efw_frost7.4
Test title: efw_frost7.4. Description: Fortinet FCSS
A company that acquired multiple branches across different countries needs to install new FortiGate devices on each of those branches. However, the IT staff lacks sufficient knowledge to implement the initial configuration on the FortiGate devices. Which three approaches can the company take to successfully deploy advanced initial configurations on remote branches? (Choose three.)

- Use metadata variables to dynamically assign values according to each FortiGate device.
- Use provisioning templates and install configuration settings at the device layer.
- Use the Global ADOM to deploy global object configurations to each FortiGate device.
- Apply Jinja in the FortiManager scripts for large-scale and advanced deployments.
- Add FortiGate devices on FortiManager as model devices, and use ZTP or LTP to connect to FortiGate devices.

An administrator is checking an enterprise network and sees a suspicious packet with the MAC address e0:23:ff:fc:00:86. What two conclusions can the administrator draw? (Choose two.)

- The suspicious packet is related to a cluster that has VDOMs enabled.
- The network includes FortiGate devices configured with the FGSP protocol.
- The suspicious packet is related to a cluster with a group-id value lower than 255.
- The suspicious packet corresponds to port 7 on a FortiGate device.

A company's guest internet policy, operating in proxy mode, blocks access to Artificial Intelligence Technology sites using FortiGuard. However, a guest user accessed a page in this category using port 8443. Which configuration changes are required for FortiGate to analyze HTTPS traffic on nonstandard ports like 8443 when full SSL inspection is active in the guest policy?

- Add a URL wildcard domain to the website CA certificate and use it in the SSL/SSH Inspection Profile.
- In the Protocol Port Mapping section of the SSL/SSH Inspection Profile, enter 443, 8443 to analyze both standard (443) and non-standard (8443) HTTPS ports.
- To analyze nonstandard ports in web filter profiles, use TLSv1.3 in the SSL/SSH Inspection Profile.
- Administrators can block traffic on nonstandard ports by enabling the SNI check in the SSL/SSH Inspection Profile.

An administrator needs to install an IPS profile without triggering false positives that can impact applications and cause problems with the user's normal traffic flow. Which action can the administrator take to prevent false positives on IPS analysis?

- Use the IPS profile extension to select an operating system, protocol, and application for all the network internal services and users to prevent false positives.
- Enable Scan Outgoing Connections to avoid clicking suspicious links or attachments that can deliver botnet malware and create false positives.
- Use an IPS profile with action monitor; however, the administrator must be aware that this can compromise network integrity.
- Install missing or expired SSL/TLS certificates on the client PC to prevent expected false positives.

An administrator is deploying several spokes, including the BGP configuration for the spokes to connect to the hub. Which two commands allow the administrator to minimize the configuration? (Choose two.)

- neighbor-group
- route-reflector-client
- neighbor-range
- ibgp-enforce-multihop

Why does the ISDB block layers 3 and 4 of the OSI model when applying content filtering? (Choose two.)

- FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard.
- The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard.
- The ISDB works in proxy mode, allowing the analysis of packets in layers 3 and 4 of the OSI model.
- The ISDB limits access by URL and domain.

The Administrators section of a root FortiGate device and the Security Fabric Settings section of a downstream FortiGate device are shown. When prompted to sign in with Security Fabric in the downstream FortiGate device, a user enters the AdminSSO credentials. What is the next status for the user?

- The user is prompted to create an SSO administrator account for AdminSSO.
- The user receives an authentication failure message.
- The user accesses the downstream FortiGate with super_admin_readonly privileges.
- The user accesses the downstream FortiGate with super_admin privileges.

A user reports that their computer was infected with malware after accessing a secured HTTPS website. However, when the administrator checks the FortiGate logs, they do not see that the website was detected as insecure despite having an SSL certificate and correct profiles applied on the policy. How can an administrator ensure that FortiGate can analyze encrypted HTTPS traffic on a website?

