NSE4

Description

Quiz on NSE4, created by Rob M on 07/02/2017.
Rob M
Quiz by Rob M, updated more than 1 year ago
Rob M
Created by Rob M almost 8 years ago
236
1

Resource summary

Question 1

Question
Regarding tunnel-mode SSL VPN, which three statements are correct? (Choose three.)
Answer
  • A. Split tunneling is supported.
  • B. It requires the installation of a VPN client.
  • C. It requires the use of an Internet browser.
  • D. It does not support traffic from third-party network applications.
  • E. An SSL VPN IP address is dynamically assigned to the client by the FortiGate unit.

Question 2

Question
Which two statements are true about IPsec VPNs and SSL VPNs? (Choose two.)
Answer
  • A. SSL VPN creates a HTTPS connection. IPsec does not.
  • B. Both SSL VPNs and IPsec VPNs are standard protocols.
  • C. Either a SSL VPN or an IPsec VPN can be established between two FortiGate devices.
  • D. Either a SSL VPN or an IPsec VPN can be established between an end-user workstation and a FortiGate device.

Question 3

Question
A user logs into a SSL VPN portal and activates the tunnel mode. The administrator has enabled split tunneling. The exhibit shows the firewall policy configuration: Which static route is automatically added to the client’s routing table when the tunnel mode is activated?
Answer
  • A. A route to a destination subnet matching the Internal_Servers address object.
  • B. A route to the destination subnet configured in the tunnel mode widget.
  • C. A default route.
  • D. A route to the destination subnet configured in the SSL VPN global settings.

Question 4

Question
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?
Answer
  • A. The remote user's virtual IP address.
  • B. The FortiGate unit's internal IP address.
  • C. The remote user's public IP address.
  • D. The FortiGate unit's external IP address.

Question 5

Question
Regarding the use of web-only mode SSL VPN, which statement is correct?
Answer
  • A. It supports SSL version 3 only.
  • B. It requires a Fortinet-supplied plug-in on the web client.
  • C. It requires the user to have a web browser that supports 64-bit cipher length.
  • D. The JAVA run-time environment must be installed on the client.

Question 6

Question
An administrator wants to create an IPsec VPN tunnel between two FortiGate devices. Which three configuration steps must be performed on both units to support this scenario? (Choose three.)
Answer
  • A. Create firewall policies to allow and control traffic between the source and destination IP addresses.
  • B. Configure the appropriate user groups to allow users access to the tunnel.
  • C. Set the operating mode to IPsec VPN mode.
  • D. Define the phase 2 parameters.
  • E. Define the Phase 1 parameters.

Question 7

Question
You are the administrator in charge of a FortiGate acting as an IPsec VPN gateway using route-based mode. Users from either side must be able to initiate new sessions. There is only 1 subnet at either end and the FortiGate already has a default route. Which two configuration steps are required to achieve these objectives? (Choose two.)
Answer
  • A. Create one firewall policy.
  • B. Create two firewall policies.
  • C. Add a route to the remote subnet.
  • D. Add two IPsec phases 2.

Question 8

Question
An administrator has configured a route-based site-to-site IPsec VPN. Which statement is correct regarding this IPsec VPN configuration?
Answer
  • A. The IPsec firewall policies must be placed at the top of the list.
  • B. This VPN cannot be used as part of a hub and spoke topology.
  • C. Routes are automatically created based on the quick mode selectors.
  • D. A virtual IPsec interface is automatically created after the Phase 1 configuration is completed.

Question 9

Question
What is IPsec Perfect Forwarding Secrecy (PFS)?.
Answer
  • A. A phase-1 setting that allows the use of symmetric encryption.
  • B. A phase-2 setting that allows the recalculation of a new common secret key each time the session key
  • C. A ‘key-agreement’ protocol.
  • D. A ‘security-association-agreement’ protocol.

Question 10

Question
Which IPsec configuration mode can be used for implementing GRE-over-IPsec VPNs?.
Answer
  • A. Policy-based only.
  • B. Route-based only.
  • C. Either policy-based or route-based VPN.
  • D. GRE-based only.

Question 11

Question
Which antivirus and attack definition update options are supported by FortiGate units? (Choose two.)
Answer
  • A. Manual update by downloading the signatures from the support site.
  • B. Pull updates from the FortiGate.
  • C. Push updates from a FortiAnalyzer.
  • D. execute fortiguard-AV-AS command from the CLI.

Question 12

Question
Which antivirus inspection mode must be used to scan SMTP, FTP, POP3 and SMB protocols?
Answer
  • A. Proxy-based.
  • B. DNS-based.
  • C. Flow-based.
  • D. Man-in-the-middle.

Question 13

Question
Which statements regarding banned words are correct? (Choose two.)
Answer
  • A. Content is automatically blocked if a single instance of a banned word appears.
  • B. The FortiGate updates banned words on a periodic basis.
  • C. The FortiGate can scan web pages and email messages for instances of banned words.
  • D. Banned words can be expressed as simple text, wildcards and regular expressions.

Question 14

Question
Examine the exhibit; then answer the question below. Which statement describes the green status indicators that appear next to the different FortiGuard Distribution Network services as illustrated in the exhibit?
Answer
  • A. They indicate that the FortiGate has the latest updates available from the FortiGuard Distribution Network.
  • B. They indicate that updates are available and should be downloaded from the FortiGuard Distribution Network to the FortiGate unit.
  • C. They indicate that the FortiGate is in the process of downloading updates from the FortiGuard Distribution Network.
  • D. They indicate that the FortiGate is able to connect to the FortiGuard Distribution Network.

