Practica NSE4

Description

Historia Quiz on Practica NSE4, created by Mauricio Gutierrez on 02/11/2017.

Resource summary

Question 1

Question
A FortiGate interface is configured with the following commands: What statements about the configuration are correct? (Choose two.)
Answer
  • IPv6 clients connected to port1 can use SLAAC to generate their IPv6 addresses.
  • FortiGate can provide DNS settings to IPv6 clients.
  • FortiGate can send IPv6 router advertisements (RAs).
  • FortiGate can provide IPv6 addresses to DHCPv6 clients.

Question 2

Question
Which of the following Fortinet hardware accelerators can be used to offload flow-based antivirus inspection? (Choose two.)
Answer
  • SP3
  • CP8
  • NP4
  • NP6

Question 3

Question
Under what circumstance would you enable LEARN as the Action on a firewall policy?
Answer
  • You want FortiGate to compile security feature activity from various security-related logs, such as virus and attack logs.
  • You want FortiGate to monitor a specific security profile in a firewall policy, and provide recommendations for that profile.
  • You want to capture data across all traffic and security vectors, and receive learning logs and a report with recommendations.
  • You want FortiGate to automatically modify your firewall policies as it learns your networking behavior.

Question 4

Question
What methods can be used to deliver the token code to a user who is configured to use two-factor authentication? (Choose three.)
Answer
  • Code blocks
  • SMS phone message
  • FortiToken
  • Browser pop-up window
  • Email

Question 5

Question
You are tasked to architect a new IPsec deployment with the following criteria: - There are two HQ sites that all satellite offices must connect to. - The satellite offices do not need to communicate directly with other satellite offices. - No dynamic routing will be used. - The design should minimize the number of tunnels being configured. Which topology should be used to satisfy all of the requirements?
Answer
  • Redundant
  • Hub-and-spoke
  • Partial mesh
  • Fully meshed

Question 6

Question
View the exhibit. Which of the following statements are correct? (Choose two.)
Answer
  • This is a redundant IPsec setup.
  • The TunnelB route is the primary one for reaching the remote site. The TunnelA route is used only if the TunnelB VPN is down.
  • This setup requires at least two firewall policies with action set to IPsec.
  • Dead peer detection must be disabled to support this type of IPsec setup.

Question 7

Question
What is FortiGate’s behavior when local disk logging is disabled?
Answer
  • Only real-time logs appear on the FortiGate dashboard.
  • No logs are generated.
  • Alert emails are disabled.
  • Remote logging is automatically enabled.

Question 8

Question
What traffic and attacks can be blocked by a web application firewall (WAF) profile? (Choose three.)
Answer
  • Traffic to inappropriate web sites
  • SQL injection attacks
  • Server information disclosure attacks
  • Credit card data leaks
  • Traffic to botnet command and control (C&C) servers

Question 9

Question
Which statements about One-to-One IP pool are true? (Choose two.)
Answer
  • It allows configuration of ARP replies.
  • It allows fixed mapping of an internal address range to an external address range.
  • It is used for destination NAT.
  • It does not use port address translation.

Question 10

Question
Which statements correctly describe transparent mode operation? (Choose three.)
Answer
  • All interfaces of the transparent mode FortiGate device must be on different IP subnets.
  • The transparent FortiGate is visible to network hosts in an IP traceroute.
  • It permits inline traffic inspection and firewalling without changing the IP scheme of the network.
  • Ethernet packets are forwarded based on destination MAC addresses, not IP addresses.
  • The FortiGate acts as a transparent bridge and forwards traffic at Layer-2.

Question 11

Question
View the exhibit. What is the effect of the Disconnect Cluster Member operation as shown in the exhibit? (Choose two.)
Answer
  • The HA mode changes to standalone.
  • The firewall policies are deleted on the disconnected member.
  • The system hostname is set to the FortiGate serial number.
  • The port3 is configured with an IP address for management access.

