Test title:
Mi_Test_EFW_7_02

Description:
Practice test

Author:
Me

Creation date:
05/06/2023

Category:
Leisure

Number of questions: 50
Contents:
51. Which two statements about the Security Fabric are true? (Choose two.)
  - Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.
  - Only the root FortiGate sends logs to FortiAnalyzer.
  - Only FortiGate devices with fabric-object-unification set to default will receive and synchronize global CMDB objects sent by the root FortiGate.
  - FortiGate uses FortiTelemetry protocol to communicate with FortiAnalyzer.
52. View the exhibit, which contains the output of a debug command, and then answer the question below. Which one of the following statements about this FortiGate is correct?
  - It is currently in system conserve mode because of high CPU usage.
  - It is currently in extreme conserve mode because of high memory usage.
  - It is currently in proxy conserve mode because of high memory usage.
  - It is currently in memory conserve mode because of high memory usage.
53. Which of the following events can trigger the election of a new primary unit in an HA cluster? (Choose two.)
  - Primary unit stops sending HA heartbeat keepalives.
  - The FortiGuard license for the primary unit is updated.
  - One of the monitored interfaces in the primary unit is disconnected.
  - A secondary unit is removed from the HA cluster.
54. Examine the output of the 'get router info bgp summary' command shown in the exhibit; then answer the question below. Which statements are true regarding the output in the exhibit? (Choose two.)
  - BGP state of the peer 10.125.0.60 is Established.
  - BGP peer 10.200.3.1 has never been down since the BGP counters were cleared.
  - Local BGP peer has not received an OpenConfirm from 10.200.3.1.
  - The local BGP peer has received a total of 3 BGP prefixes.
55. Refer to the exhibit, which contains the output of a BGP debug command. Which statement about the exhibit is true?
  - The local router has received a total of three BGP prefixes from all peers.
  - The local router has not established a TCP session with 100.64.3.1.
  - Since the counters were last reset, the 10.200.3.1 peer has never been down.
  - The local router BGP state is OpenConfirm with the 10.127.0.75 peer.
56. What is the purpose of an internal segmentation firewall (ISFW)?
  - It inspects incoming traffic to protect services in the corporate DMZ.
  - It is the first line of defense at the network perimeter.
  - It splits the network into multiple security segments to minimize the impact of breaches.
  - It is an all-in-one security appliance that is placed at remote sites to extend the enterprise network.
57. Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)
  - Preview pending configuration changes for managed devices.
  - Add devices to FortiManager.
  - Import policy packages from managed devices.
  - Install configuration changes to managed devices.
  - Import interface mappings from managed devices.
58. Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command. Based on the output, which two statements are correct? (Choose two.)
  - The npu_flag for this tunnel is 03.
  - Different SPI values are a result of auto-negotiation being disabled for phase 2 selectors.
  - Anti-replay is enabled.
  - The npu_flag for this tunnel is 02.
59. Which two tasks are automated using the Import Configuration wizard on FortiManager? (Choose two.)
  - Importing firewall address objects from managed devices.
  - Importing interface mappings from managed devices.
  - Importing static and dynamic route configurations from managed devices.
  - Importing devices to FortiManager.
60. An administrator has configured a dial-up IPsec VPN with one phase 2, extended authentication (XAuth) and IKE mode configuration. The administrator has also enabled the IKE real time debug:
    diagnose debug application ike -1
    diagnose debug enable
In which order is each step and phase displayed in the debug output each time a new dial-up user is connecting to the VPN?
  - Phase 1; IKE mode configuration; XAuth; phase 2.
  - Phase 1; XAuth; IKE mode configuration; phase 2.
  - Phase 1; XAuth; phase 2; IKE mode configuration.
  - Phase 1; IKE mode configuration; phase 2; XAuth.
61. An administrator has configured the following CLI script on FortiManager, which failed to apply any changes to the managed device after being executed. Why didn't the script make any changes to the managed device?
  - Commands that start with the # sign are not executed.
