Question 1
Question
For FortiGate devices equipped with Network Processor (NP) chips, which are true? (Choose three.)
Answer
-
For each new IP session, the first packet always goes to the CPU.
-
The kernel does not need to program the NPU. When the NPU sees the traffic, it determines by itself whether it can process the traffic.
-
Once offloaded, unless there are errors, the NP forwards all subsequent packets. The CPU does not process them.
-
When the last packet is sent or received, such as a TCP FIN or TCP RST signal, the NP returns this session to the CPU for tear down.
-
Sessions for policies that have a security profile enabled can be NP offloaded.
Question 2
Question
In "diag debug flow" output, you see the message “Allowed by Policy-1: SNAT”. Which is true?
Answer
-
The packet matched the topmost policy in the list of firewall policies.
-
The packet matched the firewall policy whose policy ID is 1.
-
The packet matched a firewall policy which allows the packet and skips UTM checks.
-
The policy allowed the packet and applied session NAT.
Question 3
Question
Which is NOT true about the settings for an IP pool type port block allocation?
Answer
-
A Block Size defines the number of connections.
-
Blocks Per User defines the number of connection blocks for each user.
-
An Internal IP Range defines the IP addresses permitted to use the pool.
-
An External IP Range defines the IP addresses in the pool.
Question 4
Question
If you enable the option "Generate Logs when Session Starts", what effect does this have on the number of traffic log messages generated for each session?
Answer
-
No traffic log message is generated.
-
One traffic log message is generated.
-
Two traffic log messages are generated.
-
A log message is only generated if there is a security event.
Question 5
Question
Which traffic can match a firewall policy's "Services" setting? (Choose three.)
Question 6
Question
Which correctly define "Section View" and "Global View" for firewall policies? (Choose two.)
Answer
-
Section View lists firewall policies primarily by their interface pairs.
-
Section View lists firewall policies primarily by their sequence number.
-
Global View lists firewall policies primarily by their interface pairs.
-
Global View lists firewall policies primarily by their policy sequence number.
-
The 'any' interface may be used with Section View.
Question 7
Question
Which is true of FortiGate's session table?
Answer
-
NAT/PAT is shown in the central NAT table, not the session table.
-
It shows TCP connection states.
-
It shows IP, SSL, and HTTP sessions.
-
It does not show UDP or ICMP connection state codes, because those protocols are connectionless.
Question 8
Question
Which is true about incoming and outgoing interfaces in firewall policies?
Answer
-
A physical interface may not be used.
-
A zone may not be used.
-
Multiple interfaces may not be used for both incoming and outgoing.
-
Source and destination interfaces are mandatory.
Question 9
Question
Which is NOT true about source matching with firewall policies?
Answer
-
A source address object must be selected in the firewall policy.
-
A source user/group may be selected in the firewall policy.
-
A source device may be defined in the firewall policy.
-
A source interface must be selected in the firewall policy.
-
A source user/group and device must be specified in the firewall policy.
Question 10
Question
Which define device identification? (Choose two.)
Answer
-
Device identification is enabled by default on all interfaces.
-
Enabling a source device in a firewall policy enables device identification on the source interfaces of that policy.
-
You cannot combine source user and source device in the same firewall policy.
-
FortiClient can be used as an agent based device identification technique.
-
Only agentless device identification techniques are supported.
Question 11
Question
Which are valid replies from a RADIUS server to an ACCESS-REQUEST packet from a FortiGate? (Choose two.)
Answer
-
ACCESS-CHALLENGE
-
ACCESS-RESTRICT
-
ACCESS-PENDING
-
ACCESS-REJECT
Question 12
Question
Which methods can FortiGate use to send a One Time Password (OTP) to Two-Factor Authentication users? (Choose three.)
Question 13
Question
Which best describes the authentication timeout?
Answer
-
How long FortiGate waits for the user to enter his or her credentials.
-
How long a user is allowed to send and receive traffic before he or she must authenticate again.
-
How long an authenticated user can be idle (without sending traffic) before they must authenticate again.
-
How long a user-authenticated session can exist without having to authenticate again.
Question 14
Question
Which authentication methods does FortiGate support for firewall authentication? (Choose two.)
Answer
-
Remote Authentication Dial in User Service (RADIUS)
-
Lightweight Directory Access Protocol (LDAP)
-
Local Password Authentication
-
POP3
-
Remote Password Authentication
Question 15
Question
Which does FortiToken use as input when generating a token code? (Choose two.)