Question 12

Question
What step is required for an SSL VPN to access an internal server using port forward mode?
Answer
  • Configure the virtual IP addresses to be assigned to the SSL VPN users.
  • Install FortiClient SSL VPN client
  • Create an SSL VPN realm reserved for clients using port forward mode.
  • Configure the client application to forward IP traffic to a Java applet proxy.

Question 13

Question
View the exhibit. This is a sniffer output of a telnet connection request from 172.20.120.186 to the port1 interface of FGT1. In this scenario, FGT1 has the following routing table: Assuming telnet service is enabled for port1, which of the following statements correctly describes why FGT1 is not responding?
Answer
  • The port1 cable is disconnected.
  • The connection is dropped due to reverse path forwarding check.
  • The connection is denied due to forward policy check.
  • FGT1’s port1 interface is administratively down.

Question 14

Question
An administrator needs to be able to view logs for application usage on your network. What configurations are required to ensure that FortiGate generates logs for application usage activity? (Choose two.)
Answer
  • Enable a web filtering profile on the firewall policy.
  • Create an application control policy.
  • Enable logging on the firewall policy.
  • Enable an application control security profile on the firewall policy.

Question 15

Question
A company needs to provide SSL VPN access to two user groups. The company also needs to display different welcome messages on the SSL VPN login screen for both user groups. What is required in the SSL VPN configuration to meet these requirements?
Answer
  • Two separate SSL VPNs in different interfaces of the same VDOM
  • Different SSL VPN realms for each group
  • Different virtual SSL VPN IP addresses for each group
  • Two firewall policies with different captive portals

Question 16

Question
Examine the routing database. Which of the following statements are correct? (Choose two.)
Answer
  • The port3 default route has the lowest metric, making it the best route.
  • There will be eight routes active in the routing table.
  • The port3 default has a higher distance than the port1 and port2 default routes.
  • Both port1 and port2 default routes are active in the routing table.

Question 17

Question
View the exhibit. When a user attempts to connect to an HTTPS site, what is the expected result with this configuration?
Answer
  • The user is required to authenticate before accessing sites with untrusted SSL certificates.
  • The user is presented with certificate warnings when connecting to sites that have untrusted SSL certificates.
  • The user is allowed access to all sites with untrusted SSL certificates, without certificate warnings.
  • The user is blocked from connecting to sites that have untrusted SSL certificates (no exception provided).

Question 18

Question
View the exhibit. When Role is set to Undefined, which statement is true?
Answer
  • The GUI provides all the configuration options available for the port1 interface.
  • You cannot configure a static IP address for the port1 interface because it allows only DHCP addressing mode.
  • Firewall policies can be created from only the port1 interface to any interface.
  • The port1 interface is reserved for management only.

Question 19

Question
Which statement is true regarding the policy ID numbers of firewall policies?
Answer
  • Change when firewall policies are re-ordered.
  • Define the order in which rules are processed.
  • Are required to modify a firewall policy from the CLI.
  • Represent the number of objects used in the firewall policy.

Question 20

Question
An administrator needs to inspect all web traffic (including Internet web traffic) coming from users connecting to SSL VPN. How can this be achieved?
Answer
  • Disabling split tunneling
  • Configuring web bookmarks
  • Assigning public IP addresses to SSL VPN clients
  • Using web-only mode

Question 21

Question
Which traffic inspection features can be executed by a security processor (SP)? (Choose three.)
Answer
  • TCP SYN proxy
  • SIP session helper
  • Proxy-based antivirus
  • Attack signature matching
  • Flow-based web filtering

Question 22

Question
An administrator has configured two VLAN interfaces: A DHCP server is connected to the VLAN10 interface. A DHCP client is connected to the VLAN5 interface. However, the DHCP client cannot get a dynamic IP address from the DHCP server. What is the cause of the problem?
Answer
  • Both interfaces must be in different VDOMs
  • Both interfaces must have the same VLAN ID.
  • The role of the VLAN10 interface must be set to server.
  • Both interfaces must belong to the same forward domain.

