WatchGuard Network Security Essentials — NIE Practice Test v1.0

Last updated on September 3, 2025

Grab the Study Guide for Review

You can download the study guide PDF from WatchGuard directly if you are enrolled in the course; otherwise, you can grab it from our IT Glue documentation for WatchGuard Study Guide - Network Security Essentials for Locally-Managed Fireboxes.

WatchGuard Network Security Essentials Test

Network and Network Security Basics

Q1. Based on this network diagram (Internet → Firebox External 203.0.113.0/24; Trusted 10.0.1.0/24; Router 10.0.1.10 → LAN C 172.16.30.0/24 with host 172.16.30.50), which static routes enable routing from 10.0.1.0/24 to 172.16.30.50? (Select two.)

  • a. Route to 172.16.30.0, Gateway 172.16.30.1
  • b. Route to 172.16.30.50, Gateway 10.0.1.10
  • c. Route to 10.0.1.10, Gateway 10.0.1.1
  • d. Route to 172.16.30.0/24, Gateway 10.0.1.10

flowchart LR
  Internet[Internet\n203.0.113.0/24] --> Ext[Firebox External]
  Ext --> Trust[Firebox Trusted\n10.0.1.1/24]
  Trust --> Router[Router\n10.0.1.10]
  Router --> LAN[LAN C\n172.16.30.0/24]
  LAN --> Host[Host\n172.16.30.50]

Answer: b, d

Explanation: The next hop (gateway) must be directly reachable on the Firebox Trusted subnet (10.0.1.x). You can configure a host route to 172.16.30.50 via 10.0.1.10 or a subnet route to 172.16.30.0/24 via 10.0.1.10. The router at 10.0.1.10 must also be configured to route back to the Trusted network.

📖 Study Guide pp. 93–95 (Static Routing, Section 5.2)

Q2. In a /27 subnet (192.168.50.0/27), how many usable hosts are available? Is it suitable for 25 devices? (Select one.)

  • a. 30 usable; Yes
  • b. 32 usable; Yes
  • c. 62 usable; No
  • d. 14 usable; No

Answer: a

Explanation: /27 yields 2^(32−27) = 32 total addresses; minus network and broadcast = 30 usable → fits 25. This calculation ensures efficient IP allocation for small networks.

📖 Study Guide pp. 91–92 (Subnetting, Section 4.1)

Q3. Packet filters inspect application-layer data like HTTP requests. True or False?

Answer: False

Explanation: Packet filters operate at L3/L4 (network/transport). Application-layer inspection (HTTP headers/body) is done by proxies or deep-inspection services, providing enhanced security beyond packet filtering.

📖 Study Guide p. 126 (Packet Filters & Proxy Policies, Section 6.3)

Q4. Which are Layer 4 protocols? (Select two.)

  • a. IP
  • b. TCP
  • c. ICMP
  • d. UDP

Answer: b, d

Explanation: TCP and UDP operate at Layer 4 (transport layer), managing reliable and unreliable data transfer respectively, while IP and ICMP are Layer 3 protocols.

📖 Study Guide pp. 126–127 (Protocols by Layer, Section 6.1)

Q5. Scenario: New office — Firebox External 198.51.100.0/24; Trusted 192.168.2.0/24; Router 192.168.2.15 → remote LAN 10.20.50.0/24 hosting server 10.20.50.100. Which static routes must be added to the Firebox so hosts on 192.168.2.0/24 can reach 10.20.50.100? (Select two.)

  • a. Route to 10.20.50.0, Gateway 10.20.50.1
  • b. Route to 10.20.50.100, Gateway 192.168.2.15
  • c. Route to 192.168.2.15, Gateway 192.168.2.1
  • d. Route to 10.20.50.0/24, Gateway 192.168.2.15

flowchart LR
  Internet[Internet\n198.51.100.0/24] --> Ext[Firebox External]
  Ext --> Trust[Firebox Trusted\n192.168.2.1/24]
  Trust --> Router[Router\n192.168.2.15]
  Router --> RemoteLAN[Remote LAN\n10.20.50.0/24]
  RemoteLAN --> Server[Server\n10.20.50.100]

Answer: b, d

Explanation: The next-hop must be reachable on the Firebox Trusted subnet (192.168.2.x). Add either a host route to 10.20.50.100 via 192.168.2.15 or a subnet route to 10.20.50.0/24 via 192.168.2.15. The router at 192.168.2.15 must route back to the Trusted network.

