my test

Description:
Aleatory test

Creation Date: 2025/09/15

Category: Others

Number of questions: 47

Refer to the exhibit, which contains a session diagnostic output. Which statement is true about the session diagnostic output?
- The session is a UDP unidirectional state.
- The session is in TCP ESTABLISHED state.
- The session is a bidirectional UDP connection.
- The session is a bidirectional TCP connection.

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)
- Heartbeat interfaces have virtual IP addresses that are manually assigned.
- A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
- Virtual IP addresses are used to distinguish between cluster members.
- The primary device in the cluster is always assigned IP address 169.254.0.1.

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?
- DNS-based web filter and proxy-based web filter.
- Static URL filter, FortiGuard category filter, and advanced filters.
- Static domain filter, SSL inspection filter, and external connectors filters.
- FortiGuard category filter and rating filter.

If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?
- IP address.
- Once Internet Service is selected, no other object can be added.
- User or User Group.
- FQDN address.

Which statement about the IP authentication header (AH) used by IPsec is true?
- AH does not provide any data integrity or encryption.
- AH does not support perfect forward secrecy.
- AH provides data integrity but no encryption.
- AH provides strong data integrity but weak encryption.

When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices?
- Log ID.
- Universally Unique Identifier.
- Policy ID.
- Sequence ID.

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)
- The firmware image must be manually uploaded to each FortiGate.
- Only secondary FortiGate devices are rebooted.
- Uninterruptible upgrade is enabled by default.
- Traffic load balancing is temporarily disabled while upgrading the firmware.

Which two statements are true about the Security Fabric rating? (Choose two.)
- It provides executive summaries of the four largest areas of security focus.
- Many of the security issues can be fixed immediately by clicking Apply where available.
- The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.
- The Security Fabric rating is a free service that comes bundled with all FortiGate devices.

An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?
- Configure Source IP Pools.
- Configure split tunneling in tunnel mode.
- Configure different SSL VPN realms.
- Configure host check.

Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?
- The public key of the web server certificate must be installed on the browser.
- The web-server certificate must be installed on the browser.
- The CA certificate that signed the web-server certificate must be installed on the browser.
- The private key of the CA certificate that signed the browser certificate must be installed on the.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match. Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes will bring phase 1 up? (Choose two.)
- On HQ-FortiGate, set IKE mode to Main (ID protection).
- On both FortiGate devices, set Dead Peer Detection to On Demand.
- On HQ-FortiGate, disable Diffie-Hellman group 2.
- On Remote-FortiGate, set port2 as Interface.

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)
- Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
- Create a new service object for HTTP service and set the session TTL to never.
- Set the TTL value to never under config system-ttl.
- Set the session TTL on the HTTP policy to maximum.

A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?
- Implement a web filter category override for the specified website.
- Implement a DNS filter for the specified website.
- Implement web filter quotas for the specified website.
- Implement web filter authentication for the specified website.

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors. What is the reason for the certificate warning errors?
- The browser requires a software update.
- FortiGate does not support full SSL inspection when web filtering is enabled.
- The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.
- There are network connectivity issues.

Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?
- Subject Key Identifier value.
- SMIME Capabilities value.
- Subject value.
- Subject Alternative Name value.

Which two statements are true about the RPF check? (Choose two.)
- The RPF check is run on the first sent packet of any new session.
- The RPF check is run on the first reply packet of any new session.
- The RPF check is run on the first sent and reply packet of any new session.
- RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks.

Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)
- DNS.
- ping.
- udp-echo.
- TWAMP.

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?
- The administrator can register the same FortiToken on more than one FortiGate.
- The administrator must use a FortiAuthenticator device.
- The administrator can use a third-party RADIUS OTP server.
- The administrator must use the user self-registration server.

Which two statements are true when FortiGate is in transparent mode? (Choose two.)
- By default, all interfaces are part of the same broadcast domain.
- The existing network IP schema must be changed when installing a transparent mode.
- Static routes are required to allow traffic to the next hop.
- FortiGate forwards frames without changing the MAC address.

Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three.)
- diagnose sys top.
- execute ping.
- execute traceroute.
- diagnose sniffer packet any.
- get system arp.

Examine this PAC file configuration. Which of the following statements are true? (Choose two.)
- Browsers can be configured to retrieve this PAC file from the FortiGate.
- Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
- All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com:8060.
- Any web request to fortinet.com is allowed to bypass the proxy.

If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?
- A CRL.
- A person.
- A subordinate CA.
- A root CA.

Which three statements are true regarding session-based authentication? (Choose three.)
- HTTP sessions are treated as a single user.
- IP sessions from the same source IP address are treated as a single user.
- It can differentiate among multiple clients behind the same source IP address.
- It requires more resources.
- It is not recommended if multiple users are behind the source NAT.

Which statement regarding the firewall policy authentication timeout is true?
- It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP.
- It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired.
- It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC.
- It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.

Which statement is true about SSL VPN web mode?
- The tunnel is up while the client is connected.
- It supports a limited number of protocols.
- The external network application sends data through the VPN.
- It assigns a virtual IP address to the client.

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?
- Full Content inspection.
- Proxy-based inspection.
- Certificate inspection.
- Flow-based inspection.