Answer
-
User password
-
Time
-
User name
-
Seed
Question 16
Question
Which authentication scheme is not supported by the RADIUS implementation on FortiGate?
Question 17
Question
What protocol cannot be used with the active authentication type?
Question 18
Question
Which user group types does FortiGate support for firewall authentication? (Choose three.)
Answer
-
RSSO
-
Firewall
-
LDAP
-
NTLM
-
FSSO
Question 19
Question
What is not true of configuring disclaimers on the FortiGate?
Answer
-
Disclaimers can be used in conjunction with captive portal.
-
Disclaimers appear before users authenticate.
-
Disclaimers can be bypassed through security exemption lists.
-
Disclaimers must be accepted in order to continue to the authentication login or originally intended destination.
Question 20
Question
When configuring LDAP on the FortiGate as a remote database for users, what is not a part of the configuration?
Answer
-
The name of the attribute that identifies each user (Common Name Identifier).
-
The user account or group element names (user DN).
-
The server secret to allow for remote queries (Primary server secret).
-
The credentials for an LDAP administrator (password).
Question 21
Question
Which statement best describes what SSL VPN Client Integrity Check does?
Answer
-
Blocks SSL VPN connection attempts from users that has been blacklisted.
-
Detects the Windows client security applications running in the SSL VPN client's PCs
-
Validates the SSL VPN user credential.
-
Verifies which SSL VPN portal must be presented to each SSL VPN user.
-
Verifies that the latest SSL VPN client is installed in the client's PC.
Question 22
Question
Which statement best describes what SSL.root is?
Answer
-
The name of the virtual network adapter required in each user's PC for SSL VPN Tunnel mode.
-
he name of a virtual interface in the root VDOM where all the SSL VPN user traffic comes from
-
A Firewall Address object that contains the IP addresses assigned to SSL VPN users.
-
The virtual interface in the root VDOM that the remote SSL VPN tunnels connect to.
Question 23
Question
Which of the following authentication methods can be used for SSL VPN authentication? (Choose three.)
Answer
-
Remote Password Authentication (RADIUS, LDAP)
-
Two-Factor Authentication
-
Local Password Authentication
-
FSSO
-
RSSO
Question 24
Question
A FortiGate is configured with the 1.1.1.1/24 address on the wan2 interface and HTTPS Administrative Access, using the default tcp port, is enabled for that interface. Given the SSL VPN settings in the exhibit. Which of the following SSL VPN login portal URLs are valid? (Choose two.)
Question 25
Question
Which of the following statements are correct regarding SSL VPN Web-only mode? (Choose two.)
Answer
-
It can only be used to connect to web services.
-
IP traffic is encapsulated over HTTPS.
-
Access to internal network resources is possible from the SSL VPN portal.
-
The standalone FortiClient SSL VPN client CANNOT be used to establish a Web-only SSL VPN.
-
It is not possible to connect to SSH servers through the VPN.
Question 26
Question
Which statement is not correct regarding SSL VPN Tunnel mode?
Answer
-
IP traffic is encapsulated over HTTPS.
-
The standalone FortiClient SSL VPN client can be used to establish a Tunnel mode SSL VPN.
-
A limited amount of IP applications are supported.
-
The FortiGate device will dynamically assign an IP address to the SSL VPN network adapter.
Question 27
Question
Which of the following statements are true about IPsec VPNs? (Choose three.)
Answer
-
IPsec increases overhead and bandwidth.
-
IPsec operates at the layer 2 of the OSI model.
-
End-user's network applications must be properly pre-configured to send traffic across the IPsec VPN.
-
IPsec protects upper layer protocols.
-
IPsec operates at the layer 3 of the OSI model.
Question 28
Question
Which of the following statements is true regarding the differences between route-based and policy-based IPsec VPNs? (Choose two.)
Answer
-
The firewall policies for policy-based are bidirectional. The firewall policies for route-based are unidirectional.
-
In policy-based VPNs the traffic crossing the tunnel must be routed to the virtual IPsec interface. In route-based, it does not.
-
The action for firewall policies for route-based VPNs may be Accept or Deny, for policy-based VPNs it is Encrypt.
-
Policy-based VPN uses an IPsec interface, route-based does not.
Question 29
Question
Which of the following IPsec configuration modes can be used for implementing L2TP-over-IPSec VPNs?
Question 30
Question
Which of the following authentication methods are supported in an IPsec phase 1? (Choose two.)
Question 31
Question
How many packets are interchanged between both IPSec ends during the negotiation of a main-mode phase 1?
Question 32
Question
Which of the following IPsec configuration modes can be used when the FortiGate is running in NAT mode?
