Which of the following statements are correct concerning the IPsec phase 1 and phase 2 shown in the exhibit? (Choose two.) A. The quick mode selector in the remote site must also be 0.0.0.0/0 for the source and destination addresses. B. Only remote peers with the peer ID ‘fortinet’ will be able to establish a VPN. C. The FortiGate device will automatically add a static route to the source quick mode selector address received from each remote VPN peer. D. The configuration will work only to establish FortiClient-to-FortiGate tunnels. A FortiGate tunnel requires a different configuration.
The exhibit shows part of the output of the diagnostic command ‘diagnose debug application ike 255’, taken during establishment of a VPN. Which of the following statements are correct concerning this output? (Choose two.) A. The quick mode selectors negotiated between both IPsec VPN peers are 0.0.0.0/32 for both source and destination addresses. B. The output corresponds to a phase 2 negotiation. C. NAT-T is enabled and there is a third device in the path performing NAT of the traffic between both IPsec VPN peers. D. The IP address of the remote IPsec VPN peer is 172.20.187.114.
What is required in a FortiGate configuration to have more than one dialup IPsec VPN using aggressive mode? A. All the aggressive mode dialup VPNs MUST accept connections from the same peer ID. B. Each peer ID MUST match the FQDN of each remote peer. C. Each aggressive mode dialup MUST accept connections from a different peer ID. D. The peer ID setting must NOT be used.
Which of the following statements are correct concerning IKE mode config? (two answers) A. It can dynamically assign IP addresses to IPsec VPN clients. B. It can dynamically assign DNS settings to IPsec VPN clients. C. It uses the ESP protocol. D. It can be enabled in the phase 2 configuration.
Which statement is correct concerning an IPsec VPN with the remote gateway setting configured as ‘Dynamic DNS’?
A. The FortiGate will accept IPsec VPN connections from any IP address. B. The FQDN resolution of the local FortiGate IP address where the VPN is terminated must be provided by a dynamic DNS provider. C. The FortiGate will accept IPsec VPN connections only from IP addresses included on a dynamic DNS access list. D. The remote gateway IP address can change dynamically.
Which of the following protocols are defined in the IPsec Standard? (Choose two) A. AH B. GRE C. SSL/TLS D. ESP.
What configuration objects are automatically added when using the FortiGate’s FortiClient VPN Configuration Wizard? (Choose two.)
A. Static route B. Phase 1 C. Users group D. Phase 2.
The workstation, 172.16.1.1/24, connects to port2 of the FortiGate device, and the ISP router, 172.16.1.2, connects to port1. Without changing IP addressing, which configuration changes are required to properly forward users’ traffic to the Internet? (Choose two.) A. At least one firewall policy from port2 to port1 to allow outgoing traffic. B. A default route configured in the FortiGate device pointing to the ISP’s router. C. Static or dynamic IP addresses in both FortiGate interfaces port1 and port2. D. The FortiGate device configured in transparent mode.
Which of the following statements correctly describes the use of the "diagnose sys ha reset-uptime" command? A. To force an HA failover when the HA override setting is disabled. B. To force an HA failover when the HA override setting is enabled. C. To clear the HA counters. D. To restart a FortiGate unit that is part of an HA cluster.
What are required to be the same for two FortiGate units to form an HA cluster? (Choose two) A. Firmware. B. Model. C. Hostname. D. System time zone.
Which of the following statements describes the objective of the gratuitous ARP packets sent by an HA cluster? A. To synchronize the ARP tables in all the FortiGate units that are part of the HA cluster. B. To notify the network switches that a new HA master unit has been elected. C. To notify the master unit that the slave devices are still up and alive. D. To notify the master unit about the physical MAC addresses of the slave units.
Which of the following statements are correct regarding a master HA unit? (Choose two.) A. There should be only one master unit in each HA virtual cluster. B. The master synchronizes the cluster configuration with the slaves. C. Only the master has a reserved management HA interface. D. Heartbeat interfaces are not required on a master unit.
