MATIMATICAS II

A vulnerability scan report has revealed that a user has generated traffic to the website example.com (10.10.10.10) using a weak SSL/TLS version supported by the HTTPS web server. What can the firewall administrator do to block all outdated SSL/TLS versions on any HTTPS web server to prevent possible attacks on user traffic?. Configure the unsupported SSL version and set the minimum allowed SSL version in the HTTPS settings of the SSL/SSH inspection profile. Enable auto-detection of outdated SSL/TLS versions in the SSL/SSH inspection profile to block vulnerable websites. Install the required certificate in the client's browser or use Active Directory policies to block specific websites as defined in the SSL/SSH inspection profile. Use the latest certificate, Fortinet_SSL_ECDSA256, and replace the CA certificate in the SSL/SSH inspection profile.

Refer to the exhibit, which shows a partial troubleshooting command output. An administrator is extensively using IPsec on FortiGate. Many tunnels show information similar to the output shown in the exhibit. What can the administrator conclude?. IPsec SAs cannot be offloaded. The two IPsec SAs, inbound and outbound, are copied to the NPU. Only the outbound IPsec SA is copied to the NPU. Only the inbound IPsec SA is copied to the NPU.

Refer to the exhibit, which shows the FortiGuard Distribution Network of a FortiGate device. FortiGuard Distribution Network on FortiGate An administrator is trying to find the web filter database signature on FortiGate to resolve issues with websites not being filtered correctly in a flow-mode web filter profile. Why is the web filter database version not visible on the GUI, such as with IPS definitions?. The web filter database is stored locally, but the administrator must run over CLI diagnose autoupdate versions. The web filter database is stored locally on FortiGate, but it is hidden behind the GUI. It requires enabling debug mode to make it visible. The web filter database is not hosted on FortiGate: FortiGate queries FortiGuard or FortiManager for web filter ratings on demand. The web filter database is only accessible after manual syncing with a valid FDS server using diagnose test update info.

Refer to the exhibits. The Administrators section of a root FortiGate device and the Security Fabric Settings section of a downstream FortiGate device are shown. When prompted to sign in with Security Fabric in the downstream FortiGate device, a user enters the AdminSSO credentials. What is the next status for the user?. The user is prompted to create an SSO administrator account for AdminSSO. The user receives an authentication failure message. The user accesses the downstream FortiGate with super_admin_readonly privileges. The user accesses the downstream FortiGate with super_admin privileges.

During the maintenance window, an administrator must sniff all the traffic going through a specific firewall policy, which is handled by NP6 interfaces. The output of the sniffer trace provides just a few packets. Why is the output of sniffer trace limited?. The traffic corresponding to the firewall policy is encrypted. Auto-asic-off load is set to enable in the firewall policy,. Inspection-mode is set to proxy in the firewall policy. The option npudbg is not added in the diagnose sniff packet command.

An administrator must minimize CPU and RAM use on a FortiGate firewall while also enabling essential security features, such as web filtering and application control for HTTPS traffic. Which SSL inspection setting helps reduce system load while also enabling security features, such as web filtering and application control for encrypted HTTPS traffic?. Use full SSL inspection to thoroughly inspect encrypted payloads. Disable SSL inspection entirely to conserve resources. Configure SSL inspection to handle HTTPS traffic efficiently. Enable SSL certificate inspection mode to perform basic checks without decrypting traffic.

Refer to the exhibit. The routing tables of FortiGate_A and FortiGate_B are shown. FortiGate_A and FortiGate_B are in the same autonomous system. The administrator wants to dynamically add only route 172.16.1.248/30 on FortiGate_A. What must the administrator configure?. The prefix 172.16.1.248/30 in the BGP Networks section on FortiGate_B. A BGP route map out for 172.16.1.248/30 on FortiGate_B. Enable Redistribute Connected in the BGP section on FortiGate_B. A BGP route map in for 172.16.1.248/30 on FortiGate_A.

Refer to the exhibit, which shows a corporate network and a new remote office network. An administrator must integrate the new remote office network with the corporate enterprise network. What must the administrator do to allow routing between the two networks?. The administrator must implement BGP to inject the new remote office network into the corporate FortiGate device. The administrator must configure a static route to the subnet 192.168.1.0/24 on the corporate FortiGate device. The administrator must configure virtual links on both FortiGate devices. The administrator must implement OSPF over IPsec on both FortiGate devices.

