FortiGate / FortiOS 7.6 Administrator
Title of test: FortiGate / FortiOS 7.6 Administrator
Description: Practice questions for FortiGate / FortiOS 7.6 Administrator



An administrator added a configuration for a new RADIUS server. While configuring, the administrator enabled Include in every user group. What is the impact of enabling Include in every user group in a RADIUS configuration?
- This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
- This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
- This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
- This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.

Which statement about this firewall policy list is true?
- The Implicit group can include more than one deny firewall policy.
- The firewall policies are listed by ingress and egress interfaces pairing view.
- LAN to WAN, WAN to LAN, and Implicit are sequence grouping view lists.
- The firewall policies are listed by ID sequence view.

The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration. An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver. Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.)
- Set the Destination address as Deny_IP in the Allow_access policy.
- Disable match-vip in the Deny policy.
- Enable match-vip in the Deny policy.
- Set the Destination address as Webserver in the Deny policy.

The exhibits show a diagram of a FortiGate device connected to the network, as well as the firewall policy and IP pool configuration on the FortiGate device. Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet. Based on the information shown in the exhibit, which two configuration options can the administrator use to fix the connectivity issue for PC3? (Choose two.)
- In the IP pool configuration, set endip to 192.2.0.12.
- In the firewall policy configuration, add 10.0.1.3 as an address object in the source field.
- In the IP pool configuration, set type to overload.
- Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list.

Refer to the exhibit. The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity. What must the administrator configure to answer this specific request from the NOC team?
- Ensure that all NOC_Access users are assigned the super_admin role to guarantee access.
- Increase the admintimeout value under config system accprofile NOC_Access.
- Increase the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.
- Move NOC_Access to the top of the list to ensure all profile settings take effect.

Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)
- Extended authentication (XAuth) to request the remote peer to provide a username and password.
- Extended authentication (XAuth) for faster authentication because fewer packets are exchanged.
- Pre-shared key and certificate signature as authentication methods.
- No certificate is required on the remote peer when you set the certificate signature as the authentication method.

An administrator wants to form an HA cluster using the FGCP protocol. Which two requirements must the administrator ensure both members fulfill? (Choose two.)
- They must have the same number of configured VDOMs.
- They must have the same HA group ID.
- They must have the heartbeat interfaces in the same subnet.
- They must have the same hard drive configuration.

When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate. Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate? (Choose three.)
- Block.
- Allow & Warning.
- Trust & Allow.
- Block & Warning.
- Allow.

What can you conclude from the log shown in the exhibit?
- The IPS scan is paused by the IPS diagnostic command with bypass mode option 5.
- The IPS socket buffer is full and IPS engine cannot decode a packet.
- The IPS socket buffer is full and IPS engine needs more memory to create new sessions.
- The IPS session scan is paused and reevaluating the packet because of a dirty flag.

Which two statements are true about an HA cluster? (Choose two.)
- Link failover triggers a failover if the administrator sets the interface down on the primary device.
- HA incremental synchronization includes FIB entries and IPsec SAs.
- When sniffing the heartbeat interface, the administrator must see the IP address 169.254.0.2.
- An HA cluster cannot have both in-band and out-of-band management interfaces at the same time.

Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit. What do you conclude when adding the FTP.Login.Failed signature to the IPS sensor profile?
- The signature setting includes a group of other signatures.
- Traffic matching the signature will be allowed and logged.
- Traffic matching the signature will be silently dropped and logged.
- The signature setting uses a custom rating threshold.

Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI. Based on the exhibit, which statement is true?
- The Underlay zone is the zone by default.
- port2 and port3 are not assigned to a zone.
- The virtual-wan-link and overlay zones can be deleted.
- The Underlay zone contains no member.

Refer to the exhibit, which shows a partial configuration from the remote authentication server. Why does the FortiGate administrator need this configuration?
- To set up a RADIUS server Secret.
- To authenticate and match the Training OU on the RADIUS server.
- To authenticate Any FortiGate user groups.
- To authenticate only the Training user group.

The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile. An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category. What are two solutions for satisfying the requirement? (Choose two.)
- Set the Freeware and Software Downloads category Action to Warning.
- Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address.
- Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
- Configure a web override rating for download.com and select Malicious Websites as the subcategory.

An administrator has configured an Application Override for the ABC.Com application signature and set the Action to Allow. This application control profile is then applied to a firewall policy that is scanning all outbound traffic. Logging is enabled in the firewall policy. To test the configuration, the administrator accessed the ABC.Com web site several times. Why are there no logs generated under security logs for ABC.Com?
- The ABC.Com Action is set to Allow.
- The ABC.Com is hitting the category Excessive-Bandwidth.
- The ABC.Com Type is set as Application instead of Filter.
- The ABC.Com is configured under application profile, which must be configured as a web filter profile.

A network administrator has configured an SSL/SSH inspection profile defined for full SSL inspection and set with a private CA certificate. The firewall policy that allows the traffic uses this profile for SSL inspection and performs web filtering. When visiting any HTTPS websites, the browser reports certificate warning errors. What is the reason for the certificate warning errors?
- The browser does not recognize the certificate in use as signed by a trusted CA.
- With full SSL inspection it is not possible to avoid certificate warning errors at the browser level.
- The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is required when the SSL inspection profile is defined with a private CA certificate.
- The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.

Refer to the exhibit. The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories from SSL inspection, as shown in the exhibit. For which two reasons are these web categories exempted? (Choose two.)
- The resources utilization is optimized because these websites are in the trusted domain list on FortiGate.
- These websites are in an allowlist of reputable domain names maintained by FortiGuard.
- The legal regulation aims to prioritize user privacy and protect sensitive information for these websites.
- The FortiGate temporary certificate denies the browser's access to websites that use HTTP Strict Transport Security.

