Quiz by Lucas Roveda, created more than 1 year ago

NSE 4 (7.2) exam training


NSE 4 (7.2) practice exam

Question 1 of 64

An administrator needs to configure VPN user access for multiple sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.
What must the administrator do to achieve this objective?

Select one of the following:

  • The administrator must register the same FortiToken on more than one FortiGate device

  • The administrator must use the user self-registration server

  • The administrator must use a FortiAuthenticator device

  • The administrator must use a third-party RADIUS OTP server

Question 2 of 64

What is a reason for triggering IPS fail open?

Select one of the following:

  • The IPS socket buffer is full and the IPS engine cannot process additional packets.

  • The IPS engine cannot decode a packet.

  • The administrator enabled NTurbo acceleration

  • The IPS engine is upgraded.

Question 3 of 64

An organization requires remote users to send external application data running on their PCs and access FTP resources through an SSL/TLS connection

Which FortiGate configuration can achieve this goal?

Select one of the following:

  • SSL VPN quick connection

  • SSL VPN bookmark

  • SSL VPN tunnel

  • Zero trust network access

Question 4 of 64

Refer to the exhibit.
The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.
An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.
What are two solutions for satisfying the requirement? (Choose two.)

Select one or more of the following:

  • Set the Freeware and Software Downloads category Action to Warning

  • Configure a web override rating for download.com and select Malicious Websites as the subcategory.

  • Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com as destination address

  • Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively

Question 5 of 64

What are two features of collector agent advanced mode? (Choose two.)

Select one or more of the following:

  • In advanced mode, security profiles can be applied only to user groups, not individual users.

  • Advanced mode uses the Windows convention—NetBios: Domain\Username

  • Advanced mode supports nested or inherited groups

  • In advanced mode, FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate

Question 6 of 64

Refer to the exhibits.
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP address 10.0.1.254/24.
The administrator disabled the WebServer firewall policy.
Which IP address will be used to source NAT the traffic, if a user with address 10.0.1.10 connects over SSH to the host with address 10.200.3.1?

Select one of the following:

  • 10.200.1.10

  • 10.200.3.1

  • 10.200.1.1

  • 10.0.1.254

Question 7 of 64

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?

Select one of the following:

  • The full SSL inspection feature does not have a valid license.

  • The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions

  • The matching firewall policy is set to proxy inspection mode

  • The browser does not trust the certificate used by FortiGate for SSL inspection

Question 8 of 64

Which three methods are used by the collector agent for AD polling? (Choose three.)

Select one or more of the following:

  • NetAPI

  • FortiGate polling

  • FSSO REST API

  • WMI

  • WinSecLog

Question 9 of 64

Refer to the exhibit
Based on the administrator profile settings, what permissions must the administrator set to run the diagnose firewall auth list CLI command on FortiGate?

Select one of the following:

  • CLI diagnostics commands permission

  • Custom permission for Network

  • Read/Write permission for Firewall

  • Read/Write permission for Log & Report

Question 10 of 64

Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)

Select one or more of the following:

  • Pre-shared key and certificate signature as authentication methods

  • No certificate is required on the remote peer when you set the certificate signature as the authentication method

  • Extended authentication (XAuth) to request the remote peer to provide a username and password

  • Extended authentication (XAuth) for faster authentication because fewer packets are exchanged

Question 11 of 64

What is the primary FortiGate election process when the HA override setting is disabled?

Select one of the following:

  • Connected monitored ports > HA uptime > Priority > FortiGate serial number

  • Connected monitored ports > System uptime > Priority > FortiGate serial number

  • Connected monitored ports > Priority > System uptime > FortiGate serial number

  • Connected monitored ports > Priority > HA uptime > FortiGate serial number

Question 12 of 64

Refer to the exhibit, which contains a static route configuration
An administrator created a static route for Amazon Web Services.
Which CLI command must the administrator use to view the route?

Select one of the following:

  • get internet-service route list

  • diagnose firewall proute list

  • get router info routing-table all

  • get router info routing-table database

Question 13 of 64

Refer to the exhibit
The Root and To_Internet VDOMs are configured in NAT mode. The DMZ and Local
VDOMs are configured in transparent mode
The Root VDOM is the management VDOM. The To_Internet VDOM allows LAN users
to access the internet. The To_Internet VDOM is the only VDOM with internet access
and is directly connected to the ISP modem
What can you conclude about this configuration?

Select one of the following:

  • A default static route is not required on the To_Internet VDOM to allow LAN users to access the internet.

  • Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs

  • Inter-VDOM links are not required between the Root and To_Internet VDOMs
    because the Root VDOM is used only as a management VDOM

  • Inter-VDOM links are required to allow traffic between the Local and Root VDOMs

Question 14 of 64

How can you disable RPF checking?

Select one of the following:

  • Unset fail-alert-interfaces on the interface level settings

  • Disable strict-src-check under system settings

  • Disable fail-detect on the interface level settings

  • Disable src-check on the interface level settings

Question 15 of 64

You have enabled logging on a FortiGate device for event logs and all security logs, and you have set up logging to use the FortiGate local disk
What is the default behavior when the local disk is full?

Select one of the following:

  • No new log is recorded after the warning is issued when log disk use reaches the threshold of 95%

  • No new log is recorded until you manually clear logs from the local disk

  • Logs are overwritten and the only warning is issued when log disk use reaches the threshold of 95%

  • Logs are overwritten and the first warning is issued when log disk use reaches the threshold of 75%

Question 16 of 64

Which timeout setting can be responsible for deleting SSL VPN associated sessions?

Select one of the following:

  • SSLVPN login-timeout

  • SSLVPN idle-timeout

  • SSLVPN dtls-hello-timeout

  • SSLVPN http-request-body-timeout

Question 17 of 64

An administrator wants to simplify remote access without asking users to provide user credentials
Which access control method provides this solution?

Select one of the following:

  • L2TP

  • ZTNA access proxy

  • SSL VPN

  • ZTNA IP/MAC filtering mode

Question 18 of 64

Refer to the exhibits.
The exhibits show a firewall policy (Exhibit A) and an antivirus profile (Exhibit B).
Why is the user unable to receive a block replacement message when downloading an infected file for the first time?

Select one of the following:

  • The volume of traffic being inspected is too high for this model of FortiGate

  • Flow-based inspection is used, which resets the last packet to the user

  • The firewall policy performs a full content inspection on the file

  • The intrusion prevention security profile must be enabled when using flow-based
    inspection mode.

Question 19 of 64

Refer to the exhibits
The exhibits contain a network interface configuration, firewall policies, and a CLI console configuration.
How will the FortiGate device handle user authentication for traffic that arrives on the LAN interface?

Select one of the following:

  • If there is a fall-through policy in place, users will not be prompted for authentication.

  • All users will be prompted for authentication; users from the HR group can
    authenticate successfully with the correct credentials

  • Authentication is enforced only at a policy level, all users will be prompted for
    authentication.

  • All users will be prompted for authentication; users from the sales group can
    authenticate successfully with the correct credentials.

Question 20 of 64

Which two settings can be separately configured per VDOM on a FortiGate device? (Choose two.)

Select one or more of the following:

  • NGFW mode

  • Operating mode

  • System time

  • FortiGuard update servers

Question 21 of 64

Which three CLI commands can you use to troubleshoot Layer 3 issues, if the issue is in neither the physical layer nor the link layer? (Choose three)

Select one or more of the following:

  • diagnose sys top

  • get system arp

  • execute traceroute

  • execute ping

  • diagnose sniffer packet any

Question 22 of 64

Refer to the exhibits
An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).
What must the administrator do to synchronize the address object?

Select one of the following:

  • Change the csf setting on ISFW (downstream) to set configuration-sync local

  • Change the csf setting on ISFW (downstream) to set authorization-request-type certificate

  • Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

  • Change the csf setting on both devices to set downstream-access enable.

Question 23 of 64

Refer to the exhibit
The exhibit shows a diagram of a FortiGate device connected to the network and the
firewall policy and IP pool configuration on the FortiGate device
Which two actions does FortiGate take on internet traffic sourced from the subscribers? (Choose two.)

Select one or more of the following:

  • FortiGate allocates 128 port blocks per user

  • FortiGate allocates port blocks on a first-come, first-served basis

  • FortiGate generates a system event log for every port block allocation made per user.

  • FortiGate allocates port blocks per user, based on the configured range of internal IP addresses

Question 24 of 64

Refer to the exhibit
The exhibit shows a diagram of a FortiGate device connected to the network and the
firewall policy and IP pool configuration on the FortiGate device
Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.
Based on the information shown in the exhibit, which three configuration changes should the administrator make to fix the connectivity issue for PC3? (Choose three.)

Select one or more of the following:

  • Configure another firewall policy that matches only the address of PC3 as source, and then place the policy on top of the list

  • In the firewall policy disable ippool.

  • In the IP pool configuration, set type to overload

  • Configure 192.2.0.12/24 as the secondary IP address on port1.

  • In the IP pool configuration, set endip to 192.2.0.12

Question 25 of 64

Which statement about the deployment of the Security Fabric in a multi-VDOM environment is true?