- The administrator must enable reputable websites to allow only SSL/TLS websites rated by FortiGuard web filter.
- The administrator must enable URL extraction from SNI on the SSL certificate inspection to ensure the TLS three-way handshake is correctly analyzed by FortiGate.
- The administrator must enable DNS over TLS to protect against fake Server Name Indication (SNI) that cannot be analyzed in common DNS requests on HTTPS websites.
- The administrator must enable full SSL inspection in the SSL/SSH Inspection Profile to decrypt packets and ensure they are analyzed as expected.

The client behind Spoke-1 generates traffic to the device located behind Spoke-2. What is the first message that the hub sends to Spoke-1 to bring up the dynamic tunnel?

- Shortcut query
- Shortcut offer
- Shortcut reply
- Shortcut forward

An administrator applied a block-all IPS profile for client and server targets to secure the server, but the database team reported the application stopped working immediately after. How can an administrator apply IPS in a way that ensures it does not disrupt existing applications in the network?

- Use an IPS profile with all signatures in monitor mode and verify patterns before blocking.
- Limit the IPS profile to server targets only to avoid blocking connections from the server to clients.
- Select flow mode in the IPS profile to accurately analyze application patterns.
- Set the IPS profile signature action to default to discard all possible false positives.

An administrator is extensively using VXLAN on FortiGate. Which specialized acceleration hardware does FortiGate need to improve its performance?

- NP7
- SP5
- CP9
- NTurbo

An administrator would like the area 0.0.0.0 to detect the external network. What must the administrator configure?

- Enable RIP redistribution on FortiGate B.
- Configure a distribute-route-map-in on FortiGate B.
- Configure a virtual link between FortiGate A and B.
- Set the area 0.0.0.1 type to stub on FortiGate A and B.

Refer to the exhibit, which shows the ADVPN network topology and partial BGP configuration. Which two parameters must an administrator configure in the config neighbor range for spokes shown in the exhibit? (Choose two.)

- set max-neighbor-num 2
- set neighbor-group advpn
- set route-reflector-client enable
- set prefix 172.16.1.0 255.255.255.0

Which two statements about IKEv2 are true if an administrator decides to implement IKEv2 in the VPN topology? (Choose two.)

- It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.
- It supports interoperability with devices using IKEv1.
- It exchanges a minimum of two messages to establish a secure tunnel.
- It supports the extensible authentication protocol (EAP).

An administrator must enable direct communication between multiple spokes in a company's network. Each spoke has more than one internet connection. The requirement is for the spokes to connect directly without passing through the hub, and for the links to automatically switch to the best available connection. How can this automatic detection and optimal link utilization between spokes be achieved?

- Set up OSPF routing over static VPN tunnels between spokes.
- Utilize ADVPN 2.0 to facilitate dynamic direct tunnels and automatic link optimization.
- Establish static VPN tunnels between spokes with predefined backup routes.
- Implement SD-WAN policies at the hub to manage spoke link quality.

What does the command set forward-domain <domain_ID> in a transparent VDOM interface do?

- It configures the interface to prioritize traffic based on the domain ID, enhancing quality of service for specified VLANs.
- It isolates traffic within a specific VLAN by assigning a broadcast domain to an interface based on the VLAN ID.
- It restricts the interface to managing traffic only from the specified VLAN, effectively segregating network traffic.
- It assigns a unique domain ID to the interface, allowing it to operate across multiple VLANs within the same VDOM.

The administrator is checking on FortiAnalyzer traffic from the device with IP address 10.1.10.1, located behind the FortiGate ISFW device. The firewall policy on the ISFW device does not have UTM enabled, and the administrator is surprised to see a log with the action Malware, as shown in the exhibit. What are the two reasons FortiAnalyzer would display this log? (Choose two.)

- Security rating is enabled in ISFW.
- ISFW is in a Security Fabric environment.
- ISFW is not connected to FortiAnalyzer and must go through NGFW-1.
- The firewall policy in NGFW-1 has UTM enabled.

What can you conclude from this VPN IPsec phase 1 configuration?

- This configuration is the best for networks with regular traffic intervals, providing a balance between connectivity assurance and resource utilization.
- Peer IDs are unencrypted and exposed, creating a security risk.
- FortiGate will not add a route to its routing or forwarding information base when the dynamic tunnel is negotiated.
- A separate interface is created for each dial-up tunnel, which can be slower and more resource intensive, especially in large networks.

