mfvutykcfykuthgcyhkgc

Description:
A watermelon with Wi-Fi floats over a valley of iguanas that use skates made of mantequ

Creation Date: 2025/04/28

Category: Others

Number of questions: 95

Content:

Refer to the exhibit. The exhibit shows a prefix list configuration. What can you conclude from the above prefix-list configuration?. The prefix 10.10.0.0/16 will be denied. The prefixes 10.10.0/16 and 10.0.0.0/16 will be denied. The prefix 10.10.10.0/24 will be permitted. The prefix 10.0.0.0/8 will be permitted.

Refer to the exhibit, which shows device registration on FortiManager. What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?. Based on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated. On NGFW-A, the configuration was changed and the spokes are waiting for an auto-update. On both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database. Spoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

Exhibit. Refer to the exhibit, which shows information about an OSPF interface. What two conclusions can you draw from this command output? (Choose two.). The port3 network has more than one OSPF router. The OSPF routers are in the area ID of 0.0.0.1. The interfaces of the OSPF routers match the MTU value that is configured as 1500. NGFW-1 is the designated router.

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.). OSPF interface network types match. OSPF router IDs are unique. OSPF interface priority settings are unique. OSPF link costs match. Authentication settings match.

Refer to the exhibits, which contain the network topology and BGP configuration for a hub. Exhibit A. An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other. What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?. Configure the hub as a route reflector. Configure auto-discovery-sender on the hub. Add a prefix list to the hub that permits routes to be shared between the spokes. Enable route redistribution under config router bgp.

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?. Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports. Configure set link-failed-signal enable under config system ha on both cluster members. Configure remote link monitoring to detect an issue in the forwarding path. Configure set send-garp-on-failover enable under config system ha on both cluster members.

Which statement about the designated router (DR) and backup designated router (BDR) in an OSPF multi-access network is true?. Only the DR receives link state information from non-DR routers. Non-DR and non-BDR routers form full adjacencies to DR only. FortiGate first checks the OSPF ID to elect a DR. Non-DR and non-BDR routers send link state updates and acknowledgements to 224.0.0.6.

Which two statements about IKE version 2 fragmentation are true? (Choose two.). Only some IKE version 2 packets are considered fragmentable. The reassembly timeout default value is 30 seconds. It is performed at the IP layer. The maximum number of IKE version 2 fragments is 128.

What two conclusions can you draw from the FortiGate output shown in the exhibit? (Choose two.). FortiGate creates separate virtual interfaces for each VPN client. add-route is enabled in the tunnel IPSec phase 1 configuration. FortiGate is not using the destination subnets of the quick mode selectors to populate the routing table. net-device is disabled in the tunnel IPSec phase 1 configuration.

Exhibit. Refer to the exhibit, which shows the output from the webfilter fortiguard cache dump and webfilter categories commands. The administrator must convert the first three digits of the IP hex value to binary. The administrator can look up the hex value of 34 in the second command output. The administrator must add both the Domain and IP hex values of 34 to get the category number. The administrator must convert the first two digits of the Domain hex value to a decimal value.

Which two modifications must you apply to the configuration of this custom signature so that you can save it on FortiGate? (Choose two.). Add severity. Add attack_id. Ensure that the header syntax is F-SBID. Start options with --.

What are two functions of automation stitches? (Choose two.). Automation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds. An automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions. Automation stitches can be configured on any FortiGate device in a Security Fabric environment. An automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Which two statements about the Security Fabric are true? (Choose two.). FortiGate uses the FortiTelemetry protocol to communicate with FortiAnalyzer. Only the root FortiGate sends logs to FortiAnalyzer. Only FortiGate devices with configuration-sync receive and synchronize global CMDB objects that the root FortiGate sends. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.

Refer to the exhibit, which shows an ADVPN network. An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2. What must the administrator configure in the phase 1 VPN IPSEC configuration of the Hub2Hub tunnels?. set auto-discovery-sender enable. set auto-discovery-forwarder enable. set add-route enable. set auto-discovery-receiver enable.