Question 23

Question
View the exhibit. A user behind the FortiGate is trying to go to http://www.addictinggames.com (Addicting.Games). Based on this configuration, which statement is true?
Answer
  • Addicting.Games is allowed based on the Application Overrides configuration.
  • Addicting.Games is blocked based on the Filter Overrides configuration.
  • Addicting.Games can be allowed only if the Filter Overrides action is set to Exempt.
  • Addicting.Games is allowed based on the Categories configuration.

Question 24

Question
What are the purposes of NAT traversal in IPsec? (Choose two.)
Answer
  • To detect intermediary NAT devices in the tunnel path.
  • To encapsulate ESP packets in UDP packets using port 4500.
  • To force a new DH exchange with each phase 2 re-key
  • To dynamically change phase 1 negotiation mode to Aggressive.

Question 25

Question
Which statements about application control are true? (Choose two.)
Answer
  • Enabling application control profile in a security profile enables application control for all the traffic flowing through the FortiGate.
  • It cannot take an action on unknown applications.
  • It can inspect encrypted traffic.
  • It can identify traffic from known applications, even when they are using non-standard TCP/UDP ports.

Question 26

Question
View the exhibit. The client cannot connect to the HTTP web server. The administrator ran the FortiGate built-in sniffer and got the following output: What should be done next to troubleshoot the problem?
Answer
  • Execute another sniffer in the FortiGate, this time with the filter “host 10.0.1.10”.
  • Run a sniffer in the web server.
  • Capture the traffic using an external sniffer connected to port1.
  • Execute a debug flow.

Question 27

Question
Which of the following statements about NTLM authentication are correct? (Choose two.)
Answer
  • It is useful when users log in to DCs that are not monitored by a collector agent.
  • It takes over as the primary authentication method when configured alongside FSSO.
  • Multi-domain environments require DC agents on every domain controller.
  • NTLM-enabled web browsers are required.

Question 28

Question
What FortiGate feature can be used to allow IPv6 clients to connect to IPv4 servers?
Answer
  • IPv6-over-IPv4 IPsec
  • NAT64
  • IPv4-over-IPv6 IPsec
  • NAT66

Question 29

Question
Which statements best describe auto discovery VPN (ADVPN)? (Choose two.)
Answer
  • It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
  • ADVPN is only supported with IKEv2.
  • Tunnels are negotiated dynamically between spokes.
  • Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Question 30

Question
View the exhibit. Which statements about the exhibit are true? (Choose two.)
Answer
  • port1-VLAN10 and port2-VLAN10 can be assigned to different VDOMs.
  • port1-VLAN1 is the native VLAN for the port1 physical interface.
  • Traffic between port1-VLAN1 and port2-VLAN1 is allowed by default.
  • Broadcast traffic received in port1-VLAN10 will not be forwarded to port2-VLAN10.

Question 31

Question
Which statement about the firewall policy authentication timeout is true?
Answer
  • It is a hard timeout. The FortiGate removes the temporary policy for a user’s source IP address after this timer expires.
  • It is a hard timeout. The FortiGate removes the temporary policy for a user’s source MAC address after this timer expires.
  • It is an idle timeout. The FortiGate considers a user to be idle if it does not see any packets coming from the user’s source MAC address.
  • It is an idle timeout. The FortiGate considers a user to be idle if it does not see any packets coming from the user’s source IP.

Question 32

Question
Which of the following settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.)
Answer
  • Trusted host
  • HTTPS
  • Trusted authentication
  • SSH
  • FortiTelemetry

Question 33

Question
If traffic matches a DLP filter with the action set to Quarantine IP Address, what action does the FortiGate take?
Answer
  • It blocks all future traffic for that IP address for a configured interval.
  • It archives the data for that IP address.
  • It provides a DLP block replacement page with a link to download the file.
  • It notifies the administrator by sending an email.