A company's users on an IPsec VPN between FortiGate A and B have experienced intermittent issues since implementing VXLAN. The administrator suspects that packets exceeding the 1500-byte default MTU are causing the problems. In which situation would adjusting the interface's maximum MTU value help resolve issues caused by protocols that add extra headers to IP packets?

- Adjust the MTU on interfaces only if FortiGate has the FortiGuard enterprise bundle, which allows MTU modification.
- Adjust the MTU on interfaces in all FortiGate devices that support the latest family of Fortinet SPUs: NP7, CP9 and SP5.
- Adjust the MTU on interfaces in controlled environments where all devices along the path allow MTU interface changes.
- Adjust the MTU on interfaces only in wired connections like PPPoE, optic fiber, and ethernet cable.

An administrator is extensively using IPsec on FortiGate. Many tunnels show information similar to the output shown in the exhibit. What can the administrator conclude?

- IPsec SAs cannot be offloaded.
- The two IPsec SAs, inbound and outbound, are copied to the NPU.
- Only the outbound IPsec SA is copied to the NPU.
- Only the inbound IPsec SA is copied to the NPU.

An administrator must integrate the new remote office network with the corporate enterprise network. What must the administrator do to allow routing between the two networks?

- The administrator must implement BGP to inject the new remote office network into the corporate FortiGate device.
- The administrator must configure a static route to the subnet 192.168.1.0/24 on the corporate FortiGate device.
- The administrator must configure virtual links on both FortiGate devices.
- The administrator must implement OSPF over IPsec on both FortiGate devices.

The administrator must configure the BGP section of FortiGate A to give internet access to the enterprise network. Which command must the administrator use to establish a connection with the internet service provider?

- config neighbor
- config redistribute bgp
- config router route-map
- config redistribute ospf

An administrator is trying to find the web filter database signature on FortiGate to resolve issues with websites not being filtered correctly in a flow-mode web filter profile. Why is the web filter database version not visible on the GUI, as it is with IPS definitions?

- The web filter database is stored locally, but the administrator must run diagnose autoupdate versions over the CLI.
- The web filter database is stored locally on FortiGate, but it is hidden behind the GUI. It requires enabling debug mode to make it visible.
- The web filter database is not hosted on FortiGate: FortiGate queries FortiGuard or FortiManager for web filter ratings on demand.
- The web filter database is only accessible after manual syncing with a valid FDS server using diagnose test update info.

An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2. What two options must the administrator configure in BGP? (Choose two.)

- set ebgp-enforce-multihop enable
- set next-hop-self enable
- set ibgp-enforce-multihop advpn
- set attribute-unchanged next-hop

The template is not assigned even though the configuration has already been installed on FortiGate. What is true about this scenario?

- The administrator did not assign the template correctly when adding the model device because pre-CLI templates remain permanently assigned to the firewall.
- Pre-run CLI templates are automatically unassigned after their initial installation.
- Pre-run CLI templates for ZTP and LTP must be unassigned manually after the first installation to avoid conflicting error objects when importing a policy package.
- The administrator must use post-run CLI templates that are designed for ZTP and LTP.

The IT team is trying to identify the administrator responsible for the most recent update in the FortiGate device database. Which conclusion can you draw about this scenario?

- This retrieve process was automatically triggered by a Remote FortiGate Directly (via CLI) script.
- The user script_manager is an API user from the Fortinet Developer Network (FDN) retrieving a configuration.
- To identify the user who created the event, check it on the Configuration and Installation widget on FortiGate within the FortiManager device layer.
- Find the user in the FortiManager system logs and use the type=script command to find the administrator user in the user field.

An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit. What two conclusions can the administrator draw? (Choose two.)

- The FortiGate device is a backup designated router.
- The FortiGate device is connected to multiple areas.
- The FortiGate device injects external routing information.
- The FortiGate device has OSPF ECMP enabled.

