Fortinet FCP_FGT_AD-7.4 FCP – FortiGate 7.4 Administrator Online Training

exams

14 hours ago

Question #1

Refer to the exhibit.

Which route will be selected when trying to reach 10.20.30.254?

A . 10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]
B . 10.30.20.0/24 [10/0] via 172.20.121.2, port1, [1/0]
C . 10.20.30.0/26 [10/0] via 172.20.168.254, port2, [1/0]
D . 0.0.0.0/0 [10/0] via 172.20.121.2, port1, [1/0]

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The correct route to reach 10.20.30.254 would be:

Question #2

Which two IP pool types are useful for carrier-grade NAT deployments? (Choose two.)

A . Port block allocation
B . Fixed port range
C . One-to-one
D . Overload

Reveal Solution Hide Solution

Correct Answer: A,B
A,B

Explanation:

The two IP pool types that are useful for carrier-grade NAT (CGNAT) deployments are:

Question #3

What is eXtended Authentication (XAuth)?

A . It is an IPsec extension that forces remote VPN users to authenticate using their local ID.
B . It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).
C . It is an IPsec extension that authenticates remote VPN peers using a pre-shared key.
D . It is an IPsec extension that authenticates remote VPN peers using digital certificates.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The correct answer is:

B. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).

eXtended Authentication (XAuth) is an IPsec extension that adds additional authentication for remote VPN users after the initial IPsec phase 1 and phase 2 negotiations. XAuth requires users to provide their credentials (username and password) in addition to the standard IPsec authentication, enhancing the security of the VPN connection.

Question #4

What must you configure to enable proxy-based TCP session failover?

A . You must configure ha-configuration-sync under configure system ha.
B . You do not need to configure anything because all TCP sessions are automatically failed over.
C . You must configure session-pickup-enable under configure system ha.
D . You must configure session-pickup-connectionless enable under configure system ha.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The correct answer is:

C. You must configure session-pickup-enable under configure system ha.

To enable proxy-based TCP session failover on a Fortinet FortiGate firewall, you must configure the session-pickup-enable setting under the high availability (HA) configuration. This setting allows the firewall to pick up and maintain TCP sessions after a failover event, ensuring continuity of service for established connections.

Question #5

An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to the SSL-VPN.

How can this be achieved?

A . Assigning public IP addresses to SSL-VPN users
B . Configuring web bookmarks
C . Disabling split tunneling
D . Using web-only mode

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The correct answer is: C. Disabling split tunneling

Split tunneling allows VPN users to access both local and remote networks simultaneously. However, if you want to inspect all web traffic, including Internet traffic, coming from users connecting to the SSL-VPN, you should disable split tunneling. Disabling split tunneling forces all user traffic through the VPN tunnel, allowing you to inspect and control the traffic more effectively.

Question #6

Which NAT method translates the source IP address in a packet to another IP address?

A . DNAT
B . SNAT
C . VIP
D . IPPOOL

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The correct answer is: B. SNAT

SNAT (Source Network Address Translation), also known as MASQUERADE in iptables, translates the source IP address in a packet to another IP address. It is commonly used in scenarios where internal private IP addresses need to be translated to a single public IP address when accessing the Internet, for example. DNAT (Destination Network Address Translation) translates the destination IP address in a packet to another IP address. VIP (Virtual IP) is used to designate a single IP address that represents multiple servers for load balancing or high availability purposes. IPPOOL typically refers to a range of IP addresses that can be dynamically assigned to clients, such as in DHCP.

Question #7

What is the common feature shared between IPv4 and SD-WAN ECMP algorithms?

A . Both can be enabled at the same time.
B . Both support volume algorithms.
C . Both control ECMP algorithms.
D . Both use the same physical interface load balancing settings.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The correct answer is: C. Both control ECMP algorithms.

In the context of SD-WAN (Software-Defined Wide Area Network), ECMP (Equal-Cost Multi-Path) algorithms are used to determine the path packets should take through the network. Both IPv4 and SD-WAN ECMP algorithms control how traffic is load-balanced across multiple paths to a destination. While IPv4 ECMP operates at the network layer (Layer 3) of the OSI model, SD-WAN ECMP operates at a higher level, typically involving application-aware routing and more advanced traffic steering capabilities.

Question #8

Refer to the exhibit.

Which statement about the configuration settings is true?

A . When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.
B . When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
C . When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.
D . The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

B. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.

In this scenario, the remote user is accessing the FortiGate device using HTTPS (port 443), which is typically used for SSL-VPN access. Therefore, when accessing the device at that address and port, the SSL-VPN login page should open for the user to authenticate and establish a VPN connection.

Question #9

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

A . It limits the scanning of application traffic to the browser-based technology category only.
B . It limits the scanning of application traffic to the DNS protocol only.
C . It limits the scanning of application traffic to use parent signatures only.
D . It limits the scanning of application traffic to the application category only.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Question #10

Refer to the exhibits.

The exhibits show the firewall policies and the objects used in the firewall policies.

The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.

Which policy will be highlighted, based on the input criteria?

A . Policy with ID 4.
B . Policy with ID 5.
C . Policies with ID 2 and 3.
D . Policy with ID 1.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Policy with ID 5.

It’s coming from port 3 – hits Facebook-Web (Application) from the screenshot it show that it allows http and https traffic (80, 443).

There are 3 rules related to port3

and two rules source LOCAL_CLIENT

this would leave us with Rule 1 & 5

Rule one Service is = ULL_UDP

Rule five = Internet Services

Destination port we are looking for is 443 (usually this is TCP)

So it had to be PID5

We are looking for a policy that will allow or deny traffic from the source interface Port3 and source IP address 10.1.1.10 (LOCAL_CLIENT) to facebook.com TCP port 443 (HTTPS). There are only two policies that will match this traffic, policy ID 2 and 5. In FortiGate, firewall policies are evaluated from top to bottom. This means that the first policy that matches the traffic is applied, and subsequent policies are not evaluated. Based on the Policy Lookup criteria, Policy ID 5 will be highlighted.

Question #11

FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface.

In this scenario, what are two requirements for the VLAN ID? (Choose two.)

A . The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
B . The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.
C . The two VLAN subinterfaces must have different VLAN IDs.
D . The two VLAN subinterfaces can have the same VLAN ID, only if they have IP addresses in
different subnets.

Reveal Solution Hide Solution

Correct Answer: B,C
B,C

Explanation:

B. The two VLAN subinterfaces can have the same VLAN ID, only if they belong to different VDOMs.

C. The two VLAN subinterfaces must have different VLAN IDs. https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-emac-vlan-to-share-the-same-VL AN/ta-p/192843?externalID=FD43883

Each interface (physical or VLAN) can belong to only one VDOM.

Meaning that sub-interfaces (VLANs) from the same physical interface can have the same VLAN ID as

long as they are not assign to the same VDOM.

VLAN

https://community.fortinet.com/t5/FortiGate/Technical-Tip-rules-about-VLAN-configuration-and-VDOM-interface/ta-p/197640

* VLANs can be created on any physical or aggregate (802.3ad) interfaces

– The same VLAN number cannot be configured twice on the same physical interface

– The same VLAN number can be used on different physical interfaces

– The usable VLAN ID range is from 1 to 4094

* VDOM interface assignment

– Two VDOMs cannot share the same interface or VLAN

– A VLAN sub-interface can belong to a different VDOM than the physical interface it is attached to.

Question #12

An administrator has configured a strict RPF check on FortiGate.

How does strict RPF check work?

A . Strict RPF allows packets back to sources with all active routes.
B . Strict RPF checks the best route back to the source using the incoming interface.
C . Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
D . Strict RPF check is run on the first sent and reply packet of any new session.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

B. Strict RPF checks the best route back to the source using the incoming interface.

Strict: In this mode, Fortigate also verifies that the matching route is the best route in the routing table. That is, if the route in table contains a matching route for the source address and the incoming interface, but there is a better route for the source address through another interface the RPF check fails.

The Strict Reverse Path Forwarding (RPF) check is a security feature that helps prevent source IP address spoofing. When enabled, the FortiGate unit checks the source IP address of each incoming packet and compares it to the routing table to ensure that the packet arrives on the expected interface. Here’s an explanation of the statement:

B. Strict RPF checks the best route back to the source using the incoming interface.

When the FortiGate unit receives a packet, it checks the source IP address and verifies that the packet arrives on the expected interface based on the routing table. The "best route back to the source" refers to the route in the routing table that would be used to send packets back to the source IP address. If the incoming interface matches the expected interface based on the routing table, the check passes. If not, the packet may be considered as potentially spoofed, and it might be dropped or subjected to further security measures.

This strict RPF check helps in preventing IP address spoofing, which is a common technique used in various network attacks.

Loose RPF checks for any route and Strict RPF check for best route

Question #13

An administrator has configured the following settings:

config system settings

set ses-denied-traffic enable

end

config system global

set block-session-timer 30

end

What are the two results of this configuration? (Choose two.)

