mdmp

Description

Quiz on mdmp, created by Debian Diez on 31/12/2022.

Resource summary

Question 1

Question
1. An administrator has configured the following settings
Answer
  • A. Device detection on all interfaces is enforced for 30 minutes
  • B. A session for denied traffic is created
  • C. Denied users are blocked for 30 minutes
  • D. The number of logs generated by denied traffic is reduced

Question 2

Question
2. Which CLI command allows administrators to troubleshoot Layer 2 issues, such as an IP address conflict?
Answer
  • A. get sys status
  • B. diagnose sys top
  • C. get system performance status
  • D. get system arp

Question 3

Question
3. Refer to the exhibit
Answer
  • A. 10.200.3.1
  • B. 10.200.1.1
  • C. 10.200.1.100
  • D. 10.200.1.10

Question 4

Question
4. The exhibit shows the IPS sensor configuration. If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)
Answer
  • A. The sensor will allow attackers matching the NTP.Spoofed.KoD.Dos signature
  • B. The sensor will block all attacks aimed at Windows server.
  • C. The sensor will all connections that match these signatures.
  • D. The sensor will gather a packet log for all matched traffic.

Question 5

Question
5. Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)
Answer
  • A. Operating mode
  • B. FortiGuard update servers
  • C. NGFW mode
  • D. System time

Question 6

Question
6. An administrator wants to configure timeouts for users. Regardless of the user's behavior, the timer should start as soon as the user authenticates and expire after the configured value. Which timeout option should be configured on FortiGate?
Answer
  • A. New session
  • B. Hard-timeout
  • C. Idle-timeout
  • D. Auth-on-demand
  • E. Soft-timeout

Question 7

Question
7. Which statement about the policy ID number of a firewall policy is true?
Answer
  • A. It defines the order in which rules are processed
  • B. It represents the number of objects used in the firewall policy
  • C. It is required to modify a firewall policy using the CLI
  • D. It changes when firewall policies are reordered

Question 8

Question
8. Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?
Answer
  • A. Flow engine
  • B. Intrusion prevention system engine
  • C. Detection engine
  • D. Antivirus engine

Question 9

Question
9. Refer to the exhibits to view the firewall policy (Exhibit A) and the antivirus profiles (Exhibit B). Which statement is correct if a user is unable to receive a block replacement message when downloading an infected file for the first time?
Answer
  • A. The intrusion prevention security profile needs to be enabled when using flow-based inspection mode.
  • B. The flow-based inspection is used, which resets the last packet to the user.
  • C. The firewall policy performs the full content inspection on the file.
  • D. The volume of traffic being inspected is too high for this model of FortiGate.

Question 10

Question
10. A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.
Answer
  • A. Dialup User
  • B. Static IP Address
  • C. Dynamic DNS
  • D. Pre-shared Key

Question 11

Question
11. Which three statements about a flow-based antivirus profile are correct? (Choose three)
Answer
  • A. Optimized performance compared to proxy-based inspection.
  • B. FortiGate buffers the whole file but transmits to the client simultaneously.
  • C. Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection.
  • D. If the virus is detected, the last packet is delivered to the client
  • E. IPS engine handles the process as a standalone.

Question 12

Question
12. Refer to the exhibits. The SSL VPN connection fails when a user attempts to connect to it. What should the user do to successfully connect to SSL VPN?
Answer
  • A. Change the SSL VPN portal to the tunnel
  • B. Change the Server IP address
  • C. Change the idle-timeout
  • D. Change the SSL VPN port on the client

Question 13

Question
13. Which two protocols are used to enable administrator access of a FortiGate device? (Choose two).
Answer
  • A. FortiTelemetry
  • B. HTTPS
  • C. FTM
  • D. SSH

Question 14

Question
14. Which three options are the remote log storage options you can configure on FortiGate? (Choose three).
Answer
  • A. FortiSIEM
  • B. FortiCache
  • C. FortiAnalyzer
  • D. FortiSandbox
  • E. FortiCloud

Question 15

Question
15. Refer to the exhibits. An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW). What must the administrator do to synchronize the address object?
Answer
  • A. Change the csf setting on Local-FortiGate (root) to set configuration-sync local
  • B. Change the csf setting on ISFW (downstream) to set configuration-sync local
  • C. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default
  • D. Change the csf setting on ISFW (downstream) to set fabric-object-unification default.

Question 16

Question
16. Which type of log on FortiGate records information about traffic directly to and from the FortiGate management IP address?
Answer
  • A. Forward traffic logs
  • B. Local traffic logs
  • C. System event logs
  • D. Security logs

Question 17

Question
17. Refer to the exhibit, which contains a session list output. Based on the information shown in the exhibit, which statement is true?
Answer
  • A. Destination NAT is disabled in the firewall policy
  • B. Port block allocation IP pool is used in the firewall policy
  • C. Overload NAT IP pool is used in the firewall policy
  • D. One-to-one NAT IP pool is used in the firewall policy.

