Quiz by Lucas Roveda, created more than 1 year ago

NSE 4 (7.2) exam training

Created by Lucas Roveda about 1 year ago

NSE 4 (7.2) practice exam

Question 1 of 64

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.
What must the administrator do to achieve this objective?

Select one of the following:

  • The administrator must use a third-party RADIUS OTP server

  • The administrator must use the user self-registration server

  • The administrator must register the same FortiToken on more than one FortiGate device

  • The administrator must use a FortiAuthenticator device

Question 2 of 64

What is a reason for triggering IPS fail open?

Select one of the following:

  • The administrator enabled NTurbo acceleration

  • The IPS engine cannot decode a packet.

  • The IPS socket buffer is full and the IPS engine cannot process additional packets.

  • The IPS engine is upgraded.

Question 3 of 64

An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection.

Which FortiGate configuration can achieve this goal?

Select one of the following:

  • SSL VPN tunnel

  • Zero trust network access

  • SSL VPN quick connection

  • SSL VPN bookmark

Question 4 of 64

Refer to the exhibit.
The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.
An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.
What are two solutions for satisfying the requirement? (Choose two.)

Select one or more of the following:

  • Set the Freeware and Software Downloads category Action to Warning

  • Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively

  • Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address

  • Configure a web override rating for download.com and select Malicious Websites as the subcategory.

Question 5 of 64

What are two features of collector agent advanced mode? (Choose two.)

Select one or more of the following:

  • Advanced mode supports nested or inherited groups

  • In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate

  • Advanced mode uses the Windows convention—NetBios: Domain\Username

  • In advanced mode, security profiles can be applied only to user groups, not individual users.

Question 6 of 64

Refer to the exhibits.
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The administrator disabled the WebServer firewall policy.
Which IP address will be used to source NAT the traffic, if a user with address 10.0.1.10 connects over SSH to the host with address 10.200.3.1?

Select one of the following:

  • 10.200.1.1

  • 10.200.3.1

  • 10.200.1.10

  • 10.0.1.254

Question 7 of 64

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?

Select one of the following:

  • The matching firewall policy is set to proxy inspection mode

  • The browser does not trust the certificate used by FortiGate for SSL inspection

  • The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions

  • The full SSL inspection feature does not have a valid license.

Question 8 of 64

Which three methods are used by the collector agent for AD polling? (Choose three.)

Select one or more of the following:

  • FSSO REST API

  • NetAPI

  • WMI

  • FortiGate polling

  • WinSecLog

Question 9 of 64

Refer to the exhibit.
Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?

Select one of the following:

  • Custom permission for Network

  • Read/Write permission for Firewall

  • Read/Write permission for Log & Report

  • CLI diagnostics commands permission

Question 10 of 64

Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)

Select one or more of the following:

  • Extended authentication (XAuth) to request the remote peer to provide a username and password

  • No certificate is required on the remote peer when you set the certificate signature as the authentication method

  • Extended authentication (XAuth) for faster authentication because fewer packets are exchanged

  • Pre-shared key and certificate signature as authentication methods

Question 11 of 64

What is the primary FortiGate election process when the HA override setting is disabled?

Select one of the following:

  • Connected monitored ports > HA uptime > Priority > FortiGate serial number

  • Connected monitored ports > System uptime > Priority > FortiGate serial number

  • Connected monitored ports > Priority > System uptime > FortiGate serial number

  • Connected monitored ports > Priority > HA uptime > FortiGate serial number

Question 12 of 64

Refer to the exhibit, which contains a static route configuration.
An administrator created a static route for Amazon Web Services.
Which CLI command must the administrator use to view the route?

Select one of the following:

  • diagnose firewall proute list

  • get router info routing-table database

  • get router info routing-table all

  • get internet-service route list

Question 13 of 64

Refer to the exhibit.
The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local VDOMs are configured in transparent mode.
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users to access the internet. The To_Internet VDOM is the only VDOM with internet access and is directly connected to the ISP modem.
What can you conclude about this configuration?

Select one of the following:

  • A default static route is not required on the To_Internet VDOM to allow LAN users to access the internet.

