WATCHGUARD NETWORK SECURITY
ESSENTIALS CERTIFICATION SCRIPT
2026 QUESTIONS WITH SOLUTIONS
GRADED A+
◍ Allow Incoming connections to the example.com domain only.
Answer: .From the SMTP proxy action settings in this image, which of these
options is configured for incoming SMTP traffic? (Select one.)Allow
Incoming connections to the example.com domain onlyAllow Outgoing
connection from example.com Deny Incoming connections to the
example.com domain onlyDeny outgoing connections from example.com
◍ Any-optionalOptional-1Any.
Answer: ***In the network configuration in this image, which aliases is
Eth2 a member of? (Select three.)A. Any-optionalB. Any-ExternalC.
Optional-1D. AnyE. Any-Trusted
◍ DHCP Port.
Answer: UDP 67, 68
◍ DNS Port.
Answer: TCP/UDP 53
◍ ***When your device is in a default state, to which interface do you connect
your management computer so you can use the Quick Setup Wizard or Web
SetupWizard to configure the device? (Select one.)
A. Interface 0
B. Console interface
C. Any interface
D. Interface 1.
, Answer: Interface 1
◍ HTTP Port.
Answer: TCP 80
◍ ***In the default Firebox configuration file, which policies control
management access to the device? (Select two.)
A. WatchGuard
B. FTP
C. Ping
D. WatchGuard Web UI
E. Outgoing.
Answer: WatchGuardWatchGuard Web UI
◍ HTTPS Port.
Answer: TCP 443
◍ To use the Web Setup Wizard or Quick Setup Wizard to configure your
Firebox or XTM device, your computer must have an IP address on which
subnet? (Select one.)
A. 10.0.10.0/24
B. 10.0.1.0/24
C. 172.16.10.0/24
D. 192.168.1.0/24.
Answer: 10.0.1.0/24
◍ ***What is the best method to downgrade the version of Fireware OS on
your Firebox without losing all device configuration settings? (Select one.)
A. Restore a saved backup image that was created for the device before the
last Fireware OS upgrade.
B. Use the Upgrade OS feature in Fireware Web UI to install the sysa_dl file
for an order version of Fireware O
S. C. Change the OS compatibility setting in Policy Manager to downgrade
the device. Then use Policy Manager to save the configuration to the device.
D. Use the downgrade feature on Policy Manager to select a previous of
Fireware O
, S. .
Answer: Restore a saved backup image that was created for the device
before the last Fireware OS upgrade.
◍ FTP Port.
Answer: TCP 20, 21
◍ ***You configured four Device Administrator user accounts for your
Firebox. To see a report of which Device Management users have made
changes to the device configuration, what must you do? (Select two.)
A. Start Firebox System Manager for the device and review the activity for
the Management Users on the Authentication List tab.
B. Connect to Report Manager or Dimension and view the Audit Trail report
for your device.
C. Open WatchGuard Server Center and review the configuration history for
managed devices.
D. Configure your device to send audit trail log messages to your
WatchGuard Log Server or Dimension Log Server..
Answer: Connect to Report Manager or Dimension and view the Audit Trail
report for your device.Open WatchGuard Server Center and review the
configuration history for managed devices.
◍ ***Which items are included in a Firebox backup image file? (Select four.)
A. Support snapshot
B. Fireware OS
C. Configuration file
D. Log file
E. Feature keys
F. Certificates
G. PasswordsThis question was on the exam but it had different
answers.One of the answer options was policies. I don't believe feature keys
was on there. Also users and roles were on there..
Answer: Configuration fileCertificatesPasswords Feature key
◍ ***Only 50 clients on the trusted network of your Firebox can connect to
, the Internet at the same time. What could cause this? (Select one.)
A. The Live Security feature key is expired.
B. The device feature key allows a maximum of 50 client connections.
C. The DHCP address pool on the trusted interface has only 50 IP addresses.
D. The Outgoing policy allows a maximum of 50 client connections..
Answer: The DHCP address pool on the trusted interface has only 50 IP
addresses.
◍ Route to 10.0.20.0/24, Gateway 10.0.2.254.
Answer: Clients on the trusted network need to connect to a server behind a
router on the optional network. Based on this image, what static route must
be added to the Firebox for traffic from clients on the trusted network to
reach a server at 10.0.20.100? (Select one.)A. Route to 10.0.20.0/24,
Gateway 10.0.2.1B. Route to 10.0.20.0/24, Gateway 10.0.2.254C. Route to
10.0.20.0, Gateway 10.0.2.254D. Route to 10.0.10.0/24, Gateway 10.0.10.1
◍ ***The IP address for the trusted interface on your Firebox is 10.0.40.1/24,
but you want to change the IP address for this interface. How can you avoid
a network outage for clients on the trusted network when you change the
interface IP address to 10.0.50.1/24? (Select one.)
A. Create a 1-to-1 NAT rule for traffic from the 10.0.40.0/24 subnet to
addresses on the 10.0.50.0/24 subnet.
B. Add 10.0.40.1/24 as a secondary IP address for the interface.
C. Add IP addresses on the 10.0.40.0/24 subnet to the DHCP Server IP
address pool for this interface.
D. Add a route to 10.0.40.0/24 with the gateway 10.0.50.1..
Answer: Add 10.0.40.1/24 as a secondary IP address for the interface.
◍ SMTP Port.
Answer: TCP 25
◍ ***Which of these options are private IPv4 addresses you can assign to a
trusted interface, as described in RFC 1918, Address Allocation for Private
Internets?(Select three.)