The administrator has configured BGP on FortiGate. The status of this new BGP configuration is shown in the exhibit. What configuration must the administrator consider next?

- Configure a static route to 100.65.4.1.
- Configure the local AS to 65300.
- Contact the remote peer administrator to enable BGP.
- Enable ebgp-enforce-multihop.

What two conclusions can you draw from the exhibit? (Choose two.)

- FortiGate will receive a certificate that supports multiple domains because FortiManager operates in a cloud computing environment.
- FortiGate is connecting to the same IP server and will receive an independent certificate for its connection between FortiGate and FortiManager Cloud.
- If the TLS handshake contains 17 cipher suites, it means the TLS version must be 1.0 on this three-way handshake.
- The wildcard for the domain *.fortinet-ca2.support.fortinet.com must be supported by FortiManager Cloud.

What two conclusions can you draw from the corresponding LAN interface? (Choose two.)

- You must enable STP or RSTP on FortiGate and FortiSwitch to avoid layer 2 loopbacks.
- The LAN interface must use an 802.3ad type interface.
- This connection is using a FortiLink to manage VLANs on FortiGate.
- FortiGate is using an SD-WAN-type interface to connect to a FortiSwitch device with MCLAG.

An administrator wants FortiGate_B to handle the Core2 VDOM traffic. Which modification must the administrator apply to achieve this?

- The administrator must disable override on FortiGate_A.
- The administrator must change the priority from 100 to 160 for FortiGate_B.
- The administrator must change the load balancing method on FortiGate_B.
- The administrator must change the priority from 128 to 200 for FortiGate_B.

During the maintenance window, an administrator must sniff all the traffic going through a specific firewall policy, which is handled by NP6 interfaces. The output of the sniffer trace provides just a few packets. Why is the output of the sniffer trace limited?

- The traffic corresponding to the firewall policy is encrypted.
- auto-asic-offload is set to enable in the firewall policy.
- inspection-mode is set to proxy in the firewall policy.
- The option npudbg is not added in the diagnose sniff packet command.

An administrator would like to modify the MED value advertised from FortiGate_1 to a BGP neighbor in the autonomous system 30. What must the administrator configure on FortiGate_1 to implement this?

- route-map-out
- network-import-check
- prefix-list-out
- distribute-list-out

An administrator received a FortiAnalyzer alert that a 1 TB disk filled up in a day. Upon investigation, they found thousands of unusual DNS log requests, such as JHCMQK.website.com, with no answers. They later discovered that DNS exfiltration was occurring through both UDP and TLS. How can the administrator prevent this data theft technique?

- Create an inline-CASB to protect against DNS exfiltration.
- Configure a File Filter profile to prevent DNS exfiltration.
- Enable DNS Filter to protect against DNS exfiltration.
- Use an IPS profile and DNS exfiltration-related signatures.

An administrator configured the FortiGate devices in an enterprise network to join the Fortinet Security Fabric. The administrator has a list of IP addresses that must be blocked by the data center firewall. This list is updated daily. How can the administrator automate a firewall policy with the daily updated list?

- A. With FortiNAC.
- B. With FortiAnalyzer.
- C. With a Security Fabric automation.
- D. With an external connector from Threat Feeds.

Which configuration must the administrator apply to optimize the OSPF database?

- Set a route map in the AS boundary FortiGate.
- Set the area 0.0.0.1 to the type STUB in the area border FortiGate.
- Set an access list in the AS boundary FortiGate.
- Set the area 0.0.0.1 to the type NSSA in the area border FortiGate.

The IT department discovered during the last network migration that all-zero phase selectors in phase 2 IPsec configurations impacted network operations. What are two valid approaches to prevent this during future migrations? (Choose two.)

- A. Use routing protocols to specify allowed subnets over the tunnel.
- B. Configure an IPsec-aggregate to create redundancy between each firewall peer.
- C. Clearly indicate to the VPN which segments will be encrypted in the phase two selectors.
- D. Configure an IP address on the IPsec interface of each firewall to establish unique peer connections and avoid impacting network operations.