  • Inter-VDOM links are required to allow traffic between the Local and Root VDOMs

  • Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs

  • Inter-VDOM links are not required between the Root and To_Internet VDOMs
    because the Root VDOM is used only as a management VDOM

Question 14 of 64

How can you disable RPF checking?

Select one of the following:

  • Disable src-check on the interface level settings

  • Disable fail-detect on the interface level settings

  • Disable strict-src-check under system settings

  • Unset fail-alert-interfaces on the interface level settings

Question 15 of 64

You have enabled logging on a FortiGate device for event logs and all security logs, and you have set up logging to use the FortiGate local disk.
What is the default behavior when the local disk is full?

Select one of the following:

  • No new log is recorded until you manually clear logs from the local disk

  • Logs are overwritten and the first warning is issued when log disk use reaches the threshold of 75%

  • No new log is recorded after the warning is issued when log disk use reaches the threshold of 95%

  • Logs are overwritten and the only warning is issued when log disk use reaches the threshold of 95%

Question 16 of 64

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

Select one of the following:

  • SSLVPN login-timeout

  • SSLVPN dtls-hello-timeout

  • SSLVPN idle-timeout

  • SSLVPN http-request-body-timeout

Question 17 of 64

An administrator wants to simplify remote access without asking users to provide user credentials.
Which access control method provides this solution?

Select one of the following:

  • ZTNA access proxy

  • ZTNA IP/MAC filtering mode

  • SSL VPN

  • L2TP

Question 18 of 64

Refer to the exhibits.
The exhibits show a firewall policy (Exhibit A) and an antivirus profile (Exhibit B).
Why is the user unable to receive a block replacement message when downloading an infected file for the first time?

Select one of the following:

  • The intrusion prevention security profile must be enabled when using flow-based
    inspection mode.

  • The firewall policy performs a full content inspection on the file

  • Flow-based inspection is used, which resets the last packet to the user

  • The volume of traffic being inspected is too high for this model of FortiGate

Question 19 of 64

Refer to the exhibits.
The exhibits contain a network interface configuration, firewall policies, and a CLI console configuration.
How will the FortiGate device handle user authentication for traffic that arrives on the LAN interface?

Select one of the following:

  • All users will be prompted for authentication; users from the HR group can
    authenticate successfully with the correct credentials

  • All users will be prompted for authentication; users from the sales group can
    authenticate successfully with the correct credentials.

  • Authentication is enforced only at a policy level, all users will be prompted for
    authentication.

  • If there is a fall-through policy in place, users will not be prompted for authentication.

Question 20 of 64

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

Select one or more of the following:

  • Operating mode

  • FortiGuard update servers

  • NGFW mode

  • System time

Question 21 of 64

Which three CLI commands can you use to troubleshoot Layer 3 issues, if the issue is in neither the physical layer nor the link layer? (Choose three.)

Select one or more of the following:

  • execute traceroute

  • diagnose sys top

  • get system arp

  • diagnose sniffer packet any

  • execute ping

Question 22 of 64

Refer to the exhibits.
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?

Select one of the following:

  • Change the csf setting on ISFW (downstream) to set authorization-request-type certificate

  • Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

  • Change the csf setting on ISFW (downstream) to set configuration-sync local

  • Change the csf setting on both devices to set downstream-access enable.

Question 23 of 64

Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.
Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)

Select one or more of the following:

  • FortiGate allocates port blocks per user, based on the configured range of internal IP addresses

  • FortiGate generates a system event log for every port block allocation made per user.

  • FortiGate allocates 128 port blocks per user

  • FortiGate allocates port blocks on a first-come, first-served basis

Question 24 of 64

Refer to the exhibit.
The exhibit shows a diagram of a FortiGate device connected to the network and the firewall policy and IP pool configuration on the FortiGate device.
Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.
Based on the information shown in the exhibit, which three configuration changes should the administrator make to fix the connectivity issue for PC3? (Choose three.)

Select one or more of the following:

  • In the IP pool configuration, set type to overload

  • Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list

  • In the firewall policy disable ippool.

