Which of the following settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.) Trusted host SSH Trusted authentication HTTPS FortiTelemetry.
What is the purpose of the Policy Lookup feature? It searches the matching policy based on input criteria. It creates a new firewall policy based on input criteria. It finds duplicate objects in firewall policies. It creates packet flow over FortiGate by sending real-time traffic.
Which statements are true regarding incoming and outgoing interfaces in firewall policies? (Choose two.) A zone can be chosen as the outgoing interface. An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional. Multiple interfaces can be selected as incoming and outgoing interfaces. Only the any interface can be chosen as an incoming interface.
Which statement about firewall policy NAT is true? You must configure SNAT for each firewall policy. DNAT can automatically apply to multiple firewall policies, based on DNAT rules. SNAT can automatically apply to multiple firewall policies, based on SNAT policies. DNAT is not supported.
An administrator has configured central DNAT and virtual IPs. Which of the following can be selected in the firewall policy Destination field? An IP pool The mapped IP address object of the VIP object A VIP object A VIP group.
Examine this partial output from the diagnose sys session list CLI command:
diagnose sys session list
session info: proto=6 proto_state=05 duration=2 expire=78 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
What does this output state? proto_state=05 is the TCP state. proto_state=05 means there is only one-way traffic. proto_state=05 is the UDP state. proto_state=05 is the ICMP state.
What methods can be used to deliver the token code to a user who is configured to use two-factor authentication? (Choose three.) Instant message app FortiToken SMS text message Voicemail message Email.
FortiGate has been configured for Firewall Authentication. When attempting to access an external website, the user is not presented with a login prompt. What is the most likely reason for this situation? The user is using a super admin account. No matching user account exists for this user. The user is using a guest account profile. The user was authenticated using passive authentication.
View the exhibit. What does this raw log indicate? (Choose two.) FortiGate allowed the traffic to pass. 10.0.1.10 is the IP address for *.cdn.mozilla.net. Traffic originated from 184.108.40.206. Traffic matches the application profile on firewall policy ID 1.
What fields are included in the header section of a log message? (Choose three.) policyid action level date and time type and subtype.
What behavior results from this full (deep) SSL configuration? (Choose two.) A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted. The browser bypasses all certificate warnings and allows the connection. A temporary trusted FortiGate certificate replaces the server certificate, even when the server certificate is untrusted. A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
Which of the following statements about blocking known Botnet Command and Control domains are true? (Choose two.) The Botnet Command and Control domains can be enabled in the Web Filter profile. DNS lookups are checked against the Botnet Command and Control database. You must manually download the Botnet Command and Control database and import it into FortiGate. This service requires a FortiGuard antivirus license.
Which of the following are valid actions for static URL filtering? (Choose three.) Block Exempt
Examine the following log message attributes and select two correct statements from the list below. (Choose two.)
hostname=www.youtube.com profiletype="Webfilter_Profile" profile="default" status="passthrough" msg="URL belongs to a category with warnings enabled"
The website was allowed on the first attempt. The user failed authentication. The user was prompted to decide whether to proceed or go back. The category action was set to warning.
Which of the following statements about the FortiGate application control database are true? (Choose two.)
The application control database is part of the IPS signatures database. The application control database updates are included in the free FortiGuard service. The application control database uses TCP port 53 for downloads. The application control database uses a hierarchical structure to organize application signatures.
Which of the following statements about application control profile mode are true? (Choose two.) It uses flow-based scanning techniques, regardless of the inspection mode used. It can be configured in either flow-based profile-based or proxy-based FortiOS inspection mode. It cannot be used in conjunction with IPS scanning. It can scan only unsecure protocols.
What is the application control profile scanning order? Application Overrides > Filter Overrides > Categories Filter Overrides > Application Overrides > Categories > Traffic Shaping Override Categories > Application Overrides > Filter Overrides Filter Overrides > Application Overrides > Categories.
