For FortiGate devices equipped with Network Processor (NP) chips, which are true? (Choose three.)
For each new IP session, the first packet always goes to the CPU.
The kernel does not need to program the NPU. When the NPU sees the traffic, it determines by itself whether it can process the traffic.
Once offloaded, unless there are errors, the NP forwards all subsequent packets. The CPU does not process them.
When the last packet is sent or received, such as a TCP FIN or TCP RST signal, the NP returns this session to the CPU for tear down.
Sessions for policies that have a security profile enabled can be NP offloaded.
In "diag debug flow" output, you see the message “Allowed by Policy-1: SNAT”. Which is true?
The packet matched the topmost policy in the list of firewall policies.
The packet matched the firewall policy whose policy ID is 1.
The packet matched a firewall policy which allows the packet and skips UTM checks.
The policy allowed the packet and applied session NAT.
Which is NOT true about the settings for an IP pool type port block allocation?
A Block Size defines the number of connections.
Blocks Per User defines the number of connection blocks for each user.
An Internal IP Range defines the IP addresses permitted to use the pool.
An External IP Range defines the IP addresses in the pool.
If you enable the option "Generate Logs when Session Starts", what effect does this have on the number of traffic log messages generated for each session?
No traffic log message is generated.
One traffic log message is generated.
Two traffic log messages are generated.
A log message is only generated if there is a security event.
Which traffic can match a firewall policy's "Services" setting? (Choose three.)
Which correctly define "Section View" and "Global View" for firewall policies? (Choose two.)
Section View lists firewall policies primarily by their interface pairs.
Section View lists firewall policies primarily by their sequence number.
Global View lists firewall policies primarily by their interface pairs.
Global View lists firewall policies primarily by their policy sequence number.
The 'any' interface may be used with Section View.
Which is true of FortiGate's session table?
NAT/PAT is shown in the central NAT table, not the session table.
It shows TCP connection states.
It shows IP, SSL, and HTTP sessions.
It does not show UDP or ICMP connection state codes, because those protocols are connectionless.
Which is true about incoming and outgoing interfaces in firewall policies?
A physical interface may not be used.
A zone may not be used.
Multiple interfaces may not be used for both incoming and outgoing.
Source and destination interfaces are mandatory.
Which is NOT true about source matching with firewall policies?
A source address object must be selected in the firewall policy.
A source user/group may be selected in the firewall policy.
A source device may be defined in the firewall policy.
A source interface must be selected in the firewall policy.
A source user/group and device must be specified in the firewall policy.
Which define device identification? (Choose two.)
Device identification is enabled by default on all interfaces.
Enabling a source device in a firewall policy enables device identification on the source interfaces of that policy.
You cannot combine source user and source device in the same firewall policy.
FortiClient can be used as an agent based device identification technique.
Only agentless device identification techniques are supported.
Which are valid replies from a RADIUS server to an ACCESS-REQUEST packet from a FortiGate? (Choose two.)
Which methods can FortiGate use to send a One Time Password (OTP) to Two-Factor Authentication users? (Choose three.)
Software FortiToken (FortiToken mobile)
Which best describes the authentication timeout?
How long FortiGate waits for the user to enter his or her credentials.
How long a user is allowed to send and receive traffic before he or she must authenticate again.
How long an authenticated user can be idle (without sending traffic) before they must authenticate again.
How long a user-authenticated session can exist without having to authenticate again.
Which authentication methods does FortiGate support for firewall authentication? (Choose two.)
Remote Authentication Dial in User Service (RADIUS)
Lightweight Directory Access Protocol (LDAP)
Local Password Authentication
Remote Password Authentication
Which does FortiToken use as input when generating a token code? (Choose two.)
Which authentication scheme is not supported by the RADIUS implementation on FortiGate?
What protocol cannot be used with the active authentication type?
Which user group types does FortiGate support for firewall authentication? (Choose three.)
What is not true of configuring disclaimers on the FortiGate?
Disclaimers can be used in conjunction with captive portal.
Disclaimers appear before users authenticate.
Disclaimers can be bypassed through security exemption lists.
Disclaimers must be accepted in order to continue to the authentication login or originally intended destination.
When configuring LDAP on the FortiGate as a remote database for users, what is not a part of the configuration?
