Question 1
Question
Regarding tunnel-mode SSL VPN, which three statements are correct? (Choose three.)
Answers
-
A. Split tunneling is supported.
-
B. It requires the installation of a VPN client.
-
C. It requires the use of an Internet browser.
-
D. It does not support traffic from third-party network applications.
-
E. An SSL VPN IP address is dynamically assigned to the client by the FortiGate unit.
Question 2
Question
Which two statements are true about IPsec VPNs and SSL VPNs? (Choose two.)
Answers
-
A. SSL VPN creates an HTTPS connection. IPsec does not.
-
B. Both SSL VPNs and IPsec VPNs are standard protocols.
-
C. Either an SSL VPN or an IPsec VPN can be established between two FortiGate devices.
-
D. Either an SSL VPN or an IPsec VPN can be established between an end-user workstation and a FortiGate device.
Question 3
Question
A user logs into an SSL VPN portal and activates the tunnel mode. The administrator has enabled split tunneling. The exhibit shows the firewall policy configuration:
Which static route is automatically added to the client’s routing table when the tunnel mode is activated?
Answers
-
A. A route to a destination subnet matching the Internal_Servers address object.
-
B. A route to the destination subnet configured in the tunnel mode widget.
-
C. A default route.
-
D. A route to the destination subnet configured in the SSL VPN global settings.
Question 4
Question
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?
Answers
-
A. The remote user's virtual IP address.
-
B. The FortiGate unit's internal IP address.
-
C. The remote user's public IP address.
-
D. The FortiGate unit's external IP address.
Question 5
Question
Regarding the use of web-only mode SSL VPN, which statement is correct?
Answers
-
A. It supports SSL version 3 only.
-
B. It requires a Fortinet-supplied plug-in on the web client.
-
C. It requires the user to have a web browser that supports 64-bit cipher length.
-
D. The JAVA run-time environment must be installed on the client.
Question 6
Question
An administrator wants to create an IPsec VPN tunnel between two FortiGate devices.
Which three configuration steps must be performed on both units to support this scenario? (Choose three.)
Answers
-
A. Create firewall policies to allow and control traffic between the source and destination IP addresses.
-
B. Configure the appropriate user groups to allow users access to the tunnel.
-
C. Set the operating mode to IPsec VPN mode.
-
D. Define the phase 2 parameters.
-
E. Define the Phase 1 parameters.
Question 7
Question
You are the administrator in charge of a FortiGate acting as an IPsec VPN gateway using route-based mode. Users from either side must be able to initiate new sessions. There is only 1 subnet at either end and the FortiGate already has a default route.
Which two configuration steps are required to achieve these objectives? (Choose two.)
Answers
-
A. Create one firewall policy.
-
B. Create two firewall policies.
-
C. Add a route to the remote subnet.
-
D. Add two IPsec phases 2.
Question 8
Question
An administrator has configured a route-based site-to-site IPsec VPN. Which statement is correct regarding this IPsec VPN configuration?
Answers
-
A. The IPsec firewall policies must be placed at the top of the list.
-
B. This VPN cannot be used as part of a hub and spoke topology.
-
C. Routes are automatically created based on the quick mode selectors.
-
D. A virtual IPsec interface is automatically created after the Phase 1 configuration is completed.
Question 9
Question
What is IPsec Perfect Forward Secrecy (PFS)?
Answers
-
A. A phase-1 setting that allows the use of symmetric encryption.
-
B. A phase-2 setting that allows the recalculation of a new common secret key each time the session key
-
C. A ‘key-agreement’ protocol.
-
D. A ‘security-association-agreement’ protocol.
Question 10
Question
Which IPsec configuration mode can be used for implementing GRE-over-IPsec VPNs?
Question 11
Question
Which antivirus and attack definition update options are supported by FortiGate units? (Choose two.)
Answers
-
A. Manual update by downloading the signatures from the support site.
-
B. Pull updates from the FortiGate.
-
C. Push updates from a FortiAnalyzer.
-
D. execute fortiguard-AV-AS command from the CLI.
Question 12
Question
Which antivirus inspection mode must be used to scan SMTP, FTP, POP3 and SMB protocols?
Answers
-
A. Proxy-based.
-
B. DNS-based.
-
C. Flow-based.
-
D. Man-in-the-middle.
Question 13
Question
Which statements regarding banned words are correct? (Choose two.)
Answers
-
A. Content is automatically blocked if a single instance of a banned word appears.
-
B. The FortiGate updates banned words on a periodic basis.
-
C. The FortiGate can scan web pages and email messages for instances of banned words.
-
D. Banned words can be expressed as simple text, wildcards and regular expressions.
Question 14
Question
Examine the exhibit; then answer the question below.
Which statement describes the green status indicators that appear next to the different FortiGuard Distribution Network services as illustrated in the exhibit?
Answers
-
A. They indicate that the FortiGate has the latest updates available from the FortiGuard Distribution Network.
-
B. They indicate that updates are available and should be downloaded from the FortiGuard Distribution Network to the FortiGate unit.
-
C. They indicate that the FortiGate is in the process of downloading updates from the FortiGuard Distribution Network.
-
D. They indicate that the FortiGate is able to connect to the FortiGuard Distribution Network.
Question 15
Question
A FortiGate is configured to receive push updates from the FortiGuard Distribution Network; however, updates are not being received.
Which are two reasons for this problem? (Choose two.)
