Title of test: efw76

1) You must minimize CPU and RAM use on a FortiGate firewall while also enabling essential security features, such as web filtering and application control for HTTPS traffic. Which SSL inspection setting reduces system load while also enabling security features, such as web filtering and application control, for encrypted HTTPS traffic?
   a. Enable SSL certificate inspection mode to perform basic checks without decrypting traffic.
   b. Disable SSL inspection to preserve resources.
   c. Use deep SSL inspection to inspect encrypted HTTPS traffic.
   d. Configure SSL inspection to handle HTTPS traffic efficiently.

2) The configuration of a Windows PC, PC1, with a default MTU of 1500 bytes, FortiGate interfaces with an MTU of 1000 bytes, and the results of PC1 pinging server 172.16.0.251 are shown. Why is the PC1 user unable to ping server 172.16.0.254 and seeing the message "Packet needs to be fragmented but DF set"?
   a. The user must adjust the TCP maximum segment size (MSS) to 1000 for the ping to succeed.
   b. The ip.flags.mf option must be enabled on FortiGate.
   c. The user must adjust the ping MTU to 1000 to succeed.
   d. The user must account for the size of the Ethernet header when configuring the MTU value.
   e. FortiGate honors the do-not-fragment bit and the packets are dropped.
   f. The user must adjust the ping MTU to 972 to succeed.

3) Refer to the exhibit. An enterprise network connected to an ISP is shown. You must configure a loopback as a BGP source to connect to the ISP. Which two commands must you use to establish the connection? (Choose two.)
   a. ibgp-enforce-multihop
   b. ebgp-enforce-multihop
   c. recursive-next-hop
   d. update-source

4) Refer to the exhibit. A network topology and a FortiGate routing table are shown. What must you configure in the BGP section to add only the subnet 100.64.2.0/24 to the routing table of FortiGate_A?
   a. Configure route-map-in on FortiGate_A.
   b. Configure connected routes redistribution on FortiGate_C.
   c. Configure BGP route redistribution on FortiGate_B.
   d. Configure the 100.64.2.0/24 network on FortiGate_C.

5) Refer to the exhibit. An HA configuration of an active-active (A-A) cluster with the same HA uptime is shown. You want HQ-NGFW-2 to handle the Core2 VDOM traffic. Which modification must you make to achieve this outcome?
   a. Enable override in virtual cluster 2 for HQ-NGFW-2.
   b. Change the priority from 120 to 200 for HQ-NGFW-2.
   c. Change the priority from 100 to 160 for HQ-NGFW-2.
   d. Reboot HQ-NGFW-2.

6) You receive a FortiAnalyzer alert warning that a 1 TB disk filled up in a day. Upon investigation, you find thousands of unusual DNS log requests, such as JHCMQK.website.com, with no answers. You later discover that DNS exfiltration is occurring through both UDP and TLS. How can you prevent this data theft technique?
   a. Use a file filter profile to protect against DNS exfiltration.
   b. Use an intrusion prevention system (IPS) profile and DNS exfiltration-related signatures.
   c. Enable DNS filter to protect against DNS exfiltration.
   d. Enable data loss prevention (DLP) to prevent DNS exfiltration.

7) Refer to the exhibit. Based on the exhibit, what is the first message that Spoke 1 sends to the hub, instructing it to bring up the dynamic tunnel, if a client generates traffic destined to Spoke 2?
   a. Shortcut query.
   b. Shortcut forward.
   c. Shortcut offer.
   d. Shortcut reply.

8) Refer to the exhibit. A network diagram with a hub and spokes deployment is shown. You must deploy several spokes, including the BGP configuration for the spokes that connect to the hub. Which two commands would you use to minimize the amount of configuration needed on the hub? (Choose two.)
   a. ebgp-multipath
   b. route-overlap
   c. neighbor-range
   d. neighbor-group

9) Refer to the exhibit. The VDOM configuration on a FortiGate device is shown. You discover that web filtering stopped working in Core1 and Core2 after a maintenance window. What are two reasons why web filtering stopped working? (Choose two.)
   a. The root VDOM does not use a VDOM link to connect with the Core1 and Core2 VDOMs.
   b. The root VDOM does not have access to any valid, public Fortinet Distribution Network (FDN).
   c. The root VDOM does not have access to FortiManager in a closed network.
   d. The Core1 and Core2 VDOMs must also be enabled as management VDOMs to receive FortiGuard updates.

10) Refer to the exhibit. An OSPF network is shown. Which configuration must you apply to optimize the OSPF database?
   a. Set the area 0.0.0.1 to the type Stub in the area border FortiGate.
   b. Set a route map in the autonomous system boundary FortiGate.
   c. Set the area 0.0.0.1 to the type NSSA in the area border FortiGate.
   d. Set a prefix list in the autonomous system boundary FortiGate.

11) Refer to the exhibits. The system administrator settings configured on a root FortiGate and the Security Fabric settings configured on a downstream FortiGate are shown. When prompted to sign in with Security Fabric to the downstream FortiGate, a user enters the single sign-on (SSO) provider credentials. What happens next for the user?
   a. The user is redirected to the root FortiGate.
   b. The user accesses the downstream FortiGate with super_admin_readonly privileges.
   c. The user accesses the root FortiGate with AdminSSO privileges.
   d. The user receives an authentication failure message.

12) Refer to the exhibit. The ADVPN IPsec interface represents the VPN IPsec phase 1 from Hub A to Spoke 1 and Spoke 2, and from Hub B to Spoke 3 and Spoke 4. You must configure an ADVPN using IBGP and EBGP to connect Overlay 1 with Overlay 2. Which parameters must you configure in the phase 1 VPN IPsec configuration of the ADVPN tunnels?
   a. set auto-discovery-forwarder enable and set remote-as x
   b. set auto-discovery-crossover enable and set enforce-multihop enable
   c. set auto-discovery-sender enable and set network-id x
   d. set auto-discovery-receiver enable and set remote-ip x

13) Refer to the exhibit. The partial output of an OSPF command is shown. While checking the OSPF status of FortiGate, you receive the output shown in the exhibit. Based on the output, which two statements about FortiGate are correct? (Choose two.)
   a. FortiGate injects external routing information.
   b. FortiGate is a backup designated router.
   c. FortiGate is connected to multiple areas.
   d. FortiGate has OSPF ECMP enabled.

14) Refer to the exhibit, which contains the partial output of an OSPF command. An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit. Which statement about this FortiGate device is correct?
   a. The FortiGate device can inject external routing information.
   b. The FortiGate device is in the area 0.0.0.5.
   c. The FortiGate device does not support OSPF ECMP.
   d. The FortiGate device is a backup designated router.

15) Refer to the exhibit. You are deploying a hub and spokes network and using OSPF as a dynamic protocol. Which configuration is recommended for neighbor adjacency through the hub?
   a. Set virtual-link enable in the OSPF configuration.
   b. Set rfc1583-compatible enable in the router configuration.
   c. Set network-type point-to-multipoint on the hub interface.
   d. Set route-reflector-client enable in the router configuration.

16) Refer to the exhibit. A network diagram showing the corporate network and a new remote office network is shown. You must integrate the new remote office network with the corporate enterprise network. What must you do to allow routing between the two networks?
   a. Implement BGP to inject the new remote office network into the corporate FortiGate device.
   b. Add the network 192.168.1.0/24 in the OSPF section on the corporate FortiGate device.
   c. Implement OSPF over IPsec on both FortiGate devices.
   d. Configure virtual links on both FortiGate devices.

17) Refer to the exhibit. The packet capture output of a client hello message is shown. You are updating a firewall policy that includes SSL certificate inspection. You are capturing packets from the traffic passing through this firewall policy. Which two statements about the packet capture are correct? (Choose two.)
   a. You can effectively apply an antivirus security profile to this traffic.
   b. You can effectively apply a web filtering profile to this traffic.
   c. The subject alternative name (SAN) is necessary to apply security profiles.
   d. The client supports only TLS versions 1.2 and 1.3.

18) Refer to the exhibit. The status of a new BGP configuration on FortiGate is shown. Based on the output shown in the exhibit, which configuration should you consider next?
   a. Contact the remote peer administrator to enable BGP.
   b. Configure a static route to 100.65.4.1.
   c. Enable ebgp-multipath.
   d. Enable ebgp-enforce-multihop.

19) Refer to the exhibits. The ADVPN network topology and partial BGP configuration are shown. Which two parameters must you configure in the config neighbor-range section for the spokes shown in the exhibit? (Choose two.)
   a. set prefix 10.0.12.0 255.255.255.0
   b. set route-reflector-client enable
   c. set neighbor-group advpn
   d. set prefix 172.16.1.0 255.255.255.0

20) Refer to the exhibit. A partial VPN configuration is shown. Which statement about this VPN IPsec phase 1 configuration is correct?
   a. FortiGate will not add a route to its routing information base (RIB) or forwarding information base (FIB) when the dynamic tunnel is negotiated.
   b. This configuration must include certificates associated with peer IDs to enhance security.
   c. A separate interface is created for each dial-up tunnel, which can be slower and more resource intensive, especially in large networks.
   d. This configuration is the best for networks with regular traffic intervals, providing a balance between connectivity assurance and resource utilization.

21) A revision history window at the FortiManager device layer is shown. The IT team is trying to identify the administrator responsible for the most recent update to the FortiGate device database. What can the IT team conclude?
   a. The user script_manager, an API user from the Fortinet Developer Network (FDN), is retrieving a configuration.
   b. The retrieve process was automatically triggered by a Remote FortiGate Directly (via CLI) script.
   c. To identify the user who created the event, in the FortiManager system logs, they must use the type=script filter in the user field.
   d. To identify the user who created the event, they must view it on the Configuration and Installation widget on FortiGate at the FortiManager device layer.

22) Refer to the exhibit. A normalized interface LAN on FortiManager is shown. Which two statements about this interface configuration are correct? (Choose two.)
   a. The normalized interface LAN will be mapped to the private interface for FortiGate-VM64 model devices.
   b. The normalized interface LAN will be mapped to the wireless interface for FortiGate-81E model devices.
   c. The normalized interface LAN will be mapped to the port2 interface for NGFW-1 [Core2].
   d. The normalized interface LAN will be mapped to the Human Resources interface for any FortiGate-40F model devices.

23) Refer to the exhibits. A policy package conflict status and information from the import device wizard in the Core1 VDOM are shown. When you import a policy package, the following message appears for the Web_restrictions web filter profile and the deep-inspection SSL/SSH profile: "The following objects were found having conflicts. Please confirm your settings, then continue." The Web_restrictions and deep-inspection profiles are used by other FortiGate devices within FortiManager. Which step must you take to resolve the issue?
   a. Create uniquely named objects on FortiGate and reimport them into the policy package.
   b. Retrieve the FortiGate configuration to automatically export correct objects and policies.
   c. Use non-default object values because FortiManager is unable to alter default values.
   d. Select the FortiManager configuration that accepts changes on FortiManager and preserves existing configurations on FortiGate devices.

24) Refer to the exhibit. A physical topology along with a traffic log is shown. You are using FortiAnalyzer to monitor traffic from the device with IP address 10.0.2.51, which is located behind the FortiGate internal segmentation firewall (ISFW) device. Unified threat management (UTM) is not enabled in the firewall policy on the HQ-ISFW device, and you are surprised to see a log with the action Malware, as shown in the exhibit. What are two reasons why FortiAnalyzer would display this log? (Choose two.)
   a. Security rating is enabled in HQ-ISFW.
   b. UTM is enabled in the firewall policy in HQ-NGFW-1.
   c. HQ-ISFW is in a Security Fabric environment.
   d. HQ-ISFW is not connected to FortiAnalyzer and traffic must go through HQ-NGFW-1.

25) You are checking an enterprise network and see a suspicious packet with the MAC address 00:09:0f:09:18:81. Which two statements about the suspicious packet are correct? (Choose two.)
   a. The suspicious packet is related to a cluster with a group-id value lower than 255.
   b. The suspicious packet corresponds to a port with a physical index equal to 2.
   c. The suspicious packet is related to a cluster that has VDOMs enabled.
   d. The suspicious packet is related to a cluster configured with the FortiGate Session Life Support Protocol (FGSP).

26) In a transparent VDOM interface, what does the command set forward-domain <domain_ID> do?
   a. It allows the interface to access the configured admin domain.
   b. It restricts the interface to managing traffic from only the specified VLAN, effectively segregating network traffic.
   c. It isolates traffic within a specific VLAN by assigning a broadcast domain to an interface based on the VLAN ID.
   d. It assigns a unique domain ID to the interface, allowing it to operate across multiple VLANs within the same VDOM.

27) Which action can you take on FortiGate to block traffic using intrusion prevention system (IPS) protocol decoders, focusing on network transmission patterns and application signatures?
   a. Enable inspect all ports in flow mode.
   b. Use application control to limit non-URL-based software handling.
   c. Enable application detection-based SD-WAN rules.
   d. Use the DNS filter to block application signatures and protocol decoders.

28) During the last network migration, the IT department discovered that all-zero phase 2 selectors in IPsec configurations impact network operations. What are two valid recommendations to prevent potential invalid paths during future migrations? (Choose two.)
   a. Configure an IP address on the IPsec interface of each firewall to establish unique peer connections and avoid impacting network operations.
   b. Configure the VPN with the exact segments that will be encrypted in the phase 2 selectors.
   c. Configure an IPsec aggregate to create redundancy between each firewall peer.
   d. Configure routing protocols to specify allowed subnets over the tunnel.

29) You need an internal segmentation firewall (ISFW) FortiGate for a campus with an ultra-low latency interface. Which FortiGate should you select?
   a. FortiGate with ports X5 to X8.
   b. FortiGate with only one NP6.
   c. FortiGate with ports connected to a CP10.
   d. FortiGate with ports connected to an SP5.

30) A vulnerability scan report has revealed that a user has generated traffic to the website example.com using a weak SSL/TLS version supported by the HTTPS web server. What can you do to block all outdated SSL/TLS versions on any HTTPS web server to prevent possible attacks on user traffic?
   a. Enable server certificate SNI check in the SSL/SSH inspection profile.
   b. Enable auto-detection of outdated SSL/TLS versions in the SSL/SSH inspection profile to block vulnerable websites.
   c. Block invalid SSL certificates in the SSL/SSH inspection profile.
   d. Configure the unsupported SSL version and set the minimum allowed SSL version in the HTTPS settings of the SSL/SSH inspection profile.

31) You are setting up an ADVPN configuration and want to ensure that peer IDs are not exposed during VPN establishment. Which protocol can you use to enhance security?
   a. Use SSL VPN tunnel mode with certificates.
   b. Use IKEv2, which encrypts peer IDs and prevents exposure.
   c. Use IKEv1 aggressive mode with certificates.
   d. Use IKEv1 main mode with an AES-GCM security proposal.

32) An administrator is setting up an ADVPN configuration and wants to ensure that peer IDs are not exposed during VPN establishment. Which protocol can the administrator use to enhance security?
   a. Use IKEv2, which encrypts peer IDs and prevents exposure.
   b. Opt for SSL VPN web mode because it does not use peer IDs at all.
   c. Choose IKEv1 aggressive mode because it simplifies peer identification.
   d. Stick with IKEv1 main mode because it offers better performance.

33) To secure your enterprise network traffic, which step does FortiGate perform first when handling the first packets of a session?
   a. Decryption.
   b. Installation of the session key in the network processor (NP).
   c. A reverse path forwarding (RPF) check.
   d. IP integrity header checking.

34) You must update a firewall policy to block multiple websites within the subnet 172.165.58.0/24. What must you do to block these addresses efficiently?
   a. Create an application sensor and apply the application control profile to the firewall policy.
   b. Create a URL filter and apply the web filter profile to the firewall policy.
   c. Create an IP address external connector and apply it to the destination field of the firewall policy.
   d. Create an Internet Service Database (ISDB) group and apply it to the destination field of the firewall policy.

35) If you implement IKEv2 in a VPN topology, which two statements are true? (Choose two.)
   a. Unlike IKEv1, it supports mode config.
   b. It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.
   c. It supports the Extensible Authentication Protocol (EAP).
   d. It exchanges a minimum of two messages to establish a secure tunnel.

36) You need to install a new intrusion prevention system (IPS) profile without triggering false positives that can impact applications and disrupt normal traffic flow. How can you prevent false positives in IPS analysis?
   a. Use an IPS profile with action default and analyze the applications.
   b. Use the IPS profile extension to select an OS, protocol, and application for all the network internal services and users to prevent false positives.
   c. Use an IPS profile with Scan Outgoing Connections to block botnets, which can create false positives.
   d. Use an IPS profile with action monitor; however, you must be aware that this can compromise network integrity.

37) During the maintenance window, you must sniff all the traffic going through a specific firewall policy, which is handled by NP6 interfaces. The output of the sniffer trace provides just a few packets. Why is the output of the sniffer trace limited?
   a. auto-asic-offload is set to enable in the firewall policy.
   b. The option npudbg is not added in the diagnose sniffer packet command.
   c. This is an ultra-low latency interface.
   d. inspection-mode is set to proxy in the firewall policy.

38) During the maintenance window, an administrator must sniff all the traffic going through a specific firewall policy, which is handled by NP6 interfaces. The output of the sniffer trace provides just a few packets. Why is the output of the sniffer trace limited?
   a. The traffic corresponding to the firewall policy is encrypted.
   b. auto-asic-offload is set to enable in the firewall policy.
   c. inspection-mode is set to proxy in the firewall policy.
   d. The option npudbg is not added in the diagnose sniffer packet command.

39) You must use FortiManager to standardize the deployment of same-model FortiGate devices across branches with consistent interface roles and policy packages. In this scenario, what is the recommended best practice for interface assignment?
   a. Create normalized interface types per platform, to automatically recognize device layer interfaces based on the FortiGate model and interface name.
   b. Create interfaces using CLI scripts and use those interfaces in FortiGate policy packages.
   c. Enable metadata variables to use dynamic configurations on the standard interfaces of FortiManager.
   d. Use the install on feature in the policy package to automatically assign the interfaces across branches.

40) Refer to the exhibit. The FortiGuard security services on a FortiGate device are shown. You need to find the web filter database signature on FortiGate to resolve issues with websites not being filtered correctly in a flow-mode web filter profile. Why is the web filter database version not visible in the GUI, like it is for the intrusion prevention system (IPS) definitions?
   a. The web filter database is stored locally, but you must use the CLI command diagnose autoupdate versions to see the web filter database version.
   b. The web filter database is accessible only after you add a web filter security profile in a firewall policy.
   c. The web filter database is stored locally on FortiGate, but you must enable Web Filter in the Feature Visibility section to see the web filter database version.
   d. The web filter database is not hosted on FortiGate; FortiGate queries FortiGuard or FortiManager for web filter ratings on demand.

41) You configured the FortiGate devices in an enterprise network to join the Fortinet Security Fabric. You have a list of IP addresses that must be blocked by the data center firewall. The list is updated daily. How can you automate updates to the firewall policy to add the IP addresses from the daily updated list?
   a. With an external connector from External Feeds.
   b. With metadata variables in FortiManager.
   c. With a CLI script in FortiManager.
   d. With a Security Fabric automation.

42) Refer to the exhibit. The partial output of a troubleshooting command is shown. You are using IPsec on FortiGate extensively. Many tunnels are showing information that is similar to the output shown in the exhibit. Which statement about your IPsec use is correct?
   a. Only the outbound IPsec SA is copied to the NPU.
   b. IPsec SAs cannot be offloaded.
   c. The two IPsec security associations (SA), inbound and outbound, are copied to the network processing unit (NPU).
   d. Only the inbound IPsec SA is copied to the NPU.

43) You must segment an enterprise network. Which two features could you use? (Choose two.)
   a. VLAN
   b. Zero Trust Network Access (ZTNA)
   c. IPsec
   d. VDOM

44) Refer to the exhibit. An ADVPN network is shown. You must configure an ADVPN using IBGP for each local region and EBGP across regions to connect Overlay 1 with Overlay 2. Which two options must you configure in the Hub2Hub BGP peering? (Choose two.)
   a. set ebgp-enforce-multihop enable
   b. set ibgp-enforce-multihop advpn
   c. set attribute-unchanged next-hop
   d. set next-hop-self enable

45) Refer to the exhibit. A LAN interface connected from FortiGate to two FortiSwitch devices is shown. Which two statements about the LAN interface connection shown in the exhibit are correct? (Choose two.)
   a. The LAN interface must use an 802.3ad type interface.
   b. You must enable Spanning Tree Protocol (STP) or Rapid STP (RSTP) on FortiGate and FortiSwitch to avoid layer 2 loops.
   c. The connection is using a FortiLink interface.
   d. FortiGate is using an SD-WAN-type interface to connect to one FortiSwitch device with MCLAG.

46) Refer to the exhibit. FortiGate_A and FortiGate_B are members of a FortiGate Session Life Support Protocol (FGSP) cluster in an enterprise network. While testing the cluster using the ping command, you monitor packet loss, and on FortiGate_B you see the session list output shown in the exhibit. What is causing this output on FortiGate_B?
   a. session-pickup-connectionless is set to disable on FortiGate_B.
   b. The session synchronization is encrypted.
   c. FortiGate_B is configured in passive mode.
   d. standalone-config-sync is set to disable on FortiGate_B.

47) Users in your organization who are on an IPsec VPN between FortiGate A and FortiGate B are experiencing intermittent issues since implementing VXLAN. You suspect that packets exceeding the 1500-byte default maximum transmission unit (MTU) are causing the problems. How would adjusting the interface MTU value help resolve issues caused by protocols that add extra headers to IP packets?
   a. Adjust the MTU on interfaces only in wired connections like Point-to-Point Protocol over Ethernet (PPPoE), optical fiber, and Ethernet cable.
   b. Adjust the MTU on interfaces in controlled environments where all devices along the path allow MTU interface changes.
   c. Adjust the MTU on interfaces only on FortiGate A and FortiGate B.
   d. Adjust the MTU on all FortiGate interfaces after adjusting the TCP maximum segment size (MSS).

48) Refer to the exhibits. The routing tables of FortiGate_A and FortiGate_B are shown. FortiGate_A and FortiGate_B are in the same autonomous system. You want to add only route 172.16.1.248/30 on FortiGate_A by updating the BGP configuration. Which configuration must you apply?
   a. The prefix 172.16.1.248/30 in the BGP Networks section on FortiGate_B.
   b. A BGP route map in for 172.16.1.248/30 on FortiGate_A.
   c. Enable Redistribute Connected in the BGP section on FortiGate_B.
   d. A BGP route map out for 172.16.1.248/30 on FortiGate_B.

49) Refer to the exhibits. The routing tables of FortiGate_A and FortiGate_B, and a network topology, are shown. Why does FortiGate_B have only one external route available to 100.75.5.1/32?
   a. The subnet 10.0.11.0/24 is not located in the FortiGate_B area.
   b. FortiGate_A advertises only one external route to FortiGate_B.
   c. The route to 100.75.5.1/32 shown on FortiGate_B has the lowest cost.
   d. rfc-1583-compatible is not set to enable on FortiGate_B.

50) Refer to the exhibit. A partial enterprise network is shown. What must you configure so that FortiGate A and other OSPF routers in the backbone learn about prefixes generated within the RIP domain?
   a. Configure a virtual link between FortiGate A and B.
   b. Set the area 0.0.0.1 type to stub on FortiGate A and B.
   c. Enable RIP redistribution on FortiGate B.
   d. Configure a distribute-route-map-in on FortiGate B.
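The DNS exfiltration scenario above (a 1 TB FortiAnalyzer disk filling in a day with thousands of unanswered queries such as JHCMQK.website.com, over both UDP and TLS) is a pattern a SOC would want to confirm in the logs before choosing a control. The Python script below is an added example and not part of the original test bank: it runs a small detector over a few constructed FortiGate-style DNS log lines, grouping queries by registered domain and scoring each domain on query volume, the share of queries with no answer, and the Shannon entropy of the leftmost label. The field names (qname, qtype, dstport, ipaddr) are modelled on FortiOS utm/dns log fields but are assumptions, and the thresholds are illustrative; both UDP/53 and DNS over TLS on TCP/853 are counted so the TLS side of the exfiltration is not missed.

```python
"""Flag DNS-exfiltration-like query patterns in FortiGate-style DNS logs.

Added example, not part of the original test bank. The log lines are
constructed; field names (qname, qtype, dstport, ipaddr) are modelled on
FortiOS utm/dns log fields but nothing below depends on the exact schema.
"""
import math
import re
from collections import defaultdict

# Constructed sample: normal lookups of example.com, then a burst of random-looking,
# unanswered TXT queries under website.com over plain UDP/53 and DNS over TLS (853).
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 type="utm" subtype="dns" srcip=10.0.2.51 dstport=53 qname="www.example.com" qtype="A" ipaddr="93.184.216.34" action="pass"
date=2024-05-01 time=10:00:02 type="utm" subtype="dns" srcip=10.0.2.51 dstport=53 qname="mail.example.com" qtype="A" ipaddr="93.184.216.35" action="pass"
date=2024-05-01 time=10:00:03 type="utm" subtype="dns" srcip=10.0.2.51 dstport=53 qname="JHCMQK.website.com" qtype="TXT" action="pass"
date=2024-05-01 time=10:00:03 type="utm" subtype="dns" srcip=10.0.2.51 dstport=53 qname="ZX9K2PQ7.website.com" qtype="TXT" action="pass"
date=2024-05-01 time=10:00:04 type="utm" subtype="dns" srcip=10.0.2.51 dstport=853 qname="Q4LM81VB.website.com" qtype="TXT" action="pass"
date=2024-05-01 time=10:00:04 type="utm" subtype="dns" srcip=10.0.2.51 dstport=853 qname="T7YD0NCE.website.com" qtype="TXT" action="pass"
date=2024-05-01 time=10:00:05 type="utm" subtype="dns" srcip=10.0.2.51 dstport=53 qname="H3WP6RSA.website.com" qtype="TXT" action="pass"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def shannon_entropy(label):
    """Bits per character of a DNS label; encoded or random labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive eTLD+1: keep the last two labels (fine for .com-style names)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def dns_exfil_report(logs, min_queries=3, min_entropy=2.5, min_unanswered=0.8):
    """Aggregate queries per registered domain and flag exfiltration-like ones.

    A domain is flagged when it sees enough queries, most of them got no answer
    (no ipaddr field in the log), and the leftmost labels look random. Queries
    on UDP/53 and on DNS over TLS (TCP/853) are both counted, so the TLS side of
    the exfiltration is not missed.
    """
    stats = defaultdict(lambda: {"queries": 0, "unanswered": 0,
                                 "labels": set(), "ports": set()})
    for line in logs.splitlines():
        f = parse_line(line)
        if f.get("subtype") != "dns" or "qname" not in f:
            continue
        s = stats[registered_domain(f["qname"])]
        s["queries"] += 1
        s["labels"].add(f["qname"].split(".")[0])
        s["ports"].add(int(f.get("dstport", 53)))
        if not f.get("ipaddr"):
            s["unanswered"] += 1

    report = {}
    for domain, s in stats.items():
        mean_entropy = sum(shannon_entropy(lab) for lab in s["labels"]) / len(s["labels"])
        unanswered_ratio = s["unanswered"] / s["queries"]
        report[domain] = {
            "queries": s["queries"],
            "unique_labels": len(s["labels"]),
            "unanswered_ratio": round(unanswered_ratio, 2),
            "mean_entropy": round(mean_entropy, 2),
            "ports": sorted(s["ports"]),
            "suspicious": (s["queries"] >= min_queries
                           and unanswered_ratio >= min_unanswered
                           and mean_entropy >= min_entropy),
        }
    return report


if __name__ == "__main__":
    for domain, row in dns_exfil_report(SAMPLE_LOGS).items():
        print(domain, row)
```

On the sample, example.com stays clean (answered queries, low-entropy labels) while website.com is flagged with five distinct labels, a 100% unanswered ratio and queries on both 53 and 853. In a real deployment the thresholds would be tuned against a baseline, and the eTLD+1 split replaced by a public suffix list.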
51) A FortiGate device using unified threat management (UTM) profiles is reaching resource limits, and you expect traffic in your enterprise network to increase. You received an additional FortiGate of the same model. Which two options should you consider using to integrate the additional FortiGate into your enterprise network? (Choose two.)
   a. FortiGate Clustering Protocol (FGCP) in active-active (A-A) mode with switches.
   b. FortiGate Clustering Protocol (FGCP) in active-passive (A-P) mode with VDOM disabled.
   c. FortiGate Session Life Support Protocol (FGSP) with external load balancers.
   d. Virtual Router Redundancy Protocol (VRRP) with switches.

52) Refer to the exhibit. The packet capture output of a client hello message is shown. You are updating a firewall policy that includes SSL certificate inspection. You are capturing packets from the traffic passing through this firewall policy. Which two statements about the packet capture are correct? (Choose two.)
   a. The subject alternative name (SAN) is necessary to apply security profiles.
   b. The client supports only TLS versions 1.2 and 1.3.
   c. You can effectively apply a web filtering profile to this traffic.
   d. You can effectively apply an antivirus security profile to this traffic.

53) You are trying to efficiently deploy ADVPN within the enterprise network. Which two approaches can facilitate this deployment? (Choose two.)
   a. On FortiGate, utilize loopback interfaces to reduce the number of routes and peers.
   b. On FortiManager, enable ADVPN on VPN Manager.
   c. On FortiGate, connect only the links with the best status.
   d. On FortiManager, activate the recommended IPsec tunnel provisioning templates and enable ADVPN.

54) Refer to the exhibits. A network topology, firewall policy, and SSL/SSH inspection profile configuration are shown. What must you configure on firewall policy ID 2 to detect HTTPS attacks that target a Linux server hosting the website www.acmetest.com?
   a. Enable SSL inspection of the SSL server and upload the certificate of the Linux server website to the SSL/SSH inspection profile.
   b. Enable HTTPS in the protocol port mapping of the deep-inspection SSL/SSH inspection profile.
   c. Set ips-sensor to IPS_block in the firewall policy.
   d. Set inspection-mode to flow to analyze the HTTPS packets and make sure that they are as expected.

55) You want to scale the IBGP sessions and optimize the routing table in an IBGP network. Which parameter should you configure?
   a. neighbor-group
   b. neighbor-range
   c. recursive-next-hop
   d. route-reflector-client

56) An administrator wants to scale the IBGP sessions and optimize the routing table in an IBGP network. Which parameter should the administrator configure?
   a. network-import-check
   b. ibgp-enforce-multihop
   c. neighbor-group
   d. route-reflector-client

57) If you configure set tcp-mss-sender and set tcp-mss-receiver in a firewall policy, how does it affect the size and handling of TCP packets in the network?
   a. The maximum segment size permitted in the firewall policy determines whether TCP packets are allowed or denied.
   b. The TCP packet modifies the packet size only if no fragmentation occurs.
   c. Applying the commands in a firewall policy determines the largest payload a device can handle in a single TCP segment.
   d. The commands affect the payload size of the packet and the size of the IP header for handling TCP packets.

58) You must enable direct communication between multiple spokes in an organization's network. Each spoke has more than one internet connection. Each spoke must connect directly without passing through the hub, and the links must automatically switch to the best available connection. How can you achieve automatic detection and optimal link utilization between spokes?
   a. Set up OSPF routing over dynamic VPN tunnels between spokes.
   b. Use ADVPN 2.0 to facilitate dynamic direct tunnels and automatic link optimization.
   c. Implement SD-WAN policies at the hub and the spokes.
   d. Establish dynamic VPN tunnels between spokes with predefined backup routes.

59) An organization acquired multiple branches across different countries and must install FortiGate devices at each branch. However, their IT staff lacks the knowledge required to implement the initial configuration on the FortiGate devices. Which three approaches can the organization take to successfully deploy advanced initial configurations on the FortiGate devices at their remote branches? (Choose three.)
   a. Apply Jinja in the FortiManager scripts for large-scale and advanced deployments.
   b. Use provisioning templates and install configuration settings at the device layer.
   c. On FortiManager, add the FortiGate devices as model devices, and use zero-touch provisioning (ZTP) or low-touch provisioning (LTP) to connect to the FortiGate devices.
   d. Use the global ADOM to deploy global object configurations to each FortiGate device.
   e. Use metadata variables to dynamically assign values according to each FortiGate device.

60) Refer to the exhibit. A pre-run CLI template that is used in zero-touch provisioning (ZTP) and low-touch provisioning (LTP) with FortiManager is shown. The template is not assigned even though the configuration is already installed on FortiGate. Which statement about this scenario is true?
   a. The administrator must use post-run CLI templates that are designed for ZTP and LTP.
   b. Pre-run CLI templates for ZTP and LTP must be unassigned manually after the first installation, to avoid conflicting error objects when importing a policy package.
   c. The administrator did not assign the template correctly when they added the model device, because pre-run CLI templates remain permanently assigned to the firewall.
   d. Pre-run CLI templates are automatically unassigned after the quick install process.

61) You are using Virtual eXtensible LAN (VXLAN) extensively on FortiGate. Which specialized acceleration hardware must you use to improve FortiGate performance?
   a. CP10
   b. NTurbo
   c. CPU
   d. NP7
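Three items above turn on the same arithmetic: the PC1 ping that fails with "Packet needs to be fragmented but DF set" across a 1000-byte interface MTU, the VXLAN-over-IPsec MTU question, and the tcp-mss-sender / tcp-mss-receiver policy settings. The Python below is an added example and not part of the original test bank: it models the decision a router makes when a packet is larger than the egress MTU, with and without the DF bit, and computes the ping payload, inner MTU and MSS values the scenarios involve. Header sizes are the standard IPv4, ICMP, TCP and VXLAN-over-IPv4 (RFC 7348) values; the IPsec ESP overhead constant is an assumption, since it depends on the cipher suite.

```python
"""MTU, DF-bit and TCP MSS arithmetic behind the ping, VXLAN and tcp-mss items.

Added example, not part of the original test bank. Header sizes are the
standard IPv4 (20), ICMP (8), TCP (20) and VXLAN-over-IPv4 (50) values; the
IPsec ESP overhead is an assumption because it depends on the cipher suite.
"""

IPV4_HDR = 20
ICMP_HDR = 8
TCP_HDR = 20
ETH_HDR = 14

# Bytes each encapsulation adds on top of the original IP packet.
OVERHEAD = {
    "vxlan": ETH_HDR + IPV4_HDR + 8 + 8,   # outer Ethernet + IP + UDP + VXLAN = 50 (RFC 7348)
    "ipsec_esp": 58,                       # assumption: tunnel-mode ESP, AES-CBC + HMAC-SHA1, before padding
}


def max_icmp_payload(mtu):
    """Largest ping payload (-l on Windows, -s on Linux) that fits one packet of this MTU."""
    return mtu - IPV4_HDR - ICMP_HDR


def effective_mtu(link_mtu, *encaps):
    """MTU left for the inner packet once the listed encapsulations are stacked on the link."""
    return link_mtu - sum(OVERHEAD[e] for e in encaps)


def tcp_mss_for(mtu):
    """MSS a host should advertise so that a full TCP segment fits in this MTU."""
    return mtu - IPV4_HDR - TCP_HDR


def clamp_mss(advertised_mss, policy_mss):
    """Effect of tcp-mss-sender / tcp-mss-receiver: the MSS option in the SYN is only ever lowered."""
    return min(advertised_mss, policy_mss)


def forward(packet_len, link_mtu, df):
    """Decide what a router does with an IPv4 packet on an egress link.

    Returns (action, next_hop_mtu). next_hop_mtu is what goes into the ICMP
    type 3 code 4 message ("fragmentation needed and DF set"), which is the
    condition the PC1 error message reports.
    """
    if packet_len <= link_mtu:
        return ("forward", None)
    if df:
        return ("drop-icmp-frag-needed", link_mtu)
    return ("fragment", None)


def ping_outcome(payload, link_mtu, df=True):
    """What happens to an ICMP echo request with this payload size and DF setting."""
    return forward(payload + IPV4_HDR + ICMP_HDR, link_mtu, df)


if __name__ == "__main__":
    # Scenario: PC1 has MTU 1500, the FortiGate interfaces have MTU 1000.
    print(max_icmp_payload(1000))                # 972
    print(ping_outcome(1472, 1000))              # ('drop-icmp-frag-needed', 1000)
    print(ping_outcome(972, 1000))               # ('forward', None)
    print(ping_outcome(1472, 1000, df=False))    # ('fragment', None)
    # Scenario: VXLAN over a 1500-byte path between FortiGate A and B.
    inner = effective_mtu(1500, "vxlan")         # 1450
    print(inner, tcp_mss_for(inner))             # 1450 1410
    print(clamp_mss(1460, tcp_mss_for(inner)))   # 1410
```

The ping helper makes the 972 figure explicit: a 1000-byte MTU leaves 1000 - 20 - 8 bytes of ICMP payload, and a default Windows ping with DF set and a 1500-byte packet is dropped rather than fragmented. Stacking encapsulations (for example effective_mtu(1500, "vxlan", "ipsec_esp")) shows why MSS clamping on the policy is the usual fix when the path MTU cannot be raised end to end.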
In which two ways does FortiGate utilize the Internet Service Database (ISDB) within firewall policies and SD-WAN rules? (Choose two.). The ISDB works in proxy mode, allowing the analysis of packets in layers 3 and 4 of the OSI model. The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard. The ISDB limits access by URL and domain. FortiGate has a predefined list of all IP addresses and ports for specific applications downloaded from FortiGuard. Refer to the exhibit. A FortiGate segmented into VDOMs is shown. You must ensure effective and accelerated internet access for all of the VDOMs in this enterprise network. How can you achieve this?. Create VLANs over network processing unit (NPU) vlinks. Connect a physical interface from each VDOM to the root VDOM. Create VDOM links. Configure network processing unit (NPU) vlinks. Refer to the exhibit. The network diagram shows the addition of Site 2 with an overlapping network segment to the existing VPN IPsec connection between the hub and Site 1. Which IPsec phase 2 configuration must you make on the FortiGate hub to enable equal-cost multi-path (ECMP) routing when multiple remote sites connect with overlapping subnets?. Set multipath to enable. Set net-device to ecmp. Set route-overlap to allow. Set route-overlap to either use-new or use-old. Refer to the exhibit. You need to modify the MED value advertised from FortiGate_1 to a BGP neighbor in the autonomous system, AS 30. Which parameter must you configure on FortiGate_1 to implement this?. distribute-list-out. route-map-out. prefix-list-out. route-overlap. Refer to the exhibits. The firewall policy ID 1 of the DCFW policy package and the reinstall preview window for the DCFW policy package installation are shown. Why is FortiManager is installing set srcaddr “SSLVPN_TUNNEL_ADDR1” on firewall policy ID 1 when the policy package DCFW has the source address 10.0.5 on the firewall policy ID 1?. 
- FortiManager has assigned firewall HQ-DCFW a CLI template that can overwrite configurations at the policy layer.
- FortiManager is installing the global policy package, which has higher priority than the ADOM policy package.
- The reinstall policy package ignores recent changes to the policy layer. The administrator must run the Install Wizard.
- The firewall policy and reinstall preview use the same addresses, but they have different names because of per-device mapping.

A user reports that their computer was infected with malware after accessing a secured HTTPS website. However, when you check the FortiGate logs, you see that FortiGate did not detect the website as insecure, despite having an SSL certificate and the correct profiles applied on the policy. How can you ensure that FortiGate can analyze encrypted HTTPS traffic on a website?
- Enable server certificate SNI check to protect against unsecured HTTPS websites.
- Set min-allowed-ssl-version to tls-1.2.
- Enable full SSL inspection in the SSL/SSH Inspection profile to decrypt packets.
- Set inspection-mode to proxy.

You applied a block-all intrusion prevention system (IPS) profile for client and server targets to secure the server, but the database team reported that applications stopped working immediately after. How can you apply IPS in a way that ensures it does not disrupt existing applications in the network?
- Set the IPS profile signature action to default and verify patterns.
- Use an IPS profile with all signatures in monitor mode and verify patterns before blocking.
- Limit the IPS profile to server targets only and set the action to default.
- Select flow mode in the IPS profile and monitor the application patterns.

An organization's guest internet policy, operating in proxy mode, blocks access to artificial intelligence technology sites using FortiGuard. However, a guest user accessed a page in this category using port 8443.
Which configuration change must you make for FortiGate to analyze HTTPS traffic on nonstandard ports like 6443, when full SSL inspection is active in the guest policy?
- Block traffic on nonstandard ports by enabling server certificate SNI check in the SSL/SSH inspection profile.
- Enter 443, 8443 to analyze both standard (443) and non-standard (8443) HTTPS ports in the protocol port mapping section of the SSL/SSH Inspection profile.
- Enable network protocol enforcement for port 8443 with the protocol HTTPS in FortiGuard application control.
- Block untrusted SSL certificates in the SSL/SSH inspection profile.

Refer to the exhibits. The system administrator settings configured on a root FortiGate and the Security Fabric settings configured on a downstream FortiGate are shown. When prompted to sign in with Security Fabric to the downstream FortiGate, a user enters the single sign-on (SSO) provider credentials. What is the result?
- The downstream FortiGate creates an SSO administrator account for AdminSSO with the super_admin profile.
- The user accesses the downstream FortiGate with super_admin_readonly profile.
- The user is prompted to create an administrator account for AdminSSO.
- The downstream FortiGate relies on the root FortiGate and does not create an administrator account.
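The IPsec question above (Site 2 added with a subnet that overlaps Site 1) turns on one phase 2 setting. The following is an added example of the hub-side FortiOS CLI that the route-overlap options refer to; it is not taken from the test page or from Fortinet documentation. The interface, tunnel and policy names, the pre-shared key and the proposal are assumptions chosen for the example.

```text
# Added example (assumed names and values). Hub-side dialup tunnel whose
# spokes may announce the same subnet: with net-device disabled, each spoke's
# route is injected by add-route, and route-overlap decides what happens when
# two spokes inject the same prefix.
config vpn ipsec phase1-interface
    edit "hub-dialup"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set add-route enable
        set proposal aes256-sha256
        set psksecret ExamplePSK-change-me
    next
end

config vpn ipsec phase2-interface
    edit "hub-dialup-p2"
        set phase1name "hub-dialup"
        set proposal aes256-sha256
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
        # use-old keeps the first spoke's route, use-new replaces it with the
        # newest spoke's; allow keeps both, so the hub has two equal routes to
        # the overlapping prefix and can forward over both tunnels (ECMP).
        set route-overlap allow
    next
end

# The hub still needs a policy from the LAN to the tunnel interface; without it
# the second route exists but nothing can use it.
config firewall policy
    edit 30
        set name "lan-to-spokes"
        set srcintf "port2"
        set dstintf "hub-dialup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Check the effect with `get router info routing-table all` on the hub: after both sites connect, the overlapping prefix should appear twice with the same distance and priority, once per tunnel. If only one entry shows, the phase 2 selector is still using use-old or use-new, or the tunnels have different distances, in which case the FortiGate picks one route rather than load-sharing.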
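Two of the questions above turn on the same profile: the malware site that was never flagged because the HTTPS payload was never decrypted, and the guest who reached a blocked category on port 8443 because only port 443 was mapped to HTTPS. The following is an added example of an SSL/SSH inspection profile and the policy that uses it, written for this page rather than copied from the test or from Fortinet documentation. The profile, policy, interface and web filter profile names are assumptions.

```text
# Added example (assumed names). Certificate inspection only reads the server
# certificate and SNI, so web filtering and application control cannot see the
# URL path or content of a malicious page. deep-inspection re-signs the server
# certificate with the FortiGate CA and decrypts the session.
config firewall ssl-ssh-profile
    edit "guest-deep-inspection"
        set comment "Decrypt guest HTTPS so web filter and app control see content"
        config https
            # Without 8443 here, a session to tcp/8443 is not treated as HTTPS
            # at all and bypasses the web filter category check.
            set ports 443 8443
            set status deep-inspection
        end
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
    next
end

config firewall policy
    edit 10
        set name "guest-internet"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "guest-deep-inspection"
        set webfilter-profile "guest-webfilter"
        set logtraffic all
    next
end
```

The caveat a practitioner wants next to this: deep inspection only works cleanly if the clients trust the Fortinet_CA_SSL certificate (or a CA you import in its place), otherwise every guest sees a certificate warning, and applications that pin certificates will fail and need an exemption. It also costs CPU, which is exactly the trade-off the first question of the test (certificate inspection versus deep inspection) is about.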
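For the IPS question above, where a block-all sensor took the database applications down, the following is an added example of the staged approach the options describe: a sensor whose signatures only log, applied to the server policy, so the patterns that match real traffic can be reviewed before any of them block. It is written for this page, not copied from the test or from Fortinet documentation; the sensor, policy, interface and address names are assumptions.

```text
# Added example (assumed names). In the CLI, the GUI's "Monitor" action is
# action pass with logging enabled: the signature matches, a log is written,
# the packet is forwarded.
config ips sensor
    edit "db-servers-monitor"
        set comment "Stage 1: log only; review hits before changing action"
        config entries
            edit 1
                # Only signatures whose target is the server side; client-side
                # browser signatures do not belong on a policy to a database.
                set location server
                set severity medium high critical
                set action pass
                set log enable
                set log-packet enable
            next
        end
    next
end

config firewall policy
    edit 20
        set name "to-db-servers"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "app-tier"
        set dstaddr "db-servers"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "db-servers-monitor"
        set logtraffic all
    next
end
```

Run the sensor like this through a normal business cycle, then go through the IPS logs: a signature that fires on legitimate database traffic is a false positive that needs an exemption or a pass entry of its own, while the rest can move to `set action default` (FortiGuard's recommended action per signature) or `set action block` in a second entry. Switching the whole sensor from pass to block in one step repeats the outage the question describes.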