
100+ Free Sophos ZTNA Engineer Practice Questions

Pass your Sophos ZTNA Course Assessment / Certified Engineer (Z15) exam on the first try — instant access, no signup required.

Pass rate: Sophos does not publish pass rates for the ZTNA course assessment.
2026 Statistics

Key Facts: Sophos ZTNA Engineer Exam

  • Exam Questions: 30 (Sophos course assessment)
  • Passing Score: 80% (Sophos)
  • Exam Duration: 45 min (Sophos)
  • Cost (Partners): Free (Sophos enablement)
  • Course Length: ~2h45m (Sophos ZTNA training)
  • Delivery: NetExam (Sophos Training Portal)

The Sophos ZTNA Engineer credential is earned by passing the end-of-course assessment for the Sophos Zero Trust Network Access training (~2h45m, intermediate). The assessment is approximately 30 multiple-choice questions in 45 minutes with an 80% passing score, delivered through the Sophos Training Portal (NetExam). Treat this as a course assessment rather than a full standalone Engineer certification — it is bundled with the free course and is most relevant for Sophos partners and engineers deploying Sophos ZTNA. Topics include NIST 800-207 Zero Trust, the Sophos Central / ZTNA Gateway / ZTNA Agent architecture, gateway deployment on VMware/Hyper-V/AWS/Sophos Firewall, SAML integration with Entra ID and Okta, per-application policies with Synchronized Security health gates, and ZTNA monitoring and troubleshooting.

Sample Sophos ZTNA Engineer Practice Questions

Try these sample questions to test your Sophos ZTNA Engineer exam readiness. Each question includes a detailed explanation.

1. Which NIST publication formally defines the Zero Trust Architecture principles that ZTNA solutions like Sophos ZTNA implement?
A. NIST SP 800-53
B. NIST SP 800-171
C. NIST SP 800-207
D. NIST SP 800-63
Explanation: NIST Special Publication 800-207, 'Zero Trust Architecture' (August 2020), is the canonical reference for Zero Trust. It defines the core tenets — verify explicitly, use least-privilege access, and assume breach — that ZTNA products like Sophos ZTNA implement.

2. Which statement best describes the fundamental access difference between a traditional VPN and Sophos ZTNA?
A. VPNs encrypt traffic, while ZTNA never encrypts traffic
B. VPNs grant broad network access, while ZTNA grants per-application access tied to identity and device health
C. VPNs require an agent, while ZTNA never uses an agent
D. VPNs work over public networks, while ZTNA only works on internal LANs
Explanation: Traditional VPNs place the user on the corporate network with broad layer-3 access once authenticated. Sophos ZTNA, following Zero Trust principles, grants access per application based on identity, group, and device health — the user never has full network reachability.

3. Which three components make up the Sophos ZTNA architecture?
A. Sophos Firewall, Intercept X, Sophos Email
B. Sophos Central, ZTNA Gateway, ZTNA Agent
C. Sophos Mobile, Sophos Wireless, Sophos Cloud Optix
D. Sophos Connect, Sophos SD-WAN, Sophos AP
Explanation: Sophos ZTNA is built on three components: Sophos Central (cloud management plane), the ZTNA Gateway (broker that fronts protected applications), and the ZTNA Agent (endpoint software that creates the device-to-gateway tunnel and reports device health).

4. Which Zero Trust tenet from NIST 800-207 means that no user, device, or workload is trusted by default — every access request must be authenticated and authorized?
A. Verify explicitly
B. Trust but verify
C. Defense in depth
D. Air-gap by default
Explanation: 'Verify explicitly' is the first NIST 800-207 tenet — every access decision must be authenticated and authorized using all available signals (identity, device health, location, time). It replaces the legacy 'trust the network' assumption.

5. Sophos ZTNA is described as a 'cloud-delivered' service. What does that mean for the management plane?
A. All endpoint traffic is decrypted in the Sophos cloud
B. Configuration, policies, and logs are managed centrally through Sophos Central
C. Customer applications must be hosted in AWS or Azure
D. The gateway must run on a Sophos-owned datacenter
Explanation: 'Cloud-delivered' refers to the management and policy plane: Sophos Central is the cloud SaaS console where admins define applications, identity providers, and access policies. The gateway and applications can still live on-prem or in any cloud.

6. In Sophos ZTNA, which component performs the actual brokering of user traffic to a protected application?
A. Sophos Central
B. ZTNA Gateway
C. ZTNA Agent
D. Identity Provider
Explanation: The ZTNA Gateway sits in front of protected applications and brokers connections from authenticated agents (or browsers) to the application. Sophos Central handles policy and configuration, but the data path goes through the gateway.

