Question # 4

An administrator has configured a strict RPF check on FortiGate. Which statement is true about the strict RPF check?

A.

The strict RPF check is run on the first sent and reply packet of any new session.

B.

Strict RPF checks the best route back to the source using the incoming interface.

C.

Strict RPF checks only for the existence of at least one active route back to the source using the incoming interface.

D.

Strict RPF allows packets back to sources with all active routes.

Question # 5

Consider the topology:

Application on a Windows machine <--{SSL VPN} -->FGT--> Telnet to Linux server.

An administrator is investigating a problem where an application establishes a Telnet session to a Linux server over the SSL VPN through FortiGate and the idle session times out after about 90 minutes. The administrator would like to increase or disable this timeout.

The administrator has already verified that the issue is not caused by the application or Linux server. This issue does not happen when the application establishes a Telnet connection to the Linux server directly on the LAN.

What two changes can the administrator make to resolve the issue without affecting services running through FortiGate? (Choose two.)

A.

Set the maximum session TTL value for the TELNET service object.

B.

Set the session TTL on the SSLVPN policy to maximum, so the idle session timeout will not happen after 90 minutes.

C.

Create a new service object for TELNET and set the maximum session TTL.

D.

Create a new firewall policy and place it above the existing SSLVPN policy for the SSL VPN traffic, and set the new TELNET service object in the policy.

Question # 6

Which feature in the Security Fabric takes one or more actions based on event triggers?

A.

Fabric Connectors

B.

Automation Stitches

C.

Security Rating

D.

Logical Topology

Question # 7

Which two statements are true about the Security Fabric rating? (Choose two.)

A.

It provides executive summaries of the four largest areas of security focus.

B.

Many of the security issues can be fixed immediately by clicking Apply where available.

C.

The Security Fabric rating must be run on the root FortiGate device in the Security Fabric.

D.

The Security Fabric rating is a free service that comes bundled with all FortiGate devices.

Question # 8

Refer to the exhibit.

The exhibit shows proxy policies and proxy addresses, the authentication rule and authentication scheme, users, and firewall address.

An explicit web proxy is configured for subnet range 10.0.1.0/24 with three explicit web proxy policies.

The authentication rule is configured to authenticate HTTP requests for subnet range 10.0.1.0/24 with a form-based authentication scheme for the FortiGate local user database. Users will be prompted for authentication.

How will FortiGate process the traffic when the HTTP request comes from a machine with the source IP 10.0.1.10 to the destination http://www.fortinet.com ? (Choose two.)

A.

If a Mozilla Firefox browser is used with User-B credentials, the HTTP request will be allowed.

B.

If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed.

C.

If a Mozilla Firefox browser is used with User-A credentials, the HTTP request will be allowed.

D.

If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTP request will be allowed.

Question # 9

Examine the two static routes shown in the exhibit, then answer the following question.

Which of the following is the expected FortiGate behavior regarding these two routes to the same destination?

A.

FortiGate will load balance all traffic across both routes.

B.

FortiGate will use the port1 route as the primary candidate.

C.

FortiGate will route twice as much traffic to the port2 route.

D.

FortiGate will only activate the port1 route in the routing table.

Question # 10

Examine this output from a debug flow:

Why did the FortiGate drop the packet?

A.

The next-hop IP address is unreachable.

B.

It failed the RPF check.

C.

It matched an explicitly configured firewall policy with the action DENY.

D.

It matched the default implicit firewall policy.

Question # 11

An administrator must disable RPF check to investigate an issue.

Which method is best suited to disable RPF without affecting features like antivirus and intrusion prevention system?

A.

Enable asymmetric routing, so the RPF check will be bypassed.

B.

Disable the RPF check at the FortiGate interface level for the source check.

C.

Disable the RPF check at the FortiGate interface level for the reply check.

D.

Enable asymmetric routing at the interface level.

Question # 12

Which downstream FortiGate VDOM is used to join the Security Fabric when split-task VDOM is enabled on all FortiGate devices?

A.

Root VDOM

B.

FG-traffic VDOM

C.

Customer VDOM

D.

Global VDOM

Question # 13

Which two statements are true about collector agent advanced mode? (Choose two.)