Question 18

Question
18. Which two statements about FortiGate FSSO agentless polling mode are true? (Choose two).
Answer
  • A. FortiGate directs the collector agent to use a remote LDAP server
  • B. FortiGate does not support workstation check.
  • C. FortiGate uses the AD server as the collector agent.
  • D. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

Question 19

Question
19. Which two attributes are required on a certificate so it can be used as a CA certificate on SSL inspection? (Choose two).
Answer
  • A. The issuer must be a public CA
  • B. The common name on the subject field must use a wildcard name
  • C. The CA extension must be set to TRUE
  • D. The Key Usage extension must be set to keyCertSign

Question 20

Question
20. Refer to the exhibit. The Root and To_internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode. The Root VDOM is the management VDOM. The To_internet VDOM allows LAN users to access the internet. The To_internet VDOM is the only VDOM with internet access and is directly connected to the ISP modem. With this configuration, which statement is true?
Answer
  • A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs
  • B. Inter-VDOM links are not required between the Root and To_internet VDOMs because the Root VDOM is used only as a management VDOM.
  • C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs.
  • D. A static route is required on the To_internet VDOM to allow LAN users to access the internet.

Question 21

Question
21. Which two statements are correct about SLA targets? (Choose two)
Answer
  • A. SLA targets are optional
  • B. SLA targets are used only when referenced by an SD-WAN rule.
  • C. SLA targets are required for SD-WAN rules with a Best Quality strategy
  • D. You can configure only two SLA targets per one Performance SLA

Question 22

Question
22. Which two statements about antivirus scanning mode are true? (Choose two)
Answer
  • A. In proxy-based inspection mode, files bigger than the buffer size are scanned.
  • B. In flow-based inspection mode, files bigger than the buffer size are scanned.
  • C. In proxy-based inspection mode, antivirus scanning buffers the whole file for scanning before sending it to the client.
  • D. In flow-based inspection mode, FortiGate buffers the file but also simultaneously transmits it to the client.

Question 23

Question
23. An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?
Answer
  • A. Strict RPF checks the best route back to the source using the incoming interface.
  • B. Strict RPF allows packets back to sources with all active routes.
  • C. Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.
  • D. The strict RPF check is run on the first sent and reply packet of any new session.

Question 24

Question
24. Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two).
Answer
  • A. FortiGate hostname
  • B. DNS
  • C. FortiGuard web filter cache
  • D. NTP

Question 25

Question
25. What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?
Answer
  • A. Proxy-based inspection
  • B. Full Content inspection
  • C. Certificate inspection
  • D. Flow-based inspection

Question 26

Question
26. An administrator is configuring an IPsec VPN between site A and site B. The Remote Gateway setting in both sites has been configured as Static IP Address. For site A, the local quick mode selector is 192.168.1.0/24 and the remote quick mode selector is 192.168.2.0/24. Which subnet must the administrator configure for the local quick mode selector for site B?
Answer
  • A. 192.168.0.0/8
  • B. 192.168.2.0/24
  • C. 192.168.1.0/24
  • D. 192.168.3.0/24

Question 27

Question
27. A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes. 1. All traffic must be routed through the primary tunnel when both tunnels are up. 2. The secondary tunnel must be used only if the primary tunnel goes down. 3. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover. Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two)
Answer
  • A. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
  • B. Configure a higher distance on the static route for the primary tunnel and lower distance on the static route for the secondary tunnel.
  • C. Enable Dead Peer Detection.
  • D. Enable Auto-negotiate and Autokey Keep Alive on the phase 1 configuration of both tunnels.

Question 28

Question
28. An administrator does not want to report the logon events of service accounts to FortiGate. What setting on the collector agent is required to achieve this?
Answer
  • A. Add user accounts to the FortiGate group filter.
  • B. Add the support for NTLM authentication.
  • C. Add user accounts to the Ignore User List
  • D. Add user accounts to Active Directory (AD)

Question 29

Question
29. Refer to the exhibit. Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?
Answer
  • A. Traffic matching the signature will be allowed and logged.
  • B. Traffic matching the signature will be silently dropped and logged.
  • C. The signature setting uses a custom rating threshold.
  • D. The signature setting includes a group of other signatures.

Question 30

Question
30. Which two statements are correct about NGFW Policy-based mode? (Choose two)
Answer
  • A. NGFW policy-based mode can only be applied globally and not on individual VDOMs.
  • B. NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy.
  • C. NGFW policy-based mode policies support only flow inspection.
  • D. NGFW policy-based mode does not require the use of central source NAT policy.

Question 31

Question
31. Refer to the exhibit. The global settings on a FortiGate device must be changed to align with company security policies. What does the Administrator account need to access the FortiGate global settings?
Answer
  • A. Change password
  • B. Enable two-factor authentication
  • C. Change Administrator profile
  • D. Enable restrict access to trusted hosts

Question 32

Question
32. Refer to the exhibit. Given the interfaces shown in the exhibit, which two statements are true? (Choose two)
Answer
  • A. port1-vlan10 and port2-vlan10 are part of the same broadcast domain.
  • B. port1 is a native VLAN
  • C. port1-vlan1 and port2-vlan1 can be assigned in the same VDOM or to different VDOMs.
  • D. Traffic between port2 and port2-vlan1 is allowed by default.