Question 34

Question
How can a browser trust a web-server certificate signed by a third party CA?
Answer
  • The browser must have the CA certificate that signed the web-server certificate installed.
  • The browser must have the web-server certificate installed.
  • The browser must have the private key of CA certificate that signed the web-browser certificate installed.
  • The browser must have the public key of the web-server certificate installed.

Question 35

Question
How does FortiGate verify the login credentials of a remote LDAP user?
Answer
  • FortiGate sends the user entered credentials to the LDAP server for authentication.
  • FortiGate re-generates the algorithm based on the login credentials and compares it against the algorithm stored on the LDAP server.
  • FortiGate queries its own database for credentials.
  • FortiGate queries the LDAP server for credentials.

Question 36

Question
An administrator has enabled proxy-based antivirus scanning and configured the following settings: Which statement about the above configuration is true?
Answer
  • Files bigger than 10 MB are not scanned for viruses and will be blocked.
  • FortiGate scans only the first 10 MB of any file.
  • Files bigger than 10 MB are sent to the heuristics engine for scanning.
  • FortiGate scans the files in chunks of 10 MB.

Question 37

Question
Examine this output from the diagnose sys top command: Which statements about the output are true? (Choose two.)
Answer
  • sshd is the process consuming most memory
  • sshd is the process consuming most CPU
  • All the processes listed are in sleeping state
  • The sshd process is using 123 pages of memory

Question 38

Question
An administrator has created a custom IPS signature. Where does the custom IPS signature have to be applied?
Answer
  • In an IPS sensor
  • In an interface.
  • In a DoS policy.
  • In an application control profile.

Question 39

Question
An administrator wants to configure a FortiGate as a DNS server. The FortiGate must use its DNS database first, and then relay all irresolvable queries to an external DNS server. Which of the following DNS methods must you use?
Answer
  • Non-recursive
  • Recursive
  • Forward to primary and secondary DNS
  • Forward to system DNS

Question 40

Question
What information is flushed when the chunk-size value is changed in the config dlp settings?
Answer
  • The database for DLP document fingerprinting
  • The supported file types in the DLP filters
  • The archived files and messages
  • The file name patterns in the DLP filters

Question 41

Question
How does FortiGate select the central SNAT policy that is applied to a TCP session?
Answer
  • It selects the SNAT policy specified in the configuration of the outgoing interface.
  • It selects the first matching central-SNAT policy from top to bottom.
  • It selects the central-SNAT policy with the lowest priority.
  • It selects the SNAT policy specified in the configuration of the firewall policy that matches the traffic.

Question 42

Question
When using the WPAD DNS method, what is the FQDN format that browsers use to query the DNS server?
Answer
  • wpad.<local-domain>
  • srv_tcp.wpad.<local-domain>
  • srv_proxy.<local-domain>/wpad.dat
  • proxy.<local-domain>.wpad

Question 43

Question
An administrator is using the FortiGate built-in sniffer to capture HTTP traffic between a client and a server; however, the sniffer output shows only the packets related to TCP session setups and disconnections. Why?
Answer
  • The administrator is running the sniffer on the internal interface only.
  • The filter used in the sniffer matches the traffic only in one direction.
  • The FortiGate is doing content inspection.
  • TCP traffic is being offloaded to an NP6.

Question 44

Question
Which of the following statements about advanced AD access mode for FSSO collector agent are true? (Choose two.)
Answer
  • It is only supported if DC agents are deployed.
  • FortiGate can act as an LDAP client to configure the group filters.
  • It supports monitoring of nested groups.
  • It uses the Windows convention for naming, that is, Domain\Username.