Question 33
Question
Which portion of the configuration does an administrator specify the type of IPsec configuration (either policy-based or route-based)?
Answer
-
Under the IPsec VPN global settings.
-
Under the phase 2 settings.
-
Under the phase 1 settings.
-
Under the firewall policy settings.
Question 34
Question
Which of the following IKE modes is the one used during the IPsec phase 2 negotiation
Answer
-
Aggressive mode
-
Quick mode
-
Main mode
-
Fast mode
Question 35
Question
Which of the following options best defines what Diffie-Hellman is?
Answer
-
A symmetric encryption algorithm.
-
A "key-agreement" protocol.
-
A "Security-association-agreement" protocol.
-
An authentication algorithm
Question 36
Question
What action does an IPsec Gateway take with the user traffic routed to an IPsec VPN when it does not match any phase 2 quick mode selector?
Answer
-
Traffic is dropped.
-
Traffic is routed across the default phase 2.
-
Traffic is routed to the next available route in the routing table.
-
Traffic is routed unencrypted to the interface where the IPsec VPN is terminating.
Question 37
Question
An Internet browser is using the WPAD DNS method to discover the PAC file’s URL. The DNS server replies to the browser’s request with the IP address 10.100.1.10. Which URL will the browser use to download the PAC file?
Answer
-
Test
FortiGate I: 07. Explicit Proxy Quiz
Question 1 of 6
An Internet browser is using the WPAD DNS method to discover the PAC file’s URL. The DNS server replies to the browser’s request with the IP address 10.100.1.10. Which URL will the browser use to download the PAC file?
http://10.100.1.10/proxy.pac
https://10.100.1.10/
http://10.100.1.10/wpad.dat
https://10.100.1.10/proxy.pac
-
https://10.100.1.10/
-
http://10.100.1.10/wpad.dat
-
https://10.100.1.10/proxy.pac
Question 38
Question
Which of the following statements is true regarding the TCP SYN packets that go from a client, through an implicit web proxy (transparent proxy), to a web server listening at TCP port 80? (Choose three.)
Answer
-
The source IP address matches the client IP address.
-
The source IP address matches the proxy IP address.
-
The destination IP address matches the proxy IP address.
-
The destination IP address matches the server IP addresses.
-
The destination TCP port number is 80.
Question 39
Question
Review the exhibit of an explicit proxy policy configuration. If there is a proxy connection attempt coming from the IP address 10.0.1.5, and from a user that has not authenticated yet, what action does the FortiGate proxy take?
Answer
-
User is prompted to authenticate. Traffic from the user Student will be allowed by the policy #1. Traffic from any other user will be allowed by the policy #2.
-
User is not prompted to authenticate. The connection is allowed by the proxy policy #2.
-
User is not prompted to authenticate. The connection will be allowed by the proxy policy #1.
-
User is prompted to authenticate. Only traffic from the user Student will be allowed. Traffic from any other user will be blocked.
Question 40
Question
Which protocol can an Internet browser use to download the PAC file with the web proxy configuration?
Question 41
Question
Which of the following are benefits of using web caching? (Choose three.)
Answer
-
Decrease bandwidth utilization
-
Reduce server load
-
Reduce FortiGate CPU usage
-
Reduce FortiGate memory usage
-
Decrease traffic delay
Question 42
Question
Question 6 of 6
Which of the following statements is true regarding the use of a PAC file to configure the web proxy settings in an Internet browser? (Choose two.)
Answer
-
More than one proxy is supported.
-
Can contain a list of destinations that will be exempt from the use of any proxy.
-
Can contain a list of URLs that will be exempted from the FortiGate web filtering inspection.
-
Can contain a list of users that will be exempted from the use of any proxy.
Question 43
Question
What is longest length of time allowed on a FortiGate device for the virus scan to complete?
Answer
-
20 seconds
-
30 seconds
-
45 seconds
-
10 seconds
Question 44
Question
Which type of conserve mode writes a log message immediately, rather than when the device exits conserve mode?
Answer
-
Kernel
-
Proxy
-
System
-
Device
Question 45
Question
Files that are larger than the oversized limit are subjected to which Antivirus check?
Answer
-
Grayware
-
Virus
-
Sandbox
-
Heuristic
Question 46
Question
Files reported to be infected by the "Suspicious" virus were subject to which Antivirus check?
Answer
-
Grayware
-
Virus
-
Sandbox
-
Heuristic
Question 47
Question
Which are the three different types of Conserve Mode that can occur on a FortiGate device? (Choose three.)