The name of the attribute that identifies each user (Common Name Identifier).
The user account or group element names (user DN).
The server secret to allow for remote queries (Primary server secret).
The credentials for an LDAP administrator (password).
Which statement best describes what SSL VPN Client Integrity Check does?
Blocks SSL VPN connection attempts from users that has been blacklisted.
Detects the Windows client security applications running in the SSL VPN client's PCs
Validates the SSL VPN user credential.
Verifies which SSL VPN portal must be presented to each SSL VPN user.
Verifies that the latest SSL VPN client is installed in the client's PC.
Which statement best describes what SSL.root is?
The name of the virtual network adapter required in each user's PC for SSL VPN Tunnel mode.
he name of a virtual interface in the root VDOM where all the SSL VPN user traffic comes from
A Firewall Address object that contains the IP addresses assigned to SSL VPN users.
The virtual interface in the root VDOM that the remote SSL VPN tunnels connect to.
Which of the following authentication methods can be used for SSL VPN authentication? (Choose three.)
Remote Password Authentication (RADIUS, LDAP)
Local Password Authentication
A FortiGate is configured with the 126.96.36.199/24 address on the wan2 interface and HTTPS Administrative Access, using the default tcp port, is enabled for that interface. Given the SSL VPN settings in the exhibit. Which of the following SSL VPN login portal URLs are valid? (Choose two.)
Which of the following statements are correct regarding SSL VPN Web-only mode? (Choose two.)
It can only be used to connect to web services.
IP traffic is encapsulated over HTTPS.
Access to internal network resources is possible from the SSL VPN portal.
The standalone FortiClient SSL VPN client CANNOT be used to establish a Web-only SSL VPN.
It is not possible to connect to SSH servers through the VPN.
Which statement is not correct regarding SSL VPN Tunnel mode?
IP traffic is encapsulated over HTTPS.
The standalone FortiClient SSL VPN client can be used to establish a Tunnel mode SSL VPN.
A limited amount of IP applications are supported.
The FortiGate device will dynamically assign an IP address to the SSL VPN network adapter.
Which of the following statements are true about IPsec VPNs? (Choose three.)
IPsec increases overhead and bandwidth.
IPsec operates at the layer 2 of the OSI model.
End-user's network applications must be properly pre-configured to send traffic across the IPsec VPN.
IPsec protects upper layer protocols.
IPsec operates at the layer 3 of the OSI model.
Which of the following statements is true regarding the differences between route-based and policy-based IPsec VPNs? (Choose two.)
The firewall policies for policy-based are bidirectional. The firewall policies for route-based are unidirectional.
In policy-based VPNs the traffic crossing the tunnel must be routed to the virtual IPsec interface. In route-based, it does not.
The action for firewall policies for route-based VPNs may be Accept or Deny, for policy-based VPNs it is Encrypt.
Policy-based VPN uses an IPsec interface, route-based does not.
Which of the following IPsec configuration modes can be used for implementing L2TP-over-IPSec VPNs?
Policy-based IPsec only.
Route-based IPsec only.
Both policy-based and route-based VPN.
L2TP-over-IPSec is not supported by FortiGate devices.
Which of the following authentication methods are supported in an IPsec phase 1? (Choose two.)
CA root digital certificates
How many packets are interchanged between both IPSec ends during the negotiation of a main-mode phase 1?
Which of the following IPsec configuration modes can be used when the FortiGate is running in NAT mode?
Policy-based VPN only
Route-based VPN only.
D. IPSec VPNs are not supported when the FortiGate is running in NAT mode.
Which portion of the configuration does an administrator specify the type of IPsec configuration (either policy-based or route-based)?
Under the IPsec VPN global settings.
Under the phase 2 settings.
Under the phase 1 settings.
Under the firewall policy settings.
Which of the following IKE modes is the one used during the IPsec phase 2 negotiation
Which of the following options best defines what Diffie-Hellman is?
A symmetric encryption algorithm.
A "key-agreement" protocol.
A "Security-association-agreement" protocol.
An authentication algorithm
What action does an IPsec Gateway take with the user traffic routed to an IPsec VPN when it does not match any phase 2 quick mode selector?
Traffic is dropped.
Traffic is routed across the default phase 2.