Question 45

Question
Which configuration objects can be selected for the Source field of a firewall policy? (Choose two.)
Answer
  • FQDN address
  • IP pool
  • User or user group
  • Firewall service

Question 46

Question
Examine the exhibit, which contains a virtual IP and a firewall policy configuration. The WAN(port1) interface has the IP address 10.200.1.1/24. The LAN(port2) interface has the IP address 10.0.1.254/24. The top firewall policy has NAT enabled using outgoing interface address. The second firewall policy is configured with a virtual IP (VIP) as the destination address. Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?
Answer
  • 10.200.1.1
  • 10.0.1.254
  • Any available IP address in the WAN(port1) subnet 10.200.1.0/24
  • 10.200.1.10

Question 47

Question
Which statement about data leak prevention (DLP) on a FortiGate is true?
Answer
  • Traffic shaping can be applied to DLP sensors.
  • It can be applied to a firewall policy in a flow-based VDOM.
  • Files can be sent to FortiSandbox for detecting DLP threats.
  • It can archive files and messages.

Question 48

Question
Which statements about an IPv6-over-IPv4 IPsec configuration are correct? (Choose two.)
Answer
  • The remote gateway IP must be an IPv6 address.
  • The source quick mode selector must be an IPv4 address.
  • The local gateway IP must be an IPv4 address.
  • The destination quick mode selector must be an IPv6 address.

Question 49

Question
Which statements about DNS filter profiles are true? (Choose two.)
Answer
  • They can inspect HTTP traffic.
  • They must be applied in firewall policies with SSL inspection enabled.
  • They can block DNS requests to known botnet command and control servers.
  • They can redirect blocked requests to a specific portal.

Question 50

Question
An administrator needs to offload logging to FortiAnalyzer from a FortiGate with an internal hard drive. Which statements are true? (Choose two.)
Answer
  • Logs must be stored on FortiGate first, before transmitting to FortiAnalyzer
  • FortiGate uses port 8080 for log transmission
  • Log messages are transmitted as plain text in LZ4 compressed format (store-and-upload method).
  • FortiGate can encrypt communications using SSL encrypted OFTP traffic.

Question 51

Question
Which of the following statements describe WMI polling mode for FSSO collector agent? (Choose two.)
Answer
  • The collector agent does not need to search any security event logs.
  • WMI polling can increase bandwidth usage with large networks.
  • The NetSessionEnum function is used to track user logoffs.
  • The collector agent uses a Windows API to query DCs for user logins.

Question 52

Question
An administrator observes that the port1 interface cannot be configured with an IP address. What can be the reasons for that? (Choose three.)
Answer
  • The interface has been configured for one-arm sniffer.
  • The interface is a member of a virtual wire pair.
  • The operation mode is transparent.
  • The interface is a member of a zone.
  • Captive portal is enabled in the interface.

Question 53

Question
When browsing to an internal web server using a web-mode SSL VPN bookmark, which IP address is used as the source of the HTTP request?
Answer
  • The FortiGate unit’s public IP address
  • The FortiGate unit’s internal IP address
  • The remote user’s virtual IP address
  • The remote user’s public IP address

Question 54

Question
View the example routing table. Which route will be selected when trying to reach 10.20.30.254?
Answer
  • 10.20.30.0/26 [10/0] via 172.20.168.254, port2
  • The traffic will be dropped because it cannot be routed.
  • 10.20.30.0/24 [10/0] via 172.20.167.254, port3
  • 0.0.0.0/0 [10/0] via 172.20.121.2, port1

Question 55

Question
Which statements about IP-based explicit proxy authentication are true? (Choose two.)
Answer
  • IP-based authentication is best suited to authenticating users behind a NAT device.
  • Sessions from the same source address are treated as a single user.
  • IP-based authentication consumes less FortiGate memory than session-based authentication.
  • FortiGate remembers authenticated sessions using browser cookies.

Question 56

Question
Which statements about high availability (HA) for FortiGates are true? (Choose two.)
Answer
  • Virtual clustering can be configured between two FortiGate devices with multiple VDOMs.
  • Heartbeat interfaces are not required on the primary device.
  • HA management interface settings are synchronized between cluster members.
  • Sessions handled by UTM proxy cannot be synchronized.

Question 57

Question
Which statement about the FortiGuard services for the FortiGate is true?
Answer
  • Antivirus signatures are downloaded locally on the FortiGate.
  • FortiGate downloads IPS updates using UDP port 53 or 8888.
  • FortiAnalyzer can be configured as a local FDN to provide antivirus and IPS updates.
  • The web filtering database is downloaded locally on the FortiGate.