Answer
-
Proxy
-
Operating system
-
Kernel
-
System
-
Device
Question 48
Question
A FortiGate device is configure to perform an AV & IPS scheduled update every hour. Given the information in the exhibit, when will the next update happen?
Question 49
Question
What is the maximum number of different virus databases a FortiGate can have?
Question 50
Question
Which of the following are possible actions for static URL filtering? (Choose three.)
Answer
-
Allow
-
Block
-
Exempt
-
Warning
-
Shape
Question 51
Question
Which of the following are possible actions for FortiGuard web category filtering? (Choose three.)
Answer
-
Allow
-
Block
-
Exempt
-
Warning
-
Shape
Question 52
Question
Examine the following log message attributes and select two correct statements from the list below. (Choose two.) hostname=www.youtube.com profiletype="Webfilter_Profile" profile="default" status="passthrough" msg="URL belongs to a category with warnings enabled"
Question 53
Question
Which of the following actions can be used with the FortiGuard quota feature? (Choose three.)
Answer
-
Allow
-
Block
-
Monitor
-
Warning
-
Authenticate
Question 54
Question
Which of the following statements are true regarding the web filtering modes? (Choose two.)
Answer
-
Proxy based mode allows for customizable block pages to display when sites are prevented.
-
Proxy based mode requires more resources than flow-based.
-
Flow based mode offers more settings under the advanced configuration section of the GUI.
-
Proxy based mode offers higher throughput than flow-based mode.
Question 55
Question
Which of the following web filtering modes can inspect the full URL? (Choose two.)
Answer
-
Proxy based
-
DNS based
-
Policy based
-
Flow based
Question 56
Question
The exhibit is a screen shot of an Application Control profile. Different settings are circled and numbered. Select the number identifying the setting which will provide additional information about YouTube access, such as the name of the video watched.
Question 57
Question
Which of the following statements are true regarding application control? (Choose two.)
Answer
-
Application control is based on TCP destination port numbers.
-
Application control is proxy based.
-
Encrypted traffic can be identified by application control.
-
Traffic shaping can be applied to the detected application traffic.
Question 58
Question
Which answer best describes what an "Unknown Application" is?
Answer
-
All traffic that matches the internal signature for unknown applications.
-
Traffic that does not match the RFC pattern for its protocol.
-
Any traffic that does not match an application control signature.
-
A packet that fails the CRC check.
Question 59
Question
What actions are possible with Application Control? (Choose three.)
Answer
-
Warn
-
Allow
-
Block
-
Traffic Shaping
-
Quarantine
Question 60
Question
How do application control signatures update on a FortiGate device?
Answer
-
Through FortiGuard updates.
-
Upgrade the FortiOS firmware to a newer release.
-
By running the Application Control auto-learning feature.
-
Signatures are hard coded to the device and cannot be updated.
Question 61
Question
The exhibit shows two static routes to the same destination subnet 172.20.168.0/24. Which of the following statements correctly describes this static routing configuration? (Choose two.)
Answer
-
Both routes will show up in the routing table.
-
The FortiGate unit will evenly share the traffic to 172.20.168.0/24 between both routes.
-
Only one route will show up in the routing table.
-
The FortiGate will route the traffic to 172.20.168.0/24 only through one route.
Question 62
Question
Which of the following fields contained in the IP/TCP/UDP headers can be used to make a routing decision when using policy-based routing? (Choose three.)
Answer
-
Source IP address
-
TCP flags
-
Source TCP/UDP port
-
Type of service
-
Checksum
Question 63
Question
Which of the following statements are true regarding WAN Link Load Balancing? (Choose two.)
Answer
-
There can be only one virtual WAN Link per VDOM.
-
FortiGate can measure the quality of each link based on latency, jitter, or lost packets percentage.
-
Link health check can be performed over each link member of the virtual WAN interface.
-
Distance and priority values are configured in each link member of the virtual WAN interface.
Question 64
Question
The exhibit shows a FortiGate routing table. Which of the following statements are correct? (Choose two.)
Answer
-
There is only one active default route.
-
The distance value for the route to 192.168.1.0/24 is 200.
-
An IP address in the subnet 172.16.78.0/24 has been assigned to the dmz interface.
-
The FortiGate will route the traffic to 172.17.1.2 to the next hop with the IP address 192.168.11.254.
Question 65
Question
Which of the following statements best describes what a FortiGate does when packets match a black hole route?
Answer
-
Packets are dropped.
-
Packets are routed based on the information in the policy-based routing table.
