
30000

Test title:
30000


Creation date: 2023/10/03

Category: Other

Number of questions: 55

Syllabus:

Which action will FortiGate take when using the default settings for SSL certificate inspection, where the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?. FortiGate uses the CN information from the subject field in the server certificate. FortiGate uses the first entry listed in the SAN field in the server certificate. FortiGate uses the SNI from the user's web browser. FortiGate closes the connection because this represents an invalid SSL/TLS configuration.

What two statements about this session are correct? (Choose two.) Select one or more: This session terminates or originates on the FortiGate device. It is a TCP session in SYN_SENT state. It is a UDP session that has seen traffic flow both ways. This is a TCP session that was blocked by firewall policy ID 0.

which contains the output of diagnose vpn tunnel list. Which command will capture ESP traffic for the VPN named Dialup_0?. diagnose sniffer packet any 'port 4500'. diagnose sniffer packet any 'esp and host 10.200.3.2'. diagnose sniffer packet any 'ip proto 50'. diagnose sniffer packet any 'host 10.0.10.10'.

Which three tasks are part of the manual registration process for adding a FortiGate device to FortiManager for central management? (Choose three.). Add the FortiManager IP address to the FortiGate central management configuration. Import the policy package from the managed FortiGate device. In FortiManager, add the unregistered FortiGate device. Wait for the rating databases to download on FortiManager. Start the rating services on FortiManager.

An administrator wants to capture encrypted phase 2 traffic between two FortiGate devices using the built-in sniffer. If the administrator knows that there is no NAT device located between both FortiGate devices, which command should the administrator run?. diagnose sniffer packet any 'ah'. diagnose sniffer packet any 'udp port 500'. diagnose sniffer packet any 'udp port 4500'. diagnose sniffer packet any 'ip proto 50'.

Which two statements about the BGP peer are true? (Choose two.) Select one or more: For the peer 10.125.0.60, the BGP state is Established. The local BGP peer has not established a TCP session to the BGP peer 10.200.3.1. Since the BGP counters were last reset the BGP peer 10.200.3.1 has never been down. The local BGP peer has received a total of three BGP prefixes.

which shows a partial routing table. Assuming all the appropriate firewall policies are configured, what two changes would an administrator need to make if they wanted to send traffic from a client directly connected to port3, to a server directly connected to port4? (Choose two.). Configure route leaking between VRF 12 and VRF 21. Enable SNAT on the relevant firewall policies to prevent RPF check drops. Disable auto-asic-offload as this is not supported between VRF instances. Configure route leaking between port3 and port4. Configure RIPv2 to exchange route information between the VRF instances.

which contains a hub-and-spoke VPN topology with two hubs. An administrator wants to configure ADVPN. Which ADVPN setting must be enabled in the tunnel between the Hub1 and Hub2 FortiGate devices?. set auto-discovery-forwarder enabled. set auto-discovery-receiver enabled. set auto-discovery-ipsec enabled. set auto-discovery-sender enabled.

Which statement about protocol options is true?. Protocol options allow administrators a streamlined method to instruct FortiGate to block all sessions corresponding to disabled protocols. Protocol options allow administrators to configure which Layer 4 port numbers map to upper-layer protocols such as HTTP, SMTP, FTP and so on. Protocol options allow administrators the ability to configure the Any setting for all enabled protocols which provides the most efficient use of system resources. Protocol options allow administrators to configure a maximum number of sessions for each configured protocol.

View the following exhibit: Given the output showing a real-time debug, which statement describes why the update is failing? Select one: The update should be using port 53 or port 8888, instead of port 443. FortiGate is unable to establish a TCP connection with FDS. The administrator should use the execute update-wf command instead. FortiGate is unable to resolve the required FQDN (service.fortiguard.net) for AV and IPS updates.

An administrator has created a VPN community within VPN Manager on FortiManager. They also added gateways to the VPN community and are now trying to create firewall policies to permit traffic over the tunnel; however, the VPN interfaces are not listed as available options. What step must the administrator take to resolve this issue?. Install the VPN community and gateway configuration to the FortiGate devices, in order for the interfaces to be displayed within Policy & Objects on FortiManager. Create interface mappings for the IPsec VPN interfaces, before they can be used in a policy. Set up all of the phase 1 settings in the VPN community that they neglected to set up initially. The interfaces will be automatically generated after the administrator configures all of the required settings. Refresh the device status from the Device Manager so that FortiGate will populate the IPsec interfaces.

Which troubleshooting step is applicable when investigating antivirus and IPS update issues on FortiGate?. Use the diagnose debug rating command to check active servers. Validate DNS resolution for update.fortiguard.net. Verify outbound ICMP connectivity. Use the alternate service port 8888.

