You are configuring the root FortiGate to implement the security fabric. You are configuring port10 to communicate with a downstream FortiGate. View the default Edit Interface in the exhibit below:
When configuring the root FortiGate to communicate with a downstream FortiGate, which settings are
required to be configured? (Choose two.) Device detection enabled. Administrative Access: FortiTelemetry. IP/Network Mask. Role: Security Fabric.
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request? remote user’s public IP address The public IP address of the FortiGate device. The remote user’s virtual IP address. The internal IP address of the FotiGate device.
Examine this output from a debug flow:
Why did the FortiGate drop the packet? The next-hop IP address is unreachable. It failed the RPF check. It matched an explicitly configured firewall policy with the action DENY. It matched the default implicit firewall policy.
Examine the exhibit, which shows the output of a web filtering real time debug.
Why is the site www.bing.com being blocked? The web site www.bing.com is categorized by FortiGuard as Malicious Websites. The user has not authenticated with the FortiGate yet. The web server IP address 204.79.197.200 is categorized by FortiGuard as Malicious Websites. The rating for the web site www.bing.com has been locally overridden to a category that is being blocked.
View the exhibit:
Which statement about the exhibit is true? (Choose two.) Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10. port-VLAN1 is the native VLAN for the port1 physical interface. port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs. Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.
Which of the following statements about backing up logs from the CLI and downloading logs from the GUI are true? (Choose two.) Log downloads from the GUI are limited to the current log filter view Log backups from the CLI cannot be restored to another FortiGate. Log backups from the CLI can be configured to upload to FTP at a scheduled time Log downloads from the GUI are stored as LZ4 compressed files.
Examine the network diagram shown in the exhibit, then answer the following question:
Which one of the following routes is the best candidate route for FGT1 to route traffic from the Workstation to the Web server? 172.16.0.0/16 [50/0] via 10.4.200.2, port2 [5/0] 0.0.0.0/0 [20/0] via 10.4.200.2, port2 10.4.200.0/30 is directly connected, port2 172.16.32.0/24 is directly connected, port1.
A team manager has decided that while some members of the team need access to particular website,
the majority of the team does not.
Which configuration option is the most effective option to support this request? Implement a web filter category override for the specified website. Implement web filter authentication for the specified website Implement web filter quotas for the specified website. Implement DNS filter for the specified website.
Examine this output from a debug flow:
Which statements about the output are correct? (Choose two.) FortiGate received a TCP SYN/ACK packet. The source IP address of the packet was translated to 10.0.1.10. FortiGate routed the packet through port 3. The packet was allowed by the firewall policy with the ID 00007fc0.
Examine this FortiGate configuration:
How does the FortiGate handle web proxy traffic coming from the IP address 10.2.1.200 that requires authorization? It always authorizes the traffic without requiring authentication. It drops the traffic. It authenticates the traffic using the authentication scheme SCHEME2. It authenticates the traffic using the authentication scheme SCHEME1.
Which of the following statements are best practices for troubleshooting FSSO? (Choose two.) Include the group of guest users in a policy. Extend timeout timers. Guarantee at least 34 Kbps bandwidth between FortiGate and domain controllers. Ensure all firewalls allow the FSSO required ports.
Which statements about antivirus scanning mode are true? (Choose two.) In proxy-based inspection mode antivirus buffers the whole file for scarring before sending it to the client. In flow-based inspection mode, you can use the CLI to configure antivirus profiles to use protocol option profiles. In proxy-based inspection mode, if a virus is detected, a replacement message may not be displayed immediately. In quick scan mode, you can configure antivirus profiles to use any of the available signature data bases.
In a high availability (HA) cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate? Client > primary FortiGate> secondary FortiGate> primary FortiGate> web server. Client > secondary FortiGate> web server. Client >secondary FortiGate> primary FortiGate> web server. Client> primary FortiGate> secondary FortiGate> web server.
An administrator is configuring an IPsec between site A and site B. The Remotes Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.16.1.0/24 and the remote quick mode selector is 192.16.2.0/24.
How must the administrator configure the local quick mode selector for site B? 192.168.3.0.24 192.168.2.0.24 192.168.1.0.24 192.168.0.0.8.