-
An ICMP error message is sent back to the originator.
-
Packets are routed back to the originator.
Question 66
Question
The exhibit shows three static routes. Which static route(s) will be used to route the packets to the destination IP address 172.20.168.1?
Answer
-
The routes with the ID numbers 2 and 3.
-
Only the route with the ID number 3.
-
Only the route with the ID number 2.
-
Only the route with the ID number 1.
Question 67
Question
What must be configures in order to keep two static routes to the same destination in the routing table?
Question 68
Question
Which action does the FortiGate take when link health monitor times out?
Answer
-
All routes to the destination subnet configured in the link health monitor are removed from the routing table.
-
The distance values of all routes using the interface configured in the link health monitor are increased.
-
The priority values of all routes using the interface configured in the link health monitor are increased.
-
All routes using the next-hop gateway configured in the link health monitor are removed from the routing table.
Question 69
Question
In the debug command output shown in the exhibit, which of the following best describes the MAC address 00:09:0f:69:03:7e?
Answer
-
It is one of the secondary MAC addresses of the port1 interface.
-
It is the primary MAC address of the port1 interface.
-
It is the MAC address of another network device located in the same LAN segment as the FortiGate unit’s port1 interface.
-
It is the HA virtual MAC address.
Question 70
Question
Examine the network topology diagram in the exhibit; the workstation with the IP address 212.10.11.110 sends a TCP SYN packet to the workstation with the IP address 212.10.11.20. Which of the following sentences best describes the result of the reverse path forwarding (RPF) check executed by the FortiGate on the SYN packet? (Choose two.)
Answer
-
Packet is allowed if RPF is configured as loose.
-
Packet is allowed if RPF is configured as strict.
-
Packet is blocked if RPF is configured as loose.
-
Packet is blocked if RPF is configured as strict.
Question 71
Question
A FortiGate device has two VDOMs in NAT/route mode. Which of the following solutions can be implemented by a network administrator to route traffic between the two VDOMs? (Choose two.)
Answer
-
Use the inter-VDOM links automatically created between all VDOMS.
-
Manually create and configure an inter-VDOM link between your two VDOMs.
-
Interconnect and configure an external physical interface in one VDOM to another physical interface in the second VDOM.
-
Configure both VDOMs to share the same routing table.
Question 72
Question
Which of the following settings can be configured per VDOM? (Choose three.)
Question 73
Question
Which of the following statements are correct regarding FortiGate virtual domains (VDOMs)? (Choose two.)
Answer
-
VDOMs divide a single FortiGate unit into two or more independent firewalls.
-
A management VDOM handles SNMP, logging, alert email, and FortiGuard updates.
-
Each VDOM can run different firmware versions.
-
Administrative users with a ‘super_admin’ profile can administrate only one VDOM.
Question 74
Question
Which of the following statements is correct concerning multiple VDOMs configured in a FortiGate device?
Answer
-
FortiGate devices, from the FGT/FWF 60D and above, all support VDOMS.
-
All FortiGate devices scale to 250 VDOMS.
-
Each VDOM requires its own FortiGuard license.
-
FortiGate devices support more NAT/Route VDOMs than Transparent Mode VDOMs.
Question 75
Question
A FortiGate device is configured with two VDOMs. The management VDOM is 'root', and is configured in transparent mode, 'vdom1' is configured as NAT/route mode. Which traffic is generated only by 'root' and not 'vdom1'? (Choose three.)
Answer
-
SNMP traps
-
FortiGuard
-
ARP
-
NTP
-
ICMP redirect
Question 76
Question
A FortiGate unit is operating in NAT/route mode and configured with two VLAN sub-interfaces on the same physical interface. Which of the following statement is correct regarding the VLAN IDs in this scenario?
Answer
-
The two VLAN sub-interfaces can have the same VLAN ID only if they have IP addresses in different subnets.
-
The two VLAN sub-interfaces must have different VLAN IDs.
-
The two VLAN sub-interfaces can have the same VLAN ID only if they belong to different VDOMs.
-
The two VLAN sub-interfaces can have the same VLAN ID if they are connected to different L2 IEEE 802.1Q compliant switches.
Question 77
Question
A FortiGate unit has multiple VDOMs in NAT/route mode with multiple VLAN interfaces in each VDOM. Which of the following statements is correct regarding the IP addresses assigned to each VLAN interface?
Answer
-
Different VLANs can share the same IP address as long as they have different VLAN IDs.
-
Different VLANs can share the same IP address as long as they are in different physical interfaces.