Traffic is routed to the next available route in the routing table.
Traffic is routed unencrypted to the interface where the IPsec VPN is terminating.
An Internet browser is using the WPAD DNS method to discover the PAC file’s URL. The DNS server replies to the browser’s request with the IP address 10.100.1.10. Which URL will the browser use to download the PAC file?
FortiGate I: 07. Explicit Proxy Quiz
Question 1 of 6
An Internet browser is using the WPAD DNS method to discover the PAC file’s URL. The DNS server replies to the browser’s request with the IP address 10.100.1.10. Which URL will the browser use to download the PAC file?
Which of the following statements is true regarding the TCP SYN packets that go from a client, through an implicit web proxy (transparent proxy), to a web server listening at TCP port 80? (Choose three.)
The source IP address matches the client IP address.
The source IP address matches the proxy IP address.
The destination IP address matches the proxy IP address.
The destination IP address matches the server IP addresses.
The destination TCP port number is 80.
Review the exhibit of an explicit proxy policy configuration. If there is a proxy connection attempt coming from the IP address 10.0.1.5, and from a user that has not authenticated yet, what action does the FortiGate proxy take?
User is prompted to authenticate. Traffic from the user Student will be allowed by the policy #1. Traffic from any other user will be allowed by the policy #2.
User is not prompted to authenticate. The connection is allowed by the proxy policy #2.
User is not prompted to authenticate. The connection will be allowed by the proxy policy #1.
User is prompted to authenticate. Only traffic from the user Student will be allowed. Traffic from any other user will be blocked.
Which protocol can an Internet browser use to download the PAC file with the web proxy configuration?
Which of the following are benefits of using web caching? (Choose three.)
Decrease bandwidth utilization
Reduce server load
Reduce FortiGate CPU usage
Reduce FortiGate memory usage
Decrease traffic delay
Question 6 of 6
Which of the following statements is true regarding the use of a PAC file to configure the web proxy settings in an Internet browser? (Choose two.)
More than one proxy is supported.
Can contain a list of destinations that will be exempt from the use of any proxy.
Can contain a list of URLs that will be exempted from the FortiGate web filtering inspection.
Can contain a list of users that will be exempted from the use of any proxy.
What is longest length of time allowed on a FortiGate device for the virus scan to complete?
Which type of conserve mode writes a log message immediately, rather than when the device exits conserve mode?
Files that are larger than the oversized limit are subjected to which Antivirus check?
Files reported to be infected by the "Suspicious" virus were subject to which Antivirus check?
Which are the three different types of Conserve Mode that can occur on a FortiGate device? (Choose three.)
A FortiGate device is configure to perform an AV & IPS scheduled update every hour. Given the information in the exhibit, when will the next update happen?
What is the maximum number of different virus databases a FortiGate can have?
Which of the following are possible actions for static URL filtering? (Choose three.)
Which of the following are possible actions for FortiGuard web category filtering? (Choose three.)
Examine the following log message attributes and select two correct statements from the list below. (Choose two.) hostname=www.youtube.com profiletype="Webfilter_Profile" profile="default" status="passthrough" msg="URL belongs to a category with warnings enabled"
The traffic was blocked.
The user failed authentication.
The category action was set to warning.
The website was allowed.
Which of the following actions can be used with the FortiGuard quota feature? (Choose three.)
Which of the following statements are true regarding the web filtering modes? (Choose two.)
Proxy based mode allows for customizable block pages to display when sites are prevented.
Proxy based mode requires more resources than flow-based.
Flow based mode offers more settings under the advanced configuration section of the GUI.
Proxy based mode offers higher throughput than flow-based mode.
Which of the following web filtering modes can inspect the full URL? (Choose two.)
The exhibit is a screen shot of an Application Control profile. Different settings are circled and numbered. Select the number identifying the setting which will provide additional information about YouTube access, such as the name of the video watched.
Which of the following statements are true regarding application control? (Choose two.)
Application control is based on TCP destination port numbers.
Application control is proxy based.
Encrypted traffic can be identified by application control.
Traffic shaping can be applied to the detected application traffic.
Which answer best describes what an "Unknown Application" is?
All traffic that matches the internal signature for unknown applications.
