Enterprise

Test title: Enterprise
Description: Enterprise Fortinet




Why does the ISDB block layers 3 and 4 of the OSI model when applying content filtering? (Choose two.)

- FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard.
- The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard.
- The ISDB works in proxy mode, allowing the analysis of packets in layers 3 and 4 of the OSI model.
- The ISDB limits access by URL and domain.

An administrator is deploying a hub-and-spoke network and using OSPF as the dynamic protocol. Which configuration is mandatory for neighbor adjacency?

- Set bfd enable in the router configuration.
- Set network-type point-to-multipoint in the hub interface.
- Set rfc1583-compatible enable in the router configuration.
- Set virtual-link enable in the hub interface.

Refer to the exhibit, which contains a partial VPN configuration. What can you conclude from this VPN IPsec phase 1 configuration?

- This configuration is the best for networks with regular traffic intervals, providing a balance between connectivity assurance and resource utilization.
- Peer IDs are unencrypted and exposed, creating a security risk.
- FortiGate will not add a route to its routing or forwarding information base when the dynamic tunnel is negotiated.
- A separate interface is created for each dial-up tunnel, which can be slower and more resource intensive, especially in large networks.

An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit. Which statement on this FortiGate device is correct?

- The FortiGate device is in the area 0.0.0.5.
- The FortiGate device can inject external routing information.
- The FortiGate device does not support OSPF ECMP.
- The FortiGate device is a backup designated router.

An administrator is designing an ADVPN network for a large enterprise with spokes that have varying numbers of internet links. They want to avoid a high number of routes and peer connections at the hub. Which method should be used to simplify routing and peer management?

- Deploy a full-mesh VPN topology to eliminate hub dependency.
- Implement static routing over IPsec interfaces for each spoke.
- Use a dynamic routing protocol using loopback interfaces to streamline peers and routes.
- Establish a traditional hub-and-spoke VPN topology with policy routes.

A company's users on an IPsec VPN between FortiGate A and B have experienced intermittent issues since implementing VXLAN. The administrator suspects that packets exceeding the 1500-byte default MTU are causing the problems. In which situation would adjusting the interface's maximum MTU value help resolve issues caused by protocols that add extra headers to IP packets?

- Adjust the MTU on interfaces only if FortiGate has the FortiGuard enterprise bundle, which allows MTU modification.
- Adjust the MTU on interfaces in all FortiGate devices that support the latest family of Fortinet SPUs: NP7, CP9 and SP5.
- Adjust the MTU on interfaces in controlled environments where all devices along the path allow MTU interface changes.
- Adjust the MTU on interfaces only in wired connections like PPPoE, optic fiber, and ethernet cable.

An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2. What two options must the administrator configure in BGP? (Choose two.)

- set ebgp-enforce-multihop enable
- set next-hop-self enable
- set ibgp-enforce-multihop advpn
- set attribute-unchanged next-hop

An administrator received a FortiAnalyzer alert that a 1 ## disk filled up in a day. Upon investigation, they found thousands of unusual DNS log requests, such as JHCMQK.website.com, with no answers. They later discovered that DNS exfiltration was occurring through both UDP and TLS. How can the administrator prevent this data theft technique?

- Create an inline-CASB to protect against DNS exfiltration.
- Configure a File Filter profile to prevent DNS exfiltration.
- Enable DNS Filter to protect against DNS exfiltration.
- Use an IPS profile and DNS exfiltration-related signatures.

An administrator is deploying several spokes, including the BGP configuration for the spokes to connect to the hub. Which two commands allow the administrator to minimize the configuration? (Choose two.)

- neighbor-group
- route-reflector-client
- neighbor-range
- ibgp-enforce-multihop

The Administrators section of a root FortiGate device and the Security Fabric Settings section of a downstream FortiGate device are shown. When prompted to sign in with Security Fabric in the downstream FortiGate device, a user enters the AdminSSO credentials. What is the next status for the user?