  - CLI scripts will add objects only if they are referenced by policies.
  - Incomplete commands are ignored in CLI scripts.
  - Static routes can only be added using TCL scripts.
62. A corporate network allows Internet access to FSSO users only. The FSSO user student does not have Internet access after successfully logging in to the Windows AD network. The output of the 'diagnose debug authd fsso list' command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)
  - The user student must not be listed in the CA's ignore user list.
  - The user student must belong to one or more of the monitored user groups.
  - The student workstation's IP subnet must be listed in the CA's trusted list.
  - At least one of the student's user groups must be allowed by a FortiGate firewall policy.
63. Refer to the exhibit, which shows the output of a web filtering diagnose command. Which configuration change would result in non-zero results in the cache statistics section?
  - set server-type rating under config system central-management
  - set webfilter-cache enable under config system fortiguard
  - set webfilter-force-off disable under config system fortiguard
  - set ngfw-mode policy-based under config system settings
64. Examine the following partial outputs from two routing debug commands; then answer the question below.
    # get router info kernel
    tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.200.1.254 dev=2(port1)
    tab=254 vf=0 scope=0 type=1 proto=11 prio=10 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.200.2.254 dev=3(port2)
    tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/.->10.0.1.0/24 pref=10.0.1.254 gwy=0.0.0.0 dev=4(port3)
    # get router info routing-table all
    s* 0.0.0.0/0 [10/0] via 10.200.1.254, port1
                 [10/0] via 10.200.2.254, port2, [10/0]
    c 10.0.1.0/24 is directly connected, port3
    c 10.200.1.0/24 is directly connected, port1
    c 10.200.2.0/24 is directly connected, port2
Which outbound interface or interfaces will be used by this FortiGate to route web traffic from internal users to the Internet?
  - port1
  - port2
  - Both port1 and port2
  - port3
65. View the exhibit, which contains a partial routing table, and then answer the question below. Assuming all the appropriate firewall policies are configured, which of the following pings will FortiGate route? (Choose two.)
  - Source IP address 10.1.0.24, Destination IP address 10.72.3.20.
  - Source IP address 10.72.3.27, Destination IP address 10.1.0.52.
  - Source IP address 10.72.3.52, Destination IP address 10.1.0.254.
  - Source IP address 10.73.9.10, Destination IP address 10.72.3.15.
66. What events are recorded in the crashlogs of a FortiGate device? (Choose two.)
  - A process crash.
  - Configuration changes.
  - Changes in the status of any of the FortiGuard licenses.
  - System entering to and leaving from the proxy conserve mode.
67. Refer to the exhibit, which contains the output of the diagnose vpn tunnel list. Which command will capture ESP traffic for the VPN named DialUp_0?
  - diagnose sniffer packet any 'esp and host 10.200.3.2'
  - diagnose sniffer packet any 'ip proto 50'
  - diagnose sniffer packet any 'host 10.0.10.10'
  - diagnose sniffer packet any 'port 4500'
68. Examine the IPsec configuration shown in the exhibit; then answer the question below. An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands:
    diagnose vpn ike log-filter src-addr4 10.0.10.1
    diagnose debug application ike -1
    diagnose debug enable
The VPN is currently up, there is no traffic crossing the tunnel and DPD packets are being interchanged between both IPsec gateways. However, the IKE real time debug does NOT show any output. Why isn't there any output?
  - The IKE real time debug shows the phase 1 and 2 negotiations only. It does not show any more output once the tunnel is up.
  - The log-filter setting is set incorrectly. The VPN's traffic does not match this filter.
  - The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.
  - The IKE real time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.
69. Examine the partial output from the IKE real time debug shown in the exhibit; then answer the question below. Why didn't the tunnel come up?
  - IKE mode configuration is not enabled in the remote IPsec gateway.
  - The remote gateway's phase 2 configuration does not match the local gateway's phase 2 configuration.
  - The remote gateway's phase 1 configuration does not match the local gateway's phase 1 configuration.