Which of the following are purposes of NAT traversal in IPsec? (Choose two.) To delete intermediary NAT devices in the tunnel path. To dynamically change phase 1 negotiation mode aggressive mode. To encapsulation ESP packets in UDP packets using port 4500. To force a new DH exchange with each phase 2 rekey.
Which of the following statements correctly describes FortiGates route lookup behavior when searching for a suitable gateway? (Choose two) Lookup is done on the trust packet from the session originator Lookup is done on the last packet sent from the re spender Lookup is done on every packet, regardless of direction Lookup is done on the trust reply packet from the re spender.
Examine the two static routes shown in the exhibit, then answer title following question.
Which of the following is the expected FortiGate behavior regarding these two routes to the same destination? FortiGate will load balance all traffic across both routes. FortiGate will use the port1 route as the primary candidate. FortiGate will route twice as much traffic to the port2 route FortiGate will only actuate the portl route m tlie routing table.
Which of the following statements about central NAT are true? (Choose two.) IP tool references must be removed from existing firewall policies before enabling central NAT. Central NAT can be enabled or disabled from the CLI only. Source NAT, using central NAT, requires at least one central SNAT policy. Destination NAT, using central NAT, requires a VIP object as the destination.
An administrator wants to create a policy-based IPsec VPN tunnel between two FortiGate devices
Winch configuration steps must be performed on both devices to support this scenario? (Choose three.) Define the phase 1 parameters, without enabling IPsec interface mode Define the phase 2 parameters. Set the phase 2 encapsulation method to transport mode Define at least one firewall policy, with the action set to IPsec. Define a route to the remote network over the IPsec tunnel.
Which of the following statements about NTLM authentication are correct? (Choose two.) It is useful when users log in to DCs that are not monitored by a collector agent. It takes over as the primary authentication method when configured alongside FSSO. Multi-domain environments require DC agents on every domain controller. NTLM-enabled web browsers are required.
View the certificate shown to the exhibit, and then answer the following question:
The CA issued this certificate to which entity? A root CA A person A bridge CA A subordinate CA.
Why does FortiGate keep TCP sessions in the session table for some seconds even after both sides (client and server) have terminated the session? To remove the NAT operation. To generate logs To finish any inspection operations. To allow for out-of-order packets that could arrive after the FIN/ACK packets.
A FortiGate is operating in NAT mode and configured with two virtual LAN (VLAN) sub interfaces
added to the physical interface.
Which statements about the VLAN sub interfaces can have the same VLAND ID, only if they have IP addresses in different subnets. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in different subnets. The two VLAN sub interfaces must have different VLAN IDs. The two VLAN sub interfaces can have the same VLAN ID, only if they belong to different VDOMs. The two VLAN sub interfaces can have the same VLAN ID, only if they have IP addresses in the same subnet.
You mc tasked to design a new IPsec deployment with the following criteria:
- There are two HQ sues that all satellite offices must connect to
- The satellite offices do not need to communicate directly with other satellite offices
- No dynamic routing will be used
- The design should minimize the number of tannels being configured.
Winch topology should be used to satisfy all of the requirements? Partial mesh Hub-and-spoke Fully meshed Redundant.
Which of the following statements is true regarding SSL VPN settings for an SSL VPN portal? By default, FortiGate uses WINS servers to resolve names. By default, the SSL VPN portal requires the installation of a client’s certificate. By default, split tunneling is enabled. By default, the admin GUI and SSL VPN portal use the same HTTPS port.
Which of the following conditions roust be met in order for a web browser to trust a web server certificate signed by a third-party CA? The web-server certificate DM be installed on the browser The public key of the web server certificate must be installed on die browser The CA certificate that signed the web-server certificate inutile installed on the browser The private key of the CA certificate that signed the browser certificate must be installed on the browser.
An administrator has configured the following settings:
What does the configuration do? (Choose two.) Reduces the amount of logs generated by denied traffic. Enforces device detection on all interfaces for 30 minutes. Blocks denied users for 30 minutes. Creates a session for traffic being denied.
An administrator observes that the port1 interface cannot be configured with an IP address.
