What is the maximum number of different virus databases a FortiGate can have?
A. 5 B. 2 C. 3 D. 4.
Which of the following are possible actions for static URL filtering? A. Allow B. Block C. Exempt D. Warning E. Shape.
Which of the following statements are true regarding the web filtering modes? (Choose two.) A. Proxy based mode allows for customizable block pages to display when sites are prevented. B. Proxy based mode requires more resources than flow-based. C. Flow based mode offers more settings under the advanced configuration section of the GUI. D. Proxy based mode offers higher throughput than flow-based mode.
Review the exhibit of an explicit proxy policy configuration.
If there is a proxy connection attempt coming from the IP address 10.0.1.5, and from a user that has not authenticated yet, what action does the FortiGate proxy take? A. User is prompted to authenticate. Traffic from the user Student will be allowed by the policy #1. Traffic from any other user will be allowed by the policy #2. B. User is not prompted to authenticate. The connection is allowed by the proxy policy #2. C. User is not prompted to authenticate. The connection will be allowed by the proxy policy #1. D. User is prompted to authenticate. Only traffic from the user Student will be allowed. Traffic from any other user will be blocked.
Which protocol can an Internet browser use to download the PAC file with the web proxy configuration? A. HTTPS B. FTP C. TFTP D. HTTP.
Which are the three different types of Conserve Mode that can occur on a FortiGate device? (Choose three.) A. Proxy B. Operating system C. Kernel D. System E. Device.
What is longest length of time allowed on a FortiGate device for the virus scan to complete? A. 20 seconds B. 30 seconds C. 45 seconds D. 10 seconds.
Files reported as "suspicious" were subject to which Antivirus check"? A. Grayware B. Virus C. Sandbox D. Heuristic.
Which type of conserve mode writes a log message immediately, rather than when the device exits conserve mode? A. Kernel B. Proxy C. System D. Device.
Files that are larger than the oversized limit are subjected to which Antivirus check? A. Grayware B. Virus C. Sandbox D. Heuristic.
Which of the following options best defines what Diffie-Hellman is? A. A symmetric encryption algorithm. B. A "key-agreement" protocol. C. A "Security-association-agreement" protocol. D. An authentication algorithm.
How many packets are interchanged between both IPSec ends during the negotiation of a main-mode phase 1? A. 5
B. 3
C. 2
D. 6.
Which of the following IKE modes is the one used during the IPsec phase 2 negotiation? A. Aggressive mode B. Quick mode C. Main mode D. Fast mode.
Which of the following statements are true about IPsec VPNs? (Choose three.) A. IPsec increases overhead and bandwidth. B. IPsec operates at the layer 2 of the OSI model. C. End-user’s network applications must be properly pre-configured to send traffic across the IPsec VPN. D. IPsec protects upper layer protocols. E. IPsec operates at the layer 3 of the OSI model.
Which of the following statements is true regarding the TCP SYN packets that go from a client, through an implicit web proxy (transparent proxy), to a web server listening at TCP port 80? (Choose three.) A. The source IP address matches the client IP address. B. The source IP address matches the proxy IP address. C. The destination IP address matches the proxy IP address. D. The destination IP address matches the server IP addresses. E. The destination TCP port number is 80.
Which of the following statements is true regarding the use of a PAC file to configure the web proxy settings in an Internet browser? (Choose two.) A. More than one proxy is supported. B. Can contain a list of destinations that will be exempt from the use of any proxy. C. Can contain a list of URLs that will be exempted from the FortiGate web filtering inspection. D. Can contain a list of users that will be exempted from the use of any proxy.
An Internet browser is using the WPAD DNS method to discover the PAC file’s URL. The DNS server replies to the browser’s request with the IP address 10.100.1.10. Which URL will the browser use to download the PAC file? A. http://10.100.1.10/proxy.pac B. https://10.100.1.10/ C. http://10.100.1.10/wpad.dat D. https://10.100.1.10/proxy.pac.
Which of the following are benefits of using web caching? (Choose three.) A. Decrease bandwidth utilization B. Reduce server load C. Reduce FortiGate CPU usage D. Reduce FortiGate memory usage E. Decrease traffic delay.
Which of the following authentication methods are supported in an IPsec phase 1? (Choose two.) A. Asymmetric Keys B. CA root digital certificates C. RSA signature D. Pre-shared keys.