7. Which Zero Trust principle most directly explains why a Sophos ZTNA policy grants a user access to only one specific application rather than the whole network?
A. Assume breach
B. Defense in depth
C. Least-privilege access
D. Implicit trust
Explanation: Least-privilege access — a core NIST 800-207 tenet — dictates that users get only the minimum access needed to do their job. Per-application access in ZTNA is the practical implementation of this principle, eliminating broad network reachability.

8. A traditional remote-access VPN is sometimes described as a 'castle-and-moat' security model. What is the primary weakness of that model that ZTNA addresses?
A. VPNs cannot encrypt UDP traffic
B. Once inside the perimeter, an attacker has broad lateral access
C. VPN clients cannot run on Linux
D. VPN tunnels expire after 24 hours
Explanation: Castle-and-moat assumes attackers stay outside the perimeter. Once a credential is compromised and a VPN tunnel is established, the attacker has broad layer-3 access and can move laterally. ZTNA replaces network-level trust with per-application authorization tied to identity and device posture.

9. In Sophos ZTNA, identity-driven access means access decisions are based primarily on which factor?
A. The IP address of the source endpoint
B. The user's identity and group, plus device posture, evaluated per application
C. The time of day only
D. Whether the endpoint is on-LAN or off-LAN
Explanation: Sophos ZTNA evaluates each access request against the authenticated user identity and group from the IdP, the device's health and posture, and any contextual conditions — independent of the source IP or whether the user is on-LAN.

10. What is 'micro-segmentation' in the context of Zero Trust, and how does Sophos ZTNA implement it?
A. Splitting users into small Active Directory groups; ZTNA does this via SAML claims
B. Logically isolating workloads/applications so each requires its own access decision; ZTNA does this by exposing each app individually behind the gateway
C. Splitting network bandwidth into reserved channels; ZTNA does this via QoS
D. Encrypting each packet with a different key; ZTNA does this with rolling AES keys
Explanation: Micro-segmentation logically isolates each application or workload so that access requires a separate, identity-aware authorization decision. Sophos ZTNA implements this by publishing each application individually through the gateway with its own policy.

About the Sophos ZTNA Engineer Exam

The Sophos ZTNA Course Assessment (sometimes referenced as Z15 or Sophos ZTNA Certified Engineer) is the end-of-course evaluation for Sophos's intermediate Zero Trust Network Access training. It validates engineer-level understanding of NIST 800-207 Zero Trust principles, the Sophos ZTNA architecture (Sophos Central management, ZTNA Gateway, ZTNA Agent), gateway deployment on VMware/Hyper-V/AWS/Sophos Firewall with HA and sizing, SAML identity provider integration with Microsoft Entra ID and Okta, application and policy configuration including Synchronized Security with Intercept X, agent install for Windows and macOS, agentless web access, and monitoring/troubleshooting via Sophos Central. The course is approximately 2 hours 45 minutes and is free for Sophos partners through the enablement track.

  • Assessment: 30 multiple-choice questions covering Zero Trust principles, Sophos ZTNA architecture, gateway deployment, identity provider integration, application and policy configuration, agent connection flow, and monitoring/troubleshooting
  • Time Limit: 45 minutes
  • Passing Score: 80%
  • Exam Fee: Free with course (partner enablement) (Sophos / NetExam Training Portal)

Sophos ZTNA Engineer Exam Content Outline

  • ZTNA Concepts & Architecture (20%): NIST 800-207 Zero Trust principles (verify explicitly, least privilege, assume breach), ZTNA vs traditional VPN benefits (no broad network access, app-level access, identity-driven), Sophos ZTNA cloud-delivered architecture (Sophos Central, ZTNA Gateway, ZTNA Agent), micro-segmentation, dark-cloud application access
  • Deployment & Gateways (20%): ZTNA Gateway deployment options (VMware ESXi 6.5+, Hyper-V 2016+, AWS, Sophos Firewall v19.5 MR3+/v20+), recommended sizing 2 vCPU / 4 GB RAM / 80 GB SSD per ~10,000 agents, clustering up to 9 nodes / ~90,000 agents, one-arm vs two-arm deployment, UTC time, public DNS A records, wildcard certificates (RSA 2048+ or ECDSA, Let's Encrypt or BYO), TCP/443 reachability
  • Identity Provider Integration (15%): Microsoft Entra ID (Azure AD), Okta, on-prem Active Directory via Entra Connect federation, SAML 2.0 metadata exchange (entity ID, sign-in URL, ACS URL, signing certificate), Conditional Access alignment for MFA and compliant device, Sophos ID admin accounts, group-based authorization
  • Application & Policy Configuration (20%): Application types (web HTTP/HTTPS, TCP non-web like RDP/SSH/SQL/SMB, UDP), public alias FQDN, access policies with user/group subjects, MFA enforcement via IdP Conditional Access, Synchronized Security with Intercept X red/yellow/green Heartbeat, per-application enforcement, evaluation order (first-match with implicit deny)
  • Endpoint Agent & Connection Flow (10%): Sophos ZTNA Agent install (Windows 10 1803+ MSI, macOS Big Sur 11+/Monterey 12+ PKG, deployed via Intune/Jamf/SCCM), agentless web browser access for HTTP/HTTPS, DNS interception for app FQDNs, outbound TLS to gateway public hostname, traffic flow agent → gateway → application, Synchronized Security with Intercept X
  • Monitoring & Troubleshooting (15%): Sophos Central ZTNA dashboard (alerts, top apps by data), event logs and reports, agent connectivity tests, policy mismatch diagnostics, gateway health monitoring, wildcard certificate renewal (Let's Encrypt 90-day), IdP sign-in log correlation (Entra ID Sign-ins, Okta System Log), TLS/clock-skew issues