Question 15

Question
A FortiGate is configured to receive push updates from the FortiGuard Distribution Network, however, updates are not being received. Which are two reasons for this problem? (Choose two.)
Answer
  • A. The FortiGate is connected to multiple ISPs.
  • B. There is a NAT device between the FortiGate and the FortiGuard Distribution Network.
  • C. The FortiGate is in Transparent mode.
  • D. The external facing interface of the FortiGate is configured to get the IP address from a DHCP server.

Question 16

Question
Which statement is correct regarding virus scanning on a FortiGate unit?
Answer
  • A. Virus scanning is enabled by default.
  • B. Fortinet customer support enables virus scanning remotely for you.
  • C. Virus scanning must be enabled in a security profile, which must be applied to a firewall policy.
  • D. Enabling virus scanning in a security profile enables virus protection for all traffic flowing through the FortiGate.

Question 17

Question
Which statements are true regarding the use of a PAC file to configure the web proxy settings in an Internet browser? (Choose two.)
Answer
  • A. Only one proxy is supported.
  • B. Can be manually imported to the browser.
  • C. The browser can automatically download it from a web server
  • D. Can include a list of destination IP subnets where the browser can connect directly to without using a proxy.

Question 18

Question
Examine the following FortiGate web proxy configuration; then answer the question below: config web-proxy explicit set pac-file-server-status enable set pac-file-server-port 8080 set pac-file-name wpad.dat end Assuming that the FortiGate proxy IP address is 10.10.1.1, which URL must an Internet browser use to download the PAC file?
Answer
  • A. https://10.10.1.1:8080
  • B. https://10.10.1.1:8080/wpad.dat
  • C. http://10.10.1.1:8080/
  • D. http://10.10.1.1:8080/wpad.dat

Question 19

Question
Which two methods are supported by the web proxy auto-discovery protocol (WPAD) to automatically learn the URL where a PAC file is located? (Choose two.)
Answer
  • A. DHCP
  • B. BOOTP
  • C. DNS
  • D. IPv6 autoconfiguration

Question 20

Question
What is a valid reason for using session based authentication instead of IP based authentication in a FortiGate web proxy solution?
Answer
  • A. Users are required to manually enter their credentials each time they connect to a different web site.
  • B. Proxy users are authenticated via FSSO.
  • C. There are multiple users sharing the same IP address.
  • D. Proxy users are authenticated via RADIUS.

Question 21

Question
Which statements are correct regarding URL filtering on a FortiGate unit? (Choose two.)
Answer
  • A. The allowed actions for URL filtering include allow, block, monitor and exempt.
  • B. The allowed actions for URL filtering are Allow and Block only.
  • C. URL filters may be based on patterns using simple text, wildcards and regular expressions.
  • D. URL filters are based on simple text only and require an exact match.

Question 22

Question
Which of the following regular expression patterns make the terms "confidential data" case insensitive?
Answer
  • A. [confidential data]
  • B. /confidential data/i
  • C. i/confidential data/
  • D. "confidential data"

Question 23

Question
Which two web filtering inspection modes inspect the full URL? (Choose two.)
Answer
  • A. DNS-based.
  • B. Proxy-based.
  • C. Flow-based.
  • D. URL-based.

Question 24

Question
Which web filtering inspection mode inspects DNS traffic?
Answer
  • A. DNS-based.
  • B. FQDN-based.
  • C. Flow-based.
  • D. URL-based.

Question 25

Question
How do you configure a FortiGate to apply traffic shaping to P2P traffic, such as BitTorrent?
Answer
  • A. Apply a traffic shaper to a BitTorrent entry in an application control list, which is then applied to a firewall policy.
  • B. Enable the shape option in a firewall policy with service set to BitTorrent.
  • C. Define a DLP rule to match against BitTorrent traffic and include the rule in a DLP sensor with traffic shaping enabled.
  • D. Apply a traffic shaper to a protocol options profile.

Question 26

Question
Which statements are correct regarding application control? (Choose two.)
Answer
  • A. It is based on the IPS engine.
  • B. It is based on the AV engine.
  • C. It can be applied to SSL encrypted traffic.
  • D. Application control cannot be applied to SSL encrypted traffic.

Question 27

Question
Which statements are true regarding traffic shaping that is applied in an application sensor, and associated with a firewall policy? (Choose two.)
Answer
  • A. Shared traffic shaping cannot be used.
  • B. Only traffic matching the application control signature is shaped.
  • C. Can limit the bandwidth usage of heavy traffic applications.
  • D. Per-IP traffic shaping cannot be used.

Question 28

Question
In this scenario, the FortiGate unit in Ottawa has the following routing table: S* 0.0.0.0/0 [10/0] via 172.20.170.254, port2 C 172.20.167.0/24 is directly connected, port1 C 172.20.170.0/24 is directly connected, port2 Sniffer tests show that packets sent from the source IP address 172.20.168.2 to the destination IP address 172.20.169.2 are being dropped by the FortiGate located in Ottawa. Which of the following correctly describes the cause for the dropped packets?
Answer
  • A. The forward policy check.
  • B. The reverse path forwarding check.
  • C. The subnet 172.20.169.0/24 is NOT in the Ottawa FortiGate’s routing table.
  • D. The destination workstation 172.20.169.2 does NOT have the subnet 172.20.168.0/24 in its routing table.

Question 29

Question
Examine the two static routes to the same destination subnet 172.20.168.0/24 as shown below; then answer the question following it. config router static edit 1 set dst 172.20.168.0 255.255.255.0 set distance 20 set priority 10 set device port1 next edit 2 set dst 172.20.168.0 255.255.255.0 set distance 20 set priority 20 set device port2 next end Which of the following statements correctly describes the static routing configuration provided above?
Answer
  • A. The FortiGate evenly shares the traffic to 172.20.168.0/24 through both routes.
  • B. The FortiGate shares the traffic to 172.20.168.0/24 through both routes, but the port2 route will carry approximately twice as much of the traffic.
  • C. The FortiGate sends all the traffic to 172.20.168.0/24 through port1.
  • D. Only the route that is using port1 will show up in the routing table.