Traffic that does not match the RFC pattern for its protocol.
Any traffic that does not match an application control signature.
A packet that fails the CRC check.
What actions are possible with Application Control? (Choose three.)
How do application control signatures update on a FortiGate device?
Through FortiGuard updates.
Upgrade the FortiOS firmware to a newer release.
By running the Application Control auto-learning feature.
Signatures are hard coded to the device and cannot be updated.
The exhibit shows two static routes to the same destination subnet 172.20.168.0/24. Which of the following statements correctly describes this static routing configuration? (Choose two.)
Both routes will show up in the routing table.
The FortiGate unit will evenly share the traffic to 172.20.168.0/24 between both routes.
Only one route will show up in the routing table.
The FortiGate will route the traffic to 172.20.168.0/24 only through one route.
Which of the following fields contained in the IP/TCP/UDP headers can be used to make a routing decision when using policy-based routing? (Choose three.)
Source IP address
Source TCP/UDP port
Type of service
Which of the following statements are true regarding WAN Link Load Balancing? (Choose two.)
There can be only one virtual WAN Link per VDOM.
FortiGate can measure the quality of each link based on latency, jitter, or lost packets percentage.
Link health check can be performed over each link member of the virtual WAN interface.
Distance and priority values are configured in each link member of the virtual WAN interface.
The exhibit shows a FortiGate routing table. Which of the following statements are correct? (Choose two.)
There is only one active default route.
The distance value for the route to 192.168.1.0/24 is 200.
An IP address in the subnet 172.16.78.0/24 has been assigned to the dmz interface.
The FortiGate will route the traffic to 172.17.1.2 to the next hop with the IP address 192.168.11.254.
Which of the following statements best describes what a FortiGate does when packets match a black hole route?
Packets are dropped.
Packets are routed based on the information in the policy-based routing table.
An ICMP error message is sent back to the originator.
Packets are routed back to the originator.
The exhibit shows three static routes. Which static route(s) will be used to route the packets to the destination IP address 172.20.168.1?
The routes with the ID numbers 2 and 3.
Only the route with the ID number 3.
Only the route with the ID number 2.
Only the route with the ID number 1.
What must be configures in order to keep two static routes to the same destination in the routing table?
The same priority.
The same distance and same priority.
The same distance.
The same metric.
Which action does the FortiGate take when link health monitor times out?
All routes to the destination subnet configured in the link health monitor are removed from the routing table.
The distance values of all routes using the interface configured in the link health monitor are increased.
The priority values of all routes using the interface configured in the link health monitor are increased.
All routes using the next-hop gateway configured in the link health monitor are removed from the routing table.
In the debug command output shown in the exhibit, which of the following best describes the MAC address 00:09:0f:69:03:7e?
It is one of the secondary MAC addresses of the port1 interface.
It is the primary MAC address of the port1 interface.
It is the MAC address of another network device located in the same LAN segment as the FortiGate unit’s port1 interface.
It is the HA virtual MAC address.
Examine the network topology diagram in the exhibit; the workstation with the IP address 188.8.131.52 sends a TCP SYN packet to the workstation with the IP address 184.108.40.206. Which of the following sentences best describes the result of the reverse path forwarding (RPF) check executed by the FortiGate on the SYN packet? (Choose two.)
Packet is allowed if RPF is configured as loose.
Packet is allowed if RPF is configured as strict.
Packet is blocked if RPF is configured as loose.
Packet is blocked if RPF is configured as strict.
A FortiGate device has two VDOMs in NAT/route mode. Which of the following solutions can be implemented by a network administrator to route traffic between the two VDOMs? (Choose two.)
Use the inter-VDOM links automatically created between all VDOMS.
Manually create and configure an inter-VDOM link between your two VDOMs.
Interconnect and configure an external physical interface in one VDOM to another physical interface in the second VDOM.
Configure both VDOMs to share the same routing table.
Which of the following settings can be configured per VDOM? (Choose three.)
Operating mode (NAT/route or transparent)
Which of the following statements are correct regarding FortiGate virtual domains (VDOMs)? (Choose two.)
VDOMs divide a single FortiGate unit into two or more independent firewalls.
A management VDOM handles SNMP, logging, alert email, and FortiGuard updates.