How will configuring set tcp-mss-sender and set tcp-mss-receiver in a firewall policy affect the size and handling of TCP packets in the network?

- A. The maximum segment size permitted in the firewall policy determines whether TCP packets are allowed or denied.
- B. Applying commands in a firewall policy determines the largest payload a device can handle in a single TCP segment.
- C. The administrator must consider the payload size of the packet and the size of the IP header to configure a correct value in the firewall policy.
- D. The TCP packet modifies the packet size only if the size of the packet is less than the one the administrator configured in the firewall policy.

A vulnerability scan report has revealed that a user has generated traffic to the website example.com (10.10.10.10) using a weak SSL/TLS version supported by the HTTPS web server. What can the firewall administrator do to block all outdated SSL/TLS versions on any HTTPS web server to prevent possible attacks on user traffic?

- A. Configure the unsupported SSL version and set the minimum allowed SSL version in the HTTPS settings of the SSL/SSH inspection profile.
- B. Enable auto-detection of outdated SSL/TLS versions in the SSL/SSH inspection profile to block vulnerable websites.
- C. Install the required certificate in the client's browser or use Active Directory policies to block specific websites as defined in the SSL/SSH inspection profile.
- D. Use the latest certificate, Fortinet_SSL_ECDSA256, and replace the CA certificate in the SSL/SSH inspection profile.

An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit. Which statement on this FortiGate device is correct?

- A. The FortiGate device can inject external routing information.
- B. The FortiGate device is in the area 0.0.0.5.
- C. The FortiGate device does not support OSPF ECMP.
- D. The FortiGate device is a backup designated router.

An administrator is setting up an ADVPN configuration and wants to ensure that peer IDs are not exposed during VPN establishment. Which protocol can the administrator use to enhance security?

- A. Use IKEv2, which encrypts peer IDs and prevents exposure.
- B. Opt for SSL VPN web mode because it does not use peer IDs at all.
- C. Choose IKEv1 aggressive mode because it simplifies peer identification.
- D. Stick with IKEv1 main mode because it offers better performance.

Why is FortiGate unable to detect HTTPS attacks on firewall policy ID 3 targeting the Linux server?

- A. The administrator must set the policy to inspection mode to analyze the HTTPS packets as expected.
- B. The administrator must enable HTTPS in the protocol port mapping of the deep-inspection SSL/SSH inspection profile.
- C. The administrator must enable SSL inspection of the SSL server and upload the certificate of the Linux server website to the SSL/SSH inspection profile.
- D. The administrator must enable cipher suites in the SSL/SSH inspection profile to decrypt the message.

An administrator must minimize CPU and RAM use on a FortiGate firewall while also enabling essential security features, such as web filtering and application control for HTTPS traffic. Which SSL inspection setting helps reduce system load while also enabling security features, such as web filtering and application control for encrypted HTTPS traffic?

- A. Use full SSL inspection to thoroughly inspect encrypted payloads.
- B. Disable SSL inspection entirely to conserve resources.
- C. Configure SSL inspection to handle HTTPS traffic efficiently.
- D. Enable SSL certificate inspection mode to perform basic checks without decrypting traffic.

An administrator must standardize the deployment of FortiGate devices across branches with consistent interface roles and policy packages using FortiManager. What is the recommended best practice for interface assignment in this scenario?

- A. Enable metadata variables to use dynamic configurations in the standard interfaces of FortiManager.
- B. Use the Install On feature in the policy package to automatically assign different interfaces based on the branch.
- C. Create interfaces using device database scripts to use them on the same policy package of FortiGate devices.
- D. Create normalized interface types per platform to automatically recognize device layer interfaces based on the FortiGate model and interface name.

What action can be taken on a FortiGate to block traffic using IPS protocol decoders, focusing on network transmission patterns and application signatures?

- A. Use the DNS filter to block application signatures and protocol decoders.
- B. Use application control to limit non-URL-based software handling.
- C. Enable application detection-based SD-WAN rules.
- D. Configure a web filter profile in flow mode.

An administrator is designing an ADVPN network for a large enterprise with spokes that have varying numbers of internet links. They want to avoid a high number of routes and peer connections at the hub. Which method should be used to simplify routing and peer management?

