Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two.) There are five devices that are part of the security fabric. There are 19 security recommendations for the security fabric. Device detection is disabled on all FortiGate devices. This security fabric topology is a logical topology view.
A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work? Dialup User Static IP Address Pre-shared Key Dynamic DNS.
An administrator wants to configure Dead Peer Detection (DPD) on IPSEC VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel.
Which DPD mode on FortiGate will meet the above requirement? On Demand Disabled On Idle Enabled.
Which three statements about a flow-based antivirus profile are correct? (Choose three.) IPS engine handles the process as a standalone Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection. If the virus is detected, the last packet is delivered to the client. Optimized performance compared to proxy-based inspection. FortiGate buffers the whole file but transmits to the client simultaneously.
An administrator has configured a strict RPF check on FortiGate.
Which statement is true about the strict RPF check? The strict RPF check is run on the first sent and reply packet of any new session. Strict RPF checks the best route back to the source using the incoming interface. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface. Strict RPF allows packets back to sources with all active routes.
Review the Intrusion Prevention System (IPS) profile signature settings.
Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile? Traffic matching the signature will be silently dropped and logged. The signature setting uses a custom rating threshold. The signature setting includes a group of other signatures. Traffic matching the signature will be allowed and logged.
The exhibit shows the IPS sensor configuration.
If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.) The sensor will block all attacks aimed at Windows servers. The sensor will gather a packet log for all matched traffic. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature. The sensor will reset all connections that match these signatures.
Which two attributes are required on a certificate so it can be used as a CA certificate on SSL Inspection? (Choose two.) The CA extension must be set to TRUE. The issuer must be a public CA. The common name on the subject field must use a wildcard name. The keyUsage extension must be set to keyCertSign.
A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded.
What is the reason for the failed virus detection by FortiGate? Antivirus definitions are not up to date. SSL/SSH Inspection profile is incorrect. Antivirus profile configuration is incorrect. Application control is not enabled.
Which two protocols are used to enable administrator access of a FortiGate device? (Choose two.) FortiTelemetry HTTPS SSH FTM.
|