A . Device detection on all interfaces is enforced for 30 seconds.
B . Denied users are blocked for 30 seconds.
C . The number of logs generated by denied traffic is reduced.
D . A session for denied traffic is created.

Reveal Solution Hide Solution

Correct Answer: C,D
C,D

Explanation:

The timer config any way is by seconds.

ses-denied-traffic Enable/disable including denied session in the session table. block-session-timer

Duration in seconds for blocked sessions (1 – 300 sec (5 minutes), default = 30).

C. The number of logs generated by denied traffic is reduced.

D. A session for denied traffic is created.

During the session, if a security profile detects a violation, FortiGate records the attack log immediately. To reduce the number of log messages generated and improve performance, you can enable a session table entry of dropped traffic. This creates the denied session in the session table and, if the session is denied, all packets of that session are also denied. This ensures that FortiGate does not have to do a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation. This option is in the CLI, and is called ses-denied-traffic. You can also set the duration for block sessions. This determines how long a session will be kept in the session table by setting block-sessiontimer in the CLI. By default, it is set to 30 seconds.

Reference and download study guide:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-denied-session-to-be-added-into-the/ta-p/195478

Question #14

Refer to the exhibits.

The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook.

Users are given access to the Facebook web application. They can play video content hosted on Facebook, but they are unable to leave reactions on videos or other types of posts.

Which part of the policy configuration must you change to resolve the issue?

A . Force access to Facebook using the HTTP service.
B . Make the SSL inspection a deep content inspection.
C . Add Facebook in the URL category in the security policy.
D . Get the additional application signatures required to add to the security policy.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Needs SSL full inspection.

They can play video (tick) content hosted on Facebook, but they are unable to leave reactions on videos or other types of posts.

This indicate that the rule are partially working as they can watch video but can’t react, i.e. liking the content. So, must be an issue with the SSL inspection rather then adding an app rule.

The lock logo behind Facebook_like.Button indicates that SSL Deep Inspection is Required. All other Application Signatures Facebook and Facebook_Video.Play does not require SSL inspection. Hence that the users can play video content. If you look up the Application Signature for Facebook_like.Button it will say "Requires SSL Deep Inspection".

FortiGate needs to perform full SSL inspection. Without full SSL inspection, FortiGate cannot inspect encrypted traffic.

Question #15

Refer to the exhibits.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).

What must the administrator do to synchronize the address object?

A . Change the csf setting on ISFW (downstream) to set configuration-sync local.
B . Change the csf setting on ISFW (downstream) to set authorization-request-type certificate.
C . Change the csf setting on both devices to set downstream-access enable.
D . Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

C is correct because D is already set to default (Global CMDB objects will be synchronized in Security Fabric.)

The root device has downstream access disabled, so it needs to be enabled to sync the object.

downstream-access – Enable/disable downstream device access to this device’s configuration and data.

disable – Disable downstream device access to this device’s configuration and data.

The CLI command "set fabric-object-unification" is only available on the root FortiGate.

Question #16

Refer to the exhibits.

Exhibit A shows system performance output.

Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds.

Based on the system performance output, which two results are correct? (Choose two.)

A . FortiGate will start sending all files to FortiSandbox for inspection.
B . FortiGate has entered conserve mode.
C . Administrators cannot change the configuration.
D . Administrators can access FortiGate only through the console port.

Reveal Solution Hide Solution

Correct Answer: B,C
B,C

Explanation:

What actions does FortiGate take to preserve memory while in conserve mode?

• FortiGate does not accept configuration changes, because they might increase memory usage.

• FortiGate does not run any quarantine action, including forwarding suspicious files to FortiSandbox.

• You can configure the fail-open setting under config ips global to control how the IPS engine behaves when the IPS socket buffer is full.

Based on the system performance output, it appears that FortiGate has entered conserve mode and administrators cannot change the configuration.

FortiGate has entered conserve mode: When FortiGate enters conserve mode, it reduces its operational capacity in order to conserve resources and improve performance. This may be necessary if the system is experiencing high levels of traffic or if there are issues with resource utilization.

Administrators cannot change the configuration: When the system is in conserve mode, administrators may not be able to change the configuration. This is because the system is prioritizing resource conservation over other activities, and making changes to the configuration may require additional resources that are not available.

It is important to note that FortiGate will not start sending all files to FortiSandbox for inspection, and administrators may still be able to access FortiGate through other means besides the console port. "If memory usage goes above the percentage of total RAM defined as the red threshold, FortiGate enters conserve mode."

"FortiGate does not accept configuration changes, because they might increase memory usage."

Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-conserve-mode-is-triggered/ta-p/198580

Question #17

Refer to the exhibit showing a debug flow output.

What two conclusions can you make from the debug flow output? (Choose two.)

A . The debug flow is for ICMP traffic.
B . The default route is required to receive a reply.
C . A new traffic session was created.
D . A firewall policy allowed the connection.

Reveal Solution Hide Solution

Correct Answer: A,C
A,C

Explanation:

ICMP proto = 1

New session

As protocol=1 thats why its ICMP.

Reference: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

Question #18

An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24.

Which subnet must the administrator configure for the local quick mode selector for site B?

A . 192.168.2.0/24
B . 192.168.0.0/8
C . 192.168.1.0/24
D . 192.168.3.0/24

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Question #19

Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.)

A . The client FortiGate requires a manually added route to remote subnets.
B . The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
C . The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
D . The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN.

Reveal Solution Hide Solution

Correct Answer: C,D
C,D

Explanation:

The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type. The FortiGates must have a proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.

C. The server FortiGate requires a CA certificate to verify the client FortiGate certificate:

When setting up SSL VPN between two FortiGate devices, the server FortiGate needs a CA (Certificate Authority) certificate to verify the client FortiGate’s certificate. This ensures that the client connecting to the VPN is authenticated and trusted.

D. The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN:

For the SSL VPN to function, the client FortiGate needs to have the SSL VPN tunnel interface type configured. This interface type is specifically designed for SSL VPN connections, allowing the client FortiGate to establish the VPN tunnel with the server FortiGate.

These two settings together ensure that the SSL VPN connection between the two FortiGate devices is properly authenticated and established, allowing secure communication between them.

Question #20

Which statement correctly describes the use of reliable logging on FortiGate?

A . Reliable logging is enabled by default in all configuration scenarios.
B . Reliable logging is required to encrypt the transmission of logs.
C . Reliable logging can be configured only using the CLI.
D . Reliable logging prevents the loss of logs when the local disk is full.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Reliable logging prevents the loss of logs when the local disk is full.

On a FortiGate device, reliable logging is a feature that helps to prevent the loss of log messages when the local disk is full. When reliable logging is enabled, the FortiGate will store log messages in a buffer until they can be written to the local disk. This helps to ensure that log messages are not lost due to a full disk, allowing administrators to maintain an accurate record of activity on the network.

Reliable logging is not enabled by default in all configuration scenarios, and it does not encrypt the transmission of logs or require the use of the CLI to be configured. However, it is a useful feature to enable in order to maintain a comprehensive record of activity on the network and help with troubleshooting and security analysis.

Reliable logging on FortiGate is used to prevent the loss of logs when the connection between FortiOS and FortiAnalyzer is disrupted. When reliable mode is enabled, logs are cached in a FortiOS memory queue. FortiOS sends logs to FortiAnalyzer, and FortiAnalyzer uses seq_no to track received logs.

The other statements are incorrect:

Reliable logging is not enabled by default in all configuration scenarios. It must be enabled explicitly. Reliable logging is not required to encrypt the transmission of logs. Encryption can be configured separately.

Reliable logging can be configured using the CLI or the FortiGate web interface.

The question is asking what describes the correct use meaning what is the main function of reliable logging wouldn’t that be preventing loss of logs since disk is full by sending to Analyzer making D the correct answer.

The question is asking what describes the correct use meaning what is the main function of reliable logging wouldn’t that be preventing loss of logs since disk is full by sending to Analyzer making D the correct answer.

You can encrypt the logs if you are sending your logs to cloud, but the main purpose of reliable logging is to make sure that all the logs you send are been received by the server.

You can encrypt the traffic, but it does not require, the most specific option is D.

Question #21

Refer to the exhibits.

The exhibits contain a network diagram, and virtual IP, IP pool, and firewall policies configuration information.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled using IP pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?

A . 10.200.1.1
B . 10.0.1.254
C . 10.200.1.10
D . 10.200.1.100

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

From LAN to WAN, the Source NAT will use the IPPOOL with address configured 10.200.1.100 Destination NAT, from WAN to LAN, will use the VIP

The question says SNAT, so the only correct answer here (looking at the IP Pool) is D.