Question 33

Question
33. A network administrator has enabled SSL certificate inspection and antivirus on FortiGate. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and the file can be downloaded. What is the reason for the failed virus detection by FortiGate?
Answer
  • A. Antivirus profile configuration is incorrect
  • B. Antivirus definitions are not up to date
  • C. SSL/SSH inspection profile is incorrect
  • D. Application control is not enabled

Question 34

Question
34. How does FortiGate act when using SSL VPN in web mode?
Answer
  • A. FortiGate acts as an FDS server
  • B. FortiGate acts as router.
  • C. FortiGate acts as an HTTP reverse proxy
  • D. FortiGate acts as DNS server

Question 35

Question
35. Refer to the exhibits. Exhibit A shows system performance output. Exhibit B shows a FortiGate configured with the default configuration of high memory usage thresholds. Based on the system performance output, which two statements are correct? (Choose two)
Answer
  • A. FortiGate has entered conserve mode
  • B. Administrators cannot change the configuration
  • C. Administrators can access FortiGate only through the console port
  • D. FortiGate will start sending all files to FortiSandbox for inspection

Question 36

Question
36. An administrator has configured outgoing interface any in a firewall policy. Which statement is true about the policy list view?
Answer
  • A. Policy lookup will be disabled
  • B. By sequence view will be disabled
  • C. Search option will be disabled
  • D. Interface Pair view will be disabled.

Question 37

Question
37. Refer to the exhibit. An administrator is running a sniffer command as shown in the exhibit. Which three pieces of information are included in the sniffer output? (Choose three)
Answer
  • A. Application header
  • B. IP header
  • C. Ethernet header
  • D. Packet payload

Question 38

Question
38. Refer to the exhibit. Examine the intrusion prevention system (IPS) diagnostic command. Which statement is correct if option 5 was used with the IPS diagnostic command and the outcome was a decrease in the CPU usage?
Answer
  • A. The IPS engine was blocking all traffic
  • B. The IPS engine was unable to prevent an intrusion attack
  • C. The IPS engine was inspecting a high volume of traffic
  • D. The IPS engine will continue to run in a normal state

Question 39

Question
39. Refer to the exhibit. The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster. Which two statements are true? (Choose two).
Answer
  • A. FortiGate SN FGVM01010000064692 is the primary because of higher HA uptime.
  • B. FortiGate SN F1V1010000064692 has the higher HA priority
  • C. FortiGate SN FGVM010000065036 HA uptime has been reset.
  • D. FortiGate devices are not in sync because one device is down

Question 40

Question
40. Refer to the exhibits. The exhibits show the SSL and authentication policy (Exhibit A) and the security policy (Exhibit B) for Facebook. Users are given access to the Facebook web application. They can play video content hosted on Facebook, but they are unable to leave reactions on video or other types of posts. Which part of the policy configuration must you change to resolve the issue?
Answer
  • A. The SSL inspection needs to be a deep content inspection
  • B. Additional application signatures are required to add to the security policy
  • C. Force access to Facebook using the HTTP service
  • D. Add Facebook to the URL category in the security policy

Question 41

Question
41. An administrator wants to configure Dead Peer Detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when no traffic is observed in the tunnel. Which DPD mode on FortiGate will meet the above requirement?
Answer
  • A. On idle
  • B. Enable
  • C. On Demand
  • D. Disabled

Question 42

Question
42. Refer to the exhibit. Given the routing database shown in the exhibit, which two statements are correct? (Choose two)
Answer
  • A. The port3 default route has the highest distance.
  • B. The port1 and port2 default routes are active in the routing table
  • C. The port3 default route has the lowest metric
  • D. There will be eight routes active in the routing table

Question 43

Question
43. Which statement correctly describes NetAPI polling mode for the FSSO collector agent?
Answer
  • A. The NetSessionEnum function is used to track user logouts.
  • B. The collector agent uses a Windows API to query DCs for user logins
  • C. The collector agent must search security event logs
  • D. NetAPI polling can increase bandwidth usage in large networks.

Question 44

Question
44. Which two statements are true about the Security Fabric rating? (Choose two)
Answer
  • A. The Security Fabric rating must be run on the root FortiGate device in the Security Fabric
  • B. Many of the security issues can be fixed immediately by clicking Apply where available
  • C. The Security Fabric rating is a free service that comes bundled with all FortiGate devices
  • D. It provides executive summaries of the four largest areas of security focus.

Question 45

Question
45. Refer to the web filter raw logs. Based on the raw logs shown in the exhibit, which statement is correct?
Answer
  • A. The action on firewall policy ID 1 is set to warning
  • B. The name of the firewall policy is all_users_web.
  • C. Social networking web filter category is configured with the action set to authenticate
  • D. Access to the social networking web filter category was explicitly blocked to all users.

Question 46

Question
46. Which two statements are true about the FGCP protocol? (Choose two)
Answer
  • A. Is used to discover FortiGate devices in different HA groups
  • B. Runs only over the heartbeat links
  • C. Elects the primary FortiGate device
  • D. Not used when FortiGate is in Transparent mode

Question 47

Question
47. Refer to exhibit showing a debug flow output. Which two statements about the debug flow output are correct? (Choose two)
Answer
  • A. A new traffic session is created
  • B. The debug flow is of ICMP traffic
  • C. The default route is required to receive a reply
  • D. A firewall policy allowed the connection

Question 48

Question
48. FortiGuard categories can be overridden and defined in different categories. To create a web rating override for the example.com home page, the override must be configured using a specific syntax. Which two syntaxes are correct to configure a web rating override for the home page? (Choose two).
Answer
  • A. www.example.com
  • B. example.com
  • C. www.example.com/index.html
  • D. www.example.com:443

Question 49

Question
49. Refer to the exhibit. Given the security fabric topology shown in the exhibit, which two statements are true? (Choose two)
Answer
  • A. Device detection is disabled on all FortiGate devices
  • B. There are 19 security recommendations for the security fabric.
  • C. There are five devices that are part of the security fabric.
  • D. This security fabric topology is a logical topology view.

