exam 5
Title of test: exam 5
Description: exam number 5



1. Refer to the exhibits. What will happen when a client attempts a mousedown cross-site scripting (XSS) attack against the site http://my.blog.org/user1/blog.php and FortiWeb is enforcing the highlighted signature? (Choose one answer)
    - The connection will be stripped of the mousedown JavaScript code.
    - The connection will be blocked as an XSS attack.
    - FortiWeb will report the new mousedown attack to FortiGuard.
    - The connection will be allowed.

2. Which three security features must you configure on FortiWeb to protect API connections? (Choose three answers)
    - API user key enforcement.
    - Single sign-on (SSO) authentication with Active Directory (AD).
    - Machine learning (ML)-based API protection.
    - API schema validation.
    - API user authentication with SAML.

3. In SAML deployments, which server contains user authentication credentials (username/password)? (Choose one answer)
    - Identity provider.
    - Service provider.
    - User database.
    - Authentication client.

4. Which is an example of a cross-site scripting (XSS) attack? (Choose one answer)
    - `SELECT username FROM accounts WHERE username='admin';-- ' AND password='password';`
    - `<img src="http://badfile/nothere" onerror=alert(document.cookie);>`
    - `SELECT username FROM accounts WHERE username='XSS' ' AND password='alert("http://badurl.com")';`
    - `<IMG SRC="xss.png">`

5. An administrator notices multiple IP addresses attempting to log in to an application frequently, within a short time period. They suspect attackers are attempting to guess user passwords for a secure application. What is the best way to limit this type of attack on FortiWeb, while still allowing legitimate traffic through? (Choose one answer)
    - Blocklist any suspected IPs.
    - Configure a brute force login custom policy.
    - Rate limit all connections from suspected IP addresses.
    - Block the IP address at the border router.

6. What are two possible impacts of a DoS attack on your web server? (Choose two answers)
    - The web application starts accepting unencrypted traffic.
    - The web application is unable to accept any more connections because of network socket exhaustion.
    - The web application server is unable to accept new client sessions due to memory exhaustion.
    - The web application server database is compromised with data theft.

7. Which three stages are part of creating a machine learning (ML) bot detection algorithm? (Choose three answers)
    - Model building.
    - Model running.
    - Model verification.
    - Sample collecting.
    - Model Bayesian analysis.

8. Which two items can be defined in a FortiWeb XML Protection Rule? (Choose two answers)
    - API key.
    - XML Schema.
    - Web protection profile.
    - Request URL.

9. What are two results of enabling monitor mode on FortiWeb? (Choose two answers)
    - It does not affect denial-of-service (DoS) protection profile actions to rate limit traffic.
    - It uses the default action for all profiles and, depending on the configuration, blocks or allows traffic.
    - It does not affect any HTML rewriting or redirection actions in web protection profiles.
    - It overrides all usual profile actions. FortiWeb accepts all requests and generates alert email or log messages only for violations.

10. Which statement is true? (Choose one answer)
    - FortiWeb cannot perform content inspection on the traffic because it is encrypted.
    - FortiWeb is decrypting and re-encrypting the traffic.
    - The server is not performing any cryptography on the traffic.
    - The server is encrypting traffic being sent to the client.

11. Refer to the exhibits. Attack ID 20000010 is brute force logins. Which statement is accurate about the potential attack? (Choose one answer)
    - The attacker has successfully retrieved the credentials to www.example.com.
    - www.example.com is running attacks against the client 192.168.1.11.
    - The attack has happened 10 times.
    - 192.168.1.11 is sending suspicious traffic to FortiWeb.

12. Which high availability (HA) mode uses gratuitous Address Resolution Protocol (ARP) to advertise a failover event to neighboring network devices? (Choose one answer)
    - Passive-Passive.
    - Active-Passive.
    - Active-Active.
    - Passive-Active.

13. A customer wants to be able to index your websites for search and advertisement purposes. What is the easiest way to allow this on a FortiWeb? (Choose one answer)
    - Add the indexer IP address to the trusted IP list on the FortiWeb.
    - Add the indexer IP address to the FortiGuard "Known Search Engines" category.
    - Create a firewall rule to bypass the FortiWeb entirely for the indexer IP address.
    - Do not allow any external sites to index your websites.