(Step 2): FortiGate uses as NAT IP the external IP address defined in the VIP when performing SNAT on all egress traffic sourced from the mapped address in the VIP, provided the matching firewall policy has NAT enabled.

Note that you can override the behavior described in step 2 by using an IP pool.

Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD44529

Question #22

Refer to the exhibit.

The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router.

When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time, the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output.

Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?

A . Configure a loopback interface with address 203.0.113.2/32.
B . In the VIP configuration, enable arp-reply.
C . Enable port forwarding on the server to map the external service port to the internal service port.
D . In the firewall policy configuration, enable match-vip.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

In the routing table of the ISP we can see that the route is C (connected) which means that if there is no

ARP entry, traffic will be dropped by the ISP, and this is why there is no packets in the forti sniffer.

The external interface address is different from the external address configured in the VIP. This is not a problem as long as the upstream network has its routing properly set. You can also enable ARP reply on the VPN (enabled by default, here disabled) to facilitate routing on the upstream network.

Enabling ARP reply is usually not required in most networks because the routing tables on the adjacent devices contain the correct next hop information, so the networks are reachable. However, sometimes the routing configuration is not fully correct, and having ARP reply enabled can solve the issue for you. For this reason, it’s a best practice to keep ARP reply enabled.

Question #23

Which two statements are true about the FGCP protocol? (Choose two.)

A . FGCP elects the primary FortiGate device.
B . FGCP is not used when FortiGate is in transparent mode.
C . FGCP runs only over the heartbeat links.
D . FGCP is used to discover FortiGate devices in different HA groups.

Reveal Solution Hide Solution

Correct Answer: A,C
A,C

Explanation:

Question #24

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.

Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

A . Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
B . Configure a lower distance on the static route for the primary tunnel, and a higher distance on the
static route for the secondary tunnel.
C . Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
D . Enable Dead Peer Detection.

Reveal Solution Hide Solution

Correct Answer: B,D
B,D

Explanation:

To set up redundant IPsec VPN tunnels on FortiGate and meet the specified requirements, the administrator should make the following key configuration changes:

B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

By configuring a lower administrative distance for the static route of the primary tunnel, the FortiGate will prefer this route when both tunnels are up. If the primary tunnel goes down, the higher administrative distance on the static route for the secondary tunnel will cause the FortiGate to use the secondary tunnel.

D. Enable Dead Peer Detection.

Dead Peer Detection (DPD) should be enabled to detect the status of the VPN tunnels. If the FortiGate detects that the primary tunnel is no longer responsive (dead), it can trigger the failover to the secondary tunnel, ensuring a faster tunnel failover.

So, the correct choices are B and D.

Question #25

What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

A . FortiGate uses fewer resources.
B . FortiGate performs a more exhaustive inspection on traffic.
C . FortiGate adds less latency to traffic.
D . FortiGate allocates two sessions per connection.

Reveal Solution Hide Solution

Correct Answer: A,C
A,C

Explanation:

Question #26

FortiGuard categories can be overridden and defined in different categories. To create a web rating override for the example.com home page, the override must be configured using a specific syntax.

Which two syntaxes are correct to configure a web rating override for the home page? (Choose two.)

A . www.example.com
B . www.example.com/index.html
C . www.example.com:443
D . example.com

Reveal Solution Hide Solution

Correct Answer: A,D
A,D

Explanation:

Question #27

Refer to exhibit.

An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to access twitter.com, they are redirected to a FortiGuard web filtering block page.

Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?

A . On the FortiGuard Category Based Filter configuration, set Action to Warning for Social Networking.
B . On the Static URL Filter configuration, set Type to Simple.
C . On the Static URL Filter configuration, set Action to Exempt.
D . On the Static URL Filter configuration, set Action to Monitor.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

C. On the Static URL Filter configuration, set Action to Exempt.

Based on the exhibit, the administrator has configured the FortiGuard Category Based Filter to block access to all social networking sites, and has also configured a Static URL Filter to block access to twitter.com. As a result, users are being redirected to a block page when they try to access twitter.com.

To allow users to access twitter.com while blocking all other social networking sites, the administrator can make the following configuration change:

On the Static URL Filter configuration, set Action to Exempt: By setting the Action to Exempt, the administrator can override the block on twitter.com that was specified in the FortiGuard Category Based Filter. This will allow users to access twitter.com, while all other social networking sites will still be blocked.

Note:

Tested this in a lab environment and to make this work as stated in the question the Exempt action is the only way to go, and also *.twimg.com will has to be added to the URL Filter with an Exempt action for this situation to really work!

Allow: Access is permitted. Traffic is passed to remaining operations, including FortiGuard web filter, web content filter, web script filters, and antivirus scanning.

Exempt: Allows traffic from trusted sources to bypass all security inspections.

Question #28

Which three statements explain a flow-based antivirus profile? (Choose three.)

A . Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
B . If a virus is detected, the last packet is delivered to the client.
C . The IPS engine handles the process as a standalone.
D . FortiGate buffers the whole file but transmits to the client at the same time.
E . Flow-based inspection optimizes performance compared to proxy-based inspection.

Reveal Solution Hide Solution

Correct Answer: A,D,E
A,D,E

Explanation:

A: Flow-based inspection mode uses a hybrid of the scanning modes available in proxy-based inspection.

D: the IPS engine reads the payload of each packet, caches a local copy, and forwards the packet to the receiver at the same time. some operations can be offloaded to SPUs to improve performance (not C).

E: If performance is your top priority, then flow inspection mode is more appropriate. Extra explanation:

Question #29

Which three criteria can FortiGate use to look for a matching firewall policy to process traffic? (Choose three.)

A . Services defined in the firewall policy
B . Highest to lowest priority defined in the firewall policy
C . Destination defined as Internet Services in the firewall policy
D . Lowest to highest policy ID number
E . Source defined as Internet Services in the firewall policy

Reveal Solution Hide Solution

Correct Answer: A,C,E
A,C,E

Explanation:

Question #30

What are two functions of ZTNA? (Choose two.)

A . ZTNA manages access through the client only.
B . ZTNA manages access for remote users only.
C . ZTNA provides a security posture check.
D . ZTNA provides role-based access.

Reveal Solution Hide Solution

Correct Answer: C,D
C,D

Explanation:

C. ZTNA provides a security posture check.

D. ZTNA provides role-based access.

ZTNA (Zero Trust Network Access) is a security architecture that is designed to provide secure access to network resources for users, devices, and applications. It is based on the principle of "never trust, always verify," which means that all access to network resources is subject to strict verification and authentication.

Two functions of ZTNA are:

ZTNA provides a security posture check: ZTNA checks the security posture of devices and users that are attempting to access network resources. This can include checks on the device’s software and hardware configurations, security settings, and the presence of malware.

ZTNA provides role-based access: ZTNA controls access to network resources based on the role of the user or device. Users and devices are granted access to only those resources that are necessary for their role, and all other access is denied. This helps to prevent unauthorized access and minimize the risk of data breaches.

Question #31

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

Which type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

A . Pre-shared key
B . Dialup user
C . Dynamic DNS
D . Static IP address

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

In a scenario where the remote peer IP address is dynamic, and the remote peer does not support a dynamic DNS update service, the appropriate choice for configuring the remote gateway on FortiGate is:

B. Dialup user

Configuring the remote gateway as a dialup user allows flexibility for dynamic remote peer IP addresses without relying on dynamic DNS. Dialup user configurations are suitable for scenarios where the remote peer’s IP address may change dynamically, and it is not possible to use a static IP address or dynamic DNS.

The peer IP is not static.

D cannot be correct as the remote peer has a dynamic address so this will not be known to the local side as it may change.

The same goes for dynamic.

PSK is not an option, the answer is B.

Question #32

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

A . SSL VPN idle-timeout
B . SSL VPN http-request-body-timeout
C . SSL VPN login-timeout
D . SSL VPN dtls-hello-timeout

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the timer reaches the idle- timeout value before the user reconnects or sends any new traffic, the session will be terminated and the associated resources (such as VPN tunnels and virtual interfaces) will be deleted.

Also, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can change this timeout using the Idle Logout setting on the GUI.

Question #33

Which statement is correct regarding the use of application control for inspecting web applications?

A . Application control can identify child and parent applications, and perform different actions on them.
B . Application control signatures are organized in a nonhierarchical structure.
C . Application control does not require SSL inspection to identify web applications.
D . Application control does not display a replacement message for a blocked web application.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Application control in FortiGate can identify both parent and child applications within web applications. This allows for granular control and the ability to perform different actions based on the specific application detected.

Application control is a feature that allows FortiGate to inspect and control the use of specific web applications on the network. When application control is enabled, FortiGate can identify child and parent applications, and can perform different actions on them based on the configuration.

The FortiGuard application control signature database is organized in a hierarchical structure. This gives you the ability to inspect the traffic with more granularity. You can block Facebook applications while allowing users to collaborate using Facebook chat.

Question #34

A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded.