- The user is prompted to create an SSO administrator account for AdminSSO.
- The user receives an authentication failure message.
- The user accesses the downstream FortiGate with super_admin_readonly privileges.
- The user accesses the downstream FortiGate with super_admin privileges.

An administrator discovers that webfilter stopped working in Core1 and Core2 after a maintenance window. Which two reasons could explain why webfilter stopped working? (Choose two.)

- The root VDOM does not have access to FortiManager in a closed network.
- The root VDOM does not have a VDOM link to connect with the Core1 and Core2 VDOMs.
- The Core1 and Core2 VDOMs must also be enabled as Management VDOMs to receive FortiGuard updates.
- The root VDOM does not have access to any valid public FDN.

An administrator is checking an enterprise network and sees a suspicious packet with the MAC address e0:23:ff:fc:00:86. What two conclusions can the administrator draw? (Choose two.)

- The suspicious packet is related to a cluster that has VDOMs enabled.
- The network includes FortiGate devices configured with the FGSP protocol.
- The suspicious packet is related to a cluster with a group-id value lower than 255.
- The suspicious packet corresponds to port 7 on a FortiGate device.

Refer to the exhibit, which shows the packet capture output of a three-way handshake between FortiGate and FortiManager Cloud. What two conclusions can you draw from the exhibit? (Choose two.)

- FortiGate will receive a certificate that supports multiple domains because FortiManager operates in a cloud computing environment.
- FortiGate is connecting to the same IP server and will receive an independent certificate for its connection between FortiGate and FortiManager Cloud.
- If the TLS handshake contains 17 cipher suites it means the TLS version must be 1.0 on this three-way handshake.
- The wildcard for the domain *.fortinet-ca2.support.fortinet.com must be supported by FortiManager Cloud.

A user reports that their computer was infected with malware after accessing a secured HTTPS website. However, when the administrator checks the FortiGate logs, they do not see that the website was detected as insecure despite having an SSL certificate and correct profiles applied on the policy. How can an administrator ensure that FortiGate can analyze encrypted HTTPS traffic on a website?

- The administrator must enable reputable websites to allow only SSL/TLS websites rated by FortiGuard web filter.
- The administrator must enable URL extraction from SNI on the SSL certificate inspection to ensure the TLS three-way handshake is correctly analyzed by FortiGate.
- The administrator must enable DNS over TLS to protect against fake Server Name Indication (SNI) that cannot be analyzed in common DNS requests on HTTPS websites.
- The administrator must enable full SSL inspection in the SSL/SSH Inspection Profile to decrypt packets and ensure they are analyzed as expected.

An administrator configured the FortiGate devices in an enterprise network to join the Fortinet Security Fabric. The administrator has a list of IP addresses that must be blocked by the data center firewall. This list is updated daily. How can the administrator automate a firewall policy with the daily updated list?

- With FortiNAC.
- With FortiNAC.
- With a Security Fabric automation.
- With an external connector from Threat Feeds.

The administrator has configured BGP on FortiGate. The status of this new BGP configuration is shown in the exhibit. What configuration must the administrator consider next?

- Configure a static route to 100.65.4.1.
- Configure the local AS to 65300.
- Contact the remote peer administrator to enable BGP.
- Enable ebgp-enforce-multihop.

Refer to the exhibit, which shows the ADVPN IPsec interface representing the VPN IPsec phase 1 from Hub A to Spoke 1 and Spoke 2, and from Hub # to Spoke 3 and Spoke 4. An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2. What must the administrator configure in the phase 1 VPN IPsec configuration of the ADVPN tunnels?

- set auto-discovery-sender enable and set network-id x
- set auto-discovery-forwarder enable and set remote-as x
- set auto-discovery-crossover enable and set enforce-multihop enable
- set auto-discovery-receiver enable and set npu-offload enable

The routing tables of FortiGate_A and FortiGate_B are shown. FortiGate_A and FortiGate_B are in the same autonomous system. The administrator wants to dynamically add only route 172.16.1.248/30 on FortiGate_A. What must the administrator configure?