Question 30

Question
The Vancouver FortiGate initially had the following information in its routing table: S 172.20.0.0/16 [10/0] via 172.21.1.2, port2 C 172.21.0.0/16 is directly connected, port2 C 172.11.11.0/24 is directly connected, port1 Afterwards, the following static route was added: config router static edit 6 set dst 172.20.1.0 255.255.255.0 set pririoty 0 set device port1 set gateway 172.11.12.1 next end Since this change, the new static route is NOT showing up in the routing table. Given the information provided, which of the following describes the cause of this problem?
Answer
  • A. The subnet 172.20.1.0/24 is overlapped with the subnet of one static route that is already in the routing table (172.20.0.0/16), so, we need to enable allow-subnet-overlap first.
  • B. The 'gateway' IP address is NOT in the same subnet as the IP address of port1.
  • C. The priority is 0, which means that the route will remain inactive.
  • D. The static route configuration is missing the distance setting.

Question 31

Question
Examine the static route configuration shown below; then answer the question following it. config router static edit 1 set dst 172.20.1.0 255.255.255.0 set device port1 set gateway 172.11.12.1 set distance 10 set weight 5 next edit 2 set dst 172.20.1.0 255.255.255.0 set blackhole enable set distance 5 set weight 10 next end Which of the following statements correctly describes the static routing configuration provided? (Choose two.)
Answer
  • A. All traffic to 172.20.1.0/24 is dropped by the FortiGate.
  • B. As long as port1 is up, all traffic to 172.20.1.0/24 is routed by the static route number 1. If the interface port1 is down, the traffic is routed using the blackhole route.
  • C. The FortiGate unit does NOT create a session entry in the session table when the traffic is being routed by the blackhole route.
  • D. The FortiGate unit creates a session entry in the session table when the traffic is being routed by the blackhole route.

Question 32

Question
In the case of TCP traffic, which of the following correctly describes the routing table lookups performed by a FortiGate operating in NAT/Route mode, when searching for a suitable gateway?
Answer
  • A. A lookup is done only when the first packet coming from the client (SYN) arrives.
  • B. A lookup is done when the first packet coming from the client (SYN) arrives, and a second one is performed when the first packet coming from the server (SYN/ACK) arrives.
  • C. Three lookups are done during the TCP 3-way handshake (SYN, SYN/ACK, ACK).
  • D. A lookup is always done each time a packet arrives, from either the server or the client side.

Question 33

Question
A static route is configured for a FortiGate unit from the CLI using the following commands: config router static edit 1 set device "wan1" set distance 20 set gateway 192.168.100.1 next end Which of the following conditions are required for this static default route to be displayed in the FortiGate unit’s routing table? (Choose two.)
Answer
  • A. The administrative status of the wan1 interface is displayed as down.
  • B. The link status of the wan1 interface is displayed as up.
  • C. All other default routes should have a lower distance.
  • D. The wan1 interface address and gateway address are on the same subnet.

Question 34

Question
Review the output of the command get router info routing-table database shown in the exhibit below; then answer the question following it. Which two statements are correct regarding this output? (Choose two.)
Answer
  • A. There will be six routes in the routing table.
  • B. There will be seven routes in the routing table.
  • C. There will be two default routes in the routing table.
  • D. There will be two routes for the 10.0.2.0/24 subnet in the routing table.

Question 35

Question
When does a FortiGate load-share traffic between two static routes to the same destination subnet?
Answer
  • A. When they have the same cost and distance.
  • B. When they have the same distance and the same weight.
  • C. When they have the same distance and different priority.
  • D. When they have the same distance and same priority.

Question 36

Question
A FortiGate is configured with multiple VDOMs. An administrative account on the device has been assigned a Scope value of VDOM:root. Which of the following settings will this administrator be able to configure? (Choose two.)
Answer
  • A. Firewall addresses.
  • B. DHCP servers.
  • C. FortiGuard Distribution Network configuration.
  • D. System hostname.

Question 37

Question
Which statements are correct regarding virtual domains (VDOMs)? (Choose two.)
Answer
  • A. VDOMs divide a single FortiGate unit into two or more virtual units that each have dedicated memory and CPUs.
  • B. A management VDOM handles SNMP, logging, alert email, and FDN-based updates.
  • C. VDOMs share firmware versions, as well as antivirus and IPS databases.
  • D. Different time zones can be configured in each VDOM.

Question 38

Question
A FortiGate unit is configured with three Virtual Domains (VDOMs) as illustrated in the exhibit. Which of the following statements are true if the network administrator wants to route traffic between all the VDOMs? (Choose three.)
Answer
  • A. The administrator can configure inter-VDOM links to avoid using external interfaces and routers.
  • B. As with all FortiGate unit interfaces, firewall policies must be in place for traffic to be allowed to pass through any interface, including inter-VDOM links.
  • C. This configuration requires a router to be positioned between the FortiGate unit and the Internet for proper routing.
  • D. Inter-VDOM routing is automatically provided if all the subnets that need to be routed are locally attached.
  • E. As each VDOM has an independent routing table, routing rules need to be set (for example, static routing, OSPF) in each VDOM to route traffic between VDOMs.