Which of the following statements about FortiGate antivirus databases are true? (Choose two.) The normal database is available on all FortiGate models. The extreme database is available only on certain FortiGate models. The quick scan database is part of the normal database. The extended database is available only if grayware scanning is enabled.
Which of the following statements about antivirus scanning in proxy-based inspection mode are true? (Choose two.) A file does not need to be buffered completely before it is moved to the antivirus engine for scanning. The client must wait for the antivirus scan to finish scanning before it receives the file. If a virus is detected, a block replacement message is displayed immediately. FortiGate sends a reset packet to the client if antivirus reports the file as infected.
An administrator configured antivirus in flow-based inspection mode on the FortiGate. While testing the configuration, the administrator noticed that eicar.com test files can be downloaded using HTTPS protocol only. What is causing this issue? The test file is larger than the oversize limit. Hardware acceleration is in use. HTTPS protocol is not enabled under Inspected Protocols. Full-content inspection for HTTPS is disabled.
An administrator wants to monitor their network for any probing attempts aimed to exploit existing vulnerabilities in their servers. What must they configure on their FortiGate to accomplish this? (Choose two.) A web filtering profile using FortiGuard web rating. A DoS policy, and log all UDP and TCP scan attempts. An application control profile and set all application signatures to monitor. An IPS sensor to monitor all signatures applicable to the server.
Examine the exhibit, which shows a firewall policy configured with multiple security profiles. If the FortiGate is set for proxy inspection mode, which security profiles will be handled by the IPS engine? (Choose two.) AntiVirus Application Control Web Filter IPS.
An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to the SSL-VPN. How can this be achieved? Disabling split tunneling Configuring web bookmarks. Using web-only mode. Assigning public IP addresses to SSL-VPN users.
An administrator needs to create a tunnel mode SSL-VPN to access an internal web server from the Internet. The web server is connected to port1. The Internet is connected to port2. Both interfaces belong to the VDOM named Corporation. What interface must be used as the source for the firewall policy that will allow this traffic? port2 port1 ssl.root ssl.Corporation.
View the exhibit. Which of the following statements about the configuration settings is true? When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens. When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens. The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
Which of the following are differences between IPsec main mode and IPsec aggressive mode? (Choose two.) Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not. Main mode cannot be used for dialup VPNs, while aggressive mode can. Aggressive mode supports XAuth, while main mode does not.
Which of the following network settings can an IPsec gateway assign to an IPsec client using IP config mode? (Choose two.) NAT-T IP address Quick mode selectors DNS IP address.
What is eXtended Authentication (XAuth)? It is an IPsec extension that authenticates remote VPN peers using a preshared key. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (user name and password). It is an IPsec extension that forces remote VPN users to authenticate using their local ID. It is an IPsec extension that authenticates remote VPN peers using digital certificates.
Which file names will match the *.tiff file name pattern configured in a DLP filter? (Choose two.) gif.tiff tiff.jpeg tiff.png tiff.tiff.
View the routing table, then identify which route will be selected when trying to reach 10.20.30.254? 10.20.30.0/24 [10/0] via 172.20.167.254, port3 10.30.20.0/24 [10/0] via 172.20.121.2, port1 10.20.30.0/26 [10/0] via 172.20.168.254, port2 0.0.0.0/0 [10/0] via 172.20.121.2, port1.
View the routing table and sniffer output in the exhibit. Assuming telnet service is enabled for port1, which one of the following statements correctly describes why FGT1 is not responding to the SYN packets? The port1 interface is administratively down. The connection is denied because of forward policy check. The connection is dropped because of reverse path forwarding check. The port1 interface does not have an IP address.
View the exhibit. A user at 192.168.32.15 is trying to access the web server at 172.16.32.254.
Which of the following statements best describes how the FortiGate will perform reverse path forwarding (RPF) checks on this traffic? (Choose two.) Strict RPF check will allow the traffic. Strict RPF check will deny the traffic. Loose RPF check will deny the traffic. Loose RPF check will allow the traffic.