Answers
-
A. The FortiGate is connected to multiple ISPs.
-
B. There is a NAT device between the FortiGate and the FortiGuard Distribution Network.
-
C. The FortiGate is in Transparent mode.
-
D. The external facing interface of the FortiGate is configured to get the IP address from a DHCP server.
Question 16
Question
Which statement is correct regarding virus scanning on a FortiGate unit?
Answers
-
A. Virus scanning is enabled by default.
-
B. Fortinet customer support enables virus scanning remotely for you.
-
C. Virus scanning must be enabled in a security profile, which must be applied to a firewall policy.
-
D. Enabling virus scanning in a security profile enables virus protection for all traffic flowing through the FortiGate.
Question 17
Question
Which statements are true regarding the use of a PAC file to configure the web proxy settings in an Internet browser? (Choose two.)
Answers
-
A. Only one proxy is supported.
-
B. Can be manually imported to the browser.
-
C. The browser can automatically download it from a web server.
-
D. Can include a list of destination IP subnets where the browser can connect directly to without using a proxy.
Question 18
Question
Examine the following FortiGate web proxy configuration; then answer the question below:
config web-proxy explicit
set pac-file-server-status enable
set pac-file-server-port 8080
set pac-file-name wpad.dat
end
Assuming that the FortiGate proxy IP address is 10.10.1.1, which URL must an Internet browser use to download the PAC file?
Answers
-
A. https://10.10.1.1:8080
-
B. https://10.10.1.1:8080/wpad.dat
-
C. http://10.10.1.1:8080/
-
D. http://10.10.1.1:8080/wpad.dat
Question 19
Question
Which two methods are supported by the web proxy auto-discovery protocol (WPAD) to automatically learn the URL where a PAC file is located? (Choose two.)
Question 20
Question
What is a valid reason for using session-based authentication instead of IP-based authentication in a FortiGate web proxy solution?
Answers
-
A. Users are required to manually enter their credentials each time they connect to a different web site.
-
B. Proxy users are authenticated via FSSO.
-
C. There are multiple users sharing the same IP address.
-
D. Proxy users are authenticated via RADIUS.
Question 21
Question
Which statements are correct regarding URL filtering on a FortiGate unit? (Choose two.)
Answers
-
A. The allowed actions for URL filtering include allow, block, monitor and exempt.
-
B. The allowed actions for URL filtering are Allow and Block only.
-
C. URL filters may be based on patterns using simple text, wildcards and regular expressions.
-
D. URL filters are based on simple text only and require an exact match.
Question 22
Question
Which of the following regular expression patterns makes the term "confidential data" case-insensitive?
Answers
-
A. [confidential data]
-
B. /confidential data/i
-
C. i/confidential data/
-
D. "confidential data"
Question 23
Question
Which two web filtering inspection modes inspect the full URL? (Choose two.)
Answers
-
A. DNS-based.
-
B. Proxy-based.
-
C. Flow-based.
-
D. URL-based.
Question 24
Question
Which web filtering inspection mode inspects DNS traffic?
Answers
-
A. DNS-based.
-
B. FQDN-based.
-
C. Flow-based.
-
D. URL-based.
Question 25
Question
How do you configure a FortiGate to apply traffic shaping to P2P traffic, such as BitTorrent?
Answers
-
A. Apply a traffic shaper to a BitTorrent entry in an application control list, which is then applied to a firewall policy.
-
B. Enable the shape option in a firewall policy with service set to BitTorrent.
-
C. Define a DLP rule to match against BitTorrent traffic and include the rule in a DLP sensor with traffic shaping enabled.
-
D. Apply a traffic shaper to a protocol options profile.
Question 26
Question
Which statements are correct regarding application control? (Choose two.)
Answers
-
A. It is based on the IPS engine.
-
B. It is based on the AV engine.
-
C. It can be applied to SSL encrypted traffic.
-
D. Application control cannot be applied to SSL encrypted traffic.
Question 27
Question
Which statements are true regarding traffic shaping that is applied in an application sensor, and associated with a firewall policy? (Choose two.)
Answers
-
A. Shared traffic shaping cannot be used.
-
B. Only traffic matching the application control signature is shaped.
-
C. Can limit the bandwidth usage of heavy traffic applications.
-
D. Per-IP traffic shaping cannot be used.
Question 28
Question
In this scenario, the FortiGate unit in Ottawa has the following routing table:
S* 0.0.0.0/0 [10/0] via 172.20.170.254, port2
C 172.20.167.0/24 is directly connected, port1
C 172.20.170.0/24 is directly connected, port2
Sniffer tests show that packets sent from the source IP address 172.20.168.2 to the destination IP address 172.20.169.2 are being dropped by the FortiGate located in Ottawa. Which of the following correctly describes the cause for the dropped packets?
Answers
-
A. The forward policy check.
-
B. The reverse path forwarding check.
-
C. The subnet 172.20.169.0/24 is NOT in the Ottawa FortiGate’s routing table.
-
D. The destination workstation 172.20.169.2 does NOT have the subnet 172.20.168.0/24 in its routing table.
Question 29
Question
Examine the two static routes to the same destination subnet 172.20.168.0/24 as shown below; then answer the question following it.
config router static
edit 1
set dst 172.20.168.0 255.255.255.0
set distance 20
set priority 10
set device port1
next
edit 2
set dst 172.20.168.0 255.255.255.0
set distance 20
set priority 20
set device port2
next
end
Which of the following statements correctly describes the static routing configuration provided above?