What is true about the Filter override option in the application control profile?. Helps to configure actions for predefined categories. Helps to categorize applications based on behavior risk or on technology. Helps to view the application control signatures for a specific category. Helps to control specific signature and applications.

Refer to the exhibit, which shows the output of a BGP summary. What two conclusions can you draw from this BGP summary? (Choose two.). External BGP (EBGP) exchanges routing information. The BGP session with peer 10.127.0.75 is established. The router 100.64.3.1 has the parameter bfd set to enable. The neighbors displayed are linked to a local router with the neighbor-range set to a value of 4.

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.). OSPF peer interface must have same cost value. OSPF peer interface must have same MTU size. OSPF peer interface must have same Hello and Wait time. OSPF peer interface must have same Hello and Dead time. OSPF peer interfaces must have same network and mask.

Refer to the exhibit, which shows an OSPF network. Which types of link-state advertisements (LSA) will NGFW-1 send if it is a backup designated router (BDR)?. NGFW-1 will send type 1 and type 2 LSAs. NGFW-1 will send type 1 and type 4 LSAs. NGFW-1 will send type 1 and type 3 LSAs. NGFW-1 will send type 1 and type 5 LSAs.

Exhibit. Refer to the exhibit, which contains a CLI script configuration on FortiManager. An administrator configured the CLI script on FortiManager but the script failed to apply any changes to the managed device after being executed. What are two reasons why the script did not make any changes to the managed device? (Choose two.). The commands that start with the # sign did not run. Incomplete commands can cause CLI scripts to fail. Static routes can be added using only TCL scripts. CLI scripts must start with #!.

While configuring the BGP protocol, an administrator applies the set network-import-check disable command under config network. What will FortiGate do as a result of this command?. FortiGate will advertise only the corresponding prefixes in the BGP network table to its BGP neighbor, even if it is not in the routing table. FortiGate will advertise all the prefixes in the BGP network table to its BGP neighbor, even if it is not in the routing table. FortiGate will not advertise any imported routes received from one BGP neighbor to another. FortiGate will not advertise the prefixes, if it is not in the routing table.

Refer to the exhibit, which shows an ADVPN network. The client behind Spoke-1 generates traffic to the device located behind Spoke-2. Which first message does the hub send to Spoke-1 to bring up the dynamic tunnel?. Shortcut query. Shortcut reply. Shortcut offer. Shortcut forward.

Which two statements about metadata variables are true? (Choose two.). You create them on FortiGate. They apply only to non-firewall objects. The metadata format is $<metadata_variable_name>. They can be used as variables in scripts.

After enabling IPS you receive feedback about traffic being dropped. What could be the reason?. Np-accel-mode is set to enable. Traffic-submit is set to disable. IPS is configured to monitor. Fail-open is set to disable.

Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from the output?. set strict-dirty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU. set check-protocol-header loose command enables hardware acceleration on this FortiGate device. set av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP. set memory-use-threshold-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%.

You are testing the implementation of a new custom remote desktop application in your network. In which two ways can you eliminate false positives in IPS during this testing phase? (Choose two). Create an IP address exception. Adjust the rate-based signature threshold and its duration. Enable the preserve source port option in the firewall policy. Permanently bypass the affected endpoints.

Refer to the exhibit, which shows a network diagram. Which IPsec phase 2 configuration should you implement so that only one remote site is connected at any time?. Set route-overlap to allow. Set single-source to enable. Set route-overlap to either use-new or use-old. Set net-device to enable.

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two). It can be configured as an update server, a rating server, or both. It provides VM license validation services. It supports rating requests from non-FortiGate devices. It caches available firmware updates for unmanaged devices.

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?. Only the root FortiGate. Each FortiGate in the Security Fabric. The FortiGate devices performing network address translation (NAT) or unified threat management (UTM), if configured. Only the last FortiGate that handled a session in the Security Fabric.

Which configuration can be used to reduce the number of BGP sessions in an IBGP network?. Route-reflector-peer enable. Route-reflector-client enable. Route-reflector enable. Route-reflector-server enable.