You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits. You cannot access any of the Google applications, but you are able to access www.fortinet.com. Which two actions would you take to resolve the issue? (Choose two.)
- Set the action for Google in the Application and Filter Overrides section to Allow.
- Add *Google*.com to the URL category in the security profile.
- Move up Google in the Application and Filter Overrides section to set its priority to 1.
- Set SSL inspection to deep-content inspection.
- Change the Inspection mode to Flow-based.

An administrator has configured a dialup IPsec VPN on FortiGate with add-route enabled. However, the static route is not showing in the routing table. Which two statements about this scenario are correct? (Choose two.)
- The administrator must use a policy route instead of a static route for add-route to work properly.
- The administrator must define the remote network correctly in the phase 2 selectors.
- The administrator must enable a dynamic routing protocol on the dialup interface.
- The administrator must ensure phase 2 is successfully established.

Which three statements about SD-WAN performance SLAs are true? (Choose three.)
- They monitor the state of the FortiGate device.
- They rely on session loss and jitter.
- They can be measured actively or passively.
- They are applied in a SD-WAN rule lowest cost strategy.
- All the SLA targets can be configured.

Refer to the exhibit. FGT-1 and FGT-2 are updated with HA configuration commands shown in the exhibit. What would be the expected outcome in the HA cluster?
- FGT-2 will take over as the primary because it has the override enable setting and higher priority than FGT-1.
- FGT-1 will synchronize the override disable setting with FGT-2.
- The HA cluster will become out of sync because the override setting must match on all HA members.
- FGT-1 will remain the primary because FGT-2 has lower priority.

Which method allows management access to the FortiGate CLI without network connectivity?
- Telnet console.
- CLI console widget.
- SSH console.
- Serial console.

An administrator wants to add HQ-ISFW-2 in the Security Fabric. HQ-ISFW-2 is in the same subnet as HQ-ISFW. After configuring the Security Fabric settings on HQ-ISFW-2, the status stays Pending. What can be the two possible reasons? (Choose two.)
- Management IP must be set to 10.0.13.254.
- SAML Single Sign-On must be set to Manual.
- Upstream FortiGate IP must be set to 10.0.11.254.
- HQ-ISFW-2 must be authorized on HQ-ISFW.

An administrator suspects that the Collector Agent is not forwarding login events to FortiGate. What is the most effective troubleshooting step?
- Restart the domain controller to refresh authentication services.
- Verify if DC agent is enabled on the FortiGate.
- Verify if FortiGate is set to use LDAP authentication instead of FSSO.
- Check if TCP port 8000 is open between the collector agent and FortiGate.

An administrator wants to analyze and manage digital certificates to prevent browser warnings when users connect to the SSL VPN portal. Which two statements describe how to correctly do this? (Choose two.)
- The administrator must disable HTTPS administrative access entirely to avoid certificate warnings.
- The administrator can rely on the default FortiGate self-signed certificate to prevent all security warnings in the browser.
- The administrator can import the FortiGate self-signed certificate into each user's browser as a trusted certificate.
- The administrator can use a publicly trusted certificate from a known certificate authority (CA) to stop browser warnings.

A diagram of a FortiGate device connected to the network, the VIP object, and the firewall policy configurations are shown. The WAN (port2) interface has the IP address 100.65.0.101/24. The LAN (port4) interface has the IP address 10.0.11.254/24. If the host 100.65.1.111 sends a TCP SYN packet on port 443 to 100.65.0.200, what will the source address, destination address, and destination port of the packet be at the time FortiGate forwards the packet to the destination?
- 10.0.11.254, 10.0.15.50, and 4443, respectively.
- 10.0.11.254, 100.65.0.200, and 443, respectively.
- 100.65.1.111, 10.0.11.50, and 4443, respectively.
- 100.65.1.111, 10.0.11.50, and 443, respectively.

Which two statements describe how the RPF check is used? (Choose two.)
- The RPF check is run on the first sent packet of any new session.
- The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks.
- The RPF check is run on the first sent and reply packet of any new session.
- The RPF check is run on the first reply packet of any new session.

Which three statements explain a flow-based antivirus profile? (Choose three.)
- If a virus is detected, the last packet is delivered to the client.
- Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
- FortiGate buffers the whole file but transmits to the client at the same time.
- The IPS engine handles the process as a standalone.
- Flow-based inspection optimizes performance compared to proxy-based inspection.

A network administrator is configuring an IPsec VPN tunnel for a sales employee travelling abroad. Which IPsec Wizard template must the administrator apply?
- Remote Access.
- Hub-and-Spoke.
- Site to Site.
- Dial up User.

The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24. Which IP address will be used to source NAT (SNAT) the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?
- 10.200.1.149.
- 10.200.1.1.
- 10.200.1.49.
- 10.200.1.99.

Refer to the exhibit. Which two conclusions can you make from the debug flow output? (Choose two.)
- The default gateway is configured on port2.
- The debug flow is for UDP traffic.
- The RPF check fails.
- The matching firewall policy denies the traffic.

A network administrator is reviewing firewall policies in both Interface Pair View and By Sequence View. The policies appear in a different order in each view. Why is the policy order different in these two views?
- By Sequence View groups policies based on rule priority, while Interface Pair View always follows the order of traffic logs.
- Policies in Interface Pair View are prioritized by security levels, while By Sequence View strictly follows the administrator's manual ordering.
- Interface Pair View sorts policies based on matching interfaces, while By Sequence View shows the actual processing order of rules.
- The firewall dynamically reorders policies in Interface Pair View based on recent traffic patterns, but By Sequence View remains static.