Answers
-
A. The FortiGate evenly shares the traffic to 172.20.168.0/24 through both routes.
-
B. The FortiGate shares the traffic to 172.20.168.0/24 through both routes, but the port2 route will carry approximately twice as much of the traffic.
-
C. The FortiGate sends all the traffic to 172.20.168.0/24 through port1.
-
D. Only the route that is using port1 will show up in the routing table.
Question 30
Question
The Vancouver FortiGate initially had the following information in its routing table:
S 172.20.0.0/16 [10/0] via 172.21.1.2, port2
C 172.21.0.0/16 is directly connected, port2
C 172.11.11.0/24 is directly connected, port1
Afterwards, the following static route was added:
config router static
edit 6
set dst 172.20.1.0 255.255.255.0
set priority 0
set device port1
set gateway 172.11.12.1
next
end
Since this change, the new static route is NOT showing up in the routing table. Given the information provided, which of the following describes the cause of this problem?
Answers
-
A. The subnet 172.20.1.0/24 is overlapped with the subnet of one static route that is already in the routing table (172.20.0.0/16), so, we need to enable allow-subnet-overlap first.
-
B. The 'gateway' IP address is NOT in the same subnet as the IP address of port1.
-
C. The priority is 0, which means that the route will remain inactive.
-
D. The static route configuration is missing the distance setting.
Question 31
Question
Examine the static route configuration shown below; then answer the question following it.
config router static
edit 1
set dst 172.20.1.0 255.255.255.0
set device port1
set gateway 172.11.12.1
set distance 10
set weight 5
next
edit 2
set dst 172.20.1.0 255.255.255.0
set blackhole enable
set distance 5
set weight 10
next
end
Which of the following statements correctly describes the static routing configuration provided? (Choose two.)
Answers
-
A. All traffic to 172.20.1.0/24 is dropped by the FortiGate.
-
B. As long as port1 is up, all traffic to 172.20.1.0/24 is routed by the static route number 1. If the interface port1 is down, the traffic is routed using the blackhole route.
-
C. The FortiGate unit does NOT create a session entry in the session table when the traffic is being routed by the blackhole route.
-
D. The FortiGate unit creates a session entry in the session table when the traffic is being routed by the blackhole route.
Question 32
Question
In the case of TCP traffic, which of the following correctly describes the routing table lookups performed by a FortiGate operating in NAT/Route mode, when searching for a suitable gateway?
Answers
-
A. A lookup is done only when the first packet coming from the client (SYN) arrives.
-
B. A lookup is done when the first packet coming from the client (SYN) arrives, and a second one is performed when the first packet coming from the server (SYN/ACK) arrives.
-
C. Three lookups are done during the TCP 3-way handshake (SYN, SYN/ACK, ACK).
-
D. A lookup is always done each time a packet arrives, from either the server or the client side.
Question 33
Question
A static route is configured for a FortiGate unit from the CLI using the following commands:
config router static
edit 1
set device "wan1"
set distance 20
set gateway 192.168.100.1
next
end
Which of the following conditions are required for this static default route to be displayed in the FortiGate unit’s routing table? (Choose two.)
Answers
-
A. The administrative status of the wan1 interface is displayed as down.
-
B. The link status of the wan1 interface is displayed as up.
-
C. All other default routes should have a lower distance.
-
D. The wan1 interface address and gateway address are on the same subnet.
Question 34
Question
Review the output of the command get router info routing-table database shown in the exhibit below; then answer the question following it.
Which two statements are correct regarding this output? (Choose two.)
Answers
-
A. There will be six routes in the routing table.
-
B. There will be seven routes in the routing table.
-
C. There will be two default routes in the routing table.
-
D. There will be two routes for the 10.0.2.0/24 subnet in the routing table.
Question 35
Question
When does a FortiGate load-share traffic between two static routes to the same destination subnet?
Answers
-
A. When they have the same cost and distance.
-
B. When they have the same distance and the same weight.
-
C. When they have the same distance and different priority.
-
D. When they have the same distance and same priority.
Question 36
Question
A FortiGate is configured with multiple VDOMs. An administrative account on the device has been assigned a Scope value of VDOM:root.
Which of the following settings will this administrator be able to configure? (Choose two.)
Question 37
Question
Which statements are correct regarding virtual domains (VDOMs)? (Choose two.)
Answers
-
A. VDOMs divide a single FortiGate unit into two or more virtual units that each have dedicated memory and CPUs.
-
B. A management VDOM handles SNMP, logging, alert email, and FDN-based updates.
-
C. VDOMs share firmware versions, as well as antivirus and IPS databases.
-
D. Different time zones can be configured in each VDOM.
Question 38
Question
A FortiGate unit is configured with three Virtual Domains (VDOMs) as illustrated in the exhibit.
Which of the following statements are true if the network administrator wants to route traffic between all the VDOMs? (Choose three.)
Answers
-
A. The administrator can configure inter-VDOM links to avoid using external interfaces and routers.
-
B. As with all FortiGate unit interfaces, firewall policies must be in place for traffic to be allowed to pass through any interface, including inter-VDOM links.
-
C. This configuration requires a router to be positioned between the FortiGate unit and the Internet for proper routing.
-
D. Inter-VDOM routing is automatically provided if all the subnets that need to be routed are locally attached.
-
E. As each VDOM has an independent routing table, routing rules need to be set (for example, static routing, OSPF) in each VDOM to route traffic between VDOMs.