  • Configure 192.2.0.12/24 as the secondary IP address on port1.

  • In the IP pool configuration, set endip to 192.2.0.12

Question 25 of 64

Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?

Select one of the following:

  • Downstream devices can connect to the upstream device from any of their VDOMs

  • VDOMs without ports with connected devices are not displayed in the topology.

  • Each VDOM in the environment can be part of a different Security Fabric.

  • Security rating reports can be run individually for each configured VDOM

Question 26 of 64

FortiGate is integrated with FortiAnalyzer and FortiManager.
When a firewall policy is created, which attribute is added to the policy to improve functionality and to support recording logs to FortiAnalyzer or FortiManager?

Select one of the following:

  • Policy ID

  • Log ID

  • Universally Unique Identifier

  • Sequence ID

Question 27 of 64

Refer to the exhibit.
Based on the raw log, what can you conclude from the output? (Choose two.)

Select one or more of the following:

  • Traffic belongs to the root VDOM

  • Traffic is blocked because Action is set to DENY in the firewall policy.

  • This is a security log.

  • Log severity is set to error on FortiGate

Question 28 of 64

What are two functions of the ZTNA rule? (Choose two.)

Select one or more of the following:

  • It applies security profiles to protect traffic

  • It redirects the client request to the access proxy.

  • It enforces access control

  • It defines the access proxy.

Question 29 of 64

Refer to the exhibit.
Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit.
What do you conclude when adding the FTP.Login.Failed signature to the IPS sensor profile?

Select one of the following:

  • Traffic matching the signature will be silently dropped and logged.

  • The signature setting includes a group of other signatures

  • Traffic matching the signature will be allowed and logged

  • The signature setting uses a custom rating threshold.

Question 30 of 64

Refer to the exhibit to view the firewall policy.
Why would the firewall policy not block a well-known virus, for example eicar?

Select one of the following:

  • The action on the firewall policy is not set to deny

  • Web filter is not enabled on the firewall policy to complement the antivirus profile.

  • The firewall policy does not apply deep content inspection

  • The firewall policy is not configured in proxy-based inspection mode

Question 31 of 64

Refer to the exhibits.
Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.
Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

Select one or more of the following:

  • The cluster can load balance ICMP connections to the secondary

  • For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

  • For non-load balanced connections, packets forwarded by cluster to the server contain the virtual MAC address of port2 as source

  • The traffic sourced from the client and destined to the server is sent to FGT-1.

Question 32 of 64

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.
What is true about the DNS connection to a FortiGuard server?

Select one or more of the following:

  • It uses UDP 53

  • It uses UDP 8888

  • It uses DNS over HTTPS

  • It uses DNS over TLS

Question 33 of 64

If Internet Service is already selected as Destination in a firewall policy, which other configuration object can be selected for the Destination field of a firewall policy?

Select one or more of the following:

  • User or User Group

  • IP address

  • FQDN address

  • No other object can be added

Question 34 of 64

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

Select one or more of the following:

  • NetAPI polling can increase bandwidth usage in large networks.

  • The collector agent must search Windows application event logs.

  • The NetSessionEnum function is used to track user logouts

  • The collector agent uses a Windows API to query DCs for user logins.

Question 35 of 64

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.
What is true about the DNS connection to a FortiGuard server?

Select one or more of the following:

  • It uses DNS over TLS

  • It uses DNS over HTTPS

  • It uses UDP 8888

  • It uses UDP 53

Question 36 of 64

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

Select one or more of the following:

  • FortiGate automatically negotiates a new security association after the existing security association expires

  • FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

  • FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel

  • FortiGate automatically negotiates different local and remote addresses with the remote peer

Question 37 of 64

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile.
Which order must FortiGate use when the web filter profile has features such as safe search enabled?

Select one or more of the following:

  • Static URL filter, FortiGuard category filter, and advanced filters

  • Static domain filter, SSL inspection filter, and external connectors filters

  • DNS-based web filter and proxy-based web filter

  • FortiGuard category filter and rating filter

Question 38 of 64

The IPS engine is used by which three security features? (Choose three.)