What can be the reasons for that? (Choose three.) The interface has been configured for one-arm sniffer. The interface is a member of a virtual wire pair. The operation mode is transparent. The interface is a member of a zone. Captive portal is enabled in the interface.
What information is flushed when the chunk-size value is changed in the config dlp settings? The database for DLP document fingerprinting The supported file types in the DLP filters The archived files and messages The file name patterns in the DLP filters.
Which is the correct description of a hash result as it relates to digital certificates? A unique value used to verify the input data An output value that is used to identify the person or deuce that authored the input data. An obfuscation used to mask the input data. An encrypted output value used to safe-guard die input data.
Examine the exhibit, which shows the partial output of an IKE real-time debug.
Which of the following statement about the output is true? The VPN is configured to use pre-shared key authentication. Extended authentication (XAuth) was successful. Remote is the host name of the remote IPsec peer. Phase 1 went down.
Examine the network diagram shown in the exhibit, and then answer the following question:
A firewall administrator must configure equal cost multipath (ECMP) routing on FGT1 to ensure both port1
and port3 links are used at the same time for all traffic destined for 172.20.2.0/24.
Which of the following static routes will satisfy this requirement on FGT1? (Choose two.) 172.20.2.0/24 (1/0) via 10.10.1.2, port1 [0/0] 172.20.2.0/24 (25/0) via 10.10.3.2, port3 [5/0] 172.20.2.0/24 (1/150) via 10.10.3.2, port3 [10/0] 172.20.2.0/24 (1/150) via 10.30.3.2, port3 [10/0].
On a FortiGate with a hard disk, how can you upload logs to FortiAnalyzer or FortiManager? (Choose two.) hourly real tune on-demand store-and-upload.
Examine this FortiGate configuration: Imagen 1
Examine the output of the following debug command: Imagen 2
Based on the diagnostic outputs above, how is the FortiGate handling the traffic for new sessions that require inspection? It is allowed, but with no inspection It is allowed and inspected as long as the inspection is flow based It is dropped. It is allowed and inspected, as long as the only inspection required is antivirus.
When using WPAD DNS method, winch FQDN format do browsers use to query the DNS server? srv_proxy.<local-domain>/wpad.dat srv_tcp.wpad.<local-domain> wpad.<local-domain> proxy.<local-domain>/wpad.
Examine the IPS sensor configuration and forward traffic logs shown in the exhibit; then, answer the question below.
An administrator has configured the WINDOS_SERVERS IPS sensor in an attempt to determine whether the influx of HTTPS traffic is an attack attempt or not. After applying the IPS sensor, FortiGate is still not generating any IPS logs for the HTTPS traffic.
What is a possible reason for this? The IPS filter is missing the Protocol: HTTPS option. The HTTPS signatures have not been added to the sensor. A DoS policy should be used, instead of an IPS sensor. A DoS policy should be used, instead of an IPS sensor. The firewall policy is not using a full SSL inspection profile.
What types of traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.) Traffic to botnet servers Traffic to inappropriate web sites Server information disclosure attacks Credit card data leaks SQL injection attacks.
Which statement about DLP on FortiGate is true? It can archive files and messages. It can be applied to a firewall policy in a flow-based VDOM Traffic shaping can be applied to DLP sensors. Files can be sent to FortiSandbox for detecting DLP threats.
Examine this PAC file configuration.
Which of the following statements are true? (Choose two.) Browsers can be configured to retrieve this PAC file from the FortiGate. Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy. All requests not made to Fortinet.com or the 172.25.120.0/24 subnet, have to go through altproxy.corp.com: 8060. Any web request fortinet.com is allowed to bypass the proxy.
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.) The firmware image must be manually uploaded to each FortiGate. Only secondary FortiGate devices are rebooted. Uninterruptable upgrade is enabled by default. Traffic load balancing is temporally disabled while upgrading the firmware.
Which statements best describe auto discovery VPN (ADVPN). (Choose two.) It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes. ADVPN is only supported with IKEv2. Tunnels are negotiated dynamically between spokes. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.
An administrator needs to create an SSL-VPN connection for accessing an internal server using the bookmark Port Forward.
