TEST-FGT-1

QUESTION 1 Which two pieces of information are synchronized between FortiGate HA members? (Choose two.). OSPF adjacencies. IPsec security associations. BGP peerings. DHCP leases.

QUESTION 2 Which two statements are true about the FGCP protocol? (Choose two.). FGCP is not used when FortiGate is in transparent mode. FGCP elects the primary FortiGate device. FGCP is used to discover FortiGate devices in different HA groups. FGCP runs only over the heartbeat links.

QUESTION 3 Which three methods are used by the collector agent for AD polling? (Choose three.). WinSecLog. WMI. NetAPI. FSSO REST API. FortiGate polling.

QUESTION 4 When FortiGate performs SSL/SSH full inspection, you can decide how it should react when it detects an invalid certificate. Which three actions are valid actions that FortiGate can perform when it detects an invalid certificate? (Choose three.). Allow & Warning. Trust & Allow. Allow. Block & Warning. Block.

QUESTION 5 Refer to the exhibit. Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD- WAN rules?. All traffic from a source IP to a destination IP is sent to the same interface. Traffic is sent to the link with the lowest latency. Traffic is distributed based on the number of sessions through each interface. All traffic from a source IP is sent to the same interface.

QUESTION 6 Refer to the exhibits, which show the system performance output and the default configuration of high memory usage thresholds in a FortiGate. Based on the system performance output, what can be the two possible outcomes? (Choose two.). FortiGate will start sending all files to FortiSandbox for inspection. FortiGate has entered conserve mode. Administrators cannot change the configuration. Administrators can access FortiGate onlythrough the console port.

QUESTION 7 Refer to the exhibits, which show a diagram of a FortiGate device connected to the network. VIP object configuration, and the firewall policy configuration. TheWAN (port1)interface has the IP address10.200.1.1/24. TheLAN (port3)interface has the IP address10.0.1.254/24. If the host10.200.3.1sends a TCP SYN packet on port 8080 to10.200.1.10, what will the source address, destination address, and destination port of the packet be at the time FortiGate forwards the packet to the destination?. 10.0.1.254, 10.200.1.10, and 8080, respectively. 10.0.1.254, 10.0.1.10, and 80, respectively. 10.200.3.1, 10.0.1.10, and 80, respectively. 10.200.3.1, 10.0.1.10, and 8080, respectively.

QUESTION 8 There are multiple dial-up IPsec VPNs configured in aggressive mode on the HQ FortiGate. The requirement is to connect dial-up users to their respective department VPN tunnels. Which phase 1 setting you can configure to match the user to the tunnel?. Peer ID. Local Gateway. Dead Peer Detection. IKE Mode Config.

QUESTION 9 Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, as well as the firewall policy and IP pool configuration on the FortiGate device. Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet. Based on the information shown in the exhibit, which two configuration options can the administrator use to fix the connectivity issue for PC3? (Choose two.). In the firewall policy configuration, add 10. o. l. 3 as an address object in the source field. In the IP pool configuration, set endig to 192.2.0.12. Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list. In the IP pool configuration, set cype to overload.

QUESTION 10 Refer to the exhibit to view the firewall policy. Why would the firewall policy not block a well-known virus, for example eicar?. The action on the firewall policy is not set to deny. The firewall policy is not configured in proxy-based inspection mode. Web filter is not enabled on the firewall policy to complement the antivirus profile. The firewall policy does not apply deep content inspection.

QUESTION 11 Which method allows management access to the FortiGate CLI without network connectivity?. SSH console. CLI console widget. Serial console. Telnet console.

QUESTION 12 Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, and the firewall policies configuration VIP configuration and IP pool configuration on the FortiGate device The WAN (port1) interface has the IP address 10.200. l. 1/24 The LAN (port3) interface has the IP address 10.0.1.254/24 The first firewall policy has NAT enabled using the IP pool The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.1.10?. 10.200.1.1. 10.200.1.10. 10.0.1.254. 10.200.1.100.

QUESTION 13 Refer to the exhibit. Examine Examine the intrusion prevention system (IPS) diagnostic command shown in the exhibit. If option 5 is used with the IPS diagnostic command and the outcome is a decrease in the CPU usage, what is the correct conclusion?. The IPS engine is blocking all traffic. The IPS engine is inspecting a high volume of traffic. The IPS engine is unable to prevent an intrusion attack. The IPS engine will continue to run in a normal state.

QUESTION 14 Which two statements explain antivirus scanning modes? (Choose two.). In flow-based inspection mode, FortiGate buffers the file, but also simultaneously transmits it to the client. In flow-based inspection mode files bigger than the buffer size are scanned. In proxy-based inspection mode files bigger than the buffer size are scanned. In proxy-based inspection mode antivirus scanning buffers the whole file for scanning, before sending it to the client.

