Black Friday / Cyber Monday Special 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ex2p65

Exact2Pass Menu

Login / Register

Question # 4

Which three statements are true regarding session-based authentication? (Choose three.)

A.

HTTP sessions are treated as a single user.

B.

IP sessions from the same source IP address are treated as a single user.

C.

It can differentiate among multiple clients behind the same source IP address.

D.

It requires more resources.

E.

It is not recommended if multiple users are behind the source NAT

Full Access
Question # 5

Which three security features require the intrusion prevention system (IPS) engine to function? (Choose three.)

A.

Web filter in flow-based inspection

B.

Antivirus in flow-based inspection

C.

DNS filter

D.

Web application firewall

E.

Application control

Full Access
Question # 6

Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

A.

Fabric Coverage

B.

Automated Response

C.

Security Posture

D.

Optimization

Full Access
Question # 7

Consider the topology:

Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.

An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.

The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

A.

Set the maximum session TTL value for the TELNET service object.

B.

Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

C.

Create a new service object for TELNET and set the maximum session TTL.

D.

Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Full Access
Question # 8

Which three methods are used by the collector agent for AD polling? (Choose three.)

A.

FortiGate polling

B.

NetAPI

C.

Novell API

D.

WMI

E.

WinSecLog

Full Access
Question # 9

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.

What must an administrator do to achieve this objective?

A.

The administrator can register the same FortiToken on more than one FortiGate.

B.

The administrator must use a FortiAuthenticator device.

C.

The administrator can use a third-party radius OTP server.

D.

The administrator must use the user self-registration server.

Full Access
Question # 10

Examine the IPS sensor and DoS policy configuration shown in the exhibit, then answer the question below.

When detecting attacks, which anomaly, signature, or filter will FortiGate evaluate first?

A.

SMTP.Login.Brute.Force

B.

IMAP.Login.brute.Force

C.

ip_src_session

D.

Location: server Protocol: SMTP

Full Access
Question # 11

What inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

A.

Full Content inspection

B.

Proxy-based inspection

C.

Certificate inspection

D.

Flow-based inspection

Full Access
Question # 12

Examine the exhibit, which contains a virtual IP and firewall policy configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port2) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled on the outgoing interface address. The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT the Internet traffic coming from a workstation with the IP address 10.0.1.10/24?

A.

10.200.1.10

B.

Any available IP address in the WAN (port1) subnet 10.200.1.0/24

C.

10.200.1.1

D.

10.0.1.254

Full Access
Question # 13

Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)

A.

Heartbeat interfaces have virtual IP addresses that are manually assigned.

B.

A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

C.

Virtual IP addresses are used to distinguish between cluster members.

D.

The primary device in the cluster is always assigned IP address 169.254.0.1.

Full Access
Question # 14

Refer to the exhibit.

An administrator has configured a performance SLA on FortiGate, which failed to generate any traffic.

Why is FortiGate not sending probes to 4.2.2.2 and 4.2.2.1 servers? (Choose two.)

A.

The Detection Mode setting is not set to Passive.

B.

Administrator didn't configure a gateway for the SD-WAN members, or configured gateway is not valid.

C.

The configured participants are not SD-WAN members.

D.

The Enable probe packets setting is not enabled.

Full Access
Question # 15

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

* All traffic must be routed through the primary tunnel when both tunnels are up

* The secondary tunnel must be used only if the primary tunnel goes down

* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two,)

A.

Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

B.

Enable Dead Peer Detection.

C.

Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.

D.

Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Full Access
Question # 16

How does FortiGate act when using SSL VPN in web mode?

A.

FortiGate acts as an FDS server.

B.

FortiGate acts as an HTTP reverse proxy.

C.

FortiGate acts as DNS server.

D.

FortiGate acts as router.

Full Access
Question # 17

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

A.

The strict RPF check is run on the first sent and reply packet of any new session.

B.

Strict RPF checks the best route back to the source using the incoming interface.

C.

Strict RPF checks only for the existence of at cast one active route back to the source using the incoming interface.

D.

Strict RPF allows packets back to sources with all active routes.

Full Access
Question # 18

Refer to the exhibit.

An administrator is running a sniffer command as shown in the exhibit.

Which three pieces of information are included in the sniffer output? (Choose three.)

A.

Interface name

B.

Ethernet header

C.

IP header

D.

Application header

E.

Packet payload

Full Access
Question # 19

Which engine handles application control traffic on the next-generation firewall (NGFW) FortiGate?

A.

Antivirus engine

B.

Intrusion prevention system engine

C.

Flow engine

D.

Detection engine

Full Access
Question # 20

Refer to the exhibit.

Given the routing database shown in the exhibit, which two statements are correct? (Choose two.)

A.

The port3 default route has the highest distance.

B.

The port3 default route has the lowest metric.

C.

There will be eight routes active in the routing table.

D.

The port1 and port2 default routes are active in the routing table.

Full Access
Question # 21

A network administrator is configuring a new IPsec VPN tunnel on FortiGate. The remote peer IP address is dynamic. In addition, the remote peer does not support a dynamic DNS update service.

What type of remote gateway should the administrator configure on FortiGate for the new IPsec VPN tunnel to work?

A.

Static IP Address

B.

Dialup User

C.

Dynamic DNS

D.

Pre-shared Key

Full Access
Question # 22

Refer to the exhibit.

Review the Intrusion Prevention System (IPS) profile signature settings. Which statement is correct in adding the FTP.Login.Failed signature to the IPS sensor profile?

A.

The signature setting uses a custom rating threshold.

B.

The signature setting includes a group of other signatures.

C.

Traffic matching the signature will be allowed and logged.

D.

Traffic matching the signature will be silently dropped and logged.

Full Access
Question # 23

An administrator wants to configure timeouts for users. Regardless of the userג€™s behavior, the timer should start as soon as the user authenticates and expire after the configured value.

Which timeout option should be configured on FortiGate?

A.

auth-on-demand

B.

soft-timeout

C.

idle-timeout

D.

new-session

E.

hard-timeout

Full Access
Question # 24

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers.

Which CLI command will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering?

A.

set fortiguard-anycast disable

B.

set webfilter-force-off disable

C.

set webfilter-cache disable

D.

set protocol tcp

Full Access
Question # 25

Which two configuration settings are synchronized when FortiGate devices are in an active-active HA cluster? (Choose two.)

A.

FortiGuard web filter cache

B.

FortiGate hostname

C.

NTP

D.

DNS

Full Access