📖 Study Guide pp. 93–95 (Static Routing, Section 5.2)

Q6. In a /28 subnet (172.16.20.0/28), how many usable hosts are available? Is it suitable for 12 devices? (Select one.)

  • a. 14 usable; Yes
  • b. 16 usable; Yes
  • c. 30 usable; No
  • d. 6 usable; No

Answer: a

Explanation: /28 → 16 addresses − 2 = 14 usable → fits 12 devices. This subnet size is ideal for small office networks requiring efficient address space.

📖 Study Guide pp. 91–92 (Subnetting, Section 4.1)

Q7. Proxy policies can filter application-layer content like HTTP headers. True or False?

Answer: True

Explanation: Proxy policies operate at Layer 7, enabling detailed inspection and filtering of application-layer data such as HTTP headers, unlike packet filters.

📖 Study Guide p. 126 (Packet Filters & Proxy Policies, Section 6.3)

Q8. Which protocols operate at Layer 3? (Select two.)

  • a. TCP
  • b. IP
  • c. ICMP
  • d. UDP

Answer: b, c

Explanation: IP and ICMP operate at Layer 3 (network layer), handling addressing and diagnostics, while TCP and UDP are Layer 4 protocols.

📖 Study Guide pp. 126–127 (Protocols by Layer, Section 6.1)

Administration and Initial Setup

Q9. After a Fireware update announcement, which methods allow you to check if your Firebox needs upgrading? (Select three.)

  • a. Auto-updates via WatchGuard Cloud
  • b. Web UI Dashboard → System Status
  • c. Policy Manager → Upgrade OS
  • d. CLI show version
  • e. WatchGuard Cloud → Devices → Updates

Answer: a, b, e

Explanation: Cloud and Web UI show available firmware; Cloud portal lists device updates. Policy Manager can upload images but primary checks are Cloud/Web UI. Ensure cloud connectivity for auto-updates.

📖 Study Guide pp. 37–39 (Upgrade a Firebox, Section 2.1)

Q10. Default Packet Handling blocks which threats? (Select four.)

  • a. UDP floods
  • b. XSS injections
  • c. Spoofed sources
  • d. Blocked ports
  • e. Ransomware
  • f. IP scans
  • g. MITM

Answer: a, c, d, f

Explanation: Default handling targets network-level threats (floods, spoofing, port enforcement, scanning). Application-layer threats are handled by proxies/AV/APT Blocker, requiring additional configuration.

📖 Study Guide p. 40 (Default Threat Protection, Section 2.2)

Q11. An auto-blocked site from scans: which statements apply? (Select two.)

  • a. Inbound traffic from that site is blocked
  • b. Outbound traffic to that site is blocked
  • c. The site is permanently blocked
  • d. The block is temporary (auto-block with expiration)

Answer: a, d

Explanation: Auto-block adds the host to block lists for a temporary period; it blocks incoming traffic originating from that host. Some configurations can be persistent if admin-configured. Check expiration settings for duration.

📖 Study Guide p. 54 (Types of Log Messages / Auto-block, Section 3.1)

Q12. Users see certificate warnings on the portal — which two remedial options avoid asking users to bypass warnings? (Select two.)

  • a. Use web server certificate for proxy
  • b. Import a CA-signed certificate into the Firebox
  • c. Tell users to disable browser warnings
  • d. Export the Firebox self-signed cert and import it into clients

Answer: b, d

Explanation: Use a trusted CA cert on the Firebox or distribute the self-signed cert into client trust stores so browsers trust the portal. This ensures secure and seamless access.

📖 Study Guide pp. 179–183 (Authentication & Certificates, Section 9.1)

Q13. Scenario: After a power outage a Firebox running Fireware v12.11.2 reboots with a corrupted configuration. You have a backup config on a local PC. Which tools can restore the configuration and verify OS post-restore? (Select two.)

  • a. Web UI Dashboard → System Status
  • b. Policy Manager → Restore Configuration
  • c. CLI restore command
  • d. Cloud → Devices → Backup

Answer: b, c

Explanation: Policy Manager can restore saved configs; CLI restore (or Policy Manager CLI workflows) can also import/restore. After restore, Web UI/CLI show OS version. Ensure backup integrity before restoring.

📖 Study Guide pp. 27–29 (Configuration Files & Backup, Section 1.3)

Q14. After a security patch release, which methods let you verify the Firebox OS version? (Select three.)

