
Mi_Test_PEGT_03

Test title:
Mi_Test_PEGT_03

Description:
Practice test

Author:
YO

Creation date:
14/10/2022

Category:
Leisure

Number of questions: 52
Syllabus:
121. Refer to the exhibit. The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses. How does FortiGate process the traffic sent to http://www.fortinet.com? Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 1. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.
122. Which certificate value can FortiGate use to determine the relationship between the issuer and the certificate? Subject Key Identifier value. SMIME Capabilities value. Subject value. Subject Alternative Name value.
123. Refer to the exhibit, which contains a Performance SLA configuration. An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA? Participants configured are not SD-WAN members. There may not be a static route to route the performance SLA traffic. The Ping protocol is not supported for the public servers that are configured. You need to turn on the Enable probe packets switch.
124. Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal? By default, FortiGate uses WINS servers to resolve names. By default, the SSL VPN portal requires the installation of a client’s certificate. By default, split tunneling is enabled. By default, the admin GUI and SSL VPN portal use the same HTTPS port.
125. If the Services field is configured in a Virtual IP (VIP), which statement is true when central NAT is used? The Services field prevents SNAT and DNAT from being combined in the same policy. The Services field is used when you need to bundle several VIPs into VIP groups. The Services field removes the requirement to create multiple VIPs for different services. The Services field prevents multiple sources of traffic from using multiple services to connect to a single computer.
126. Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.) The firmware image must be manually uploaded to each FortiGate. Only secondary FortiGate devices are rebooted. Uninterruptible upgrade is enabled by default. Traffic load balancing is temporarily disabled while upgrading the firmware.
127. Refer to the exhibit. According to the certificate values shown in the exhibit, which type of entity was the certificate issued to? A user. A root CA. A bridge CA. A subordinate.
128. When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request? Remote user’s public IP address. The public IP address of the FortiGate device. The remote user’s virtual IP address. The internal IP address of the FortiGate device.
129. Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two.) FortiGate points the collector agent to use a remote LDAP server. FortiGate uses the AD server as the collector agent. FortiGate uses the SMB protocol to read the event viewer logs from the DCs. FortiGate queries AD by using the LDAP to retrieve user group information.
130. An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement? Configure Source IP Pools. Configure split tunneling in tunnel mode. Configure different SSL VPN realms. Configure host check.
131. If Internet Service is already selected as Destination in a firewall policy, which other configuration objects can be selected to the Destination field of a firewall policy? User or User Group. IP address. No other object can be added. FQDN address.
132. Which three authentication timeout types are available for selection on FortiGate? (Choose three.) hard-timeout. auth-on-demand. soft-timeout. new-session. idle-timeout.
133. Examine the IPS sensor configuration shown in the exhibit, and then answer the question below. An administrator has configured the WINDOWS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic. What is a possible reason for this? The IPS filter is missing the Protocol: HTTPS option. The HTTPS signatures have not been added to the sensor. A DoS policy should be used, instead of an IPS sensor. The firewall policy is not using a full SSL inspection profile.
134. View the exhibit: Which the FortiGate handle web proxy traffic rue? (Choose two.) Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10. port1-VLAN1 is the native VLAN for the port1 physical interface. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.
135. Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices? Root VDOM. FG-traffic VDOM. Customer VDOM. Global VDOM.
136. Examine this output from a debug flow: Why did the FortiGate drop the packet? The next-hop IP address is unreachable. It failed the RPF check. It matched an explicitly configured firewall policy with the action DENY. It matched the default implicit firewall policy.
137. Which statement is true about SSL VPN web mode? The tunnel is up while the client is connected. It supports a limited number of protocols. The external network application sends data through the VPN. It assigns a virtual IP address to the client.
138. When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improves functionality when a FortiGate is integrated with these devices? Log ID. Universally Unique Identifier. Policy ID. Sequence ID.
139. What is the primary FortiGate election process when the HA override setting is disabled? Connected monitored ports > System uptime > Priority > FortiGate Serial number. Connected monitored ports > HA uptime > Priority > FortiGate Serial number. Connected monitored ports > Priority > HA uptime > FortiGate Serial number. Connected monitored ports > Priority > System uptime > FortiGate Serial number.
140. Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.) The subject field in the server certificate. The serial number in the server certificate. The server name indication (SNI) extension in the client hello message. The subject alternative name (SAN) field in the server certificate. The host field in the HTTP header.
141. Refer to the FortiGuard connection debug output. Based on the output shown in the exhibit, which two statements are correct? (Choose two.) A local FortiManager is one of the servers FortiGate communicates with. One server was contacted to retrieve the contract information. There is at least one server that lost packets consecutively. FortiGate is using default FortiGuard communication settings.
142. Which Security rating scorecard helps identify configuration weakness and best practice violations in your network? Fabric Coverage. Automated Response. Security Posture. Optimization.
143. Refer to the exhibit, which contains a RADIUS server configuration. An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option. What will be the impact of using Include in every user group option in a RADIUS configuration? This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.
144. Which statement regarding the firewall policy authentication timeout is true? It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source IP. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this timer has expired. It is an idle timeout. The FortiGate considers a user to be “idle” if it does not see any packets coming from the user’s source MAC. It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this timer has expired.
145. An administrator is running the following sniffer command: diagnose sniffer packet any "host 192.1.68.2.12" 5 Which three pieces of information will be included in the sniffer output? (Choose three.) Interface name. Packet payload. Ethernet header. IP header. Application header.
146. Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two.) DNS. Ping. udp-echo. TWAMP.
147. Which three statements are true regarding session-based authentication? (Choose three.) HTTP sessions are treated as a single user. IP sessions from the same source IP address are treated as a single user. It can differentiate among multiple clients behind the same source IP address. It requires more resources. It is not recommended if multiple users are behind the source NAT.