Which of the following statements are true regarding the SD-WAN feature on FortiGate? (Choose two.) Each member interface requires its own firewall policy to allow traffic. FortiGate supports only one SD-WAN interface per VDOM. SD-WAN provides route failover protection, but cannot load-balance traffic. An SD-WAN static route does not require a next-hop gateway IP address.
A firewall administrator wants to implement SD-WAN. The load-balancing algorithm must use one interface until the session volume reaches 80% threshold, at which point the algorithm should start using the next SD-WAN member interface. Which one of the load-balancing algorithms will achieve this? Source-destination IP Volume Spillover Sessions.
Examine the exhibit, which shows a FortiGate device with two VDOMs: VDOM1 and VDOM2. Both VDOMs are operating in NAT/route mode. The subnet 10.0.1.0/24 is connected to VDOM1. The subnet 10.0.2.0/24 is connected to VDOM2. There is an inter-VDOM link between VDOM1 and VDOM2.
What is required in the FortiGate configuration to route traffic between both subnets through an inter-VDOM link? A static route in VDOM2 with the destination subnet matching the subnet assigned to the inter-VDOM link. A static route in VDOM1 for the destination subnet of 10.0.1.0/24. A static route in VDOM2 for the destination subnet 10.0.1.0/24. A firewall policy in VDOM1 to allow the traffic from 10.0.1.0/24 to 10.0.2.0/24 with port1 as the source interface and port2 as the destination interface.
A FortiGate has multiple VDOMs operating in NAT mode with multiple VLAN interfaces in each VDOM. Which of the following statements is true regarding the IP addresses assigned to each VLAN interface? Different VLANs can never share the same IP address on the same physical device. Different VLANs can share the same IP address as long as they are in different physical interfaces. Different VLANs can share the same IP address as long as they are in different VDOMs. Different VLANs can share the same IP address as long as they have different VLAN tag IDs.
Which of the following configuration settings are global settings? (Choose two.) HA settings FortiGuard settings User & Device settings Firewall policies.
A client workstation is connected to FortiGate port2. The FortiGate port1 is connected to an ISP router. Port2 and port3 are both configured as a software switch. What IP address must be configured on the workstation as the default gateway? The FortiGate's management IP address. The router IP address. The port2 IP address. The software switch interface IP address.
What are the advantages of an IPsec hub-and-spoke topology over an IPsec full mesh topology? (Choose two.) More tolerant of VPN failures Faster connection speed Easier to scale Easier to configure.
Which of the following statements are true about route-based IPsec VPNs? (Choose two.) They can be created in transparent mode VDOMs. They support L2TP-over-IPsec tunnels. They require firewall policies with the Action set to IPsec. A virtual IPsec interface is created automatically after a phase 1 is added to the configuration.
Under which circumstance is the IPsec ESP traffic encapsulated over UDP? When the phase 1 is configured to use aggressive mode. When NAT-T detects there is a device between both IPsec peers doing NAT over the IPsec traffic. When the IPsec VPN is configured as dial up. When using IKE version 2 (IKEv2).
Which of the following statements about advanced AD access mode for the FSSO collector agent are true? (Choose two.) FortiGate can act as an LDAP client to configure the group filters. It uses the Windows convention for naming; that is, Domain\Username. It supports monitoring of nested groups. It is only supported if DC agents are deployed.
What does the command diagnose debug fsso-polling refresh-user do? It refreshes all users learned through agentless polling. It enables agentless polling mode real-time debug. It displays status information and some statistics related to the polls done by FortiGate on each DC. It refreshes user group information from any servers connected to FortiGate using a collector agent.
Which statement best describes the role of a DC agent in an FSSO DC agent mode solution? Captures the user IP address and workstation name and forwards them to FortiGate. Captures the logon events and forwards them to FortiGate. Captures the logon and logoff events and forwards them to the collector agent. Captures the logon events and forwards them to the collector agent.