Question 39

Question
A FortiGate is configured with three virtual domains (VDOMs). Which of the following statements is correct regarding multiple VDOMs?
Answer
  • A. The FortiGate must be a model 1000 or above to support multiple VDOMs.
  • B. A license has to be purchased and applied to the FortiGate before VDOM mode could be enabled.
  • C. Changing the operational mode of a VDOM requires a reboot of the FortiGate.
  • D. The FortiGate supports any combination of VDOMs in NAT/Route and transparent modes.

Question 40

Question
A FortiGate administrator with the super_admin profile configures a virtual domain (VDOM) for a new customer. After creating the VDOM, the administrator is unable to reassign the dmz interface to the new VDOM as the option is greyed out in the GUI in the management VDOM. What would be a possible cause for this problem?
Answer
  • A. The administrator does not have the proper permissions to reassign the dmz interface.
  • B. The dmz interface is referenced in the configuration of another VDOM.
  • C. Non-management VDOMs cannot reference physical interfaces.
  • D. The dmz interface is in PPPoE or DHCP mode.

Question 41

Question
A FortiGate is operating in NAT/Route mode and configured with two virtual LAN (VLAN) sub-interfaces added to the same physical interface. Which one of the following statements is correct regarding the VLAN IDs in this scenario?
Answer
  • A. The two VLAN sub-interfaces can have the same VLAN ID only if they have IP addresses in different subnets.
  • B. The two VLAN sub-interfaces must have different VLAN IDs.
  • C. The two VLAN sub-interfaces can have the same VLAN ID only if they belong to different VDOMs.
  • D. The two VLAN sub-interfaces can have the same VLAN ID if they are connected to different L2 IEEE 802.1Q compliant switches.

Question 42

Question
Which statements correctly describe transparent mode operation? (Choose three.)
Answer
  • A. The FortiGate acts as transparent bridge and forwards traffic at Layer-2.
  • B. Ethernet packets are forwarded based on destination MAC addresses, NOT IP addresses.
  • C. The transparent FortiGate is clearly visible to network hosts in an IP trace route.
  • D. Permits inline traffic inspection and firewalling without changing the IP scheme of the network.
  • E. All interfaces of the transparent mode FortiGate device must be on different IP subnets.

Question 43

Question
In transparent mode, forward-domain is an CLI setting associate with ______________.
Answer
  • A. a static route.
  • B. a firewall policy.
  • C. an interface.
  • D. a virtual domain.

Question 44

Question
Which statements are correct for port pairing and forwarding domains? (Choose two.)
Answer
  • A. They both create separate broadcast domains.
  • B. Port Pairing works only for physical interfaces.
  • C. Forwarding Domain only applies to virtual interfaces.
  • D. They may contain physical and/or virtual interfaces.

Question 45

Question
Examine the following spanning tree configuration on a FortiGate in transparent mode: config system interface edit <interface name> set stp-forward enable end Which statement is correct for the above configuration?
Answer
  • A. The FortiGate participates in spanning tree.
  • B. The FortiGate device forwards received spanning tree messages.
  • C. Ethernet layer-2 loops are likely to occur
  • D. The FortiGate generates spanning tree BPDU frames.

Question 46

Question
An administrator has formed a high availability cluster involving two FortiGate units. [ Multiple upstream Layer 2 switches] -- [ FortiGate HA Cluster ] -- [ Multiple downstream Layer 2 switches ] The administrator wishes to ensure that a single link failure will have minimal impact upon the overall throughput of traffic through this cluster. Which of the following options describes the best step the administrator can take? The administrator should _____________________.
Answer
  • A. Increase the number of FortiGate units in the cluster and configure HA in active-active mode.
  • B. Enable monitoring of all active interfaces.
  • C. Set up a full-mesh design which uses redundant interfaces.
  • D. Configure the HA ping server feature to allow for HA failover in the event that a path is disrupted.

Question 47

Question
Which of the following sequences describes the correct order of criteria used for the selection of a master unit within a FortiGate high availability (HA) cluster when override is disabled?
Answer
  • A. 1. port monitor, 2. unit priority, 3. up time, 4. serial number.
  • B. 1. port monitor, 2. up time, 3. unit priority, 4. serial number.
  • C. 1. unit priority, 2. up time, 3. port monitor, 4. serial number.
  • D. 1. up time, 2. unit priority, 3. port monitor, 4. serial number.

Question 48

Question
In a high availability cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a slave unit?
Answer
  • A. Request: internal host; slave FortiGate; master FortiGate; Internet; web server.
  • B. Request: internal host; slave FortiGate; Internet; web server.
  • C. Request: internal host; slave FortiGate; master FortiGate; Internet; web server.
  • D. Request: internal host; master FortiGate; slave FortiGate; Internet; web server.

Question 49

Question
Two devices are in an HA cluster, the device hostnames are STUDENT and REMOTE. Exhibit A shows the command output of diagnose sys session stat for the STUDENT device. Exhibit B shows the command output of diagnose sys session stat for the REMOTE device. Given the information provided in the exhibits, which of the following statements are correct? (Choose two.)
Answer
  • A. STUDENT is likely to be the master device.
  • B. Session-pickup is likely to be enabled.
  • C. The cluster mode is active-passive.
  • D. There is not enough information to determine the cluster mode.

Question 50

Question
Which of the following statements are correct about the HA command diagnose sys ha reset-uptime? (Choose two.)
Answer
  • A. The device this command is executed on is likely to switch from master to slave status if override is disabled.
  • B. The device this command is executed on is likely to switch from master to slave status if override is enabled.
  • C. This command has no impact on the HA algorithm.
  • D. This command resets the uptime variable used in the HA algorithm so it may cause a new master to become elected.