Which of the following are valid actions for FortiGuard category based filter in a web filter profile in proxy-based inspection mode? (Choose two.)
- Warning.
- Exempt.
- Allow.
- Learn.

Which two types of traffic are managed only by the management VDOM? (Choose two.)
- FortiGuard web filter queries.
- PKI.
- Traffic shaping.
- DNS.

Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal?
- By default, FortiGate uses WINS servers to resolve names.
- By default, the SSL VPN portal requires the installation of a client's certificate.
- By default, split tunneling is enabled.
- By default, the admin GUI and SSL VPN portal use the same HTTPS port.

Refer to the exhibits. The exhibits show the firewall policies and the objects used in the firewall policies. The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit. Which policy will be highlighted, based on the input criteria?
- Policy with ID 4.
- Policy with ID 5.
- Policies with ID 2 and 3.
- Policy with ID 4.

Which statement correctly describes the use of reliable logging on FortiGate?
- Reliable logging is enabled by default in all configuration scenarios.
- Reliable logging is required to encrypt the transmission of logs.
- Reliable logging can be configured only using the CLI.
- Reliable logging prevents the loss of logs when the local disk is full.

Refer to the exhibit. The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router. When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output. Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?
- Configure a loopback interface with address 203.0.113.2/32.
- In the VIP configuration, enable arp-reply.
- Enable port forwarding on the server to map the external service port to the internal service port.
- In the firewall policy configuration, enable match-vip.

What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)
- FortiGate uses fewer resources.
- FortiGate performs a more exhaustive inspection on traffic.
- FortiGate adds less latency to traffic.
- FortiGate allocates two sessions per connection.

Refer to exhibit. An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page. Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?
- On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking.
- On the Static URL Filter configuration, set Type to Simple.
- On the Static URL Filter configuration, set Action to Exempt.
- On the Static URL Filter configuration, set Action to Monitor.

What are two functions of ZTNA? (Choose two.)
- ZTNA manages access through the client only.
- ZTNA manages access for remote users only.
- ZTNA provides a security posture check.
- ZTNA provides role-based access.

Which timeout setting can be responsible for deleting SSL VPN associated sessions?
- SSL VPN idle-timeout.
- SSL VPN http-request-body-timeout.
- SSL VPN login-timeout.
- SSL VPN dtls-hello-timeout.

Which statement is correct regarding the use of application control for inspecting web applications?
- Application control can identify child and parent applications, and perform different actions on them.
- Application control signatures are organized in a nonhierarchical structure.
- Application control does not require SSL inspection to identify web applications.
- Application control does not display a replacement message for a blocked web application.

Refer to the exhibits. Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command. Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)
- For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
- The traffic sourced from the client and destined to the server is sent to FGT-1.
- The cluster can load balance ICMP connections to the secondary.
- For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Refer to the exhibit. Based on the ZTNA tag, the security posture of the remote endpoint has changed. What will happen to endpoint active ZTNA sessions?
- They will be re-evaluated to match the endpoint policy.
- They will be re-evaluated to match the firewall policy.
- They will be re-evaluated to match the ZTNA policy.
- They will be re-evaluated to match the security policy.

Refer to the exhibit. The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device. Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)
- FortiGate allocates port blocks per user, based on the configured range of internal IP addresses.
- FortiGate allocates port blocks on a first-come, first-served basis.
- FortiGate generates a system event log for every port block allocation made per user.
- FortiGate allocates 128 port blocks per user.

Which statement about video filtering on FortiGate is true?
- Video filtering FortiGuard categories are based on web filter FortiGuard categories.
- It does not require a separate FortiGuard license.
- Full SSL inspection is not required.
- It is available only on a proxy-based firewall policy.

Which statement describes a characteristic of automation stitches?
- They can have one or more triggers.
- They can be run only on devices in the Security Fabric.
- They can run multiple actions simultaneously.
- They can be created on any device in the fabric.

Refer to the exhibits. Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24. If the host 10.200.3.1 sends a TCP SYN packet on port 10443 to 10.200.1.10, what will the source address, destination address, and destination port of the packet be, after FortiGate forwards the packet to the destination?
- 10.0.1.254, 10.0.1.10, and 443, respectively.
- 10.0.1.254, 10.0.1.10, and 10443, respectively.
- 10.200.3.1, 10.0.1.10, and 443, respectively.

Refer to the exhibit. The exhibit shows the output of a diagnose command. What does the output reveal about the policy route?
- It is an ISDB route in policy route.
- It is a regular policy route.
- It is an ISDB policy route with an SDWAN rule.
- It is an SDWAN rule in policy route.

Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up. Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?
- On Remote-FortiGate, set Seconds to 43200.
- On HQ-FortiGate, set Encryption to AES256.
- On HQ-FortiGate, enable Diffie-Hellman Group 2.
- On HQ-FortiGate, enable Auto-negotiate.

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings. What is true about the DNS connection to a FortiGuard server?
- It uses UDP 8888.
- It uses UDP 53.
- It uses DNS over HTTPS.
- It uses DNS over TLS.

Which three methods are used by the collector agent for AD polling? (Choose three.)
- FortiGate polling.
- NetAPI.
- Novell API.
- WMI.
- WinSecLog.