Question 50

Question
50. Why does FortiGate keep TCP sessions in the session table for several seconds, even after both sides (client and server) have terminated the session?
Answer
  • A. To generate logs
  • B. To allow for out-of-order packets that could arrive after the FIN ACK packets
  • C. To remove the NAT operation.
  • D. To finish any inspection operation

Question 51

Question
51. Refer to the exhibit, which contains a RADIUS server configuration. An administrator added a configuration for a new RADIUS server. While configuring, the administrator selected the Include in every user group option. What will be the impact of using the Include in every user group option in a RADIUS configuration?
Answer
  • A. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
  • B. This option places the RADIUS server and all users who can authenticate against that server into every RADIUS group.
  • C. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
  • D. This option places the RADIUS server, and all users who can authenticate against that server into every FortiGate user group.

Question 52

Question
52. By default, FortiGate is configured to use HTTP when performing live web filtering with FortiGuard servers. Which two CLI commands will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering? (Choose two).
Answer
  • A. set fortiguard-anycast disable
  • B. set protocol udp
  • C. set webfilter-force-off disable
  • D. set webfilter-cache disable

Question 53

Question
53. When configuring a firewall virtual wire pair policy, which following statement is true?
Answer
  • A. Only a single virtual wire pair can be included in each policy.
  • B. Any number of virtual wire pairs can be included, as long as the policy traffic direction is the same.
  • C. Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.
  • D. Exactly two virtual wire pairs need to be included in each policy.

Question 54

Question
54. Which two statements about SSL VPN between two FortiGate devices are true? (Choose two)
Answer
  • A. The server FortiGate requires a CA certificate to verify the client FortiGate certificate.
  • B. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
  • C. The client FortiGate requires a manually added route to remote subnets
  • D. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.

Question 55

Question
55. Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up. Based on the phase 2 configuration shown in the exhibit, what configuration change will bring phase 2 up?
Answer
  • A. On HQ-FortiGate, enable Auto-negotiate
  • B. On HQ-FortiGate, enable Diffie-Hellman Group 2
  • C. On HQ-FortiGate set Encryption to AES256
  • D. On Remote-FortiGate, set Seconds to 43200

Question 56

Question
56. Refer to the exhibit, which contains a session diagnostic output. Which statement is true about the session diagnostic output?
Answer
  • A. The session is in FIN ACK state.
  • B. The session is in FIN WAIT state.
  • C. The session is in ESTABLISHED state.
  • D. The session is in SYN SENT state.

Question 57

Question
57. Which statement about video filtering on FortiGate is true?
Answer
  • A. Video filtering FortiGuard categories are based on web filter FortiGuard categories.
  • B. Full SSL inspection is not required.
  • C. It inspects video files hosted on file sharing services.
  • D. It is available only on a proxy-based firewall policy.

Question 58

Question
58. Refer to the exhibit. An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two)
Answer
  • A. Administrator didn’t configure a gateway for the SD-WAN members, or configured gateway is not valid.
  • B. The enable probe packet setting is not enabled.
  • C. The Detection Mode setting is not set to Passive.
  • D. The configured participants are not SD-WAN members.

Question 59

Question
59. Which statement is correct regarding the inspection of some of the services available by web applications embedded in third-party websites?
Answer
  • A. FortiGate can inspect sub-application traffic regardless of where it originated.
  • B. The security actions applied on the web applications will also be explicitly applied on the third-party websites.
  • C. FortiGuard maintains only one signature of each web application that is unique.
  • D. The application signature database inspects traffic only from the original web application server.

Question 60

Question
60. Refer to the exhibits. The exhibit contains the configuration for an SD-WAN Performance SLA as well as the output of diagnose sys virtual-wan-link health-check. Which interface will be selected as an outgoing interface?
Answer
  • A. port1
  • B. port4
  • C. port2
  • D. port3

Question 61

Question
61. When a firewall policy is created, which attribute is added to the policy to support recording logs to a FortiAnalyzer or a FortiManager and improve functionality when a FortiGate is integrated with these devices?
Answer
  • A. Sequence ID
  • B. Log ID
  • C. Universally Unique Identifier
  • D. Policy ID

Question 62

Question
62. Which three statements are true regarding session-based authentication? (Choose three)
Answer
  • A. HTTP sessions are treated as a single user.
  • B. It can differentiate among multiple clients behind the same source IP address.
  • C. It requires more resources.
  • D. IP sessions from the same source IP address are treated as a single user.
  • E. It is not recommended if multiple users are behind the source NAT.