Each VDOM can run different firmware versions.
Administrative users with a ‘super_admin’ profile can administrate only one VDOM.
Which of the following statements is correct concerning multiple VDOMs configured in a FortiGate device?
FortiGate devices, from the FGT/FWF 60D and above, all support VDOMS.
All FortiGate devices scale to 250 VDOMS.
Each VDOM requires its own FortiGuard license.
FortiGate devices support more NAT/Route VDOMs than Transparent Mode VDOMs.
A FortiGate device is configured with two VDOMs. The management VDOM is 'root', and is configured in transparent mode, 'vdom1' is configured as NAT/route mode. Which traffic is generated only by 'root' and not 'vdom1'? (Choose three.)
A FortiGate unit is operating in NAT/route mode and configured with two VLAN sub-interfaces on the same physical interface. Which of the following statement is correct regarding the VLAN IDs in this scenario?
The two VLAN sub-interfaces can have the same VLAN ID only if they have IP addresses in different subnets.
The two VLAN sub-interfaces must have different VLAN IDs.
The two VLAN sub-interfaces can have the same VLAN ID only if they belong to different VDOMs.
The two VLAN sub-interfaces can have the same VLAN ID if they are connected to different L2 IEEE 802.1Q compliant switches.
A FortiGate unit has multiple VDOMs in NAT/route mode with multiple VLAN interfaces in each VDOM. Which of the following statements is correct regarding the IP addresses assigned to each VLAN interface?
Different VLANs can share the same IP address as long as they have different VLAN IDs.
Different VLANs can share the same IP address as long as they are in different physical interfaces.
Different VLANs can share the same IP address as long as they are in different VDOMs.
Different VLANs can never share the same IP addresses.
A FortiGate device is configured with four VDOMs: 'root' and 'vdom1' are in NAT/route mode; 'vdom2' and 'vdom3' are in transparent mode. The management VDOM is 'root'. Which of the following statements are true? (Choose two.)
An inter-VDOM link between 'root' and 'vdom1' can be created.
An inter-VDOM link between 'vdom1' and 'vdom2' can be created.
An inter-VDOM link between 'vdom2 ' and 'vdom3' can be created.
Inter-VDOM link links must be manually configured for FortiGuard traffic.
Which of the following statements are correct differences between NAT/route and transparent mode? (Choose two.)
In transparent mode, interfaces do not have IP addresses.
Firewall policies are only used in NAT/route mode.
Static routes are only used in NAT/route mode.
Only transparent mode permits inline traffic inspection at layer 2.
What is the default criteria for selecting the HA master unit in a HA cluster?
port monitor, priority, uptime, serial number
port monitor, uptime, priority, serial number
priority, uptime, port monitor, serial number
uptime, priority, port monitor, serial number
Which of the following statements describes the objective of the gratuitous ARP packets sent by an HA cluster?
To synchronize the ARP tables in all the FortiGate units that are part of the HA cluster.
To notify the network switches that a new HA master unit has been elected.
To notify the master unit that the slave devices are still up and alive.
To notify the master unit about the physical MAC addresses of the slave units.
What information is synchronized between two FortiGate units that belong to the same HA cluster? (Choose three.)
IP addresses assigned to DHCP enabled interfaces.
The master device's hostname.
Routing configuration and state.
Reserved HA management interface IP configuration.
Firewall policies and objects.
What are required to be the same for two FortiGate units to form an HA cluster? (Choose two.)
System time zone
Which statement describes how traffic flows in sessions handled by a slave unit in an active-active HA cluster?
Packets are sent directly to the slave unit using the slave physical MAC address.
Packets are sent directly to the slave unit using the HA virtual MAC address.
Packets arrive at both units simultaneously, but only the slave unit forwards the session.
Packets are first sent to the master unit, which then forwards the packets to the slave unit.
Which of the following statements correctly describes the use of the “diagnose sys ha reset-uptime” command?
To force an HA failover when the HA override setting is disabled.
To force an HA failover when the HA override setting is enabled.
To clear the HA counters.
To restart a FortiGate unit that is part of an HA cluster.
Which of the following statements are correct regarding a master HA unit? (Choose two.)
There should be only one master unit is each HA virtual cluster.
The master synchronizes cluster configuration with slaves.