  • a. Cloud auto-update check
  • b. Web UI Dashboard → About
  • c. Policy Manager → System Info
  • d. CLI version command
  • e. Cloud → Device → Overview

Answer: b, c, d

Explanation: Web UI About, Policy Manager System Info, and CLI version command provide direct OS version details. Cloud checks are for updates, not verification.

📖 Study Guide pp. 37–39 (Upgrade & Version Verification, Section 2.1)

Q15. Default Threat Protection includes protection against which attacks? (Select four.)

  • a. TCP SYN floods
  • b. SQL injection
  • c. Source address spoofing
  • d. Denied services (blocked ports)
  • e. Malware downloads
  • f. Port scanning
  • g. Phishing

Answer: a, c, d, f

Explanation: Default protections are oriented to L3/L4 threats (floods, spoofing, port enforcement, scanning). App-layer attacks are handled by proxies/AV/APT, requiring additional subscriptions.

📖 Study Guide p. 40 (Default Threat Protection, Section 2.2)

Q16. A site is auto-blocked after repeated connection attempts. Which are true? (Select two.)

  • a. Only outbound traffic is blocked
  • b. Both directions are blocked
  • c. Permanent block applied
  • d. Temporary block applied

Answer: b, d

Explanation: Auto-block by default blocks both directions and is temporary, with an expiration unless manually adjusted. Check admin settings for duration control.

📖 Study Guide p. 54 (Auto-block behavior, Section 3.1)

Q17. Scenario: You need to distribute a self-signed Firebox cert to 200 company devices to avoid portal warnings. Which approach is best? (Select one.)

  • a. Ask each user to accept the warning
  • b. Deploy the cert via enterprise MDM/Group Policy to clients
  • c. Disable warnings in browsers
  • d. Replace the web server cert with the Firebox cert

Answer: b

Explanation: Use centralized management (MDM/GPO) to distribute and trust the cert — scalable and secure. This avoids manual user intervention.

📖 Study Guide pp. 179–183 (Certificate Management, Section 9.1)

Q18. True or False: Policy Manager is the only method to upload a Fireware OS image to a Firebox.

Answer: False

Explanation: You can use WatchGuard Cloud or the Web UI in some cases; Policy Manager is one method but not the only one. Verify method compatibility with your Firebox model.

📖 Study Guide pp. 36–40 (Upgrade Methods, Section 2.1)

Logging, Monitoring, Reporting, and ThreatSync

Q19. FSM Authentication List shows connected users and allows disconnects. True or False?

Answer: True

Explanation: FSM provides real-time visibility into authenticated users, allowing admins to disconnect users as needed for security management.

📖 Study Guide p. 61 (Monitoring with Firebox System Manager, Section 10.1)

Q20. The Status Report includes which of these? (Select three.)

  • a. Blocked IPs
  • b. Processes
  • c. Routes (IPv4 routing table)
  • d. DNS servers
  • e. Subscriptions

Answer: b, c, d

Explanation: The Status Report details system processes, routing tables, and DNS configurations, aiding in troubleshooting and network management.

📖 Study Guide pp. 200–202 (Status Reports, Section 10.2)

Q21. Where can you view AV block counts? (Select one.)

  • a. Traffic Monitor
  • b. Policy Manager Subscriptions
  • c. Web UI Subscription dashboard / FSM tab
  • d. Front Panel
  • e. FireWatch

Answer: c

Explanation: The Web UI Subscription dashboard and FSM tab provide detailed AV block statistics, essential for monitoring security service effectiveness.

📖 Study Guide pp. 205–207 (Subscription Services Reporting, Section 10.3)

Q22. Logs show suspicious outbound from a host — what is the best first action? (Select one.)

  • a. Block the host
  • b. Scan the host for malware
  • c. Increase logging
  • d. Check policies

Answer: b

Explanation: Investigate the host with malware scans and endpoint tools before taking network-wide blocks to confirm the threat source.

📖 Study Guide pp. 209–210 (Incident Response & Logs, Section 10.4)

Q23. Scenario: Traffic Monitor shows a spike of blocked outbound connections from host 192.168.1.50. What is the first step to investigate using Firebox tools? (Select one.)

  • a. Increase logging verbosity
  • b. Check the host's activity in Firebox System Manager (FSM)
  • c. Block the host immediately
  • d. Review Dimension reports

Answer: b

Explanation: Use FSM/Traffic Monitor to see real-time connections and detail before escalating; capture PCAPs where needed for deeper analysis.

📖 Study Guide p. 61 (Monitoring with FSM, Section 10.1)

Q24. FSM Traffic Monitor can display real-time user activity. True or False?