Question 63

Question
63. Refer to the exhibit. The exhibit contains a network diagram, central SNAT policy, and IP pool configuration. The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IP address 10.0.1.254/24. A firewall policy is configured to allow all destinations from LAN (port3) to WAN (port1). Central NAT is enabled, so NAT settings from matching Central SNAT policies will be applied. Which IP address will be used to source NAT the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?
Answer
  • A. 100.200.1.99
  • B. 10.200.1.1
  • C. 10.200.1.49
  • D. 10.200.1.149

Question 64

Question
64. Refer to the exhibit to view the application control profile. Users who use Apple FaceTime video conferences are unable to set up meetings. In this scenario, which statement is true?
Answer
  • A. Apple FaceTime belongs to the custom monitored filter.
  • B. The category of Apple FaceTime is being blocked.
  • C. Apple FaceTime belongs to the custom blocked filter.
  • D. The category of Apple FaceTime is being monitored.

Question 65

Question
65. A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors. What is the reason for the certificate warning errors?
Answer
  • A. The browser requires a software update.
  • B. There are network connectivity issues.
  • C. The CA certificate set on the SSL/SSH inspection profile has not been imported into the browser.
  • D. FortiGate does not support full SSL inspection when web filtering is enabled.

Question 66

Question
66. What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?
Answer
  • A. FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel.
  • B. FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.
  • C. FortiGate automatically negotiates different local and remote addresses with the remote peer.
  • D. FortiGate automatically negotiates a new security association after the existing security association expires.

Question 67

Question
67. What is the primary FortiGate election process when the HA override setting is disabled?
Answer
  • A. Connected monitored ports > Priority > HA uptime > FortiGate Serial number
  • B. Connected monitored ports > System uptime > Primary > FortiGate Serial Number
  • C. Connected monitored ports > HA uptime > Priority > FortiGate Serial number
  • D. Connected monitored ports > Priority > System uptime > FortiGate Serial number

Question 68

Question
68. Refer to the exhibit to view the firewall policy. Which statement is correct if well-known viruses are not being blocked?
Answer
  • A. Web filter should be enabled on the firewall policy to complement the antivirus profile.
  • B. The firewall policy does not apply deep content inspection.
  • C. The firewall policy must be configured in proxy-based inspection mode.
  • D. The action on the firewall policy must be set to deny.

Question 69

Question
69. Refer to the exhibit. The exhibit contains a network interface configuration, firewall policies, and a CLI console configuration. How will FortiGate handle user authentication for traffic that arrives on the LAN interface?
Answer
  • A. Users from the Sales group will be prompted for authentication and can authenticate successfully with the correct credentials.
  • B. Authentication is enforced at a policy level; all users will be prompted for authentication.
  • C. If there is a fall-through policy in place, users will not be prompted for authentication.
  • D. Users from the HR group will be prompted for authentication and can authenticate successfully with the correct credentials.

Question 70

Question
70. IPS Engine is used by which three security features? (Choose three)
Answer
  • A. Application control
  • B. DNS filter
  • C. Web filter in flow-based inspection
  • D. Antivirus in flow-based inspection
  • E. Web application firewall

Question 71

Question
71. Which security feature does FortiGate provide to protect servers located in the internal networks from attacks such as SQL injections?
Answer
  • A. Application control
  • B. Web application firewall
  • C. Denial of Service
  • D. Antivirus

Question 72

Question
72. Which two statements are true when FortiGate is in transparent mode? (Choose two)
Answer
  • A. Static routes are required to allow traffic to the next hop.
  • B. The existing network IP schema must be changed when installing a transparent mode FortiGate in the network.
  • C. By default, all interfaces are part of the same broadcast domain.
  • D. FortiGate forwards frames without changing the MAC address.

Question 73

Question
73. Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 fails to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match. Based on the phase 1 configuration and the diagram shown in the exhibit which two configuration.
Answer
  • A. On Remote-FortiGate, set port2 as interface.
  • B. On HQ-FortiGate, set IKE mode to Main (ID protection)
  • C. On both FortiGate devices, set Dead Peer Detection to On Demand.
  • D. On HQ-FortiGate, disable Diffie-Hellman group 2

Question 74

Question
74. Which two statements about IPsec authentication on FortiGate are correct? (Choose two)
Answer
  • A. A certificate is not required on the remote peer when you set the signature as the authentication method.
  • B. Enabling XAuth results in a faster authentication because fewer packets are exchanged.
  • C. For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide a username and password.
  • D. FortiGate supports pre-shared key and signature as authentication methods.

Question 75

Question
75. Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three).
Answer
  • A. The subject alternative name (SAN) field in the server certificate.
  • B. The server name indication (SNI) extension in the client hello message.
  • C. The subject field in the server certificate.
  • D. The host field in the HTTP header.
  • E. The serial number in the server certificate.

Question 76

Question
76. Which two policies must be configured to allow traffic on a policy-based next-generation firewall (NGFW) FortiGate? (Choose two).
Answer
  • A. Security policy
  • B. SSL inspection and authentication policy
  • C. Firewall policy
  • D. Policy route

Question 77

Question
77. The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile. What order must FortiGate use when the web filter profile has features enabled, such as safe search?
Answer
  • A. Static URL filter, FortiGuard category filter, and advanced filters.
  • B. Static domain filter, SSL inspection filter, and external connectors filters.
  • C. DNS based web filter and proxy based web filter.
  • D. FortiGuard category filter and rating filter.