14. Which Layer 7 routing method does FortiWeb support? (Choose one answer)
    - URL policy routing.
    - OSPF.
    - BGP.
    - HTTP content routing.

15. An attacker attempts to send an SQL injection attack containing the known attack string `'root';--` through an API call. Which FortiWeb inspection feature will be able to detect this attack the quickest? (Choose one answer)
    - API gateway rule.
    - Known signatures.
    - Machine learning (ML)-based API protection—anomaly detection.
    - ML-based API protection—threat detection.

16. How are bot machine learning (ML) models different from API or anomaly detection models? (Choose one answer)
    - Bot ML models analyze multiple connections over time instead of analyzing each connection as a single unit.
    - Bot ML models detect only anomalies and not actual threats.
    - Bot ML models inspect more types of connection properties.
    - Bot ML models do not update models periodically from new data.

17. Refer to the exhibits. What can you conclude from this support vector machine (SVM) plot of a potential bot connection? (Choose one answer)
    - The connection is normal and within the expected averages.
    - The connection uses too much bandwidth.
    - The connection uses an excessive amount of TCP connections, but is harmless.
    - The connection is possibly a bot.

18. What is the difference between an API gateway protection schema and a machine learning (ML) API protection schema? (Choose one answer)
    - An API gateway protection schema does not allow authentication.
    - An API gateway protection schema handles response bodies.
    - An API gateway protection schema supports data types other than string.
    - An API gateway protection schema cannot change without administrator intervention.

19. Which high availability mode is commonly used to integrate with a traffic distributor like FortiADC? (Choose one answer)
    - Cold standby.
    - Load sharing.
    - Active-Active.
    - Active-Passive.

20. What are two additional configuration elements that you must configure for this API gateway? (Choose two answers)
    - You must define rate limits.
    - You must define URL prefixes.
    - You must select a setting in the Allow User Group field.
    - You must enable and configure Host Status.

21. Which command will enable debugging for the FortiWeb user tracking feature? (Choose one answer)
    - `diagnose debug application user-tracking 7`
    - `debug application user-tracking 7`
    - `debug enable user-tracking 7`
    - `diagnose debug enable user-tracking 7`

22. Which two functions does the first layer of the FortiWeb anomaly machine learning (ML) analysis mechanism perform? (Choose two answers)
    - Determines whether an anomaly is a real attack or just a harmless anomaly that should be ignored.
    - Determines a probability model behind every parameter and HTTP method passing through FortiWeb.
    - Determines whether traffic is an anomaly, based on observable features over time.
    - Determines if a detected threat is a false-positive or not.

23. What is true about this FortiWeb device? (Choose two answers)
    - It is currently running version 6.4.0.
    - It was upgraded to a different version after initial installation.
    - It is currently running version 6.4.1.
    - It has 41% of the disk available for logging.

24. Review the following configuration:

    ```
    config router setting
        set ip-forward enable
    end
    ```

    What are two routing behaviors that you can expect on FortiWeb after this configuration change? (Choose two answers)
    - Non-HTTP traffic routed through the FortiWeb is allowed.
    - Only ICMP traffic is allowed. All other traffic is dropped.
    - IPv6 routing is enabled.
    - Non-HTTP traffic destined to the FortiWeb virtual server IP address is dropped.

25. Which would be a reason to implement HTTP rewriting? (Choose one answer)
    - To replace a vulnerable element in a requested URL.
    - To implement load balancing.
    - To redirect HTTP to HTTPS.
    - The original page has moved to a new URL.

26. A FortiWeb device is deployed upstream of a device performing source network address translation (SNAT) or load balancing. What configuration must you perform on FortiWeb to preserve the original IP address of the client? (Choose one answer)
    - Enable and configure the Preserve Client IP setting.
    - Enable and configure the Add X-Forwarded-For setting.
    - Turn off NAT on the FortiWeb.
    - Use a transparent operating mode on FortiWeb.

27. What can a FortiWeb administrator do if a client has been incorrectly period blocked? (Choose one answer)
    - Manually release the IP address from the blocklist.
    - Disable and re-enable the server policy.
    - Force a new IP address to the client.
    - Allow the period block to expire on its own; you cannot override it.