Select one of the following:

  • Each VDOM in the environment can be part of a different Security Fabric.

  • Security rating reports can be run individually for each configured VDOM

  • Downstream devices can connect to the upstream device from any of their VDOMs

  • VDOMs without ports with connected devices are not displayed in the topology.

Question 26 of 64

FortiGate is integrated with FortiAnalyzer and FortiManager
When a firewall policy is created, which attribute is added to the policy to improve functionality and to support recording logs to FortiAnalyzer or FortiManager?

Select one of the following:

  • Sequence ID

  • Universally Unique Identifier

  • Policy ID

  • Log ID

Question 27 of 64

Refer to the exhibit
Based on the raw log, what can you
conclude from the output? (Choose two.)

Select one or more of the following:

  • Traffic belongs to the root VDOM

  • Traffic is blocked because Action is set to DENY in the firewall policy.

  • Log severity is set to error on FortiGate

  • This is a security log.

Question 28 of 64

What are two functions of the ZTNA rule? (Choose two.)

Select one or more of the following:

  • It applies security profiles to protect traffic

  • It redirects the client request to the access proxy.

  • It enforces access control

  • It defines the access proxy.

Question 29 of 64

Refer to the exhibit
Review the intrusion prevention system (IPS) profile signature settings shown in the exhibit
What do you conclude when adding the FTP.Login.Failed signature to the IPS sensor profile?

Select one of the following:

  • The signature setting includes a group of other signatures

  • Traffic matching the signature will be allowed and logged

  • The signature setting uses a custom rating threshold.

  • Traffic matching the signature will be silently dropped and logged.

Question 30 of 64

Refer to the exhibit to view the firewall policy
Why would the firewall policy not block a well-known virus, for example eicar?

Select one of the following:

  • The action on the firewall policy is not set to deny

  • The firewall policy is not configured in proxy-based inspection mode

  • Web filter is not enabled on the firewall policy to complement the antivirus profile.

  • The firewall policy does not apply deep content inspection

Question 31 of 64

Refer to the exhibits
Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.
Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

Select one or more of the following:

  • For non-load balanced connections, packets forwarded by cluster to the server contain the virtual MAC address of port2 as source

  • The cluster can load balance ICMP connections to the secondary

  • The traffic sourced from the client and destined to the server is sent to FGT-1.

  • For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Question 32 of 64

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.
What is true about the DNS connection to a FortiGuard server?

Select one or more of the following:

  • It uses UDP 53

  • It uses UDP 8888

  • It uses DNS over HTTPS

  • It uses DNS over TLS

Question 33 of 64

If Internet Service is already selected as Destination in a firewall policy, which other configuration object can be selected for the Destination field of a firewall policy?

Select one or more of the following:

  • FQDN address

  • IP address

  • User or User Group

  • No other object can be added

Question 34 of 64

Which statement correctly describes NetAPI polling mode for the FSSO collector agent?

Select one or more of the following:

  • The collector agent must search Windows application event logs.

  • NetAPI polling can increase bandwidth usage in large networks.

  • The NetSessionEnum function is used to track user logouts

  • The collector agent uses a Windows API to query DCs for user logins.

Question 35 of 64

An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.
What is true about the DNS connection to a FortiGuard server?

Select one or more of the following:

  • It uses DNS over TLS

  • It uses UDP 8888

  • It uses DNS over HTTPS

  • It uses UDP 53

Question 36 of 64

What is the effect of enabling auto-negotiate on the phase 2 configuration of an IPsec tunnel?

Select one or more of the following:

  • FortiGate automatically negotiates a new security association after the existing security association expires

  • FortiGate automatically negotiates different local and remote addresses with the remote peer

  • FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel

  • FortiGate automatically negotiates different encryption and authentication algorithms with the remote peer.

Question 37 of 64

The HTTP inspection process in web filtering follows a specific order when multiple features are enabled in the web filter profile
Which order must FortiGate use when the web filter profile has features such as safe search enabled?

Select one or more of the following:

  • FortiGuard category filter and rating filter

  • DNS-based web filter and proxy-based web filter

  • Static domain filter, SSL inspection filter, and external connectors filters

  • Static URL filter, FortiGuard category filter, and advanced filters

Question 38 of 64

The IPS engine is used by which three security features? (Choose three.)

Select one or more of the following:

  • Application control

  • Antivirus in flow-based inspection

  • Web filter in flow-based inspection

  • DNS filter

  • Web application firewall

Question 39 of 64

Refer to the exhibit showing a FortiGuard connection debug output
Based on the output, which two facts does the administrator know about the FortiGuard
connection? (Choose two.)

