MATEMATICAS II

Which two options help reduce false positives in an IPS profile? (Choose two.). Use operating system and application-specific filters. Enable monitor-only mode before enforcing blocking actions. Enable antivirus scanning simultaneously with IPS. Disable flow-based inspection for accurate results.

A FortiGate administrator must ensure that all interfaces participating in BGP sessions use loopback interfaces as update sources. Which command should be used in the BGP configuration?. set network-import-check enable. set update-source loopback0. set ebgp-enforce-multihop enable. set route-reflector-client enable.

An administrator is setting up an ADVPN configuration and wants to ensure that peer IDs are not exposed during VPN establishment. Which protocol can the administrator use to enhance security?. Use IKEv2, which encrypts peer IDs and prevents exposure. Opt for SSL VPN web mode because it does not use peer IDs at all. Choose IKEv1 aggressive mode because it simplifies peer identification. Stick with IKEv1 main mode because it offers better performance.

Refer to the exhibit, which contains the partial output of an OSPF command. An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit. What two conclusions can the administrator draw? (Choose two.). The FortiGate device is a backup designated router. The FortiGate device is connected to multiple areas. The FortiGate device injects external routing information. The FortiGate device has OSPF ECMP enabled.

A company's users on an IPsec VPN between FortiGate A and B have experienced intermittent issues since implementing VXLAN. The administrator suspects that packets exceeding the 1500-byte default MTU are causing the problems. In which situation would adjusting the interface's maximum MTU value help resolve issues caused by protocols that add extra headers to IP packets?. Adjust the MTU on interfaces only if FortiGate has the FortiGuard enterprise bundle, which allows MTU modification. Adjust the MTU on interfaces in all FortiGate devices that support the latest family of Fortinet SPUs: NP7, CP9 and SP5. Adjust the MTU on interfaces in controlled environments where all devices along the path allow MTU interface changes. Adjust the MTU on interfaces only in wired connections like PPPoE, optic fiber, and ethernet cable.

Refer to the exhibit. An administrator is deploying a hub and spokes network and using OSPF as dynamic protocol. Which configuration is mandatory for neighbor adjacency?. Set bfd enable in the router configuration. Set network-type point-to-multipoint in the hub interface. Set rfc1583-compatible enable in the router configuration. Set virtual-link enable in the hub interface.

A FortiGate device with UTM profiles is reaching the resource limits, and the administrator expects the traffic in the enterprise network to increase. The administrator has received an additional FortiGate of the same model. Which two protocols should the administrator use to integrate the additional FortiGate device into this enterprise network? (Choose two.). FGSP with external load balancers. FGCP in active-active mode and with switches. FGCP in active-passive mode and with VDOM disabled. VRRP with switches.

Refer to the exhibit, which shows an enterprise network connected to an internet service provider. The administrator must configure the BGP section of FortiGate A to give internet access to the enterprise network. Which command must the administrator use to establish a connection with the internet service provider?. config neighbor. config redistribute bgp. config router route-map. config redistribute ospf.

An administrator is extensively using VXLAN on FortiGate. Which specialized acceleration hardware does FortiGate need to improve its performance?. NP7. SP5. ##9. NTurbo.

What action can be taken on a FortiGate to block traffic using IPS protocol decoders, focusing on network transmission patterns and application signatures?. Use the DNS filter to block application signatures and protocol decoders. Use application control to limit non-URL-based software handling. Enable application detection-based SD-WAN rules. Configure a web filter profile in flow mode.

Refer to the exhibit, which shows an OSPF network. Which configuration must the administrator apply to optimize the OSPF database?. Set a route map in the AS boundary FortiGate. Set the area 0.0.0.1 to the type STUB in the area border FortiGate. Set an access list in the AS boundary FortiGate. Set the area 0.0.0.1 to the type NSSA in the area border FortiGate.