A.

Advanced mode uses Windows convention—NetBios: Domain\Username.

B.

FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate

C.

Advanced mode supports nested or inherited groups

D.

Security profiles can be applied only to user groups, not individual users.

Question # 14

Which two statements are true about collector agent standard access mode? (Choose two.)

A.

Standard mode uses Windows convention-NetBios: Domain\Username.

B.

Standard mode security profiles apply to organizational units (OU).

C.

Standard mode security profiles apply to user groups.

D.

Standard access mode supports nested groups.

Question # 15

Which of the following are purposes of NAT traversal in IPsec? (Choose two.)

A.

To detect intermediary NAT devices in the tunnel path.

B.

To dynamically change phase 1 negotiation mode to aggressive mode.

C.

To encapsulate ESP packets in UDP packets using port 4500.

D.

To force a new DH exchange with each phase 2 rekey.

Question # 16

Refer to the exhibit.

The exhibit displays the output of the CLI command: diagnose sys ha dump-by vcluster.

Which two statements are true? (Choose two.)

A.

FortiGate SN FGVM010000065036 HA uptime has been reset.

B.

FortiGate devices are not in sync because one device is down.

C.

FortiGate SN FGVM010000064692 is the primary because of higher HA uptime.

D.

FortiGate SN FGVM010000064692 has the higher HA priority.

Question # 17

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

A.

The collector agent uses a Windows API to query DCs for user logins.

B.

NetAPI polling can increase bandwidth usage in large networks.

C.

The collector agent must search security event logs.

D.

The NetSessionEnum function is used to track user logouts.

Question # 18

An administrator has configured outgoing Interface any in a firewall policy. Which statement is true about the policy list view?

A.

Policy lookup will be disabled.

B.

By Sequence view will be disabled.

C.

Search option will be disabled

D.

Interface Pair view will be disabled.

Question # 19

Refer to the exhibit.

The exhibit contains a network diagram, virtual IP, IP pool, and firewall policies configuration.

The WAN (port1) interface has the IP address 10.200.1.1/24.

The LAN (port3) interface has the IP address 10.0.1.254/24.

The first firewall policy has NAT enabled using IP Pool.

The second firewall policy is configured with a VIP as the destination address.

Which IP address will be used to source NAT the internet traffic coming from a workstation with the IP address 10.0.1.10?

A.

10.200.1.1

B.

10.200.3.1

C.

10.200.1.100

D.

10.200.1.10

Question # 20

Refer to the exhibit.

Based on the raw log, which two statements are correct? (Choose two.)

A.

Traffic is blocked because Action is set to DENY in the firewall policy.

B.

Traffic belongs to the root VDOM.

C.

This is a security log.

D.

Log severity is set to error on FortiGate.

Question # 21

FortiGate is configured as a policy-based next-generation firewall (NGFW) and is applying web filtering and application control directly on the security policy.

Which two other security profiles can you apply to the security policy? (Choose two.)

A.

Antivirus scanning

B.

File filter

C.

DNS filter

D.

Intrusion prevention

Question # 22

Which type of logs on FortiGate record information about traffic directly to and from the FortiGate management IP addresses?

A.

System event logs

B.

Forward traffic logs

C.

Local traffic logs

D.

Security logs

Question # 23

By default, FortiGate is configured to use HTTPS when performing live web filtering with FortiGuard servers.

Which CLI command will cause FortiGate to use an unreliable protocol to communicate with FortiGuard servers for live web filtering?

A.

set fortiguard-anycast disable

B.

set webfilter-force-off disable

C.

set webfilter-cache disable

D.

set protocol tcp

Question # 24

Refer to the exhibit, which contains a session diagnostic output.

Which statement is true about the session diagnostic output?

A.

The session is in SYN_SENT state.

B.

The session is in FIN_ACK state.

C.

The session is in FIN_WAIT state.

D.

The session is in ESTABLISHED state.

Question # 25

Which two statements are true about the FGCP protocol? (Choose two.)

A.

Not used when FortiGate is in Transparent mode

B.

Elects the primary FortiGate device

C.

Runs only over the heartbeat links

D.

Is used to discover FortiGate devices in different HA groups