Select one or more of the following:

  • Antivirus in flow-based inspection

  • DNS filter

  • Web application firewall

  • Web filter in flow-based inspection

  • Application control

Question 39 of 64

Refer to the exhibit showing a FortiGuard connection debug output.
Based on the output, which two facts does the administrator know about the FortiGuard connection? (Choose two.)

Select one or more of the following:

  • There is at least one server that lost packets consecutively.

  • One server was contacted to retrieve the contract information

  • A local FortiManager is one of the servers FortiGate communicates with

  • FortiGate is using default FortiGuard communication settings

Question 40 of 64

What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

Select one or more of the following:

  • FortiGate uses fewer resources

  • FortiGate allocates two sessions per connection

  • FortiGate adds less latency to traffic.

  • FortiGate performs a more exhaustive inspection on traffic

Question 41 of 64

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

Select one or more of the following:

  • It limits the scanning of application traffic to use parent signatures only

  • It limits the scanning of application traffic to the DNS protocol only

  • It limits the scanning of application traffic to the browser-based technology category only.

  • It limits the scanning of application traffic to the application category only

Question 42 of 64

What are two scanning techniques supported by FortiGate? (Choose two.)

Select one or more of the following:

  • Trojan scan

  • Ransomware scan

  • Antivirus scan

  • Machine learning scan

Question 43 of 64

An employee needs to connect to the office through a high-latency internet connection.
Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

Select one of the following:

  • login-timeout

  • udp-idle-timer

  • session-ttl

  • idle-timeout

Question 44 of 64

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

Select one or more of the following:

  • The server name indication (SNI) extension in the client hello message

  • The host field in the HTTP header

  • The serial number in the server certificate

  • The subject field in the server certificate

  • The subject alternative name (SAN) field in the server certificate

Question 45 of 64

Refer to the exhibits.
Exhibit A shows a network diagram. Exhibit B shows the central SNAT policy and IP pool configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP 10.0.1.254/24.
A firewall policy is configured to allow all destinations from LAN (port3) to WAN (port1).
Central NAT is enabled, so NAT settings from matching central SNAT policies will be applied.
Which IP address will be used to source NAT (SNAT) the traffic, if the user on LocalClient (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

Select one of the following:

  • 10.200.1.1

  • 10.200.1.149

  • 10.200.1.99

  • 10.200.1.49

Question 46 of 64

Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?

Select one or more of the following:

  • On HQ-FortiGate, enable Diffie-Hellman Group 2.

  • On Remote-FortiGate, set Seconds to 43200.

  • On HQ-FortiGate, set Encryption to AES256.

  • On HQ-FortiGate, enable Auto-negotiate.

Question 47 of 64

Which two statements describe how the RPF check is used? (Choose two.)

Select one or more of the following:

  • The RPF check is run on the first sent and reply packet of any new session.

  • The RPF check is run on the first reply packet of any new session.

  • The RPF check is run on the first sent packet of any new session

  • The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks

Question 48 of 64

An administrator needs to increase network bandwidth and provide redundancy.
Which interface type must the administrator select to bind multiple FortiGate interfaces?

Select one or more of the following:

  • VLAN interface

  • Software switch interface

  • Aggregate interface

  • Redundant interface

Question 49 of 64

Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)

Select one or more of the following:

  • On HQ-FortiGate, set IKE mode to Main (ID protection).

  • On both FortiGate devices, set Dead Peer Detection to On Demand.

  • On HQ-FortiGate, disable Diffie-Hellman group 2.

  • On Remote-FortiGate, set port2 as Interface.

Question 50 of 64

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

Select one or more of the following:

  • Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel

  • Enable Dead Peer Detection

  • Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels

  • Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Question 51 of 64

Which inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

Select one or more of the following:

  • Flow-based inspection

  • Full content inspection

  • Proxy-based inspection

  • Certificate inspection

Question 52 of 64

Refer to the exhibit.
Why did FortiGate drop the packet?

Select one or more of the following:

  • It failed the RPF check

  • It matched the default implicit firewall policy.