Question 58

Question
Which statements about antivirus scanning using flow-based full scan are true? (Choose two.)
Answer
  • The antivirus engine starts scanning a file after the last packet arrives.
  • It does not support FortiSandbox inspection.
  • FortiGate can insert the block replacement page during the first connection attempt only if a virus is detected at the start of the TCP stream.
  • It uses the compact antivirus database.

Question 59

Question
An administrator has configured a route-based IPsec VPN between two FortiGates. Which statement about this IPsec VPN configuration is true?
Answer
  • A phase 2 configuration is not required.
  • This VPN cannot be used as part of a hub and spoke topology.
  • The IPsec firewall policies must be placed at the top of the list.
  • A virtual IPsec interface is automatically created after the phase 1 configuration is completed.

Question 60

Question
The administrator needs to confirm that FortiGate 2 is properly routing that traffic to the 10.0.1.0/24 subnet. The administrator needs to confirm it by sending ICMP pings to FortiGate 2 from the CLI of FortiGate 1. What ping option needs to be enabled before running the ping?
Answer
  • Execute ping-options source port1
  • Execute ping-options source 10.200.1.1
  • Execute ping-options source 10.200.1.2
  • Execute ping-options source 10.0.1.254

Question 61

Question
How can you format the FortiGate flash disk?
Answer
  • Load the hardware test (HQIP) image.
  • Execute the CLI command execute formatlogdisk.
  • Load a debug FortiOS image.
  • Select the format boot device option from the BIOS menu.

Question 62

Question
How do you configure inline SSL inspection on a firewall policy? (Choose two.)
Answer
  • Enable one or more flow-based security profiles on the firewall policy.
  • Enable the SSL/SSH Inspection profile on the firewall policy.
  • Execute the inline ssl inspection CLI command.
  • Enable one or more proxy-based security profiles on the firewall policy.

Question 63

Question
Which traffic sessions can be offloaded to an NP6 processor? (Choose two.)
Answer
  • IPv6
  • RIP
  • GRE
  • NAT64

Question 64

Question
Based on this output, which statements are correct? (Choose two.)
Answer
  • FortiGate generated an event log for system conserve mode.
  • FortiGate has entered into system conserve mode.
  • By default, the FortiGate blocks new sessions.
  • FortiGate changed the global av-failopen settings to idledrop.

Question 65

Question
An administrator has blocked Netflix login in a cloud access security inspection (CASI) profile. The administrator has also applied the CASI profile to a firewall policy. What else is required for the CASI profile to work properly?
Answer
  • You must enable logging for security events on the firewall policy.
  • You must activate a FortiCloud account.
  • You must apply an application control profile to the firewall policy.
  • You must enable SSL inspection on the firewall policy.

Question 66

Question
How does FortiGate look for a matching firewall policy to process traffic?
Answer
  • From top to bottom, based on the sequence numbers.
  • Based on best match.
  • From top to bottom, based on the policy ID numbers.
  • From lower to higher, based on the priority value.

Question 67

Question
How do you configure a FortiGate to do traffic shaping of P2P traffic, such as BitTorrent?
Answer
  • Apply an application control profile allowing BitTorrent to a firewall policy and configure a traffic shaping policy.
  • Enable the shape option in a firewall policy with service set to BitTorrent.
  • Apply a traffic shaper to a BitTorrent entry in the SSL/SSH inspection profile.
  • Apply a traffic shaper to a protocol options profile.

Question 68

Question
Which file names will match the *.tiff file name pattern configured in a data leak prevention filter? (Choose two.)
Answer
  • tiff.tiff
  • tiff.png
  • tiff.jpeg
  • gif.tiff

Question 69

Question
An administrator has configured a dialup IPsec VPN with XAuth. Which statement best describes this scenario?
Answer
  • Only digital certificates will be accepted as an authentication method in phase 1.
  • Dialup clients must provide a username and password for authentication.
  • Phase 1 negotiations will skip pre-shared key exchange.
  • Dialup clients must provide their local ID during phase 2 negotiations.