The administrator confirms that the traffic matches the configured firewall policy.

What are two reasons for the failed virus detection by FortiGate? (Choose two.)

A . The website is exempted from SSL inspection.
B . The EICAR test file exceeds the protocol options oversize limit.
C . The selected SSL inspection profile has certificate inspection enabled.
D . The browser does not trust the FortiGate self-signed CA certificate.

Reveal Solution Hide Solution

Correct Answer: A,C
A,C

Explanation:

Two possible explanations for FortiGate’s failure to detect the virus are:

Question #35

Refer to the exhibits.

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic.

Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

A . For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
B . The traffic sourced from the client and destined to the server is sent to FGT-1.
C . The cluster can load balance ICMP connections to the secondary.
D . For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them
to the secondary.

Reveal Solution Hide Solution

Correct Answer: A,D
A,D

Explanation:

A: Non load balance: traffic enters port1 and go out port2 from FGT1. FGT2 is in primary mode

D: In proxy inspection mode, SYN packet goes to FGT1 port1. It is then forwarded to FGT2. the source MAC address of the packet is changed to the physical MAC address of port1 on the primary and the destination MAC address to the physical MAC address of port1 on the secondary. This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session

Question #36

Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two.)

A . The keyUsage extension must be set to keyCertSign.
B . The CA extension must be set to TRUE.
C . The issuer must be a public CA.
D . The common name on the subject field must use a wildcard name.

Reveal Solution Hide Solution

Correct Answer: A,B
A,B

Explanation:

Full SSL inspection – Certificate requirements:

FortiGate is acting as a proxy web server. In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign.

The CA=True value identifies the certificate as a CA certificate. The KryUsage =KeyCertSign value indicates that the certificate corresponding private key is permitted to sign certificates. see RFC 5280 section 4.2.1.9 basic Constraints.

Although it appears as though the user browser is connected to the web server, the browser is connected to FortiGate. FortiGate is acting as a proxy web server. In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign.

Question #37

Which two configuration settings are global settings? (Choose two.)

A . User & Device settings
B . Firewall policies
C . HA settings
D . FortiGuard settings

Reveal Solution Hide Solution

Correct Answer: C,D
C,D

Explanation:

The two configuration settings that are global settings are:

C. HA settings – High Availability settings are typically configured globally to manage failover and redundancy.

D. FortiGuard settings – FortiGuard settings for security services and updates are also configured globally to ensure consistent protection across the network.

HA configuration overview. The purpose of an HA configuration is to reduce downtime when a zone or instance becomes unavailable. This might happen during a zonal outage, or when an instance runs out of memory. With HA, your data continues to be available to client applications.

FortiGuard > Settings provides a central location for configuring and enabling your FortiManager system’s built-in FDS as an FDN override server.

Question #38

Which additional load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled?

A . Volume based
B . Source-destination IP based
C . Source IP based
D . Weight based

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Volume load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled.

What is load balancing method?

Load balancing means are regarded as a form of an algorithms or method that is used to rightly share an incoming server request or traffic in the midst or among servers that is from the server pool.

Note that Volume load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled as that is its role.

Question #39

Examine the exhibit, which shows a firewall policy configured with multiple security profiles.

Which two security profiles are handled by the IPS engine? (Choose two.)

A . Web Filter
B . IPS
C . AntiVirus
D . Application Control

Reveal Solution Hide Solution

Correct Answer: B,D
B,D

Explanation:

When the FortiGate is set for proxy inspection mode, the IPS engine will handle the Application Control and IPS security profiles.

The security profiles that will be handled by the IPS engine when the FortiGate is set for proxy inspection mode are Application Control and IPS. In this mode, the FortiGate acts as an intermediary between the client and the server, intercepting and inspecting traffic to enforce security policies. The IPS engine is responsible for analyzing network traffic and identifying any malicious or suspicious activity based on predefined rules and signatures.

Question #40

Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive mode? (Choose two.)

A . The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.
B . Main mode cannot be used for dialup VPNs, while aggressive mode can.
C . Aggressive mode supports XAuth, while main mode does not.
D . Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.

Reveal Solution Hide Solution

Correct Answer: A,D
A,D

Explanation:

The correct statements describing the differences between IPsec main mode and IPsec aggressive mode are:

Question #41

What does the command diagnose debug fsso-polling refresh-user do?

A . It refreshes all users learned through agentless polling.
B . It displays status information and some statistics related to the polls done by FortiGate on each DC.
C . It refreshes user group information from any servers connected to FortiGate using a collector agent.
D . It enables agentless polling mode real-time debug.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

It refreshes all users learned through agentless polling.

The command diagnose debug fsso-polling refresh-user is used in Fortinet’s FortiGate firewall to refresh all users learned through agentless polling. This means it updates the list of users that have been identified through agentless polling methods, which may include methods such as monitoring network traffic to detect user activity. This command helps ensure that the firewall has the most up-to-date information about users on the network for security and access control purposes.

Question #42

View the exhibit.

Both VDOMs are operating in NAT/route mode. The subnet 10.0.1.0/24 is connected to VDOM1. The subnet 10.0.2.0/24 is connected to VDOM2. There is an inter-VDOM link between VDOM1 and VDOM2. Also, necessary firewall policies are configured in VDOM1 and VDOM2.

Which two static routes are required in the FortiGate configuration, to route traffic between both subnets through an inter-VDOM link? (Choose two.)

A . A static route in VDOM1 with the destination subnet matching the subnet assigned to the inter-VDOM link
B . A static route in VDOM2 for the destination subnet 10.0.1.0/24
C . A static route in VDOM1 for the destination subnet 10.0.2.0/24
D . A static route in VDOM2 with the destination subnet matching the subnet assigned to the inter-VDOM link

Reveal Solution Hide Solution

Correct Answer: B,C
B,C

Explanation:

The two static routes required in the FortiGate configuration to route traffic between both subnets through an inter-VDOM link are:

B. A static route in VDOM2 for the destination subnet 10.0.1.0/24

C. A static route in VDOM1 for the destination subnet 10.0.2.0/24

In VDOM1, a static route for the destination subnet 10.0.2.0/24 is needed to route traffic destined for VDOM2’s subnet through the inter-VDOM link.

In VDOM2, a static route for the destination subnet 10.0.1.0/24 is needed to route traffic destined for VDOM1’s subnet through the inter-VDOM link.

Question #43

An administrator configured the antivirus profile in a firewall policy set to flow-based inspection mode. While testing the configuration, the administrator noticed that eicar.com test files can be downloaded using HTTPS protocol only.

What is causing this issue?

A . Hardware acceleration is in use.
B . The test file is larger than the oversize limit.
C . HTTPS protocol is not enabled under Inspected Protocols.
D . Full SSL inspection is disabled.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The issue is likely caused by:

D. Full SSL inspection is disabled.

In flow-based inspection mode, if full SSL inspection is disabled, the FortiGate device may not be inspecting the contents of the HTTPS traffic, allowing the eicar.com test files to be downloaded without being scanned for viruses. To address this, you would need to enable full SSL inspection to ensure that the antivirus profile can inspect the contents of encrypted traffic.

Question #44

An administrator wants to monitor their network for any probing attempts aimed to exploit existing vulnerabilities in their servers.

Which two items must they configure on their FortiGate to accomplish this? (Choose two.)

A . A web application firewall profile to check protocol constraints
B . A DoS policy, and log all UDP and TCP scan attempts
C . An IPS sensor to monitor all signatures applicable to the server
D . An application control profile, and set all application signatures to monitor

Reveal Solution Hide Solution

Correct Answer: B,C
B,C

Explanation:

B. Configure a DoS policy and log all UDP and TCP scan attempts.

A Denial of Service (DoS) policy can help monitor and mitigate scan attempts. By logging UDP and TCP scan attempts, the administrator can identify potential probing activities.

C. Configure an IPS sensor to monitor all signatures applicable to the server.

An Intrusion Prevention System (IPS) sensor is crucial for monitoring and preventing various types of attacks, including those targeting server vulnerabilities. Monitoring all relevant IPS signatures enhances the detection capabilities.

So, the correct choices are indeed B and C.

Question #45

Which three settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.)

A . SSH
B . FortiTelemetry
C . Trusted host
D . HTTPS
E . Trusted authentication

Reveal Solution Hide Solution

Correct Answer: A,C,D
A,C,D

Explanation:

To provide secure and restrictive administrative access to FortiGate, the following three settings and protocols can be used:

Question #46

Which statement about firewall policy NAT is true?

A . DNAT is not supported.
B . DNAT can automatically apply to multiple firewall policies, based on DNAT rules.
C . You must configure SNAT for each firewall policy.
D . SNAT can automatically apply to multiple firewall policies, based on SNAT rules.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

C. You must configure SNAT for each firewall policy.

The correct statement about firewall policy Nat (Network Address Translation) is: You must configure SNAT for each firewall policy.