The IT department discovered during the last network migration that all zero phase selectors in phase 2 IPsec configurations impacted network operations. What are two valid approaches to prevent this during future migrations? (Choose two.). Use routing protocols to specify allowed subnets over the tunnel. Configure an IPsec-aggregate to create redundancy between each firewall peer. Clearly indicate to the VPN which segments will be encrypted in the phase two selectors. Configure an IP address on the IPsec interface of each firewall to establish unique peer connections and avoid impacting network operations.

Refer to the exhibit, which shows an ADVPN network. The client behind Spoke-1 generates traffic to the device located behind Spoke-2. What is the first message that the hub sends to Spoke-1 to bring up the dynamic tunnel?. Shortcut query. Shortcut offer. Shortcut reply. Shortcut forward.

Refer to the exhibit, which shows an ADVPN network An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2. What two options must the administrator configure in BGP? (Choose two.). set ebgp-enforce-multihop enable. set next-hop-self enable. set ibgp-enforce-multihop advpn. set attribute-unchanged next-hop.

Refer to the exhibit, which shows the ADVPN network topology and partial BGP configuration. Which two parameters must an administrator configure in the config neighbor range for spokes shown in the exhibit? (Choose two.). set max-neighbor-num 2. set neighbor-group advpn. set route-reflector-client enable. set prefix 172.16.1.0 255.255.255.0.

What is the initial step performed by FortiGate when handling the first packets of a session?. Installation of the session key in the network processor (NP). Data encryption and decryption. Security inspections such as ACL, HPE, and IP integrity header checking. Offloading the packets directly to the content processor (CP).

Which two statements about IKEv2 are true if an administrator decides to implement IKEv2 in the VPN topology? (Choose two.). It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups. It supports interoperability with devices using IKEv1. It exchanges a minimum of two messages to establish a secure tunnel. It supports the extensible authentication protocol (EAP).

Refer to the exhibit, which shows a physical topology and a traffic log. The administrator is checking on FortiAnalyzer traffic from the device with IP address10.1.10.1, located behind the FortiGate ISFW device. The firewall policy in on the ISFW device does not have UTM enabled and the administrator is surprised to see a log with the action Malware , as shown in the exhibit. What are the two reasons FortiAnalyzer would display this log? (Choose two.). Security rating is enabled in ISFW. ISFW is in a Security Fabric environment. ISFW is not connected to FortiAnalyzer and must go through NGFW-1. The firewall policy in NGFW-1 has UTM enabled.

How will configuring set tcp-mss-sender and set tcp-mss-receiver in a firewall policy affect the size and handling of TCP packets in the network?. The maximum segment size permitted in the firewall policy determines whether TCP packets are allowed or denied. Applying commands in a firewall policy determines the largest payload a device can handle in a single TCP segment. The administrator must consider the payload size of the packet and the size of the IP header to configure a correct value in the firewall policy. The TCP packet modifies the packet size only if the size of the packet is less than the one the administrator configured in the firewall policy.

An administrator must standardize the deployment of FortiGate devices across branches with consistent interface roles and policy packages using FortiManager. What is the recommended best practice for interface assignment in this scenario?. Enable metadata variables to use dynamic configurations in the standard interfaces of FortiManager. Use the Install On feature in the policy package to automatically assign different interfaces based on the branch. Create interfaces using device database scripts to use them on the same policy package of FortiGate devices. Create normalized interface types per-platform to automatically recognize device layer interfaces based on the FortiGate model and interface name.

Refer to the exhibit, which shows a network diagram showing the addition of site 2 with an overlapping network segment to the existing VPN IPsec connection between the hub and site 1. Which IPsec phase 2 configuration must an administrator make on the FortiGate hub to enable equal-cost multi-path (ECMP) routing when multiple remote sites connect with overlapping subnets?. Set route-overlap to either use-new or use-old. Set net-device to ecmp. Set single-source to enable. Set route-overlap to allow.

An administrator needs to install an IPS profile without triggering false positives that can impact applications and cause problems with the user's normal traffic flow. Which action can the administrator take to prevent false positives on IPS analysis?. Use the IPS profile extension to select an operating system, protocol, and application for all the network internal services and users to prevent false positives. Enable Scan Outgoing Connections to avoid clickingsuspicious links or attachments that can deliver botnet malware and create false positives. Use an IPS profile with action monitor, however, the administrator must be aware that this can compromise network integrity. Install missingor expired SSUTLS certificates on the client PC to prevent expected false positives.

Refer to the exhibit, which shows an enterprise network connected to an internet service provider. An administrator must configure a loopback as a BGP source to connect to the ISP. Which two commands are required to establish the connection? (Choose two.). ebgp-enforce-multihop. update-source. ibgp-enforce-multihop. recursive-next-hop.