28. FortiADC is applying SNAT to all inbound traffic going to the servers. When an attack occurs, FortiWeb blocks traffic based on the 192.0.2.1 source IP address, which belongs to FortiADC. This setup is breaking all connectivity and genuine clients are not able to access the servers. What can the administrator do to avoid this problem? (Choose two answers)
    - Enable and configure the Use X-Forwarded-For setting on FortiWeb.
    - No special configuration is required; connectivity will be re-established for all clients after the set timeout.
    - Enable and configure the Preserve Client IP setting on the client.
    - Place FortiWeb in front of FortiADC.

29. Review the following configuration:

    ```
    config waf machine-learning-policy
        edit 1
            set sample-limit-by-ip 0
        next
    end
    ```

    Which result would you expect from this configuration setting? (Choose one answer)
    - When ML is in its collecting phase, FortiWeb will not accept any samples from any IP addresses.
    - When ML is in its running phase, FortiWeb will accept an unlimited number of samples from the same source IP address.
    - When machine learning (ML) is in its running phase, FortiWeb will accept a set number of samples from the same source IP address.
    - When ML is in its collecting phase, FortiWeb will accept an unlimited number of samples from the same source IP address.

30. You are using HTTP content routing on FortiWeb. You want requests for web application A to be forwarded to a cluster of web servers, which all host the same web application. You want requests for web application B to be forwarded to a different, single web server. Which statement regarding this solution is true? (Choose one answer)
    - The server policy always applies the same web protection profile to both web application A and web application B.
    - You must create static routes on the FortiWeb to allow these requests.
    - You must put the single web server for application B into a server pool and use it with HTTP content routing.
    - You must chain policies so that all requests go to the virtual server for policy A first, and then redirect requests for web application B to go to the virtual server for policy B.

31. Which implementation is most suited for a deployment that must meet PCI DSS compliance criteria? (Choose one answer)
    - SSL offloading with FortiWeb in transparency mode.
    - SSL offloading with FortiWeb in full transparent proxy mode.
    - SSL offloading with FortiWeb in reverse proxy mode.
    - SSL offloading with FortiWeb in PCI DSS mode.

32. Which two statements about running a vulnerability scan are true? (Choose two answers)
    - You should run the vulnerability scan on the live website to get accurate results.
    - You should run the vulnerability scan multiple times so it can automatically update the scan parameters.
    - You should run the vulnerability scan in a test environment.
    - You should run the vulnerability scan during a maintenance window.

33. Under which two circumstances does FortiWeb use its own certificates? (Choose one answer)
    - Routing an HTTPS connection to a FortiGate.
    - Making a secondary HTTPS connection to a server where FortiWeb acts as a client.
    - Connecting to browser clients using SSL.
    - An administrator session connecting to the GUI using HTTPS.

34. When is it possible to use a self-signed certificate, rather than one purchased from a commercial certificate authority? (Choose one answer)
    - If you are an enterprise whose computers all trust the Active Directory or CA server that signed the certificate.
    - If you are a small business or home office.
    - If you are an enterprise whose employees use only mobile devices.
    - If you are an enterprise whose resources do not need security or HTTPS connections.

35. Which two objects are required to configure a server policy in reverse proxy mode without content routing? (Choose two answers)
    - Virtual server.
    - Site publishing.
    - Protected hostname.
    - Server pool.

36. In which two operating modes can FortiWeb modify HTTP packets? (Choose two answers)
    - True transparent proxy.
    - Virtual proxy.
    - Transparent inspection.
    - Reverse proxy.

37. Which response body type is supported for API machine learning (ML) detection? (Choose one answer)
    - XML.
    - All types of response body ML detection are supported.
    - OpenAPI.
    - JSON.

38. What is one of the key benefits of the FortiGuard IP reputation feature? (Choose one answer)
    - It maintains a list of public IP addresses with bad reputation scores (for participating in attacks).
    - It is updated weekly.
    - It provides documentation for IP addresses that are suspect, so that administrators can manually update their blacklists.
    - It maintains a list of all public and private IP addresses and their reputations.

39. Which configuration element defines the field names, sizes, and data types of inputs that are enforced by FortiWeb? (Choose one answer)
    - API schema.
    - FortiGuard API database.
    - API standards text file.
    - API extreme memory profiles (XMP) configuration file.