-
Different VLANs can share the same IP address as long as they are in different VDOMs.
-
Different VLANs can never share the same IP addresses.
Question 78
Question
A FortiGate device is configured with four VDOMs: 'root' and 'vdom1' are in NAT/route mode; 'vdom2' and 'vdom3' are in transparent mode. The management VDOM is 'root'. Which of the following statements are true? (Choose two.)
Answer
-
An inter-VDOM link between 'root' and 'vdom1' can be created.
-
An inter-VDOM link between 'vdom1' and 'vdom2' can be created.
-
An inter-VDOM link between 'vdom2 ' and 'vdom3' can be created.
-
Inter-VDOM link links must be manually configured for FortiGuard traffic.
Question 79
Question
Which of the following statements are correct differences between NAT/route and transparent mode? (Choose two.)
Answer
-
In transparent mode, interfaces do not have IP addresses.
-
Firewall policies are only used in NAT/route mode.
-
Static routes are only used in NAT/route mode.
-
Only transparent mode permits inline traffic inspection at layer 2.
Question 80
Question
What is the default criteria for selecting the HA master unit in a HA cluster?
Answer
-
port monitor, priority, uptime, serial number
-
port monitor, uptime, priority, serial number
-
priority, uptime, port monitor, serial number
-
uptime, priority, port monitor, serial number
Question 81
Question
Which of the following statements describes the objective of the gratuitous ARP packets sent by an HA cluster?
Answer
-
To synchronize the ARP tables in all the FortiGate units that are part of the HA cluster.
-
To notify the network switches that a new HA master unit has been elected.
-
To notify the master unit that the slave devices are still up and alive.
-
To notify the master unit about the physical MAC addresses of the slave units.
Question 82
Question
What information is synchronized between two FortiGate units that belong to the same HA cluster? (Choose three.)
Answer
-
IP addresses assigned to DHCP enabled interfaces.
-
The master device's hostname.
-
Routing configuration and state.
-
Reserved HA management interface IP configuration.
-
Firewall policies and objects.
Question 83
Question
What are required to be the same for two FortiGate units to form an HA cluster? (Choose two.)
Answer
-
Firmware
-
Model
-
Hostname
-
System time zone
Question 84
Question
Which statement describes how traffic flows in sessions handled by a slave unit in an active-active HA cluster?
Answer
-
Packets are sent directly to the slave unit using the slave physical MAC address.
-
Packets are sent directly to the slave unit using the HA virtual MAC address.
-
Packets arrive at both units simultaneously, but only the slave unit forwards the session.
-
Packets are first sent to the master unit, which then forwards the packets to the slave unit.
Question 85
Question
Which of the following statements correctly describes the use of the “diagnose sys ha reset-uptime” command?
Answer
-
To force an HA failover when the HA override setting is disabled.
-
To force an HA failover when the HA override setting is enabled.
-
To clear the HA counters.
-
To restart a FortiGate unit that is part of an HA cluster.
Question 86
Question
Which of the following statements are correct regarding a master HA unit? (Choose two.)
Answer
-
There should be only one master unit is each HA virtual cluster.
-
The master synchronizes cluster configuration with slaves.
-
Only the master has a reserved management HA interface.
-
Heartbeat interfaces are not required on a master unit.
Question 87
Question
Which of the following statements are correct concerning the FortiGate session life support protocol? (Choose two.)
Answer
-
By default, UDP sessions are not synchronized.
-
Up to four FortiGate devices in standalone mode are supported.
-
Only the master unit handles the traffic.
-
Allows per-VDOM session synchronization.
Question 88
Question
What configuration objects are automatically added when using the FortiGate's FortiClient VPN Configuration Wizard? (Choose two.)
Answer
-
Static route
-
Phase 1
-
User group
-
Phase 2
Question 89
Question
Which of the following statements are correct concerning IPsec dialup VPN configurations for FortiGate devices? (Choose two.)
Answer
-
Main mode must be used when there is more than one IPsec dialup VPN configure on the same FortiGate device.
-
A FortiGate device with an IPsec VPN configured as dialup can initiate the tunnel connection to any remote IP address.
-
Peer ID must be used when there is more than one aggressive-mode IPsec dialup VPN on the same FortiGate device.
-
The FortiGate will automatically add a static route to the source quick mode selector address received from each remote peer.
Question 90
Question
Which statement is correct concerning an IPsec VPN with the remote gateway setting configured as 'Dynamic DNS'?
Answer
-
The FortiGate will accept IPsec VPN connections from any IP address.
