Pregunta 1
Pregunta
Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as File Sharing and Storage?
|
|
Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as File Sharing and Storage?
Respuesta
-
A. FortiGate will exempt the connection based on the Web Content Filter configuration.
-
B. FortiGate will block the connection based on the URL Filter configuration.
-
C. FortiGate will allow the connection based on the FortiGuard category based filter configuration.
-
D. FortiGate will block the connection as an invalid URL.
Pregunta 2
Pregunta
Which configuration can be used to reduce the number of BGP sessions in an IBGP network?
Respuesta
-
A. Neighbor range
-
B. Route reflector
-
C. Next-hop-self
-
D. Neighbor group
Pregunta 3
Pregunta
Which statements are correct regarding the output? (Choose two.)
Respuesta
-
A. The slave configuration is not synchronized with the master.
-
B. The HA management IP is 169.254.0.2.
-
C. Master is selected because it is the only device in the cluster.
-
D. port 7 is used the HA heartbeat on all devices in the cluster.
Pregunta 4
Pregunta
The CLI command set intelligent-mode <enable | disable> controls the IPS engine’s adaptive scanning behavior. Which of the following statements describes IPS adaptive scanning?
Respuesta
-
A. Determines the optimal number of IPS engines required based on system load
-
B. Downloads signatures on demand from FDS based on scanning requirements.
-
C. Determines when it is secure enough to stop scanning session traffic.
-
D. Choose a matching algorithm based on available memory and the type of inspection being performed.
Pregunta 5
Pregunta
An administrator has configured the following CLI script on FortiManager, which failed to apply any changes to the managed device after being executed
Why didn’t the script make any changes to the managed device?
Respuesta
-
A. Commands that start with the # sign are not executed.
-
B. CLI scripts will add objects only if they are referenced by policies.
-
C. Incomplete commands are ignored in CLI scripts.
-
D. Static routes can only be added using TCL scripts.
Pregunta 6
Pregunta
The VPN is currently up, there is no traffic crossing the tunnel and DPD packets are being interchanged between both IPsec gateways However, the IKE real time debug does NOT show any output. Why isn’t there any output?
Respuesta
-
A. The IKE real time shows the phases 1 and 2 negotiations only. It does not show any more output once the tunnel is up.
-
B. The log-filter setting is set incorrectly. The VPN’s traffic does not match this filter.
-
C. The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.
-
D. The IKE real time debug shows error messages only. If it does not provide any output it indicates that the tunnel is operating normally.
Pregunta 7
Pregunta
Examine the partial output from the IKE real time debug shown in the exhihit, then answer the question below:
Why didn’t the tunnel come up?
Respuesta
-
A. IKE mode configuration is not enabled in the remote IPsec gateway.
-
B. The remote gateway’s Phase-2 configuration does not match the local gateway’s phase-2 configuration
-
C. The remote gateway’s Phased configuration does not match the local gateway s phased configuration
-
D. One IPsec gateway is using main mode, while the other IPsec gateway is using aggressive mode.
Pregunta 8
Pregunta
The logs in a FSSO collector agent (CA) are showing the following error: failed to connect to registry: PIKA1026 (192.168.12.232) What can be the reason for this error?
Respuesta
-
A. The CA cannot resolve the name of the workstation.
-
B. The FortiGate cannot resolve the name of the workstation.
-
C. The remote registry service is not running in the workstation 192.168.12.232.
-
D. The CA cannot reach the FortiGate with the IP address 192.168.12.232.
Pregunta 9
Pregunta
View the exhibit, which contains the output of a debug command, and then answer the question below:
What statement is correct about this FortiGate?
Respuesta
-
A. It is currently in system conserve mode because of high CPU usage.
-
B. It is currently in FD conserve mode,
-
C. It is currently in kernel conserve mode because of high memory usage
-
D. It is currently in system conserve mode because of high memory usage
Pregunta 10
Pregunta
View the exhibit, which contains the output of diagnose sys session stat, and then answer the question below:
Which statements are correct regarding the output shown? (Choose two,)
Respuesta
-
A. There are 0 ephemeral sessions.
-
B. All the sessions in the session table are TCP sessions.
-
C. No sessions have been deleted because of memory pages exhaustion,
-
D. There are 166 TCP sessions waiting to complete the three-way handshake
Pregunta 11
Pregunta
A corporate network allows internet Access to FSSO users only. The FSSO user student does not have internet access after successfully logged into the Windows AD network. The output of the ‘diagnose debug authd fsso list’ command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)
Respuesta
-
A. The user student must not be listed in the CA’s ignore user list.
-
B. The user student must belong to one or more of the monitored user groups.
-
C. The student workstation’s IP subnet must be listed in the CA’s trusted list.
-
D. At least one of the student’s user groups must be allowed by a FortiGate firewall policy.
Pregunta 12
Pregunta
what events are recorded in the crashlogs of a ForitGate device? (Choose two)
Respuesta
-
A. A process crash.
-
B. Configuration changes.
-
C. Changes in the status of any of the FortiGuard licenses.
-
D. System entering to and leaving from the proxy conserve mode.
Pregunta 13
Pregunta
what does the dirty flag mean in a FortiGate session?