  - One IPsec gateway is using main mode, while the other IPsec gateway is using aggressive mode.
70. Refer to the exhibit, which shows the output of a debug command. Which two statements about the output are true? (Choose two.)
  - In the network connected to port4, two OSPF routers are down.
  - Based on the network type of port4, OSPF hello packets will be sent to 224.0.0.5.
  - Based on the network type of port4, OSPF hello packets will be sent to 224.0.0.6.
  - There are a total of 5 OSPF routers attached to the port4 network segment.
71. View the exhibit, which contains the output of a BGP debug command, and then answer the question below. Which of the following statements about the exhibit are true? (Choose two.)
  - The local router's BGP state is Established with the 10.125.0.60 peer.
  - Since the counters were last reset, the 10.200.3.1 peer has never been down.
  - The local router has received a total of three BGP prefixes from all peers.
  - The local router has not established a TCP session with 100.64.3.1.
72. You have configured FortiManager as a local FDS to provide FortiGate AV and IPS updates, but FortiGate devices are not receiving updates to their AV signature databases, IPS engines, or IPS signature databases. Which two settings need to be verified for these features to function? (Choose two.)
  - FortiGate needs to have the server list entry for FortiManager set to server-type update under config system central-management.
  - FortiManager needs to be the license validation server for FortiGate devices trying to retrieve updated AV and IPS packages.
  - Service access needs to be enabled on FortiManager under System Settings > Network.
  - FortiGate needs to have include-default-servers disabled under config system central-management.
73. Which statement about NGFW policy-based application filtering is true?
  - After the application has been identified, the kernel uses only the Layer 4 header to match the traffic.
  - The IPS security profile is the only security option you can apply to the security policy with the action set to ACCEPT.
  - After IPS identifies the application, it adds an entry to a dynamic ISDB table.
  - FortiGate will drop all packets until the application can be identified.
74. Which configuration can be used to reduce the number of BGP sessions in an IBGP network?
  - route-reflector enable
  - route-reflector-server enable
  - route-reflector-client enable
  - route-reflector-peer enable
75. Refer to the exhibit, which shows the output of diagnose sys session stat. Which statement about the output shown in the exhibit is correct?
  - There are two sessions that have not been removed in case of any out-of-order packets that arrive.
  - There are 166 TCP sessions waiting to complete the three-way handshake.
  - 162 sessions have been deleted because of memory page exhaustion.
  - All the sessions in the session table are TCP sessions.
76. Which statement about the designated router (DR) and backup designated router (BDR) in an OSPF multi-access network is true?
  - Only the DR receives link state information from non-DR routers.
  - Non-DR and non-BDR routers form full adjacencies to DR only.
  - Non-DR and non-BDR routers send link state updates and acknowledgements to 224.0.0.6.
  - FortiGate first checks the OSPF ID to elect a DR.
77. Refer to the exhibit, which shows partial outputs from two routing debug commands. Why is the port2 default route not in the second command output?
  - The port2 interface is disabled in the FortiGate configuration.
  - The port1 default route has a lower distance than the default route using port2.
  - The port1 default route has a higher priority value than the default route using port2.
  - The port1 default route has a lower priority value than the default route using port2.
78. An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. The administrator decides to enable the setting link-failed-signal to fix the problem. Which statement about this setting is true?
  - It sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.
  - It sends a link failed signal to all connected devices.
  - It disables all the non-heartbeat interfaces in all HA members for two seconds after a failover.
  - It forces the former primary device to shut down all its non-heartbeat interfaces for one second, while the failover occurs.
79. When using the SSL certificate inspection method for HTTPS traffic, how does FortiGate filter web requests when the browser client does not provide the server name indication (SNI) extension?
  - FortiGate uses CN information from the Subject field in the server's certificate.
  - FortiGate switches to the full SSL inspection method to decrypt the data.
  - FortiGate blocks the request without any further inspection.
  - FortiGate uses the requested URL from the user's web browser.
80. Which of the following conditions must be met for a static route to be active in the routing table? (Choose three.)
  - The next-hop IP address is up.