Question 39
Question
A FortiGate is configured with three virtual domains (VDOMs). Which of the following statements is correct regarding multiple VDOMs?
Answers
-
A. The FortiGate must be a model 1000 or above to support multiple VDOMs.
-
B. A license has to be purchased and applied to the FortiGate before VDOM mode could be enabled.
-
C. Changing the operational mode of a VDOM requires a reboot of the FortiGate.
-
D. The FortiGate supports any combination of VDOMs in NAT/Route and transparent modes.
Question 40
Question
A FortiGate administrator with the super_admin profile configures a virtual domain (VDOM) for a new customer. After creating the VDOM, the administrator is unable to reassign the dmz interface to the new VDOM as the option is greyed out in the GUI in the management VDOM. What would be a possible cause for this problem?
Answers
-
A. The administrator does not have the proper permissions to reassign the dmz interface.
-
B. The dmz interface is referenced in the configuration of another VDOM.
-
C. Non-management VDOMs cannot reference physical interfaces.
-
D. The dmz interface is in PPPoE or DHCP mode.
Question 41
Question
A FortiGate is operating in NAT/Route mode and configured with two virtual LAN (VLAN) sub-interfaces added to the same physical interface.
Which one of the following statements is correct regarding the VLAN IDs in this scenario?
Answers
-
A. The two VLAN sub-interfaces can have the same VLAN ID only if they have IP addresses in different subnets.
-
B. The two VLAN sub-interfaces must have different VLAN IDs.
-
C. The two VLAN sub-interfaces can have the same VLAN ID only if they belong to different VDOMs.
-
D. The two VLAN sub-interfaces can have the same VLAN ID if they are connected to different L2 IEEE 802.1Q compliant switches.
Question 42
Question
Which statements correctly describe transparent mode operation? (Choose three.)
Answers
-
A. The FortiGate acts as transparent bridge and forwards traffic at Layer-2.
-
B. Ethernet packets are forwarded based on destination MAC addresses, NOT IP addresses.
-
C. The transparent FortiGate is clearly visible to network hosts in an IP trace route.
-
D. Permits inline traffic inspection and firewalling without changing the IP scheme of the network.
-
E. All interfaces of the transparent mode FortiGate device must be on different IP subnets.
Question 43
Question
In transparent mode, forward-domain is a CLI setting associated with ______________.
Answers
-
A. a static route.
-
B. a firewall policy.
-
C. an interface.
-
D. a virtual domain.
Question 44
Question
Which statements are correct for port pairing and forwarding domains? (Choose two.)
Answers
-
A. They both create separate broadcast domains.
-
B. Port Pairing works only for physical interfaces.
-
C. Forwarding Domain only applies to virtual interfaces.
-
D. They may contain physical and/or virtual interfaces.
Question 45
Question
Examine the following spanning tree configuration on a FortiGate in transparent mode:
config system interface
edit <interface name>
set stp-forward enable
end
Which statement is correct for the above configuration?
Answers
-
A. The FortiGate participates in spanning tree.
-
B. The FortiGate device forwards received spanning tree messages.
-
C. Ethernet layer-2 loops are likely to occur.
-
D. The FortiGate generates spanning tree BPDU frames.
Question 46
Question
An administrator has formed a high availability cluster involving two FortiGate units.
[ Multiple upstream Layer 2 switches ] -- [ FortiGate HA Cluster ] -- [ Multiple downstream Layer 2 switches ]
The administrator wishes to ensure that a single link failure will have minimal impact upon the overall throughput of traffic through this cluster.
Which of the following options describes the best step the administrator can take? The administrator should _____________________.
Answers
-
A. Increase the number of FortiGate units in the cluster and configure HA in active-active mode.
-
B. Enable monitoring of all active interfaces.
-
C. Set up a full-mesh design which uses redundant interfaces.
-
D. Configure the HA ping server feature to allow for HA failover in the event that a path is disrupted.
Question 47
Question
Which of the following sequences describes the correct order of criteria used for the selection of a master unit within a FortiGate high availability (HA) cluster when override is disabled?
Answers
-
A. 1. port monitor, 2. unit priority, 3. up time, 4. serial number.
-
B. 1. port monitor, 2. up time, 3. unit priority, 4. serial number.
-
C. 1. unit priority, 2. up time, 3. port monitor, 4. serial number.
-
D. 1. up time, 2. unit priority, 3. port monitor, 4. serial number.
Question 48
Question
In a high availability cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a slave unit?
Answers
-
A. Request: internal host; slave FortiGate; master FortiGate; Internet; web server.
-
B. Request: internal host; slave FortiGate; Internet; web server.
-
C. Request: internal host; slave FortiGate; master FortiGate; Internet; web server.
-
D. Request: internal host; master FortiGate; slave FortiGate; Internet; web server.
Question 49
Question
Two devices are in an HA cluster; the device hostnames are STUDENT and REMOTE. Exhibit A shows the command output of diagnose sys session stat for the STUDENT device. Exhibit B shows the command output of diagnose sys session stat for the REMOTE device.
Given the information provided in the exhibits, which of the following statements are correct? (Choose two.)
Answers
-
A. STUDENT is likely to be the master device.
-
B. Session-pickup is likely to be enabled.
-
C. The cluster mode is active-passive.
-
D. There is not enough information to determine the cluster mode.
Question 50
Question
Which of the following statements are correct about the HA command diagnose sys ha reset-uptime? (Choose two.)