Only the master has a reserved management HA interface.
Heartbeat interfaces are not required on a master unit.
Which of the following statements are correct concerning the FortiGate session life support protocol? (Choose two.)
By default, UDP sessions are not synchronized.
Up to four FortiGate devices in standalone mode are supported.
Only the master unit handles the traffic.
Allows per-VDOM session synchronization.
What configuration objects are automatically added when using the FortiGate's FortiClient VPN Configuration Wizard? (Choose two.)
Which of the following statements are correct concerning IPsec dialup VPN configurations for FortiGate devices? (Choose two.)
Main mode must be used when there is more than one IPsec dialup VPN configure on the same FortiGate device.
A FortiGate device with an IPsec VPN configured as dialup can initiate the tunnel connection to any remote IP address.
Peer ID must be used when there is more than one aggressive-mode IPsec dialup VPN on the same FortiGate device.
The FortiGate will automatically add a static route to the source quick mode selector address received from each remote peer.
Which statement is correct concerning an IPsec VPN with the remote gateway setting configured as 'Dynamic DNS'?
The FortiGate will accept IPsec VPN connections from any IP address.
The FQDN resolution of the local FortiGate IP address where the VPN is terminated must be provided by a dynamic DNS provider.
The FortiGate will accept IPsec VPN connections only from IP addresses included in a dynamic DNS access list.
The remote gateway IP address can change dynamically.
The exhibit shows a part output of the diagnostic command 'diagnose debug application ike 255', taken during the establishment of a VPN. Which of the following statements are correct concerning this output? (Choose two.)
The quick mode selectors negotiated between both IPsec VPN peers is 0.0.0.0/32 for both the source and destination addresses.
The output corresponds to a phase 2 negotiation.
NAT-T is enabled and there is a third device in the path performing NAT of the traffic between both IPsec VPN peers.
The IP address of the remote IPsec VPN peer is 172.20.187.114.
Which of the following combinations of two FortiGate device configurations (side A and side B), can be used to successfully establish an IPsec VPN between them? (Choose two.)
Side A: main mode, remote gateway as static IP address, policy-based VPN. Side B: aggressive Mode, remote Gateway as static IP address, policy-based VPN.
Side A: main mode, remote gateway as static IP Address, policy-based VPN. Side B: main mode, remote gateway as static IP address, route-based VPN.
Side A: main mode, remote gateway as static IP address, route-based VPN. Side B: main mode, remote gateway as dialup, route-based VPN.
Side A: main mode, remote gateway as dialup, policy-based VPN. Side B: main mode, remote gateway as dialup, policy-based VPN.
Which of the following statements are correct concerning the IPsec phase 1 and phase 2, shown in the exhibit? (Choose two.)
The quick mode selector in the remote site must also be 0.0.0.0/0 for the source and destination addresses.
Only remote peers with the peer ID 'fortinet' will be able to establish a VPN.
The FortiGate device will automatically add a static route to the source quick mode selector address received from each remote VPN peer.
The configuration will work only to establish FortiClient-to-FortiGate tunnels. A FortiGate-to-FortiGate tunnel requires a different configuration.
What is required in a FortiGate configuration to have more than one dialup IPsec VPN using aggressive mode?
All the aggressive mode dialup VPNs MUST accept connections from the same peer ID.
Each peer ID MUST match the FQDN of each remote peer.
Each aggressive mode dialup MUST accept connections from different peer ID.
The peer ID setting must NOT be used.
Which of the following protocols are defined in the IPsec Standard? (Choose two.)
Which of the following statements are correct concerning IKE mode config? (Choose two.)
It can dynamically assign IP addresses to IPsec VPN clients.
It can dynamically assign DNS settings to IPsec VPN clients.
It uses the ESP protocol.
It can be enabled in the phase 2 configuration.
You have configured the DHCP server on a FortiGate's port1 interface (or internal, depending on the model) to offer IPs in a range of 192.168.1.65-192.168.1.253. When the first host sends a DHCP request, what IP will the DHCP offer?
Which is not a FortiGate feature?
Which UTM feature sends a UDP query to FortiGuard servers each time FortiGate scans a packet (unless the response is locally cached)?
You have created a new administrator account, and assign it the prof_admin profile. Which is false about that account's permissions?