Which statement about the designated router (DR) and backup designated router (BDR) in an OSPF multi-access network is true?. Only the DR receives link state information from non-DR routers. Non-DR and non-BDR routers send link state updates and acknowledgements to 224.0.0.6. FortiGate first checks the OSPF ID to elect a DR. Non-DR and non-BDR routers form full adjacencies to DR only.

An administrator is configuring ADVPN in a hub-and-spoke topology. The administrator will use IBGP to route traffic between the VPN sites. Which IBGP setting needs to be enabled on the hub, for dynamic routing to work properly for on-demand tunnels?. route-reflector-client. route-server-client. next-hop-self. ibgp-multipath.

Which two conditions would prevent a static route from being added to the routing table? (Choose two). The interface specified in the route configuration is down. There is another route to the same destination, with a lower distance. The next-hop IP address is unreachable. The route has a lower priority value than another route to the same destination.

View the exhibit, which contains the partial output of an IKE real-time debug. Which statement about this debug output is correct?. Quick mode selectors do not match; therefore, the tunnel will not come up. It shows a phase 2 negotiation. The SA life soft and hard seconds do not match; therefore, the tunnel will not come up. It shows the negotiation of an IPsec tunnel in transport mode.

Refer to the exhibit, which shows the output of get system ha status. NGFW-1 and NGFW-2 have been up for a week. Which two statements about the output are true? (Choose two). If port7 becomes disconnected on the secondary, both FortiGate devices will elect itself the primary. If FGVM...649 is rebooted, FGVM...650. If no action is taken, the primary FortiGate will leave the cluster due to the current sync status. If a configuration change is made to the primary FortiGate at this time, the secondary will initiate a synchronization reset.

Examine these partial outputs from two routing debug commands: # get router info routing-table database S 0.0.0.0/0 [20/0] via 100.64.2.254, port2, [10/0] S *> 0.0.0.0/0 [10/0] via 100.64.1.254, port1 # get router info routing-table all s+ 0.0.0.0/0 [10/0] via 100.64.1.254, port1 Why is the default route that uses port2 not in the output of the second command?. There can be only one default route present in an active routing table. It has a higher distance than the default route using port1. It has a higher priority than the default route using port1. It is disabled in the FortiGate configuration.

What are two functions of automation stitches? (Choose two). Automation stitches can be configured on any FortiGate device in a Security Fabric environment. Automation stitches can be created to run diagnostic commands and attach the results to an email message when CPU or memory usage exceeds specified thresholds. An automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action. An automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

Which two configuration changes can be applied to optimize the memory usage on FortiGate? (Choose two.). Reduce the FortiGuard cache TTL. Decrease the sessions TTL. Increase the maximum file size for AV inspection. Use flow-based inspection. Increase TCP session timers.

Refer to the exhibit, which shows the output of a BGP debug command. Which statement explains why the state of the 10.200.3.1 peer is connect?. The router 10.200.3.1 has authentication configured for BGP and the local router does not. The local router initiated the BGP session to 10.200.3.1 but did not receive a response. The local router has a different AS number than the remote peer. The local router is receiving BGP keepalives from the remote peer, but the local peer has not received the OpenConfig yet.

Which two statements correctly describe the characteristics of the Fortinet Security Fabric? (Choose two.). It supports an open API, allowing third-party product integration. It provides a single pane of glass for reporting for all devices in the Security Fabric. The core of the Security Fabric includes FortiMail, FortiWeb, and FortiSandbox. It contains individual management platforms for each device to provide granular control.

Refer to the exhibit, which contains partial output from an IKE real-time debug. The administrator does not have access to the remote gateway. Based on the debug output, which configuration change can the administrator make to the local gateway to resolve the phase 1 negotiation error?. In the phase 1 proposal configuration, add AES256-SHA256 to the list of encryption algorithms. In the phase 1 network configuration, set the IKE version to 2. In the phase 1 proposal configuration, add AES128-SHA128 to the list of encryption algorithms. In the phase 1 proposal configuration, add AESCBG-SHA2 to the list of encryption algorithms.

Which three steps are executed to get antivirus and IPS updates using the pull method? (Choose three.). FortiGate periodically queries for pending updates. FortiGate gets a list of server IP addresses that can be contacted. FortiGate contacts a DNS server to resolve the FortiGuard domain name. FortiGate registers its public IP address in FortiGuard. FortiGate starts sending rating queries to one of the servers in the list.

Refer to the exhibit, which shows the output of a BGP debug command. Which statement explains why the state of the 10.200.3.1 peer is connect?. The local router initiated the BGP session to 10.200.3.1 but did not receive a response. The local router is receiving BGP keepalives from the remote peer, but the local peer has not received the OpenConfig yet. The local router has a different AS number than the remote peer. The router 10.200.3.1 has authentication configured for BGP and the local router does not.