Answers
-
A. The device this command is executed on is likely to switch from master to slave status if override is disabled.
-
B. The device this command is executed on is likely to switch from master to slave status if override is enabled.
-
C. This command has no impact on the HA algorithm.
-
D. This command resets the uptime variable used in the HA algorithm so it may cause a new master to become elected.
Question 51
Question
In HA, the option Reserve Management Port for Cluster Member is selected as shown in the exhibit below.
Which statements are correct regarding this setting? (Choose two.)
Answers
-
A. Interface settings on port7 will not be synchronized with other cluster members.
-
B. The IP address assigned to this interface must not overlap with the IP address subnet assigned to another interface.
-
C. When connecting to port7 you always connect to the master device.
-
D. A gateway address may be configured for port7.
Question 52
Question
The exhibit shows the Disconnect Cluster Member command in a FortiGate unit that is part of an HA cluster with two HA members.
What is the effect of the Disconnect Cluster Member command as given in the exhibit? (Choose two.)
Answers
-
A. Port3 is configured with an IP address for management access.
-
B. The firewall rules are purged on the disconnected unit.
-
C. The HA mode changes to standalone.
-
D. The system hostname is set to the unit serial number.
Question 53
Question
Two FortiGate devices fail to form an HA cluster; the device hostnames are STUDENT and REMOTE. Exhibit A shows the command output of show system ha for the STUDENT device. Exhibit B shows the command output of show system ha for the REMOTE device.
Which one of the following is the most likely reason that the cluster fails to form?
Answers
-
A. Password
-
B. HA mode
-
C. Heartbeat
-
D. Override
Question 54
Question
What are the requirements for an HA cluster to maintain TCP connections after device or link failover? (Choose two.)
Answers
-
A. Enable session pick-up.
-
B. Enable override.
-
C. Connections must be UDP or ICMP.
-
D. Connections must not be handled by a proxy.
Question 55
Question
Which IPsec mode includes the peer id information in the first packet?
Answers
-
A. Main mode.
-
B. Quick mode.
-
C. Aggressive mode.
-
D. IKEv2 mode.
Question 56
Question
Which statement is an advantage of using a hub and spoke IPsec VPN configuration instead of a fully meshed set of IPsec tunnels?
Answers
-
A. Using a hub and spoke topology provides full redundancy.
-
B. Using a hub and spoke topology requires fewer tunnels.
-
C. Using a hub and spoke topology uses stronger encryption protocols.
-
D. Using a hub and spoke topology requires more routes.
Question 57
Question
Which statements are correct properties of a partial mesh VPN deployment? (Choose two.)
Answers
-
A. VPN tunnels interconnect between every single location.
-
B. VPN tunnels are not configured between every single location.
-
C. Some locations are reached via a hub location.
-
D. There are no hub locations in a partial mesh.
Question 58
Question
Review the IPsec phase 1 configuration in the exhibit; then answer the question below.
Which statements are correct regarding this configuration? (Choose two.)
Answers
-
A. The remote gateway address on 10.200.3.1.
-
B. The local IPsec interface address is 10.200.3.1.
-
C. The local gateway IP is the address assigned to port1.
-
D. The local gateway IP address is 10.200.3.1.
Question 59
Question
Review the IPsec phase 2 configuration shown in the exhibit; then answer the question below.
Which statements are correct regarding this configuration? (Choose two.)
Answers
-
A. The Phase 2 will re-key even if there is no traffic.
-
B. There will be a DH exchange for each re-key.
-
C. The sequence number of ESP packets received from the peer will not be checked.
-
D. Quick mode selectors will default to those used in the firewall policy.
Question 60
Question
Review the static route configuration for IPsec shown in the exhibit; then answer the question below.
Which statements are correct regarding this configuration? (Choose two.)
Answers
-
A. Interface remote is an IPsec interface.
-
B. A gateway address is not required because the interface is a point-to-point connection.
-
C. A gateway address is not required because the default route is used.
-
D. Interface remote is a zone.
Question 61
Question
Review the IKE debug output for IPsec shown in the exhibit below.
Which statement is correct regarding this output?
Answers
-
A. The output is a phase 1 negotiation.
-
B. The output is a phase 2 negotiation.
-
C. The output captures the dead peer detection messages.
-
D. The output captures the dead gateway detection packets.
Question 62
Question
Review the IPsec diagnostics output of the command diagnose vpn tunnel list shown in the exhibit.
Which statement is correct regarding this output? (Select one answer.)
Question 63
Question
Review the configuration for FortiClient IPsec shown in the exhibit.
Which statement is correct regarding this configuration?
Answers
-
A. The connecting VPN client will install a route to a destination corresponding to the student_internal address object.
-
B. The connecting VPN client will install a default route.
-
C. The connecting VPN client will install a route to the 172.20.1.[1-5] address range.
-
D. The connecting VPN client will connect in web portal mode and no route will be installed.
Question 64
Question
Review the IPsec diagnostics output of the command diagnose vpn tunnel list shown in the exhibit below.
Which statements are correct regarding this output? (Choose two.)
Answers
-
A. The connecting client has been allocated address 172.20.1.1.
-
B. In the Phase 1 settings, dead peer detection is enabled.
-
C. The tunnel is idle.
-
D. The connecting client has been allocated address 10.200.3.1.
Question 65
Question
Examine the following log message for IPS:
2012-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root severity="critical" src="192.168.3.168" dst="192.168.3.170" src_int="port2" serial=0 status="detected" proto=1 service="icmp" count=1 attack_name="icmp_flood" icmp_id="0xa8a4" icmp_type="0x08" icmp_code="0x00" attack_id=16777316 sensor="1" ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_flood, 51 > threshold 50"
Which statements are correct about the above log? (Choose two.)
