A fortiGate is operating in NAT/Route mode and configured with two virtual LAN (VLAN) sub-interfaces added to the same physical interface. Which one of the following statements is correct regarding the VLAN IDs in this scenario? A. The two VLAN sub-interfaces can have the same VLAN ID only if they have IP addresses in different subnets. B. The two VLAN sub-interfaces must have different VLAN IDs. C. The two VLAN sub-interfaces can have the same VLAN ID only if they belong to different VDOMs. D. The two VLAN sub-interfaces can have the same VLAN ID if they are connected to different L2 IEEE 802.1Q compliant switches.
Which statement describes what the CLI command diagnose debug authd fsso list is used for?
A. Monitors communications between the FSSO collector agent and FortiGate unit. B. Displays which users are currently logged on using FSSO. C. Displays are listing of all connected FSSO collector agents. D. Lists all DC Agents installed on all domain controllers.
Examine the following spanning tree configuration on a FortiGate in transparent mode:
config system interface
edit <interface name>
set stp-forward enable end
Which statement is correct for the above configuration?
A. The FortiGate participates in spanning tree. B. The FortiGate device forwards received spanning tree messages. C. Ethernet layer-2 loops are likely to occur. D. The FortiGate generates spanning tree BPDU frames.
You are the administrator in charge of a point-to-point IPsec VPN between two FortiGate units using route based mode. Users from either side must be able to initiate new sessions with no restrictions. There is only 1 subnet at either end and the FortiGate already has a default route. Which two configuration steps are required in each FortiGate to achieve these objectives? (Choose two.)
A. Create one firewall policy. B. Create two firewall policies. C. Add a route to the remote subnet. D. Add two IPsec phases 2.
Examine the exhibit below; then answer the question-following it.
In this scenario. The FortiGate unit in Ottawa has the following routing table:
s* 0.0.0.0/0 [10/0] via 172.20.170.254, port2
c 172.20.167.0/24 is directly connected,
port1 c 172.20.170.0/24 is directly
connected, port2
Sniffer tests show that packets sent from the source IP address 170.20.168.2 to the destination IP address 172.20.169.2 are being dropped by the FortiGate located in Ottawa. Which of the following correctly describes the cause for the dropped packets?
A. The forward policy check. B. The reserve path forwarding check. C. The subnet 172.20.169.0/24 is NOT in the Ottawa FortiGate’s routing table. D. The destination workstation 172.20.169.2 does NOT have the subnet 172.20.168.0/24 in its routing table.
In which order are firewall policies processed on a FortiGate unit?
A. From top to bottom, according with their sequence number. B. From top to bottom, according with their policy ID number. C. Based on best match. D. Based on the priority value.
Regarding the header and body sections in raw log messages, which statement is correct?
A. The header and body section layouts change depending on the log type. B. The header section layout is always the same regardless of the log type. The body section layout changes depending on the log type. C. Some log types include multiple body sections. D. Some log types do not include a body section.
Which is one of the conditions that must be met for offloading the encryption and decryption of IPsec traffic to an NP6 processor?
A. no protection profile can be applied over the IPsec traffic. B. Phase-2 anti-replay must be disabled. C. Phase 2 must have an encryption algorithm supported by the NP6. D. IPsec traffic must not be inspected by any FortiGate session helper.
With FSSO DC-agent mode, a domain user could authenticate either against the domain controller running the collector agent and domain controller agent, or a domain controller running only the domain controller agent.
If you attempt to authenticate with a domain controller running only the domain controller agent, which statements are correct? (Choose two.)
A. The login event is sent to a collector agent by the DC agent. B. the login event is sent to the FortiGate by the DC agent. C. The domain collector agent may perform a DNS lookup for the authenticated client’s IP address. D. The user cannot be authenticated with the FortiGate in this manner because each domain controller agent requires a dedicated collector agent.
Regarding the use of web-only mode SSL VPN, which statement is correct?
A. It support SSL version 3 only. B. It requires a Fortinet-supplied plug-in on the web client. C. It requires the user to have a web browser that suppports 64-bit cipher length. D. The JAVA run-time environment must be installed on the client.
Review the IPsec diagnostics output of the command diagnose vpn tunnel list shown in the exhibit below.
Which statements are correct regarding this output (Choose two.)
A. The connecting client has been allocated address 172.20.1.1. B. In the Phase 1 settings, dead peer detection is enabled. C. The tunnel is idle. D. The connecting client has been allocated address 10.200.3.1.
If there are no changes in the routing table and in the case of TCP traffic, which of the following correctly describes the routing table lookups performed by a FortiGate in NAT /Route mode, when searching for a suitable gateway?
A. A lookup is done only when the first packet coming from the client (SYN) arrives. B. A lookup is done when the first packet coming from the client (SYN) arrives, and a second one is performed when the first packet coming from the server (SYN/ACK) arrives. C. Three lookups are done during the TCP 3-way handshake (SYN, SYN/ACK, ACK). D. A lookup is always done each time a packet arrives, from either the server or the client side.
What are valid options for handling DNS requests sent directly to a FortiGate’s interface IP? (Choose three.)
A. Conditional-forward. B. Forward-only. C. Non-recursive. D. Iterative. E. Recursive.
A FortiGate is configured to receive push updates from the FortiGuard Distribution Network, however, they are not being received. Which is one reason for this problem?
A. The FortiGate is connected to multiple ISPs. B. FortiGuard scheduled updates are enabled in the FortiGate configuration. C. The FortiGate is in Transparent mode. D. The external facing interface of the FortiGate is configured to get the IP address from a DHCP server.