Respuesta
-
A. Traffic has heen hlocked hy the antivirus inspection
-
B. The next packet must be re-evaluated against the firewall policies.
-
C. The session must be removed from the former primary unit after an HA failover
-
D. Traffic has been identified as from an application that is not allowed.
Pregunta 14
Pregunta
Examine the following partial output from a sniffer command; then answer the question below
What is the meaning of the packets dropped counter at the end of the sniffer?
Respuesta
-
A. Number of packets that didn’t match the sniffer filter
-
B. Number of total packets dropped by the FortiGate.
-
C. Number of packets that matched the sniffer filter and were dropped by the FortiGate.
-
D. Number of packets that matched the sniffer filter but could not be captured by the sniffer
Pregunta 15
Pregunta
which statements about bulk configuration changes using FortiManager CLI scripts are correct? (Choose two.)
Respuesta
-
A. When executed on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate.
-
B. When executed on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate.
-
C. When executed on the All FortiGate in ADOM, changes are automatically installed without creating a new revision history.
-
D. When executed on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.
Pregunta 16
Pregunta
Examine the partial output from two web filter debug commands; then answer the question below:
Based on the above outputs, which is the FortiGuard web filter category for the web site www.fgt99.com?
Pregunta 17
Pregunta
23.-View the IPS exit log, and then answer the question below.
What is the status of IPS on this FortiGate?
Respuesta
-
A. IPS engine memory consumption has exceeded the model-specific predefined value.
-
B. IPS daemon experienced a crash.
-
C. There are communication problems between the IPS engine and the management database
-
D. All IPS-related features have been disabled in FortiGate’s configuration.
Pregunta 18
Pregunta
View the exhibit, which contains the output of a real-time debug, and then answer the question below
Which of the following statements is true regarding this output? (Choose two.)
Respuesta
-
A. This web request was inspected using the root web filter profile.
-
B. FortiGate found the requested URL in its local cache.
-
C. The requested URL belongs to category ID 52.
-
D. The weh request was allowed by FortiGate.
Pregunta 19
Pregunta
How does FortiManager handle FortiGuard requests from FortiGate devices, when it is configured as a local FDS?
Respuesta
-
A. FortiManager can download and maintain local copies of FortiGuard databases.
-
B. FortiManager supports only FortiGuard push to managed devices.
-
C. FortiManager will respond to update requests only if they originate from a managed device.
-
D. FortiManager does not support rating requests.
Pregunta 20
Pregunta
which of the following statements are correct regarding application layer test commands? (Choose two.)
Respuesta
-
A. They are used to filter real-time debugs.
-
B. They display real-time application debugs.
-
C. Some of them display statistics and configuration information about a feature or process,
-
D. Some of them can be used to restart an application.
Pregunta 21
Pregunta
Examine the output of the ‘get router info ospf neighbor’ command shown in the exhibit; then answer the question below:
Which statements are true regarding the output in the exhibit? (Choose two.)
Respuesta
-
A. The interface ToRemote is OSPF network type point-to-point.
-
B. The OSPF router with the ID 0.0.0.2 is the designated router for the ToRemote network.
-
C. The local FortiGate is the backup designated router for the wan1 network.
-
D. The OSPF routers with the IDs 0 0.0.69 and 0.0.0.117 are both designated routers for the wan1 network
Pregunta 22
Pregunta
A FortiGate device has the following LDAP configuration:
The LDAP user student cannot authenticate. The exhibit shows the output of the authentication real time debug while testing the student account:
Based on the above output, what FortiGate LDAP settings must the administer check? (Choose two.)
Respuesta
-
A. cnid.
-
B. username.
-
C. password.
-
D. dn.
Pregunta 23
Pregunta
Two independent FortiGate HA clusters are connected to the same broadcast domain. The administrator has reported that both clusters are using the same HA virtual MAC address. This creates a duplicated MAC address problem in the network. What HA setting must be changed in one of the HA clusters to fix the problem?
