Sophos Firewall ACTUAL EXAM
2026/2027: 100% Verified Questions
& Correct Answers
Question 1: A company is deploying a Sophos XGS firewall in bridge mode between their
internal LAN (192.168.1.0/24) and existing router. They need to ensure that the firewall can
inspect traffic without changing IP addresses. Which configuration is most appropriate?
A. Configure the bridge interface with IP 192.168.1.1/24 and enable proxy ARP
B. Create a transparent bridge pair with no IP addressing and place it inline
C. Configure NAT rules to translate all traffic through the firewall
D. Set up the firewall as a Layer 3 gateway with static routing
Correct Answer: B
Rationale: Transparent bridge mode allows the Sophos XGS firewall to inspect traffic without
changing IP addresses or acting as a Layer 3 gateway. The bridge pair operates at Layer 2,
maintaining existing IP schemes while providing full security inspection capabilities.
Question 2: An administrator needs to configure SSL VPN access for remote users with the
following requirements: - Users must authenticate against Active Directory - Split tunneling
should be enabled - Only RDP (3389) and HTTPS (443) traffic should be allowed through the
tunnel. Which SSL VPN policy configuration meets these requirements?
A. Enable "Allow all traffic" in SSL VPN settings and configure user-based firewall rules
B. Configure "Allowed services" to include RDP and HTTPS, enable split tunneling, and set AD
authentication
C. Disable split tunneling and create specific firewall rules for VPN zone
D. Configure full tunnel mode with AD authentication and web filtering
Correct Answer: B
Rationale: The SSL VPN policy should specify allowed services (RDP and HTTPS), enable
split tunneling to reduce bandwidth usage, and configure Active Directory authentication. This
provides granular control over VPN traffic while maintaining security.
,Question 3: A Sophos XGS firewall is experiencing high CPU usage during business hours.
Investigation shows that web filtering is consuming significant resources. Which optimization
would most effectively reduce CPU load while maintaining security?
A. Disable web filtering entirely and rely only on IPS
B. Configure web filtering exceptions for trusted business applications
C. Reduce the size of the URL database
D. Enable hardware acceleration for web filtering
Correct Answer: B
Rationale: Configuring web filtering exceptions for trusted business applications reduces
processing overhead while maintaining security for unknown or risky traffic. This approach
optimizes performance without compromising protection.
Question 4: A network administrator needs to configure high availability (HA) for a pair of
Sophos XGS firewalls. The primary requirement is zero-downtime failover with session
preservation. Which HA mode should be implemented?
A. Active-Passive with session sync
B. Active-Active with load balancing
C. Standalone with manual failover
D. Cluster mode with distributed processing
Correct Answer: A
Rationale: Active-Passive HA with session synchronization provides zero-downtime failover
by maintaining session state on the backup unit. When failover occurs, existing connections
continue without interruption, meeting the zero-downtime requirement.
Question 5: An organization wants to implement application control to block social media
during business hours (8 AM - 6 PM) but allow it during lunch (12 PM - 1 PM) and after hours.
Which configuration approach is most effective?
A. Create time-based firewall rules with application control policies
B. Configure user-based policies with Active Directory integration
C. Implement bandwidth shaping with time restrictions
D. Use web filtering categories with schedule exceptions
Correct Answer: A
, Rationale: Time-based firewall rules with application control policies provide granular control
over application access based on time schedules. This allows blocking social media during
specific business hours while permitting access during defined lunch and after-hours periods.
Question 6: A Sophos XGS firewall is showing multiple failed login attempts from external IP
addresses. The administrator wants to implement automatic IP blocking for brute force
attacks. Which feature should be configured?
A. Intrusion Prevention System (IPS) with custom signatures
B. DoS protection with threshold settings
C. Authentication failure tracking with automatic blocking
D. Geo-blocking for specific countries
Correct Answer: C
Rationale: Authentication failure tracking monitors failed login attempts and can
automatically block source IP addresses after reaching defined thresholds. This provides
dynamic protection against brute force attacks without manual intervention.
Question 7: A company needs to configure site-to-site IPsec VPN between their main office
Sophos XGS firewall and a branch office using a third-party firewall. The branch office uses a
dynamic IP address. Which IPsec configuration option is most suitable?
A. Main mode with pre-shared key
B. Aggressive mode with dynamic DNS
C. IKEv2 with certificate authentication
D. L2TP over IPsec for compatibility
Correct Answer: B
Rationale: Aggressive mode with dynamic DNS allows IPsec VPN establishment when one
endpoint has a dynamic IP address. This mode reduces the number of message exchanges
and can work with dynamic addressing schemes while maintaining security through
pre-shared keys or certificates.
Question 8: An administrator needs to configure web filtering to block access to file sharing
sites while allowing access to cloud storage services like OneDrive and Google Drive for
business use. Which approach provides the most granular control?