You want to improve reliability over a lossy IPSec tunnel. Which combination of IPSec phase 1 parameters should you configure?. fec-ingress and fec-egress. dpd and dpd-retry interval. fragmentation and fragmentation-mtu. keepalive and keylife.

An administrator configured the following command on FortiGate: config router ospf set restart-mode graceful-restart. Which two statements correctly describe the result of the above command? (Choose two.). FortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes. After the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router. The OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode. In an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover.

Exhibit. Refer to the exhibit which provides information on BGP neighbors. What can you conclude from this command output?. The local FortiGate has initiated a TCP connection, but there is no response from its BGP peer. The local FortiGate starts sending its routing table with its iBGP peer. The local FortiGate is having a fully established and active BGP connection with its peer. The local FortiGate is missing the config neighbor command in its BGP configuration.

You created a VPN community using VPN Manager on FortiManager. You also added gateways to the VPN community. Now you are trying to create firewall policies to permit traffic over the tunnel; however, the VPN interfaces do not appear as available options. Create interface mappings for the IPsec VPN interfaces before you use them in a policy. Refresh the device status using the Device Manager so that FortiGate populates the IPSec interfaces. Configure the phase 1 settings in the VPN community that you didn't initially configure. FortiGate automatically generates the interfaces after you configure the required settings. Install the VPN community and gateway configuration on the FortiGate devices so that the VPN interfaces appear on the Policy Objects on FortiManager.

An administrator is configuring two FortiGate devices in an HA cluster. While configuring the devices, the administrator issues the following commands on both HA cluster members: config system ha set link-failed-signal enable. In which two ways do these commands impact the HA cluster? (Choose two.). They force the former primary to send gratuitous ARP packets when the failover happens to indicate that the virtual MAC address is now using a different device. They force the former primary to shut down all its interfaces for one second when failover happens, excluding the heartbeat and reserved management interfaces. They force both HA devices for remote link monitoring to detect an issue in the forwarding path. They force the switches to update their MAC forwarding tables, when failover happens.

Refer to the exhibit, which contains information about an IPsec VPN tunnel. What two conclusions can you draw from the command output? (Choose two.). Dead peer detection is set to enable. The IKE version is 2. Both IPsec SAs are loaded on the kernel. Forward error correction in phase 2 is set to enable.

You configured an address object on the root FortiGate in a Security Fabric. This object is not synchronized with a downstream device. Which two reasons could be the cause? (Choose two). The address object on the root FortiGate has fabric-object set to disable. The root FortiGate has configuration-sync set to enable. The downstream FortiGate has fabric-object-unification set to local. The downstream FortiGate has configuration-sync set to local.

Which two features are true regarding IPS hardware acceleration? (Choose two.). cp-accel-mode advanced option is available only on FortiGate devices that have one or more CP8 processors. set np-access-mode basic will provide fast path for IPS inspected traffic. FortiGate does not support IPSA if the cp-accel-mode is configured as none. Network processors provide pre-IPS anomaly filtering and logging.

Which two statements about IKE version 2 are true?. Phase 1 includes main mode. It supports the extensible authentication protocol (EAP). It supports the XAuth protocol. It exchanges a minimum of four messages to establish a secure tunnel.

Which two statements about BFD are true? (Choose two.). It can support neighbor only over the next hop in BGP. You can disable it at the protocol level. It works for OSPF and BGP. You must configure it globally only.

Refer to the exhibit, which contains a partial policy configuration. Which setting must you configure to allow SSH?. Specify SSH in the Service field. Configure port 22 in the Protocol Options field. Include SSH in the Application field. Select an application control profile corresponding to SSH in the Security Profiles section.

Exhibit. Refer to the exhibit, which shows a partial web filter profile configuration. What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?. The access is blocked based on the Content Filter configuration. The access is allowed based on the FortiGuard Category Based Filter configuration. The access is blocked based on the URL Filter configuration. The access is blocked if the local or the public FortiGuard server does not reply.

