Question 1
Question
Which configuration objects can be selected for the Source field of a firewall policy? (Choose two.)
Answers
- Firewall service
- User or user group
- IP Pool
- FQDN address
Question 2
Question
If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used?
Answers
- The Services field prevents SNAT and DNAT from being combined in the same policy.
- The Services field is used when you need to bundle several VIPs into VIP groups.
- The Services field removes the requirement to create multiple VIPs for different services.
- The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.
Question 3
Question
Which of the following statements about central NAT are true? (Choose two.)
Answers
- IP pool references must be removed from existing firewall policies before enabling central NAT.
- Central NAT can be enabled or disabled from the CLI only.
- Source NAT, using central NAT, requires at least one central SNAT policy.
- Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall policy.
Question 4
Question
Examine the exhibit, which shows the partial output of an IKE real-time debug.
Which of the following statements about the output is true?
Answers
- The VPN is configured to use pre-shared key authentication.
- Extended authentication (XAuth) was successful.
- Remote is the host name of the remote IPsec peer.
- Phase 1 went down.
Question 5
Question
An administrator is configuring an antivirus profile on FortiGate and notices that Proxy Options is not listed under Security Profiles on the GUI. What can cause this issue?
Answers
- FortiGate needs to be switched to NGFW mode.
- The Proxy Options section is hidden by default and needs to be enabled from the Feature Visibility menu.
- Proxy options are no longer available starting in FortiOS 5.6.
- FortiGate is in flow-based inspection mode.
Question 6
Question
Which of the following services can be inspected by the DLP profile? (Choose three.)
Answers
- NFS
- FTP
- IMAP
- CIFS
- HTTP-POST
Question 7
Question
Examine the following web filtering log. Which statement about the log message is true?
Answers
- The action for the category Games is set to block.
- The usage quota for the IP address 10.0.1.10 has expired.
- The name of the applied web filter profile is default.
- The web site miniclip.com matches a static URL filter whose action is set to Warning.
Question 8
Question
Which of the following static routes are not maintained in the routing table?
Answers
- Named Address routes
- Dynamic routes
- ISDB routes
- Policy routes
Question 9
Question
An administrator is attempting to allow access to https://fortinet.com through a firewall policy that is configured with a web filter and an SSL inspection profile configured for deep inspection. Which of the following are possible actions to eliminate the certificate error generated by deep inspection? (Choose two.)
Answers
- Implement firewall authentication for all users that need access to fortinet.com.
- Manually install the FortiGate deep inspection certificate as a trusted CA.
- Configure fortinet.com access to bypass the IPS engine.
- Configure an SSL-inspection exemption for fortinet.com.
Question 10
Question
If traffic matches a DLP filter with the action set to Quarantine IP Address, what action does FortiGate take?
Answers
- It notifies the administrator by sending an email.
- It provides a DLP block replacement page with a link to download the file.
- It blocks all future traffic for that IP address for a configured interval.
- It archives the data for that IP address.
Question 11
Question
An administrator wants to throttle the total volume of SMTP sessions to their email server. Which of the following DoS sensors can be used to achieve this?
Answers
- tcp_port_scan
- ip_dst_session
- udp_flood
- ip_src_session
Question 12
Question
View the certificate shown in the exhibit, and then answer the following question:
The CA issued this certificate to which entity?
Answers
- A root CA
- A person
- A bridge CA
- A subordinate CA
Question 13
Question
What information is flushed when the chunk-size value is changed in the config dlp settings?
Answers
- The database for DLP document fingerprinting
- The supported file types in the DLP filters
- The archived files and messages
- The file name patterns in the DLP filters
Question 14
Question
View the exhibit.
VDOM1 is operating in transparent mode; VDOM2 is operating in NAT/Route mode. There is an interface VDOM link between both VDOMs. A client workstation with the IP address 10.0.1.10/24 is connected to port2. A web server with the IP address 10.200.1.2/24 is connected to port1.
What is required in the FortiGate configuration to route and allow connections from the client workstation to the web server? (Choose two.)
Answers
- A static or dynamic route in VDOM2 with the subnet 10.0.1.0/24 as the destination.