Question 78

Question
78. Refer to the exhibit. The exhibit shows proxy policies and proxy addresses, the authentication scheme, users and firewall address. An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies. The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication. How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10 to the destination http://www.fortinet.com? (Choose three)
Answer
  • A. If a Mozilla browser is used with User-C credentials, the HTTP request will be denied.
  • B. If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.
  • C. If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.
  • D. If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

Question 79

Question
79. Consider the topology: Application on a Windows machine -- (SSL VPN) -- FGT -- Telnet to Linux Server. An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout. The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN. What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two).
Answer
  • A. Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.
  • B. Set the maximum session TTL value for the TELNET service object.
  • C. Create a new service object for TELNET and set the maximum session TTL.
  • D. Set the session TTL on the SSLVPN policy to maximum so the idle session timeout will not happen after 90 minutes.

Question 80

Question
80. What devices form the core of the security fabric?
Answer
  • A. One FortiGate device and one FortiAnalyzer device.
  • B. Two FortiGate devices and one FortiAnalyzer device.
  • C. One FortiGate device and one FortiManager device.
  • D. Two FortiGate devices and one FortiManager device.

Question 81

Question
81. Refer to the exhibit. Based on the raw log, which two statements are correct? (Choose two).
Answer
  • A. This is a security log.
  • B. Traffic belongs to the root VDOM.
  • C. Log severity is set to error on FortiGate.
  • D. Traffic is blocked because Action is set to DENY in the firewall policy.

Question 82

Question
82. Which three criteria can a FortiGate use to look for a matching firewall policy to process traffic? (Choose three)
Answer
  • A. Source defined as Internet Services in the firewall policy
  • B. Services defined in the firewall policy.
  • C. Destination defined as Internet Services in the firewall policy.
  • D. Lowest to highest policy ID number.
  • E. Highest to lowest priority defined in the firewall policy.

Question 83

Question
83. Which Security Rating scorecard helps identify configuration weaknesses and best practice violations in your network?
Answer
  • A. Security Posture
  • B. Automated Response
  • C. Optimization
  • D. Fabric Coverage

Question 84

Question
84. FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy. Which two other security profiles can you apply to the security policy? (Choose two).
Answer
  • A. Intrusion prevention
  • B. Antivirus scanning
  • C. Files filter
  • D. DNS filter

Question 85

Question
85. Which two statements are true about the RPF check? (Choose two)
Answer
  • A. The RPF check is run on the first sent and reply packet of any new session.
  • B. The RPF check is run on the first reply packet of any new session
  • C. RPF is a mechanism that protects FortiGate and your network from IP spoofing attacks
  • D. The RPF check is run on the first sent packet of any new session

Question 86

Question
86. Which scanning technique on FortiGate can be enabled only on the CLI?
Answer
  • A. Ransomware scan
  • B. Heuristics scan
  • C. Antivirus scan
  • D. Trojan scan

Question 87

Question
87. Which three methods are used by the collector agent for AD polling? (Choose three)
Answer
  • A. WMI
  • B. FortiGate polling
  • C. Novell API
  • D. NetAPI
  • E. WinSecLog

Question 88

Question
88. Refer to the exhibit, which contains a session diagnostic output. Which statement is true about the session diagnostic output?
Answer
  • A. The session is a UDP unidirectional state
  • B. The session is a bidirectional TCP connection
  • C. The session is in TCP ESTABLISHED state
  • D. The session is a bidirectional UDP connection.

Question 89

Question
89. Which two statements are true about collector agent standard access mode? (Choose two)
Answer
  • A. Standard mode security profiles apply to organizational units (OU)
  • B. Standard mode uses Windows convention- NetBios: Domain\Username
  • C. Standard access mode supports nested groups
  • D. Standard mode security profiles apply to user groups.

Question 90

Question
90. Refer to the exhibit. In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output as shown in the exhibit. What should the administrator do next to troubleshoot the problem?
Answer
  • A. Execute a debug flow.
  • B. Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”
  • C. Run a sniffer on the web server.
  • D. Capture the traffic using an external sniffer connected to port1.

Question 91

Question
91. Refer to the exhibit. Why did FortiGate drop the packet?
Answer
  • A. It matched the default implicit firewall policy.
  • B. The next-hop IP address is unreachable.
  • C. It matched an explicitly configured firewall policy with the action DENY.
  • D. It failed the RPF check.

Question 92

Question
92. Which two VDOMs are the default VDOMs created when FortiGate is set up in split VDOM mode? (Choose two)
Answer
  • A. FG-Mgmt
  • B. Mgmt
  • C. FG-traffic
  • D. Root

Question 93

Question
93. Which two types of traffic are managed only by the management VDOM? (Choose two)
Answer
  • A. DNS
  • B. PKI
  • C. FortiGuard web filter queries
  • D. Traffic shaping

Question 94

Question
94. Refer to the FortiGuard connection debug output. Based on the output shown in the exhibit, which two statements are correct? (Choose two)
Answer
  • A. A local FortiManager is one of the servers FortiGate communicates with.
  • B. One server was contacted to retrieve the contract information.
  • C. FortiGate is using default FortiGuard communication settings.
  • D. There is at least one server that lost packets consecutively.