Refer to the exhibit, which shows two configured FortiGate devices and peering over FGSP. The main link directly connects the two FortiGate devices and is configured using the set session-sync-dev <interface> command. What is the primary reason to configure the main link?. To have both sessions and configuration synchronization in layer 2. To load balance both sessions and configuration synchronization between layer 2 and 3. To have only configuration synchronization in layer 3. To have both sessions and configuration synchronization in layer 3.

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.). It caches available firmware updates for both managed and unmanaged devices. It can be configured as an update server, a rating server, or both. It functions as a rating server only for web filtering and antispam services. It downloads license information for registered and unregistered devices.

Which statement is true regarding the Bidirectional Forwarding Detection protocol in BGP?. BFD is only supported when two FortiGate devices are directly connected on the same network. BFD is using BGP keepalive messages to check the status of BGP peer. BFD is used to detect one way device failure. BFD is enabled under config router bfd configuration.

Refer to the exhibit, which shows config system central-management information. Which setting must you configure for the web filtering feature to function?. Add server.fortiguard.net to the server list. Configure securewf.fortiguard.net on the default servers. Set update-server-location to automatic. Configure server-type with the rating option.

Refer to the exhibit, which shows a partial routing table. What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.). IPSec Tunnel aggregation is configured. net-device is enabled in the tunnel IPSec phase 1 configuration. OSPF is configured to run over IPSec. add-route is disabled in the tunnel IPSec phase 1 configuration.

Refer to the exhibit, which contains a partial configuration of the global system. What can you conclude from this output?. NPs and CPs are enabled. Only CPs are disabled. Only NPs are disabled. NPs and CPs are disabled.

Refer to the exhibit, which shows an error in system fortiguard configuration. What is the reason you cannot set the protocol to udp in config system fortiguard?. FortiManager provides FortiGuard. fortiguard-anycast is set to enable. You do not have the corresponding write access. udp is not a protocol option.

Exhibit. Refer to the exhibit, which provides information on BGP neighbors. What can you conclude from this command output?. The router are in the number to match the remote peer. You must change the AS number to match the remote peer. BGP is attempting to establish a TCP connection with the BGP peer. The bfd configuration is set to enable.

Refer to the exhibit, which shows a central management configuration. Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?. Public FortiGuard servers. 10.0.1.242. 10.0.1.244. 10.0.1.243.

Refer to the exhibit, which contains an active-active load balancing scenario. During the traffic flow, the primary FortiGate forwards the SYN packet to the secondary FortiGate. What is the destination MAC address or addresses when packets are forwarded from the primary FortiGate to the secondary FortiGate?. Secondary physical MAC port1. Secondary virtual MAC port1. Secondary virtual MAC port1 then physical MAC port1. Secondary physical MAC port2 then virtual MAC port2.

You want to block access to the website www.eicar.org using a custom IPS signature. Which custom IPS signature should you configure?. F-SBID( --name "eicar"; --protocol udp; --flow from_server; --pattern "eicar"; --context host;). F-SBID( --name "detect_eicar"; --protocol udp; --service dns; --flow from_client; --pattern "www.eicar.org"; --no_case; --context host;). F-SBID( --name "detect_eicar"; --protocol tcp; --service dns; --flow from_server; --pattern "eicar"; --no_case; --context host;). F-SBID( --name "eicar"; --protocol tcp; --service HTTP; --flow from_client; --pattern "www.eicar.org"; --no_case; --context host;).

Refer to the exhibits, which show the configurations of two address objects from the same FortiGate. Why can you modify the Engineering address object, but not the Finance address object?. You have read-only access. FortiGate joined the Security Fabric and the Finance address object was configured on the root FortiGate. FortiGate is registered on FortiManager. Another user is editing the Finance address object in workspace mode.

Which two statements about ADVPN are true? (Choose two.). auto-discovery-receiver must be set to enable on the Spokes. Spoke-to-spoke traffic never goes through the hub. It supports NAT for on-demand tunnels. Routing is configured by enabling add-advpn-route.

