Question 1
Question
Regarding tunnel-mode SSL VPN, which three statements are correct? (Choose three.)
Answer
- A. Split tunneling is supported.
- B. It requires the installation of a VPN client.
- C. It requires the use of an Internet browser.
- D. It does not support traffic from third-party network applications.
- E. An SSL VPN IP address is dynamically assigned to the client by the FortiGate unit.
Question 2
Question
Which two statements are true about IPsec VPNs and SSL VPNs? (Choose two.)
Answer
- A. SSL VPN creates an HTTPS connection. IPsec does not.
- B. Both SSL VPNs and IPsec VPNs are standard protocols.
- C. Either an SSL VPN or an IPsec VPN can be established between two FortiGate devices.
- D. Either an SSL VPN or an IPsec VPN can be established between an end-user workstation and a FortiGate device.
Question 3
Question
A user logs into an SSL VPN portal and activates tunnel mode. The administrator has enabled split tunneling. The exhibit shows the firewall policy configuration.
Which static route is automatically added to the client's routing table when tunnel mode is activated?
Answer
- A. A route to a destination subnet matching the Internal_Servers address object.
- B. A route to the destination subnet configured in the tunnel mode widget.
- C. A default route.
- D. A route to the destination subnet configured in the SSL VPN global settings.
Question 4
Question
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?
Answer
- A. The remote user's virtual IP address.
- B. The FortiGate unit's internal IP address.
- C. The remote user's public IP address.
- D. The FortiGate unit's external IP address.
Question 5
Question
Regarding the use of web-only mode SSL VPN, which statement is correct?
Answer
- A. It supports SSL version 3 only.
- B. It requires a Fortinet-supplied plug-in on the web client.
- C. It requires the user to have a web browser that supports 64-bit cipher length.
- D. The Java Runtime Environment must be installed on the client.
Question 6
Question
An administrator wants to create an IPsec VPN tunnel between two FortiGate devices.
Which three configuration steps must be performed on both units to support this scenario? (Choose three.)
Answer
- A. Create firewall policies to allow and control traffic between the source and destination IP addresses.
- B. Configure the appropriate user groups to allow users access to the tunnel.
- C. Set the operating mode to IPsec VPN mode.
- D. Define the phase 2 parameters.
- E. Define the phase 1 parameters.
Question 7
Question
You are the administrator in charge of a FortiGate acting as an IPsec VPN gateway using route-based mode. Users from either side must be able to initiate new sessions. There is only one subnet at either end and the FortiGate already has a default route.
Which two configuration steps are required to achieve these objectives? (Choose two.)
Answer
- A. Create one firewall policy.
- B. Create two firewall policies.
- C. Add a route to the remote subnet.
- D. Add two IPsec phase 2 definitions.
Question 8
Question
An administrator has configured a route-based site-to-site IPsec VPN. Which statement is correct regarding this IPsec VPN configuration?
Answer
- A. The IPsec firewall policies must be placed at the top of the list.
- B. This VPN cannot be used as part of a hub and spoke topology.
- C. Routes are automatically created based on the quick mode selectors.
- D. A virtual IPsec interface is automatically created after the phase 1 configuration is completed.
Question 9
Question
What is IPsec Perfect Forward Secrecy (PFS)?
Answer
- A. A phase 1 setting that allows the use of symmetric encryption.
- B. A phase 2 setting that allows the recalculation of a new common secret key each time the session key
- C. A ‘key-agreement’ protocol.
- D. A ‘security-association-agreement’ protocol.
Question 10
Question
Which IPsec configuration mode can be used for implementing GRE-over-IPsec VPNs?
Question 11
Question
Which antivirus and attack definition update options are supported by FortiGate units? (Choose two.)
Answer
- A. Manual update by downloading the signatures from the support site.
- B. Pull updates from the FortiGate.
- C. Push updates from a FortiAnalyzer.
- D. execute fortiguard-AV-AS command from the CLI.
Question 12
Question
Which antivirus inspection mode must be used to scan the SMTP, FTP, POP3 and SMB protocols?
Answer
- A. Proxy-based.
- B. DNS-based.
- C. Flow-based.
- D. Man-in-the-middle.
Question 13
Question
Which statements regarding banned words are correct? (Choose two.)
Answer
- A. Content is automatically blocked if a single instance of a banned word appears.
- B. The FortiGate updates banned words on a periodic basis.
- C. The FortiGate can scan web pages and email messages for instances of banned words.
- D. Banned words can be expressed as simple text, wildcards and regular expressions.
Question 14
Question
Examine the exhibit; then answer the question below.
Which statement describes the green status indicators that appear next to the different FortiGuard Distribution Network services as illustrated in the exhibit?
Answer
- A. They indicate that the FortiGate has the latest updates available from the FortiGuard Distribution Network.
- B. They indicate that updates are available and should be downloaded from the FortiGuard Distribution Network to the FortiGate unit.
- C. They indicate that the FortiGate is in the process of downloading updates from the FortiGuard Distribution Network.
- D. They indicate that the FortiGate is able to connect to the FortiGuard Distribution Network.
Question 15
Question
A FortiGate is configured to receive push updates from the FortiGuard Distribution Network; however, updates are not being received.
Which are two reasons for this problem? (Choose two.)
Answer
- A. The FortiGate is connected to multiple ISPs.
- B. There is a NAT device between the FortiGate and the FortiGuard Distribution Network.
- C. The FortiGate is in transparent mode.
- D. The external-facing interface of the FortiGate is configured to get its IP address from a DHCP server.
Question 16
Question
Which statement is correct regarding virus scanning on a FortiGate unit?
Answer
- A. Virus scanning is enabled by default.
- B. Fortinet customer support enables virus scanning remotely for you.
- C. Virus scanning must be enabled in a security profile, which must be applied to a firewall policy.
- D. Enabling virus scanning in a security profile enables virus protection for all traffic flowing through the FortiGate.
Question 17
Question
Which statements are true regarding the use of a PAC file to configure the web proxy settings in an Internet browser? (Choose two.)
Answer
- A. Only one proxy is supported.
- B. It can be manually imported into the browser.
- C. The browser can automatically download it from a web server.
- D. It can include a list of destination IP subnets to which the browser connects directly without using a proxy.
Question 18
Question
Examine the following FortiGate web proxy configuration; then answer the question below:
config web-proxy explicit
set pac-file-server-status enable
set pac-file-server-port 8080
set pac-file-name wpad.dat
end
Assuming that the FortiGate proxy IP address is 10.10.1.1, which URL must an Internet browser use to download the PAC file?
Answer
- A. https://10.10.1.1:8080
- B. https://10.10.1.1:8080/wpad.dat
- C. http://10.10.1.1:8080/
- D. http://10.10.1.1:8080/wpad.dat
Question 19
Question
Which two methods are supported by the web proxy auto-discovery protocol (WPAD) to automatically learn the URL where a PAC file is located? (Choose two.)
Question 20
Question
What is a valid reason for using session-based authentication instead of IP-based authentication in a FortiGate web proxy solution?
Answer
- A. Users are required to manually enter their credentials each time they connect to a different web site.
- B. Proxy users are authenticated via FSSO.
- C. There are multiple users sharing the same IP address.
- D. Proxy users are authenticated via RADIUS.
Question 21
Question
Which statements are correct regarding URL filtering on a FortiGate unit? (Choose two.)
Answer
- A. The allowed actions for URL filtering include allow, block, monitor and exempt.
- B. The allowed actions for URL filtering are allow and block only.
- C. URL filters may be based on patterns using simple text, wildcards and regular expressions.
- D. URL filters are based on simple text only and require an exact match.
Question 22
Question
Which of the following regular expression patterns makes the term "confidential data" case-insensitive?
Answer
- A. [confidential data]
- B. /confidential data/i
- C. i/confidential data/
- D. "confidential data"
Question 23
Question
Which two web filtering inspection modes inspect the full URL? (Choose two.)
Answer
- A. DNS-based.
- B. Proxy-based.
- C. Flow-based.
- D. URL-based.
Question 24
Question
Which web filtering inspection mode inspects DNS traffic?
Answer
- A. DNS-based.
- B. FQDN-based.
- C. Flow-based.
- D. URL-based.
Question 25
Question
How do you configure a FortiGate to apply traffic shaping to P2P traffic, such as BitTorrent?
Answer
- A. Apply a traffic shaper to a BitTorrent entry in an application control list, which is then applied to a firewall policy.
- B. Enable the shape option in a firewall policy with the service set to BitTorrent.
- C. Define a DLP rule to match against BitTorrent traffic and include the rule in a DLP sensor with traffic shaping enabled.
- D. Apply a traffic shaper to a protocol options profile.
Question 26
Question
Which statements are correct regarding application control? (Choose two.)
Answer
- A. It is based on the IPS engine.
- B. It is based on the AV engine.
- C. It can be applied to SSL-encrypted traffic.
- D. Application control cannot be applied to SSL-encrypted traffic.
Question 27
Question
Which statements are true regarding traffic shaping that is applied in an application sensor and associated with a firewall policy? (Choose two.)
Answer
- A. Shared traffic shaping cannot be used.
- B. Only traffic matching the application control signature is shaped.
- C. It can limit the bandwidth usage of heavy-traffic applications.
- D. Per-IP traffic shaping cannot be used.
Question 28
Question
In this scenario, the FortiGate unit in Ottawa has the following routing table:
S* 0.0.0.0/0 [10/0] via 172.20.170.254, port2
C 172.20.167.0/24 is directly connected, port1
C 172.20.170.0/24 is directly connected, port2
Sniffer tests show that packets sent from the source IP address 172.20.168.2 to the destination IP address 172.20.169.2 are being dropped by the FortiGate located in Ottawa. Which of the following correctly describes the cause of the dropped packets?
Answer
- A. The forward policy check.
- B. The reverse path forwarding check.
- C. The subnet 172.20.169.0/24 is NOT in the Ottawa FortiGate's routing table.
- D. The destination workstation 172.20.169.2 does NOT have the subnet 172.20.168.0/24 in its routing table.
Question 29
Question
Examine the two static routes to the same destination subnet 172.20.168.0/24 shown below; then answer the question following it.
config router static
edit 1
set dst 172.20.168.0 255.255.255.0
set distance 20
set priority 10
set device port1
next
edit 2
set dst 172.20.168.0 255.255.255.0
set distance 20
set priority 20
set device port2
next
end
Which of the following statements correctly describes the static routing configuration provided above?
Answer
- A. The FortiGate evenly shares the traffic to 172.20.168.0/24 through both routes.
- B. The FortiGate shares the traffic to 172.20.168.0/24 through both routes, but the port2 route will carry approximately twice as much of the traffic.
- C. The FortiGate sends all the traffic to 172.20.168.0/24 through port1.
- D. Only the route that is using port1 will show up in the routing table.
Question 30
Question
The Vancouver FortiGate initially had the following information in its routing table:
S 172.20.0.0/16 [10/0] via 172.21.1.2, port2
C 172.21.0.0/16 is directly connected, port2
C 172.11.11.0/24 is directly connected, port1
Afterwards, the following static route was added:
config router static
edit 6
set dst 172.20.1.0 255.255.255.0
set priority 0
set device port1
set gateway 172.11.12.1
next
end
Since this change, the new static route is NOT showing up in the routing table. Given the information provided, which of the following describes the cause of this problem?
Answer
- A. The subnet 172.20.1.0/24 overlaps with the subnet of a static route that is already in the routing table (172.20.0.0/16), so allow-subnet-overlap needs to be enabled first.
- B. The 'gateway' IP address is NOT in the same subnet as the IP address of port1.
- C. The priority is 0, which means that the route will remain inactive.
- D. The static route configuration is missing the distance setting.
Question 31
Question
Examine the static route configuration shown below; then answer the question following it.
config router static
edit 1
set dst 172.20.1.0 255.255.255.0
set device port1
set gateway 172.11.12.1
set distance 10
set weight 5
next
edit 2
set dst 172.20.1.0 255.255.255.0
set blackhole enable
set distance 5
set weight 10
next
end
Which of the following statements correctly describe the static routing configuration provided? (Choose two.)
Answer
- A. All traffic to 172.20.1.0/24 is dropped by the FortiGate.
- B. As long as port1 is up, all traffic to 172.20.1.0/24 is routed by static route number 1. If the interface port1 is down, the traffic is routed using the blackhole route.
- C. The FortiGate unit does NOT create a session entry in the session table when the traffic is being routed by the blackhole route.
- D. The FortiGate unit creates a session entry in the session table when the traffic is being routed by the blackhole route.
Question 32
Question
In the case of TCP traffic, which of the following correctly describes the routing table lookups performed by a FortiGate operating in NAT/Route mode when searching for a suitable gateway?
Answer
- A. A lookup is done only when the first packet coming from the client (SYN) arrives.
- B. A lookup is done when the first packet coming from the client (SYN) arrives, and a second one is performed when the first packet coming from the server (SYN/ACK) arrives.
- C. Three lookups are done during the TCP 3-way handshake (SYN, SYN/ACK, ACK).
- D. A lookup is always done each time a packet arrives, from either the server or the client side.
Question 33
Question
A static route is configured on a FortiGate unit from the CLI using the following commands:
config router static
edit 1
set device "wan1"
set distance 20
set gateway 192.168.100.1
next
end
Which of the following conditions are required for this static default route to be displayed in the FortiGate unit's routing table? (Choose two.)
Answer
- A. The administrative status of the wan1 interface is displayed as down.
- B. The link status of the wan1 interface is displayed as up.
- C. All other default routes should have a lower distance.
- D. The wan1 interface address and gateway address are on the same subnet.
Question 34
Question
Review the output of the command get router info routing-table database shown in the exhibit below; then answer the question following it.
Which two statements are correct regarding this output? (Choose two.)
Answer
- A. There will be six routes in the routing table.
- B. There will be seven routes in the routing table.
- C. There will be two default routes in the routing table.
- D. There will be two routes for the 10.0.2.0/24 subnet in the routing table.
Question 35
Question
When does a FortiGate load-share traffic between two static routes to the same destination subnet?
Answer
- A. When they have the same cost and distance.
- B. When they have the same distance and the same weight.
- C. When they have the same distance and different priority.
- D. When they have the same distance and same priority.
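As an added illustration (not part of the original question set), the Python model below applies the static-route rules that questions 29 through 35 turn on: a route is installed only if its interface link is up and its gateway lies inside that interface's connected subnet; for one prefix the lowest distance wins; among equal distances the lowest priority value wins; and routes that tie on both are load-shared. The interface subnets (the 10.0.x.0/24 networks, and 172.11.12.0/24 on port1 for the question 31 scenario) are constructed assumptions, the default priority of 0 is an assumption because the default differs between FortiOS releases, and the weight values from question 31 are ignored because weight only affects how load is shared between routes that are already installed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    subnet: str             # connected subnet of the port, e.g. "172.11.11.0/24"
    link_up: bool = True


@dataclass
class StaticRoute:
    seq: int
    dst: str                # destination prefix; "0.0.0.0/0" is a default route
    device: Optional[str] = None
    gateway: Optional[str] = None
    distance: int = 10      # FortiOS default administrative distance for static routes
    priority: int = 0       # lower value wins among equal distances (default assumed to be 0)
    blackhole: bool = False


def is_installable(route: StaticRoute, ifaces: Dict[str, Interface]) -> bool:
    """A route enters the routing table only if the unit can actually use it:
    blackhole routes always can; any other route needs a device whose link is up
    and, if a gateway is set, that gateway inside the device's connected subnet."""
    if route.blackhole:
        return True
    iface = ifaces.get(route.device or "")
    if iface is None or not iface.link_up:
        return False
    return route.gateway is None or ip_address(route.gateway) in ip_network(iface.subnet)


def routing_table(routes: List[StaticRoute], ifaces: Dict[str, Interface]) -> Dict[IPv4Network, List[StaticRoute]]:
    """Per prefix keep only the lowest distance, then only the lowest priority value.
    More than one survivor for a prefix means the traffic is load-shared (ECMP)."""
    by_prefix: Dict[IPv4Network, List[StaticRoute]] = {}
    for route in routes:
        if is_installable(route, ifaces):
            by_prefix.setdefault(ip_network(route.dst), []).append(route)
    table: Dict[IPv4Network, List[StaticRoute]] = {}
    for prefix, cands in by_prefix.items():
        best_distance = min(c.distance for c in cands)
        cands = [c for c in cands if c.distance == best_distance]
        best_priority = min(c.priority for c in cands)
        table[prefix] = [c for c in cands if c.priority == best_priority]
    return table


def next_hops(table: Dict[IPv4Network, List[StaticRoute]], destination: str) -> List[str]:
    """Longest-prefix match; returns every egress that shares the load."""
    ip = ip_address(destination)
    matches = [prefix for prefix in table if ip in prefix]
    if not matches:
        return []
    best = max(matches, key=lambda prefix: prefix.prefixlen)
    return ["blackhole" if r.blackhole else str(r.device) for r in table[best]]


# Question 29: equal distance, so the lower priority value (port1) takes all the traffic.
def scenario_q29() -> List[str]:
    ifaces = {"port1": Interface("10.0.1.0/24"), "port2": Interface("10.0.2.0/24")}  # constructed
    routes = [StaticRoute(1, "172.20.168.0/24", "port1", distance=20, priority=10),
              StaticRoute(2, "172.20.168.0/24", "port2", distance=20, priority=20)]
    return next_hops(routing_table(routes, ifaces), "172.20.168.7")


# Question 30: gateway 172.11.12.1 is outside port1's subnet 172.11.11.0/24, so route 6
# is never installed and 172.20.1.0/24 keeps following the /16 via port2.
def scenario_q30() -> Tuple[bool, List[str]]:
    ifaces = {"port1": Interface("172.11.11.0/24"), "port2": Interface("172.21.0.0/16")}
    routes = [StaticRoute(1, "172.20.0.0/16", "port2", gateway="172.21.1.2"),
              StaticRoute(6, "172.20.1.0/24", "port1", gateway="172.11.12.1", priority=0)]
    table = routing_table(routes, ifaces)
    return ip_network("172.20.1.0/24") in table, next_hops(table, "172.20.1.9")


# Question 31: a blackhole at distance 5 beats port1 at distance 10 even while port1 is up;
# a backup blackhole must carry a higher distance than the real route.
def scenario_q31(blackhole_distance: int, port1_up: bool = True) -> List[str]:
    ifaces = {"port1": Interface("172.11.12.0/24", link_up=port1_up)}  # constructed subnet
    routes = [StaticRoute(1, "172.20.1.0/24", "port1", gateway="172.11.12.1", distance=10),
              StaticRoute(2, "172.20.1.0/24", blackhole=True, distance=blackhole_distance)]
    return next_hops(routing_table(routes, ifaces), "172.20.1.1")


# Question 35: same distance and same priority, so both routes are installed and share the load.
def scenario_q35() -> List[str]:
    ifaces = {"port1": Interface("10.0.1.0/24"), "port2": Interface("10.0.2.0/24")}
    routes = [StaticRoute(1, "172.20.168.0/24", "port1", distance=10, priority=0),
              StaticRoute(2, "172.20.168.0/24", "port2", distance=10, priority=0)]
    return next_hops(routing_table(routes, ifaces), "172.20.168.7")


if __name__ == "__main__":
    print("Q29", scenario_q29(), "Q30", scenario_q30(), "Q35", scenario_q35())
    print("Q31 as configured", scenario_q31(5))
    print("Q31 backup blackhole", scenario_q31(254), scenario_q31(254, port1_up=False))
```

The same rules cover question 33: a default route (no dst) with its device link down, or with a gateway outside the interface subnet, never reaches the routing table regardless of its distance.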
Question 36
Question
A FortiGate is configured with multiple VDOMs. An administrative account on the device has been assigned a Scope value of VDOM:root.
Which of the following settings will this administrator be able to configure? (Choose two.)
Question 37
Question
Which statements are correct regarding virtual domains (VDOMs)? (Choose two.)
Answer
- A. VDOMs divide a single FortiGate unit into two or more virtual units that each have dedicated memory and CPUs.
- B. A management VDOM handles SNMP, logging, alert email, and FDN-based updates.
- C. VDOMs share firmware versions, as well as antivirus and IPS databases.
- D. Different time zones can be configured in each VDOM.
Question 38
Question
A FortiGate unit is configured with three virtual domains (VDOMs) as illustrated in the exhibit.
Which of the following statements are true if the network administrator wants to route traffic between all the VDOMs? (Choose three.)
Answer
- A. The administrator can configure inter-VDOM links to avoid using external interfaces and routers.
- B. As with all FortiGate unit interfaces, firewall policies must be in place for traffic to be allowed to pass through any interface, including inter-VDOM links.
- C. This configuration requires a router to be positioned between the FortiGate unit and the Internet for proper routing.
- D. Inter-VDOM routing is automatically provided if all the subnets that need to be routed are locally attached.
- E. As each VDOM has an independent routing table, routing rules need to be set (for example, static routing or OSPF) in each VDOM to route traffic between VDOMs.
Question 39
Question
A FortiGate is configured with three virtual domains (VDOMs). Which of the following statements is correct regarding multiple VDOMs?
Answer
- A. The FortiGate must be a model 1000 or above to support multiple VDOMs.
- B. A license has to be purchased and applied to the FortiGate before VDOM mode can be enabled.
- C. Changing the operational mode of a VDOM requires a reboot of the FortiGate.
- D. The FortiGate supports any combination of VDOMs in NAT/Route and transparent modes.
Question 40
Question
A FortiGate administrator with the super_admin profile configures a virtual domain (VDOM) for a new customer. After creating the VDOM, the administrator is unable to reassign the dmz interface to the new VDOM, as the option is greyed out in the GUI in the management VDOM. What would be a possible cause for this problem?
Answer
- A. The administrator does not have the proper permissions to reassign the dmz interface.
- B. The dmz interface is referenced in the configuration of another VDOM.
- C. Non-management VDOMs cannot reference physical interfaces.
- D. The dmz interface is in PPPoE or DHCP mode.
Question 41
Question
A FortiGate is operating in NAT/Route mode and is configured with two virtual LAN (VLAN) sub-interfaces added to the same physical interface.
Which one of the following statements is correct regarding the VLAN IDs in this scenario?
Answer
- A. The two VLAN sub-interfaces can have the same VLAN ID only if they have IP addresses in different subnets.
- B. The two VLAN sub-interfaces must have different VLAN IDs.
- C. The two VLAN sub-interfaces can have the same VLAN ID only if they belong to different VDOMs.
- D. The two VLAN sub-interfaces can have the same VLAN ID if they are connected to different L2 IEEE 802.1Q-compliant switches.
Question 42
Question
Which statements correctly describe transparent mode operation? (Choose three.)
Answer
- A. The FortiGate acts as a transparent bridge and forwards traffic at Layer 2.
- B. Ethernet packets are forwarded based on destination MAC addresses, NOT IP addresses.
- C. The transparent FortiGate is clearly visible to network hosts in an IP traceroute.
- D. It permits inline traffic inspection and firewalling without changing the IP scheme of the network.
- E. All interfaces of the transparent mode FortiGate device must be on different IP subnets.
Question 43
Question
In transparent mode, forward-domain is a CLI setting associated with ______________.
Answer
- A. a static route.
- B. a firewall policy.
- C. an interface.
- D. a virtual domain.
Question 44
Question
Which statements are correct for port pairing and forwarding domains? (Choose two.)
Answer
- A. They both create separate broadcast domains.
- B. Port pairing works only for physical interfaces.
- C. Forwarding domains only apply to virtual interfaces.
- D. They may contain physical and/or virtual interfaces.
Question 45
Question
Examine the following spanning tree configuration on a FortiGate in transparent mode:
config system interface
edit <interface name>
set stp-forward enable
end
Which statement is correct for the above configuration?
Answer
- A. The FortiGate participates in spanning tree.
- B. The FortiGate device forwards received spanning tree messages.
- C. Ethernet Layer 2 loops are likely to occur.
- D. The FortiGate generates spanning tree BPDU frames.
Question 46
Question
An administrator has formed a high availability cluster involving two FortiGate units.
[ Multiple upstream Layer 2 switches ] -- [ FortiGate HA Cluster ] -- [ Multiple downstream Layer 2 switches ]
The administrator wishes to ensure that a single link failure will have minimal impact upon the overall throughput of traffic through this cluster.
Which of the following options describes the best step the administrator can take? The administrator should _____________________.
Answer
- A. Increase the number of FortiGate units in the cluster and configure HA in active-active mode.
- B. Enable monitoring of all active interfaces.
- C. Set up a full-mesh design which uses redundant interfaces.
- D. Configure the HA ping server feature to allow for HA failover in the event that a path is disrupted.
Question 47
Question
Which of the following sequences describes the correct order of criteria used for the selection of a master unit within a FortiGate high availability (HA) cluster when override is disabled?
Answer
- A. 1. port monitor, 2. unit priority, 3. up time, 4. serial number.
- B. 1. port monitor, 2. up time, 3. unit priority, 4. serial number.
- C. 1. unit priority, 2. up time, 3. port monitor, 4. serial number.
- D. 1. up time, 2. unit priority, 3. port monitor, 4. serial number.
Question 48
Question
In a high availability cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a slave unit?
Answer
- A. Request: internal host; slave FortiGate; master FortiGate; Internet; web server.
- B. Request: internal host; slave FortiGate; Internet; web server.
- C. Request: internal host; slave FortiGate; master FortiGate; Internet; web server.
- D. Request: internal host; master FortiGate; slave FortiGate; Internet; web server.
Question 49
Question
Two devices are in an HA cluster; the device hostnames are STUDENT and REMOTE. Exhibit A shows the command output of diagnose sys session stat for the STUDENT device. Exhibit B shows the command output of diagnose sys session stat for the REMOTE device.
Given the information provided in the exhibits, which of the following statements are correct? (Choose two.)
Answer
- A. STUDENT is likely to be the master device.
- B. Session-pickup is likely to be enabled.
- C. The cluster mode is active-passive.
- D. There is not enough information to determine the cluster mode.
Question 50
Question
Which of the following statements are correct about the HA command diagnose sys ha reset-uptime? (Choose two.)
Answer
- A. The device this command is executed on is likely to switch from master to slave status if override is disabled.
- B. The device this command is executed on is likely to switch from master to slave status if override is enabled.
- C. This command has no impact on the HA algorithm.
- D. This command resets the uptime variable used in the HA algorithm, so it may cause a new master to be elected.
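As an added illustration (not part of the original question set), the Python model below encodes the master (primary) election order that questions 47 and 50 are about and shows what diagnose sys ha reset-uptime does to it. With override disabled the cluster compares the number of connected monitored ports, then HA uptime (age), then device priority, then serial number; with override enabled, priority is compared before age. The 300-second margin is the FortiOS ha-uptime-diff-margin default, below which two ages count as equal; the hostnames, serial numbers, ages and port counts are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List

UPTIME_DIFF_MARGIN = 300  # seconds; FortiOS ha-uptime-diff-margin default. Smaller age gaps tie.


@dataclass
class Member:
    hostname: str
    serial: str
    priority: int = 128       # FortiOS default device priority
    age: int = 0              # HA uptime in seconds; "diagnose sys ha reset-uptime" zeroes it
    monitored_up: int = 0     # monitored interfaces currently linked up


def _keep_highest(members: List[Member], key: Callable[[Member], int]) -> List[Member]:
    best = max(key(m) for m in members)
    return [m for m in members if key(m) == best]


def _keep_oldest(members: List[Member]) -> List[Member]:
    # Age only decides when the gap exceeds the margin; otherwise every member stays in.
    oldest = max(m.age for m in members)
    return [m for m in members if oldest - m.age <= UPTIME_DIFF_MARGIN]


def elect_primary(members: List[Member], override: bool) -> Member:
    """Return the member the cluster selects as master (primary)."""
    cands = _keep_highest(members, lambda m: m.monitored_up)   # 1. connected monitored ports
    if override:
        cands = _keep_highest(cands, lambda m: m.priority)    # 2. priority (override enabled)
        cands = _keep_oldest(cands)                           # 3. age
    else:
        cands = _keep_oldest(cands)                           # 2. age (override disabled)
        cands = _keep_highest(cands, lambda m: m.priority)    # 3. priority
    return max(cands, key=lambda m: m.serial)                 # 4. highest serial number


def reset_uptime(member: Member) -> None:
    """Effect of running 'diagnose sys ha reset-uptime' on that unit."""
    member.age = 0


def demo(override: bool, remote_monitored_up: int = 2) -> List[str]:
    """Master before and after resetting STUDENT's uptime (constructed two-member cluster)."""
    student = Member("STUDENT", "FG100D0000000002", priority=200, age=7200, monitored_up=2)
    remote = Member("REMOTE", "FG100D0000000001", priority=128, age=3600,
                    monitored_up=remote_monitored_up)
    before = elect_primary([student, remote], override).hostname
    reset_uptime(student)
    after = elect_primary([student, remote], override).hostname
    return [before, after]


if __name__ == "__main__":
    print("override disabled:", demo(override=False))
    print("override enabled: ", demo(override=True))
    print("REMOTE lost a monitored link:", demo(override=False, remote_monitored_up=1))
```

With override disabled the reset hands the master role to REMOTE because age is compared before priority; with override enabled STUDENT's higher priority keeps it master, and a failed monitored port on REMOTE keeps STUDENT master in either case.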
Question 51
Question
In HA, the option Reserve Management Port for Cluster Member is selected, as shown in the exhibit below.
Which statements are correct regarding this setting? (Choose two.)
Answer
- A. Interface settings on port7 will not be synchronized with other cluster members.
- B. The IP address assigned to this interface must not overlap with the IP address subnet assigned to another interface.
- C. When connecting to port7 you always connect to the master device.
- D. A gateway address may be configured for port7.
Question 52
Question
The exhibit shows the Disconnect Cluster Member command on a FortiGate unit that is part of an HA cluster with two HA members.
What is the effect of the Disconnect Cluster Member command as given in the exhibit? (Choose two.)
Answer
- A. Port3 is configured with an IP address for management access.
- B. The firewall rules are purged on the disconnected unit.
- C. The HA mode changes to standalone.
- D. The system hostname is set to the unit serial number.
Question 53
Question
Two FortiGate devices fail to form an HA cluster; the device hostnames are STUDENT and REMOTE. Exhibit A shows the command output of show system ha for the STUDENT device. Exhibit B shows the command output of show system ha for the REMOTE device.
Which one of the following is the most likely reason that the cluster fails to form?
Answer
- A. Password
- B. HA mode
- C. Heartbeat
- D. Override
Question 54
Question
What are the requirements for an HA cluster to maintain TCP connections after device or link failover? (Choose two.)
Answer
- A. Enable session pick-up.
- B. Enable override.
- C. Connections must be UDP or ICMP.
- D. Connections must not be handled by a proxy.
Question 55
Question
Which IPsec mode includes the peer ID information in the first packet?
Answer
- A. Main mode.
- B. Quick mode.
- C. Aggressive mode.
- D. IKEv2 mode.
Question 56
Question
Which statement is an advantage of using a hub and spoke IPsec VPN configuration instead of a fully meshed set of IPsec tunnels?
Answer
- A. Using a hub and spoke topology provides full redundancy.
- B. Using a hub and spoke topology requires fewer tunnels.
- C. Using a hub and spoke topology uses stronger encryption protocols.
- D. Using a hub and spoke topology requires more routes.
Question 57
Question
Which statements are correct properties of a partial mesh VPN deployment? (Choose two.)
Answer
- A. VPN tunnels interconnect between every single location.
- B. VPN tunnels are not configured between every single location.
- C. Some locations are reached via a hub location.
- D. There are no hub locations in a partial mesh.
Question 58
Question
Review the IPsec phase 1 configuration in the exhibit; then answer the question below.
Which statements are correct regarding this configuration? (Choose two.)
Answer
- A. The remote gateway address is 10.200.3.1.
- B. The local IPsec interface address is 10.200.3.1.
- C. The local gateway IP is the address assigned to port1.
- D. The local gateway IP address is 10.200.3.1.
Question 59
Question
Review the IPsec phase 2 configuration shown in the exhibit; then answer the question below.
Which statements are correct regarding this configuration? (Choose two.)
Answer
- A. The phase 2 will re-key even if there is no traffic.
- B. There will be a DH exchange for each re-key.
- C. The sequence number of ESP packets received from the peer will not be checked.
- D. Quick mode selectors will default to those used in the firewall policy.
Question 60
Question
Review the static route configuration for IPsec shown in the exhibit; then answer the question below.
Which statements are correct regarding this configuration? (Choose two.)
Answer
- A. Interface remote is an IPsec interface.
- B. A gateway address is not required because the interface is a point-to-point connection.
- C. A gateway address is not required because the default route is used.
- D. Interface remote is a zone.
Question 61
Question
Review the IKE debug output for IPsec shown in the exhibit below.
Which statement is correct regarding this output?
Answer
- A. The output is a phase 1 negotiation.
- B. The output is a phase 2 negotiation.
- C. The output captures the dead peer detection messages.
- D. The output captures the dead gateway detection packets.
Question 62
Question
Review the IPsec diagnostics output of the command diagnose vpn tunnel list shown in the exhibit.
Which statement is correct regarding this output? (Select one answer.)
Question 63
Question
Review the configuration for FortiClient IPsec shown in the exhibit.
Which statement is correct regarding this configuration?
Answer
- A. The connecting VPN client will install a route to a destination corresponding to the student_internal address object.
- B. The connecting VPN client will install a default route.
- C. The connecting VPN client will install a route to the 172.20.1.[1-5] address range.
- D. The connecting VPN client will connect in web portal mode and no route will be installed.
Question 64
Question
Review the IPsec diagnostics output of the command diagnose vpn tunnel list shown in the exhibit below.
Which statements are correct regarding this output? (Choose two.)
Answer
- A. The connecting client has been allocated address 172.20.1.1.
- B. In the phase 1 settings, dead peer detection is enabled.
- C. The tunnel is idle.
- D. The connecting client has been allocated address 10.200.3.1.
Question 65
Question
Examine the following log message for IPS:
2012-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root severity="critical" src="192.168.3.168" dst="192.168.3.170" src_int="port2" serial=0 status="detected" proto=1 service="icmp" count=1 attack_name="icmp_flood" icmp_id="0xa8a4" icmp_type="0x08" icmp_code="0x00" attack_id=16777316 sensor="1" ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_flood, 51 > threshold 50"
Which statements are correct about the above log? (Choose two.)
Answer
- A. The target is 192.168.3.168.
- B. The target is 192.168.3.170.
- C. The attack was NOT blocked.
- D. The attack was blocked.
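As an added example (not part of the original page), the Python below parses FortiGate key=value log lines such as the one in question 65 and reports the attacker, the target and whether the sensor stopped the traffic. The first sample line is a copy of the log from the question; the second is a constructed variant of the same event. The reading of the fields is an assumption drawn from FortiOS IPS logging conventions: in an anomaly record src is the sending host and dst the host being flooded, status="detected" means the event was only logged while the traffic passed, and status="dropped" means it was blocked.

```python
import re
from typing import Dict, List

# Sample input: the first line is the anomaly log from the question; the second is a
# constructed variant showing how the same event looks when the sensor blocks it.
SAMPLE_LOGS: List[str] = [
    '2012-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root '
    'severity="critical" src="192.168.3.168" dst="192.168.3.170" src_int="port2" serial=0 '
    'status="detected" proto=1 service="icmp" count=1 attack_name="icmp_flood" '
    'icmp_id="0xa8a4" icmp_type="0x08" icmp_code="0x00" attack_id=16777316 sensor="1" '
    'ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_flood, 51 > threshold 50"',
    '2012-07-01 09:55:02 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root '
    'severity="critical" src="10.0.0.25" dst="192.168.3.170" src_int="port2" serial=0 '
    'status="dropped" proto=1 service="icmp" count=1 attack_name="icmp_flood" '
    'attack_id=16777316 sensor="1" msg="anomaly: icmp_flood, 120 > threshold 50"',
]

# key=value pairs: the value is either a double-quoted string (spaces allowed) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TIMESTAMP_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+')
THRESHOLD_RE = re.compile(r'(\d+) > threshold (\d+)')

# Assumption: "detected" is the log-only outcome; any other status ("dropped", ...) stopped the traffic.
PASSIVE_STATUSES = {"detected"}


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a dict; quotes are stripped from values."""
    fields: Dict[str, str] = {}
    ts = TIMESTAMP_RE.match(line)
    if ts:
        fields["timestamp"] = ts.group(1)
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def summarize(fields: Dict[str, str]) -> Dict[str, object]:
    """Analyst view of an IPS anomaly record: who, whom, how far over threshold, blocked or not."""
    m = THRESHOLD_RE.search(fields.get("msg", ""))
    status = fields.get("status")
    return {
        "time": fields.get("timestamp"),
        "attacker": fields.get("src"),      # sending host
        "target": fields.get("dst"),        # host being flooded
        "ingress": fields.get("src_int"),   # interface the flood arrived on
        "attack": fields.get("attack_name"),
        "observed": int(m.group(1)) if m else None,
        "threshold": int(m.group(2)) if m else None,
        "blocked": status is not None and status not in PASSIVE_STATUSES,
    }


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Summaries for the IPS records in a batch of mixed log lines; other types are skipped."""
    out: List[Dict[str, object]] = []
    for line in lines:
        fields = parse_fortigate_log(line)
        if fields.get("type") == "ips":
            out.append(summarize(fields))
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOGS):
        verdict = "BLOCKED" if rec["blocked"] else "detected only"
        print(f'{rec["time"]} {rec["attack"]} {rec["attacker"]} -> {rec["target"]} '
              f'on {rec["ingress"]} ({rec["observed"]} > {rec["threshold"]}) {verdict}')
```

Quoted values are consumed as a unit, so a value that contains spaces or a URL (the msg and ref fields above) does not get split into spurious keys; a log line of another type is parsed but left out of the IPS triage list.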
Question 66
Question
Which statement correctly describes the output of the command diagnose ips anomaly list?
Answer
- A. Lists the configured DoS policy.
- B. Lists the real-time counters for the configured DoS policy.
- C. Lists the errors captured when compiling the DoS policy.
- D. Lists the IPS signature matches.
Question 67
Question
Review the IPS sensor filter configuration shown in the exhibit.
Based on the information in the exhibit, which statements are correct regarding the filter? (Choose two.)
Answer
- A. It does not log attacks targeting Linux servers.
- B. It matches all traffic to Linux servers.
- C. Its action will block traffic matching these signatures.
- D. It only takes effect when the sensor is applied to a policy.
Question 68
Question
With FSSO, a domain user could authenticate either against the domain controller running the collector agent and domain controller agent, or against a domain controller running only the domain controller agent. If you attempt to authenticate with a domain controller running only the domain controller agent, which statements are correct? (Choose two.)
Answer
- A. The login event is sent to the collector agent.
- B. The FortiGate receives the user information directly from the receiving domain controller agent of the secondary domain controller.
- C. The domain collector agent may perform a DNS lookup for the authenticated client's IP address.
- D. The user cannot be authenticated with the FortiGate in this manner because each domain controller agent requires a dedicated collector agent.
Question 69
Question
Which statement describes what the CLI command diagnose debug authd fsso list is used for?
Answer
- A. Monitors communications between the FSSO collector agent and the FortiGate unit.
- B. Displays which users are currently logged on using FSSO.
- C. Displays a listing of all connected FSSO collector agents.
- D. Lists all DC agents installed on all domain controllers.
Question 70
Question
FSSO provides a single sign-on solution to authenticate users transparently to a FortiGate unit using credentials stored in Windows Active Directory.
Which of the following statements are correct regarding FSSO in a Windows domain environment when agent mode is used? (Choose two.)
Answer
- A. An FSSO collector agent must be installed on every domain controller.
- B. An FSSO domain controller agent must be installed on every domain controller.
- C. The FSSO domain controller agent will regularly update user logon information on the FortiGate unit.
- D. The FSSO collector agent will receive user logon information from the domain controller agent and will send it to the FortiGate unit.
Pregunta 71
Pregunta
Which are two requirements for DC-agent mode FSSO to work properly in a Windows AD environment? [Choose two.]
Respuesta
-
A. DNS server must properly resolve all workstation names.
-
B. The remote registry service must be running in all workstations.
-
C. The collector agent must be installed in one of the Windows domain controllers.
-
D. A same user cannot be logged in into two different workstations at the same time.
Pregunta 72
Pregunta
Which statement is one disadvantage of using FSSO NetAPI polling mode over FSSO Security Event Log (WinSecLog) polling mode?
Respuesta
-
A. It requires a DC agent installed in some of the Windows DC.
-
B. It runs slower.
-
C. It might miss some logon events.
-
D. It requires access to a DNS server for workstation name resolution.
Question 73
Question
Bob wants to send Alice a file that is encrypted using public key cryptography.
Which of the following statements is correct regarding the use of public key cryptography in this scenario?
Answer
- A. Bob will use his private key to encrypt the file and Alice will use her private key to decrypt the file.
- B. Bob will use his public key to encrypt the file and Alice will use Bob's private key to decrypt the file.
- C. Bob will use Alice's public key to encrypt the file and Alice will use her private key to decrypt the file.
- D. Bob will use his public key to encrypt the file and Alice will use her private key to decrypt the file.
Question 74
Question
Which tasks fall under the responsibility of the SSL proxy in a typical HTTPS connection? (Choose two.)
Answer
- A. The web client SSL handshake.
- B. The web server SSL handshake.
- C. File buffering.
- D. Communication with the URL filter process.
Question 75
Question
When the SSL proxy is NOT doing man-in-the-middle interception of SSL traffic, which certificate field can be used to determine the rating of a website?
Answer
- A. Organizational Unit.
- B. Common Name.
- C. Serial Number.
- D. Validity.
Question 76
Question
Data leak prevention archiving gives the ability to store files and message data onto a FortiAnalyzer unit for which of the following types of network traffic? (Choose three.)
Answer
- A. POP3
- B. SNMP
- C. IPsec
- D. SMTP
- E. HTTP
Question 77
Question
For data leak prevention, which statement describes the difference between the block and quarantine actions?
Answer
- A. A block action prevents the transaction. A quarantine action blocks all future transactions, regardless of the protocol.
- B. A block action prevents the transaction. A quarantine action archives the data.
- C. A block action has a finite duration. A quarantine action must be removed by an administrator.
- D. A block action is used for known users. A quarantine action is used for unknown users.
Question 78
Question
In which process states is it impossible to interrupt/kill a process? (Choose two.)
Question 79
Question
Examine the output below from the diagnose sys top command:
# diagnose sys top 1
Run Time: 11 days, 3 hours and 29 minutes
0U, 0N, 1S, 99I; 971T, 528F, 160KF
sshd        123    S      1.9    1.2
ipsengine    61    S <    0.0    5.2
miglogd      45    S      0.0    4.9
pyfcgid      75    S      0.0    4.5
pyfcgid      73    S      0.0    3.9
Which statements are true regarding the output above? (Choose two.)
Answer
- A. The sshd process is the one consuming most CPU.
- B. The sshd process is using 123 pages of memory.
- C. The command diagnose sys kill miglogd will restart the miglogd process.
- D. All the processes listed are in sleeping state.
Question 80
Question
Examine the following output from the diagnose sys session list command:
session info: proto=6 proto_state=65 duration=3 expire=9 timeout=3600 flags=00000000 sockflag=00000000 sockport=443 av_idx=9 use=5
origin-shaper=guarantee-100kbps prio=2 guarantee 12800Bps max 134217728Bps traffic 13895Bps
reply-shaper=guarantee-100kbps prio=2 guarantee 12800Bps max 134217728Bps traffic 13895Bps
state=redir local may_dirty ndr npu nlb os rs
statistic(bytes/packets/allow_err): org=864/8/1 reply=2384/7/1 tuples=3
orgin->sink: org pre->post, reply pre->post dev=7->6/6->7 gwy=172.17.87.3/10.1.10.1
hook=post dir=org act=snat 192.168.1.110:57999->74.201.86.29:443(172.17.87.16:57999)
hook=pre dir=reply act=dnat 74.201.86.29:443->172.17.87.16:57999(192.168.1.110:57999)
hook=post dir=reply act=noop 74.201.86.29:443->192.168.1.110:57999(0.0.0.0:0)
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0/0
Which statements are true regarding the session above? (Choose two.)
Answer
- A. Session Time-To-Live (TTL) was configured to 9 seconds.
- B. FortiGate is doing NAT of both the source and destination IP addresses on all packets coming from the 192.168.1.110 address.
- C. The IP address 192.168.1.110 is being translated to 172.17.87.16.
- D. The FortiGate is not translating the TCP port numbers of the packets in this session.
Question 81
Question
Which statements are true regarding IPv6 anycast addresses? (Choose two.)
Answer
- A. Multiple interfaces can share the same anycast address.
- B. They are allocated from the multicast address space.
- C. Different nodes cannot share the same anycast address.
- D. An anycast packet is routed to the nearest interface.
Question 82
Question
What functions can the IPv6 Neighbor Discovery protocol accomplish? (Choose two.)
Answer
- A. Negotiate the encryption parameters to use.
- B. Auto-adjust the MTU setting.
- C. Autoconfigure addresses and prefixes.
- D. Determine other nodes' reachability.
Question 83
Question
Which statements are correct regarding an IPv6 over IPv4 IPsec configuration? (Choose two.)
Answer
- A. The source quick mode selector must be an IPv4 address.
- B. The destination quick mode selector must be an IPv6 address.
- C. The Local Gateway IP must be an IPv4 address.
- D. The remote gateway IP must be an IPv6 address.
Question 84
Question
Which is one of the conditions that must be met for offloading the encryption and decryption of IPsec traffic to an NP6 processor?
Answer
- A. No protection profile can be applied over the IPsec traffic.
- B. Phase-2 anti-replay must be disabled.
- C. Both phase 1 and phase 2 must use encryption algorithms supported by the NP6.
- D. IPsec traffic must not be inspected by any FortiGate session helper.
Question 85
Question
Two FortiGate units with NP6 processors form an active-active cluster. The cluster is doing security profile (UTM) inspection over all the user traffic. Which statements are true regarding the sessions that the master unit is offloading to the slave unit for inspection? (Choose two.)
Answer
- A. They are accelerated by hardware in the master unit.
- B. They are not accelerated by hardware in the master unit.
- C. They are accelerated by hardware in the slave unit.
- D. They are not accelerated by hardware in the slave unit.
Question 86
Question
Which statements are true about offloading antivirus inspection to a Security Processor (SP)? (Choose two.)
Answer
- A. Both proxy-based and flow-based inspection are supported.
- B. A replacement message cannot be presented to users when a virus has been detected.
- C. It saves CPU resources.
- D. The ingress and egress interfaces can be in different SPs.
Question 87
Question
Which IP packets can be hardware-accelerated by an NP6 processor? (Choose two.)
Answer
- A. Fragmented packet.
- B. Multicast packet.
- C. SCTP packet.
- D. GRE packet.
Question 88
Question
Which network protocols are supported for administrative access to a FortiGate unit? (Choose three.)
Answer
- A. SNMP
- B. WINS
- C. HTTP
- D. Telnet
- E. SSH
Question 89
Question
What capabilities can a FortiGate provide? (Choose three.)
Answer
- A. Mail relay.
- B. Email filtering.
- C. Firewall.
- D. VPN gateway.
- E. Mail server.
Question 90
Question
What methods can be used to access the FortiGate CLI? (Choose two.)
Question 91
Question
When creating FortiGate administrative users, which configuration objects specify the account rights?
Question 92
Question
What is the FortiGate password recovery process?
Answer
- A. Interrupt the boot sequence, modify the boot registry and reboot. After changing the password, reset the boot registry.
- B. Log in through the console port using the “maintainer” account within several seconds of physically power cycling the FortiGate.
- C. Hold down the CTRL + Esc (Escape) keys during reboot, then reset the admin password.
- D. Interrupt the boot sequence and restore a configuration file for which the password has been modified.
Question 93
Question
Which statements are true regarding the factory default configuration? (Choose three.)
Answer
- A. The default web filtering profile is applied to the first firewall policy.
- B. The ‘Port1’ or ‘Internal’ interface has the IP address 192.168.1.99.
- C. The implicit firewall policy action is ACCEPT.
- D. The ‘Port1’ or ‘Internal’ interface has a DHCP server set up and enabled (on device models that support DHCP servers).
- E. Default login uses the username: admin (all lowercase) and no password.
Question 94
Question
What are valid options for handling DNS requests sent directly to a FortiGate's interface IP? (Choose three.)
Answer
- A. Conditional-forward.
- B. Forward-only.
- C. Non-recursive.
- D. Iterative.
- E. Recursive.
Question 95
Question
What logging options are supported on a FortiGate unit? (Choose two.)
Answer
- A. LDAP
- B. Syslog
- C. FortiAnalyzer
- D. SNMP
Question 96
Question
Regarding the header and body sections in raw log messages, which statement is correct?
Answer
- A. The header and body section layouts change depending on the log type.
- B. The header section layout is always the same regardless of the log type. The body section layout changes depending on the log type.
- C. Some log types include multiple body sections.
- D. Some log types do not include a body section.
Question 97
Question
Which is an advantage of using SNMP v3 instead of SNMP v1/v2 when querying a FortiGate unit?
Answer
- A. MIB-based report uploads.
- B. SNMP access limited by access lists.
- C. Packet encryption.
- D. Running SNMP service on a non-standard port is possible.
Question 98
Question
What is the maximum number of FortiAnalyzer/FortiManager devices a FortiGate unit can be configured to send logs to?
Question 99
Question
For traffic that does not match any configured firewall policy, what is the default action taken by the FortiGate?
Answer
- A. The traffic is allowed and no log is generated.
- B. The traffic is allowed and logged.
- C. The traffic is blocked and no log is generated.
- D. The traffic is blocked and logged.
Question 100
Question
In which order are firewall policies processed on a FortiGate unit?
Answer
- A. From top to bottom, according to their sequence number.
- B. From top to bottom, according to their policy ID number.
- C. Based on best match.
- D. Based on the priority value.
Question 101
Question
Which firewall objects can be included in the Destination Address field of a firewall policy? (Choose three.)
Answer
- A. IP address pool.
- B. Virtual IP address.
- C. IP address.
- D. IP address group.
- E. MAC address.
Question 102
Question
The order of the firewall policies is important. Policies can be re-ordered from either the GUI or the CLI. Which CLI command is used to perform this function?
Answer
- A. set order
- B. edit policy
- C. reorder
- D. move
Question 103
Question
Which header field can be used in a firewall policy for traffic matching?
Answer
- A. ICMP type and code.
- B. DSCP.
- C. TCP window size.
- D. TCP sequence number.
Question 104
Question
Examine the following CLI configuration:
config system session-ttl
    set default 1800
end
What statement is true about the effect of the above configuration line?
Answer
- A. Sessions can be idle for no more than 1800 seconds.
- B. The maximum length of time a session can be open is 1800 seconds.
- C. After 1800 seconds, the end user must re-authenticate.
- D. After a session has been open for 1800 seconds, the FortiGate sends a keepalive packet to both client and server.
Question 105
Question
Which statement regarding the firewall policy authentication timeout is true?
Answer
- A. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source IP.
- B. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this timer has expired.
- C. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source MAC.
- D. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this timer has expired.
Question 106
Question
What methods can be used to deliver the token code to a user that is configured to use two-factor authentication? (Choose three.)
Question 107
Question
Which statements are true regarding local user authentication? (Choose two.)
Answer
- A. Two-factor authentication can be enabled on a per user basis.
- B. Local users are for administration accounts only and cannot be used to authenticate network users.
- C. Administrators can create the user accounts on a remote server and store the user passwords locally in the FortiGate.
- D. Both the usernames and passwords can be stored locally on the FortiGate.
Question 108
Question
Which two statements are true regarding firewall policy disclaimers? (Choose two.)
Answer
- A. They cannot be used in combination with user authentication.
- B. They can only be applied to wireless interfaces.
- C. Users must accept the disclaimer to continue.
- D. The disclaimer page is customizable.
Question 109
Question
When firewall policy authentication is enabled, which protocols can trigger an authentication challenge? (Choose two.)
Answer
- A. SMTP
- B. POP3
- C. HTTP
- D. FTP
Question 110
Question
The FortiGate port1 is connected to the Internet. The FortiGate port2 is connected to the internal network. Examine the firewall configuration shown in the exhibit; then answer the question below.
Answer
- A. A user that has not authenticated can access the Internet using any protocol that does not trigger an authentication challenge.
- B. A user that has not authenticated can access the Internet using any protocol except HTTP, HTTPS, Telnet, and FTP.
- C. A user must authenticate using the HTTP, HTTPS, SSH, FTP, or Telnet protocol before they can access all Internet services.
- D. DNS Internet access is always allowed, even for users that have not authenticated.