Question 51

Question
In HA, the option Reserve Management Port for Cluster Member is selected as shown in the exhibit below. Which statements are correct regarding this setting? (Choose two.)
Answer
  • A. Interface settings on port7 will not be synchronized with other cluster members.
  • B. The IP address assigned to this interface must not overlap with the IP address subnet assigned to another interface.
  • C. When connecting to port7 you always connect to the master device.
  • D. A gateway address may be configured for port7.

Question 52

Question
The exhibit shows the Disconnect Cluster Member command in a FortiGate unit that is part of a HA cluster with two HA members. What is the effect of the Disconnect Cluster Member command as given in the exhibit. (Choose two.)
Answer
  • A. Port3 is configured with an IP address for management access.
  • B. The firewall rules are purged on the disconnected unit.
  • C. The HA mode changes to standalone.
  • D. The system hostname is set to the unit serial number.

Question 53

Question
Two FortiGate devices fail to form an HA cluster, the device hostnames are STUDENT and REMOTE. Exhibit A shows the command output of show system ha for the STUDENT device. Exhibit B shows the command output of show system ha for the REMOTE device. Which one of the following is the most likely reason that the cluster fails to form?
Answer
  • A. Password
  • B. HA mode
  • C. Hearbeat
  • D. Override

Question 54

Question
What are the requirements for a HA cluster to maintain TCP connections after device or link failover? (Choose two.)
Answer
  • A. Enable session pick-up.
  • B. Enable override.
  • C. Connections must be UDP or ICMP.
  • D. Connections must not be handled by a proxy.

Question 55

Question
Which IPsec mode includes the peer id information in the first packet?
Answer
  • A. Main mode.
  • B. Quick mode.
  • C. Aggressive mode.
  • D. IKEv2 mode.

Question 56

Question
Which statement is an advantage of using a hub and spoke IPsec VPN configuration instead of a fullymeshed set of IPsec tunnels?
Answer
  • A. Using a hub and spoke topology provides full redundancy.
  • B. Using a hub and spoke topology requires fewer tunnels.
  • C. Using a hub and spoke topology uses stronger encryption protocols.
  • D. Using a hub and spoke topology requires more routes.

Question 57

Question
Which statements are correct properties of a partial mesh VPN deployment. (Choose two
Answer
  • A. VPN tunnels interconnect between every single location.
  • B. VPN tunnels are not configured between every single location.
  • C. Some locations are reached via a hub location.
  • D. There are no hub locations in a partial mesh.

Question 58

Question
Review the IPsec phase 1 configuration in the exhibit; then answer the question below. Which statements are correct regarding this configuration? (Choose two.)
Answer
  • A. The remote gateway address on 10.200.3.1.
  • B. The local IPsec interface address is 10.200.3.1.
  • C. The local gateway IP is the address assigned to port1.
  • D. The local gateway IP address is 10.200.3.1.

Question 59

Question
Review the IPsec phase 2 configuration shown in the exhibit; then answer the question below. Which statements are correct regarding this configuration? (Choose two.).
Answer
  • A. The Phase 2 will re-key even if there is no traffic.
  • B. There will be a DH exchange for each re-key.
  • C. The sequence number of ESP packets received from the peer will not be checked.
  • D. Quick mode selectors will default to those used in the firewall policy.

Question 60

Question
Review the static route configuration for IPsec shown in the exhibit; then answer the question below. Which statements are correct regarding this configuration? (Choose two.)
Answer
  • A. Interface remote is an IPsec interface.
  • B. A gateway address is not required because the interface is a point-to-point connection.
  • C. A gateway address is not required because the default route is used.
  • D. Interface remote is a zone.

Question 61

Question
Review the IKE debug output for IPsec shown in the exhibit below. Which statements is correct regarding this output?
Answer
  • A. The output is a phase 1 negotiation.
  • B. The output is a phase 2 negotiation.
  • C. The output captures the dead peer detection messages.
  • D. The output captures the dead gateway detection packets.

Question 62

Question
Review the IPsec diagnostics output of the command diagnose vpn tunnel list shown in the exhibit. Which statements is correct regarding this output? (Select one answer).
Answer
  • A. One tunnel is rekeying.
  • B. Two tunnels are rekeying.
  • C. Two tunnels are up.
  • D. One tunnel is up.

Question 63

Question
Review the configuration for FortiClient IPsec shown in the exhibit. Which statement is correct regarding this configuration?
Answer
  • A. The connecting VPN client will install a route to a destination corresponding to the student_internal address object.
  • B. The connecting VPN client will install a default route.
  • C. The connecting VPN client will install a route to the 172.20.1.[1-5] address range.
  • D. The connecting VPN client will connect in web portal mode and no route will be installed.

Question 64

Question
Review the IPsec diagnostics output of the command diagnose vpn tunnel list shown in the exhibit below. Which statements are correct regarding this output? (Choose two.)
Answer
  • A. The connecting client has been allocated address 172.20.1.1.
  • B. In the Phase 1 settings, dead peer detection is enabled.
  • C. The tunnel is idle.
  • D. The connecting client has been allocated address 10.200.3.1.

Question 65

Question
Examine the following log message for IPS: 2012-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root severity="critical" src="192.168.3.168" dst="192.168.3.170" src_int="port2" serial=0 status="detected" proto=1 service="icmp" count=1 attack_name="icmp_flood" icmp_id="0xa8a4" icmp_type="0x08" icmp_code="0x00" attack_id=16777316 sensor="1" ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_flood, 51 > threshold 50" Which statement is correct about the above log? (Choose two.)
Answer
  • A. The target is 192.168.3.168.
  • B. The target is 192.168.3.170.
  • C. The attack was NOT blocked.
  • D. The attack was blocked.