Respuesta
-
A. Group ID.
-
B. Group name.
-
C. Session pickup.
-
D. Gratuitous ARPs.
Pregunta 24
Pregunta
An administrator has configured two FortiGate devices for an HA cluster While testing the HA failover, the administrator noticed that some of the switches in the network continue to send traffic to the former primary unit. The administrator decides to enable the setting link-failed – signal to fix the problem. Which statement is correct regarding this command?
Respuesta
-
A. Forces the former primary device to shut down all its non-heartbeat interfaces for one second while the failover occurs.
-
B. Sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.
-
C. Sends a link failed signal to all connected devices
-
D. Disables all the non-heartbeat interfaces in all the HA members for two seconds after a failover.
Pregunta 25
Pregunta
what is the purpose of an internal segmentation firewall (ISFW)?
Respuesta
-
A. it inspects incoming traffic to protect services in the corporate DMZ.
-
B. It is the first line of defense at the network perimeter.
-
C. It splits the network into multiple security segments to minimize the impact of breaches.
-
D. It is an all-in-one security appliance that is placed at remote sites to extend the enterprise network
Pregunta 26
Pregunta
A FortiGate is configured as an explicit web proxy. Clients using this web proxy are reposting DNS errors when accessing any website The administrator executes the following debug commands and observes that the n-dns-timeout counter is increasing:
What should the administrator check to fix the problem?
Respuesta
-
A. The connectivity between the FortiGate unit and the DNS server.
-
B. The connectivity between the client workstations and the DNS server.
-
C. That DNS traffic from client workstations is allowed by the explicit web proxy policies
-
D. That DNS service is enabled in the explicit web proxy interface.
Pregunta 27
Pregunta
which of the following tasks are automated using the Install Wizard on FortiManager? (Choose two.)
Respuesta
-
A. Preview pending configuration changes for managed devices
-
B. Add devices to FortiManager.
-
C. Import policy packages from managed devices.
-
D. Install configuration changes to managed devices.
-
E. Import interface mappings from managed devices.
Pregunta 28
Pregunta
An administrator has configured a dial-up iPsec VPN with one phase 2, extended authentication (XAuth) and IKE mode configuration The administrator has also enabled the IKE real time debug: diagnose debug application ike-1 diagnose debug enable
In which order is each step and phase displayed in the debug output each time a new dial-up user is connecting to the VPN?
Respuesta
-
A. Phase1; IKE mode configuration; XAuth; phase 2.
-
B. Phase1, XAuth, IKE mode configuration; phase2
-
C. Phase1; XAuth; phase 2; IKE mode configuration.
-
D. Phase1; IKE mode configuration; phase 2; XAuth.
Pregunta 29
Pregunta
Which one of the following statements explains why the cache statistics are all zeros?
View the exhibit, which contains the output of a web diagnose command, and then answer the question below:
Respuesta
-
A. The administrator has reallocated the cache memory to a separate process.
-
B. There are no users making web requests.
-
C. The FortiGuard web filter cache is disabled in the FortiGate’s configuration.
-
D. FortiGate is using a flow-based web filter and the cache applies only to proxy-based inspection.
Pregunta 30
Pregunta
View the exhibit, which contains a partial output of an IKE real-time debug, and then answer the question below. Based on the debug output which phase-1 setting is enabled in the configuration of this VPN?
Respuesta
-
A. auto-discovery-sender
-
B. auto-discovery-forwarder
-
C. auto-discovery-shortcut
-
D. auto-discovery-receiver
Pregunta 31
Pregunta
Examine the output of the ‘diagnose sys session list expectation’ command shown in the exhibit, than answer the question below:
Which statement is true regarding the session in the exhibit?
Respuesta
-
A. It was created by the FortiGate kernel to allow push updates from FotiGuard
-
B. It is for management traffic terminating at the FortiGate.
-
C. It is for traffic originated from the FortiGate.
-
D. It was created by a session helper or ALG.
Pregunta 32
Pregunta
A FortiGate has two default routes:
All Internet traffic is currently using port1. The exhibit shows partial information for one sample session of Internet traffic from an internal user:
What would happen with the traffic matching the above session if the priority on the first default route (IDd1) were changed from 5 to 20?
Respuesta
-
A. Session would remain in the session table and its traffic would keep using port1 as the outgoing interface.
-
B. Session would remain in the session table and its traffic would start using port2 as the outgoing interface.
-
C. Session would be deleted, so the client would need to start a new session
-
D. Session would remain in the session table and its traffic would be shared between port1 and port2.
Pregunta 33
Pregunta
Examine the output of the ‘get router info bgp summary’ command shown in the exhibit; then answer the question below:
Which statements are true regarding the output in the exhibit? (Choose two.)