Question 95

Question
95. If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source field of a firewall policy?
Answer
  • A. IP address
  • B. Once Internet Service is selected, no other object can be added
  • C. User or User Group
  • D. FQDN address

Question 96

Question
96. An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway. What must an administrator do to achieve this objective?
Answer
  • A. The administrator can use a third-party RADIUS OTP server.
  • B. The administrator can register the same FortiToken on more than one FortiGate.
  • C. The administrator must use the user self-registration server.
  • D. The administrator must use a FortiAuthenticator device.

Question 97

Question
97. Which three CLI commands can you use to troubleshoot Layer 3 issues if the issue is in neither the physical layer nor the link layer? (Choose three)
Answer
  • A. diagnose sys top
  • B. execute ping
  • C. execute traceroute
  • D. get system arp
  • E. diagnose sniffer packet any

Question 98

Question
98. An administrator must disable RPF check to investigate an issue. Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?
Answer
  • A. Enable asymmetric routing, so the RPF check will be bypassed
  • B. Enable asymmetric routing at the interface level.
  • C. Disable the RPF check at the FortiGate interface level for the reply check
  • D. Disable the RPF check at the FortiGate interface level for the source check

Question 99

Question
99. Refer to the exhibit, which contains a static route configuration. An administrator created a static route for Amazon Web Services. What CLI command must the administrator use to view the route?
Answer
  • A. get router info routing-table database
  • B. diagnose firewall route list
  • C. get internet service route list
  • D. get router info routing-table all

Question 100

Question
100. Refer to the exhibit. The exhibit contains a network diagram, firewall policies, and a firewall address object configuration. An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. Remote-User2 is still able to access Webserver. Which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two)
Answer
  • A. Set the Destination address as Deny IP in the Allow-access policy
  • B. Enable match-vip in the Deny policy
  • C. Set the Destination address as Web server in the Deny policy.
  • D. Disable match-vip in the Deny policy

Question 101

Question
101. Refer to the exhibit, which contains a Performance SLA configuration. An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic. Why is FortiGate not generating any traffic for the performance SLA?
Answer
  • A. You need to turn on the Enable probe packet switch.
  • B. There may not be a static route to route the performance SLA traffic.
  • C. Participants configured are not SD-WAN members.
  • D. The ping protocol is not supported for the public servers that are configured.

Question 102

Question
102. An administrator needs to increase network bandwidth and provide redundancy. What interface type must the administrator select to bind multiple FortiGate interfaces?
Answer
  • A. VLAN interface
  • B. Aggregate interface
  • C. Software Switch interface
  • D. Redundant interface

Question 103

Question
103. An organization’s employee needs to connect to the office through a high-latency internet connection. Which SSL VPN setting should the administrator adjust to prevent the SSL VPN negotiation failure?
Answer
  • A. Change the udp idle-timer.
  • B. Change the idle-timeout.
  • C. Change the login-timeout.
  • D. Change the session-ttl.

Question 104

Question
104. You have enabled logging on your FortiGate device for Event logs and all Security logs, and you have set up logging to use the FortiGate local disk. What is the default behavior when the local disk is full?
Answer
  • A. Logs are overwritten and the first warning is issued when log disk usage reaches the threshold of 75%.
  • B. No new log is recorded until you manually clear logs from the local disk.
  • C. Logs are overwritten and the only warning is issued when log disk usage reaches the threshold of 95%.
  • D. No new log is recorded after the warning is issued when log disk usage reaches the threshold of 95%.

Question 105

Question
105. Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?
Answer
  • A. Customer VDOM
  • B. FG-traffic VDOM
  • C. Global VDOM
  • D. Root VDOM

Question 106

Question
106. Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two)
Answer
  • A. Virtual IP addresses are used to distinguish between cluster members
  • B. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.
  • C. Heartbeat interfaces have virtual IP addresses that are manually assigned
  • D. The primary device in the cluster is always assigned IP address 169.254.0.1

Question 107

Question
107. Which two statements are correct about a software switch on FortiGate? (Choose two)
Answer
  • A. It can group only physical interfaces
  • B. Can act as a Layer 2 switch as well as a Layer 3 router
  • C. All interfaces in the software switch share the same IP address
  • D. It can be configured only when FortiGate is operating in NAT mode

Question 108

Question
108. In an explicit proxy setup, where is the authentication method and database configured?
Answer
  • A. Proxy Policy
  • B. Authentication scheme
  • C. Firewall Policy
  • D. Authentication Rule

Question 109

Question
109. Which two protocol options are available on the CLI but not on the GUI when configuring an SD-WAN Performance SLA? (Choose two)
Answer
  • A. TWAMP
  • B. echo
  • C. ping
  • D. DNS

Question 110

Question
110. Which two statements are correct regarding FortiGate FSSO agentless polling mode? (Choose two)
Answer
  • A. FortiGate uses the SMB protocol to read the event viewer logs from the DCs
  • B. FortiGate queries AD by using LDAP to retrieve user group information.
  • C. FortiGate points the collector agent to use a remote LDAP server
  • D. FortiGate uses the AD server as the collector agent

Question 111

Question
111. Refer to the exhibit. Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?
Answer
  • A. CLI diagnostic command permission
  • B. Read/Write permission for Firewall
  • C. Custom permission for Network
  • D. Read/Write permission for Log & Report