Question 66

Question
Which statement correctly describes the output of the command diagnose ips anomaly list?
Answer
  • A. Lists the configured DoS policy.
  • B. List the real-time counters for the configured DoS policy.
  • C. Lists the errors captured when compiling the DoS policy.
  • D. Lists the IPS signature matches.

Question 67

Question
Review the IPS sensor filter configuration shown in the exhibit Based on the information in the exhibit, which statements are correct regarding the filter? (Choose two.)
Answer
  • A. It does not log attacks targeting Linux servers.
  • B. It matches all traffic to Linux servers.
  • C. Its action will block traffic matching these signatures.
  • D. It only takes effect when the sensor is applied to a policy.

Question 68

Question
With FSSO, a domain user could authenticate either against the domain controller running the collector agent and domain controller agent, or a domain controller running only the domain controller agent. If you attempt to authenticate with a domain controller running only the domain controller agent, which statements are correct? (Choose two.)
Answer
  • A. The login event is sent to the collector agent.
  • B. The FortiGate receives the user information directly from the receiving domain controller agent of the secondary domain controller.
  • C. The domain collector agent may perform a DNS lookup for the authenticated client's IP address.
  • D. The user cannot be authenticated with the FortiGate in this manner because each domain controller agent requires a dedicated collector agent.

Question 69

Question
Which statement describes what the CLI command diagnose debug authd fsso list is used for?
Answer
  • A. Monitors communications between the FSSO collector agent and FortiGate unit.
  • B. Displays which users are currently logged on using FSSO.
  • C. Displays a listing of all connected FSSO collector agents.
  • D. Lists all DC Agents installed on all domain controllers.

Question 70

Question
FSSO provides a single sign on solution to authenticate users transparently to a FortiGate unit using credentials stored in Windows active directory. Which of the following statements are correct regarding FSSO in a Windows domain environment when agent mode is used? (Choose two.)
Answer
  • A. An FSSO collector agent must be installed on every domain controller.
  • B. An FSSO domain controller agent must be installed on every domain controller.
  • C. The FSSO domain controller agent will regularly update user logon information on the FortiGate unit.
  • D. The FSSO collector agent will receive user logon information from the domain controller agent and will send it to the FortiGate unit.

Question 71

Question
Which are two requirements for DC-agent mode FSSO to work properly in a Windows AD environment? [Choose two.]
Answer
  • A. DNS server must properly resolve all workstation names.
  • B. The remote registry service must be running in all workstations.
  • C. The collector agent must be installed in one of the Windows domain controllers.
  • D. A same user cannot be logged in into two different workstations at the same time.

Question 72

Question
Which statement is one disadvantage of using FSSO NetAPI polling mode over FSSO Security Event Log (WinSecLog) polling mode?
Answer
  • A. It requires a DC agent installed in some of the Windows DC.
  • B. It runs slower.
  • C. It might miss some logon events.
  • D. It requires access to a DNS server for workstation name resolution.

Question 73

Question
Bob wants to send Alice a file that is encrypted using public key cryptography. Which of the following statements is correct regarding the use of public key cryptography in this scenario?
Answer
  • A. Bob will use his private key to encrypt the file and Alice will use her private key to decrypt the file.
  • B. Bob will use his public key to encrypt the file and Alice will use Bob's private key to decrypt the file.
  • C. Bob will use Alice's public key to encrypt the file and Alice will use her private key to decrypt the file.
  • D. Bob will use his public key to encrypt the file and Alice will use her private key to decrypt the file.

Question 74

Question
Which tasks fall under the responsibility of the SSL proxy in a typical HTTPS connection? (Choose two.)
Answer
  • A. The web client SSL handshake.
  • B. The web server SSL handshake.
  • C. File buffering.
  • D. Communication with the URL filter process.

Question 75

Question
When the SSL proxy is NOT doing man-in-the-middle interception of SSL traffic, which certificate field can be used to determine the rating of a website?
Answer
  • A. Organizational Unit.
  • B. Common Name.
  • C. Serial Number.
  • D. Validity.

Question 76

Question
Data leak prevention archiving gives the ability to store files and message data onto a FortiAnalyzer unit for which of the following types of network traffic? (Choose three.)
Answer
  • A. POP3
  • B. SNMP
  • C. IPsec
  • D. SMTP
  • E. HTTP

Question 77

Question
For data leak prevention, which statement describes the difference between the block and quarantine actions?
Answer
  • A. A block action prevents the transaction. A quarantine action blocks all future transactions, regardless of the protocol.
  • B. A block action prevents the transaction. A quarantine action archives the data.
  • C. A block action has a finite duration. A quarantine action must be removed by an administrator.
  • D. A block action is used for known users. A quarantine action is used for unknown users.

Question 78

Question
In which process states is it impossible to interrupt/kill a process? (Choose two.)
Answer
  • A. S – Sleep
  • B. R – Running
  • C. D – Uninterruptable Sleep
  • D. Z – Zombie

Question 79

Question
Examine at the output below from the diagnose sys top command: # diagnose sys top 1 Run Time: 11 days, 3 hours and 29 minutes 0U, 0N, 1S, 99I; 971T, 528F, 160KF sshd 123 S 1.9 1.2 ipsengine 61 S < 0.0 5.2 miglogd 45 S 0.0 4.9 pyfcgid 75 S 0.0 4.5 pyfcgid 73 S 0.0 3.9 Which statements are true regarding the output above? (Choose two.)
Answer
  • A. The sshd process is the one consuming most CPU.
  • B. The sshd process is using 123 pages of memory.
  • C. The command diagnose sys kill miglogd will restart the miglogd process.
  • D. All the processes listed are in sleeping state.