ISFW is installed in the access layer, NGFW is performing SNAT and web filtering, DCFW is running IPS. Which two statements are true regarding the Security Fabric logging? (Choose two.). DCFW is responsible for generating UTM logs for file server sessions initiated by Client-1, only if an IPS inspection is triggered. ISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1. The SMB session which is forwarded to NGFW logs that event. The web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log.

Which two statements about ADVPN are true? (Choose two.). You must disable add-route in the hub. All FortiGate devices must be in the same autonomous system (AS). The hub adds routes based on IKE negotiations. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Refer to the exhibit, which shows a routing table. What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.). Remove the 10.1.10.0 prefix from the OSPF network. Configure a distribute-list-out. Configure a route-map out. Disable Redistribute Connected.

Refer to the exhibit, which shows an ADVPN network. Which VPN phase 1 parameters must you configure on the hub for the ADVPN feature to function? (Choose two.). set auto-discovery-forwarder enable. set add-route enable. set auto-discovery-receiver enable. set auto-discovery-sender enable.

How would fec-ingress and fec-egress IPsec configuration affect an IPsec tunnel?. When an FGSP member in FortiGate fails, FortiGate flushes the corresponding tunnels and sends out dead peer detection probes to find unavailable remote peers. FortiGate will consider all IKEV2 packets as fragmentable. If fragmentation occurs, FortiGate will allow the packets at the IKE layer. FortiGate will add additional redundant information to reconstruct any lost or erratically received packets.

Refer to the exhibit, which contains a partial VPN configuration. What can you conclude from this configuration?. FortiGate creates separate virtual interfaces for each dial up client. The VPN should use the dynamic routing protocol to exchange routing information through the tunnels. Dead peer detection is disabled. The routing table shows a single IPSec virtual interface.

Refer to the exhibit, which contains a CLI script configuration on FortiManager. An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?. The script successfully added a static route with gateway 10.20.121.2 on the managed device. CLI scripts must start with #!. The commands are missing d3_cmd at beginning. The CLI scripts failed to execute because of an incomplete command.

Refer to the exhibit, which contains a partial BGP configuration. You want to configure a loopback as the BGP source. Which two parameters must you set in the BGP configuration? (Choose two). ebgp-enforce-multihop. recursive-next-hop. ibgp-enforce-multihop. update-source.

Refer to the exhibit, which shows an SSL certificate inspection configuration. Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?. FortiGate uses the first entry listed in the SAN field in the server certificate. FortiGate uses the CN information from the Subject field in the server certificate. FortiGate uses the SNI from the user's web browser. FortiGate closes the connection because this represents an invalid SSL/TLS configuration.

Refer to the exhibit, which contains a partial OSPF configuration. What can you conclude from this output?. Neighbors maintain communication with the restarting router. The router sends grace LSAs before it restarts. FortiGate restarts if the topology changes. The restarting router sends gratuitous ARP for 30 seconds.

Which statement about network processor (NP) offloading is true?. For TCP traffic FortiGate CPU offloads the first packets of SYN/ACK and ACK of the three-way handshake to NP. The NP provides IPS signature matching. You can disable the NP for each firewall policy using the command np-acceleration set to loose. The NP checks the session key or IPSec SA.

Which two statements about the Security Fabric are true? (Choose two.). Each member of the Security Fabric maintains the shared Security Fabric map. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer. FortiGate uses the FortiTelemetry protocol to communicate with FortiAnalyzer. Each FortiGate device in the Security Fabric must have bidirectional FortiTelemetry connectivity. Only FortiGate devices with configuration-sync set to Local receive and synchronize the global CMDB objects that the root FortiGate sends.

How are bulk configuration changes made using FortiManager CLI scripts? (Choose two.). When run on the Device Database, changes are applied directly to the managed FortiGate device. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history. When run on the Policy Package, ADOM database, you must use the installation wizard to apply the changes to the managed FortiGate device.