- A static or dynamic route in VDOM1 with the subnet 10.200.1.0/24 as the destination.
- One firewall policy in VDOM1 with port2 as the source interface and InterVDOM0 as the destination interface.
- One firewall policy in VDOM2 with InterVDOM1 as the source interface and port1 as the destination interface.
Question 15
Question
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.)
Answers
- Log downloads from the GUI are limited to the current filter view.
- Log backups from the CLI cannot be restored to another FortiGate.
- Log backups from the CLI can be configured to upload to FTP at a scheduled time.
- Log downloads from the GUI are stored as LZ4 compressed files.
Question 16
Question
Examine the routing database shown in the exhibit, and then answer the following question:
Which of the following statements are correct? (Choose two.)
Answers
- The port3 default route has the highest distance.
- The port3 default route has the lowest metric.
- There will be eight routes active in the routing table.
- The port1 and port2 default routes are active in the routing table.
Question 17
Question
Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?
Answers
- FG-traffic VDOM
- Root VDOM
- Customer VDOM
- Global VDOM
Question 18
Question
Examine the exhibit, which contains a session diagnostic output.
Which of the following statements about the session diagnostic output is true?
Answers
- The session is in ESTABLISHED state.
- The session is in LISTEN state.
- The session is in TIME_WAIT state.
- The session is in CLOSE_WAIT state.
Question 19
Question
Examine the network diagram shown in the exhibit, and then answer the following question:
A firewall administrator must configure equal cost multipath (ECMP) routing on FGT1 to ensure both port1 and port3 links are used at the same time for all traffic destined for 172.20.2.0/24. Which of the following static routes will satisfy this requirement on FGT1? (Choose two.)
Answers
- 172.20.2.0/24 (1/0) via 10.10.1.2, port1 [0/0]
- 172.20.2.0/24 (25/0) via 10.10.3.2, port3 [5/0]
- 172.20.2.0/24 (1/150) via 10.10.1.2, port3 [10/0]
- 172.20.2.0/24 (1/150) via 10.30.3.2, port3 [10/0]
Question 20
Question
Examine this FortiGate configuration:
    config system global
        set av-failopen pass
    end
Examine the output of the following debug command:
Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection?
Answers
- It is allowed, but with no inspection.
- It is allowed and inspected, as long as the inspection is flow-based.
- It is dropped.
- It is allowed and inspected, as long as the only inspection required is antivirus.
Question 21
Question
HTTP Public Key Pinning (HPKP) can be an obstacle to implementing full SSL inspection. What solutions could resolve this problem? (Choose two.)
Answers
- Enable Allow Invalid SSL Certificates for the relevant security profile.
- Change web browsers to one that does not support HPKP.
- Exempt those web sites that use HPKP from full SSL inspection.
- Install the CA certificate (that is required to verify the web server certificate) in the certificate stores of users' computers.
Question 22
Question
Examine the exhibit, which shows the output of a web filtering real-time debug.
Why is the site www.bing.com being blocked?
Answers
- The web site www.bing.com is categorized by FortiGuard as Malicious Websites.
- The user has not authenticated with the FortiGate yet.
- The web server IP address 204.79.197.200 is categorized by FortiGuard as Malicious Websites.
- The rating for the web site www.bing.com has been locally overridden to a category that is being blocked.
Question 23
Question
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub-interfaces added to the physical interface.
Which statement about the VLAN sub-interfaces is true?
Answers
- The two VLAN sub-interfaces can have the same VLAN ID, only if they have IP addresses in different subnets.
- The two VLAN sub-interfaces must have different VLAN IDs.
- The two VLAN sub-interfaces can have the same VLAN ID, only if they belong to different VDOMs.
- The two VLAN sub-interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
Question 24
Question
Examine the network diagram and the existing FGT1 routing table shown in the exhibit, and then answer the following question:
An administrator has added the following static route on FGT1.
    DESTINATION: 172.20.1.0/244
    GATEWAY: 172.11.12.1
    INTERFACE: port1
    ADMINISTRATIVE DISTANCE: 10
Since the change, the new static route is not showing up in the routing table. Given the information provided, which of the following describes the cause of this problem?