Which of the following IPsec configuration modes can be used for implementing L2TP-over-IPSec VPNs? A. Policy-based IPsec only. B. Route-based IPsec only. C. Both policy-based and route-based VPN. D. L2TP-over-IPSec is not supported by FortiGate devices.
Which of the following IPsec configuration modes can be used when the FortiGate is running in NAT mode? A. Policy-based VPN only B. Both policy-based and route-based VPN. C. Route-based VPN only. D. IPSec VPNs are not supported when the FortiGate is running in NAT mode.
Which of the following statements is true regarding the differences between route-based and policy-based IPsec VPNs? (Choose two.) A. The firewall policies for policy-based are bidirectional. The firewall policies for route-based are unidirectional. B. In policy-based VPNs the traffic crossing the tunnel must be routed to the virtual IPsec interface. In route-based, it does not. C. The action for firewall policies for route-based VPNs may be Accept or Deny, for policy-based VPNs it is Encrypt. D. Policy-based VPN uses an IPsec interface, route-based does not.
Which portion of the configuration does an administrator specify the type of IPsec configuration (either policy-based or route-based)? A. Under the IPsec VPN global settings. B. Under the phase 2 settings. C. Under the phase 1 settings. D. Under the firewall policy settings.
Which of the following statements are correct regarding SSL VPN Web-only mode? (Choose two.) A. It can only be used to connect to web services. B. IP traffic is encapsulated over HTTPS. C. Access to internal network resources is possible from the SSL VPN portal. D. The standalone FortiClient SSL VPN client CANNOT be used to establish a Web-only SSL VPN. E. It is not possible to connect to SSH servers through the VPN.
Which of the following authentication methods can be used for SSL VPN authentication? (Choose three.) A. Remote Password Authentication (RADIUS, LDAP) B. Two-Factor Authentication C. Local Password Authentication D. FSSO E. RSSO.
Which statement best describes what SSL VPN Client Integrity Check does? A. Blocks SSL VPN connection attempts from users that has been blacklisted. B. Detects the Windows client security applications running in the SSL VPN client’s PCs. C. Validates the SSL VPN user credential. D. Verifies which SSL VPN portal must be presented to each SSL VPN user. E. Verifies that the latest SSL VPN client is installed in the client’s PC.
Which statement is not correct regarding SSL VPN Tunnel mode? A. IP traffic is encapsulated over HTTPS. B. The standalone FortiClient SSL VPN client can be used to establish a Tunnel mode SSL VPN. C. A limited amount of IP applications are supported. D. The FortiGate device will dynamically assign an IP address to the SSL VPN network adapter.
What action does an IPsec Gateway take with the user traffic routed to an IPsec VPN when it does not match any phase 2 quick mode selector? A. Traffic is dropped B. Traffic is routed across the default phase 2. C. Traffic is routed to the next available route in the routing table. D. Traffic is routed unencrypted to the interface where the IPsec VPN is terminating.
Which authentication methods does FortiGate support for firewall authentication? (Choose two.) A. Remote Authentication Dial in User Service (RADIUS) B. Lightweight Directory Access Protocol (LDAP) C. Local Password Authentication D. POP3 E. Remote Password Authentication.
Which methods can FortiGate use to send a One Time Password (OTP) to Two-Factor Authentication users? (Choose three.)
A. Hardware FortiToken B. Web Portal C. Email D. USB Token E. Software FortiToken (FortiToken mobile).
Which user group types does FortiGate support for firewall authentication? (Choose three.) A. RSSO B. Firewall C. LDAP D. NTLM E. FSSO.
Which does FortiToken use as input when generating a token code? (Choose two.) A. User password B. Time C. User name D. Seed.
What is not true of configuring disclaimers on the FortiGate? A. Disclaimers can be used in conjunction with captive portal. B. Disclaimers appear before users authenticate. C. Disclaimers can be bypassed through security exemption lists. D. Disclaimers must be accepted in order to continue to the authentication login or originally intended destination.
Which statement best describes what SSL.root is?
A. The name of the virtual network adapter required in each user’s PC for SSL VPN Tunnel mode. B. The name of a virtual interface in the root VDOM where all the SSL VPN user traffic comes from. C. A Firewall Address object that contains the IP addresses assigned to SSL VPN users. D. The virtual interface in the root VDOM that the remote SSL VPN tunnels connect to.