- A. Deploy a full-mesh VPN topology to eliminate hub dependency.
- B. Implement static routing over IPsec interfaces for each spoke.
- C. Use a dynamic routing protocol using loopback interfaces to streamline peers and routes.
- D. Establish a traditional hub-and-spoke VPN topology with policy routes.

A FortiGate device with UTM profiles is reaching the resource limits, and the administrator expects the traffic in the enterprise network to increase. The administrator has received an additional FortiGate of the same model. Which two protocols should the administrator use to integrate the additional FortiGate device into this enterprise network? (Choose two.)

- A. FGSP with external load balancers.
- B. FGCP in active-active mode and with switches.
- C. FGCP in active-passive mode and with VDOM disabled.
- D. VRRP with switches.

The routing tables of FortiGate_A and FortiGate_B are shown. FortiGate_A and FortiGate_B are in the same autonomous system. The administrator wants to dynamically add only route 172.16.1.248/30 on FortiGate_A. What must the administrator configure?

- A. The prefix 172.16.1.248/30 in the BGP Networks section on FortiGate_B.
- B. A BGP route map out for 172.16.1.248/30 on FortiGate_B.
- C. Enable Redistribute Connected in the BGP section on FortiGate_B.
- D. A BGP route map in for 172.16.1.248/30 on FortiGate_A.

Which IPsec phase 2 configuration must an administrator make on the FortiGate hub to enable equal-cost multi-path (ECMP) routing when multiple remote sites connect with overlapping subnets?

- A. Set route-overlap to either use-new or use-old.
- B. Set net-device to ecmp.
- C. Set single-source to enable.
- D. Set route-overlap to allow.

An administrator wants to scale the IBGP sessions and optimize the routing table in an IBGP network. Which parameter should the administrator configure?

- A. network-import-check
- B. ibgp-enforce-multihop
- C. neighbor-group
- D. route-reflector-client

An administrator discovers that webfilter stopped working in Core1 and Core2 after a maintenance window. Which two reasons could explain why webfilter stopped working? (Choose two.)

- A. The root VDOM does not have access to FortiManager in a closed network.
- B. The root VDOM does not have a VDOM link to connect with the Core1 and Core2 VDOMs.
- C. The Core1 and Core2 VDOMs must also be enabled as Management VDOMs to receive FortiGuard updates.
- D. The root VDOM does not have access to any valid public FDN.

An administrator is deploying a hub-and-spoke network and using OSPF as the dynamic protocol. Which configuration is mandatory for neighbor adjacency?

- A. Set bfd enable in the router configuration.
- B. Set network-type point-to-multipoint in the hub interface.
- C. Set rfc1583-compatible enable in the router configuration.
- D. Set virtual-link enable in the hub interface.

Refer to the exhibit, which shows a command output. FortiGate_A and FortiGate_B are members of an FGSP cluster in an enterprise network. While testing the cluster using the ping command, the administrator monitors packet loss and finds that the session output on FortiGate_B is as shown in the exhibit. What could be the cause of this output on FortiGate_B?

- FortiGate_A and FortiGate_B have the same standalone-group-id value.
- The session synchronization is encrypted.
- session-pickup-connectionless is set to disable on FortiGate_B.
- FortiGate_B is configured in passive mode.

Refer to the exhibits. The configuration of a user's Windows PC, which has a default MTU of 1500 bytes, along with FortiGate interfaces set to an MTU of 1000 bytes, and the results of PC1 pinging server 172.16.0.254 are shown. Why is the user on Windows PC1 unable to ping server 172.16.0.254 and seeing the message "Packet needs to be fragmented but DF set"?

- A. FortiGate honors the do-not-fragment bit and the packets are dropped. The user has to adjust the ping MTU to 972 to succeed.
- B. Fragmented packets must be encrypted. To connect any application successfully, the user must install the Fortinet_CA certificate in the Microsoft Management Console.
- C. Option ip.flags.mf must be set to enable on FortiGate. The user has to adjust the ping MTU to 1000 to succeed.
- D. The user must trigger different traffic because path MTU discovery techniques do not recognize ICMP payloads.