Respuesta
-
A. BGP state of the peer 10.125.0.60 is Established.
-
B. BGP peer 10.200 3.1 has never been down since the BGP counters were cleared
-
C. Local BGP peer has not received an OpenConfirm from 10.200.3.1.
-
D. The local BGP peer has received a total of 3 BGP prefixes.
Pregunta 34
Pregunta
An administrator wants to capture ESP traffic between two FortiGates using the built-in sniffer, if the administrator knows that there is no NAT device located between both FortiGates, what command should the administrator execute?
Respuesta
-
A. diagnose sniffer packet any ‘udp port 500’
Lo correcto debería ser '50' ya que no aplica NAT
-
B. diagnose sniffer packet any ‘udp port 4500’
-
C. diagnose sniffer packet any 'ESP' -.-no acepta mayus-.-
-
D. diagnose sniffer packet any ‘udp port 500 or udp port 4500’
Pregunta 35
Pregunta
View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below:
Why didn’t the tunnel come up?
Respuesta
-
A. The pre-shared keys do not match
-
B. The remote gateway’s phase 2 configuration does not match the local gateway’s phase 2 configuration.
-
C. The remote gateway’s phase 1 configuration does not match the local gateway’s phase 1 configuration
-
D. The remote gateway is using aggressive mode and the local gateway is configured to use man mode.
Pregunta 36
Pregunta
View the central management configuration shown in the exhibit, and then answer the question below.
Which server will FortiGate choose for antivirus and IPS updates if 10.0.1.243 is experiencing an outage?
Pregunta 37
Pregunta
which of the following statements are true regarding the SIP session helper and the SIP application layer gateway (ALG)? (Choose three)
Respuesta
-
A. SIP session helper runs in the kernel; SIP ALG runs as a user space process.
-
B. SIP ALG supports SIP HA failover; SIR helper does not
-
C. SIP ALG supports SIP over IPv6; SIR helper does not.
-
D. SIP ALG can create expected sessions for media traffic; SIP helper does not.
-
E. SIP helper supports SIP over TCP and UDP; SIP ALG supports only SIP over UDP.
Pregunta 38
Pregunta
Based on the output, which of the following statements is correct?
Respuesta
-
A. Anti-reply is enabled.
-
B. DPD is disabled.
-
C. Quick mode selectors are disabled.
-
D. Remote gateway IP is 10.200.5.1.
Pregunta 39
Pregunta
when does a RADIUS server send an Access-Challenge packet?
Respuesta
-
A. The server does not have the user credentials yet
-
B. The server requires more information from the user, such as the token code for two-factor authentication
-
C. The user credentials are wrong.
-
D. The user account is not found in the server.
Pregunta 40
Pregunta
View the exhibit, which contains the output of diagnose sys session list, and then answer the question below
If the HA ID for the primary unit is zero (0), which statement is correct regarding the output?
Respuesta
-
A. This session is for HA heartbeat traffic.
-
B. This session is synced with the slave unit.
-
C. The inspection of this session has been offloaded to the slave unit.
-
D. This session cannot be synced with the slave unit.
Pregunta 41
Pregunta
when using the SSL certificate inspection method for HTTPS traffic, how does FortiGate filter weh requests when the browser client does not provide the server name indication (SNI)?
Respuesta
-
A. FortiGate uses the Issued To: field in the server’s certificate,
-
B. FortiGate switches to the full SSL inspection method to decrypt the data.
-
C. FortiGate blocks the request without any further inspection.
-
D. FortiGate uses the requested URL from the user’s web browser.
Pregunta 42
Pregunta
which of the following statements is true regarding a FortiGate configured as an explicit web proxy?
Respuesta
-
A. FortiGate limits the numher of simultaneous sessions per explicit web proxy user. This limit CANNOT be modified by the administrator.
-
B. FortiGate limits the total number of simultaneous explicit web proxy users.
-
C. FortiGate limits the number of simultaneous sessions per explicit web proxy user. The limit CAN be modified by the administrator.
-
D. FortiGate limits the number of workstations that authenticate using the same web proxy user credentials. This limit CANNOT be modified by the administrator.
Pregunta 43
Pregunta
A FortiGate device has the following LDAP configuration:
The administrator executed the ‘dsquery’ command in the Windows LDAp server 10.0.1.10, and got the following output:
>dsquery user -samid administrator
"CN-Administrator, CN-Users, DC=trainingAD, DC-training, DC-lab"
Based on the output, what FortiGate LDAP setting is configured incorrectly?