You have created a web filter profile named restrict_media-profile with a daily category usage quota. When you are adding the profile to the firewall policy, the restrict_media-profile is not listed in the available web profile drop down. What could be the reason?
- The firewall policy is in no-inspection mode instead of deep-inspection.
- The naming convention used in the web filter profile is restricting it in the firewall policy.
- The inspection mode in the firewall policy is not matching with web filter profile feature set.
- The web filter profile is already referenced in another firewall policy.

You want to ensure that an SSL VPN user's authenticated session does not remain active after they disconnect from the VPN. Which configuration will ensure this?
- Configure the firewall authentication session timeout to be lower than the SSL VPN session timeout.
- Enable settings to force the firewall authentication session to end when the SSL VPN session ends.
- Increase the SSL VPN idle timeout to reduce the chance of early disconnections.
- Manually clear active firewall authentication sessions after a user disconnects.

Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI. Based on the exhibit, which statement is true?
- The d-wan zone contains no member.
- The virtual-wan-link zone contains no member.
- The underlay zone contains port1 and port2.
- The d-wan zone cannot be deleted.

A remote user reports slow SSL VPN performance and frequent disconnections. The user is located in an area with poor internet connectivity. What setting should the administrator adjust to improve the user's experience?
- Increase the session timeout for inactive sessions.
- Enable split tunneling to reduce VPN traffic.
- Configure the DTLS timeout to accommodate high-latency connections.
- Change the SSL VPN port to a non-standard port.

You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits. Which two factors can you observe from these configurations? (Choose two.)
- Facebook access is allowed but you cannot play Facebook videos based on Video/Audio category filter settings.
- YouTube search is allowed based on the Google Application and Filter override settings.
- YouTube access is blocked based on Excessive-Bandwidth Application and Filter override settings.
- Facebook access is blocked based on the category filter settings.

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes. All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover. Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)
- In the phase1-interface, enable npu-offload to detect a dead tunnel.
- Enable Dead Peer Detection.
- Use the VPN wizard to create an IPsec template for a redundant IPsec VPN tunnel.
- Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

Based on the current HA status, an administrator updates the override and priority parameters on HQ-NGFW-1 and HQ-NGFW-2 as shown in the exhibit. What would be the expected outcome in the HA cluster?
- HQ-NGFW-2 will take over as the primary because it has the override enable setting and higher priority than HQ-NGFW-1.
- HQ-NGFW-1 will remain the primary because HQ-NGFW-2 has lower priority.
- The HA cluster will become out of sync because the override setting must match on all HA members.
- HQ-NGFW-1 will synchronize the override disable setting with HQ-NGFW-2.

You are asked to implement an antivirus profile for files downloaded through FTP, HTTP, and HTTPS. While testing, you are successful with HTTP and FTP protocols, but FortiGate does not block the file download over HTTPS. What could be the cause?
- The SSL inspection mode in the firewall policy is not deep content inspection.
- Web filter is not enabled on the firewall policy to complement the antivirus profile.
- The feature set in the antivirus profile is not set to Flow-based.
- The action on the firewall policy is not set to deny.

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings. What is true about the DNS connection to a FortiGuard server?
- It uses UDP 53.
- It uses UDP 8888.
- It uses DNS over TLS.
- It uses DNS over HTTPS.

Refer to the exhibits. An administrator creates a new address object on the root FortiGate (HQ-NGFW-1) in the Security Fabric. After synchronization, this object is not available on the downstream FortiGate (HQ-ISFW). What must the administrator do to synchronize the address object?
- Change the csf setting on both devices to set downstream-access enable.
- Change the csf setting on HQ-NGFW-1 (root) to set fabric-object-unification default.
- Change the csf setting on HQ-ISFW (downstream) to set configuration-sync local.
- Change the csf setting on HQ-ISFW (downstream) to set saml-configuration-sync default.

The exhibits show the application sensor configuration and the Excessive-Bandwidth and Apple filter details. Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?
- Apple FaceTime will be allowed, based on the Apple filter configuration.
- Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
- Apple FaceTime will be allowed, based on the Video/Audio category configuration.
- Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. Which order must FortiGate use when the web filter profile has features such as safe search enabled?
- DNS-based web filter and proxy-based web filter.
- FortiGuard category filter and rating filter.
- Static URL filter, FortiGuard category filter, and advanced filters.
- Static domain filter, SSL inspection filter, and external connectors filters.

Based on the routing table shown in the exhibit, which two statements are true? (Choose two.)
- A packet with the source IP address 10.0.13.10 arriving on port2 is allowed if strict RPF is disabled.
- A packet with the source IP address 10.10.10.10 arriving on port2 is allowed if strict RPF is enabled.
- A packet with the source IP address 10.100.110.10 arriving on port2 is allowed if strict RPF is enabled.
- A packet with the source IP address 10.100.110.10 arriving on port3 is allowed if strict RPF is disabled.

The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration. An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver. Which additional configuration can the administrator add to a deny firewall policy, beyond the default behavior, to block Remote-User2 from accessing the Webserver?
- Set the Destination address as Deny_IP in the Allow_access policy.
- Configure a One-to-One IP Pool object in a new policy.
- Disable match-vip in the Allow_access policy.
- Set the Destination address as Webserver in the Deny policy.

An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is no inbound traffic. Which DPD mode on FortiGate meets this requirement?
- Enabled.
- On Idle.
- Disabled.
- On Demand.

A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded. The administrator confirms that the traffic matches the configured firewall policy. What are two reasons for the failed virus detection by FortiGate? (Choose two.)
- FortiGate is using the default port for FortiGuard communication.
- The weight increases as the number of failed packets rises.
- The selected SSL inspection profile has certificate inspection enabled.
- The website is exempted from SSL inspection.