Which statement about traffic flow in an active-active HA cluster is true? The ACK from the client is received on the physical MAC address of the primary device. The secondary device responds to the primary device with a SYN/ACK, then the primary device forwards the SYN/ACK to the client. The SYN packet from the client always arrives at the primary device first. All FortiGate devices are assigned the same virtual MAC addresses for the HA heartbeat interfaces to redistribute to the sessions.
Which statement about the HA override setting in FortiGate HA clusters is true? It is used to enable monitored ports. Configuring the HA override will reboot the FortiGate device. It synchronizes device priority on all cluster members. You must configure override settings manually and separately for each cluster member.
Which protocols can a client use to authenticate against a FortiGate configured as transparent web proxy? (Choose three.) SSH SMTP SOCKS HTTP FTP.
How can you configure the web proxy to block HTTP packets that request a specific HTTP method? Create a DNS filter that matches the HTTP method, and apply it to a proxy policy with the action DENY. Create a proxy address that matches the HTTP method, and apply it to a proxy policy with the action DENY. Apply a web filter profile to a proxy policy that blocks the HTTP method. Create a firewall service that matches the HTTP method, and apply it to a proxy policy with the action DENY.
Examine this FortiGate configuration:
config system global
set av-failopen pass
set fail-open disable
Examine the output of the following debug command:
# diagnose hardware sysinfo conserve
memory conserve mode: on
total RAM: 3040 MB
memory used: 2706 MB 89% of total RAM
memory freeable: 334 MB 11% of total RAM
memory used + freeable threshold extreme: 2887 MB 95% of total RAM
memory used threshold red: 2675 MB 88% of total RAM
memory used threshold green: 2492 MB 82% of total RAM
Based on the diagnostics outputs above, how is the FortiGate handling packets that require IPS inspection? They are dropped. They are allowed and inspected as long as no additional proxy-based inspection is required. They are allowed and inspected. They are allowed, but with no inspection.
When does the FortiGate enter into fail-open session mode? When a proxy (for proxy-based inspection) runs out of connections. When memory usage goes above the red threshold. When CPU usage goes above the red threshold. When memory usage goes above the extreme threshold.
Can you use NTurbo hardware acceleration for proxy-based inspection mode antivirus scans? Yes No.
Which protocol does FortiGate use to download antivirus and IPS packages? UDP TCP.
How does FortiGate check content for spam or malicious websites? Live queries to FortiGuard over UDP Local verification using the downloaded web filter database locally on FortiGate.
How do you restrict logins to FortiGate to be only from specific IP addresses? Disable HTTPS access on interface Configure trusted host.
When configuring FortiGate as a DHCP server to restrict access by MAC address, what does the Assign IP option do? Assign a specific IP address to a MAC address Dynamically assign an IP to a MAC address.
When configuring FortiGate as a DNS server, which resolution method uses the FortiGate DNS database only to try to resolve queries? Non-recursive Recursive.
When restoring an encrypted system configuration file, in addition to needing the FortiGate model and firmware version from the time the configuration file was produced, you also must provide: The password to decrypt the file The private decryption key to decrypt the file.
What are the essential devices that are required by the Fortinet Security Fabric? FortiAnalyzer, FortiManager, and FortiGates FortiAnalyzer and FortiGates.
What criteria does FortiGate use to match traffic to a firewall policy? Source and destination interfaces Security profiles.
What must be selected in the Source field of a firewall policy? At least one address object At least one source user and one source address object
On which FortiGate interface is Device Detection enabled when configuring a firewall policy with a device definition? Source interface of the firewall policy Destination interface of the firewall policy.
Firewall policy name is mandatory when configuring on the _______. CLI GUI.
What will happen when the Action option in the firewall policy is set to Learn? All services in the firewall policy are enabled Hidden security profiles are enabled.
What is the purpose of applying security profiles to a firewall policy? To allow access to certain subnets To protect your network from threats and control access to specific applications and URLs.
Which of the following is the default VIP type? static-nat load-balance.
Which one of the following statements is true? Central NAT is not enabled by default. Both central NAT and firewall policy NAT can be enabled together.
