Professional Documents
Culture Documents
Select one:
It searches the matching policy based on input criteria.
It finds duplicate objects in firewall policies.
It creates a new firewall policy based on input criteria.
It creates packet flow over FortiGate by sending real-time traffic.
Select one:
You must configure SNAT for each firewall policy.
SNAT can automatically apply to multiple firewall policies, based on SNAT policies.
DNAT is not supported.
DNAT can automatically apply to multiple firewall policies, based on DNAT rules.
Which of the following can be selected in the firewall policy Destination field?
Select one:
A VIP object
An IP pool
The mapped IP address object of the VIP object
A VIP grouP
Examine this partial output from the diagnose sys session list CLI command:
Select one:
proto_state=05 is the TCP state.
Select one:
Which two behaviors result from this full (deep) SSL configuration? (Choose two.)
The browser bypasses all certificate warnings and allows the connection.
A temporary untrusted FortiGate certificate replaces the server certificate when the
server certificate is untrusted.
A temporary trusted FortiGate certificate replaces the server certificate, even when the
server certificate is untrusted.
A temporary trusted FortiGate certificate replaces the server certificate when the server
certificate is trusted.
Which two statements about blocking known Botnet Command and Control
domains are true? (Choose two.)
The Botnet Command and Control domains can be enabled in the Web Filter profile.
You must manually download the Botnet Command and Control database and import
it into FortiGate.
This service requires a FortiGuard web filter and IPS license.
DNS lookups are checked against the Botnet Command and Control database.
Which three actions are valid for static URL filtering? (Choose three.)
Which two statements about the log are correct? (Choose two.)
Which two statements about the application control profile mode are true?
(Choose two.)
Which two statements about antivirus scanning in a firewall policy set to proxy-
based inspection mode are true? (Choose two.)
Select one:
Full-content inspection for HTTPS is disabled.
The test file is larger than the oversize limit.
HTTPS protocol is not enabled under Inspected Protocols.
Hardware acceleration is in use.
An administrator wants to monitor their network for any probing attempts aimed
to exploit existing vulnerabilities in their servers.
What must they configure on their FortiGate to accomplish this? (Choose two.)
Examine the exhibit, which shows a firewall policy configured with multiple security
profiles
Which two security profiles will be handled by the IPS engine? (Choose two.)
Web Filter
IPS
Application Control
AntiVirus
An administrator needs to inspect all web traffic (including Internet web traffic)
coming from users connecting to the SSL-VPN.
Select one:
Assigning public IP addresses to SSL-VPN users
Configuring web bookmarks
Disabling split tunneling
Using web-only mode
What interface must be used as the source for the firewall policy that will allow
this traffic?
Select one:
port1
ssl.root
port2
ssl.Corporation
View the exhibit.
Select one:
The settings are invalid. The administrator settings and the SSL-VPN settings cannot
use the same port.
When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page
opens.
When a remote user accesses https://10.200.1.1:443, the FortiGate login page
opens.
When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page
opens.
Which two statements correctly describe the differences between IPsec main
mode and IPsec aggressive mode? (Choose two.)
Select one:
It is an IPsec extension that authenticates remote VPN peers using a preshared key.
It is an IPsec extension that forces remote VPN users to authenticate using their
credentials (user name and password).
It is an IPsec extension that forces remote VPN users to authenticate using their local
ID.
It is an IPsec extension that authenticates remote VPN peers using digital certificates.
Assuming telnet service is enabled for port1, which statement correctly describes
why FGT1 is not responding to the SYN packets?
Select one:
The port1
interface is administratively down.
The connection is dropped because of reverse path forwarding check.
The port1
interface does not have an IP address.
The connection is denied because of forward policy check.
Examine the exhibit showing a routing table.
Select one:
10.30.20.0/24 [10/0] via 172.20.121.2, port1
Which two statements best describe how the FortiGate will perform reverse path
forwarding (RPF) checks on this traffic? (Choose two.)
Which two statements regarding the SD-WAN feature on FortiGate are true?
(Choose two.)
What is required in the FortiGate configuration to route traffic between both subnets
through an inter-VDOM link?
Select one:
A static route in VDOM1 for the destination subnet of 10.0.1.0/24
A static route in VDOM2 with the destination subnet matching the subnet assigned to
the inter-VDOM link
A firewall policy in VDOM1 to allow the traffic from 10.0.1.0/24 to 10.0.2.0/24
with port1 as the source interface and port2
as the destination interface
A static route in VDOM2 for the destination subnet 10.0.1.0/24
Select one:
The software switch interface IP address
The router IP address
The FortiGate management IP address
The port2
IP address
Which two statements about advanced AD access mode for the FSSO collector
agent are true? (Choose two.)
Select one:
It displays status information and some statistics related to the polls done by FortiGate
on each DC.
It refreshes user group information from any servers connected to FortiGate using a
collector agent.
It refreshes all users learned through agentless polling.
It enables agentless polling mode real-time debug.
Which statement best describes the role of a DC agent in an FSSO DC agent mode
solution?
Select one:
It captures the logon events and forwards them to FortiGate.
It captures the logon events and forwards them to the collector agent.
It captures the user IP address and workstation name and forwards them to FortiGate.
It captures the logon and logoff events and forwards them to the collector agent.
Which statement about traffic flow in an active-active HA cluster is true?
Select one:
All FortiGate devices are assigned the same virtual MAC addresses for the HA
heartbeat interfaces to redistribute to the sessions.
The secondary device responds to the primary device with a SYN/ACK, and then the
primary device forwards the SYN/ACK to the client.
The ACK from the client is received on the physical MAC address of the primary device.
The SYN packet from the client always arrives at the primary device first.
Select one:
It is used to enable monitored ports.
Configuring the HA override will reboot the FortiGate device.
It synchronizes device priority on all cluster members.
You must configure override settings manually and separately for each cluster
member.
Select one:
Create a firewall service that matches the HTTP method, and apply it to a proxy policy
with the action DENY.
Apply a web filter profile to a proxy policy that blocks the HTTP method.
Create a DNS filter that matches the HTTP method, and apply it to a proxy policy with
the action DENY.
Create a proxy address that matches the HTTP method, and apply it to a proxy policy
with the action DENY.
Select one:
They are dropped.
They are allowed, but with no inspection.
They are allowed and inspected.
They are allowed and inspected as long as no additional proxy-based inspection is
required.
When does the FortiGate enter into fail-open session mode?
Select one:
When memory usage goes above the red threshold.
When CPU usage goes above the red threshold.
When a proxy (for proxy-based inspection) runs out of connections.
When memory usage goes above the extreme threshold.