Refer to the exhibit, which shows a firewall policy to enable active authentication. When attempting to access an external website using an active authentication method, the user is not presented with a login prompt. What is the most likely reason for this situation?
- The Service DNS is required in the firewall policy.
- The Remote-users group must be set up correctly in the FSSO configuration.
- The Remote-users group is not added to the Destination.
- No matching user account exists for this user.

Which two statements are true about the routing entries in this database table? (Choose two.)
- The default route on port2 is marked as the standby route.
- The port2 interface is marked as inactive.
- All of the entries in the routing database table are installed in the FortiGate routing table.
- Both default routes have different administrative distances.

The administrator configured SD-WAN rules and set the FortiGate traffic log page to display SD-WAN-specific columns: SD-WAN Quality and SD-WAN Rule Name. FortiGate allows the traffic according to policy ID 1 placed at the top. This is the policy that allows SD-WAN traffic. Despite these settings, the traffic logs do not show the name of the SD-WAN rule used to steer those traffic flows. What could be the reason?
- There is no application control profile applied to the firewall policy.
- Destinations in the SD-WAN rules are configured for each application, but feature visibility is not enabled.
- SD-WAN rule names do not appear immediately. The administrator must refresh the page.
- FortiGate load balanced the traffic according to the implicit SD-WAN rule.

An administrator has configured the following settings. What are the two results of this configuration? (Choose two.)
- Session helpers are disabled for denied traffic.
- A session for denied traffic is created.
- The number of logs generated by denied traffic is reduced.
- Denied users are blocked for 30 minutes.

The exhibits show a diagram of a FortiGate device connected to the network, and the firewall policies, VIP, and IP pool configurations on the FortiGate device. The WAN (port2) interface has the IP address 100.65.0.101/24. The LAN (port4) interface has the IP address 10.0.11.254/24. The first firewall policy has NAT enabled using the IP pool. The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.11.50?
- 100.65.0.200.
- 100.65.0.102.
- 100.65.0.101.
- 10.0.11.254.

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?
- NetAPI polling can increase bandwidth usage in large networks.
- The NetSessionEnum function is used to track user logouts.
- The collector agent uses a Windows API to query DCs for user logins.
- The collector agent must search Windows application event logs.

An administrator manages a FortiGate model that supports NTurbo. How does NTurbo acceleration enhance antivirus performance?
- For flow-based inspection, NTurbo establishes a dedicated data path to redirect traffic between the IPS engine and FortiGate ingress and egress interfaces.
- For proxy-based inspection, NTurbo offloads traffic to the content processor.
- For flow-based inspection, NTurbo creates two inspection sessions on the FortiGate device.
- For proxy-based inspection, NTurbo buffers the whole file and then sends it to the antivirus engine.

The exhibits show a diagram of a FortiGate device connected to the network, VIP configuration, firewall policy, and the sniffer CLI output on the FortiGate device. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24. The webserver host (10.0.1.10) must use its VIP external IP address as the source NAT (SNAT) when it pings the remote server (10.200.3.1). Which two statements are valid to achieve this goal? (Choose two.)
- Create a new firewall policy before Internet_Access for the webserver and apply the IP pool.
- Enable NAT on the Allow_access firewall policy.
- Disable port forwarding on the VIP object.
- Disable NAT on the Internet_Access firewall policy.

An administrator has created a new firewall address to use as the destination for a static route. Why is the administrator not able to select the new address in the Destination field of the new static route?
- In the new firewall address, the FQDN address must first be resolved.
- In the new firewall address, Routing configuration must be enabled.
- In the new static route, the administrator must select Named Address.
- In the new static route, the administrator must first set the interface to port2.

As an administrator you have created an IPS profile, but it is not performing as expected. While testing you got the output as shown in the exhibit. What could be the possible reason for the diagnose output shown in the exhibit?
- There is no firewall policy configured with an IPS security profile.
- Administrator entered the command diagnose test application ipsmonitor 5.
- FortiGate entered into IPS fail open state.
- Administrator entered the command diagnose test application ipsmonitor 99.

What would be the impact of these settings on the Server certificate SNI check configuration on FortiGate?
- FortiGate will accept and use the CN in the server certificate for URL filtering if the SNI does not match the CN or SAN fields.
- FortiGate will accept the connection with a warning if the SNI does not match the CN or SAN fields.
- FortiGate will close the connection if the SNI does not match the CN or SAN fields.
- FortiGate will close the connection if the SNI does not match the CN and SAN fields.

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)
- The server name indication (SNI) extension in the client hello message.
- The serial number in the server certificate.
- The subject field in the server certificate.
- The host field in the HTTP header.
- The subject alternative name (SAN) field in the server certificate.

An administrator configured both members of an HA cluster at the same time. After one week of monitoring, the administrator wants to verify the HA failover performance. How can the administrator force a failover?
- The administrator must set the parameter override to enable on HQ-NGFW-2.
- The administrator must reset the HA uptime on HQ-NGFW-1.
- The administrator must set the monitored port1 to down on HQ-NGFW-1.
- The administrator must increase the HA priority on HQ-NGFW-2.

An administrator must enable a DHCP server on one of the directly connected networks on FortiGate. However, the administrator is unable to complete the process on the GUI to enable the service on the interface. In this scenario, what prevents the administrator from enabling DHCP service?
- Another interface is configured as the only DHCP server on FortiGate.
- The DHCP server setting is available only on the CLI.
- The FortiGate model does not support the DHCP server.
- The role of the interface prevents setting a DHCP server.