How to Pass the Sophos ZTNA Engineer Exam

What You Need to Know

  • Passing score: 80%
  • Assessment: 30 multiple-choice questions covering Zero Trust principles, Sophos ZTNA architecture, gateway deployment, identity provider integration, application and policy configuration, agent connection flow, and monitoring/troubleshooting
  • Time limit: 45 minutes
  • Exam fee: Free with course (partner enablement)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Sophos ZTNA Engineer Study Tips from Top Performers

1. Memorize the three NIST 800-207 Zero Trust tenets — verify explicitly, least-privilege access, and assume breach — and how Sophos ZTNA implements each
2. Know the three Sophos ZTNA components by heart: Sophos Central (management), ZTNA Gateway (broker), ZTNA Agent (endpoint) — and which gateway hosts are supported (ESXi 6.5+, Hyper-V 2016+, AWS, Sophos Firewall v19.5 MR3+/v20+)
3. Memorize the gateway sizing — 2 vCPU / 4 GB RAM / 80 GB SSD per ~10,000 agents, clusterable up to 9 nodes / ~90,000 agents — and the UTC time-zone requirement
4. Practice the SAML federation flow with Entra ID and Okta: metadata exchange, ACS URL, group claims, and how Conditional Access enforces MFA and compliant device at the IdP
5. Understand application types (web HTTP/HTTPS, TCP non-web, UDP) and that agentless access is web-only — RDP, SSH, and other TCP/UDP flows require the agent
6. Master Synchronized Security health gates — red Heartbeat blocks; green is required by sensitive-app policies — and the typical troubleshooting path: agent UI → connectivity test → Central logs → IdP sign-ins → gateway health

Frequently Asked Questions

What is the Sophos ZTNA Engineer / ZTNA Course Assessment exam?

It is the end-of-course assessment for Sophos's Zero Trust Network Access (ZTNA) training, sometimes referenced as Z15. It validates engineer-level knowledge of Sophos ZTNA architecture (Sophos Central, ZTNA Gateway, ZTNA Agent), gateway deployment on VMware/Hyper-V/AWS/Sophos Firewall, SAML integration with Entra ID and Okta, application and policy configuration with Synchronized Security, agent install, and monitoring/troubleshooting.

How many questions are on the Sophos ZTNA assessment and what is the passing score?

The assessment is approximately 30 multiple-choice questions with a 45-minute time limit and an 80% passing score. It is delivered online via the Sophos Training Portal (NetExam) at the end of the ZTNA course.

Is this a full standalone certification or a course assessment?

Practically, treat the Sophos ZTNA Engineer / Z15 as a course assessment bundled with the intermediate ZTNA training (~2h45m) rather than a standalone Engineer-level certification on the scale of Sophos Firewall Engineer. It is most useful for Sophos partners and engineers actively deploying Sophos ZTNA and who want recorded enablement credit.

How much does the Sophos ZTNA assessment cost?

The course and its end-of-course assessment are typically free for Sophos partners through the partner enablement track on the Sophos Training Portal. Confirm current availability at training.sophos.com.

What identity providers does Sophos ZTNA support?

Sophos ZTNA officially supports Microsoft Entra ID (Azure AD), Okta, and on-prem Active Directory (typically synchronized to Entra ID via Entra Connect for federation). Integration uses SAML 2.0. MFA is delivered by the IdP, often via Entra ID Conditional Access or Okta sign-on policies.

What is the recommended gateway sizing?

Sophos documents 2 vCPU and 4 GB RAM with 80 GB SSD as the recommended VM sizing for a ZTNA Gateway, supporting up to about 10,000 concurrent agent connections per node. You can cluster up to 9 nodes for roughly 90,000 connections.

How does Synchronized Security influence ZTNA access?

Sophos Intercept X reports a Heartbeat health state (green/yellow/red) for each endpoint. ZTNA policies can require green health to grant access to a sensitive application — a red Heartbeat (active compromise) can immediately block access. This is a core differentiator over generic ZTNA solutions.