Respuesta
-
A. cnid.
-
B. username.
-
C. password.
-
D. dn.
Pregunta 44
Pregunta
View the global IPS configuration, and then answer the question below
Which of the following statements is true regarding this configuration?
Respuesta
-
A. IPS will scan every byte in every session.
-
B. FortiGate will spawn IPS engine instances based on the system load.
-
C. New packets will be passed through without inspection if the IPS socket buffer runs out of memory.
-
D. IPS will use the faster matching algorithm which is only available for units with more than 4 GB memory
Pregunta 45
Pregunta
View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.
Which statements about this debug output are correct? (Choose two.)
Respuesta
-
A. The remote gateway IP address is 10.0.0.1.
-
B. It shows a phase 1 negotiation.
-
C. The negotiation is using AES128 encryption with CBC hash.
-
D. The initiator has provided remote as its IP sec pear ID.
Pregunta 46
Pregunta
Examine the following partial outputs from two routing debug commands, then answer the question below:
Why the default route using port2 is not displayed in the output of the second command?
Respuesta
-
A. It has a lower priority than the default route using port1.
-
B. It has a higher priority than the default route using port1.
-
C. It has a higher distance than the default route using port1.
-
D. It is disabled in the FortiGate configuration.
Pregunta 47
Pregunta
which real time dehug should an administrator enable to troubleshoot RADIUS authentication problems?
Respuesta
-
A. Diagnose debug application radius -1.
-
B. Diagnose debug application fnbamd -1.
-
C. Diagnose authd console -log enable.
-
D. Diagnose radius console -log enable.
Pregunta 48
Pregunta
Examine the output of the ‘get router info bgp summary’ command shown in the exhibit; then answer the question below
Which statement can explain why the state of the remote BGP peer 10.200.3.1 is Connect?
Respuesta
-
A. The local peer is receiving the BGP keepalives from the remote peer but it has not received any BGP prefix yet.
-
B. The TCP session for the BGP connection to 10.200.3.1 is down.
-
C. The local peer has received the BGP prefixed from the remote peer
-
D. The local peer is receiving the BGP keepalives from the remote peer but it has not received the OpenConfirm yet.
Pregunta 49
Pregunta
An administrator has enabled HA session synchronization in a HA cluster with two members, which flag is added to a primary unit’s session to indicate that it has been synchronized to the secondary unit?
Respuesta
-
A. redir.
-
B. dirty.
-
C. synced
-
D. nds.
Pregunta 50
Pregunta
what conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
Pregunta 51
Pregunta
A FortiGate is rebooting unexpectedly without any apparent reason. What troubleshooting tools could an administrator use to get more information about the problem? (Choose two.)
Respuesta
-
A. Firewall monitor.
-
B. Policy monitor.
-
C. Logs.
-
D. Crashlogs.
Pregunta 52
Pregunta
View the exhibit, which contains the output of a BGP debug command, and then answer the question below
Which of the following statements about the exhibit are true? (Choose two.)
Respuesta
-
A. For the peer 10.125.0.60, the BGP state of is Established.
-
B. The local BGP peer has received a total of three BGP prefixes.
-
C. Since the BGP counters were last reset, the BGP peer 10.200.3.1 has never been down
-
D. The local BGP peer has not established a TCP session to the BGP peer 10.200.3.1.
Pregunta 53
Pregunta
Which the following events can trigger the election of a new primary unit in a HA cluster? (Choose two.)
Respuesta
-
A. Primary unit stops sending HA heartbeat keepalives.
-
B. The FortiGuard license for the primary unit is updated.
-
C. One of the monitored interfaces in the primary unit is disconnected.
-
D. A secondary unit is removed from the HA cluster.
Answer: AB
Pregunta 54
Pregunta
View the exhibit, which contains a session entry, and then answer the question below.
Which statement is correct regarding this session?
Respuesta
-
A. It is an ICMP session from 10.1.10.10 to 10.200.1.1.
-
B. It is an ICMP session from 10.1.10.10 to 10.200.5.1.
-
C. It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.
-
D. It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.
Pregunta 55
Pregunta
View the exhibit, which contains the partial output of an IKE real time debug, and then answer the question below.
The administrator does not have access to the remote gateway. Based on the debug output, what configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation error?
Respuesta
-
A. Change phase 1 encryption to AESCBC and authentication to SHA128.
-
B. Change phase 1 encryption to 3DES and authentication to CBC.
-
C. Change phase 1 encryption to AES128 and authentication to SHA512.
-
D. Change phase 1 encryption to 3DES and authentication to SHA256.
Pregunta 56
Pregunta
View the exhibit, which contains the output of a diagnose command, and the answer the question below.