Question 70

Question
Examine this output from a debug flow: Which statements about the output are correct? (Choose two.)
Answer
  • FortiGate received a TCP SYN/ACK packet.
  • The source IP address of the packet was translated to 10.0.1.10.
  • FortiGate routed the packet through port 3.
  • The packet was allowed by the firewall policy with the ID 00007fc0.

Question 71

Question
Which component of FortiOS performs application control inspection?
Answer
  • Kernel
  • Antivirus engine
  • IPS engine
  • Application control engine

Question 72

Question
Which of the following statements about policy-based IPsec tunnels are true? (Choose two.)
Answer
  • They support GRE-over-IPsec.
  • They can be configured in both NAT/Route and transparent operation modes.
  • They require two firewall policies: one for each direction of traffic flow.
  • They support L2TP-over-IPsec.

Question 73

Question
What statement describes what DNS64 does?
Answer
  • Converts DNS A record lookups to AAAA record lookups.
  • Translates the destination IPv6 address of the DNS traffic to an IPv4 address.
  • Synthesizes DNS AAAA records from A records.
  • Translates the destination IPv4 address of the DNS traffic to an IPv6 address.

Question 74

Question
What does the command diagnose debug fsso-polling refresh-user do?
Answer
  • It refreshes user group information from any servers connected to the FortiGate using a collector agent.
  • It refreshes all users learned through agentless polling.
  • It displays status information and some statistics related to the polls done by FortiGate on each DC.
  • It enables agentless polling mode real-time debug.

Question 75

Question
Why must you use aggressive mode when a local FortiGate IPsec gateway hosts multiple dialup tunnels?
Answer
  • The FortiGate is able to handle NATed connections only with aggressive mode.
  • FortiClient supports aggressive mode.
  • The remote peers are able to provide their peer IDs in the first message with aggressive mode.
  • Main mode does not support XAuth for user authentication.

Question 76

Question
An administrator has configured the following settings: What does the configuration do? (Choose two.)
Answer
  • Reduces the amount of logs generated by denied traffic.
  • Enforces device detection on all interfaces for 30 minutes.
  • Blocks denied users for 30 minutes.
  • Creates a session for traffic being denied.

Question 77

Question
Which statements about FortiGate inspection modes are true? (Choose two.)
Answer
  • The default inspection mode is proxy based.
  • Switching from proxy-based mode to flow-based, then back to proxy-based mode, will not result in the original configuration.
  • Proxy-based inspection is not available in VDOMs operating in transparent mode.
  • Flow-based profiles must be manually converted to proxy-based profiles before changing the inspection mode from flow based to proxy based.

Question 78

Question
Examine the following interface configuration on a FortiGate in transparent mode: Which statement about this configuration is correct?
Answer
  • The FortiGate generates spanning tree BPDU frames.
  • The FortiGate device forwards received spanning tree BPDU frames.
  • The FortiGate can block an interface if a layer-2 loop is detected.
  • Ethernet layer-2 loops are likely to occur.

Question 79

Question
Examine this PAC file configuration. Which of the following statements are true? (Choose two.)
Answer
  • Browsers can be configured to retrieve this PAC file from the FortiGate.
  • Any web request to the 172.25.120.0/24 subnet is allowed to bypass the proxy.
  • All requests not made to Fortinet.com or the 172.25.120.0/24 subnet have to go through altproxy.corp.com:8060.
  • Any web request to fortinet.com is allowed to bypass the proxy.

Question 80

Question
In a high availability (HA) cluster operating in active-active mode, which of the following correctly describes the path taken by the SYN packet of an HTTP session that is offloaded to a secondary FortiGate?
Answer
  • Client > primary FortiGate > secondary FortiGate > primary FortiGate > web server.
  • Client > secondary FortiGate > web server.
  • Client > secondary FortiGate > primary FortiGate > web server.
  • Client > primary FortiGate > secondary FortiGate > web server.