Which statement describes how traffic flows in sessions handled by a slave unit in an active-active HA cluster? A. Packets are sent directly to the slave unit using the slave physical MAC address. B. Packets are sent directly to the slave unit using the HA virtual MAC address. C. Packets arrive at both units simultaneously, but only the slave unit forwards the session. D. Packets are first sent to the master unit, which then forwards the packets to the slave unit.
Which of the following statements are correct concerning the FortiGate session life support protocol? (Choose two.) A. By default, UDP sessions are not synchronized. B. Up to four FortiGate devices in standalone mode are supported. C. Only the master unit handles the traffic. D. It allows per-VDOM session synchronization.
What are the default criteria for selecting the HA master unit in an HA cluster? A. Port monitor, priority, uptime, serial number. B. Port monitor, uptime, priority, serial number. C. Priority, uptime, port monitor, serial number. D. Uptime, priority, port monitor, serial number.
What information is synchronized between two FortiGate units that belong to the same HA cluster? (Choose three.) A. IP addresses assigned to DHCP-enabled interfaces. B. The master device’s hostname. C. Routing configuration and state. D. Reserved HA management interface IP configuration. E. Firewall policies and objects.
A FortiGate device is configured with four VDOMs: ‘root’ and ‘vdom1’ are in NAT/route mode; ‘vdom2’ and ‘vdom3’ are in transparent mode. The management VDOM is ‘root’. Which of the following statements are true? (Choose two.) A. An inter-VDOM link between ‘root’ and ‘vdom1’ can be created. B. An inter-VDOM link between ‘vdom1’ and ‘vdom2’ can be created. C. An inter-VDOM link between ‘vdom2’ and ‘vdom3’ can be created. D. Inter-VDOM links must be manually configured for FortiGuard traffic.
Which of the following statements are true regarding a FortiGate device operating in transparent mode? (Choose three.) A. It acts as a layer 2 bridge. B. It acts as a layer 3 router. C. It forwards frames using the destination MAC address. D. It forwards packets using the destination IP address. E. It can perform content inspection (antivirus, web filtering, etc.).
Which of the following statements are correct concerning IPsec dialup VPN configurations for FortiGate devices? (Choose two.) A. Main mode must be used when there is no more than one IPsec dialup VPN configured on the same FortiGate device. B. A FortiGate device with an IPsec VPN configured as dialup can initiate the tunnel connection to any remote IP address. C. Peer ID must be used when there is more than one aggressive-mode IPsec dialup VPN on the same FortiGate device. D. The FortiGate will automatically add a static route to the source quick mode selector address received from each remote peer.
Which of the following combinations of two FortiGate device configurations (side A and side B) can be used to successfully establish an IPsec VPN between them? (Choose two.) A. Side A: main mode, remote gateway as static IP address, policy-based VPN. Side B: aggressive mode, remote gateway as static IP address, policy-based VPN. B. Side A: main mode, remote gateway as static IP address, policy-based VPN. Side B: main mode, remote gateway as static IP address, route-based VPN. C. Side A: main mode, remote gateway as static IP address, policy-based VPN. Side B: main mode, remote gateway as dialup, route-based VPN. D. Side A: main mode, remote gateway as dialup, policy-based VPN. Side B: main mode, remote gateway as dialup, policy-based VPN.
Which of the following statements are correct differences between NAT/route and transparent mode? (Choose two.) A. In transparent mode, interfaces do not have IP addresses. B. Firewall policies are only used in NAT/route mode. C. Static routes are only used in NAT/route mode. D. Only transparent mode permits inline traffic inspection at layer 2.
Which of the following are operating modes supported in FortiGate devices? (Choose two.) A. Proxy B. Transparent C. NAT/route D. Offline inspection.