Refer to the exhibit, which shows a hub and spokes deployment. An administrator is deploying several spokes, including the BGP configuration for the spokes to connect to the hub. Which two commands allow the administrator to minimize the configuration? (Choose two.). neighbor-group. route-reflector-client. neighbor-range. ibgp-enforce-multihop.

An administrator configured the FortiGate devices in an enterprise network to join the Fortinet Security Fabric. The administrator has a list of IP addresses that must be blocked by the data center firewall. This list is updated daily. How can the administrator automate a firewall policy with the daily updated list?. With FortiNAC. With FortiAnalyzer. With a Security Fabric automation. With an external connector from Threat Feeds.

An administrator applied a block-all IPS profile for client and server targets to secure the server, but the database team reported the application stopped working immediately after. How can an administrator apply IPS in a way that ensures it does not disrupt existing applications in the network?. Use an IPS profile with all signatures in monitor mode and verify patterns before blocking. Limit the IPS profile to server targets only to avoid blocking connections from the server to clients. Select flow mode in the IPS profile to accurately analyze application patterns. Set the IPS profile signature action to default to discard all possible false positives.

An administrator needs to inspect HTTPS traffic without overloading FortiGate resources. Which SSL/SSH inspection mode should be configured to achieve this goal while maintaining security visibility?. Full SSL inspection. SSL certificate inspection. No inspection. Deep certificate validation.

An administrator configures OSPF between two FortiGate devices. However, the OSPF neighbor relationship remains in the INIT state. What is the most likely reason?. The OSPF interfaces are configured in different areas. The network type on one side is broadcast and on the other side is point-to-point. OSPF authentication keys are mismatched. The OSPF priority on both sides is zero.

Which two statements about FortiGate session helpers are correct? (Choose two.). Session helpers dynamically open secondary ports for specific protocols such as FTP and SIP. Session helpers only apply to UDP traffic. Disabling session helpers for SIP prevents FortiGate from handling NAT traversal. Session helpers must be manually enabled in every firewall policy.

An administrator wants to restrict BGP neighbors to a defined subnet without manually adding each one. Which configuration should be used?. neighbor-group. prefix-list. neighbor-range. route-map.

In an HA active-passive cluster, what occurs if the heartbeat interfaces fail simultaneously on both units?. Both FortiGates become active, causing a split-brain situation. The cluster remains operational without failover. Both FortiGates reboot automatically to recover. The primary unit forces all traffic to secondary via link monitor.

An administrator configured a firewall policy with IPS, Application Control, and Web Filter. Users report slower browsing performance. Which configuration change can optimize performance without compromising security?. Switch inspection mode from proxy to flow. Disable all SSL inspection profiles. Enable only antivirus in the policy. Disable session TTL checks.

An administrator must ensure that FortiGate can receive updated threat intelligence feeds from an external source every hour. Which feature should be used?. Automation Stitch. Threat Feeds connector. FortiAnalyzer event handler. FortiManager scheduled script.

When deploying FortiGate devices across multiple branch offices using FortiManager, which method allows dynamic interface and address configuration per site?. Per-device mapping. Metadata variables. Device ADOM separation. Local script overrides.

Which two statements about FortiGate flow of packets are correct? (Choose two.). The first packet of a new session is processed by the CPU. Subsequent packets in the same session are offloaded to the NP. The session table is built only after the second packet arrives. Hardware acceleration bypasses session creation.

An administrator notices that traffic matching a security policy with "auto-asic-offload enable" does not appear in the sniffer output. Why?. NP-accelerated traffic bypasses the CPU, so it cannot be captured. The traffic is encrypted with IPsec and therefore invisible to the sniffer. The sniffer is configured for proxy mode only. The policy log setting is disabled.

An administrator configures SD-WAN health checks using latency and jitter thresholds. Which SD-WAN member will FortiGate prefer?. The link with the lowest packet loss rate. The link that meets SLA thresholds and has the lowest latency. The link with the highest bandwidth value. The link with the lowest administrative cost.

An administrator is designing an ADVPN network for a large enterprise with spokes that have varying numbers of internet links. They want to avoid a high number of routes and peer connections at the hub. Which method should be used to simplify routing and peer management?. Deploy a full-mesh VPN topology to eliminate hub dependency. Implement static routing over IPsec interfaces for each spoke. Use a dynamic routing protocol using loopback interfaces to streamline peers and routes. Establish a traditional hub-and-spoke VPN topology with policy routes.