Select one or more of the following:

  • There is at least one server that lost packets consecutively.

  • A local FortiManager is one of the servers FortiGate communicates with

  • FortiGate is using default FortiGuard communication settings

  • One server was contacted to retrieve the contract information

Question 40 of 64

What are two benefits of flow-based inspection compared to proxy-based inspection? (Choose two.)

Select one or more of the following:

  • FortiGate adds less latency to traffic.

  • FortiGate uses fewer resources

  • FortiGate allocates two sessions per connection

  • FortiGate performs a more exhaustive inspection on traffic

Question 41 of 64

What is the limitation of using a URL list and application control on the same firewall policy, in NGFW policy-based mode?

Select one or more of the following:

  • It limits the scanning of application traffic to the browser-based technology category only.

  • It limits the scanning of application traffic to use parent signatures only

  • It limits the scanning of application traffic to the application category only

  • It limits the scanning of application traffic to the DNS protocol only

Question 42 of 64

What are two scanning techniques supported by FortiGate? (Choose two.)

Select one or more of the following:

  • Trojan scan

  • Ransomware scan

  • Machine learning scan

  • Antivirus scan

Question 43 of 64

An employee needs to connect to the office through a high-latency internet connection
Which SSL VPN setting should the administrator adjust to prevent SSL VPN negotiation failure?

Select one of the following:

  • udp-idle-timer

  • session-ttl

  • idle-timeout

  • login-timeout

Question 44 of 64

Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

Select one or more of the following:

  • The server name indication (SNI) extension in the client hello message

  • The host field in the HTTP header

  • The serial number in the server certificate

  • The subject alternative name (SAN) field in the server certificate

  • The subject field in the server certificate

Question 45 of 64

Refer to the exhibits
Exhibit A shows a network diagram. Exhibit B shows the central SNAT policy and IP pool
configuration
The WAN (port1) interface has the IP address 10.200.1.1/24.
The LAN (port3) interface has the IP 10.0.1.254/24.
A firewall policy is configured to allow all destinations from LAN (port3) to WAN (port1)
Central NAT is enabled, so NAT settings from matching central SNAT policies will be
applied.
Which IP address will be used to source NAT (SNAT) the traffic, if the user on LocalClient (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?

Select one of the following:

  • 10.200.1.49

  • 10.200.1.1

  • 10.200.1.149

  • 10.200.1.99

Question 46 of 64

Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, which configuration change will bring phase 2 up?

Select one or more of the following:

  • On HQ-FortiGate, enable Auto-negotiate.

  • On Remote-FortiGate, set Seconds to 43200.

  • On HQ-FortiGate, set Encryption to AES256.

  • On HQ-FortiGate, enable Diffie-Hellman Group 2.

Question 47 of 64

Which two statements describe how the RPF check is used? (Choose two.)

Select one or more of the following:

  • The RPF check is run on the first reply packet of any new session.

  • The RPF check is run on the first sent and reply packet of any new session.

  • The RPF check is run on the first sent packet of any new session

  • The RPF check is a mechanism that protects FortiGate and the network from IP spoofing attacks

Question 48 of 64

An administrator needs to increase network bandwidth and provide redundancy.
Which interface type must the administrator select to bind multiple FortiGate interfaces?

Select one or more of the following:

  • VLAN interface

  • Redundant interface

  • Software switch interface

  • Aggregate interface

Question 49 of 64

Refer to the exhibit.
A network administrator is troubleshooting an IPsec tunnel between two FortiGate
devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make
sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two
configuration changes can the administrator make to bring phase 1 up? (Choose two.)

Select one or more of the following:

  • On HQ-FortiGate, disable Diffie-Hellman group 2.

  • On HQ-FortiGate, set IKE mode to Main (ID protection).

  • On Remote-FortiGate, set port2 as Interface.

  • On both FortiGate devices, set Dead Peer Detection to On Demand.

Question 50 of 64

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

Select one or more of the following:

  • Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel

  • Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

  • Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels

  • Enable Dead Peer Detection

Question 51 of 64

Which inspection mode does FortiGate use if it is configured as a policy-based next-generation firewall (NGFW)?

Select one or more of the following:

  • Flow-based inspection

  • Certificate inspection

  • Proxy-based inspection

  • Full content inspection

Question 52 of 64

Refer to the exhibit
Why did FortiGate drop the packet?

Select one or more of the following:

  • It matched an explicitly configured firewall policy with the action DENY

  • The next-hop IP address is unreachable

  • It failed the RPF check

  • It matched the default implicit firewall policy.