Answers
-
A. The target is 192.168.3.168.
-
B. The target is 192.168.3.170.
-
C. The attack was NOT blocked.
-
D. The attack was blocked.
Question 66
Question
Which statement correctly describes the output of the command diagnose ips anomaly list?
Answers
-
A. Lists the configured DoS policy.
-
B. Lists the real-time counters for the configured DoS policy.
-
C. Lists the errors captured when compiling the DoS policy.
-
D. Lists the IPS signature matches.
Question 67
Question
Review the IPS sensor filter configuration shown in the exhibit.
Based on the information in the exhibit, which statements are correct regarding the filter? (Choose two.)
Answers
-
A. It does not log attacks targeting Linux servers.
-
B. It matches all traffic to Linux servers.
-
C. Its action will block traffic matching these signatures.
-
D. It only takes effect when the sensor is applied to a policy.
Question 68
Question
With FSSO, a domain user could authenticate either against the domain controller running the collector agent and domain controller agent, or a domain controller running only the domain controller agent. If you attempt to authenticate with a domain controller running only the domain controller agent, which statements are correct? (Choose two.)
Answers
-
A. The login event is sent to the collector agent.
-
B. The FortiGate receives the user information directly from the receiving domain controller agent of the secondary domain controller.
-
C. The domain collector agent may perform a DNS lookup for the authenticated client's IP address.
-
D. The user cannot be authenticated with the FortiGate in this manner because each domain controller agent requires a dedicated collector agent.
Question 69
Question
Which statement describes what the CLI command diagnose debug authd fsso list is used for?
Answers
-
A. Monitors communications between the FSSO collector agent and FortiGate unit.
-
B. Displays which users are currently logged on using FSSO.
-
C. Displays a listing of all connected FSSO collector agents.
-
D. Lists all DC Agents installed on all domain controllers.
Question 70
Question
FSSO provides a single sign-on solution to authenticate users transparently to a FortiGate unit using credentials stored in Windows Active Directory.
Which of the following statements are correct regarding FSSO in a Windows domain environment when agent mode is used? (Choose two.)
Answers
-
A. An FSSO collector agent must be installed on every domain controller.
-
B. An FSSO domain controller agent must be installed on every domain controller.
-
C. The FSSO domain controller agent will regularly update user logon information on the FortiGate unit.
-
D. The FSSO collector agent will receive user logon information from the domain controller agent and will send it to the FortiGate unit.
Question 71
Question
Which are two requirements for DC-agent mode FSSO to work properly in a Windows AD environment? (Choose two.)
Answers
-
A. DNS server must properly resolve all workstation names.
-
B. The remote registry service must be running on all workstations.
-
C. The collector agent must be installed in one of the Windows domain controllers.
-
D. The same user cannot be logged in to two different workstations at the same time.
Question 72
Question
Which statement is one disadvantage of using FSSO NetAPI polling mode over FSSO Security Event Log (WinSecLog) polling mode?
Answers
-
A. It requires a DC agent installed on some of the Windows DCs.
-
B. It runs slower.
-
C. It might miss some logon events.
-
D. It requires access to a DNS server for workstation name resolution.
Question 73
Question
Bob wants to send Alice a file that is encrypted using public key cryptography.
Which of the following statements is correct regarding the use of public key cryptography in this scenario?
Answers
-
A. Bob will use his private key to encrypt the file and Alice will use her private key to decrypt the file.
-
B. Bob will use his public key to encrypt the file and Alice will use Bob's private key to decrypt the file.
-
C. Bob will use Alice's public key to encrypt the file and Alice will use her private key to decrypt the file.
-
D. Bob will use his public key to encrypt the file and Alice will use her private key to decrypt the file.
Question 74
Question
Which tasks fall under the responsibility of the SSL proxy in a typical HTTPS connection? (Choose two.)
Answers
-
A. The web client SSL handshake.
-
B. The web server SSL handshake.
-
C. File buffering.
-
D. Communication with the URL filter process.
Question 75
Question
When the SSL proxy is NOT doing man-in-the-middle interception of SSL traffic, which certificate field can be used to determine the rating of a website?
Answers
-
A. Organizational Unit.
-
B. Common Name.
-
C. Serial Number.
-
D. Validity.
Question 76
Question
Data leak prevention archiving gives the ability to store files and message data onto a FortiAnalyzer unit for which of the following types of network traffic? (Choose three.)
Answers
-
A. POP3
-
B. SNMP
-
C. IPsec
-
D. SMTP
-
E. HTTP
Question 77
Question
For data leak prevention, which statement describes the difference between the block and quarantine actions?
Answers
-
A. A block action prevents the transaction. A quarantine action blocks all future transactions, regardless of the protocol.
-
B. A block action prevents the transaction. A quarantine action archives the data.
-
C. A block action has a finite duration. A quarantine action must be removed by an administrator.
-
D. A block action is used for known users. A quarantine action is used for unknown users.
Question 78
Question
In which process states is it impossible to interrupt/kill a process? (Choose two.)