- The prefix 172.16.1.248/30 in the BGP Networks section on FortiGate_B.
- A BGP route map out for 172.16.1.248/30 on FortiGate_B.
- Enable Redistribute Connected in the BGP section on FortiGate_B.
- A BGP route map in for 172.16.1.248/30 on FortiGate_A.

Refer to the exhibit, which shows a revision history window in the FortiManager device layer. The IT team is trying to identify the administrator responsible for the most recent update in the FortiGate device database. Which conclusion can you draw about this scenario?

- This retrieved process was automatically triggered by a Remote FortiGate Directly (via CLI) script.
- The user script_manager is an API user from the Fortinet Developer Network (FDN) retrieving a configuration.
- To identify the user who created the event, check it on the Configuration and Installation widget on FortiGate within the FortiManager device layer.
- Find the user in the FortiManager system logs and use the type=script command to find the administrator user in the user field.

What is the initial step performed by FortiGate when handling the first packets of a session?

- Installation of the session key in the network processor (NP).
- Data encryption and decryption.
- Security inspections such as ACL, HPE, and IP integrity header checking.
- Offloading the packets directly to the content processor (CP).

A company's guest internet policy, operating in proxy mode, blocks access to Artificial Intelligence Technology sites using FortiGuard. However, a guest user accessed a page in this category using port 8443. Which configuration changes are required for FortiGate to analyze HTTPS traffic on nonstandard ports like 8443 when full SSL inspection is active in the guest policy?

- Add a URL wildcard domain to the website CA certificate and use it in the SSL/SSH Inspection Profile.
- In the Protocol Port Mapping section of the SSL/SSH Inspection Profile, enter 443, 8443 to analyze both standard (443) and non-standard (8443) HTTPS ports.
- To analyze nonstandard ports in web filter profiles, use TLSv1.3 in the SSL/SSH Inspection Profile.
- Administrators can block traffic on nonstandard ports by enabling the SNI check in the SSL/SSH Inspection Profile.

An administrator must minimize CPU and RAM use on a FortiGate firewall while also enabling essential security features, such as web filtering and application control for HTTPS traffic. Which SSL inspection setting helps reduce system load while also enabling security features, such as web filtering and application control for encrypted HTTPS traffic?

- Use full SSL inspection to thoroughly inspect encrypted payloads.
- Disable SSL inspection entirely to conserve resources.
- Configure SSL inspection to handle HTTPS traffic efficiently.
- Enable SSL certificate inspection mode to perform basic checks without decrypting traffic.

A company that acquired multiple branches across different countries needs to install new FortiGate devices on each of those branches. However, the IT staff lacks sufficient knowledge to implement the initial configuration on the FortiGate devices. Which three approaches can the company take to successfully deploy advanced initial configurations on remote branches? (Choose three.)

- Use metadata variables to dynamically assign values according to each FortiGate device.
- Use provisioning templates and install configuration settings at the device layer.
- Use the Global ADOM to deploy global object configurations to each FortiGate device.
- Apply Jinja in the FortiManager scripts for large-scale and advanced deployments.
- Add FortiGate devices on FortiManager as model devices, and use ZTP or LTP to connect to FortiGate devices.

An administrator wants to scale the IBGP sessions and optimize the routing table in an IBGP network. Which parameter should the administrator configure?

- network-import-check
- ibgp-enforce-multihop
- neighbor-group
- route-reflector-client

Refer to the exhibit, which shows a network diagram showing the addition of site 2 with an overlapping network segment to the existing VPN IPsec connection between the hub and site 1. Which IPsec phase 2 configuration must an administrator make on the FortiGate hub to enable equal-cost multi-path (ECMP) routing when multiple remote sites connect with overlapping subnets?

- Set route-overlap to either use-new or use-old.
- Set net-device to ecmp.
- Set single-source to enable.
- Set route-overlap to allow.