What happens if there is no matching central SNAT policy or no central SNAT policy configured? The egress interface IP will be used. FortiGate drops traffic.
Which method would be used for advanced application tracking and control? Session helper Application layer gateway.
Which profile is an example of application layer gateway? WAF profile VOIP profile.
An administrator wants to check the total number of TCP sessions for an IP pool named INTERNAL. Which one of the following CLI commands should the administrator use? diag firewall ippool-all stats INTERNAL diag firewall ippool-all list INTERNAL.
When FortiGate uses a RADIUS server for remote authentication, which statement about RADIUS is true? FortiGate must query the remote RADIUS server using the distinguished name (dn). RADIUS group memberships are provided by vendor specific attributes (VSAs) configured on the RADIUS server.
Which of the following is a valid reply from a RADIUS server to an ACCESS-REQUEST packet from FortiGate? ACCESS-PENDING ACCESS-REJECT.
A remote LDAP user is trying to authenticate with a user name and password. How does FortiGate verify the login credentials? FortiGate queries its own database for user credentials. FortiGate sends the user entered credentials to the remote server for verification.
Which statement about guest user groups is true? Guest user group accounts are temporary. Guest user group account passwords are temporary.
Which local storage type is preferred for logging? Flash memory Hard drive.
The system reserves approximately ___ % of its disk space for system usage and unexpected quota overflow. 75 25.
The primary purpose of which device is to store and analyze logs? FortiAnalyzer FortiManager.
What protocol does FortiGate use to send encrypted logs to FortiAnalyzer? OFTPS SSL.
If you enable reliable logging, which transport protocol will FortiGate use?
What attribute or extension is used to identify the owner of a certificate? The subject name in the certificate The unique serial number in the certificate.
How does FortiGate check to see if a certificate has been revoked? It checks the CRL that resides on FortiGate. It retrieves the CRL from a directory server.
Which one of the following is a certificate extension and value that is required in the FortiGate CA certificate in order to enable full SSL inspection? CRL DP=ca_arl.arl cA=True.
For full SSL inspection, which configuration requires FortiGate to act as a CA? Multiple clients connecting to multiple servers Protecting the SSL server.
Deleting a CSR that is a pending state does not impact your ability to install the certificate. True False.
What is one reason why a CA would trust and accept a CSR from a FortiGate? The CSR is signed by the FortiGate's private key. The CA inherently trusts all FortiGates.
Which of the following is a valid action for FortiGuard web category filtering? Allow Deny.
Which of the following statements about blocking the known Botnet Command and Control domains is true? DNS lookups are checked against the Botnet Command and Control database. The Botnet Command and Control domains can be enabled in the Web Filter profile.
Which of the following web filtering modes inspects only the fully qualified domain name? Proxy based DNS based.
Which statement about application control is true? It uses the IPS engine to scan traffic for application patterns. It is unable to scan P2P architecture traffic.
Which statement about the application control database is true? The application control database is separate from the IPS database. The application control database must be updated manually.
Which statement about application control in NGFW policy-based configuration is true? Applications are applied directly to the firewall policies. The application control profile must be applied to firewall policies.
What statement about the HTTP block page for application control is true? It can be used only for web applications. It works for all types of applications.
Which of the following information will not be included in the application event log when using NGFW policy-based mode? Application control profile name Application name.
Which databases can be manually selected for use in antivirus scanning? Normal, Extended, and Extreme Quick, Normal, and Extreme.
How do you enable botnet protection? Enable botnet scans under FortiSandbox configuration. Enable botnet scans on external (WAN) facing interfaces.
What does the logging of oversized files option do? Enables logging of all files that cannot be scanned due to oversize limit. Logs all files that are over 5MB.
Which of the following are evaluated first in an IPS sensor? IPS filter IPS signature.
Which IPS component is updated most frequently? Protocol decoders IPS signature database.
WAF protocol constraints protect against what type of attacks? Buffer overflow ICMP Sweep.
To use the WAF feature, which inspection mode should be used? Flow Proxy.