Question 112

Question
112. An administrator has configured two-factor authentication to strengthen SSL VPN access. Which additional best practice can an administrator implement?
Answer
  • A. Configure host check
  • B. Configure different SSL VPN realms
  • C. Configure Source IP Pools
  • D. Configure split tunneling in tunnel mode

Question 113

Question
113. Which statement is true about SSL VPN web mode?
Answer
  • A. It assigns a virtual IP address to the client
  • B. The tunnel is up while the client is connected
  • C. It supports a limited number of protocols
  • D. The external network application sends data through the VPN

Question 114

Question
114. Refer to the exhibit. The exhibit shows a CLI output of firewall policies, proxy policies, and proxy addresses. How does FortiGate process the traffic sent to http://www.fortinet.com?
Answer
  • A. Traffic will be redirected to the transparent proxy and it will be denied by the proxy implicit deny policy.
  • B. Traffic will not be redirected to the transparent proxy and it will be allowed by firewall policy ID 1.
  • C. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 3.
  • D. Traffic will be redirected to the transparent proxy and it will be allowed by proxy policy ID 1.

Question 115

Question
115. Which two inspection modes can you use to configure a firewall policy on a policy-based next-generation firewall (NGFW)? (Choose two.)
Answer
  • A. Flow-based inspection
  • B. Proxy-based inspection
  • C. Certificate inspection
  • D. Full Content inspection

Question 116

Question
116. Refer to the exhibit to view the authentication rule configuration. In this scenario, which statement is true?
Answer
  • A. Route-based authentication is enabled.
  • B. IP-based authentication is enabled.
  • C. Session-based authentication is enabled.
  • D. Policy-based authentication is enabled.

Question 117

Question
117. Refer to the exhibit. The exhibit shows a FortiGate configuration. How does FortiGate handle web proxy traffic coming from the IP address 10.2.1.200, that requires authorization?
Answer
  • A. It authenticates the traffic using the authentication scheme SCHEME2.
  • B. It drops the traffic
  • C. It always authorizes the traffic without requiring authentication.
  • D. It authenticates the traffic using the authentication scheme SCHEME1.

Question 118

Question
118. In which two ways can RPF checking be disabled? (Choose two)
Answer
  • A. Disable the RPF check at the FortiGate interface level for the source check.
  • B. Disable strict-src check under system settings.
  • C. Enable symmetric routing.
  • D. Enable anti-replay in firewall policy.

Question 119

Question
119. A team manager has decided that, while some members of the team need access to a particular website, the majority of the team does not. Which configuration option is the most effective way to support this request?
Answer
  • A. Implement web filter authentication for the specified website.
  • B. Implement a DNS filter for the specified website
  • C. Implement web filter quotas for the specified website
  • D. Implement a web filter category override for the specified website.

Question 120

Question
120. An administrator has a requirement to keep an application session from timing out on port 80. What two changes can the administrator make to resolve the issue without affecting any existing services running through FortiGate? (Choose two)
Answer
  • A. Set the session TTL on the HTTP policy to maximum
  • B. Set the TTL value to never under config system ttl.
  • C. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy.
  • D. Create a new service object for HTTP service and set the session TTL to never.

Question 121

Question
121. FortiGate is operating in NAT mode and is configured with two virtual LAN (VLAN) subinterfaces added to the same physical interface. In this scenario, which statement about the VLAN ID is true?
Answer
  • A. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in the same subnet.
  • B. The two VLAN subinterfaces can have the same VLAN ID only if they have IP addresses in different subnets.
  • C. The two VLAN subinterfaces can have the same VLAN ID only if they belong to different VDOMs.
  • D. The two VLAN subinterfaces must have different VLAN IDs.

Question 122

Question
122. What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?
Answer
  • A. It limits the scanning of application traffic to the browser-based technology category only.
  • B. It limits the scanning of application traffic to the application category only.
  • C. It limits the scanning of application traffic to use parent signatures only.
  • D. It limits the scanning of application traffic to the DNS protocol only.

Question 123

Question
123. Which two statements are true about collector agent advanced mode? (Choose two)
Answer
  • A. Advanced mode uses Windows convention-NetBios Domain\Username
  • B. Security profiles can be applied only to user groups, not individual users.
  • C. FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.
  • D. Advanced mode supports nested or inherited groups.

Question 124

Question
124. Which feature in the Security Fabric takes one or more actions based on event triggers?
Answer
  • A. Logical Topology
  • B. Fabric Connectors
  • C. Security Rating
  • D. Automation Stitches

Question 125

Question
125. If Internet Services is already selected as Destination in a firewall policy, which other configuration objects can be selected for the Destination field of a firewall policy?
Answer
  • A. IP address
  • B. User or User Group
  • C. No other object can be added
  • D. FQDN address

Question 126

Question
126. Refer to the exhibit to view the application control profile. Based on the configuration, what will happen to Apple Face Time?
Answer
  • A. Apple Face Time will be allowed based on the Apple filter configuration
  • B. Apple Face Time will be allowed, based on the Categories configuration
  • C. Apple Face Time will be allowed only if the filter in Application and Filter Overrides is set to Learn
  • D. Apple Face Time will be blocked, based on the Excessive-Bandwidth filter configuration