A FortiGate is configured with the 1.1.1.1/24 address on the wan2 interface and HTTPS Administrative Access, using the default tcp port, is enabled for that interface. Given the SSL VPN settings in the exhibit.
Which of the following SSL VPN login portal URLs are valid? (Choose two.) A. http://1.1.1.1:443/Training B. https://1.1.1.1:443/STUDENTS C. https://1.1.1.1/login D. https://1.1.1.1/.
For FortiGate devices equipped with Network Processor (NP) chips, which are true? (Choose three.)
A. For each new IP session, the first packet always goes to the CPU. B. The kernel does not need to program the NPU. When the NPU sees the traffic, it determines by itself whether it can process the traffic C. Once offloaded, unless there are errors, the NP forwards all subsequent packets. The CPU does not process them. D. When the last packet is sent or received, such as a TCP FIN or TCP RST signal, the NP returns this session to the CPU for tear down E. Sessions for policies that have a security profile enabled can be NP offloaded.
Which traffic can match a firewall policy’s "Services" setting? (Choose three.) A. HTTP B. SSL C. DNS D. RSS E. HTTPS.
Which is NOT true about source matching with firewall policies?
A. A source address object must be selected in the firewall policy. B. A source user/group may be selected in the firewall policy. C. A source device may be defined in the firewall policy. D. A source interface must be selected in the firewall policy. E. A source user/group and device must be specified in the firewall policy.
If you enable the option "Generate Logs when Session Starts", what effect does this have on the number of traffic log messages generated for each session?
A. No traffic log message is generated. B. One traffic log message is generated. C. Two traffic log messages are generated. D. A log message is only generated if there is a security event.
Which best describes the authentication timeout? A. How long FortiGate waits for the user to enter his or her credentials. B. How long a user is allowed to send and receive traffic before he or she must authenticate again. C. How long an authenticated user can be idle (without sending traffic) before they must authenticate again. D. How long a user-authenticated session can exist without having to authenticate again.
Which authentication scheme is not supported by the RADIUS implementation on FortiGate? A. CHAP B. MSCHAP2 C. PAP D. FSSO.
Which are valid replies from a RADIUS server to an ACCESS-REQUEST packet from a FortiGate? (Choose two.) A. ACCESS-CHALLENGE B. ACCESS-RESTRICT C. ACCESS-PENDING D. ACCESS-REJECT.
What protocol cannot be used with the active authentication type? A. Local B. RADIUS C. LDAP D. RSSO.
When configuring LDAP on the FortiGate as a remote database for users, what is not a part of the configuration? A. The name of the attribute that identifies each user (Common Name Identifier). B. The user account or group element names (user DN). C. The server secret to allow for remote queries (Primary server secret). D. The credentials for an LDAP administrator (password).
What log type would indicate whether a VPN is going up or down? A. Event log B. Security log C. Forward log D. Syslog.
Which correctly define "Section View" and "Global View" for firewall policies? (Choose two.) A. Section View lists firewall policies primarily by their interface pairs. B. Section View lists firewall policies primarily by their sequence number. C. Global View lists firewall policies primarily by their interface pairs. D. Global View lists firewall policies primarily by their policy sequence number. E. The ‘any’ interface may be used with Section Vie.
In "diag debug flow" output, you see the message “Allowed by Policy-1: SNAT”. Which is true?
A. The packet matched the topmost policy in the list of firewall policies. B. The packet matched the firewall policy whose policy ID is 1. C. The packet matched a firewall policy, which allows the packet and skips UTM checks D. The policy allowed the packet and applied session NAT.
Which is NOT true about the settings for an IP pool type port block allocation? A. A Block Size defines the number of connections. B. Blocks Per User defines the number of connection blocks for each user. C. An Internal IP Range defines the IP addresses permitted to use the pool. D. An External IP Range defines the IP addresses in the pool.
Which define device identification? (Choose two.)
A. Device identification is enabled by default on all interfaces. B. Enabling a source device in a firewall policy enables device identification on the source interfaces of that policy. C. You cannot combine source user and source device in the same firewall policy. D. FortiClient can be used as an agent based device identification technique. E. Only agentless device identification techniques are supported.
Which is true of FortiGate’s session table?
A. NAT/PAT is shown in the central NAT table, not the session table. B. It shows TCP connection states. C. It shows IP, SSL, and HTTP sessions. D. It does not show UDP or ICMP connection state codes, because those protocols are connectionless.
|