Which Chipset uses NTurbo to accelerate IPS sessions? CP9 SoC3.
Which of the following features requires full SSL inspection to maximize its detection capability? WAF DoS.
When IPS fail open is triggered, what is the expected behavior if the IPS fail open option is set to enabled? New packets will pass through New packets will be dropped.
A web-mode SSL-VPN user connects to a remote web server. What is the source IP address of the HTTP request the web server receives? The remote user's IP address The FortiGate device's internal IP address.
A web-mode SSL-VPN user accesses internal network resources by using: Bookmarks FortiClient.
Which FortiGate interface allows administrators to create user-specific bookmarks? Command line interface (CLI) Graphical user interface (GUI).
In which encapsulation mode is the original IP header protected? Tunnel mode Transport mode.
Which encapsulation mode is used for end-to-end (or client-to-client) VPNs? Tunnel mode Transport mode.
Which statement about quick mode selectors is true? Only phase 2 has quick mode selectors. Only phase 1 has quick mode selectors.
Dialup IPsec is also known as? point-to-point point-to-multipoint.
Which actions can you configure in a DLP filter? Monitor Log only.
Which filter types can be configured for DLP? Files type filter Messages type filter.
Which statement about fingerprinting sensitivity in DLP is true? Custom fingerprint sensitivity level can be configured on the CLI only. FortiGate appends a fingerprint sensitivity tag to all emails sent by users.
Which of the following items can be archived by a DLP sensor that is configured for summary archiving? Sender email address (in the case of SMTP traffic) Attached file (in the case of SMTP traffic).
When a file matches more than one rule in a DLP sensor, what action does FortiGate take? The action specified by the rule that most specifically matches the file. The action specified in the first rule from top to bottom.
Which of the following objects can be used to create static routes? ISDB objects Service objects.
What is the expected behavior when the Stop policy routing action is used in a policy route? FortiGate will skip over this policy route and try to match another in the list. FortiGate will route the traffic based on the regular routing table.
The Priority attribute applies to which type of routes? Static Dynamic.
Which attribute does FortiGate use to determine the best route for a packet, if it matches multiple dynamic routes that have the same Distance? Priority Metric.
Which of the following route attributes does not appear on the GUI routing monitor? Distance Priority.
What is the default ECMP method on FortiGate? Weighted source IP
What is the default RPF check method on FortiGate? Loose Strict.
Which of the following route lookup scenarios will satisfy the RPF Check for a packet? Routing table has an active route for the destination IP of the packet. Routing table has an active route for the source IP of the packet.
What is the purpose of the link health monitor setting update-static-route? It creates a new static route for the backup interface. It removes all static routes associated with the link health monitor's interface.
When using link health monitoring, which route attribute must also be configured to achieve route failover protection? Distance Metric.
Which method of load balancing is supported by SD-WAN but not supported by ECMP routing? Sessions Volume.
Which of the following configuration tasks is correct when implementing SD-WAN? Configure a default route using the sd-wan virtual interface. Configure firewall policies for each individual member interface.
Which of the following status check protocols is only available from the CLI? TCP-Echo HTTP.
Which of the following is an SD-WAN rule matching parameter for traffic sources? User groups IPS signatures.
You can configure SD-WAN rules to choose the egress interface based on which one of the following parameters? Cost Latency.
Which of the following should be used to monitor the session distribution across the SD-WAN member interfaces? SD-WAN Link Status monitor SD-WAN Usage monitor.
When verifying SD-WAN traffic routing with the CLI packet capture tool, which verbosity level should you use? 1 4.
Which is a requirement for creating an inter-VDOM link between two VDOMs? The inspection mode of at least one VDOM must be proxy based. At least one of the VDOMs must be operating in NAT mode.
Which type of VDOM link requires that both sides of the link be in the same IP subnet? NAT-to-transparent NAT-to-NAT.
Of these options, which one is a possible reason why an administrator might not be able to gain access to a specific VDOM? The administrator is using an IP address not specified as a trusted host. The administrator is using the Super_Admin profile.