Which two statements about the BFD parameter in BGP are true? (Choose two.). It allows failure detection in less than one second. The two routers must be connected to the same subnet. It is supported for neighbors over multiple hops. It detects only two-way failures.

Refer to the exhibit, which contains an ADVPN network diagram and a partial BGP configuration. Which two parameters should you configure in config neighbor range? (Choose two.). set prefix 172.16.1.0 255.255.255.0. set route reflector-client enable. set neighbor-group advpn. set prefix 10.1.0 255.255.254.0.

Refer to the exhibit, which shows a network diagram. Which protocol should you use to configure the FortiGate cluster?. FGCP in active-passive mode. FGSP. VRRP. FGCP in active-active mode.

Refer to the exhibit, which contains a TCL script configuration on FortiManager. An administrator has configured the TCL script on FortiManager, but the TCL script failed to apply any changes to the managed device after being run. Why did the TCL script fail to make any changes to the managed device?. The TCL procedure run_cmd has not been created. The TCL script must start with #include. There is no corresponding #! to signify the end of the script. The TCL procedure lacks the required loop statements to iterate through the changes.

Refer to the exhibit, which shows an OSPF network. Which types of link-state advertisements (LSA) will NGFW-1 send, if it is a backup designated router (BDR)?. NGFW-1 will send type 1 and type 2 LSAs. NGFW-1 will send type 1 and type 3 LSA. NGFW-1 will send type 1 and type 4 LSA. NGFW-1 will send type 1 and type 5 LSA.

Which two statements about the neighbor-group command are true? (Choose two.). You can configure it on the GUI. It applies common settings in an OSPF area. It is combined with the neighbor-range parameter. You can apply it in Internal BGP (IBGP) and External BGP (EBGP).

Refer to the exhibit, which contains the partial ADVPN configuration of a spoke. Which two parameters must you configure on the corresponding single hub? (Choose two.). Set auto-discovery-sender enable. Set ike-version 2. Set auto-discovery-forwarder enable. Set auto-discovery-receiver enable.

Which statement about ADVPN is true?. It only uses BGP for dynamic routing. It requires all the devices must be on the same AS for inter-region ADVPN topology. It is a combination of hub-and-spoke and full-mesh topologies. It supports only on single hub-and-spoke architecture.

You want to configure faster failure detection for BGP. Which parameter should you enable on both connected FortiGate devices?. Ebgp-enforce-multihop. bfd. Distribute-list-in. Graceful-restart.

Refer to the exhibit. The partial interface configuration of two FortiGate devices is shown. Which two conclusions can you draw from this configuration? (Choose two.). You can include 4.4.4.4 and 4.4.4.2 IP addresses using set vrdst command. At the time of failover, FortiGate_A will change its priority to 30. By default, preemption mode is enabled. In VRRP, you are restricted to add a third FortiGate into VRRP group 1.

Refer to the exhibit, which contains the partial interface configuration of two FortiGate devices. Which two conclusions can you draw from this configuration? (Choose two). 10.1.5.254 is the default gateway of the internal network. On failover new primary device uses the same MAC address as the old primary. The VRRP domain uses the physical MAC address of the primary FortiGate. By default FortiGate B is the primary virtual router.

Refer to the exhibit, which shows information about an OSPF interface. What two conclusions can you draw from this command output? (Choose two.). NGFW-1 sends its LSA updates to 224.0.0.6 address. NGFW-1 sends its LSA updates to 224.0.0.5 address. NGFW-1 forms neighbor adjacency only with DR and BDR router. NGFW-1 forms neighbor adjacency only if other OSPF routers match the wait time of 40 seconds.

Refer to the exhibit, which shows a partial routing table. What two conclusions can you draw from the FortiGate output shown in the exhibit? (Choose two.). FortiGate creates separate virtual interfaces for each VPN client. add-route is enabled in the tunnel IPsec phase 1 configuration. FortiGate is not using the destination subnets of the quick mode selectors to populate the routing table. net-device is disabled in the tunnel IPsec phase 1 configuration.