Which two events can trigger an HA failover? (Choose two.). The physical disconnection of a monitored interface. The failure of a solid-state drive. A session sync failure. A configuration sync failure.

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?. Configure remote link monitoring to detect an issue in the forwarding path. Configure set link-failed-signal enable under config system ha on both cluster members. Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports. Configure set send-garp-on-failover enable under config system ha on both cluster members.

When investigating FortiGuard connectivity issues, which action is a valid troubleshooting step?. Configure a virtual IP to forward port 443 to the FortiGate external IP. Verify management VDOM internet access. Use the FortiGuard real-time debug command to verify rating requests. Verify that DNS requests are being proxied if auto-update tunneling is enabled.

Refer to the exhibit, which shows the output of a real-time debug. Which statement about this output is true?. The server hostname was extracted from the SNI in the client requests, or from the CNI in the server certificate. The requested URL belongs to category ID 255. FortiGate found the requested URL in its local cache. This web request was inspected using the ftgd-allow web filter profile.

Which two conditions would prevent a static route from being added to the routing table? (Choose two). There is another route to the same destination, with a lower distance. The interface specified in the route configuration is down. The next-hop IP address is unreachable. The route has a lower priority value than another route to the same destination.

Refer to the exhibit, which shows the output of a debug command. What can be concluded from the debug command output?. There are more than two OSPF routers on the wan2 network. The interface ToRemote is a broadcast OSPF network. The OSPF router with the ID 0.0.0.69 has its OSPF priority set to 0. The local FortiGate has a different MTU value from the OSPF router with ID 0.0.0.2, based on the state information.

An administrator has been assigned the task of creating a set of firewall policies which must be evaluated before any custom policies defined within the policy packages of managed FortiGate devices, across all 25 ADOMs in FortiManager. How should the administrator accomplish this task?. Create a header policy in the Global ADOM containing the firewall policies that must be evaluated first, and then assign this header policy to all other ADOMs. Move the FortiGate devices into a single globally scoped ADOM, and merge policy packages, inserting the new firewall policies at the top. Create a footer policy in the Global ADOM containing the firewall policies that must be evaluated first, and then assign this footer policy to all other ADOMs. Use a CLI script from the root ADOM on FortiManager to push these new policies to all FortiGate devices, through the FGFM tunnel.

What are two functions of automation stitches? (Choose two). Automation stitches can be created to run diagnostic commands and attach the results to an email message when CPU or memory usage exceeds specified thresholds. An automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action. An automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions. Automation stitches can be configured on any FortiGate device in a Security Fabric environment.

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two). It can be configured as an update server, a rating server, or both. It provides VM license validation services. It caches available firmware updates for unmanaged devices. It supports rating requests from non-FortiGate devices.

Refer to the exhibit, which contains a CLI script configuration on FortiManager. An administrator configured the CLI script on FortiManager, but the script failed to apply any changes to the managed device after being executed. What are two reasons why the script did not make any changes to the managed device? (Choose two). Incomplete commands can cause CLI scripts to fail. The commands that start with the # sign did not run. CLI scripts must start with #!. Static routes can be added using only TCL scripts.

Refer to the exhibits, which show the configuration on FortiGate and partial internet session information from a user on the internal network. An administrator would like to test session failover between the two service provider connections. What changes must the administrator make to force this existing session to immediately start using the other interface? (Choose two). Change the priority of the port1 static route to 11. Configure set snat-route-change enable. Unset snat-route-change to return it to the default setting. Change the priority of the port2 static route to 5.

Refer to the exhibit, which shows partial outputs from two routing debug commands. Why is the port2 default route not in the second command output?. The port1 default route has a lower distance than the default route using port2. The port1 default route has a higher priority value than the default route using port2. The port2 interface is disabled in the FortiGate configuration. The port1 default route has a lower priority value than the default route using port2.

You have configured FortiManager as a local FDS to provide FortiGate AV and IPS updates, but FortiGate devices are not receiving updates to their AV signature database, IPS engines, or IPS signature databases. Which two settings need to be verified for these features to function? (Choose two.). FortiGate needs to have the server list entry for FortiManager set to server-type update under config system central-management. Service access needs to be enabled on FortiManager under System Settings > Network. FortiManager needs to be the license validation server for FortiGate devices trying to retrieve updated AV and IPS packages. FortiGate needs to have include-default-servers disabled under config system central-management.

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?. Enable AD-VPN in IPsec phase 1. Configure IP addresses on IPsec virtual interfaces. Disable add-route on hub. Set protected network to all.

Refer to the exhibit, which shows a central management configuration. Which server will FortiGate choose for web filter rating requests, if 10.0.1.240 is experiencing an outage?. Public FortiGuard servers. 10.0.1.244. 10.0.1.242. 10.0.1.243.

Which configuration can be used to reduce the number of BGP sessions in an IBGP network?. route-reflector-client enable. route-reflector enable. route-reflector-peer enable. route-reflector-server enable.