Which troubleshooting tool is best suited when trying to verify the firewall policy used by an inter-VDOM link? Sniffer trace Packet flow trace.
In what operating mode does FortiGate need to be, to route traffic between VLANs? Transparent mode NAT mode.
How can an administrator configure FortiGate to have four interfaces in the same broadcast domain? Create a firewall policy on each of the four interfaces. Configure the operation mode as transparent and use the same forward domain ID.
What configuration setting must be enabled to allow VLAN-tagged traffic through a virtual wire pair? Transparent bridging Wildcard VLAN.
How is traffic handled in a virtual wire pair? Incoming traffic to one interface is always forwarded out through the other interface. Traffic is forwarded based on the destination MAC address.
In which operating mode is the software switch function supported? Transparent mode NAT mode.
What is the default STP mode for FortiGate? FortiGate passively forwards BPDUs. FortiGate has all STP functions disabled.
Which one of the following messages indicates that both ingress and egress ESP packets will be offloaded? npu_flag=00 npu_flag=03.
If you enable NAT in the firewall policy for VPN, which of the following issues may occur? Quick mode selector may mismatch Traffic may not be routed to the tunnel.
In FSSO, FortiGate allows network access based on __________ Active user authentication with username and password Passive user identification by user ID, IP address, and group membership.
Which logging level shows the logon events on the collector agent? Information Warning.
The command diagnose debug fsso-polling detail displays information for which mode of FSSO? Agentless polling mode Collector agent based polling mode.
You can configure virtual clustering between only ___ FortiGate devices with multiple VDOMs in an Active-Passive HA cluster. two four.
The heartbeat interface IP address 169.254.0.1 is assigned to which FortiGate in an HA cluster? The FortiGate with the highest serial number The FortiGate with the highest priority.
Which of the following statements about the firmware upgrade process on an HA cluster is true? You only need to upload the new firmware to the primary FortiGate to upgrade an HA cluster. The cluster members are not rebooted.
Which is an advantage of transparent web proxy over explicit web proxy? PAC files can be used to specify which proxy to use. Web browsers do not need to be configured to use the proxy.
Which of the following is a WPAD method? LDAP query DHCP query.
Which of the following is required for redirecting user traffic to the transparent web proxy? Traffic must match a firewall policy with a proxy option profile with the HTTP Policy Redirect setting enabled. Traffic must match a firewall policy with the action set to proxy.
Which of the following configuration objects can be used to filter web proxy traffic, based on the HTTP header information? FQDN addresses Proxy addresses.
What is included in the configuration of an authentication scheme? Authentication method Source IP address.
Which of the following is an advantage of IP-based authentication over session-based? It supports multiple users sharing the same IP address. It requires less memory.
What information is displayed in the output of a debug flow? Incoming Interface and matching firewall policy Matching content profiles and traffic log.
When is a new TCP session allocated? When a SYN packet is allowed When a SYN/ACK packet is allowed.
Which statement about the exhibit is true? (Choose two.) port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs. port1-VLAN1 is the native VLAN for the port1 physical interface. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default. Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.
Which statements about IP-based explicit proxy authentication are true? (Choose two.) Sessions from the same source address are treated as a single user. FortiGate remembers authenticated sessions using browser cookies. IP-based authentication consumes less FortiGate memory than session-based authentication. IP-based authentication is best suited to authenticating users behind a NAT device.
Which of the following Fortinet hardware accelerators can be used to offload flow-based antivirus inspection? (Choose two.) CP8 CP9 SP3 NP4.
Which commands are appropriate for investigating high CPU? (Choose two.) diag sys top. diag hardware sysinfo mem. diag debug flow. get system performance status.
Which of the following statements describes the objectives of the gratuitous ARP packets sent by an HA cluster? To synchronize the ARP tables in all the FortiGate units that are part of the HA cluster. To notify the network switches that a new HA master unit has been elected. To notify the master unit that the slave devices are still up and alive. To notify the master unit about the physical MAC addresses of the slave units.