Which statements are true regarding local user authentication? (Choose two.)
A. Two-factor authentication can be enabled on a per user basis. B. Local users are for administration accounts only and cannot be used to authenticate network users. C. Administrators can create the user accounts in a remote server and store the user passwords locally in the fortiGate. D. Both the usernames and passwords can be stored locally on the FortiGate.
What methods can be used to access the FortiGate CLI? (Choose two.)
A. Using SNMP. B. A direct connection to the serial console port. C. Using the CLI console widget in the GUI. D. Using RCP.
Which statements are true regarding IPv6 anycast addresses? (Choose two.)
A. Multiple interfaces can share the same anycast address. B. They are allocated from the multicast address space. C. Different nodes cannot share the same anycast address. D. An anycast packet is routed to the nearest interface.
Which firewall objects can be included in the Destination Address field of a firewall policy? (Choose three.)
A. IP address pool. B. Virtual IP address. C. IP address. D. IP address group. E. MAC address.
Regarding tunnel-mode SSL VPN, which three statements are correct? (Choose three.)
A. Split tunneling is supported. B. It requires the installation of a VPN client. C. It requires the use of an Internet browser.
unit. D. Third-party network applications cannot send IP traffic through the tunnel. E. An SSL VPN IP address is dynamically assigned to the client by the FortiGate .
Examine the output below from the diagnose sys top command:
# diagnose sys top 1
Run time: 11 days, 3 hours and 29 minutes
OU, ON, 1S, 99I; 971T, 528F, 160 KF sshd 123 S 1.9 1.2 ipsendjine 61 S < 0.0 5.2 miglogd 45 S 0.0 4.9 pyfcgid 75 S 0.0 4.5
pyfcgid 73 S 0.0 3.9
Which statements are true regarding the output above (Choose two.)
A. The sshd process is the one consuming most CPU. B. The sshd process is using 123 pages of memory. C. The command diagnose sys kill miglogd will restart the miglogd process. D. All the processes listed are in sleeping state.
A FortiGate administrator with the super_admin profile configures a virtual domain (VDOM) for a new customer. After creating the VDOM, the administrator is unable to reassign the dmz interface to the new VDOM as the option is greyed out in the GUI in the management VDOM.
What would be a possible cause for this problem? A. The administrator does not have the proper permissions the dmz interface. B. The dmz interface is referenced in the configuration of another VDOM. C. Non-management VDOMs cannot reference physical interfaces D. The dmz interface is in PPPoE or DHCP mode.
Review the static route configuration for IPsec shown in the exhibit; then answer the question-below.
Which statements are correct regarding this configuration? (Choose two.)
A. Interface remote is an IPsec interface. B. A gateway address is not required because the interface is a point-to-point connection. C. A gateway address is not required because the default route is used. D. Interface remote is a zone.
n HA, the option Reserve Management Port for Cluster Member is selected as shown in the exhibit below.
Which statements are correct regarding this setting? (Choose two.)
A. Interface settings on port7 will not be synchronized with other cluster members. B. The IP address assigned to this interface must not overlap with the IP address subnet assigned to another interface. C. When connecting to port7 you always connect to the master device. D. A gateway address may be configured for port7.
Which IPsec configuration mode can be used for implementing GRE-over-IPsec VPNs?
A. Policy-based only. B. Route-based only. C. Either policy-based or route-based VPN. D. GRE-based only.
Which tasks fall under the responsibility of the SSL proxy in a typical HTTPS connection? (Choose two.)
A. The web client SSL handshake. B. The web server SSL handshake. C. File buffering. D. Communication with the URL filter process.
Which statements are true regarding traffic shaping that is applied in an application sensor, and associated with the firewall policy? (Choose two.)
A. Shared traffic shaping cannot be used. B. Only traffic matching the application control signature is shaped. C. Can limit the bandwidth usage of heavy traffic applications. D. Per-IP traffic shaping cannot be used.
Which of the following sequences describes the correct order of criteria used for the selection of a master unit within a FortiGate high availability (HA) cluster when override is disabled?
A. 1. port monitor, 2. unit priority, 3. up time, 4. serial number. B. 1. port monitor, 2. up time, 3. unit priority, 4. serial number. C. 1. unit priority, 2. up time, 3. port monitor, 4. serial number. D. 1. up time, 2. unit priority, 3. port monitor, 4. serial number.
Which statements are correct regarding URL filtering on a FortiGate unit? (Choose two.)
A. The allowed actions for URL filtering include allow, block, monitor and exempt. B. The allow actions for URL filtering and Allow and Block only. C. URL filters may be based on patterns using simple text, wildcards and regular expressions. D. URL filters are based on simple text only and require an exact match.
Examine the following log message for IPS:
2012-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root severity=”critical” src=”192.168.3.168” dst=”192.168.3.170”
src_int=”port2” serial=0
status=”detected” proto=1 service=”icmp” count=1 attack_name=”icmp_flood” icmp_id=”0xa8a4” icmp_type=”0x08” icmp_code=”0x00”
attack_id=16777316 sensor=”1”
ref=”http://www.fortinet.com/ids/VID16777316” msg=”anomaly: icmp_flood, 51 > threshold 50”
Which statement is correct about the above log? (Choose two.)
A. The target is 192.168.3.168. B. The target is 192.168.3.170. C. The attack was NOT blocked. D. The attack was blocked.
|