Which statements are true regarding the Weight value?
Respuesta
-
A. Its initial value is calculated based on the round trip delay (RTT).
-
B. Its initial value is statically set to 10.
-
C. Its value is incremented with each packet lost.
-
D. It determines which FortiGuard server is used for license validation.
Pregunta 57
Pregunta
In which of the following states is a given session categorized as ephemeral? (Choose two.)
Respuesta
-
A. A TCP session waiting to complete the three-way handshake.
-
B. A TCP session waiting for FIN ACK.
-
C. A UDP session with packets sent and received.
-
D. A UDP session with only one packet received.
Pregunta 58
Pregunta
View the exhibit, which contains a screenshot of some phase-1 settings, and then answer the question below.
However, the IKE real time debug does not show any output. Why?
Respuesta
-
A. The debug output shows phases 1 and 2 negotiations only. Once the tunnel is up, it does not show any more output.
-
B. The log-filter setting was set incorrectly. The VPN’s traffic does not match this filter.
-
C. The debug shows only error messages. If there is no output, then the tunnel is operating normally.
-
D. The debug output shows phase 1 negotiation only. After that, the administrator must enable the following real time debug: diagnose debug application ipsec -1
Pregunta 59
Pregunta
Why didn't the tunnel come up?
Respuesta
-
A. IKE mode configuration is not enabled in the remote IPsec gateway.
-
B. The remote gateway's Phase-1 configuration does not match the local gateway's phase-1 configuration.
-
C. The remote gateway's Phase-2 configuration does not match the local gateway's phase-2 configuration.
-
D. One IPsec gateway is using main mode, while the other IPsec gateway is using aggressive mode.
Pregunta 60
Pregunta
Which of the following statements are true about FortiManager when it is deployed as a local FDS?
(Choose two.)
Respuesta
-
A. Caches available firmware updates for unmanaged devices.
-
B. Can be configured as an update server, or a rating server, but not both.
-
C. Supports rating requests from both managed and unmanaged devices.
-
D. Provides VM license validation services.
C. Supports rating requests from both managed and unmanaged devices.
Pregunta 61
Pregunta
Examine the output of the 'diagnose sys session list expectation' command shown in the exhibit; than answer the question below.
Which statement is true regarding the session in the exhibit?
Respuesta
-
A. It is for management traffic terminating at the FortiGate.
-
B. It is for traffic originated from the FortiGate.
-
C. It was created by a session helper or ALG.
-
D. It was created by the FortiGate kernel to allow push updates from FotiGuard.
Pregunta 62
Pregunta
Which statements are true regarding the output in the exhibit? (Choose two.)
Respuesta
-
A. BGP peers have successfully interchanged Open and Keepalive messages.
-
B. Local BGP peer received a prefix for a default route.
-
C. The state of the remote BGP peer is OpenConfirm.
-
D. The state of the remote BGP peer will go to Connect after it confirms the received prefixes.
Pregunta 63
Pregunta
Which of the following statements is true regarding a FortiGate configured as an explicit web proxy?
Respuesta
-
A. FortiGate limits the number of simultaneous sessions per explicit web proxy user. This limit CANNOT be modified by the administrator.
-
B.FortiGate limits the total number of simultaneous explicit web proxy users.
-
C.FortiGate limits the number of simultaneous sessions per explicit web proxy user The limit CAN be modified by the administrator
-
D. FortiGate limits the number of workstations that authenticate using the same web proxy user credentials. This limit CANNOT be modified by the administrator.
Pregunta 64
Pregunta
Examine the following routing table and BGP configuration; then answer the question below.
The BGP connection is up, but the local peer is NOT advertising the prefix 192.168.1.0/24. Which configuration change will make the local peer advertise this prefix?
Respuesta
-
A. Enable the redistribution of connected routers into BGP.
-
B. Enable the redistribution of static routers into BGP.
-
C. Disable the setting network-import-check.
Si la tabla de enrutamiento no contiene una ruta activa cuya subred de destino coincida con el prefijo, FortiGate no anuncia el prefijo. Puede cambiar este comportamiento deshabilitando la configuración network-import-check.
-
D. Enable the setting ebgp-multipath.
Pregunta 65
Pregunta
An administrator cannot connect to the GIU of a FortiGate unit with the IP address 10.0.1.254. The administrator runs the debug flow while attempting the connection using HTTP. The output of the debug flow is shown in the exhibit:
Based on the error displayed by the debug flow, which are valid reasosns for this problem? (Choose two.)