A FortiGate device has two VDOMs in NAT/route mode. Which of the following solutions can be implemented by a network administrator to route traffic between the two VDOMs? (Choose two.) A. Use the inter-VDOM links automatically created between all VDOMs. B. Manually create and configure an inter-VDOM link between them. C. Interconnect and configure an external physical interface in one VDOM to another physical interface in the second VDOM. D. Configure both VDOMs to share the same table.
A FortiGate device is configured with two VDOMs. The management VDOM is ‘root’ and is configured in transparent mode; ‘vdom1’ is configured in NAT/route mode. Which traffic is generated only by ‘root’ and not ‘vdom1’? (Choose three.) A. SNMP traps B. FortiGuard C. ARP D. NTP E. ICMP redirect.
Which of the following settings can be configured per VDOM? (Choose three) A. Operating mode (NAT/route or transparent) B. Static routes C. Hostname D. System time E. Firewall Policies.
Which of the following statements are correct regarding FortiGate virtual domains (VDOMs)? (Choose two.) A. VDOMs divide a single FortiGate unit into two or more independent firewalls. B. A management VDOM handles SNMP, logging, alert email and FortiGuard updates. C. Each VDOM can run different firmware versions. D. Administrative users with a ‘super_admin’ profile can administrate only one VDOM.
Which of the following statements is correct concerning multiple VDOMs configured in a FortiGate device? A. FortiGate devices, from the FGT/FWF 60D and above, all support VDOMs. B. All FortiGate devices scale to 250 VDOMs. C. Each VDOM requires its own FortiGuard license. D. FortiGate devices support more NAT/route VDOMs than transparent mode VDOMs.
A FortiGate unit has multiple VDOMs in NAT/route mode with multiple VLAN interfaces in each VDOM. Which of the following statements is correct regarding the IP addresses assigned to each VLAN interface? A. Different VLANs can share the same IP address as long as they have different VLAN IDs. B. Different VLANs can share the same IP address as long as they are in different physical interfaces. C. Different VLANs can share the same IP address as long as they are in different VDOMs. D. Different VLANs can never share the same IP addresses.
A FortiGate unit operating in NAT/route mode is configured with two VLAN sub-interfaces on the same physical interface. Which of the following statements is correct regarding the VLAN IDs in this scenario? A. The two VLAN sub-interfaces can have the same VLAN IDs only if they have IP addresses in different subnets. B. The two VLAN sub-interfaces must have different VLAN IDs. C. The two VLAN sub-interfaces can have the same VLAN ID only if they belong to different VDOMs. D. The two VLAN sub-interfaces can have the same VLAN ID if they are connected to different L2 IEEE 802.1Q compliant switches.
Which of the following statements are true regarding WAN Link Load Balancing? (Choose two.) A. There can be only one virtual WAN link per VDOM. B. FortiGate can measure the quality of each link based on latency, jitter, or packet loss percentage. C. Link health checks can be performed over each link member of the virtual WAN interface. D. Distance and priority values are configured in each link member of the virtual WAN interface.
In the debug command output shown in the exhibit, which of the following best describes the MAC address 00:09:0f:69:03:7e? A. It is one of the secondary MAC addresses of the port1 interface. B. It is the primary MAC address of the port1 interface. C. It is the MAC address of another network device located in the same LAN segment as the FortiGate unit’s port1 interface. D. It is the HA virtual MAC address.
Which action does the FortiGate take when a link health monitor times out? A. All routes to the destination subnet configured in the link health monitor are removed from the routing table. B. The distance values of all routes using the interface configured in the link health monitor are increased. C. The priority values of all routes using the interface configured in the link health monitor are increased. D. All routes using the next-hop gateway configured in the link health monitor are removed from the routing table.
What must be configured in order to keep two static routes to the same destination in the routing table? A. The same priority. B. The same distance and same priority. C. The same distance. D. The same metric.