Refer to the exhibits, which show the firewall policy and an antivirus profile configuration. Why is the user unable to receive a block replacement message when downloading an infected file for the first time?
- Flow-based inspection is used, which resets the last packet to the user.
- The option to send files to FortiSandbox for inspection is enabled.
- The firewall policy performs a full content inspection on the file.
- The intrusion prevention security profile must be enabled when using flow-based inspection mode.

FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles. Which action must the administrator perform to consolidate the two policies into one?
- Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy.
- Select port1 and port2 subnets in a single firewall policy.
- Replace port1 and port2 with the any interface in a single firewall policy.
- Create an Aggregate interface that includes port1 and port2 to create a single firewall policy.

Which three methods are used by the collector agent for AD polling? (Choose three.)
- FortiGate polling.
- FSSO REST API.
- NetAPI.
- WinSecLog.
- WMI.

What are two features of FortiGate FSSO agentless polling mode? (Choose two.)
- FortiGate uses the AD server as the collector agent.
- FortiGate does not support workstation check.
- FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
- FortiGate directs the collector agent to use a remote LDAP server.

FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles. Which action must the administrator perform to consolidate the two policies into one?
- Create an Interface Group that includes port1 and port2 to create a single firewall policy.
- Replace port1 and port2 with the any interface in a single firewall policy.
- Enable Multiple Interface Policies to select port1 and port2 in the same firewall policy.
- Select port1 and port2 subnets in a single firewall policy.

The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to the SSL VPN?
- Change the server IP address.
- Change the idle-timeout.
- Change the SSL VPN port on the client.
- Change the SSL VPN portal to the tunnel.

FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks respectively. Which two statements about the requirements of connected physical interfaces on FortiGate are true? (Choose two.)
- Both interfaces must have directly connected routes on the routing table.
- Both interfaces must have IP addresses assigned.
- Both interfaces must have DHCP enabled and interfaces set to LAN and DMZ roles assigned.
- Both interfaces must have the interface role assigned.

Which two settings are required for SSL VPN to function between two FortiGate devices?
- The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
- The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.
- The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
- The client FortiGate requires a manually added route to remote subnets.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up. Based on the phase 2 configuration shown in the exhibit, which two configuration changes will bring phase 2 up? (Choose two.)
- On HQ-NGFW, set Encryption to AES256.
- On HQ-NGFW, enable Diffie-Hellman Group 2.
- On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0.
- On BR1-FGT, set Seconds to 43200.

Which statement is a characteristic of automation stitches?
- They can run multiple actions at the same time.
- They can be run only on devices in the Security Fabric.
- They can have one or more triggers.
- They can be created only on downstream devices in the fabric.

You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits. You cannot access any of the Google applications, but you are able to access www.fortinet.com. What would you do to resolve this issue?
- Set SSL inspection to deep-content-inspection.
- Add Google.com to the URL category in the security profile.
- Move up Google in the Application and Filter Overrides section to set its priority to 1.
- Change the Inspection mode to Proxy-based.

What are three key routing principles in SD-WAN? (Choose three.)
- By default, SD-WAN rules are skipped if only one route to the destination is available.
- SD-WAN rules have precedence over any other type of routes.
- By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
- Regular policy routes have precedence over SD-WAN rules.
- By default, SD-WAN rules are skipped if the included SD-WAN members do not have a valid route to the destination.

What are two features of the NGFW profile-based mode? (Choose two.)
- NGFW profile-based mode can only be applied globally and not on individual VDOMs.
- NGFW profile-based mode policies support both flow inspection and proxy inspection.
- NGFW profile-based mode supports applying applications and web filtering profiles in a firewall policy.
- NGFW profile-based mode must require the use of central source NAT policy.