Question 79
Question
Examine the output below from the diagnose sys top command:
# diagnose sys top 1
Run Time: 11 days, 3 hours and 29 minutes
0U, 0N, 1S, 99I; 971T, 528F, 160KF
sshd 123 S 1.9 1.2
ipsengine 61 S < 0.0 5.2
miglogd 45 S 0.0 4.9
pyfcgid 75 S 0.0 4.5
pyfcgid 73 S 0.0 3.9
Which statements are true regarding the output above? (Choose two.)
Answers
-
A. The sshd process is the one consuming most CPU.
-
B. The sshd process is using 123 pages of memory.
-
C. The command diagnose sys kill miglogd will restart the miglogd process.
-
D. All the processes listed are in sleeping state.
Question 80
Question
Examine the following output from the diagnose sys session list command:
session info: proto=6 proto_state=65 duration=3 expire=9 timeout=3600 flags=00000000 sockflag=00000000 sockport=443 av_idx=9 use=5
origin-shaper=guarantee-100kbps prio=2 guarantee 12800Bps max 134217728Bps traffic 13895Bps
reply-shaper=guarantee-100kbps prio=2 guarantee 12800Bps max 134217728Bps traffic 13895Bps
state=redir local may_dirty ndr npu nlb os rs
statistic(bytes/packets/allow_err): org=864/8/1 reply=2384/7/1 tuples=3
orgin->sink: org pre->post, reply pre->post dev=7->6/6->7 gwy=172.17.87.3/10.1.10.1
hook=post dir=org act=snat 192.168.1.110:57999->74.201.86.29:443(172.17.87.16:57999)
hook=pre dir=reply act=dnat 74.201.86.29:443->172.17.87.16:57999(192.168.1.110:57999)
hook=post dir=reply act=noop 74.201.86.29:443->192.168.1.110:57999(0.0.0.0:0)
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0/0
Which statements are true regarding the session above? (Choose two.)
Answers
-
A. Session Time-To-Live (TTL) was configured to 9 seconds.
-
B. FortiGate is doing NAT of both the source and destination IP addresses on all packets coming from the 192.168.1.110 address.
-
C. The IP address 192.168.1.110 is being translated to 172.17.87.16.
-
D. The FortiGate is not translating the TCP port numbers of the packets in this session.
Question 81
Question
Which statements are true regarding IPv6 anycast addresses? (Choose two.)
Answers
-
A. Multiple interfaces can share the same anycast address.
-
B. They are allocated from the multicast address space.
-
C. Different nodes cannot share the same anycast address.
-
D. An anycast packet is routed to the nearest interface.
Question 82
Question
What functions can the IPv6 Neighbor Discovery protocol accomplish? (Choose two.)
Answers
-
A. Negotiate the encryption parameters to use.
-
B. Auto-adjust the MTU setting.
-
C. Autoconfigure addresses and prefixes.
-
D. Determine other nodes' reachability.
Question 83
Question
Which statements are correct regarding an IPv6 over IPv4 IPsec configuration? (Choose two.)
Answers
-
A. The source quick mode selector must be an IPv4 address.
-
B. The destination quick mode selector must be an IPv6 address.
-
C. The Local Gateway IP must be an IPv4 address.
-
D. The remote gateway IP must be an IPv6 address.
Question 84
Question
Which is one of the conditions that must be met for offloading the encryption and decryption of IPsec traffic to an NP6 processor?
Answers
-
A. No protection profile can be applied over the IPsec traffic.
-
B. Phase-2 anti-replay must be disabled.
-
C. Both phase 1 and phase 2 must use encryption algorithms supported by the NP6.
-
D. IPsec traffic must not be inspected by any FortiGate session helper.
Question 85
Question
Two FortiGate units with NP6 processors form an active-active cluster. The cluster is doing security profile (UTM) inspection over all the user traffic. What statements are true regarding the sessions that the master unit is offloading to the slave unit for inspection? (Choose two.)
Answers
-
A. They are accelerated by hardware in the master unit.
-
B. They are not accelerated by hardware in the master unit.
-
C. They are accelerated by hardware in the slave unit.
-
D. They are not accelerated by hardware in the slave unit.
Question 86
Question
Which statements are true about offloading antivirus inspection to a Security Processor (SP)? (Choose two.)
Answers
-
A. Both proxy-based and flow-based inspection are supported.
-
B. A replacement message cannot be presented to users when a virus has been detected.
-
C. It saves CPU resources.
-
D. The ingress and egress interfaces can be in different SPs.
Question 87
Question
Which IP packets can be hardware-accelerated by an NP6 processor? (Choose two.)
Answers
-
A. Fragmented packet.
-
B. Multicast packet.
-
C. SCTP packet.
-
D. GRE packet.
Question 88
Question
Which network protocols are supported for administrative access to a FortiGate unit? (Choose three.)
Answers
-
A. SNMP
-
B. WINS
-
C. HTTP
-
D. Telnet
-
E. SSH
Question 89
Question
What capabilities can a FortiGate provide? (Choose three.)
Answers
-
A. Mail relay.
-
B. Email filtering.
-
C. Firewall.
-
D. VPN gateway.
-
E. Mail server.
Question 90
Question
What methods can be used to access the FortiGate CLI? (Choose two.)
Question 91
Question
When creating FortiGate administrative users, which configuration objects specify the account rights?
Question 92
Question
How does the FortiGate password recovery process work?
Answers
-
A. Interrupt boot sequence, modify the boot registry and reboot. After changing the password, reset the boot registry.
-
B. Log in through the console port using the “maintainer” account within several seconds of physically power cycling the FortiGate.