  - There is no other route, to the same destination, with a higher distance.
  - The link health monitor (if configured) is up.
  - The next-hop IP address belongs to one of the outgoing interface subnets.
  - The outgoing interface is up.
81. What does the dirty flag mean in a FortiGate session?
  - Traffic has been blocked by the antivirus inspection.
  - The next packet must be re-evaluated against the firewall policies.
  - The session must be removed from the former primary unit after an HA failover.
  - Traffic has been identified as from an application that is not allowed.
82. Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
  - OSPF interface network types match.
  - OSPF router IDs are unique.
  - OSPF interface priority settings are unique.
  - Authentication settings match.
  - OSPF link costs match.
83. An administrator has been assigned the task of creating a set of firewall policies which must be evaluated before any custom policies defined within the policy packages of managed FortiGate devices, across all 25 ADOMs in FortiManager. How should the administrator accomplish this task?
  - Create a footer policy in the Global ADOM containing the firewall policies that must be evaluated first, and then assign this footer policy to all other ADOMs.
  - Create a header policy in the Global ADOM containing the firewall policies that must be evaluated first, and then assign this header policy to all other ADOMs.
  - Move the FortiGate devices into a single globally scoped ADOM, and merge policy packages, inserting the new firewall policies at the top.
  - Use a CLI script from the root ADOM on FortiManager to push these new policies to all FortiGate devices, through the FGFM tunnel.
84. View the IPS exit log, and then answer the question below.
    # diagnose test application ipsmonitor 3
    ipsengine exit log
    pid = 93 (cfg), duration = 5605322 (s) at Wed Apr 19 09:57:26 2017
    code = 11, reason: manual
What is the status of IPS on this FortiGate?
  - IPS engine memory consumption has exceeded the model-specific predefined value.
  - IPS daemon experienced a crash.
  - There are communication problems between the IPS engine and the management database.
  - All IPS-related features have been disabled in FortiGate's configuration.
85. Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command. Based on the output, which two statements are correct? (Choose two.)
  - Phase 2 authentication is set to sha1 on both sides.
  - Anti-replay is disabled.
  - Hub2Spoke1 is a policy-based VPN.
  - Hub2Spoke1 is configured on interface wan2.
86. View the exhibit, which contains the output of a diagnose command, and then answer the question below. Which statements are true regarding the output in the exhibit? (Choose two.)
  - FortiGate will probe 121.111.236.179 every fifteen minutes for a response.
  - Servers with the D flag are considered to be down.
  - Servers with a negative TZ value are experiencing a service outage.
  - FortiGate used 209.222.147.3 as the initial server to validate its contract.
87. Refer to the exhibit, which contains the partial output of a diagnose command. Based on the output, which two statements are correct? (Choose two.)
  - Anti-replay is enabled.
  - DPD is disabled.
  - Remote gateway IP is 10.200.4.1.
  - Quick mode selectors are disabled.
88. When does a RADIUS server send an Access-Challenge packet?
  - The server does not have the user credentials yet.
  - The server requires more information from the user, such as the token code for two-factor authentication.
  - The user credentials are wrong.
  - The user account is not found in the server.
89. Refer to the exhibit, which contains a TCL script configuration on FortiManager. An administrator has configured the TCL script on FortiManager, but the TCL script failed to apply any changes to the managed device after being run. Why did the TCL script fail to make any changes to the managed device?
  - The TCL command run_cmd has not been created.
  - The TCL script must start with tinclude <>.
  - Incomplete commands are ignored in TCL scripts.
  - Changes to an interface configuration can be made only by a CLI script.
90. What is the diagnose test application ipsmonitor 99 command used for?
  - To enable IPS bypass mode.
  - To provide information regarding IPS sessions.
  - To disable the IPS engine.
  - To restart all IPS engines and monitors.
91. Refer to the exhibit, which contains partial output from an IKE real-time debug. The administrator does not have access to the remote gateway. Based on the debug output, which configuration change can the administrator make to the local gateway to resolve the phase 1 negotiation error?