Refer to the exhibit, which shows a revision history window in the FortiManager device layer. The IT team is trying to identify the administrator responsible for the most recent update in the FortiGate device database. Which conclusion can you draw about this scenario?. This retrieved process was automatically triggered by a Remote FortiGate Directly (via CLI) script. The user script_manager is an API user from the Fortinet Developer Network (FDN) retrieving a configuration. To identify the user who created the event, check it on the Configuration and Installation widget on FortiGate within the FortiManager device layer. Find the user in the FortiManager system logs and use the type=script command to find the administrator user in the user field.

A user reports that their computer was infected with malware after accessing a secured HTTPS website. However, when the administrator checks the FortiGate logs, they do not see that the website was detected as insecure despite having an SSL certificate and correct profiles applied on the policy. How can an administrator ensure that FortiGate can analyze encrypted HTTPS traffic on a website?. The administrator must enable reputable websites to allow only SSL/TLS websites rated by FortiGuard web filter. The administrator must enable URL extraction from SNI on the SSL certificate inspection to ensure the TLS three-way handshake is correctly analyzed by FortiGate. The administrator must enable DNS over TLS to protect against fake Server Name Indication (SNI) that cannot be analyzed in common DNS requests on HTTPS websites. The administrator must enable full SSL inspection in the SSL/SSH Inspection Profile to decrypt packets and ensure they are analyzed as expected.

An administrator received a FortiAnalyzer alert that a 1 ## disk filled up in a day. Upon investigation, they found thousands of unusual DNS log requests, such as JHCMQK.website.com, with no answers. They later discovered that DNS exfiltration was occurring through both UDP and TLS. How can the administrator prevent this data theft technique?. Create an inline-CASB to protect against DNS exfiltration. Configure a File Filter profile to prevent DNS exfiltration. Enable DNS Filter to protect against DNS exfiltration. Use an IPS profile and DNS exfiltration-related signatures.

Refer to the exhibit, which shows a network diagram. An administrator would like to modify the MED value advertised from FortiGate_1 to a BGP neighbor in the autonomous system 30. What must the administrator configure on FortiGate_1 to implement this?. route-map-out. network-import-check. prefix-list-out. distribute-list-out.

Refer to the exhibit, which shows a LAN interface connected from FortiGate to two FortiSwitch devices. What two conclusions can you draw from the corresponding LAN interface? (Choose two.). You must enable STP or RSTP on FortiGate and FortiSwitch to avoid layer 2 loopbacks. The LAN interface must use a 802.3ad type interface. This connection is using a FortiLInk to manage VLANs on FortiGate. FortiGate is using an SD-WAN-type interface to connect to a FortiSwitch device with MCLAG.

What does the command set forward-domain <domain_ID> in a transparent VDOM interface do?. It configures the interface to prioritize traffic based on the domain ID, enhancing quality of service for specified VLANs. It isolates traffic within a specific VLAN by assigning a broadcast domain to an interface based on the VLAN ID. It restricts the interface to managing traffic only from the specified VLAN, effectively segregating network traffic. It assigns a unique domain ID to the interface, allowing it to operate across multiple VLANs within the same VDOM.

Refer to the exhibit, which contains a partial command output. The administrator has configured BGP on FortiGate. The status of this new BGP configuration is shown in the exhibit. What configuration must the administrator consider next?. Configure a static route to 100.65.4.1. Configure the local AS to 65300. Contact the remote peer administrator to enable BGP. Enable ebgp-enforce-multihop.

A company that acquired multiple branches across different countries needs to install new FortiGate devices on each of those branches. However, the IT staff lacks sufficient knowledge to implement the initial configuration on the FortiGate devices. Which three approaches can the company take to successfully deploy advanced initial configurations on remote branches? (Choose three.). Use metadata variables to dynamically assign values according to each FortiGate device. Use provisioning templates and install configuration settings at the device layer. Use the Global ADOM to deploy global object configurations to each FortiGate device. Apply Jinja in the FortiManager scripts for large-scale and advanced deployments. Add FortiGate devices on FortiManager as model devices, and use ZTP or LTP to connect to FortiGate devices.