SNAT (Source Network Address Translation) and DNAT (Destination Network Address Translation) are important components of a firewall’s policy.

Question #47

Which statement about traffic flow in an active-active HA cluster is true?

A . The SYN packet from the client always arrives at the primary device first.
B . The secondary device responds to the primary device with a SYN/ACK, and then the primary device forwards the SYN/ACK to the client.
C . All FortiGate devices are assigned the same virtual MAC addresses for the HA heartbeat interfaces to redistribute to the sessions.
D . The ACK from the client is received on the physical MAC address of the primary device.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The correct statement about traffic flow in an active-active High Availability (HA) cluster is:

Question #48

Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.)

A . Only the "any" interface can be chosen as an incoming interface.
B . An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional.
C . Multiple interfaces can be selected as incoming and outgoing interfaces.
D . A zone can be chosen as the outgoing interface.

Reveal Solution Hide Solution

Correct Answer: C,D
C,D

Explanation:

C. Multiple interfaces can be selected as incoming and outgoing interfaces.

This statement is correct. You can specify multiple interfaces as both incoming and outgoing interfaces in a firewall policy.

D. A zone can be chosen as the outgoing interface.

This statement is correct as well. In FortiGate firewalls, you can choose a zone as the outgoing interface in a firewall policy, providing a convenient way to apply policies to multiple physical or logical interfaces grouped under the same zone.

So, the correct choices are C and D.

Question #49

View the exhibit.

date=2022-06-14 time=14:45:16 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd="root" policyid=2 identidx=1 sessionid=31232959 user="anonymous" group="ldap_users" srcip=192.168.1.24 srcport=63355 srcintf="port2" dstip=66.171.121.44 dstport=80 dstintf="port1" service="http" hostname="www.fortinet.com" profiletype="Webfilter_Profile" profile="default" status="passthrough" reqtype="direct" url="/" sentbyte=304 rcvdbyte=60135 msg="URL belongs to an allowed category in policy" method=domain class=0 cat=140 catdesc="custom1"

What two things does this raw log indicate? (Choose two.)

A . FortiGate allowed the traffic to pass.
B . 192.168.1.24 is the IP address for www.fortinet.com.
C . The traffic matches the webfilter profile on firewall policy ID 2.
D . The traffic originated from 66.171.121.44.

Reveal Solution Hide Solution

Correct Answer: A,C
A,C

Explanation:

The raw log indicates the following:

Question #50

Refer to the exhibit.

FortiGate is configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt.

What is the most likely reason for this situation?

A . No matching user account exists for this user.
B . The user is using a guest account profile.
C . The user was authenticated using passive authentication.
D . The user is using a super admin account.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The most likely reason for a user not being presented with a login prompt when attempting to access an external website in a FortiGate firewall authentication scenario is:

C. The user was authenticated using passive authentication.

Passive authentication allows the FortiGate to authenticate users transparently without presenting them with a login prompt. This often involves the use of authentication methods such as Captive Portal or single sign-on (SSO) techniques where users are authenticated based on their network activity without actively entering credentials.

Options A, B, and D are less likely to cause the absence of a login prompt in this context: A is less likely because if there was no matching user account, it would typically result in an authentication prompt.

B is less likely unless the guest account profile specifically has a passive authentication mechanism.

D is less likely because super admin accounts are typically not subject to transparent or passive authentication mechanisms.

So, the most likely reason is C.

Question #51

An administrator has configured central DNAT and virtual IPs.

Which item can be selected in the firewall policy Destination field?

A . An IP pool
B . A VIP object
C . A VIP group
D . The mapped IP address object of the VIP object

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

– when central NAT is enabled => put the mapped IP address of the VIP object.

– when central NAT is disabled => put the VIP object.

In the context of central DNAT and virtual IPs in FortiGate, the correct option for the firewall policy

Destination field is:

D. The mapped IP address object of the VIP object

When configuring central DNAT, you typically select the mapped IP address object associated with the VIP object in the firewall policy Destination field. This mapped IP address represents the internal destination to which traffic will be redirected.

So, the correct choice is D.

Question #52

Which three actions are valid for static URL filtering? (Choose three.)

A . Block
B . Warning
C . Shape
D . Exempt
E . Allow

Reveal Solution Hide Solution

Correct Answer: A,D,E
A,D,E

Explanation:

The correct actions for static URL filtering in FortiGate are:

Question #53

Which two settings must you configure when FortiGate is being deployed as a root FortiGate in a Security Fabric topology? (Choose two.)

A . FortiManager IP address
B . FortiAnalyzer IP address
C . Pre-authorize downstream FortiGate devices
D . Fabric name

Reveal Solution Hide Solution

Correct Answer: B,D
B,D

Explanation:

The correct choices for settings to configure when FortiGate is being deployed as a root FortiGate in a Security Fabric topology are:

B. FortiAnalyzer IP address – This setting is required to send logs and reports to the FortiAnalyzer for analysis and storage.

D. Fabric name – This setting is essential to identify the Security Fabric and differentiate it from other fabrics in the network.

Question #54

Which two statements about the application control profile mode are true? (Choose two.)

A . It uses flow-based scanning techniques, regardless of the inspection mode used.
B . It cannot be used in conjunction with IPS scanning.
C . It can be selected in either flow-based or proxy-based firewall policy.
D . It can scan only unsecure protocols.

Reveal Solution Hide Solution

Correct Answer: A,C
A,C

Explanation:

The two statements about the application control profile mode that are true are:

Question #55

Which are two benefits of using SD-WAN? (Choose two.)

A . FortiGate performs per-packet distribution across multiple SD-WAN members.
B . WAN is used effectively.
C . Application steering is available.
D . Firewall policies are not required.

Reveal Solution Hide Solution

Correct Answer: B,C
B,C

Explanation:

The two benefits of using SD-WAN are:

B. WAN is used effectively.

SD-WAN optimizes the utilization of Wide Area Network (WAN) resources, improving efficiency and

performance in the network.

C. Application steering is available.

SD-WAN provides the capability to steer and prioritize traffic based on the specific applications, ensuring

better application performance and user experience.

The other options are not accurate:

A is incorrect because FortiGate typically performs per-session, not per-packet, distribution across multiple SD-WAN members.

D is incorrect because firewall policies may still be required, especially for security and traffic control purposes.

So, the correct choices are B and C.

Question #56

Which two statements about advanced AD access mode for the FSSO collector, agent are true? (Choose two.)

A . FortiGate can act as an LDAP client to configure the group filters.
B . It uses the Windows convention for naming; that is, DomainUsername.
C . It supports monitoring of nested groups.
D . It is only supported if DC agents are deployed.

Reveal Solution Hide Solution

Correct Answer: A,C
A,C

Explanation:

The correct statements about the advanced AD access mode for the FSSO collector agent are:

Question #57

An administrator needs to create a tunnel mode SSL-VPN to access an internal web server from the Internet. The web server is connected to port1. The Internet is connected to port2. Both interfaces belong to the VDOM named Corporation.

What interface must be used as the source for the firewall policy that will allow this traffic?

A . ssl.root
B . ssl.Corporation
C . port2
D . port1

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

ssl.Corporation

If you are working within a specific VDOM named "Corporation," and the SSL VPN is associated with that VDOM, then the correct choice is:

B. ssl.Corporation

Using the "ssl.Corporation" interface as the source for the firewall policy makes sense in the context of a VDOM-specific SSL VPN.

Question #58

View the exhibit.

Which two behaviors result from this full (deep) SSL configuration? (Choose two.)

A . The browser bypasses all certificate warnings and allows the connection.
B . A temporary trusted FortiGate certificate replaces the server certificate, even when the server certificate is untrusted.
C . A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
D . A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.

Reveal Solution Hide Solution

Correct Answer: C,D
C,D

Explanation:

C. A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.

D. A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.

In a full (deep) SSL configuration, a temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted, and a temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.

The behavior that results from this full (deep) SSL configuration is that a temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted. Additionally, a temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.

Question #59

Which statement best describes the role of a DC agent in an FSSO DC agent mode solution?

A . It captures the login and logoff events and forwards them to the collector agent.
B . It captures the login events and forwards them to the collector agent.
C . It captures the login events and forwards them to FortiGate.
D . It captures the user IP address and workstation name and forwards them to FortiGate.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

There is no requirement to record this information as it is a FSSO role to auth logon events. If it were to log logoff events if would just be a waste of resources.

The DC agent captures login events on the domain controller and forwards this information to the Collector Agent.

Question #60

Which two IP pool types enable you to identify user connections without having to log user traffic? (Choose two.)

A . Fixed port range
B . Port block allocation
C . One-to-one
D . Overload

Reveal Solution Hide Solution

Correct Answer: A,B
A,B

Explanation:

Question #61

An administrator wants to block https://www.example.com/videos and allow all other URLs on the website.