Question 80

Question
Examine the following output from the diagnose sys session list command: session info: proto=6 proto_state=65 duration=3 expire=9 timeout=3600 flags=00000000 sockflag=00000000 sockport=443 av_idx=9 use=5 origin-shaper=guarantee-100kbps prio=2 guarantee 12800Bps max 134217728Bps traffic 13895Bps reply-shaper=guarantee-100kbps prio=2 guarantee 12800Bps max 134217728Bps traffic 13895Bps state=redir local may_dirty ndr npu nlb os rs statistic(bytes/packets/allow_err): org=864/8/1 reply=2384/7/1 tuples=3 orgin->sink: org pre->post, reply pre->post dev=7->6/6->7 gwy=172.17.87.3/10.1.10.1 hook=post dir=org act=snat 192.168.1.110:57999->74.201.86.29:443(172.17.87.16:57999) hook=pre dir=reply act=dnat 74.201.86.29:443->172.17.87.16:57999(192.168.1.110:57999) hook=post dir=reply act=noop 74.201.86.29:443->192.168.1.110:57999(0.0.0.0:0) misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0 npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0/0 Which statements are true regarding the session above? (Choose two.)
Answer
  • A. Session Time-To-Live (TTL) was configured to 9 seconds.
  • B. FortiGate is doing NAT of both the source and destination IP addresses on all packets coming from the 192.168.1.110 address.
  • C. The IP address 192.168.1.110 is being translated to 172.17.87.16.
  • D. The FortiGate is not translating the TCP port numbers of the packets in this session.

Question 81

Question
Which statements are true regarding IPv6 anycast addresses? (Choose two.)
Answer
  • A. Multiple interfaces can share the same anycast address.
  • B. They are allocated from the multicast address space.
  • C. Different nodes cannot share the same anycast address.
  • D. An anycast packet is routed to the nearest interface.

Question 82

Question
What functions can the IPv6 Neighbor Discovery protocol accomplish? (Choose two.)
Answer
  • A. Negotiate the encryption parameters to use.
  • B. Auto-adjust the MTU setting.
  • C. Autoconfigure addresses and prefixes.
  • D. Determine other nodes reachability.

Question 83

Question
Which statements are correct regarding an IPv6 over IPv4 IPsec configuration? (Choose two.)
Answer
  • A. The source quick mode selector must be an IPv4 address.
  • B. The destination quick mode selector must be an IPv6 address.
  • C. The Local Gateway IP must be an IPv4 address.
  • D. The remote gateway IP must be an IPv6 address.

Question 84

Question
Which is one of the conditions that must be met for offloading the encryption and decryption of IPsec traffic to an NP6 processor?
Answer
  • A. No protection profile can be applied over the IPsec traffic.
  • B. Phase-2 anti-replay must be disabled.
  • C. Both the phase 1 and phases 2 must use encryption algorithms supported by the NP6.
  • D. IPsec traffic must not be inspected by any FortiGate session helper.

Question 85

Question
Two FortiGate units with NP6 processors form an active-active cluster. The cluster is doing security profile (UTM) inspection over all the user traffic. What statements are true regarding the sessions that the master unit is offloading to the slave unit for inspection? (Choose two.)
Answer
  • A. They are accelerated by hardware in the master unit.
  • B. They are not accelerated by hardware in the master unit.
  • C. They are accelerated by hardware in the slave unit.
  • D. They are not accelerated by hardware in the slave unit.

Question 86

Question
Which statements are true about offloading antivirus inspection to a Security Processor (SP)? (Choose two.)
Answer
  • A. Both proxy-based and flow-based inspection are supported.
  • B. A replacement message cannot be presented to users when a virus has been detected.
  • C. It saves CPU resources.
  • D. The ingress and egress interfaces can be in different SPs.

Question 87

Question
Which IP packets can be hardware-accelerated by a NP6 processor? (Choose two.)
Answer
  • A. Fragmented packet.
  • B. Multicast packet.
  • C. SCTP packet.
  • D. GRE packet.

Question 88

Question
Which network protocols are supported for administrative access to a FortiGate unit? (Choose three.)
Answer
  • A. SNMP
  • B. WINS
  • C. HTTP
  • D. Telnet
  • E. SSH

Question 89

Question
What capabilities can a FortiGate provide? (Choose three.)
Answer
  • A. Mail relay.
  • B. Email filtering.
  • C. Firewall.
  • D. VPN gateway.
  • E. Mail server.

Question 90

Question
What methods can be used to access the FortiGate CLI? (Choose two.)
Answer
  • A. Using SNMP.
  • B. A direct connection to the serial console port.
  • C. Using the CLI console widget in the GUI.
  • D. Using RCP.

Question 91

Question
When creating FortiGate administrative users, which configuration objects specify the account rights?
Answer
  • A. Remote access profiles.
  • B. User groups.
  • C. Administrator profiles.
  • D. Local-in policies.

Question 92

Question
How is the FortiGate password recovery process?
Answer
  • A. Interrupt boot sequence, modify the boot registry and reboot. After changing the password, reset the boot registry.
  • B. Log in through the console port using the “maintainer” account within several seconds of physically power cycling the FortiGate.
  • C. Hold down the CTRL + Esc (Escape) keys during reboot, then reset the admin password.
  • D. Interrupt the boot sequence and restore a configuration file for which the password has been modified.

Question 93

Question
Which statements are true regarding the factory default configuration? (Choose three.)
Answer
  • A. The default web filtering profile is applied to the first firewall policy.
  • B. The ‘Port1’ or ‘Internal’ interface has the IP address 192.168.1.99.
  • C. The implicit firewall policy action is ACCEPT.
  • D. The ‘Port1’ or ‘Internal’ interface has a DHCP server set up and enabled (on device models that support DHCP servers).
  • E. Default login uses the username: admin (all lowercase) and no password.