-
C. Hold down the CTRL + Esc (Escape) keys during reboot, then reset the admin password.
-
D. Interrupt the boot sequence and restore a configuration file for which the password has been modified.
Question 93
Question
Which statements are true regarding the factory default configuration? (Choose three.)
Answers
-
A. The default web filtering profile is applied to the first firewall policy.
-
B. The ‘Port1’ or ‘Internal’ interface has the IP address 192.168.1.99.
-
C. The implicit firewall policy action is ACCEPT.
-
D. The ‘Port1’ or ‘Internal’ interface has a DHCP server set up and enabled (on device models that support DHCP servers).
-
E. Default login uses the username: admin (all lowercase) and no password.
Question 94
Question
What are valid options for handling DNS requests sent directly to a FortiGate's interface IP? (Choose three.)
Answers
-
A. Conditional-forward.
-
B. Forward-only.
-
C. Non-recursive.
-
D. Iterative.
-
E. Recursive.
Question 95
Question
What logging options are supported on a FortiGate unit? (Choose two.)
Answers
-
A. LDAP
-
B. Syslog
-
C. FortiAnalyzer
-
D. SNMP
Question 96
Question
Regarding the header and body sections in raw log messages, which statement is correct?
Answers
-
A. The header and body section layouts change depending on the log type.
-
B. The header section layout is always the same regardless of the log type. The body section layout changes depending on the log type.
-
C. Some log types include multiple body sections.
-
D. Some log types do not include a body section.
Question 97
Question
Which is an advantage of using SNMP v3 instead of SNMP v1/v2 when querying a FortiGate unit?
Answers
-
A. MIB-based report uploads.
-
B. SNMP access limited by access lists.
-
C. Packet encryption.
-
D. Running SNMP service on a non-standard port is possible.
Question 98
Question
What is the maximum number of FortiAnalyzer/FortiManager devices a FortiGate unit can be configured to send logs to?
Question 99
Question
For traffic that does match any configured firewall policy, what is the default action taken by the FortiGate?
Answers
-
A. The traffic is allowed and no log is generated.
-
B. The traffic is allowed and logged.
-
C. The traffic is blocked and no log is generated.
-
D. The traffic is blocked and logged.
Question 100
Question
In which order are firewall policies processed on a FortiGate unit?
Answers
-
A. From top to bottom, according to their sequence number.
-
B. From top to bottom, according to their policy ID number.
-
C. Based on best match.
-
D. Based on the priority value.
Question 101
Question
Which firewall objects can be included in the Destination Address field of a firewall policy? (Choose three.)
Answers
-
A. IP address pool.
-
B. Virtual IP address.
-
C. IP address.
-
D. IP address group.
-
E. MAC address.
Question 102
Question
The order of the firewall policies is important. Policies can be re-ordered from either the GUI or the CLI. Which CLI command is used to perform this function?
Answers
-
A. set order
-
B. edit policy
-
C. reorder
-
D. move
Question 103
Question
Which header field can be used in a firewall policy for traffic matching?
Answers
-
A. ICMP type and code.
-
B. DSCP.
-
C. TCP window size.
-
D. TCP sequence number.
Question 104
Question
Examine the following CLI configuration:
config system session-ttl
    set default 1800
end
What statement is true about the effect of the above configuration line?
Answers
-
A. Sessions can be idle for no more than 1800 seconds.
-
B. The maximum length of time a session can be open is 1800 seconds.
-
C. After 1800 seconds, the end user must re-authenticate.
-
D. After a session has been open for 1800 seconds, the FortiGate sends a keepalive packet to both client and server.
Question 105
Question
Which statement regarding the firewall policy authentication timeout is true?
Answers
-
A. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source IP.
-
B. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this timer has expired.
-
C. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source MAC.
-
D. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this timer has expired.
Question 106
Question
What methods can be used to deliver the token code to a user that is configured to use two-factor authentication? (Choose three.)
Question 107
Question
Which statements are true regarding local user authentication? (Choose two.)
Answers
-
A. Two-factor authentication can be enabled on a per user basis.
-
B. Local users are for administration accounts only and cannot be used to authenticate network users.
-
C. Administrators can create the user accounts in a remote server and store the user passwords locally in the FortiGate.
-
D. Both the usernames and passwords can be stored locally on the FortiGate.
Question 108
Question
Which two statements are true regarding firewall policy disclaimers? (Choose two.)
Answers
-
A. They cannot be used in combination with user authentication.
-
B. They can only be applied to wireless interfaces.
-
C. Users must accept the disclaimer to continue.
-
D. The disclaimer page is customizable.
Question 109
Question
When firewall policy authentication is enabled, which protocols can trigger an authentication challenge? (Choose two.)
Answers
-
A. SMTP
-
B. POP3
-
C. HTTP
-
D. FTP
Question 110
Question
The FortiGate port1 is connected to the Internet. The FortiGate port2 is connected to the internal network. Examine the firewall configuration shown in the exhibit; then answer the question below.
Answers
-
A. A user that has not authenticated can access the Internet using any protocol that does not trigger an authentication challenge.
-
B. A user that has not authenticated can access the Internet using any protocol except HTTP, HTTPS, Telnet, and FTP.
-
C. A user must authenticate using the HTTP, HTTPS, SSH, FTP, or Telnet protocol before they can access all Internet services.
-
D. DNS Internet access is always allowed, even for users that have not authenticated.