What are two configuration changes that the administrator can make to satisfy the requirement? (Choose two.)

A . Configure web override for the URL and select a blocked FortiGuard subcategory
B . Enable full SSL inspection
C . Configure a video filter profile to block the URL
D . Configure a static URL filter entry for the URL and select Block as the action

Reveal Solution Hide Solution

Correct Answer: B,D
B,D

Explanation:

If the goal is to block the specific URL https://www.example.com/videos and allow all other URLs on the website, the correct configuration changes are:

B. Enable full SSL inspection.

Enabling full SSL inspection allows the FortiGate to inspect and filter HTTPS traffic, including the specific URL https://www.example.com/videos.

D. Configure a static URL filter entry for the URL and select Block as the action.

Create a static URL filter entry for the specific URL https://www.example.com/videos and set the action to Block. This will block access to the specified URL.

Enabling full SSL inspection is necessary to inspect and filter HTTPS traffic effectively, including the specific URL within the encrypted traffic.

So, the correct choices are B and D.

Question #62

Which three methods can you use to deliver the token code to a user who is configured to use two-factor authentication? (Choose three.)

A . Instant message app
B . FortiToken
C . Email
D . Voicemail message
E . SMS text message

Reveal Solution Hide Solution

Correct Answer: B,C,E
B,C,E

Explanation:

The three methods that can be used to deliver the token code to a user configured to use two-factor authentication are:

B. FortiToken

FortiToken is a physical or software-based token that generates time-based or event-based codes for two-factor authentication.

C. Email

The token code can be delivered to the user via email, where the user has access to the code through their email account.

E. SMS text message

The token code can be sent to the user as a text message (SMS) to their mobile device.

These methods provide flexibility in delivering the token code to users for two-factor authentication.

So, the correct choices are B, C, and E.

Question #63

View the exhibit.

A user at 192.168.32.15 is trying to access the web server at 172.16.32.254.

Which two statements best describe how the FortiGate will perform reverse path forwarding (RPF)

checks on this traffic? (Choose two.)

A . Strict RPF check will deny the traffic.
B . Loose RPF check will allow the traffic.
C . Strict RPF check will allow the traffic.
D . Loose RPF check will deny the traffic.

Reveal Solution Hide Solution

Correct Answer: B,C
B,C

Explanation:

B. Loose RPF check will allow the traffic.

C. Strict RPF check will allow the traffic.

Question #64

Which two statements about antivirus scanning in a firewall policy set to proxy-based inspection mode, are true? (Choose two.)

A . A file does not need to be buffered completely before it is moved to the antivirus engine for scanning.
B . The client must wait for the antivirus scan to finish scanning before it receives the file.
C . FortiGate sends a reset packet to the client if antivirus reports the file as infected.
D . If a virus is detected, a block replacement message is displayed immediately.

Reveal Solution Hide Solution

Correct Answer: B,D
B,D

Explanation:

In a firewall policy set to proxy-based inspection mode:

B. The client must wait for the antivirus scan to finish scanning before it receives the file.

In proxy-based inspection, the client may need to wait for the antivirus scan to complete before receiving the file. The file may need to be fully scanned before being delivered to the client, depending on the specific configuration and circumstances.

D. If a virus is detected, a block replacement message is displayed immediately.

If a virus is detected during the antivirus scan in proxy-based inspection mode, FortiGate can generate a block replacement message immediately, informing the user that the file is infected. So, both statements B and D are valid in the context of proxy-based inspection mode.

Question #65

Which two statements about FortiGate antivirus databases are true? (Choose two.)

A . The quick scan database is part of the normal database.
B . The extreme database is available only on certain FortiGate models.
C . The extended database is available on all FortiGate models.
D . The extended database is available only if AI scanning is enabled.

Reveal Solution Hide Solution

Correct Answer: B,C
B,C

Explanation:

B. The extreme database is available only on certain FortiGate models.

The Extreme database is available on certain FortiGate models and provides an even higher level of protection with additional signatures. It’s designed for FortiGate models that support this extended feature set.

C. The extended database is available on all FortiGate models.

The Extended database is indeed available on all FortiGate models, providing additional signatures and detection capabilities beyond the normal database.

So, both statements B and C are accurate, with the understanding that the availability of the Extreme database is indeed limited to certain FortiGate models.

Question #66

Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.

Which two statements are true? (Choose two.)

A . FortiGate SN FGVM010000065036 HA uptime has been reset.
B . FortiGate devices are not in sync because one device is down.
C . FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
D . FortiGate SN FGVM010000064692 has the higher HA priority.

Reveal Solution Hide Solution

Correct Answer: A,D
A,D

Explanation:

Question #66

Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.

Which two statements are true? (Choose two.)

A . FortiGate SN FGVM010000065036 HA uptime has been reset.
B . FortiGate devices are not in sync because one device is down.
C . FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
D . FortiGate SN FGVM010000064692 has the higher HA priority.

Reveal Solution Hide Solution

Correct Answer: A,D
A,D

Explanation:

Question #66

Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.

Which two statements are true? (Choose two.)

A . FortiGate SN FGVM010000065036 HA uptime has been reset.
B . FortiGate devices are not in sync because one device is down.
C . FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.
D . FortiGate SN FGVM010000064692 has the higher HA priority.

Reveal Solution Hide Solution

Correct Answer: A,D
A,D

Explanation:

Question #69

Refer to the exhibit.

Examine the intrusion prevention system (IPS) diagnostic command.

Which statement is correct If option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?

A . The IPS engine was inspecting high volume of traffic.
B . The IPS engine was unable to prevent an intrusion attack.
C . The IPS engine was blocking all traffic.
D . The IPS engine will continue to run in a normal state.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

If there are high-CPU use problems caused by the IPS, you can use the diagnose test application ipsmonitor command with option 5 to isolate where the problem might be. Option 5 enables IPS bypass mode.

In this mode, the IPS engine is still running, but it is not inspecting traffic.

If the CPU use decreases after that, it usually indicates that the volume of traffic being inspected is too high for that FortiGate model.

If the CPU use remains high after enabling IPS bypass mode, it usually indicates a problem in the IPS engine, which you must report to Fortinet Support.

If there are high-CPU use problems caused by the IPS, you can use the diagnose test application ipsmonitor command with option 5 to isolate where the problem might be. Option 5 enables IPS bypass mode. In this mode, the IPS engine is still running, but it is not inspecting traffic. If the CPU use decreases after that, it usually indicates that the volume of traffic being inspected is too high for that FortiGate model.

Question #70

Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.

Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?

A . On HQ-FortiGate, enable Diffie-Hellman Group 2.
B . On HQ-FortiGate, enable Auto-negotiate.
C . On Remote-FortiGate, set Seconds to 43200.
D . On HQ-FortiGate, set Encryption to AES256.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

D. On HQ-FortiGate, set Encryption to AES256.

A phase 2 proposal defines the algorithms supported by the peer for encrypting and decrypting the data over the tunnel. You can configure multiple proposals to offer more options to the remote peer when negotiating the IPsec SAs.

Like in phase 1, you need to select a combination of encryption and authentication algorithms. D is correct, the Encryption and authentication algorithm needs to match inorder for IPSEC be successfully established Encryption algorithm must be the same.

Question #71

Which three options are the remote log storage options you can configure on FortiGate? (Choose three.)

A . FortiSIEM
B . FortiCloud
C . FortiCache
D . FortiSandbox
E . FortiAnalyzer

Reveal Solution Hide Solution

Correct Answer: A,B,E
A,B,E

Explanation:

The three remote log storage options you can configure on FortiGate are:

Question #72

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

A . FortiGuard update servers
B . System time
C . Operating mode
D . NGFW mode

Reveal Solution Hide Solution

Correct Answer: C,D
C,D

Explanation:

C: Operating mode is per-VDOM setting. You can combine transparent mode VDOM’s with NAT mode VDOMs on the same physical Fortigate.

D: Inspection-mode selection has moved from VDOM to firewall policy, and the default inspection-mode is flow, so NGFW Mode can be changed from Profile-base (Default) to Policy-base directly in System > Settings from the VDOM.

A and B are incorrect: The firmware on your Fortigate and some settings, such as system time, apply to the entire device-they are not specific to each VDOM.

NGFW mode is a per-VDOM setting.

Operation mode is a per-VDOM setting. You can combine transparent mode VDOMs with NAT mode VDOMs on the same physical FortiGate.

Question #73

Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings.

Which statement is correct in adding the FTP .Login.Failed signature to the IPS sensor profile?

A . Traffic matching the signature will be silently dropped and logged.
B . The signature setting uses a custom rating threshold.
C . The signature setting includes a group of other signatures.
D . Traffic matching the signature will be allowed and logged.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

"pass" is only default action.

The Pass action on the specific signature would only be chosen, if the Action (on the top) was set to Default. But instead its set to Block, se the action is will be to block and drop.