A. 192.168.50.1/24
ESSENTIALS CERTIFICATION SCRIPT
2026 QUESTIONS WITH SOLUTIONS
GRADED A+
◍ Allow Incoming connections to the example.com domain only.
Answer: .From the SMTP proxy action settings in this image, which of these
options is configured for incoming SMTP traffic? (Select one.)Allow
Incoming connections to the example.com domain onlyAllow Outgoing
connection from example.com Deny Incoming connections to the
example.com domain onlyDeny outgoing connections from example.com
◍ Any-optionalOptional-1Any.
Answer: ***In the network configuration in this image, which aliases is
Eth2 a member of? (Select three.)A. Any-optionalB. Any-ExternalC.
Optional-1D. AnyE. Any-Trusted
◍ DHCP Port.
Answer: UDP 67, 68
◍ DNS Port.
Answer: TCP/UDP 53
◍ ***When your device is in a default state, to which interface do you connect
your management computer so you can use the Quick Setup Wizard or Web
SetupWizard to configure the device? (Select one.)
A. Interface 0
B. Console interface
C. Any interface
D. Interface 1.
, Answer: Interface 1
◍ HTTP Port.
Answer: TCP 80
◍ ***In the default Firebox configuration file, which policies control
management access to the device? (Select two.)
A. WatchGuard
B. FTP
C. Ping
D. WatchGuard Web UI
E. Outgoing.
Answer: WatchGuardWatchGuard Web UI
◍ HTTPS Port.
Answer: TCP 443
◍ To use the Web Setup Wizard or Quick Setup Wizard to configure your
Firebox or XTM device, your computer must have an IP address on which
subnet? (Select one.)
A. 10.0.10.0/24
B. 10.0.1.0/24
C. 172.16.10.0/24
D. 192.168.1.0/24.
Answer: 10.0.1.0/24
◍ ***What is the best method to downgrade the version of Fireware OS on
your Firebox without losing all device configuration settings? (Select one.)
A. Restore a saved backup image that was created for the device before the
last Fireware OS upgrade.
B. Use the Upgrade OS feature in Fireware Web UI to install the sysa_dl file
for an order version of Fireware O
S. C. Change the OS compatibility setting in Policy Manager to downgrade
the device. Then use Policy Manager to save the configuration to the device.
D. Use the downgrade feature on Policy Manager to select a previous of
Fireware O
, S. .
Answer: Restore a saved backup image that was created for the device
before the last Fireware OS upgrade.
◍ FTP Port.
Answer: TCP 20, 21
◍ ***You configured four Device Administrator user accounts for your
Firebox. To see a report of which Device Management users have made
changes to the device configuration, what must you do? (Select two.)
A. Start Firebox System Manager for the device and review the activity for
the Management Users on the Authentication List tab.
B. Connect to Report Manager or Dimension and view the Audit Trail report
for your device.
C. Open WatchGuard Server Center and review the configuration history for
managed devices.
D. Configure your device to send audit trail log messages to your
WatchGuard Log Server or Dimension Log Server..
Answer: Connect to Report Manager or Dimension and view the Audit Trail
report for your device.Open WatchGuard Server Center and review the
configuration history for managed devices.
◍ ***Which items are included in a Firebox backup image file? (Select four.)
A. Support snapshot
B. Fireware OS
C. Configuration file
D. Log file
E. Feature keys
F. Certificates
G. PasswordsThis question was on the exam but it had different
answers.One of the answer options was policies. I don't believe feature keys
was on there. Also users and roles were on there..
Answer: Configuration fileCertificatesPasswords Feature key
◍ ***Only 50 clients on the trusted network of your Firebox can connect to
, the Internet at the same time. What could cause this? (Select one.)
A. The Live Security feature key is expired.
B. The device feature key allows a maximum of 50 client connections.
C. The DHCP address pool on the trusted interface has only 50 IP addresses.
D. The Outgoing policy allows a maximum of 50 client connections..
Answer: The DHCP address pool on the trusted interface has only 50 IP
addresses.
◍ Route to 10.0.20.0/24, Gateway 10.0.2.254.
Answer: Clients on the trusted network need to connect to a server behind a
router on the optional network. Based on this image, what static route must
be added to the Firebox for traffic from clients on the trusted network to
reach a server at 10.0.20.100? (Select one.)A. Route to 10.0.20.0/24,
Gateway 10.0.2.1B. Route to 10.0.20.0/24, Gateway 10.0.2.254C. Route to
10.0.20.0, Gateway 10.0.2.254D. Route to 10.0.10.0/24, Gateway 10.0.10.1
◍ ***The IP address for the trusted interface on your Firebox is 10.0.40.1/24,
but you want to change the IP address for this interface. How can you avoid
a network outage for clients on the trusted network when you change the
interface IP address to 10.0.50.1/24? (Select one.)
A. Create a 1-to-1 NAT rule for traffic from the 10.0.40.0/24 subnet to
addresses on the 10.0.50.0/24 subnet.
B. Add 10.0.40.1/24 as a secondary IP address for the interface.
C. Add IP addresses on the 10.0.40.0/24 subnet to the DHCP Server IP
address pool for this interface.
D. Add a route to 10.0.40.0/24 with the gateway 10.0.50.1..
Answer: Add 10.0.40.1/24 as a secondary IP address for the interface.
◍ SMTP Port.
Answer: TCP 25
◍ ***Which of these options are private IPv4 addresses you can assign to a
trusted interface, as described in RFC 1918, Address Allocation for Private
Internets?(Select three.)
A. 192.168.50.1/24