Answers
- The new route's destination subnet overlaps an existing route.
- The new route's Distance value should be higher than 10.
- The Gateway IP address is not in the same subnet as port1.
- The Priority is 0, which means that this route will remain inactive.
Question 25
Question
Which of the following statements about NTLM authentication are correct? (Choose two.)
Answers
- It is useful when users log in to DCs that are not monitored by a collector agent.
- It takes over as the primary authentication method when configured alongside FSSO.
- Multi-domain environments require DC agents on every domain controller.
- NTLM-enabled web browsers are required.
Question 26
Question
Examine the exhibit, which contains a virtual IP and firewall policy configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?
Question 27
Question
Which statements about antivirus scanning mode are true? (Choose two.)
Answers
- In proxy-based inspection mode, antivirus buffers the whole file for scanning before sending it to the client.
- In flow-based inspection mode, you can use the CLI to configure antivirus profiles to use protocol option profiles.
- In proxy-based inspection mode, if a virus is detected, a replacement message may not be displayed immediately.
- In quick scan mode, you can configure antivirus profiles to use any of the available signature databases.
Question 28
Question
Which of the following statements are true when using WPAD with the DHCP discovery method? (Choose two.)
Answers
- If the DHCP method fails, browsers will try the DNS method.
- The browser needs to be preconfigured with the DHCP server's IP address.
- The browser sends a DHCPINFORM request to the DHCP server.
- The DHCP server provides the PAC file for download.
Question 29
Question
Which statements correctly describe transparent mode operation? (Choose three.)
Answers
- All interfaces of the transparent mode FortiGate device must be on different IP subnets.
- Ethernet packets are forwarded based on destination MAC addresses, not IP addresses.
- The transparent FortiGate is visible to network hosts in an IP traceroute.
- It permits inline traffic inspection and firewalling without changing the IP scheme of the network.
- FortiGate acts as a transparent bridge and forwards traffic at Layer 2.
Question 30
Question
A team manager has decided that while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective option to support this request?
Answers
- Implement a web filter category override for the specified website.
- Implement web filter authentication for the specified website.
- Implement web filter quotas for the specified website.
- Implement a DNS filter for the specified website.
Question 31
Question
Examine the IPS sensor configuration shown in the exhibit, and then answer the question below.
An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this?
Answers
- The IPS filter is missing the Protocol: HTTPS option.
- The HTTPS signatures have not been added to the sensor.
- A DoS policy should be used, instead of an IPS sensor.
- The firewall policy is not using a full SSL inspection profile.
Question 32
Question
View the exhibit.
Why is the administrator getting the error shown in the exhibit?
Answers
- The administrator must first enter the command edit global.
- The administrator admin does not have the privileges required to configure global settings.
- The global settings cannot be configured from the root VDOM context.
- The command config system global does not exist in FortiGate.
Question 33
Question
View the exhibit.
Based on this output, which statements are correct? (Choose two.)
Answers
- The all VDOM is not synchronized between the primary and secondary FortiGate devices.
- The root VDOM is not synchronized between the primary and secondary FortiGate devices.
- The global configuration is synchronized between the primary and secondary FortiGate devices.
- The FortiGate devices have three VDOMs.
Question 34
Question
A company needs to provide SSL VPN access to two user groups. The company also needs to display different welcome messages on the SSL VPN login screen for both user groups.
What is required in the SSL VPN configuration to meet these requirements?
Answers
- Different SSL VPN realms for each group.
- Two separate SSL VPNs in different interfaces mapping the same ssl.root.
- Two firewall policies with different captive portals.
- Different virtual SSL VPN IP addresses for each group.
Question 35
Question
View the exhibit.
Which of the following statements are correct? (Choose two.)
Answers
- This setup requires at least two firewall policies with the action set to IPsec.
- Dead peer detection must be disabled to support this type of IPsec setup.
- The TunnelB route is the primary route for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.
- This is a redundant IPsec setup.
Question 36
Question
What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)
Question 37
Question
An administrator has configured central DNAT and virtual IPs. Which of the following can be selected in the firewall policy Destination field?