Refer to the exhibit. Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?
- All traffic from a source IP to a destination IP is sent to the same interface.
Traffic is distributed based on the number of sessions through each interface. All traffic from a source IP is sent to the same interface. Traffic is sent to the link with the lowest latency. An administrator manages a FortiGate model that supports NTurbo. How does NTurbo enhance performance for flow-based inspection?. NTurbo buffers the whole file and then sends it to the antivirus engine. NTurbo offloads traffic to the content processor. NTurbo creates two inspection sessions on the FortiGate device. NTurbo creates a special data path to redirect traffic between the IPS engine its ingress and egress interfaces. An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW). What must the administrator do to synchronize the address object?. Change the csf setting on both devices to set downstream-access enable. Change the csf setting on ISFW (downstream) to set configuration-sync local. Change the csf setting on Local-FortiGate (root) to set fabric object-unification default. Change the csf setting on ISFW (downstream) to set authorization-request-type certificate. You are encountering connectivity problems caused by intermediate devices blocking IPsec traffic. In which two ways can you effectively resolve the problem? (Choose two.). You should use the protocol IKEv2. You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports. You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500). You can turn on fragmentation to fix large certificate negotiation problems. When configuring firewall policies which of the following is true regarding the policy ID?. It is mandatory to provide a policy ID while creating a firewall policy regardless of GUI or CLI. A policy ID cannot be edited once a policy is created. You can create a policy in CLI with policy ID 0. 
A firewall policy ID identifies the order of policy execution in firewall policies. Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three.). Best Quality with load balancing. Manual with load balancing. Lowest Quality (SLA) with load balancing. Lowest Cost (SLA) with load balancing. Lowest Cost (SLA) without load balancing. Why would the firewall policy not block a well-known virus, for example eicar?. Web filter is not enabled on the firewall policy to complement the antivirus profile. The firewall policy is not configured in proxy-based inspection mode. The action on the firewall policy is not set to deny. The firewall policy does not apply deep content inspection. Refer to the exhibit. Why did the FortiGate device drop the packet?. It matched an explicitly configured firewall policy with the action DENY. It cannot reach the next-hop IP. It matched the default implicit firewall policy. It failed the RPF check. Refer to the exhibit, which shows the IPS sensor configuration. If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose. The sensor will gather a packet log for all matched traffic. The sensor will block all attacks aimed at Windows servers. The sensor will allow attackers matching the Microsoft.Windows.iSCSI.Target.DoS signature. The sensor will reset all connections that match these signatures. Refer to the exhibit showing a FortiGuard connection debug output. Based on the output, which two facts does the administrator know about the FortiGuard connection? (Choose two.). A local FortiManager is one of the servers FortiGate communicates with. One server was contacted to retrieve the contract information. FortiGate is using default FortiGuard communication settings. There is at least one server that lost packets consecutively. Which two statements are true regarding FortiGate HA configuration synchronization? (Choose two.). 
Incremental configuration synchronization can occur from changes made on any FortiGate device within the HA cluster. Checksums of devices are compared against each other to ensure configurations are the same. Checksums of devices will be different from each other because some configuration items are not synced to other HA members. Incremental configuration synchronization can occur only from changes made on the primary FortiGate device. A FortiGate administrator is required to reduce the attack surface on the SSL VPN portal. Which SSL timer can you use to mitigate a denial of service (DoS) attack?. SSL VPN dtls-hello-timeout. SSL VPN http-request-header-timeout. SSL VPN login-timeout. SSL VPN idle-timeout. A FortiGate firewall policy is configured with active authentication, however, the user cannot authenticate when accessing a website. Which protocol must FortiGate allow even though the user cannot authenticate?. DNS. LDAP. TACACS+. Kerberos. A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors. What is the reason for the certificate warning errors?. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions. The full SSL inspection feature does not have a valid license. The matching firewall policy is set to proxy inspection mode. The browser does not trust the certificate used by FortiGate for SSL inspection. An administrator wanted to configure an IPS sensor to block traffic that triggers a signature set number of times during a specific time period. How can the administrator achieve the objective?. Use IPS packet logging option with periodical filter option. Use IPS filter, rate-mode periodical option. Use IPS signatures, rate-mode periodical option. Use IPS group signatures, set rate-mode 60. 
Refer to the exhibit, which shows a routing table. An administrator wants to create a new static route so the traffic to the subnet 172.20.1.0/24 is routed through port2 only. What are the two criteria that the administrator can use to achieve this objective? (Choose two.). The existing static route through port3 must have the distance set to 11. The new static route must have the priority set to 3. The new static route must have the distance set to 9. The new static route must have the metric set to 1. An administrator configured a FortiGate device to act as a collector for agentless polling mode. What must the administrator add to the FortiGate device to retrieve AD user group information?. TACACS server. RADIUS server. LDAP server. Keycloak server. You have configured an application control profile, set peer-to-peer traffic to Block under the Categories tab, and applied it to the firewall policy. However, your peer-to-peer traffic on known ports is passing through the FortiGate without being blocked. What FortiGate settings should you check to resolve this issue?. FortiGuard category ratings. Network Protocol Enforcement. Application and Filter Overrides. Replacement Messages for UDP-based Applications. Which two statements describe characteristics of automation stitches? (Choose two.). Multiple actions can run in parallel. An automation stitch can have multiple triggers. Triggers can involve external connectors. Actions involve only devices included in the Security Fabric. Which two statements about equal-cost multi-path (ECMP) configuration on FortiGate are true?. If SD-WAN is disabled, you can configure the parameter v4-ecmp-mode to volume- based. If SD-WAN is enabled, you control the load balancing algorithm with the parameter load- balance-mode. If SD-WAN is enabled, you can configure routes with unequal distance and priority values to be part of ECMP. If SD-WAN is disabled, you configure the load balancing algorithm in config system settings. FortiGate. 