It cannot upgrade or downgrade firmware.
It can create and assign administrator accounts to parts of its own VDOM.
It can reset forgotten passwords for other administrator accounts such as "admin".
It has a smaller permissions scope than accounts with the "super_admin" profile.
When an administrator attempts to manage FortiGate from an IP address that is not a trusted host, what happens?
FortiGate will still subject that person's traffic to firewall policies; it will not bypass them.
FortiGate will drop the packets and not respond.
FortiGate responds with a block message, indicating that it will not allow that person to log in.
FortiGate responds only if the administrator uses a secure protocol. Otherwise, it does not respond.
Acme Web Hosting is replacing one of their firewalls with a FortiGate. It must be able to apply port forwarding to their back-end web servers while blocking virus uploads and TCP SYN floods from attackers. Which operation mode is the best choice for these requirements?
NAT mode with an interface in one-arm sniffer mode
No appropriate operation mode exists
if you have lost your password for the "admin" account on your FortiGate, how should you reset it?
Log in with another administrator account that has "super_admin" profile permissions, then reset the password for the "admin" account.
Reboot the FortiGate. Via the local console, during the boot loader, use the menu to format the flash disk and reinstall the firmware. Then you can log in with the default password.
Power off the FortiGate. After several seconds, restart it. Via the local console, within 30 seconds after booting has completed, log in as "maintainer" and enter the CLI commands to set the password for the "admin" account.
Reboot the FortiGate. Via the local console, during the boot loader, use the menu to log in as "maintainer" and enter the CLI commands to set the password for the "admin" account.
A backup file begins with this line: #config-version=FGVM64-5.02-FW-build589-140613:opmode=0:vdom=0:user=admin #conf_file_ver=3881503152630288414 #buildno=0589 #global_vdom=1 Can you restore it to a FortiWiFi 60D?
Yes, but only if you replace the "#conf_file_ver" line so that it contains the serial number of that specific FortiWiFi 60D.
Yes, but only if it is running the same version of FortiOS, or a newer compatible version.
Which protocols can you use for secure administrative access to a FortiGate? (Choose two)
A new version of FortiOS firmware has just been released. When you upload new firmware, which is true?
If you upload the firmware image via the boot loader's menu from a TFTP server, it will not preserve the configuration. But if you upload new firmware via the GUI or CLI, as long as you are following a supported upgrade path, FortiOS will attempt to convert the existing configuration to be valid with any new or changed syntax.
No settings are preserved. You must completely reconfigure.
No settings are preserved. After the upgrade, you must upload a configuration backup file. FortiOS will ignore any commands that are not valid in the new OS. In those cases, you must reconfigure settings that are not compatible with the new firmware.
You must use FortiConverter to convert a backup configuration file into the syntax required by the new FortiOS, then upload it to FortiGate.
In a Crash log, what does a status of 0 indicate?
Abnormal termination of a process
A process closed for any reason
Normal shutdown with no abnormalities
DHCP process crashed
Which of the following are considered log types? (Choose three.)
What determines whether a log message is generated or not?
Firewall policy setting
Log Settings in the GUI
'config log' command in the CLI
Where are most of the security events logged?
Forward Traffic log
Alert Monitoring Console
What are the ways FortiGate can monitor logs? (Choose three.)
Alert Message Console
What attributes are always included in a log header? (Choose three.)
Examine this log entry. What does the log indicate? (Choose three.) date=2013-12-04 time=09:30:18 logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=http(192.168.1.112) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from http(192.168.1.112)"
In the GUI, the log entry was located under “Log & Report > Event Log > User”.
In the GUI, the log entry was located under “Log & Report > Event Log > System”.
In the GUI, the log entry was located under “Log & Report > Traffic Log > Local Traffic”.
The connection was encrypted
The connection was unencrypted.
The IP of the FortiGate interface that “admin” connected to was 192.168.1.112.
The IP of the computer that “admin” connected from was 192.168.1.112.
To which remote device can the FortiGate send logs? (Choose three.)
What log type would indicate whether a VPN is going up or down?
There are eight (8) log severity levels that indicate the importance of an event. Not including Debug, which is only needed to log diagnostic data, what are both the lowest AND highest severity levels?