40. What is the main benefit of using the period block action? (Choose one answer)
    - It allows FortiGuard Labs to create a signature to block future occurrences.
    - Attackers participating in an attack are blocked at the IP layer.
    - It allows connections from IP addresses that are not performing attacks.
    - FortiWeb conserves RAM usage by sending HTTP 403 responses.

41. Which two statements accurately describe the FortiWeb machine learning (ML) feature? (Choose two answers)
    - FortiWeb uses the second layer of ML to identify whether an attack is real.
    - The first layer of ML flags and inspects detected anomalies.
    - ML results in fewer false-positives.
    - ML inspects all fields and all content of web traffic.

42. What is this a section of? (Choose one answer)

    ```yaml
    name: Fortinet
    servers:
      url: 'https://fortigate.com/'
    paths:
      /ui:
        get:
          summary: Get UI items
          operationId: getui
          tags: ui
          responses:
            "200":
              description: An array of UI information
              content:
                application/json:
                  schema:
                    type: string
    ```

    - The FortiGate UI interface in HTML.
    - The result of a `show ui details` command on a FortiWeb server.
    - A FortiWeb configuration file.
    - An API schema file.

43. Which machine learning (ML) model is used for bot detection on FortiWeb? (Choose one answer)
    - Bayesian algorithm.
    - Explainable Artificial Intelligence (XAI).
    - Support vector machine (SVM).
    - Generative Pre-trained Transformer (GPT).

44. Which is an example of a typical SQL injection attack? (Choose one answer)
    - `<sql>select(ALL USERS);</sql>`
    - `SELECT cmd.exe FROM commands where users='admin';`
    - `<script>alert("Reflected XSS");</script>`
    - `SELECT username FROM accounts WHERE username='admin';-- ' AND password='password';`

45. When FortiWeb is enforcing client sessions with SAML authentication, which SAML role does FortiWeb play? (Choose one answer)
    - Web service provider.
    - Identity provider.
    - User authorization provider.
    - Service provider.

46. Refer to the exhibit. Which statement about the Strictness Level for Anomaly setting is correct? (Choose one answer)
    - Setting the level to 0 will disable anomaly detection.
    - A lower strictness level will generate fewer anomalies to be analyzed by the FortiWeb threat models.
    - A lower strictness level will generate more anomalies to be analyzed by the FortiWeb threat models.
    - This setting is universal to all FortiWeb machine learning (ML) profiles.

47. Which configuration item must be defined to start creating and enforcing a machine learning (ML) API detection policy? (Choose one answer)
    - ML Type.
    - Schema.
    - Domain.
    - Source IP address.

48. You can configure FortiWeb to send traffic to third-party IPS/IDS devices through network interfaces for traffic monitoring. Which two operation modes support this feature? (Choose two answers)
    - Reverse proxy.
    - True transparent proxy.
    - Offline protection.
    - Transparent proxy.

49. Which type of environment is most suited for True transparent proxy mode? (Choose one answer)
    - Flexible environments where you can easily change the IP addressing scheme.
    - Networks that extensively use dynamic routing.
    - New networks where infrastructure is not yet defined.
    - Environments where you cannot change the IP addressing scheme.

50. Which two statements about HTTPS on FortiWeb are true? (Choose two answers)
    - After you enable HTTP Strict Transport Security (HSTS), you never need to configure static redirects to HTTPS.
    - In SSL/TLS mode, the encrypted connection from the client is terminated on the protected web server.
    - In transparent inspection mode, you have to specify a certificate on FortiWeb for decryption.
    - Transparent inspection works with TLS 1.3.

51. FortiWeb is configured to block traffic from Japan to your web application server. However, in the logs, the administrator is seeing traffic allowed from one particular IP address which is geo-located in Japan. What can the administrator do to solve this problem? (Choose two answers)
    - Manually update the geo-location IP addresses for Japan.
    - If the IP address is configured as a geo reputation exception, remove it.
    - Configure the IP address as a blacklisted IP address.
    - If the IP address is configured as an IP reputation exception, remove it.

52. Which two statements most accurately describe a web application firewall (WAF)? (Choose two answers)
    - WAF protects both clients and servers.
    - WAF protects primarily clients.
    - WAF protects primarily servers.
    - WAF provides specialized application-layer threat detection.