Question 94

Question
What are valid options for handling DNS requests sent directly to a FortiGates interface IP? (Choose three.)
Answer
  • A. Conditional-forward.
  • B. Forward-only.
  • C. Non-recursive.
  • D. Iterative.
  • E. Recursive.

Question 95

Question
What logging options are supported on a FortiGate unit? (Choose two.)
Answer
  • A. LDAP
  • B. Syslog
  • C. FortiAnalyzer
  • D. SNMP

Question 96

Question
Regarding the header and body sections in raw log messages, which statement is correct?
Answer
  • A. The header and body section layouts change depending on the log type.
  • B. The header section layout is always the same regardless of the log type. The body section layout changes depending on the log type.
  • C. Some log types include multiple body sections.
  • D. Some log types do not include a body section.

Question 97

Question
Which is an advantage of using SNMP v3 instead of SNMP v1/v2 when querying a FortiGate unit?
Answer
  • A. MIB-based report uploads.
  • B. SNMP access limited by access lists.
  • C. Packet encryption.
  • D. Running SNMP service on a non-standard port is possible.

Question 98

Question
What is the maximum number of FortiAnalyzer/FortiManager devices a FortiGate unit can be configured to send logs to?
Answer
  • A. 1
  • B. 2
  • C. 3
  • D. 4

Question 99

Question
For traffic that does match any configured firewall policy, what is the default action taken by the FortiGate?
Answer
  • A. The traffic is allowed and no log is generated.
  • B. The traffic is allowed and logged.
  • C. The traffic is blocked and no log is generated.
  • D. The traffic is blocked and logged.

Question 100

Question
In which order are firewall policies processed on a FortiGate unit?
Answer
  • A. From top to down, according with their sequence number.
  • B. From top to down, according with their policy ID number.
  • C. Based on best match.
  • D. Based on the priority value.

Question 101

Question
Which firewall objects can be included in the Destination Address field of a firewall policy? (Choose three.)
Answer
  • A. IP address pool.
  • B. Virtual IP address.
  • C. IP address.
  • D. IP address group.
  • E. MAC address.

Question 102

Question
The order of the firewall policies is important. Policies can be re-ordered from either the GUI or the CLI. Which CLI command is used to perform this function?
Answer
  • A. set order
  • B. edit policy
  • C. reorder
  • D. move

Question 103

Question
Which header field can be used in a firewall policy for traffic matching?
Answer
  • A. ICMP type and code.
  • B. DSCP.
  • C. TCP window size.
  • D. TCP sequence number.

Question 104

Question
Examine the following CLI configuration: config system session-ttl set default 1800 end What statement is true about the effect of the above configuration line?
Answer
  • A. Sessions can be idle for no more than 1800 seconds.
  • B. The maximum length of time a session can be open is 1800 seconds.
  • C. After 1800 seconds, the end user must re-authenticate.
  • D. After a session has been open for 1800 seconds, the FortiGate sends a keepalive packet to both client and server.

Question 105

Question
Which statement regarding the firewall policy authentication timeout is true?
Answer
  • A. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source IP.
  • B. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this timer has expired.
  • C. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source MAC.
  • D. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this timer has expired.

Question 106

Question
What methods can be used to deliver the token code to a user that is configured to use two-factor authentication? (Choose three.)
Answer
  • A. Browser pop-up window.
  • B. FortiToken.
  • C. Email.
  • D. Code books.
  • E. SMS phone message.

Question 107

Question
Which statements are true regarding local user authentication? (Choose two.)
Answer
  • A. Two-factor authentication can be enabled on a per user basis.
  • B. Local users are for administration accounts only and cannot be used to authenticate network users.
  • C. Administrators can create the user accounts is a remote server and store the user passwords locally in the FortiGate.
  • D. Both the usernames and passwords can be stored locally on the FortiGate

Question 108

Question
Which two statements are true regarding firewall policy disclaimers? (Choose two.)
Answer
  • A. They cannot be used in combination with user authentication.
  • B. They can only be applied to wireless interfaces.
  • C. Users must accept the disclaimer to continue.
  • D. The disclaimer page is customizable.

Question 109

Question
When firewall policy authentication is enabled, which protocols can trigger an authentication challenge? (Choose two.)
Answer
  • A. SMTP
  • B. POP3
  • C. HTTP
  • D. FTP

Question 110

Question
The FortiGate port1 is connected to the Internet. The FortiGate port2 is connected to the internal network. Examine the firewall configuration shown in the exhibit; then answer the question below.
Answer
  • A. A user that has not authenticated can access the Internet using any protocol that does not trigger an authentication challenge.
  • B. A user that has not authenticated can access the Internet using any protocol except HTTP, HTTPS, Telnet, and FTP.
  • C. A user must authenticate using the HTTP, HTTPS, SSH, FTP, or Telnet protocol before they can access all Internet services.
  • D. DNS Internet access is always allowed, even for users that has not authenticated.
Show full summary Hide full summary

Similar

Mapa Mental - Como Criar um Mapa Mental
miminoma
Nouns & Definite Articles Notes
Selam H
FCE Practice Quiz - B2
Christine Sang
Biology AS Level Vocab- OCR- Chapters 1 and 2
Laura Perry
Chemistry C1
Chloe Winn
Geography - Case Studies
jacobhatcher97
Mind Maps with GoConqr
Elysa Din
Teaching students to be digitally literate
Micheal Heffernan
Photosynthesis and Respiration
Jessica Phillips
1PR101 2.test - Část 9.
Nikola Truong
1PR101 2.test - Část 16.
Nikola Truong