Select Allow to allow traffic to continue to its destination. Select Monitor to allow traffic to continue to its destination and log the activity. Select Block to silently drop traffic matching any of the signatures included in the entry. Select Reset to generate a TCP RST packet whenever the signature is triggered. Select Default to use the default action of the signatures.

If you enable Packet logging, FortiGate saves a copy of the packet that matches the signature.

Question #74

Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.)

A . FortiGate uses the AD server as the collector agent
B . FortiGate uses the SMB protocol to read the event viewer logs from the DCs
C . FortiGate points the collector agent to use a remote LDAP server
D . FortiGate queries AD by using the LDAP to retrieve user group information

Reveal Solution Hide Solution

Correct Answer: B,D
B,D

Explanation:

The two correct statements regarding FortiGate FSSO agentless polling mode are:

B. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

In agentless polling mode, FortiGate uses the Server Message Block (SMB) protocol to access and read event viewer logs from the Domain Controllers (DCs).

D. FortiGate queries AD by using the LDAP to retrieve user group information.

In agentless polling mode, FortiGate queries Active Directory (AD) using the Lightweight Directory Access Protocol (LDAP) to retrieve user group information. So, the correct choices are B and D.

Question #75

Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

A . Local traffic logs
B . Forward traffic logs
C . System event logs
D . Security logs

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The type of logs on FortiGate that records information about traffic directly to and from the FortiGate nmanagement IP addresses is:

Question #76

Which two inspection modes can you use to configure a firewall policy on a profile-based next-generation firewall (NGFW)? (Choose two.)

A . Proxy-based inspection
B . Certificate inspection
C . Flow-based inspection
D . Full Content inspection

Reveal Solution Hide Solution

Correct Answer: A,C
A,C

Explanation:

The two inspection modes that you can use to configure a firewall policy on a profile-based next-generation firewall (NGFW) are:

Question #77

An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.

Which DPD mode on FortiGate will meet the above requirement?

A . Disabled
B . On Demand
C . Enabled
D . On Idle

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The Dead Peer Detection (DPD) mode on FortiGate that will meet the requirement of sending DPD probes only when no traffic is observed in the tunnel is "On Idle."

Therefore, the correct answer is:

D. On Idle

Disabled:

DPD is turned off. No detection probes are sent.

On Demand:

DPD probes are sent when there is no traffic detected in the tunnel for a specified period.

Enabled:

DPD probes are sent periodically, regardless of whether there is traffic in the tunnel or not.

On Idle:

DPD probes are sent only when there is no traffic observed in the tunnel for a certain period. This mode is often preferred when you want to conserve bandwidth by sending DPD probes only when the tunnel is not actively transmitting data.

In the context of the administrator’s requirement to send DPD probes only when no traffic is observed in the tunnel, the appropriate choice is "On Idle." This ensures that the DPD probes are triggered only during periods of inactivity, helping to detect and address potential issues in a more bandwidth-efficient manner.

Question #78

Refer to the exhibit.

The exhibit shows the IPS sensor configuration.

If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)

A . The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature.
B . The sensor will block all attacks aimed at Windows servers.
C . The sensor will reset all connections that match these signatures.
D . The sensor will gather a packet log for all matched traffic.

Reveal Solution Hide Solution

Correct Answer: A,B
A,B

Explanation:

The correct answers are:

Question #79

Refer to the exhibit.

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.

Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

A . The Detection Mode setting is not set to Passive.
B . Administrator didn’t configure a gateway for the SD-WAN members, or configured gateway is not valid.
C . The configured participants are not SD-WAN members.
D . The Enable probe packets setting is not enabled.

Reveal Solution Hide Solution

Correct Answer: B,D
B,D

Explanation:

The correct answers are:

B. Administrator didn’t configure a gateway for the SD-WAN members, or configured gateway is not valid.

D. The Enable probe packets setting is not enabled.

For option B, if the gateway for the SD-WAN members is not configured or is not valid, the FortiGate will not be able to send traffic through the SD-WAN members to reach the servers.

For option D, if the "Enable probe packets" setting is not enabled, the FortiGate will not send probe packets to the specified servers to check the health of the SD-WAN members.

Question #80

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

A . Antivirus engine
B . Intrusion prevention system engine
C . Flow engine
D . Detection engine

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

B. Intrusion prevention system engine.

The Intrusion Prevention System (IPS) engine on FortiGate handles application control traffic, along with other functions such as detecting and preventing network attacks based on predefined signatures and behavioral analysis.

Application control can be configured in proxy-based and flow-based firewall policies. However, because application control uses the IPS engine, which uses flow-based inspection, inspection is always flow-based.

It uses an IPS engine to analyze network traffic and detect application traffic, even if the application is using standard or non-standard protocols and ports.

Question #81

An administrator does not want to report the login events of service accounts to FortiGate.

What setting on the collector agent is required to achieve this?

A . Add the support of NTLM authentication
B . Add user accounts to the FortiGate group filter
C . Add user accounts to Active Directory (AD)
D . Add user accounts to the Ignore User List

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

D. Add user accounts to the Ignore User List

To achieve this, the administrator should add the service accounts to the Ignore User List on the collector agent. This will prevent the login events of these accounts from being reported to FortiGate.

To prevent the reporting of login events of service accounts to FortiGate using the collector agent, the appropriate setting is:

D. Add user accounts to the Ignore User List.

By adding the service accounts to the Ignore User List, you instruct the collector agent to exclude these accounts from reporting login events to FortiGate. This way, events related to the specified users will not be forwarded or logged.

Question #82

Which statement about the policy ID number of a firewall policy is true?

A . It is required to modify a firewall policy using the CLI.
B . It represents the number of objects used in the firewall policy.
C . It changes when firewall policies are reordered.
D . It defines the order in which rules are processed.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Question #83

How does FortiGate act when using SSL VPN in web mode?

A . FortiGate acts as an FDS server.
B . FortiGate acts as an HTTP reverse proxy.
C . FortiGate acts as DNS server.
D . FortiGate acts as router.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

B. FortiGate acts as an HTTP reverse proxy.

When using SSL VPN in web mode, FortiGate acts as an HTTP reverse proxy. It allows users to access internal resources securely via a web browser without the need for a VPN client installation. The FortiGate device receives HTTP requests from the client, forwards them to the internal server, and relays the responses back to the client.

So, the correct answer is

B. FortiGate acts as an HTTP reverse proxy.

Question #84

Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?

A . The security actions applied on the web applications will also be explicitly applied on the third-party websites.
B . The application signature database inspects traffic only from the original web application server.
C . FortiGuard maintains only one signature of each web application that is unique.
D . FortiGate can inspect sub-application traffic regardless where it was originated.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

D. FortiGate can inspect sub-application traffic regardless of where it originated.

FortiGate is capable of inspecting traffic from web applications embedded in third-party websites, regardless of where the traffic originated. This allows FortiGate to provide comprehensive security measures for web applications, including those embedded in third-party websites. FortiOS gives administrators all the tools they need to inspect sub-application traffic.

Reference: https://help.fortinet.com/fortiproxy/11/Content/Admin%20Guides/FPX-AdminGuide/300_System/303d_FortiGuard.htm

Question #85

Which two statements about SSL VPN between two FortiGate devices are true? (Choose two.)

A . The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
B . The client FortiGate requires a manually added route to remote subnets.
C . The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
D . Server FortiGate requires a CA certificate to verify the client FortiGate certificate.

Reveal Solution Hide Solution

Correct Answer: C,D
C,D

Explanation:

C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.

D. Server FortiGate requires a CA certificate to verify the client FortiGate certificate. Incorrect:

Question #86

A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.

What is the reason for the failed virus detection by FortiGate?

A . Application control is not enabled
B . SSL/SSH Inspection profile is incorrect
C . Antivirus profile configuration is incorrect
D . Antivirus definitions are not up to date

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

B is correct as https traffic requires SSL decryption. Check the ssh inspection profile.

The likely reason for the failed virus detection by FortiGate when downloading the EICAR test file through HTTPS is:

B. SSL/SSH Inspection profile is incorrect

SSL certificate inspection (SSL/SSH inspection) is necessary for FortiGate to inspect encrypted traffic. If the SSL/SSH Inspection profile is not correctly configured or if there are issues with the SSL certificate used for inspection, the FortiGate device may not be able to inspect the contents of the encrypted HTTPS traffic, leading to a failure in virus detection.

So, the correct answer is B. SSL/SSH Inspection profile is incorrect.

"Full inspection is required"

Question #87

An administrator is configuring an Ipsec between site A and site B. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24.

How must the administrator configure the local quick mode selector for site B?

A . 192.16.3.0/24
B . 192.16.2.0/24
C . 192.16.1.0/24
D . 192.16.0.0/8

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The local quick mode selector for site B should be configured to match the remote quick mode selector of site

Question #88

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.