The exhibit shows three static routes. Which routes will be used to route the packets to the destination IP address 172.20.168.1? A. The routes with the ID numbers 2 and 3. B. Only the route with the ID number 3. C. Only the route with the ID number 2. D. Only the route with the ID number 1.
The exhibit shows a FortiGate routing table. Which of the following statements are correct? (Choose two.) A. There is only one active default route. B. The distance value for the route to 192.168.1.0/24 is 200. C. An IP address in the subnet 172.16.78.0/24 has been assigned to the dmz interface. D. The FortiGate will route the traffic to 172.17.1.2 to the next hop with the IP address 192.168.11.254.
Which answer best describes what an "Unknown Application" is? A. All traffic that matches the internal signature for unknown applications. B. Traffic that does not match the RFC pattern for its protocol. C. Any traffic that does not match an application control signature. D. A packet that fails the CRC check.
What actions are possible with Application Control? (Choose three.) A. Warn B. Allow C. Block D. Traffic Shaping E. Quarantine.
Which of the following statements are true regarding application control? (Choose two.) A. Application control is based on TCP destination port numbers. B. Application control is proxy based. C. Encrypted traffic can be identified by application control. D. Traffic shaping can be applied to the detected application traffic.
Which of the following fields contained in the IP/TCP/UDP headers can be used to make a routing decision when using policy-based routing? (Choose three) A. Source IP address. B. TCP flags C. Source TCP/UDP ports D. Type of service. E. Checksum.
Examine the network topology diagram in the exhibit; the workstation with the IP address 220.127.116.11 sends a TCP SYN packet to the workstation with the IP address 18.104.22.168. Which of the following sentences best describe the result of the reverse path forwarding (RPF) check executed by the FortiGate on the SYN packet? (Choose two.) A. The packet is allowed if RPF is configured as loose. B. The packet is allowed if RPF is configured as strict. C. The packet is blocked if RPF is configured as loose. D. The packet is blocked if RPF is configured as strict.
Which of the following statements best describes what a FortiGate does when packets match a black hole route? A. Packets are dropped. B. Packets are routed based on the information in the policy-based routing table. C. An ICMP error message is sent back to the originator. D. Packets are routed back to the originator.
The exhibit shows two static routes to the same destination subnet 172.20.168.0/24. Which of the following statements correctly describe this static routing configuration? (Choose two.) A. Both routes will show up in the routing table. B. The FortiGate unit will evenly share the traffic to 172.20.168.0/24 between the routes. C. Only one route will show up in the routing table. D. The FortiGate will route the traffic to 172.20.168.0/24 only through one route.
Which of the following web filtering modes can inspect the full URL? (Choose two.) A. Proxy based B. DNS based C. Policy based D. Flow based.
Examine the following log message attributes and select two correct statements from the list below. (Choose two.)
hostname=www.youtube.com profiletype="Webfilter_Profile" profile="default" status="passthrough" msg="URL belongs to a category with warnings enabled" A. The traffic was blocked. B. The user failed authentication. C. The category action was set to warning. D. The website was allowed.
Which of the following are possible actions for FortiGuard web category filtering? (Choose three.) A. Allow B. Block C. Exempt D. Warning E. Shape.
Which of the following actions can be used with the FortiGuard quota feature? (Choose three.) A. Allow B. Block C. Monitor D. Warning E. Authenticate.
The exhibit is a screen shot of an Application Control profile.
Different settings are circled and numbered. Select the number identifying the setting which will provide additional information about YouTube access, such as the name of the video watched. A. 1 B. 2 C. 3 D. 4 E. 5.
How do application control signatures update on a FortiGate device? A. Through FortiGuard updates. B. Upgrade the FortiOS firmware to a newer release. C. By running the Application Control auto-learning feature. D. Signatures are hard coded to the device and cannot be updated.
A FortiGate device is configured to perform an AV & IPS scheduled update every hour.
Given the information in the exhibit, when will the next update happen? A. 01:00 B. 02:05 C. 11:00 D. 11:08.