A. Block "File Sharing" category and create exceptions for approved domains
B. Configure URL filtering with specific allow/deny lists
C. Use application control to block file sharing applications
2026/2027: 100% Verified Questions
& Correct Answers
Question 1: A company is deploying a Sophos XGS firewall in bridge mode between their
internal LAN (192.168.1.0/24) and existing router. They need to ensure that the firewall can
inspect traffic without changing IP addresses. Which configuration is most appropriate?
A. Configure the bridge interface with IP 192.168.1.1/24 and enable proxy ARP
B. Create a transparent bridge pair with no IP addressing and place it inline
C. Configure NAT rules to translate all traffic through the firewall
D. Set up the firewall as a Layer 3 gateway with static routing
Correct Answer: B
Rationale: Transparent bridge mode allows the Sophos XGS firewall to inspect traffic without
changing IP addresses or acting as a Layer 3 gateway. The bridge pair operates at Layer 2,
maintaining existing IP schemes while providing full security inspection capabilities.
Question 2: An administrator needs to configure SSL VPN access for remote users with the
following requirements: - Users must authenticate against Active Directory - Split tunneling
should be enabled - Only RDP (3389) and HTTPS (443) traffic should be allowed through the
tunnel. Which SSL VPN policy configuration meets these requirements?
A. Enable "Allow all traffic" in SSL VPN settings and configure user-based firewall rules
B. Configure "Allowed services" to include RDP and HTTPS, enable split tunneling, and set AD
authentication
C. Disable split tunneling and create specific firewall rules for VPN zone
D. Configure full tunnel mode with AD authentication and web filtering
Correct Answer: B
Rationale: The SSL VPN policy should specify allowed services (RDP and HTTPS), enable
split tunneling to reduce bandwidth usage, and configure Active Directory authentication. This
provides granular control over VPN traffic while maintaining security.
,Question 3: A Sophos XGS firewall is experiencing high CPU usage during business hours.
Investigation shows that web filtering is consuming significant resources. Which optimization
would most effectively reduce CPU load while maintaining security?
A. Disable web filtering entirely and rely only on IPS
B. Configure web filtering exceptions for trusted business applications
C. Reduce the size of the URL database
D. Enable hardware acceleration for web filtering
Correct Answer: B
Rationale: Configuring web filtering exceptions for trusted business applications reduces
processing overhead while maintaining security for unknown or risky traffic. This approach
optimizes performance without compromising protection.
Question 4: A network administrator needs to configure high availability (HA) for a pair of
Sophos XGS firewalls. The primary requirement is zero-downtime failover with session
preservation. Which HA mode should be implemented?
A. Active-Passive with session sync
B. Active-Active with load balancing
C. Standalone with manual failover
D. Cluster mode with distributed processing
Correct Answer: A
Rationale: Active-Passive HA with session synchronization provides zero-downtime failover
by maintaining session state on the backup unit. When failover occurs, existing connections
continue without interruption, meeting the zero-downtime requirement.
Question 5: An organization wants to implement application control to block social media
during business hours (8 AM - 6 PM) but allow it during lunch (12 PM - 1 PM) and after hours.
Which configuration approach is most effective?
A. Create time-based firewall rules with application control policies
B. Configure user-based policies with Active Directory integration
C. Implement bandwidth shaping with time restrictions
D. Use web filtering categories with schedule exceptions
Correct Answer: A
, Rationale: Time-based firewall rules with application control policies provide granular control
over application access based on time schedules. This allows blocking social media during
specific business hours while permitting access during defined lunch and after-hours periods.
Question 6: A Sophos XGS firewall is showing multiple failed login attempts from external IP
addresses. The administrator wants to implement automatic IP blocking for brute force
attacks. Which feature should be configured?
A. Intrusion Prevention System (IPS) with custom signatures
B. DoS protection with threshold settings
C. Authentication failure tracking with automatic blocking
D. Geo-blocking for specific countries
Correct Answer: C
Rationale: Authentication failure tracking monitors failed login attempts and can
automatically block source IP addresses after reaching defined thresholds. This provides
dynamic protection against brute force attacks without manual intervention.
Question 7: A company needs to configure site-to-site IPsec VPN between their main office
Sophos XGS firewall and a branch office using a third-party firewall. The branch office uses a
dynamic IP address. Which IPsec configuration option is most suitable?
A. Main mode with pre-shared key
B. Aggressive mode with dynamic DNS
C. IKEv2 with certificate authentication
D. L2TP over IPsec for compatibility
Correct Answer: B
Rationale: Aggressive mode with dynamic DNS allows IPsec VPN establishment when one
endpoint has a dynamic IP address. This mode reduces the number of message exchanges
and can work with dynamic addressing schemes while maintaining security through
pre-shared keys or certificates.
Question 8: An administrator needs to configure web filtering to block access to file sharing
sites while allowing access to cloud storage services like OneDrive and Google Drive for
business use. Which approach provides the most granular control?
A. Block "File Sharing" category and create exceptions for approved domains
B. Configure URL filtering with specific allow/deny lists
C. Use application control to block file sharing applications