QUESTION 15 Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.). Pre-shared key and certificate signature as authentication methods. Extended authentication (XAuth)to request the remote peer to provide a username and password. Extended authentication (XAuth) for faster authentication because fewer packets are exchanged. No certificate is required on the remote peer when you set the certificate signature as the authentication method.

QUESTION 16 Refer to the exhibits. FGT-1 and FGT-2 are updated with HA configuration commands shown in the exhibit. What would be the expected outcome in the HA cluster?. FGT-1 will remain the primary because FGT-2 has lower priority. FGT-2 will take over as the primary because it has the override enable setting and higher priority than FGT-1. FGT-1 will synchronize the override disable setting with FGT-2. The HA cluster will become out of sync because the override setting must match on all HA members.

QUESTION 17 An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings. What is true about the DNS connection to a FortiGuard server?. It uses UDP 8888. It uses DNS over HTTPS. It uses DNS over TLS. It uses UDP 53.

QUESTION 18 Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects. The WAN (port1) interface has the IP address10.200.1.1/24. The LAN (port3) interface has the IPaddress10.0.1.254/24. Which IP address will be used to source NAT (SNAT) the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?. 10.200.1.1. 10.200.1.149. 10.200.1.99. 10.200.1.49.

QUESTION 19 FortiGate is integrated with FortiAnalyzer and FortiManager. When a firewall policy is created, which attribute is added to the policy to improve functionality and to support recording logs to FortiAnalyzer or FortiManager?. Log ID. Policy ID. Sequence ID. Universally Unique Identifier.

QUESTION 20 Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI. Based on the exhibit, which statement is true?. The underlay zone contains port1 and. The d-wan zone contains no member. The d-wan zone cannot be deleted. The virtual-wan-link zone contains no member.

QUESTION 21 Which inspection mode does FortiGate use for application profiles if it is configured as a profile-based next-generation firewall (NGFW)?. Full content inspection. Proxy-based inspection. Certificate inspection. Flow-based inspection.

QUESTION 22 Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration. An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver. Which two configuration changes can the administrator make to the policy to deny Webserver access for Remote-User2? (Choose two.). Enable match-vip in the Deny policy. Set the Destination address as Webserver in the Deny policy. Disable match-vip in the Deny policy. Set the Destination address as Deny_IP in the Allow_access policy.

QUESTION 23 Refer to the exhibit. Why did FortiGate drop the packet?. 11 matched an explicitly configured firewall policy with the action DENY. It failed the RPF check. The next-hop IP address is unreachable. It matched the default implicit firewall policy.

QUESTION 24 Refer to the exhibit, which shows the IPS sensor configuration. If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.). The sensor will gather a packet log for all matched traffic. The sensor will reset all connections that match these signatures. The sensor will allow attackers matching the Microsoft.Windows.iSCSl.Target.DoS signature. The sensor will block all attacks aimed at Windows servers.

QUESTION 25 An administrator has configured the following settings: What are the two results of this configuration? (Choose two.). Denied users are blocked for 30 minutes. A session for denied traffic is created. The number of logs generated by denied traffic is reduced. Device detection on all interfaces is enforced for 30 minutes.

QUESTION 26 Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?. Downstream devices can connect to the upstream device from any of their VDOMs. Each VDOM in the environment can be part of a different Security Fabric. VDOMs without ports with connected devices are not displayed in the topology. Security rating reports can be run individually for each configured VDOM.

QUESTION 27 Refer to the exhibit, which shows a partial configuration from the remote authentication server. Why does the FortiGate administrator need this configuration?. To authenticate only the Training user group. To set up a RADIUS server Secret. To authenticate and match the Training OU on the RADIUS server. To authenticate Any FortiGate user groups.

QUESTION 28 FortiGuard categories can be overridden and defined in different categories. To create a web rating override for the example.com home page the override must be configured using a specific syntax. Which two syntaxes are correct to configure a web rating override for the home page? (Choose two.). www.example.com:443. www.example.com. www.example.com/index.hrml. example.com.

QUESTION 29 A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the and does not block the file allowing it to be downloaded. The administrator confirms that the traffic matches the configured firewall policy. What are two reasons for the failed virus detection by FortiGate? (Choose two.). The selected SSL inspection profile has certificate inspection enabled. The browser does not trust the FortiGate self-siqned CA certificate. The EICAR test file exceeds the protocol options oversize limit. The website is exempted from SSL inspection.

QUESTION 30 Refer to the exhibit showing a FortiGuard connection debug output. Based on the output, which two facts does the administrator know about the FortiGuard connection? (Choose two.). One server was contacted to retrieve the contract information. There is at least one server that lost packets consecutively. A local FortiManaqer is one of the servers FortiGate communicates with. FortiGate is using default FortiGuard communication settings.