-
The FQDN resolution of the local FortiGate IP address where the VPN is terminated must be provided by a dynamic DNS provider.
-
The FortiGate will accept IPsec VPN connections only from IP addresses included in a dynamic DNS access list.
-
The remote gateway IP address can change dynamically.
Question 91
Question
The exhibit shows a part output of the diagnostic command 'diagnose debug application ike 255', taken during the establishment of a VPN. Which of the following statements are correct concerning this output? (Choose two.)
Answer
-
The quick mode selectors negotiated between both IPsec VPN peers is 0.0.0.0/32 for both the source and destination addresses.
-
The output corresponds to a phase 2 negotiation.
-
NAT-T is enabled and there is a third device in the path performing NAT of the traffic between both IPsec VPN peers.
-
The IP address of the remote IPsec VPN peer is 172.20.187.114.
Question 92
Question
Which of the following combinations of two FortiGate device configurations (side A and side B), can be used to successfully establish an IPsec VPN between them? (Choose two.)
Answer
-
Side A: main mode, remote gateway as static IP address, policy-based VPN. Side B: aggressive Mode, remote Gateway as static IP address, policy-based VPN.
-
Side A: main mode, remote gateway as static IP Address, policy-based VPN. Side B: main mode, remote gateway as static IP address, route-based VPN.
-
Side A: main mode, remote gateway as static IP address, route-based VPN. Side B: main mode, remote gateway as dialup, route-based VPN.
-
Side A: main mode, remote gateway as dialup, policy-based VPN. Side B: main mode, remote gateway as dialup, policy-based VPN.
Question 93
Question
Which of the following statements are correct concerning the IPsec phase 1 and phase 2, shown in the exhibit? (Choose two.)
Answer
-
The quick mode selector in the remote site must also be 0.0.0.0/0 for the source and destination addresses.
-
Only remote peers with the peer ID 'fortinet' will be able to establish a VPN.
-
The FortiGate device will automatically add a static route to the source quick mode selector address received from each remote VPN peer.
-
The configuration will work only to establish FortiClient-to-FortiGate tunnels. A FortiGate-to-FortiGate tunnel requires a different configuration.
Question 94
Question
What is required in a FortiGate configuration to have more than one dialup IPsec VPN using aggressive mode?
Answer
-
All the aggressive mode dialup VPNs MUST accept connections from the same peer ID.
-
Each peer ID MUST match the FQDN of each remote peer.
-
Each aggressive mode dialup MUST accept connections from different peer ID.
-
The peer ID setting must NOT be used.
Question 95
Question
Which of the following protocols are defined in the IPsec Standard? (Choose two.)
Question 96
Question
Which of the following statements are correct concerning IKE mode config? (Choose two.)
Answer
-
It can dynamically assign IP addresses to IPsec VPN clients.
-
It can dynamically assign DNS settings to IPsec VPN clients.
-
It uses the ESP protocol.
-
It can be enabled in the phase 2 configuration.
Question 97
Question
You have configured the DHCP server on a FortiGate's port1 interface (or internal, depending on the model) to offer IPs in a range of 192.168.1.65-192.168.1.253. When the first host sends a DHCP request, what IP will the DHCP offer?
Answer
-
192.168.1.99
-
192.168.1.253
-
192.168.1.65
-
192.168.1.66
Question 98
Question
Which is not a FortiGate feature?
Answer
-
Database auditing
-
Intrusion prevention
-
Web filtering
-
Application control
Question 99
Question
Which UTM feature sends a UDP query to FortiGuard servers each time FortiGate scans a packet (unless the response is locally cached)?
Answer
-
Antivirus
-
VPN
-
IPS
-
Web Filtering
Question 100
Question
You have created a new administrator account, and assign it the prof_admin profile. Which is false about that account's permissions?
Answer
-
It cannot upgrade or downgrade firmware.
-
It can create and assign administrator accounts to parts of its own VDOM.
-
It can reset forgotten passwords for other administrator accounts such as "admin".
-
It has a smaller permissions scope than accounts with the "super_admin" profile.
Question 101
Question
When an administrator attempts to manage FortiGate from an IP address that is not a trusted host, what happens?
Answer
-
FortiGate will still subject that person's traffic to firewall policies; it will not bypass them.
-
FortiGate will drop the packets and not respond.
-
FortiGate responds with a block message, indicating that it will not allow that person to log in.
-
FortiGate responds only if the administrator uses a secure protocol. Otherwise, it does not respond.