  - In the phase 1 network configuration, set the IKE version to 2.
  - In the phase 1 proposal configuration, add AES128-SHA128 to the list of encryption algorithms.
  - In the phase 1 proposal configuration, add AESCBC-SHA2 to the list of encryption algorithms.
  - In the phase 1 proposal configuration, add AES256-SHA256 to the list of encryption algorithms.
92. In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
  - It provides VM license validation services.
  - It supports rating requests from non-FortiGate devices.
  - It caches available firmware updates for unmanaged devices.
  - It can be configured as an update server, a rating server, or both.
93. Which two configuration commands change the default behavior for content-inspected traffic while FortiGate is in conserve mode? (Choose two.)
  - set av-failopen off
  - set av-failopen pass
  - set fail-open enable
  - set ips fail-open disable
94. Examine the following partial output from two system debug commands; then answer the question below. Which of the following statements are true regarding the above outputs? (Choose two.)
  - The unit is running a 32-bit FortiOS.
  - The unit is in kernel conserve mode.
  - The Cached value is always the Active value plus the Inactive value.
  - Kernel indirectly accesses the low memory (LowTotal) through memory paging.
95. Refer to the exhibit, which shows the output of a diagnose command. What can you conclude from the RTT value?
  - Its value represents the time it takes to receive a response after a rating request is sent to a particular server.
  - Its value is incremented with each packet lost.
  - It determines which FortiGuard server is used for license validation.
  - Its initial value is statically set to 10.
96. Refer to the exhibit, which shows a session table entry. Which statement about FortiGate behavior relating to this session is true?
  - FortiGate redirected the client to the captive portal to authenticate, so that a correct policy match could be made.
  - FortiGate forwarded this session without any inspection.
  - FortiGate is performing security profile inspection using the CPU.
  - FortiGate applied only IPS inspection to this session.
97. Refer to the exhibit, which shows the output of a BGP debug command. What can be concluded about the router in this scenario?
  - The router 100.64.3.1 needs to update the local AS number in its BGP configuration in order to bring up the BGP session with the local router.
  - The State/PfxRcd for neighbor 100.64.3.1 will not change until an administrator on the local router adjusts the inbound route filtering so that prefixes received can be added to the RIB.
  - All of the neighbors displayed are part of a single BGP configuration on the local router with the neighbor-range set to a value of 4.
  - The BGP session with peer 10.127.0.75 is up.
98. Examine the following routing table and BGP configuration; then answer the question below. The BGP connection is up, but the local peer is NOT advertising the prefix 192.168.1.0/24. Which configuration change will make the local peer advertise this prefix?
  - Enable the redistribution of connected routes into BGP.
  - Enable the redistribution of static routes into BGP.
  - Disable the setting network-import-check.
  - Enable the setting ebgp-multipath.
99. Refer to the exhibit, which shows the output of diagnose sys session list. If the HA ID for the primary device is 0, what will happen if the primary fails and the secondary becomes the primary?
  - Traffic for this session continues to be permitted on the new primary device after failover, without requiring the client to restart the session with the server.
  - The secondary device has this session synchronized; however, because application control is applied, the session will be marked dirty and have to be re-evaluated after failover.
  - The session state will be preserved but the kernel will need to re-evaluate the session due to NAT being applied.
  - The session will be removed from the session table of the secondary device due to the presence of allowed error packets, which will force the client to restart the session with the server.
100. Refer to the exhibit, which shows a partial routing table. Assuming all the appropriate firewall policies are configured, what two changes would an administrator need to make if they wanted to send traffic from a client directly connected to port3, to a server directly connected to port4? (Choose two.)
  - Configure route leaking between VRF 12 and VRF 21.
  - Disable auto-asic-offload as this is not supported between VRF instances.
  - Configure RIPv2 to exchange route information between the VRF instances.
  - Configure route leaking between port3 and port4.
  - Enable SNAT on the relevant firewall policies to prevent RPF check drops.