Answer: True

Explanation: FSM Traffic Monitor provides real-time visibility into user activity, enabling immediate response to anomalies.

📖 Study Guide p. 61 (FSM Traffic Monitor, Section 10.1)

Q25. Which items appear in the System Status report? (Select three.)

  • a. Active connections
  • b. CPU usage
  • c. Firewall rules
  • d. Interface status
  • e. Log file size

Answer: a, b, d

Explanation: The System Status report includes active connections, CPU usage, and interface status, providing a comprehensive overview of device health.

📖 Study Guide p. 65 (System Status / Web UI, Section 10.2)

Q26. Where do you check IPS block statistics? (Select one.)

  • a. Traffic Monitor
  • b. Web UI Security Services
  • c. Policy Manager Logs
  • d. Dimension Reports
  • e. Front Panel

Answer: b

Explanation: The Web UI Security Services section provides detailed IPS block statistics, crucial for assessing intrusion prevention effectiveness.

📖 Study Guide p. 65 (Security Services Monitoring, Section 10.3)

Networking and NAT

Q27. Use 1-to-1 NAT for multiple inbound servers? True or False?

Answer: False

Explanation: For multiple services on one public IP, use port-based Static NAT (SNAT) or policy NAT; 1:1 maps full addresses and requires many public IPs, which is inefficient here.

📖 Study Guide pp. 101–108 (NAT Concepts, Section 5.3)

Q28. Which are valid bridge configurations? (Select three.)

  • a. Bridge across zones
  • b. Multiple interfaces in bridge
  • c. VLANs on bridge
  • d. Bridge must be Trusted
  • e. Secondary IPs on bridge

Answer: b, c, e

Explanation: Bridges support multiple interfaces, VLANs, and secondary IPs, offering flexibility in network design without zone restrictions.

📖 Study Guide pp. 80–82 (Bridge Mode & VLANs, Section 4.3)

Q29. Diagram: Firebox bridge interface; Port 2 untagged VLAN 30 → Switch Port 5; Port 8 tagged VLAN 40 → tagged hosts. How to configure the switch ports for the tagged hosts? (Select two.)

  • a. Port 5 VLAN 30 tagged
  • b. Port 5 VLAN 30 untagged
  • c. Port 5 no VLAN
  • d. Port 8 VLAN 40 tagged
  • e. Port 8 VLAN 40 untagged

flowchart LR
  FB["Firebox Bridge"]
  P2["Port 2\nUntagged VLAN 30"]
  S5["Switch Port 5"]
  P8["Port 8\nTagged VLAN 40"]
  S8["Switch Port 8 (trunk)"]
  H1["Host VLAN30 (untagged)"]
  H2["Host VLAN40 (tagged)"]
  FB --> P2 --> S5 --> H1
  FB --> P8 --> S8 --> H2

Answer: b, d

Explanation: Untagged client ports must be untagged for their VLAN; trunk/tagged ports must carry VLAN tags for tagged hosts. Ensure switch port alignment with Firebox settings.

📖 Study Guide pp. 86–92 (VLAN Tagging, Section 4.4)

Q30. True or False: You can override global Static/Dynamic NAT from within an individual policy's advanced NAT settings.

Answer: True

Explanation: Policy-level NAT settings allow overrides for specific traffic flows, providing granular control over global NAT configurations.

📖 Study Guide pp. 98–106 (Policy NAT Overrides, Section 5.3)

Q31. Scenario: A Firebox is configured with a single public IP (203.0.113.10). You want HTTPS to be forwarded to Server A (10.1.1.10) and SMTP to Server B (10.1.1.20). Which NAT method is correct? (Select one.)

  • a. 1-to-1 NAT
  • b. Dynamic NAT
  • c. Static NAT (SNAT / port forward)
  • d. No NAT required

flowchart TB
  InternetClient1 -->|HTTPS 443| Firebox
  InternetClient2 -->|SMTP 25| Firebox
  Firebox -->|SNAT 443| ServerA[10.1.1.10]
  Firebox -->|SNAT 25| ServerB[10.1.1.20]

Answer: c

Explanation: SNAT (port-based static NAT / port forwarding) maps specific public ports on one IP to different internal servers, optimizing IP usage.

📖 Study Guide pp. 101–108 (SNAT vs 1:1, Section 5.3)

Q32. Scenario: Company sets up Firebox bridge: Port 3 untagged VLAN 20 → Switch Port 4; Port 7 tagged VLAN 60 → tagged server. How should Switch Port 4 be configured? (Select one.)