Respuesta
-
A. HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.
-
B. Redirection of HTTP to HTTPS administrative access is disabled.
-
C. HTTP administrative access is configured with a port number different than 80.
-
D. The packet is denied because of reverse path forwarding check.
Pregunta 66
Pregunta
A FortiGate's port1 is connected to a private network. Its port2 is connected to the Internet. Explicit web proxy is enabled in port1 and only explicit web proxy users can access the Internet. Web cache is NOT enabled. An internal web proxy user is downloading a file from the Internet via HTTP. Which statements are true regarding the two entries in the FortiGate session table related with this traffic? (Choose two.)
Respuesta
-
A. Both session have the local flag on.
-
B. The destination IP addresses of both sessions are IP addresses assigned to FortiGate's interfaces.
-
C. One session has the proxy flag on, the other one does not.
-
D. One of the sessions has the IP address of port2 as the source IP address.
Pregunta 67
Pregunta
An administrator added the following Ipsec VPN to a FortiGate configuration:
However, the phase 1 negotiation is failing. The administrator executed the IKE real time debug while attempting the Ipsec connection. The output is shown in the exhibit:
What is causing the IPsec problem in the phase 1?
Respuesta
-
A. The incoming IPsec connection is matching the wrong VPN configuration
-
B. The phrase-1 mode must be changed to aggressive
-
C. The pre-shared key is wrong
-
D. NAT-T settings do not match
Pregunta 68
Pregunta
Which two statements correctly describe the characteristics of the Fortinet security fabric? (Choose two.)
Select one or more:
Respuesta
-
The core of the security fabric includes FortiMail, FortiWeb, and FortiSandbox.
-
It provides a single pane of glass for reporting for all devices in the fabric.
-
It supports an open API, allowing third-party product integration.
-
It contains individual management platforms for each device to provide granular control.
Pregunta 69
Pregunta
Which three tasks are part of the manual registration process for adding a FortiGate to a FortiManager for central management? (Choose three.)
Select one or more:
Respuesta
-
In the FortiManager, add the unregistered FortiGate.
-
Import the policy package from the managed FortiGate.
-
Add the FortiManager IP address to the FortiGate central management configuration.
-
Wait for the rating databases to download on FortiManager.
-
Start the rating services on FortiManager.
Pregunta 70
Pregunta
Which statement about administrative domains (ADOMs) on FortiManager is true?
Select one:
Respuesta
-
FortiGates with multiple VDOMs must be assigned to the same ADOM on FortiManager.
-
The ADOM feature can be enabled by any administrator with super-user privileges.
-
The number of configurable ADOMs is based on the FortiManager FortiCare service contract.
-
ADOMs allow grouping of managed devices based on management criteria and administrative access.
Pregunta 71
Pregunta
What is an OSPF area border router?
Select one:
Respuesta
-
A router with all its interfaces in the backbone area.
-
A router that is redistributing non-OSPF routes into the OSPF network.
-
A router that is redistributing connected subnets into the OSPF network.
-
A router with interfaces in multiple OSPF areas.
Pregunta 72
Pregunta
Which two statements about the BGP are true? (Choose two.)
Select one or more:
Respuesta
-
The local BGP peer has not established a TCP session to the BGP peer 10.200.3.1.
-
Since the BGP counters were last reset, the BGP peer 10.200.3.1 has never been down.
-
The local BGP peer has received a total of three BGP prefixes.
-
For the peer 10.125.0.60, the BGP state is Established.
Pregunta 73
Pregunta
# get router info routing-table database
S 0.0.0.0/0 [20/0] via 100.64.2.254, port2, [10/0]
S *> 0.0.0.0/0 [10/0] via 100.64.1.254, port1
# get router info routing-table all
S* 0.0.0.0/0 [10/0] via 100.64.1.254, port1
Why is the default route that uses port2 not in the output of the second command?
Select one:
Respuesta
-
It has a higher priority than the default route using port1.
-
It is disabled in the FortiGate configuration.
-
It has a higher distance than the default route using port1.
-
It has a lower priority than the default route using port1.
Pregunta 74
Pregunta
Which layer of the FortiOS architecture does an application process or daemon run on?
Select one:
Respuesta
-
User space
-
Configuration layer
-
Kernel
-
Hardware
Pregunta 75
Pregunta
What two statements are correct regarding this session?
(Choose two.)
Select one or more:
Respuesta
-
It is a TCP session in SYN_SENT state.
-
It is an UDP session that has seen traffic flow both ways.
-
This session terminates or originates in the FortiGate device.
-
This is a TCP session that was blocked by firewall policy ID 0.