148. Which of the following statements about central NAT are true? (Choose two.) IP pool references must be removed from existing firewall policies before enabling central NAT. Central NAT can be enabled or disabled from the CLI only. Source NAT, using central NAT, requires at least one central SNAT policy. Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall.
149. What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel? FortiGate automatically negotiates different local and remote addresses with the remote peer. FortiGate automatically negotiates a new security association after the existing security association expires. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.
150. Which statement about the IP authentication header (AH) used by IPsec is true? AH does not provide any data integrity or encryption. AH does not support perfect forward secrecy. AH provides data integrity but no encryption. AH provides strong data integrity but weak encryption.
151. Which security feature does FortiGate provide to protect servers located in the internal networks from attacks such as SQL injections? Denial of Service. Web application firewall. Antivirus. Application control.
152. An administrator has configured a route-based IPsec VPN between two FortiGate devices. Which statement about this IPsec VPN configuration is true? A phase 2 configuration is not required. This VPN cannot be used as part of a hub-and-spoke topology. A virtual IPsec interface is automatically created after the phase 1 configuration is completed. The IPsec firewall policies must be placed at the top of the list.
153. What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.) Traffic to botnet servers. Traffic to inappropriate web sites. Server information disclosure attacks. Credit card data leaks. SQL injection attacks.
154. Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.) Web filter in flow-based inspection. Antivirus in flow-based inspection. DNS filter. Web application firewall. Application control.
155. Refer to the exhibit. Based on the raw log, which two statements are correct? (Choose two.) Traffic is blocked because Action is set to DENY in the firewall policy. Traffic belongs to the root VDOM. This is a security log. Log severity is set to error on FortiGate.
156. FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy. Which two other security profiles can you apply to the security policy? (Choose two.) Antivirus scanning. File filter. DNS filter. Intrusion prevention.
157. Examine the exhibit, which contains a virtual IP and firewall policy configuration. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24. The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address. Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24? 10.200.1.10 Any available IP address in the WAN (port1) subnet 10.200.1.0/24 10.200.1.1 10.0.1.254.
158. Examine the two static routes shown in the exhibit, then answer the following question. Which of the following is the expected FortiGate behavior regarding these two routes to the same destination? FortiGate will load balance all traffic across both routes. FortiGate will use the port1 route as the primary candidate. FortiGate will route twice as much traffic to the port2 route. FortiGate will only actuate the port1 route in the routing table.
159. Which two types of traffic are managed only by the management VDOM? (Choose two.) FortiGuard web filter queries. PKI. Traffic shaping. DNS.
160. Which two statements are correct about a software switch on FortiGate? (Choose two.) It can be configured only when FortiGate is operating in NAT mode. Can act as a Layer 2 switch as well as a Layer 3 router. All interfaces in the software switch share the same IP address. It can group only physical interfaces.
161. Refer to the exhibit. The exhibit contains a network diagram, central SNAT policy, and IP pool configuration. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24. A firewall policy is configured to allow to destinations from LAN (port3) to WAN (port1). Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied. Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)? 10.200.1.149 10.200.1.1 10.200.1.49 10.200.1.99.
162. Which feature in the Security Fabric takes one or more actions based on event triggers? Fabric Connectors. Automation Stitches. Security Rating. Logical Topology.
163. An organization’s employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure? Change the session-ttl. Change the login timeout. Change the idle-timeout. Change the udp idle timer.
164. Examine this FortiGate configuration: Examine the output of the following debug command: Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection? It is allowed, but with no inspection. It is allowed and inspected as long as the inspection is flow based. It is dropped. It is allowed and inspected, as long as the only inspection required is antivirus.
165. Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA? The public key of the web server certificate must be installed on the browser. The web-server certificate must be installed on the browser. The CA certificate that signed the web-server certificate must be installed on the browser. The private key of the CA certificate that signed the browser certificate must be installed on the browser.
166. Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.) This is known as many-to-one NAT. Source IP is translated to the outgoing interface IP. Connections are tracked using source port and source MAC address. Port address translation is not used.
167. Consider the topology: Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server. An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout. The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN. What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.) Set the maximum session TTL value for the TELNET service object. Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes. Create a new service object for TELNET and set the maximum session TTL. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.
168. Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.) Heartbeat interfaces have virtual IP addresses that are manually assigned. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster. Virtual IP addresses are used to distinguish between cluster members. The primary device in the cluster is always assigned IP address 169.254.0.1.
169. Which two actions can you perform only from the root FortiGate in a Security Fabric? (Choose two.) Shut down/reboot a downstream FortiGate device. Disable FortiAnalyzer logging for a downstream FortiGate device. Log in to a downstream FortiSwitch device. Ban or unban compromised hosts.
170. What devices form the core of the security fabric? Two FortiGate devices and one FortiManager device. One FortiGate device and one FortiManager device. Two FortiGate devices and one FortiAnalyzer device. One FortiGate device and one FortiAnalyzer device.
171. Refer to the exhibit, which contains a network diagram and routing table output. The Student is unable to access Webserver. What is the cause of the problem and what is the solution for the problem? The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 10.0.4.0/24 through wan1. The first reply packet for Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3. The first packet sent from Student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.
172. A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request? Implement a web filter category override for the specified website. Implement a DNS filter for the specified website. Implement web filter quotas for the specified website. Implement web filter authentication for the specified website.