  • The next-hop IP address is unreachable

  • It matched an explicitly configured firewall policy with the action DENY

Question 53 of 64

Refer to the exhibit.
Why did FortiGate drop the packet?

Select one or more of the following:

  • The next-hop IP address is unreachable

  • It matched an explicitly configured firewall policy with the action DENY

  • It failed the RPF check

  • It matched the default implicit firewall policy

Question 54 of 64

Which statement about video filtering on FortiGate is true?

Select one or more of the following:

  • Video filtering FortiGuard categories are based on web filter FortiGuard categories.

  • It is available only on a proxy-based firewall policy

  • Full SSL inspection is not required

  • It does not require a separate FortiGuard license.

Question 55 of 64

An administrator configures outgoing interface any in a firewall policy.
What is the result of the policy list view?

Select one or more of the following:

  • Search option is disabled

  • By Sequence view is disabled

  • Policy lookup is disabled

  • Interface Pair view is disabled.

Question 56 of 64

What are two characteristics of FortiGate HA cluster virtual IP addresses? (Choose two.)

Select one or more of the following:

  • Virtual IP addresses are used to distinguish between cluster members

  • A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

  • Heartbeat interfaces have virtual IP addresses that are manually assigned

  • The primary device in the cluster is always assigned IP address 169.254.0.1

Question 57 of 64

Refer to the exhibits.
The exhibits show a network diagram and firewall configurations.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.
Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.
In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

Select one or more of the following:

  • Enable match-vip in the Deny policy

  • Set the Destination address as Deny_IP in the Allow_access policy

  • Disable match-vip in the Deny policy

  • Set the Destination address as Webserver in the Deny policy.

Question 58 of 64

Refer to the exhibits.
The exhibits show a network diagram and firewall configurations.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.
Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.
In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

Select one or more of the following:

  • Set the destination address as DENY_IP in the Allow_access policy

  • Set the Destination address as Webserver in the Deny policy

  • Enable match-vip in the Deny policy

  • Disable match-vip in the Deny policy.

Question 59 of 64

What are two features of the NGFW policy-based mode? (Choose two.)

Select one or more of the following:

  • NGFW policy-based mode can only be applied globally and not on individual VDOMs

  • NGFW policy-based mode does not require the use of central source NAT policy

  • NGFW policy-based mode policies support only flow inspection

  • NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

Question 60 of 64

Refer to the exhibits.
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The administrator disabled the WebServer firewall policy.
Which IP address will be used to source NAT the traffic, if a user with address 10.0.1.10 connects over SSH to the host with address 10.200.3.1?

Select one or more of the following:

  • 10.0.1.254

  • 10.200.3.1

  • 10.200.1.10

  • 10.200.1.1

Question 61 of 64

Refer to the exhibits.
Exhibit A shows the application sensor configuration. Exhibit B shows the Excessive Bandwidth and Apple filter details.
Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?

Select one of the following:

  • Apple FaceTime will be allowed, based on the Categories configuration.

  • Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter
    configuration.

  • Apple FaceTime will be allowed, based on the Apple filter configuration.

  • Apple FaceTime will be allowed only if the Apple filter in Application and Filter
    Overrides is set to Allow.

Question 62 of 64

Which statement is correct regarding the security fabric?

Select one of the following:

  • A minimum of two Fortinet devices is required.

  • FortiGate devices must be operating in NAT mode

  • FortiGate Cloud cannot be used for logging purposes.

  • FortiManager is one of the required member devices

Question 63 of 64

Refer to the exhibit.
In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output shown in the exhibit.

Select one of the following:

  • Run a sniffer on the web server

  • Execute a debug flow

  • Capture the traffic using an external sniffer connected to port1.

  • Execute another sniffer on FortiGate, this time with the filter "host 10.0.1.10".

Question 64 of 64

Refer to the exhibits.
The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.
Which policy will be highlighted, based on the input criteria?

Select one of the following:

  • Policy with ID 5.

  • Policy with ID 4.

  • Policies with ID 2 and 3.

  • Policy with ID 1.