In which two states is a given session categorized as ephemeral? (Choose two.). A UDP session with only one packet received. A TCP session waiting for the SYN ACK. A UDP session with packets sent and received. A TCP session waiting for FIN ACK.

Refer to the exhibits, which contain the network topology and BGP configuration for a hub. An administrator is trying to configure ADVPN with a hub and spoke VPN setup using IBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over IBGP, however, the spokes are not receiving route information from each other. Add a prefix list to the hub that permits routes to be shared between the spokes. Configure the hub as a route reflector. Enable route redistribution under config router bgp. Configure auto-discovery-sender on the hub.

Refer to the exhibit, which shows a FortiGate configuration. An administrator is troubleshooting a webfilter issue on FortiGate. The administrator has configured a web filter profile and applied it to a policy; however, the web filter is not inspecting any traffic that is passing through the policy. What must the administrator change to fix the issue?. The administrator must disable webfilter-force-off. The administrator must increase webfilter-timeout. The administrator must enable fortiguard-anycast. The administrator must change protocol to TCP.

Which two statements about the Security Fabric are true? (Choose two.). Only the root FortiGate collects network information and forwards it to FortiAnalyzer. All FortiGate devices in the Security Fabric must have bidirectional FortiTelemetry connectivity. Branch FortiGate devices must be configured first. FortiGate uses FortiTelemetry protocol to communicate with FortiAnalyzer.

Which configuration can be used to reduce the number of BGP sessions in an IBGP network?. route-reflector-client enable. route-reflector-server enable. route-reflector-peer enable. route-reflector enable.

Refer to the exhibit, which shows the output of a BGP debug command. What can be concluded about the router in this scenario?. All of the neighbors displayed are part of a single BGP configuration on the local router with the neighbor-range set to a value of 4. The BGP session with peer 10.127.0.75 is up. The router 100.64.3.1 needs to update the local AS number in its BGP configuration in order to bring up the BGP session with the local router. The state/PfxRcd for neighbor 100.64.3.1 will not change until an administrator on the local router adjusts the inbound route filtering so that prefixes received can be added to the RIB.

Refer to the exhibit, which contains a screenshot of some phase 1 settings. The VPN is not up. To diagnose the issue, the administrator enters the following CLI commands to an SSH session on FortiGate: diagnose vpn ike log-filter dst-addr4 10.0.10.1 diagnose debug application ike -1. However, the IKE real-time debug does not show any output. Why?. The administrator must also run the command diagnose debug enable. The debug shows only error messages. If there is no output, then the phase 1 and phase 2 configurations match. The log-filter setting is incorrect. The VPN traffic does not match this filter. The administrator must enable the following real-time debug: diagnose debug application IPsec -1.

How are bulk configuration changes made using FortiManager CLI scripts? (Choose two.). When run on the Device Database, changes are applied directly to the managed FortiGate device. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation. When run on the Policy Package, ADOM database, you must use the installation wizard to apply the changes to the management FortiGate. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.

Refer to the exhibit, which shows a central management configuration. Which server will FortiGate choose for web filter rating requests, if 10.0.1.240 is experiencing an outage?. 10.0.1.244. Public FortiGuard servers. 10.0.1.242. 10.0.1.243.

Refer to the exhibits, which show the configuration on FortiGate and partial session information for internet traffic from a user on the internal network. If the priority on route ID 2 were changed from 10 to 0, what would happen to traffic matching that user session?. The session would remain in the session table, and its traffic would egress from port2. The session would remain in the session table, but its traffic would now egress from both port1 and port2. The session would be deleted, and the client would need to start a new session. The session would remain in the session table, and its traffic would egress from port1.

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three). OSPF interface network types match. Authentication settings match. OSPF router IDs are unique. OSPF interface priority settings are unique. OSPF link costs match.

Which two statements about the Security Fabric are true? (Choose two.). Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer. Only FortiGate devices with fabric-object-unification set to default will receive and synchronize global CMDB object sent by root FortiGate. Only the root FortiGate sends logs to FortiAnalyzer. FortiGate uses FortiTelemetry protocol to communicate with FortiAnalyzer.

Which two statements about application-layer test commands are true? (Choose two.). Some of them display statistics and configuration information about a feature or process. Some of them can be used to restart an application. Some of them display real-time application debugs. Some of them only display output, after you run the diagnose debug console enable command.

Refer to the exhibits, which contain the network topology and BGP configuration for a hub. An administrator is trying to configure ADVPN with a hub and spoke VPN setup using IBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over IBGP, however the spokes are not receiving route information from each other. What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?. Configure the hub as a route reflector. Configure auto-discovery-sender on the hub. Enable route redistribution under config router bgp. Add a prefix list to the hub that permits routes to be shared between the spokes.