Question 38
Question
Examine this output from a debug flow:
Why did the FortiGate drop the packet?
Answers
- The next-hop IP address is unreachable.
- It failed the RPF check.
- It matched an explicitly configured firewall policy with the action DENY.
- It matched the default implicit firewall policy.
Question 39
Question
View the exhibit.
What does this raw log indicate? (Choose two.)
Answers
- FortiGate blocked the traffic.
- type indicates that a security event was recorded.
- 10.0.1.20 is the IP address for lavito.tk.
- policyid indicates that traffic went through the IPS firewall policy.
Question 40
Question
View the exhibit. Which of the following statements is true regarding the configuration settings?
Answers
- When a remote user accesses https://11.200.1.1:443, the FortiGate login page appears.
- When a remote user accesses https://10.200.1.1:443, the FortiGate login page appears.
- When a remote user accesses http://10.200.1.1:443, the FortiGate login page appears.
- When a remote user accesses http://10.200.1.1:443, the SSL VPN login page appears.
- The settings are invalid. The administrator settings and the SSL VPN settings cannot use the same port.
Question 41
Question
Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate?
Question 42
Question
To complete the final step of a Security Fabric configuration, an administrator must authorize all the devices on which device?
Answers
- FortiManager
- Root FortiGate
- FortiAnalyzer
- Downstream FortiGate
Question 43
Question
Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)
Answers
- It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
- ADVPN is only supported with IKEv2.
- Tunnels are negotiated dynamically between spokes.
- Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.
Question 44
Question
Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?
Answers
- The public key of the web server certificate must be installed on the browser.
- The web-server certificate must be installed on the browser.
- The CA certificate that signed the web-server certificate must be installed on the browser.
- The private key of the CA certificate that signed the browser certificate must be installed on the browser.
Question 45
Question
View the exhibit.
Based on the configuration shown in the exhibit, what statements about application control behavior are true?
Answers
- Access to all unknown applications will be allowed.
- Access to browser-based Social.Media applications will be blocked.
- Access to mobile social media applications will be blocked.
- Access to all applications in the Social.Media category will be blocked.
Question 46
Question
An administrator needs to create an SSL-VPN connection for accessing an internal server using the bookmark Port Forward. What step is required for this configuration?
Answers
- Configure an SSL VPN realm for clients to use the port forward bookmark.
- Configure the client application to forward IP traffic through FortiClient.
- Configure the virtual IP address to be assigned to the SSL VPN users.
- Configure the client application to forward IP traffic to a Java applet proxy.
Question 47
Question
A FortiGate device has multiple VDOMs. Which statement about an administrator account configured with the default prof_admin profile is true?
Answers
- It can create administrator accounts with access to the same VDOM.
- It cannot have access to more than one VDOM.
- It can reset the password for the admin account.
- It can upgrade the firmware on the FortiGate device.
Question 48
Question
When override is enabled, which of the following shows the process and selection criteria that are used to elect the primary FortiGate in an HA cluster?
Answers
- Connected monitored ports > HA uptime > priority > serial number
- Priority > Connected monitored ports > HA uptime > serial number
- Connected monitored ports > priority > HA uptime > serial number
- HA uptime > priority > Connected monitored ports > serial number
Question 49
Question
Which statements about virtual domains (VDOMs) are true? (Choose two.)
Answers
- Transparent mode and NAT/Route mode VDOMs cannot be combined on the same FortiGate.
- Each VDOM can be configured with a different system hostname.
- Different VLAN sub-interfaces of the same physical interface can be assigned to different VDOMs.
- Each VDOM has its own routing table.
Question 50
Question
Which of the following conditions are required for establishing an IPsec VPN between two FortiGate devices? (Choose two.)
Answers
- If XAuth is enabled as a server in one peer, it must be enabled as a client in the other peer.
- If the VPN is configured as route-based, there must be at least one firewall policy with the action set to IPsec.
- If the VPN is configured as DialUp User in one peer, it must be configured as either Static IP Address or Dynamic DNS in the other peer.
- If the VPN is configured as policy-based in one peer, it must also be configured as policy-based in the other peer.