Refer to the exhibit, which shows an enterprise network connected to an internet service provider. An administrator must configure a loopback as a BGP source to connect to the ISP. Which two commands are required to establish the connection? (Choose two.)

- ibgp-enforce-multihop
- ebgp-enforce-multihop
- recursive-next-hop
- update-source

What is the initial step performed by FortiGate when handling the first packets of a session?

- Installation of the session key in the network processor (NP).
- Offloading the packets directly to the content processor (CP).
- Data encryption and decryption.
- Security inspections such as ACL, HPE, and IP integrity header checking.

An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2. What must the administrator configure in the phase 1 VPN IPsec configuration of the ADVPN tunnels?

- A. set auto-discovery-sender enable and set network-id x.
- B. set auto-discovery-forwarder enable and set remote-as x.
- C. set auto-discovery-crossover enable and set enforce-multihop enable.
- D. set auto-discovery-receiver enable and set npu-offload enable.

Refer to the exhibit, which shows a partial troubleshooting command output. An administrator is extensively using IPsec on FortiGate. Many tunnels show information similar to the output shown in the exhibit. What can the administrator conclude?

- Only the outbound IPsec SA is copied to the NPU.
- Only the inbound IPsec SA is copied to the NPU.
- The two IPsec SAs, inbound and outbound, are copied to the NPU.
- IPsec SAs cannot be offloaded.

Refer to the exhibit, which shows a normalized interface LAN on FortiManager. What two conclusions can you draw from this interface configuration? (Choose two answers.)

- The normalized interface LAN will be used as the port2 interface for NGFW-1 [Core2].
- The normalized interface LAN will be used as the Human_Resources interface for any FortiGate-40F model devices.
- The normalized interface LAN will be used as the private interface for FortiGate-VM64 model devices.
- The normalized interface LAN will be used as the wireless interface for FortiGate-81E model devices.

Refer to the exhibits, which show policy package conflict status and import device wizard information in the Core1 VDOM. When the FortiManager administrator imports the policy package, the following message appears for the Web_restrictions web filter profile and the deep-inspection SSL-SSH profile, as shown in the exhibit: "The following objects were found having conflicts. Please confirm your settings, then continue." Which step should the administrator take to resolve the issue if Web_restrictions and deep-inspection are already being used by other FortiGate devices within FortiManager? (Choose one answer.)

- Create uniquely named objects on FortiGate and reimport them into the policy package.
- Use non-default object values because FortiManager is unable to alter default values.
- Select the FortiManager configuration that accepts changes in FortiManager and preserves existing configurations on FortiGate devices.
- Retrieve the FortiGate configuration to automatically export correct objects and policies.

A network topology and the routing table of a FortiGate device are shown. What must the administrator configure in the BGP section to add only the subnet 100.64.2.0/24 in the routing table of FortiGate_A? (Choose one answer.)

- The administrator must configure connected routes redistribution on FortiGate_C.
- The administrator must configure BGP route redistribution on FortiGate_B.
- The administrator must configure the 100.64.2.0/24 network on FortiGate_C.
- The administrator must configure route-map in on FortiGate_A.

Refer to the exhibit. The routing tables of FortiGate_A and FortiGate_B are shown. Why does FortiGate_B have only one external route available to 100.75.5.1/32? (Choose one answer.)

- FortiGate_A advertises only one external route to FortiGate_B.
- The route to 100.75.5.1/32 shown on FortiGate_B has the highest cost.
- The subnet 10.1.5.0/24 is not located in the FortiGate_B area.
- rfc1583-compatible is not set to enable on the FortiGate_B device.

The exhibits show the firewall policy ID 1 of the policy package DCFW and the reinstall preview windows for the policy package installation. Why is FortiManager installing set srcaddr "SSLVPN_TUNNEL_ADDR1" on the firewall policy ID 1 when policy package DCFW has the source address 10.1.4. on the firewall policy ID 1? (Choose one answer.)