Which statement about meta fields is true?. Meta fields must be set to required. Meta field changes are applied only at the ADOM level. Meta fields are useful for creating multiple objects with the same logical name but different values. Meta fields can be used as variables in scripts or provisioning templates.

An administrator is configuring application control with FortiGate running in next-generation firewall (NGFW) policy-based mode. Which two actions must the administrator take? (Choose two.). Configure the action as quarantine, if an application requires feedback to prevent instability. Configure central source network address translation (SNAT), if NAT is required. Create an application control profile and apply the profile to a firewall policy. Specify an SSL/SSH inspection profile on a consolidated policy.

An administrator must improve the resiliency of a link by minimizing data loss within the enterprise network that has full path redundancy. What should the administrator enable on the FortiGate devices that use BGP as the dynamic routing protocol between two separate autonomous systems? (Choose two.). graceful-restart. ibgp-multipath. bfd. route-reflector-client.

You want to know which content processor (CP) model FortiGate contains. Which command should you enter?. get hardware status. diagnose hardware deviceinfo. get hardware cp. diagnose hardware lspci | grep 4e36.

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?. Enable AD-VPN in IPsec phase 1. Configure IP addresses on IPsec virtual interfaces. Set protected network to all. Disable add-route on hub.

You want to have faster detection for OSPF. Which parameter should you enable on both connected FortiGate devices?. distribute-list-in. rfc1583-compatible. restart-on-topology-change. bfd.

Which two statements about the Security Fabric are true? (Choose two.). FortiGate uses the FortiTelemetry protocol to communicate with FortiAnalyzer. Only the root FortiGate sends logs to FortiAnalyzer. Only FortiGate devices with configuration-sync set to default receive and synchronize global CMDB objects that the root FortiGate sends. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.

Refer to the exhibit, which shows information about an OSPF interface of hub router NGFW-1. Change the network type to point-to-multipoint. Change the router ID to 0.0.0.65. Change the router ID to 0.0.0.95. Change the router priority to 200.

How would fec-ingress and fec-egress IPsec configuration affect an IPsec tunnel?. FortiGate will consider all IKEv2 packets as fragmentable. When an FGSP member in FortiGate fails, FortiGate flushes the corresponding tunnels and sends out dead peer detection probes to find unavailable remote peers. If fragmentation occurs, FortiGate will allow the packets at the IKE layer. FortiGate will add additional redundant information to reconstruct any lost or erratically received packets.

Refer to the exhibits. A network diagram and the output from the command config system ha are shown. The administrator has configured the cluster with the commands shown in the exhibit. Why is the HA cluster not forming?. The administrator must reconfigure the monitor interface. The administrator must reconfigure the cluster in active-active mode. The administrator must reconfigure the cluster in FGSP mode. The administrator must reconfigure the heartbeat interface.

Refer to the exhibit. An administrator wants to expand the network by adding two additional FortiGate devices into AS 6500. Which configuration is the most effective way to improve BGP convergence in this scenario?. Prefix list. Route reflector. BFD. Neighbor group.

Which statement about network processor (NP) offloading is true?. When NP acceleration is enabled, firewall sessions may not offload if proxy-based security profiles are included in the firewall policy. You can disable the NP for each firewall policy using the command np-acceleration set to loose. The FortiGate CPU offloads all firewall sessions that require FortiOS session helper to the network processing unit (NPU). For UDP traffic, the FortiGate CPU offloads the first packet to identify it as fast-path traffic.

Which two configurations are mandatory for an auto-discovery VPN (ADVPN) implementation on a hub? (Choose two.). The remote-ip must be on a different IP address from the overlay subnet. set net-device must be disabled to avoid dynamic interface creation. set add-route must be enabled to add routes. An overlay IP address with a mask of /32 must be assigned to the IPsec virtual interface.

Which two statements about IKE version 2 fragmentation are true? (Choose two.). IKEv2 fragmentation is performed at the IP layer. The reassembly timeout default value is 30 seconds. Only some IKE version 2 packets are considered fragmentable. The maximum number of IKE version 2 fragments is 64.