  • a. VLAN 20 tagged
  • b. VLAN 20 untagged
  • c. VLAN 60 tagged
  • d. No VLAN

flowchart LR
  Firebox --> Port3[Port 3\nUntagged VLAN 20] --> Switch4[Switch Port 4]
  Firebox --> Port7[Port 7\nTagged VLAN 60] --> Server[Tagged Server VLAN60]

Answer: b

Explanation: Switch Port 4 must be untagged for VLAN 20 to match the Firebox's untagged configuration, ensuring proper traffic flow.

📖 Study Guide pp. 86–92 (VLAN Configuration, Section 4.4)

Q33. True or False: Dynamic NAT supports multiple internal connections mapped to a single public IP.

Answer: True

Explanation: Dynamic NAT uses port address translation (PAT) to map multiple internal IPs to a single public IP, enabling efficient resource use.

📖 Study Guide p. 101 (Dynamic NAT, Section 5.3)

Q34. Which of the following are valid reasons to use a bridge instead of routing? (Select two.)

  • a. To maintain L2 adjacency between devices
  • b. To hide devices behind NAT
  • c. To consolidate VLANs at L3
  • d. To pass VLAN tags transparently

Answer: a, d

Explanation: Bridging maintains L2 adjacency and passes VLAN tags transparently, ideal for scenarios requiring layer 2 connectivity without IP routing.

📖 Study Guide pp. 80–87 (Bridging & VLANs, Section 4.3)

Q35. True or False: Policy-level NAT can be used to implement inbound port forwarding for a specific policy without changing global NAT settings.

Answer: True

Explanation: Policy-level NAT allows targeted port forwarding, offering flexibility without altering global NAT configurations.

📖 Study Guide pp. 98–106 (Policy NAT Overrides, Section 5.3)

Q36. Scenario: You need to publish 3 internal web servers but have only one public IP. Which solution is best?

  • a. 1:1 NAT for each server
  • b. Port-based SNAT/forwarding
  • c. Use Dynamic NAT
  • d. Put servers behind a router with VPN access only

Answer: b

Explanation: Port-based SNAT forwards different ports (or hostnames via reverse proxy) to different servers on the same public IP, maximizing resource efficiency.

📖 Study Guide pp. 101–108 (SNAT Examples, Section 5.3)

Policies, Proxies, and Security Services

Q37. Given the policy table: HTTPS-proxy (HR → External), HTTP (Marketing → External), Any (Trusted → External). Can Marketing use HTTPS (assuming Any is enabled)? (Select one.)

  • a. No — HTTPS only HR
  • b. No — Any excludes Marketing
  • c. Yes — HTTP allows both
  • d. Yes — Any allows

Answer: d

Explanation: The Any policy matches traffic not matched by more specific rules; if Any allows HTTPS, Marketing can use it unless another deny exists. Policy precedence applies.

📖 Study Guide pp. 117–118 (Policy Precedence, Section 6.2)

Q38. If you disable the default Any policy, which items must you explicitly allow to restore basic web browsing? (Select three.)

  • a. HTTP
  • b. HTTPS
  • c. DNS
  • d. SMTP
  • e. NTP

Answer: a, b, c

Explanation: HTTP and HTTPS enable web access, while DNS resolves domain names, all essential for basic browsing after disabling Any.

📖 Study Guide pp. 117–118 (Policy Basics & DNS requirement, Section 6.2)

Q39. True or False: Updates (signatures/AV) download over HTTPS from dynamic CDNs, and DNS resolution is required.

Answer: True

Explanation: Updates use HTTPS for security and dynamic CDNs for availability, requiring DNS to resolve hostnames.

📖 Study Guide pp. 164–173 (Subscription & Update mechanics, Section 8.1)

Q40. WebBlocker should be enabled in which proxy to block/allow web content categories? (Select one.)

  • a. IPS
  • b. AV
  • c. HTTP-proxy
  • d. APT
  • e. App Control

Answer: c

Explanation: The HTTP-proxy handles WebBlocker, enabling content category filtering for HTTP/HTTPS traffic.

📖 Study Guide p. 161 (WebBlocker / HTTP/HTTPS proxy, Section 8.2)

Q41. Scenario: Policies — HTTPS-proxy (Finance → External), HTTP (Support → External), Any (Trusted → External). A Support user attempts to reach an HTTPS site. Will the connection be allowed? (Select one.)