Question 53 of 64

Refer to the exhibit
Why did FortiGate drop the packet?

Select one or more of the following:

  • It failed the RPF check

  • The next-hop IP address is unreachable

  • It matched the default implicit firewall policy

  • It matched an explicitly configured firewall policy with the action DENY

Question 54 of 64

Which statement about video filtering on FortiGate is true?

Select one or more of the following:

  • It is available only on a proxy-based firewall policy

  • Video filtering FortiGuard categories are based on web filter FortiGuard categories.

  • Full SSL inspection is not required

  • It does not require a separate FortiGuard license.

Question 55 of 64

An administrator configures outgoing interface any in a firewall policy
What is the result of the policy list view?

Select one or more of the following:

  • Interface Pair view is disabled.

  • Search option is disabled

  • By Sequence view is disabled

  • Policy lookup is disabled

Question 56 of 64

What are two characteristics of FortiGate HA cluster virtual IP addresses? (Choose two.)

Select one or more of the following:

  • Virtual IP addresses are used to distinguish between cluster members

  • The primary device in the cluster is always assigned IP address 169.254.0.1

  • Heartbeat interfaces have virtual IP addresses that are manually assigned

  • A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

Question 57 of 64

Refer to the exhibits
The exhibits show a network diagram and firewall configurations
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.
Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.
In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

Select one or more of the following:

  • Enable match-vip in the Deny policy

  • Disable match-vip in the Deny policy

  • Set the Destination address as Deny_IP in the Allow_access policy

  • Set the Destination address as Webserver in the Deny policy.

Question 58 of 64

Refer to the exhibits.
The exhibits show a network diagram and firewall configurations.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.
Remote-User1 must be able to access the Webserver. Remote-User2 must not be able to access the Webserver.
In this scenario, which two changes can the administrator make to deny Webserver access for Remote-User2? (Choose two.)

Select one or more of the following:

  • Set the destination address as DENY_IP in the Allow_access policy

  • Disable match-vip in the Deny policy.

  • Set the Destination address as Webserver in the Deny policy

  • Enable match-vip in the Deny policy

Question 59 of 64

What are two features of the NGFW policy-based mode? (Choose two)

Select one or more of the following:

  • NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy

  • NGFW policy-based mode policies support only flow inspection

  • NGFW policy-based mode can only be applied globally and not on individual VDOMs

  • NGFW policy-based mode does not require the use of central source NAT policy

Question 60 of 64

Refer to the exhibits
Exhibit A shows a network diagram. Exhibit B shows the firewall policy configuration and a VIP object configuration.
The WAN (port1) interface has the IP address 10.200.1.1/24
The LAN (port3) interface has the IP address 10.0.1.254/24
The administrator disabled the WebServer firewall policy.
Which IP address will be used to source NAT the traffic, if a user with address 10.0.1.10 connects over SSH to the host with address 10.200.3.1?

Select one or more of the following:

  • 10.200.1.10

  • 10.0.1.254

  • 10.200.3.1

  • 10.200.1.1

Question 61 of 64

Refer to the exhibits
Exhibit A shows the application sensor configuration. Exhibit B shows the Excessive Bandwidth and Apple filter details
Based on the configuration, what will happen to Apple FaceTime if there are only a few
calls originating or incoming?

Select one of the following:

  • Apple FaceTime will be allowed, based on the Apple filter configuration.

  • Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter
    configuration.

  • Apple FaceTime will be allowed, based on the Categories configuration.

  • Apple FaceTime will be allowed only if the Apple filter in Application and Filter
    Overrides is set to Allow.

Question 62 of 64

Which statement is correct regarding the security fabric?

Select one of the following:

  • FortiGate devices must be operating in NAT mode

  • FortiManager is one of the required member devices

  • A minimum of two Fortinet devices is required.

  • FortiGate Cloud cannot be used for logging purposes.

Question 63 of 64

Refer to the exhibit
In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output shown in the exhibit.

Select one of the following:

  • Capture the traffic using an external sniffer connected to port1.

  • Execute a debug flow

  • Run a sniffer on the web server

  • Execute another sniffer on FortiGate, this time with the filter "host 10.0.1.10" .

Question 64 of 64

Refer to the exhibits.
The exhibits show the firewall policies and the objects used in the firewall policies.
The administrator is using the Policy Lookup feature and has entered the search criteria shown in the exhibit.
Which policy will be highlighted, based on the input criteria?

Select one of the following:

  • Policy with ID 5.

  • Policy with ID 4.

  • Policies with ID 2 and 3.

  • Policy with ID 1.