What step is required for this configuration? Configure an SSL VPN realm for clients to use the port forward bookmark. Configure the client application to forward IP traffic through FortiClient. Configure the virtual IP address to be assigned t the SSL VPN users. Configure the client application to forward IP traffic to a Java applet proxy.
What FortiGate configuration is required to actively prompt users for credentials? You must enable one or more protocols that support active authentication on a firewall policy You must position the firewall policy for active authentication before a firewall policy foe passive authentication You must assign users to a group for active authentication You must enable the Authentication setting on the firewall policy.
Which statements are true regarding firewall policy NAT using the outgoing interface IP address with fixed port disabled? (Choose two.) This is known as many-to-one NAT. Source IP is translated to the outgoing interface IP. Connections are tracked using source port and source MAC address. Port address translation is not used.
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to? A CRL A person A subordinate CA A root CA.
What is the limitation of using a URL list and application control on the same firewall policy, in NCFW policy-based mode? It limits the scope of application control to the browser-based technology category only. It limits the scope of application control to scan application traffic based on application category only. It limits the scope of application control to scan application traffic using parent signatures only It limits the scope of application control to scan application traffic on DNS protocol only.
The FSSO Collector Agent set to advanced access mode for the Windows Active Directory uses which of the following? LDAP convention NTLM convention Windows convention - NetBios: Domain\Usemame RSSO convention.
Examine the following web filtering log.
Which statement about the log message is true? The action for the category Games is set to block. The usage quota for the IP address 10.0.1.10 has expired. The name of the applied web filter profile is default. The web site miniclip.com matches a static URL filter whose action is set to Warning.
Which of the following SD-WAN load –balancing method use interface weight value to distribute traffic? (Choose two.) Source IP Spillover Volume Session.
Which is a requirement for creating an inter-VDOM link between two VDOMs? The inspection mode of at least one VDOM must be proxy-based. At least one of the VDOMs must operate in NAT mode. The inspection mode of both VDOMs must match. Both VDOMs must operate in NAT mode.
Which statement regarding the firewall policy authentication timeout is true? It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source IP. It is a hard timeout. The FortiGate removes the temporary policy for a user's source IP address after this timer has expired. It is an idle timeout. The FortiGate considers a user to be "idle" if it does not see any packets coming from the user's source MAC. It is a hard timeout. The FortiGate removes the temporary policy for a user's source MAC address after this timer has expired.
Examine the exhibit, which contains a virtual IP and firewall policy configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.
The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is
configured with a VIP as the destination address.
Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24? 10.200.1.10 Any available IP address in the WAN (port1) subnet 10.200.1.0/24 10.200.1.1 10.0.1.254.
What FortiGate components are tested during the hardware test? (Choose three.) Administrative access HA heartbeat CPU Hard disk Network interfaces.
How do you format the FortiGate flash disk? Load a debug FortiOS image. Load the hardware test (HQIP) image. Execute the CLI command execute formatlogdisk. Select the format boot device option from the BIOS menu.
Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.) Warning Exempt Allow Learn.
Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question below.
When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first? SMTP.Login.Brute.Force IMAP.Login.brute.Force ip_src_session Location: server Protocol: SMTP.
NGFW mode allows policy-based configured for most impaction rules.
Which security profile’s configuration does not change when you enable policy-based impaction? Antivirus Web proxy Web filtering Application control.
Which of the following FortiGate configuration tasks will create a route in the policy route table? (Choose two.) Static route created with a Named Address object Static route created with an Internet Services object SD-WAN route created for individual member interfaces SD-WAN rule created to route traffic based on link latency.
Which statement about the IP authentication header (AH) used by IPsec is true? AH does not provide any data integrity or encryption. AH does not support perfect forward secrecy. AH provides data integrity but no encryption. AH provides strong data integrity but weak encryption.
If the Services field is configured in a Virtual IP (VIP), which of the following statements is true when central NAT is used? The Services field removes the requirement of creating multiple VIPs for different services. The Services field is used when several VIPs need to be bundled into VIP groups. The Services field does not allow source NAT and destination NAT to be combined in the same policy. The Services field does not allow multiple sources of traffic, to use multiple services, to connect to a single computer.
|