  • a. No — HTTPS only Finance
  • b. No — Any blocks Support
  • c. Yes — Any allows it
  • d. Yes — HTTP policy permits HTTPS

Answer: c

Explanation: If the Any policy allows HTTPS, traffic from Support falls through to Any and is allowed (unless there is an explicit deny). Policy order matters.

📖 Study Guide pp. 117–118 (Policy Matching / Precedence, Section 6.2)

Q42. If you disable Any and want to allow email access, which two items should you permit? (Select two.)

  • a. HTTP
  • b. HTTPS
  • c. SMTP
  • d. DNS
  • e. IMAP

Answer: c, d

Explanation: SMTP (or IMAP/POP depending on client) plus DNS for name resolution are required for email functionality, ensuring connectivity to mail servers.

📖 Study Guide pp. 117–118 (Policy Basics, Section 6.2)

Q43. Which service should be active before Application Control to ensure web-app filtering functions? (Select one.)

  • a. WebBlocker
  • b. AV
  • c. HTTP-proxy
  • d. IPS
  • e. APT

Answer: c

Explanation: The HTTP-proxy must be active to process web traffic, enabling Application Control to filter web applications effectively.

📖 Study Guide p. 136 (Application Control & Proxy dependencies, Section 7.2)

Authentication and VPN

Q44. What is the WatchGuard Auth policy used for? (Select one.)

  • a. Management UI
  • b. BOVPN
  • c. Portal access
  • d. Mobile VPN

Answer: c

Explanation: The WatchGuard Auth policy secures user portal access, ensuring authenticated entry to services like captive portals.

📖 Study Guide p. 179 (Firebox Authentication, Section 9.1)

Q45. Log: IKE phase-1 fail: No proposal chosen — which configuration should you check/fix? (Select one.)

  • a. Gateway (Phase 1 proposals)
  • b. Tunnel (Phase 2 settings)
  • c. TLS Certificate
  • d. Shared secret

Answer: a

Explanation: This message indicates Phase 1 proposal mismatch (encryption/hash/DH/lifetime). Align gateway proposals on both peers.

📖 Study Guide pp. 153–158 (IKE / VPN Troubleshooting)

Q46. Which clientless mobile VPN option is recommended for iOS/Android (native support)? (Select one.)

  • a. IPSec
  • b. SSL
  • c. IKEv2
  • d. L2TP
  • e. PPTP

Answer: c

📖 Study Guide p. 196 (Mobile VPN with IKEv2)

Q47. You have multiple external interfaces and a BOVPN to a remote site. To have failover to a secondary interface, which configuration is required? (Select one.)

  • a. Use SD-WAN in policies
  • b. Add a new static route
  • c. Add the interface to policy To list
  • d. Add the secondary external as a VPN endpoint/gateway
  • e. Enable Multi-WAN select VPN

Answer: d

📖 Study Guide p. 95 (Multi-WAN & BOVPN)

Q48. Scenario: Remote office with primary WAN1 (203.0.113.1) and backup WAN2 (198.51.100.1). The primary fails. Which configuration provides automatic VPN failover? (Select one.)

  • a. Add WAN2 to policy From
  • b. Configure Multi-WAN with VPN failover
  • c. Create a new static route for WAN2
  • d. Enable SD-WAN rules

flowchart LR
  Main[Main Office Firebox\nWAN1:203.0.113.1\nWAN2:198.51.100.1]
  Remote[Remote Office Firebox]
  Internet[Internet]
  Main -->|WAN1 Primary| Internet --> Remote
  Main -->|WAN2 Failover| Internet --> Remote

Answer: b

Explanation: Multi-WAN/VPN endpoint configuration supports automatic failover to the secondary WAN.

📖 Study Guide p. 95 (Multi-WAN)

Q49. What is the role of the Firebox Auth policy? (Select one.)

  • a. Device management
  • b. VPN tunnel setup
  • c. User portal authentication
  • d. Network monitoring

Answer: c

📖 Study Guide p. 179 (Authentication Policy)

Q50. Which VPN type is broadly recommended for best Windows/Linux/mobile client compatibility? (Select one.)

  • a. SSL
  • b. IKEv2
  • c. IPSec
  • d. L2TP
  • e. PPTP

Answer: b

Explanation: IKEv2 offers strong security, mobility, and broad native OS support across Windows, Linux (with clients), and mobile platforms.

📖 Study Guide p. 196 (Mobile VPN with IKEv2)