However, the administrator is unable to complete the process on the GUI to enable the service on the interface. In this scenario, what prevents the administrator from enabling DHCP service?. Another interface is configured as the only DHCP server on FortiGate. The DHCP server setting is available only on the CLI. The FortiGate model does not support the DHCP server. The role of the interface prevents setting a DHCP server. What is the primary FortiGate election process when the HA override setting is enabled?. Connected monitored ports > Priority > HA uptime > FortiGate serial number. Connected monitored ports > System uptime > Priority > FortiGate serial number. Connected monitored ports > Priority > System uptime > FortiGate serial number. Connected monitored ports > HA uptime > Priority > FortiGate serial number. Which two statements are correct when FortiGate enters conserve mode? (Choose two.). FortiGate halts complete system operation and requires a reboot to regain available resources. FortiGate refuses to accept configuration changes. FortiGate continues to transmit packets without IPS inspection when the fail-open global setting in IPS is enabled. FortiGate continues to run critical security actions, such as quarantine. Which two statements about the FortiGuard connection are true? (Choose two.). FortiGate is using the default port for FortiGuard communication. You can configure unreliable protocols to communicate with FortiGuard Server. The weight increases as the number of failed packets rises. FortiGate identified the FortiGuard Server using DNS lookup. FortiGate is integrated with Forti Analyzer and FortiManager. When creating a firewall policy, which attribute must an administrator include to enhance functionality and enable log recording on FortiAnalyzer and FortiManager?. Policy ID. Sequence ID. Universally Unique Identifier. Log ID. 
Which inspection mode does FortiGate use for application profiles if it is configured as a profile- based next- generation firewall (NGFW)?. Flow-based inspection. Full content inspection. Certificate inspection. Proxy-based inspection. What would be the impact of this configuration on FortiGate?. FortiGate will enable strict RPF on all its interfaces and port1 will be enable for asymmetric routing. Port1 will be enabled with flexible RPF, and all other interfaces will be enabled for strict RPF. The global configuration will take precedence and FortiGate will enable strict RPF on all interfaces. FortiGate will enable strict RPF on all its interfaces and port1 will be exempted from RPF checks. An administrator needs to analyze and resolve port conflicts between SSL VPN and HTTPS administrative access on the same interface. In which two ways can this be done? (Choose. Run SSL VPN on one interface using port 443 and enable HTTPS administrative access on a different interface, also using port 443. Change the port number for either the SSL VPN service or the HTTPS administrative service if both are on the same interface. Disable SSL VPN if HTTPS administrative access is using port 443 on any interface. Keep port 443 for both SSL VPN and HTTPS administrative access on the same interface without any problems. Based on this partial configuration, what are the two possible outcomes when FortiGate enters conserve mode? (Choose two.). Administrators must restart FortiGate to allow new sessions. FortiGate skips quarantine actions. FortiGate drops new sessions requiring inspection. Administrators cannot change the configuration. Refer to the exhibit. In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output shown in the exhibit. What should the administrator do next, to troubleshoot the problem? (Choose one answer). Execute a debug flow. 
Capture the traffic using an external sniffer connected to port1. Run a sniffer on the web server. Execute another sniffer on FortiGate, this time with the filter "host 10.0.1.10". A new administrator is configuring FSSO authentication on FortiGate using DC Agent Mode. Which step is NOT part of the expected process? (Choose one answer). The collector agent forwards login event data to FortiGate. The user logs into the windows domain. FortiGate determines user identity based on the IP address in the FSSO list. The DC agent sends login event data directly to FortiGate. An administrator notices that some users are unable to establish SSL VPN connections, while others can connect without any issues. What should the administrator check first? (Choose one answer). Ensure that user traffic is hitting the firewall policy. Ensure that forced tunneling is enabled to reroute all traffic through the SSL VPN. Ensure that the HTTPS service is enabled on SSL VPN tunnel interface. Ensure that the affected users are using the correct port number. When configuring a FortiGate in a multi-WAN setup, why would an administrator enable session preservation on an interface? (Choose one answer). To make sure all sessions without source NAT enabled always use the primary WAN link. To ensure that existing SSL VPN connections remain on the same interface even if route changes occur. To improve security by forcing users to authenticate again when the WAN link changes. To allow the FortiGate to dynamically change interfaces for all active sessions when a WAN link fails. When configuring firewall policies which of the following is true regarding the policy ID? (Choose two answers). A policy ID cannot be edited once a policy is created. A firewall policy ID identifies the order of policy execution in firewall policies. It is mandatory to provide a policy ID while creating a firewall policy regardless of GUI or CLI. You can create a policy in CLI with policy ID 0. Refer to the exhibits. 
The exhibits show a diagram of a FortiGate device connected to the network, as well as the firewall policy and IP pool configuration on the FortiGate device. Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet. Based on the information shown in the exhibit, which two configuration options can the administrator use to fix the connectivity issue for PC3? (Choose two answers). In the system settings, set Multiple Interface Policies to enable. In the firewall policy, set match-vip to enable using CLI. In the IP pool configuration, set type to overload. In the IP pool configuration, set endip to 100.65.0.112. You have configured the FortiGate device for FSSO. A user is successful in log-in to Windows, but their access to the internet is denied. What should the administrator check first? (Choose one answer). The FortiGate firewall policy settings for SSL decryption. Whether the user is assigned to the correct AD group. The FortiGate FSSO active users list for user's IP address. The Windows event viewer for failed login attempts. Refer to the exhibits. An administrator configured the Web Filter Profile to block access to all social networking sites except Facebook. However, when users try to access facebook.com, they are redirected to a FortiGuard web filtering block page. Based on the exhibits, which configuration change must the administrator make to allow Facebook while blocking all other social networking sites? (Choose one answer). Change the type as Simple in the Static URL Filter section. Set the Action as Exempt for www.facebook.com in the Static URL Filter. Set the Social Networking action as warning in the FortiGuard Category Based Filter. Change the Feature set of Web Filter Profile as Proxy-based. Refer to the exhibits. 