Which two other security profiles can you apply to the security policy? (Choose two.)

A . Antivirus scanning
B . File filter
C . DNS filter
D . Intrusion prevention

Reveal Solution Hide Solution

Correct Answer: A,D
A,D

Explanation:

Security policy: If the traffic is allowed as per the consolidated policy, FortiGate will then process it based on the security policy to analyze additional criteria, such as URL categories for web filtering and application control. Also, if enabled, the security policy further inspects traffic using security profiles such as IPS and AV.

When FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy, you can also apply Antivirus scanning and Intrusion Prevention security profiles. These additional security profiles enhance the overall security posture of the network.

Extra explanation:

In addition to web filtering and application control, you can apply the following security profiles to the security policy on a FortiGate firewall:

Question #89

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

A . The subject field in the server certificate
B . The serial number in the server certificate
C . The server name indication (SNI) extension in the client hello message
D . The subject alternative name (SAN) field in the server certificate
E . The host field in the HTTP header

Reveal Solution Hide Solution

Correct Answer: A,C,D
A,C,D

Explanation:

When SSL certificate inspection is enabled, FortiGate uses the following three pieces of information to identify the hostname of the SSL server:

Question #90

Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.

Which three pieces of information are included in the sniffer output? (Choose three.)

A . Interface name
B . Ethernet header
C . IP header
D . Application header
E . Packet payload

Reveal Solution Hide Solution

Correct Answer: A,C,E
A,C,E

Explanation:

Packet Capture Verbosity Level which is set to 5 in the exhibit, if it was level 6 it should also include ethernet headers. Application headers are never included.

This is Correct:

Packet payload

IP header

Interface name

Sniffer with verbose 5: IP header, IP payload, Port name.

Question #91

To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?

A . FortiManager
B . Root FortiGate
C . FortiAnalyzer
D . Downstream FortiGate

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The correct answer is C. FortiAnalyzer.

Explanation:

In a Security Fabric configuration, after the devices are added to the Security Fabric, the final step is to authorize these devices. This authorization process is typically done through FortiAnalyzer, which manages and controls the Security Fabric. FortiAnalyzer allows administrators to centrally manage and monitor the Security Fabric, including authorizing devices to participate in the Security Fabric.

All devices must be authorized on the root Fortigate, and then after this step all must be authorized on the FortiAnalyzer.

Question #92

NGFW mode allows policy-based configuration for most inspection rules.

Which security profile’s configuration does not change when you enable policy-based inspection?

A . Web filtering
B . Antivirus
C . Web proxy
D . Application control

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Antivirus and IPS is enhanced by the IPS Engine, so that is why B is the right answer.

When you enable policy-based inspection in NGFW (Next-Generation Firewall) mode, the security profile configuration that typically does not change is:

B. Antivirus So, the correct answer is B. Antivirus.

Question #93

Refer to the exhibit to view the application control profile.

Based on the configuration, what will happen to Apple FaceTime?

A . Apple FaceTime will be allowed, based on the Apple filter configuration.
B . Apple FaceTime will be allowed, based on the Categories configuration.
C . Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.
D . Apple FaceTime will be allowed only if the filter in Application and Filter Overrides is set to Learn.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Apple facetime will be blocked according to the "Excessive Bandwidth" filter.

Facetime belongs to VoIP category which is monitored here and therefore should be allowed, however, because of the behavior of the facetime "Excessive-Bandwidth", the custom filter Excessive-Bandwidth will block Facetime and the lookup won’t continue to the second filter.

The excessive bandwidth filter contains facetime and is referenced by the application sensor with the action to block. There is no reference to a bandwidth threshold at which point the filter is applied so the number of calls is irrelevant.

Question #94

Which two statements are true about collector agent standard access mode? (Choose two.)

A . Standard mode uses Windows convention-NetBios: DomainUsername.
B . Standard mode security profiles apply to organizational units (OU).
C . Standard mode security profiles apply to user groups.
D . Standard access mode supports nested groups.

Reveal Solution Hide Solution

Correct Answer: A,C
A,C

Explanation:

Question #95

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

A . FortiGate automatically negotiates different local and remote addresses with the remote peer.
B . FortiGate automatically negotiates a new security association after the existing security association expires.
C . FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
D . FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

When IPsec SAs expire, FortiGate needs to negotiate new SAs to continue sending and receiving traffic over the IPsec tunnel. Technically, FortiGate deletes the expired SAs from the respective phase 2 selectors, and installs new ones. If IPsec SA renegotiation takes too much time, then FortiGate might drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Auto-negotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away. The latter prevents traffic disruption by IPsec SA renegotiation. Enable auto-negotiate by default enabling auto-keep-alive too which brings up tunnel automatically. Answer B is little bit tricky, auto-negotiate will negotiate new SA "before" existing SA expired not "after" existing SA expired.

Question #96

Which two types of traffic are managed only by the management VDOM? (Choose two.)

A . FortiGuard web filter queries
B . PKI
C . Traffic shaping
D . DNS

Reveal Solution Hide Solution

Correct Answer: A,D
A,D

Explanation:

"NTP, FortiGuard updated/queries, SNMP, DNS Filtering, Log settings and other mgmt related services". B is wrong because PKI stands for Public Key Infrastructure and is associated with VPNS C is wrong because traffic shaping is configured on a ‘Traffic Shaping Policy’ A is correct because Fortigate will use Fortiguard for these queries

D is correct as the management VDOM (very similar to Palo Alto) can use DNS for DNS queries

The FortiGate uses DNS, FortiGuard and other servers through the management VDOM

Regardless of of question:

Global settings for vdom’s are:

Hostname.

HA Settings.

Fortiguard Settings.

System time.

Administrative Accounts.

Question #97

Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.)

A . udp-echo
B . DNS
C . TWAMP
D . ping

Reveal Solution Hide Solution

Correct Answer: A,C
A,C

Explanation:

The correct answers are:

Question #98

Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode? (Choose two.)

A . FG-traffic
B . Mgmt
C . FG-Mgmt
D . Root

Reveal Solution Hide Solution

Correct Answer: A,D
A,D

Explanation:

Root VDOM is created by default when VDOMs are enabled.

configure on Fortigate:

– captive portal authentication required

– Authentication failed message for Sales users

– Authentication success for HR users

– second policy used by HR users

In FortiOS, when setting up a FortiGate in split VDOM mode, the default VDOMs created are FG-traffic and Root.

So, in this case, the correct answers would be A. FG-traffic and D. Root.

Question #99

Which three methods are used by the collector agent for AD polling? (Choose three.)

A . WMI
B . Novell API
C . WinSecLog
D . NetAPI
E . FortiGate polling

Reveal Solution Hide Solution

Correct Answer: A,C,D
A,C,D

Explanation:

The correct options for the methods used by the collector agent for AD polling are:

Question #100

If the Services field is configured in a Virtual IP (VIP), which of the following statements is true when central NAT is used?

A . The Services field removes the requirement of creating multiple VIPs for different services.
B . The Services field is used when several VIPs need to be bundled into VIP groups.
C . The Services field does not allow source NAT and destination NAT to be combined in the same policy.
D . The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a
single computer.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The Services option has been added to VIP objects. When services and port forward are configured, only a single mapped port can be configured. However, multiple external ports can be mapped to that single internal port. This configuration was made possible to allow for complex scenarios where multiple sources of traffic are using multiple services to connect to a single computer, while requiring a combination of source and destination NAT, and not requiring numerous VIPs to be bundled into VIP groups. VIPs with different services are considered non-overlapping.

When the Services field is configured in a Virtual IP (VIP), it allows you to specify multiple services or ports for the same VIP. This eliminates the need to create separate VIPs for different services, as you can define multiple services within a single VIP using the Services field. This is particularly useful for simplifying configuration and management.

Question #101

An administrator needs to increase network bandwidth and provide redundancy.

What interface type must the administrator select to bind multiple FortiGate interfaces?

A . VLAN interface
B . Software Switch interface
C . Aggregate interface
D . Redundant interface

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated (combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred automatically to the remaining interfaces with the only noticeable effect being a reduced bandwidth.

To increase network bandwidth and provide redundancy, an administrator can use an Aggregate Interface (also known as Link Aggregation or Port Channel). This interface type allows multiple physical interfaces to be combined into a single logical interface, providing increased bandwidth and fault tolerance. This logical interface appears as a single interface to the rest of the network, and it distributes traffic across the member interfaces.

Question #102

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?

A . FG-traffic VDOM
B . Root VDOM
C . Customer VDOM
D . Global VDOM

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

If you enable split-task VDOM mode on the upstream FGT device, it can allow downstream FGT devices to join the Security Fabric in the root and FG-Traffic VDOMs. If split-task VDOM mode is enabled on the downstream FortiGate, it can only connect to the upstream FortiGate through the downstream FortiGate interface on the root VDOM.