QUESTION 31 Refer to the exhibit. The exhibit shows a diagram of a FortiGate device connected to the network, the firewall policy and VIP configuration on the FortiGate device, and the routing table on the ISP router. When the administrator tries to access the web server public address (203.0.113.2) from the internet, the connection times out. At the same time the administrator runs a sniffer on FortiGate to capture incoming web traffic to the server and does not see any output. Based on the information shown in the exhibit, what configuration change must the administrator make to fix the connectivity issue?. Configure a loopback interface with address 203.0.113.2/32. In the VIP configuration, enable arp-reply. In the firewall policy configuration, enable match-vip. Enable port forwarding on the server to map the external service port to the internal service port.

QUESTION 32 Which two settings are required for SSL VPN to function between two FortiGate devices? (Choose two.). The client FortiGate requires the SSL VPN tunnel interface type to connect SSL VPN. The server FortiGate requires a CA certificate to verify the client FortiGate certificate. The client FortiGate requires a client certificate signed by the CA on the server FortiGate. The client FortiGate requires a manually added route to remote subnets.

QUESTION 33 Refer to the exhibit which contains a RADIUS server configuration. An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected theInclude in every user groupoption. What is the impact of using theInclude in every user groupoption in a RADIUS configuration?. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group. This option places all users into even/ RADIUS user group, including groups that are used for the LDAP server on FortiGate. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case is FortiAuthenticator. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.

QUESTION 34 Refer to exhibit. An administrator configured the web filtering profile shown in the exhibit to block access to all social networking sites except Twitter. However, when users try to accesstwitter.com, they are redirected to a FortiGuard web filtering block page. Based on the exhibit, which configuration change can the administrator make to allow Twitter while blocking all other social networking sites?. On the Static URL Filter configuration set Type to Simple. On the FortiGuard Category Based Filter configuration set Action to Warning for Social Networking. On the Static URL Filter configuration set Action to Monitor. On the Static URL Filter configuration set Action to Exempt.

QUESTION 35 Refer to the exhibits. The exhibits show the application sensor configuration and theExcessive- BandwidthandApplefilter details. Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?. Apple FaceTime will be allowed, based on the Video/Audio category configuration. Apple FaceTime will be allowed, based on the Apple filter configuration. Apple FaceTime will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow. Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration.

QUESTION 36 Refer to the exhibit. Which two statements are true about the routing entries in this database table? (Choose two.). All of the entries in the routing database table are installed in the FortiGate routing table. The port2 interface is marked as inactive. Both default routes have different administrative distances. The default route on port2 is marked as the standby route.

QUESTION 37 Refer to the exhibits. An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW). What must the administrator do to synchronize the address object?. Change the csf setting on Local-FortiGate (root) to sec fabric-object-unification default. Change the csf setting on both devices to sec downscream-access enable. Change the csf setting on ISFW (downstream) to sec auchorizacion-requesc-cype certificace. Change the csf setting on ISFW (downstream) to sec configuration-sync local.

QUESTION 38 What are two features of the NGFW profile-based mode? (Choose two.). NGFW profile-based mode can only be applied globally and not on individual VDOMs. NGFW profile-based mode must require the use of central source NAT policy. NGFW profile-based mode policies support both flow inspection and proxy inspection. NGFW profile-based mode supports applying applications and web filtering profiles in a firewall policy.

QUESTION 39 Refer to the exhibits. The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to the SSL VPN?. Change the SSL VPN portal to the tunnel. Change the idle timeout. Change the server IP address. Change the SSL VPN port on the client.

QUESTION 40 A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors. What is the reason for the certificate warning errors?. The option invalid SSL certificates is set to allow on the SSL/SSH inspection profile. The browser does not trust the certificate used by FortiGate for SSL inspection. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions. The matching firewall policy is set to proxy inspection mode.

QUESTION 41 An administrator has configured a strict RPF check on FortiGate. How does strict RPF check work?. Strict RPF checks the best route back to the source using the incoming interface. Strict RPF allows packets back to sources with all active routes. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface. Strict RPF check is run on the first sent and reply packet of any new session.

QUESTION 42 An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSUTLS connection. Which FortiGate configuration can achieve this goal?. SSL VPN quick connection. SSL VPN tunnel. SSL VPN bookmark. Zero trust network access.

QUESTION 43 Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three.). Manual with load balancing. Lowest Cost (SLA) with load balancing. Best Quality with load balancing. Lowest Quality (SLA) with load balancing. Lowest Cost (SLA) without load balancing.

QUESTION 44 What are two features of FortiGate FSSO agentless polling mode? (Choose two.). FortiGate directs the collector agent to use a remote LDAP server. FortiGate uses the SMB protocol to read the event viewer logs from the DCs. FortiGate does not support workstation check. FortiGate uses the AD server as the collector agent.

QUESTION 45 Which statement is correct regarding the use of application control for inspecting web applications?. Application control can identify child and parent applications, and perform different actions on them. Application control signatures are included in Fortinet Antivirus engine. Application control does not display a replacement message for a blocked web application. Application control does not require SSL Inspection to Identity web applications.