The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects. The WAN (port2) interface has the IP address 100.65.0.101/24. The LAN (port4) interface has the IP address 10.0.11.254/24. Which IP address will be used to source NAT (SNAT) the traffic, if the user on HQ-PC-1 (10.0.11.50) pings the IP address of BR-FGT (100.65.1.111)? (Choose one answer). 100.65.0.49. 100.65.0.101. 100.65.0.149. 100.65.0.99. Refer to the exhibits. The exhibits show the system performance output and default configuration of high memory usage thresholds on a FortiGate device. Based on the system performance output, what are the two possible outcomes? (Choose two answers). Administrators can access FortiGate only through the console port. Administrators can change the configuration. FortiGate has entered conserve mode. FortiGate drops new sessions. What are two characteristics of HA cluster heartbeat IP addresses in a FortiGate device? (Choose two answers). Heartbeat IP addresses are used to distinguish between cluster members. Heartbeat interfaces have virtual IP addresses that are manually assigned. A change in the heartbeat IP address happens when a FortiGate device joins or leaves the cluster. The heartbeat interface of the primary device in the cluster is always assigned IP address 169.254.0.1. Refer to the exhibit. Why is the Antivirus scan switch grayed out when you are creating a new antivirus profile for FTP? (Choose one answer). FortiGate, with less than 2 GB RAM, does not support the Antivirus scan feature. None of the inspected protocols are active in this profile. The Feature Set for the profile is Flow-based but it must be Proxy-based. Antivirus scan is disabled under System -> Feature visibility. What are two features of collector agent advanced mode? (Choose two answers). Advanced mode uses the Windows convention—NetBios: Domain\Username. 
In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate. Advanced mode supports nested or inherited groups. In advanced mode, security profiles can be applied only to user groups, not individual users. Refer to the exhibits. A web filter profile configuration and firewall policy configuration are shown. You are trying to access www.facebook.com, but you are redirected to a FortiGuard web filtering block page. Based on the exhibits, what is the possible cause of the issue? (Choose one answer). The firewall policy inspection mode is incorrect. For www.facebook.com, the URL filter action is incorrect. The web rating override configuration is incorrect. The web filter profile feature set is configured incorrectly. Which two statements about the Security Fabric rating are true? (Choose two answers). The root FortiGate provides executive summaries of all the FortiGate devices in the Security Fabric. The Security Posture category provides PCI compliance results. Security Rating Insights are available only in the Security Rating page. A license is required to obtain an executive summary in the Security Rating section. How can the administrator view the log messages shown in the exhibit? (Choose two answers). Filtering by Policy UUID and Application Name in the log entry. By right clicking the Implicit deny policy. Through Security event log page. Through FortiGate CLI command diagnose log test. An administrator wants to address shadow IT visibility challenges and prevent users from sending sensitive files outside the organization without proper approval. Which FortiSASE method should the administrator implement to achieve these goals? (Choose one answer). Secure SD-WAN access (SSD-WAN). Secure internet access (SIA). Secure private access (SPA). Secure SaaS access (SSA). You are configuring FortiAnalyzer on FortiGate. Which step must you take to connect FortiAnalyzer to FortiGate? (Choose one answer). 
Enable disk logging on FortiGate. Authorize FortiGate on FortiAnalyzer. Configure UDP port 514 on FortiGate. Verify the FortiAnalyzer serial number. Refer to the exhibit. You deployed a FortiGate Cloud-Native Firewall (CNF) in AWS for FortiGate CNF policy enforcement for EC2 instance traffic. Which path does the EC2 traffic take from the EC2 instance to the internet? (Choose one answer). EC2 instance → internet gateway (IGW) → gateway load balancer (GWLB) → FortiGate CNF → internet. EC2 instance → GWLBe → FortiGate CNF → GWLBe → IGW → internet. EC2 instance → FortiGate CNF → GWLB → GWLBe → IGW → internet. EC2 instance → GWLB endpoint (GWLBe) → FortiGate CNF → IGW → internet. You are onboarding an agentless, secure web gateway (SWG) endpoint for secure internet access (SIA). What will happen to the user's nonweb traffic? (Choose one answer). All the nonweb traffic will bypass FortiSASE. FortiSASE will use SWG to redirect nonweb traffic to FortiExtender. The endpoint will use split tunneling to redirect nonweb traffic to FortiSASE. FortiSASE will use Firewall-as-a-Service (FWaaS) to redirect nonweb traffic. How does FortiExtender connect to FortiSASE in a site-based, remote internet access method? (Choose one answer). FortiExtender first connects to a FortiGate LAN extension through a secure web gateway (SWG). FortiExtender uses a Virtual Extensible LAN (VXLAN)-over-IPsec connection. FortiExtender uses the proxy auto-configuration (PAC) file and an explicit web proxy to connect. FortiExtender establishes a secure SSL connection using FortiClient. Refer to the exhibit. A partial cloud topology is shown. You deployed a FortiGate Cloud-Native Firewall (CNF) in AWS. During the deployment, which components must the FortiGate CNF create to handle traffic from the EC2 instance? (Choose one answer). The GWLB, GWLBe, and the internet gateway (IGW) in the customer VPC. The CNF VPC, customer VPC, and GWLB. 
The gateway load balancer endpoint (GWLBe) in the customer virtual private cloud (VPC). The customer VPC and GWLBe. Which two ways can you view the log messages shown in the exhibit? (Choose two answers). By right clicking the implicit deny policy. By filtering by policy universally unique identifier (UUID) and application name in the log entry. In the Forward Traffic section. Using the FortiGate CLI command diagnose log test. Which two components are part of the secure internet access (SIA) agent-based mode on FortiSASE? (Choose two answers). FortiExtender. FortiSASE Firewall-as-a-Service (FWaaS). VPN policies. The proxy auto-configuration (PAC) file. There are multiple dialup IPsec VPNs configured in aggressive mode on the HQ FortiGate. The requirement is to connect dial-up users to their respective department VPN tunnels. Which phase 1 setting you can configure to match the user to the tunnel? (Choose one answer). Peer ID. Local Gateway. Dead Peer Detection. IKE Mode Config. Which statement correctly describes Fortinet Security Intelligence Access (SIA)? (Choose one answer). It provides URL filtering based on static local categories only. It is used to authenticate users through FortiAuthenticator. It encrypts traffic between FortiGate and FortiAnalyzer. It uses FortiGuard threat intelligence to dynamically block malicious destinations. What is the primary goal of Fortinet Secure Access Service Edge (SASE)? (Choose one answer). To manage FortiGate devices using FortiManager. To analyze logs and events using FortiAnalyzer. To provide secure connectivity and security services from the cloud for remote users. To replace on-premises firewalls with standalone cloud firewalls. When configuring the connection between FortiGate and FortiAnalyzer, which option indicates that reliable traffic is enabled? (Choose one answer). The interface status is set to up. A padlock icon appears in the connection settings. The connection status shows a green check icon. 
The logging mode is set to real-time. |