An administrator is checking an enterprise network and sees a suspicious packet with the MAC address e0:23:ff:fc:00:86. What two conclusions can the administrator draw? (Choose two.). The suspicious packet is related to a cluster that has VDOMs enabled. The network includes FortiGate devices configured with the FGSP protocol. The suspicious packet is related to a cluster with a group-id value lower than 255. The suspicious packet corresponds to port 7 on a FortiGate device.

Refer to the exhibits. The configuration of a user's Windows PC, which has a default MTU of 1500 bytes, along with FortiGate interfaces set to an MTU of1000bytes, and the results of PC1 pinging server172.16.0.254are shown. Why is the user in Windows PC1 unable to ping server172.16.0.254and is seeing the message:Packet needs to be fragmented but DF set?. Option ip.flags.mf must be set to enable on FortiGate. The user has to adjust the ping MTU to 1000 to succeed. Fragmented packets must be encrypted. To connect any application successfully, the user must install the Fortinet_CA certificate in the Microsoft Management Console. FortiGate honors the do not fragment bit and the packets are dropped. The user has to adjust the ping MTU to 972 to succeed. The user must trigger different traffic because path MTU discovery techniques do not recognize ICMP payloads.

A company's guest internet policy, operating in proxy mode, blocks access to Artificial Intelligence Technology sites using FortiGuard. However, a guest user accessed a page in this category using port 8443. Which configuration changes are required for FortiGate to analyze HTTPS traffic on nonstandard ports like 8443 when full SSL inspection is active in the guest policy?. Add a URL wildcard domain to the website CA certificate and use it in the SSL/SSH Inspection Profile. In the Protocol Port Mapping section of the SSL/SSH Inspection Profile, enter 443, 8443 to analyze both standard (443) and non-standard (8443) HTTPS ports. To analyze nonstandard ports in web filter profiles, use TLSv1.3 in the SSL/SSH Inspection Profile. Administrators can block traffic on nonstandard ports by enabling the SNI check in the SSL/SSH Inspection Profile.

Why does the ISDB block layers 3 and 4 of the OSI model when applying content filtering? (Choose two.). FortiGate has a predefined list of all IPs and ports for specific applications downloaded from FortiGuard. The ISDB blocks the IP addresses and ports of an application predefined by FortiGuard. The ISDB works in proxy mode, allowing the analysis of packets in layers 3 and 4 of the OSI model. The ISDB limits access by URL and domain.

Refer to the exhibit, which contains the partial output of an OSPF command. An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit. Which statement on this FortiGate device is correct?. The FortiGate device can inject external routing information. The FortiGate device is in the area 0.0.0.5. The FortiGate device does not support OSPF ECMP. The FortiGate device is a backup designated router.

An administrator wants to scale the IBGP sessions and optimize the routing table in an IBGP network. Which parameter should the administrator configure?. network-import-check. ibgp-enforce-multihop. neighbor-group. route-reflector-client.

An administrator must enable direct communication between multiple spokes in a company's network. Each spoke has more than one internet connection. The requirement is for the spokes to connect directly without passing through the hub, and for the links to automatically switch to the best available connection. How can this automatic detection and optimal link utilization between spokes be achieved?. Set up OSPF routing over static VPN tunnels between spokes. Utilize ADVPN 2.0 to facilitate dynamic direct tunnels and automatic link optimization. Establish static VPN tunnels between spokes with predefined backup routes. Implement SD-WAN policies at the hub to manage spoke link quality.

Refer to the exhibit. A pre-run CLI template that is used in zero-touch provisioning (ZTP) and low-touch provisioning (LTP) with FortiManager is shown. The template is not assigned even though the configuration has already been installed on FortiGate. What is true about this scenario?. The administrator did not assign the template correctly when adding the model device because pre-CLI templates remain permanently assigned to the firewall. Pre-run CLI templates are automatically unassigned after their initial installation. Pre-run CLI templates for ZTP and LTP must be unassigned manually after the first installation to avoid conflicting error objects when importing a policy package. The administrator must use post-run CLI templates that are designed for ZTP and LTP.