Question 102
Question
Acme Web Hosting is replacing one of their firewalls with a FortiGate. It must be able to apply port forwarding to their back-end web servers while blocking virus uploads and TCP SYN floods from attackers. Which operation mode is the best choice for these requirements?
Question 103
Question
if you have lost your password for the "admin" account on your FortiGate, how should you reset it?
Answer
-
Log in with another administrator account that has "super_admin" profile permissions, then reset the password for the "admin" account.
-
Reboot the FortiGate. Via the local console, during the boot loader, use the menu to format the flash disk and reinstall the firmware. Then you can log in with the default password.
-
Power off the FortiGate. After several seconds, restart it. Via the local console, within 30 seconds after booting has completed, log in as "maintainer" and enter the CLI commands to set the password for the "admin" account.
-
Reboot the FortiGate. Via the local console, during the boot loader, use the menu to log in as "maintainer" and enter the CLI commands to set the password for the "admin" account.
Question 104
Question
A backup file begins with this line: #config-version=FGVM64-5.02-FW-build589-140613:opmode=0:vdom=0:user=admin #conf_file_ver=3881503152630288414 #buildno=0589 #global_vdom=1 Can you restore it to a FortiWiFi 60D?
Answer
-
Yes
-
Yes, but only if you replace the "#conf_file_ver" line so that it contains the serial number of that specific FortiWiFi 60D.
-
Yes, but only if it is running the same version of FortiOS, or a newer compatible version.
-
No
Question 105
Question
Which protocols can you use for secure administrative access to a FortiGate? (Choose two)
Question 106
Question
A new version of FortiOS firmware has just been released. When you upload new firmware, which is true?
Answer
-
If you upload the firmware image via the boot loader's menu from a TFTP server, it will not preserve the configuration. But if you upload new firmware via the GUI or CLI, as long as you are following a supported upgrade path, FortiOS will attempt to convert the existing configuration to be valid with any new or changed syntax.
-
No settings are preserved. You must completely reconfigure.
-
No settings are preserved. After the upgrade, you must upload a configuration backup file. FortiOS will ignore any commands that are not valid in the new OS. In those cases, you must reconfigure settings that are not compatible with the new firmware.
-
You must use FortiConverter to convert a backup configuration file into the syntax required by the new FortiOS, then upload it to FortiGate.
Question 107
Question
In a Crash log, what does a status of 0 indicate?
Answer
-
Abnormal termination of a process
-
A process closed for any reason
-
Normal shutdown with no abnormalities
-
DHCP process crashed
Question 108
Question
Which of the following are considered log types? (Choose three.)
Answer
-
Forward log
-
Traffic log
-
Syslog
-
Event log
-
Security log
Question 109
Question
What determines whether a log message is generated or not?
Question 110
Question
Where are most of the security events logged?
Answer
-
Security log
-
Forward Traffic log
-
Event log
-
Alert log
-
Alert Monitoring Console
Question 111
Question
What are the ways FortiGate can monitor logs? (Choose three.)
Answer
-
MIB
-
SMS
-
Alert Emails
-
SNMP
-
FortiAnalyzer
-
Alert Message Console
Question 112
Question
What attributes are always included in a log header? (Choose three.)
Answer
-
policyid
-
level
-
user
-
time
-
subtype
-
duration
Question 113
Question
Examine this log entry. What does the log indicate? (Choose three.) date=2013-12-04 time=09:30:18 logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=http(192.168.1.112) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from http(192.168.1.112)"
Answer
-
In the GUI, the log entry was located under “Log & Report > Event Log > User”.
-
In the GUI, the log entry was located under “Log & Report > Event Log > System”.
-
In the GUI, the log entry was located under “Log & Report > Traffic Log > Local Traffic”.
-
The connection was encrypted
-
The connection was unencrypted.
-
The IP of the FortiGate interface that “admin” connected to was 192.168.1.112.
-
The IP of the computer that “admin” connected from was 192.168.1.112.
Question 114
Question
To which remote device can the FortiGate send logs? (Choose three.)
Answer
-
Syslog
-
FortiAnalyzer
-
Hard drive
-
Memory
-
FortiCloud
Question 115
Question
What log type would indicate whether a VPN is going up or down?
Answer
-
Event log
-
Security log
-
Forward log
-
Syslog
Question 116
Question
There are eight (8) log severity levels that indicate the importance of an event. Not including Debug, which is only needed to log diagnostic data, what are both the lowest AND highest severity levels?
Answer
-
Notification, Emergency
-
Information, Critical
-
Error, Critical
-
Information, Emergency
-
Information, Alert