53. Refer to the exhibits. A FortiWeb device is configured in reverse proxy mode and it is deployed downstream from a FortiGate device. Based on the configuration shown in the exhibits, which statement is true? (Choose one answer)
    - FortiGate should forward web traffic to the web server IP addresses.
    - This configuration will not work unless the FortiWeb is upstream of the FortiGate.
    - FortiGate should forward web traffic to the virtual server IP address.
    - You must disable the Preserve Client IP setting on the FortiGate for this configuration to work.

54. Which two configuration items are synchronized between two FortiWeb devices in an active-active high availability (HA) deployment? (Choose two answers)
    - Policy configuration settings.
    - Network settings.
    - Log files.
    - FortiWeb firmware upgrades.

55. When FortiWeb triggers a redirect action, which HTTP code does it send to the client to inform the browser of the new URL? (Choose one answer)
    - 401.
    - 400.
    - 301.
    - 300.

56. What key factor must be considered when setting brute force rate limiting and blocking? (Choose one answer)
    - Multiple clients sharing a single Internet connection.
    - Multiple clients using Wi-Fi and mobile data.
    - Multiple clients using DHCP.
    - Multiple clients connecting to multiple resources.

57. Refer to the exhibit, which shows SSL offloading. Which device is using the private key for the protected web server? (Choose one answer)
    - Client.
    - Server.
    - None. The private key is not needed in SSL offloading.
    - FortiWeb.

58. Which API call will be allowed by this machine learning (ML) learned schema? (Choose one answer)
    - `http://petstore.fortinet.demo/api/pet/findByStatus?status=ok`
    - `http://petstore.fortinet.demo/api/pet/findByStatus?status=pending`
    - `http://petstore.fortinet.demo/api/pet/findByStatus?name=allow`
    - `http://petstore.fortinet.demo/api/pet/findByStatus?name=confirmed`

59. A FortiWeb is deployed behind a FortiGate configured to insert the X-Forwarded-For (XFF) header in all HTTP traffic. When you view the attack logs on FortiWeb, which source IP address will you see? (Choose one answer)
    - FortiWeb IP.
    - FortiGate local internal IP.
    - FortiGate public external IP.
    - Client IP.

60. What potential risk is there in using a greedy regular expression match in URL rewriting, when large amounts of content need to be matched? (Choose one answer)
    - It increases disk access-related CPU load resulting in premature disk failure.
    - It requires all FortiWeb resources and interrupts traffic processing.
    - It is not reliable as it might not scan all the content.
    - It increases RAM usage resulting in performance degradation.

61. Refer to the exhibit. There is only one administrator account configured on FortiWeb. What must an administrator do to restrict any brute force attacks that attempt to gain access to the FortiWeb management GUI? (Choose one answer)
    - Delete the built-in administrator user and create a new one.
    - Configure IPv4 Trusted Host #3 with a specific IP address (replace 0.0.0.0/0 with a specific IP address).
    - The configuration changes must be made on the upstream device.
    - Change the Access Profile to Read_Only.

62. You have configured an authentication rule with delegation enabled on FortiWeb. What happens when a user tries to access the web application? (Choose one answer)
    - FortiWeb authenticates the client and forwards the connection with the successful credentials to the web application.
    - FortiWeb redirects users to a FortiAuthenticator page, and allows access based on the authentication response.
    - FortiWeb redirects the user to the back-end web application for authentication.
    - FortiWeb forwards the HTTP challenge from the web application, and then monitors the client for the challenge response.

63. Refer to the exhibit. What is the most likely cause of this attack message? (Choose one answer)
    - A bot attempting to download the contents of your website.
    - A hacker attempting a denial-of-service attack.
    - A user mistyping a URL.
    - A user pressing the refresh button in their browser too many times.

64. Refer to the exhibit. There is only one administrator account configured on FortiWeb and IPv6 is not configured on any interface. What should an administrator do to restrict any brute force attacks that attempt to gain access to the FortiWeb management GUI? (Choose one answer)
    - Delete the built-in administrator user and create a new one.
    - Make configuration changes on the upstream device.
    - Change the setting in the Access Profile field to Read_Only.
    - Replace 0.0.0.0/0 with a specific IP address.





