another detractor for default route VPN is that it can dramaticallyincrease latency for systems like VoIP.

Front 296

When you enable Mobile VPN with SSL, Policy Manager creates two policies on the Firewall tab, what are these two policies?

Back 296

WatchGuard SSLVPN — This SSLVPN policy allows connections from an SSL VPN client on UDP port 443.

Allow SSLVPN Users — This Any policy allows the groups and users you configure for SSL authentication toget access to resources on your network.

Front 297

When you enable Mobile VPN with L2TP, Policy Manager creates two policies in the Firewall tab, what are these two policies?

Back 297

WatchGuard L2TP — This L2TP policy allows connections from an L2TP client on UDP port 1701.

Allow L2TP Users — This Any policy allows the groups and users you configured for L2TP authentication to getaccess to resources on your network.

Front 298

When you enable Mobile VPN with PPTP, Policy Manager creates one policy in the Firewall tab, what is this policy?

Back 298

WatchGuard PPTP — This PPTP policy allows connections from a PPTP VPN client on TCP port 1723.

Front 299

How do you download the SSL VPN client in your organisation?

Back 299

https://[external interface IP address]/sslvpn.html

Front 300

With Mobile SSL VPN what are the two auto reconnect options?

Back 300

Auto reconnect after a connection is lost

This option enables the Automatically reconnect check box in the Mobile VPN with SSL client. The user canchoose whether to automatically reconnect.If you select the Force users to authenticate after a connection is lost check box, the user must type thepassword again for each reconnection.

Allow the Mobile VPN with SSL client to remember password

This option enables the Remember password check box in the Mobile VPN with SSL client. The user canchoose whether the client remembers the password.

Front 301

True or false? If you use a third-party server for VPN authentication, that server must have a user group with aname that exactly matches the group name in the VPN configuration.

Back 301

True

Front 302

True or false? Split tunnel is more secure than default route VPN.

Back 302

False

Front 303

True or false? If you add a new Allowed Resource in a Mobile VPN with IPSec policy, that resource isautomatically added to the VPN configuration.

Back 303

False

Front 304

True or false? Mobile VPN with IPSec is the only VPN type that can use different VPN configurations fordifferent user groups at the same time.

Back 304

True

Front 305

Which VPN connection types can you configure in the native VPN client in Windows?

Back 305

PPTP

L2TP

Front 306

How do you get to the WebUI

Back 306

https:/<firebox-ip-address>/:8080

Front 307

True or false? You can save the Firebox configuration file to a local disk drive from the Web UI.

Back 307

True

Front 308

True or false? You must install WSM software to use the Web UI.

Back 308

False