Refer to the exhibit, which shows a partial enterprise network. An administrator would like the area 0.0.0.0 to detect the external network. What must the administrator configure?. Enable RIP redistribution on FortiGate B. Configure a distribute-route-map-in on FortiGate B. Configure a virtual link between FortiGate A and B. Set the area 0.0.0.l type to stub on FortiGate A and B.

Refer to the exhibit, which shows a command output. FortiGate_A and FortiGate_B are members of an FGSP cluster in an enterprise network. While testing the cluster using the ping command, the administrator monitors packet loss and found that the session output on FortiGate_B is as shown in the exhibit. What could be the cause of this output on FortiGate_B?. The session synchronization is encrypted. session-pickup-connectionless is set to disable on FortiGate_B. FortiGate_B is configured in passive mode. FortiGate_A and FortiGate_B have the same standalone-group-id value.

Refer to the exhibit, which contains a partial VPN configuration. What can you conclude from this VPN IPsec phase 1 configuration?. This configuration is the best for networks with regular traffic intervals, providing a balance between connectivity assurance and resource utilization. Peer IDs are unencrypted and exposed, creating a security risk. FortiGate will not add a route to its routing or forwarding information base when the dynamic tunnel is negotiated. A separate interface is created for each dial-up tunnel, which can be slower and more resource intensive, especially in large networks.

Refer to the exhibits. The exhibits show a network topology, a firewall policy, and an SSL/SSH inspection profile configuration. Why is FortiGate unable to detect HTTPS attacks on firewall policy ID 3 targeting the Linux server?. The administrator must set the policy to inspection mode to analyze the HTTPS packets as expected. The administrator must enable HTTPS in the protocol port mapping of the deep- inspection SSL/SSH inspection profile. The administrator must enable SSL inspection of the SSL server and upload the certificate of the Linux server website to the SSL/SSH inspection profile. The administrator must enable cipher suites in the SSL/SSH inspection profile to decrypt the message.

Refer to the exhibit, which shows the VDOM section of a FortiGate device. An administrator discovers that webfilter stopped working in Core1 and Core2 after a maintenance window. Which two reasons could explain why webfilter stopped working? (Choose two.). The root VDOM does not have access to FortiManager in a closed network. The root VDOM does not have a VDOM link to connect with the Corel and Core2 VDOMs. The Core1 and Core2 VDOMs must also be enabled as Management VDOMs to receive FortiGuard updates. The root VDOM does not have access to any valid public FDN.

Refer to the exhibit, which shows the HA status of an active-passive cluster. An administrator wants FortiGate_B to handle the Core2 VDOM traffic. Which modification must the administrator apply to achieve this?. The administrator must disable override on FortiGate_A. The administrator must change the priority from 100 to 160 for FortiGate_B. The administrator must change the load balancing method on FortiGate_B. The administrator must change the priority from 128 to 200 for FortiGate_B.

Refer to the exhibit, which shows theADVPNIPsec interface representing the VPN IPsec phase 1 from Hub A to Spoke 1 and Spoke 2, and from Hub # to Spoke 3 and Spoke 4. An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2. What must the administrator configure in the phase 1 VPN IPsec configuration of theADVPNtunnels?. set auto-discovery-sender enable and set network-id x. set auto-discovery-forwarder enable and set remote-as x. set auto-discovery-crossover enable and set enforce-multihop enable. set auto-discovery-receiver enable and set npu-offload enable.

Refer to the exhibit, which shows the packet capture output of a three-way handshake between FortiGate and FortiManager Cloud. What two conclusions can you draw from the exhibit? (Choose two.). FortiGate will receive a certificate that supports multiple domains because FortiManager operates in a cloud computing environment. FortiGate is connecting to the same IP server and will receive an independent certificate for its connection between FortiGate and FortiManager Cloud. If the TLS handshake contains 17 cipher suites it means the TLS version must be 1.0 on this three-way handshake. The wildcard for the domain *.fortinet-ca2.support.fortinet.com must be supported by FortiManager Cloud.