- FortiManager has assigned to the DCFW firewall a CLI template that can overwrite configurations in the policy layer.
- The firewall policy and reinstall preview use the same addresses, but they have different names because of per-device mapping.
- The reinstall policy package ignores recent changes to the policy layer. The administrator must run the Install Wizard.
- FortiManager is installing the global policy package, which has higher priority than the ADOM policy package.

Which two ways will applications be impacted when you adjust the TCP maximum segment size (MSS) on FortiGate? (Choose two.)

- The network efficiency improves when there is a decrease in the MSS value.
- The packet count increases, adding unnecessary TCP headers, when the MSS value is increased.
- The overall data throughput is decreased when the MSS value is decreased.
- The MSS configuration is prone to errors because it requires a thorough understanding of the network path.

You must automate a weekly backup of all FortiGate devices in an enterprise network. Which two steps must you take to implement this automation? (Choose two.)

- Create a script to be run in the device database.
- Integrate all FortiGate devices in a Security Fabric environment.
- Create an automation stitch.
- Create metadata variables for all FortiGate devices.

In an enterprise firewall, one firewall policy is being used for intrusion prevention. Which configuration in the firewall policy must you check to confirm the optimum performance for intrusion prevention?

- set np-acceleration enable
- set offload enable
- set inspection-mode proxy
- set cp-accel-mode enable

A network diagram, the output from the command config system ha, and a firewall policy are shown. What is the destination MAC address of the reply packet from the web server?

- The virtual MAC address of FortiGate B.
- The physical MAC address of FortiGate A.
- The physical MAC address of FortiGate B.
- The virtual MAC address of FortiGate A.

What do np0 and np1 represent in the VDOM link shown in the exhibit?

- They represent the virtual routing and forwarding (VRF) ID numbers of each VDOM interface.
- They represent the unique names that FortiGate automatically assigns to VDOM links by appending 0 and 1.
- They represent the ID number of each VDOM for traffic management.
- They represent the native ASIC network processors (NP) that FortiGate assigns to available VDOM interfaces.

You want to simplify a new hub-and-spoke network deployment with the BGP recommended configuration. Which two sections on FortiManager must you use? (Choose two.)

- Meta Fields
- Metadata Variables
- Provisioning Templates
- Automation Stitch

The device and policy layers for FortiGate key operations are shown. How can you restore a previous FortiGate configuration, which has more policies than the current configuration, without layer synchronization between the device and policy layers on FortiManager?

- Find the configuration file by date and time in the provisioning templates, then reinstall the policy package to apply the configuration changes.
- Locate the configuration ID in the FortiGate revision history, revert to that configuration, install the device settings, and import policies to sync the policy package.
- Use the global ADOM to access the previous configuration and install policies on ADOM devices to synchronize all layers.
- Retrieve the configuration, import system templates, and reinstall the policy package on FortiGate.

You must ensure that users cannot access sites containing malware and spyware, while also protecting them from phishing attempts. What is the most resource-efficient method to block access to these sites?

- Set up a DNS filter and block domains related to these categories to stop users from reaching malicious content.
- Create a custom intrusion prevention system (IPS) policy to monitor and block all outbound traffic related to malware, spyware, and phishing sites.
- Enable antivirus profiles to scan all web traffic and block downloads from these malicious sites.
- Configure FortiGuard web filtering and block the categories malware, spyware, and phishing to prevent access to such sites.

You configured FortiGate Session Life Support Protocol (FGSP) cluster members to encrypt the session synchronization. When you perform a sniffer trace on the interface dedicated for synchronization, the sniffer trace shows UDP packets only. What are two reasons why the sniffer trace captures only UDP packets? (Choose two.)

- The psksecret value does not match.
- The encryption is encapsulated in UDP packets.
- encryption is not set to enable on both members.
The administration has not configured the SESSYNC_1 tunnel. What does hyperscale capability in data center firewalls typically support?. Network speeds ranging from 10 Gbps to 1000 Gbps. Enhanced encryption and decryption processes only. Application layer operations such as intrusion prevention. Bundling of multiple physical interfaces for a single logical interface. |