Question 81

Question
A FortiGate is operating in NAT/Route mode and configured with two virtual LAN (VLAN) sub-interfaces added to the same physical interface. Which statement about the VLAN IDs in this scenario is true?
Answer
  • The two VLAN sub-interfaces can have the same VLAN ID only if they belong to different VDOMs.
  • The two VLAN sub-interfaces must have different VLAN IDs.
  • The two VLAN sub-interfaces can have the same VLAN ID only if they have IP addresses in the same subnet.
  • The two VLAN sub-interfaces can have the same VLAN ID only if they have IP addresses in different subnets.

Question 82

Question
Which of the following statements are true when using Web Proxy Auto-discovery Protocol (WPAD) with the DHCP discovery method? (Choose two.)
Answer
  • The browser sends a DHCPINFORM request to the DHCP server.
  • The browser will need to be preconfigured with the DHCP server’s IP address.
  • The DHCP server provides the PAC file for download.
  • If the DHCP method fails, browsers will try the DNS method.

Question 83

Question
What inspections are executed by the IPS engine? (Choose three.)
Answer
  • Application control
  • Flow-based data leak prevention
  • Proxy-based antispam
  • Flow-based web filtering
  • Proxy-based antivirus

Question 84

Question
Examine the exhibit. A client workstation is connected to FortiGate port2. The FortiGate port1 is connected to an ISP router. Port2 and port3 are both configured as a software switch. What IP address must be configured in the workstation as the default gateway?
Answer
  • The port2’s IP address
  • The router’s IP address.
  • The FortiGate’s management IP address.
  • The software switch interface’s IP address.

Question 85

Question
Which of the following statements about central NAT are true? (Choose two.)
Answer
  • IP pool references must be removed from existing firewall policies before enabling central NAT.
  • Central NAT can be enabled or disabled from the CLI only.
  • Source NAT, using central NAT, requires at least one central SNAT policy.
  • Destination NAT, using central NAT, requires a VIP object as the destination address in a firewall policy.

Question 86

Question
Which of the following statements about the FSSO collector agent timers is true?
Answer
  • The dead entry timeout interval is used to age out entries with an unverified status.
  • The workstation verify interval is used to periodically check if a workstation is still a domain member.
  • The user group cache expiry is used to age out the monitored groups.
  • The IP address change verify interval monitors the server IP address where the collector agent is installed, and updates the collector agent configuration if it changes.

Question 87

Question
An administrator has enabled the DHCP Server on the port1 interface and configured the following based on the exhibit. Which statement is correct based on this configuration?
Answer
  • The MAC address 00:0c:29:29:38:da belongs to the port1 interface.
  • Access to the network is blocked for the devices with the MAC address 00:0c:29:29:38:da and the IP address 10.0.1.254.
  • 00:0c:29:29:38:da is the virtual MAC address assigned to the secondary IP address (10.0.1.254) of the port1 interface.
  • The IP address 10.0.1.254 is reserved for the device with the MAC address 00:0c:29:29:38:da.

Question 88

Question
An administrator wants to create a policy-based IPsec VPN tunnel between two FortiGate devices. Which configuration steps must be performed on both units to support this scenario? (Choose three.)
Answer
  • Define the phase 2 parameters.
  • Set the phase 2 encapsulation method to transport mode.
  • Define at least one firewall policy, with the action set to IPsec.
  • Define a route to the remote network over the IPsec tunnel.
  • Define the phase 1 parameters, without enabling IPsec interface mode.

Question 89

Question
View the Exhibit. Which statements are correct based on this output? (Choose two.)
Answer
  • The global configuration is synchronized between the primary and secondary FortiGate.
  • The all VDOM is not synchronized between the primary and secondary FortiGate.
  • The root VDOM is not synchronized between the primary and secondary FortiGate.
  • The FortiGates have three VDOMs.