Pregunta 76
Pregunta
Which two configuration changes can be applied to optimize the memory usage on FortiGate? (Choose two.)
Select one or more:
Respuesta
-
Reduce the FortiGuard cache TTL.
-
Decrease the sessions TTL.
-
Use flow-based inspection.
-
Increase TCP session timers.
-
Increase the maximum file size for AV inspection.
Pregunta 77
Pregunta
Which command is used to enable timestamp in a real-time debug?
Select one:
Respuesta
-
diagnose debug console timestamp enable
-
diagnose debug application timestamp enable
-
diagnose application timestamp enable
-
diagnose timestamp enable
Pregunta 78
Pregunta
Which two events can trigger an HA failover? (Choose two.)
Select one or more:
Respuesta
-
A session sync failure
-
The physical disconnection of a heartbeat interface
-
The failure of a solid-state drive
The physical disconnection of a heartbeat interface
-
A configuration sync failure
Pregunta 79
Pregunta
Which troubleshooting step is applicable when investigating antivirus and IPS update issues on FortiGate?
Select one:
Respuesta
-
Verify outbound ICMP connectivity.
-
Validate DNS resolution for update.fortiguard.net.
-
Use the diagnose debug rating command to check active servers.
Rating services hace referencia a la clasificación de URLs
-
Use the alternate service port 8888.
Pregunta 80
Pregunta
Given the output showing a real-time debug, which statement describes why the update is failing?
Select one:
Respuesta
-
FortiGate is unable to establish a TCP connection with FDS.
-
FortiGate is unable to resolve the required FQDN (service.fortiguard.net) for AV and IPS updates.
-
The update should be using port 53 or port 8888, instead of port 443.
-
The administrator should use the execute update-wf command instead.
Pregunta 81
Pregunta
Which three steps are executed to get antivirus and IPS updates using the pull method? (Choose three.)
Select one or more:
Respuesta
-
FortiGate registers its public IP address in FortiGuard.
-
FortiGate gets a list of server IP addresses that can be contacted.
-
FortiGate starts sending rating queries to one of the servers in the list.
-
FortiGate periodically queries for pending updates.
-
FortiGate contacts a DNS server to resolve the FortiGuard domain name.
Pregunta 82
Pregunta
When investigating FortiGuard connectivity issues, which action is a valid troubleshooting step?
Select one:
Respuesta
-
Verify management VDOM internet access.
-
Verify DNS requests are being proxied if auto-update tunneling is enabled.
-
Use the FortiGuard real-time debug command to verify rating requests.
-
Configure a virtual IP to forward port 443 to the FortiGate external IP.
Pregunta 83
Pregunta
View the following exhibit, which contains the sniffer output for a passive mode FTP request.
An administrator has created the following custom IPS signature to block all FTP requests for passive mode:
F-SBID (--attack_id 1002; --name "Block.FTP "; --protocol tcp; --flow from_client; --pattern "PASV"; --no_case;)
Soon after the signature is enabled in an active IPS sensor, some false positive detections are generated.
Which option and value pair will allow more specific detection?
Select one:
Respuesta
-
--protocol ftp
-
--attack_id 1001
-
--name "Block.FTP.PASV"
-
--service ftp
Pregunta 84
Pregunta
An administrator is configuring ADVPN in a Hub-and-spoke topology. The administrator will use IBGP to route traffic between the VPN sites.
Which IBGP setting needs to be enabled on the hub for dynamic routing to work properly for on-demand tunnels?
Select one:
Respuesta
-
next-hop-self
-
route-server-client
-
ibgp-multipath
-
route-reflector-client
Pregunta 85
Pregunta
Which setting must be enabled in an in a Spoke IPsec phase 1 configuration to indicate that it wants to participate in ADVPN?
Select one:
Respuesta
-
auto-discovery-sender
-
auto-discovery-receiver
-
auto-discovery-forwarder
-
auto-discovery-ipsec
Pregunta 86
Pregunta
Which statement about this debug output is correct?
Select one:
Respuesta
-
Quick mode selectors do not match; therefore, the tunnel will not come up.
-
The SA life soft and hard seconds do not match; therefore, the tunnel will not come up.
-
It shows a phase 2 negotiation.
-
It shows the negotiation of an IPsec tunnel in transport mode.
Pregunta 87
Pregunta
An administrator wants to configure ADVPN.
Which ADVPN setting must be enabled in the tunnel between Hub1 and Hub2 FortiGates?
Select one:
Respuesta
-
set auto-discovery-receiver enabled
-
set auto-discovery-forwarder enabled
-
set auto-discovery-ipsec enabled
-
set auto-discovery-sender enabled