210212024, 20:32 FortiGate Securly and FortiGate Inkasvucture 7.2 Sample Questions: Allemot review € FoP- FortiGate Security and FortiGate Infrastructure 7.2 Sample Questions Started on Monday, February 26,2024, 11:53 PM State Finshed Completed on Tuesday, February 27, 2024, 1231 AM Time taken 37 mins 50 secs Points 27/35 Grade 77 out of 100 ouesen 1 Which two statements correctly describe the eifferences between Psec main mode and IPsec aggressive mode? (Choose two) Select one of more: Main mode cannot be used for dialup VPNs, while agoressive mode can. Aggressive mode supports XAuth, while main mode does not The fst packet of agaressive mode contains the peer ID, wile the frst packet of main mode does not. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode. ¥™ aun ‘amine this FortiGate configuration: config systen global set av-failopen paas ena config ips giobal set fail-open disable end Examine the output ofthe following debug command + cingnose hardware eysingo conserve serve mode: on memory total RAM: 3040 MB nenory sad: 2706 MB 898 of total RAM renory freeable: 334 MB 11% of total RAM memory used + fre memory used threshold red: 2675 MB a8 of total RAM nenory used thrashold green: 2492 MB 828 of total RAM able thres old extrene: 2887 NB 95% of total RAM {Based on the diagnostic outputs above, how is FortiGate handling new packets that require PS inspection? Select one They are allowed, but with no inspection They are dropped ¥ They are allowed and inspected, They are allowed and inspected, as long as no additonal proxy-based inspection is required. ntipsutrainng frinet.commodiquizreview-php?attempt= 18908951 &cmid=298084 ana210212026, 20:32 FortiGate Securly and FortiGate Inkasvucture 7.2 Sample Questions: Alemot review austen 3 points outof Which two statements about antivirus scanning ina firewall policy set to proxy-based inspection mode, are true? (Choose two) Select one or more: Afile does not need to be buffered completely befor it's moved to the antivirus engine for scanning, % Ia virus is detected, a block replacement message is cisplayed immediately FortiGate sends a reset packet to the client if antivies reports the fle as infected. % The client must wait for the antivirus scan to finish scanning before it receives the file 1 points oto View the exhibit Came: [te ca leas Sstinpecien Opn pein Siobhan ESRI chetete & Foret CASS. onto Bcadeartete © tou BIH viewincedcormets nian steerees DE 20 ree View necAstat Senercrttenescieck OEE ser osle \Which two behaviors result from ths full (deep) SSL configuration? (Choose two) Select one of more: temporary tusted FortiGate certificate replaces the serve ceticate, even when the server certificate is untrusted [temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted. ¥ ‘The browser bypasses all certificate warnings and allows the connection. [temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted. ¥ \Which additional load balancing method is supported in equal cost multipath (ECMP) load balancing when SO-WAN is enabled? Select one Volume based Source P based ® Source-destination P based Weight based ntipsutrainng frinet.commodiquizreview-php?attempt= 18908951 &cmid=298084 24210212026, 20:32 FortiGate Securly and FortiGate Inkasvucture 7.2 Sample Questions: Alemot review 1 points out Which three methods can you use to deliver the token code ta a user whois configured to use two-factor authentication? (Choose three) Select one or more: SMS text message¥ Email Voicemail message FortToken Instant message app oe Which are two benefts of using SD-WAN? (Choose two) Select one or more: Firewall policies are not required FortiGate performs per-packet distribution across multiple SO-WAN members, Application steering is avalable ¥ WAN is used effectively ¥ points out of Which swo IP pool types enable you to identity user connections without having to log user trafic? (Choose two) Select one or more: One-to-one ® Port blockallocation¥ Overload Fixed port range tipstraining fortnet commadquizreview-php?attempt=18308951 &cmid=298084 ana210212026, 20:32 FortiGate Securly and FortiGate Inkasvucture 7.2 Sample Questions: Alemot review 1 points out {An administrator configured the antivirus profile ina frewall policy set to flow-based inspection mode, While testing the configuration the administrator noticed that eicar.com test files ean be downloaded using HTTPS protocol ony. What is causing this issue? Select one: The test files larger than the oversize limit. HIPS protacol isnot enabled under Inspected Protocols. Full SSL inspection is cisabled ¥ Hareware acceleration sin use, cuvon 10, 1 pein out Which statement about frewall policy NAT is true? Select one SNAT can automatically apply to multiple firewall polices, based on SNAT policies. DNAT isnot supported, DNAT can automaticaly apply to multinle firewall policies, based on DNAT rules. ‘You must configure SNAT for each firewall policy ¥ auesion 11 1 points oto Which two configuration settings are global settings? (Choose two.) Select one or more: FortiGuard settings Firewall policies HA settings User & Device settings cussion 12 1 points oto Which two statements about FortiGate antivirus databases are tue? (Choose two) Select one of more: The extended database is available only if Al scanning is enabled The extended database is available on all FortiGate models. ¥ Te quick scan database i pat ofthe normal database. The extreme database is available only on certain FortiGate models. ¥ tipstraining fortnet commadquizreview-php?attempt=18308951 &cmid=298084210212026, 20:32 FortiGate Securly and FortiGate Inkasvucture 7.2 Sample Questions: Alemot review 1 pein out Which statement about traffic flow in an active-active HA clusteris true? Select one All FortiGate devices are assigned the same virtual MAC addresses for the HA heartbeat interfaces to redistribute to the sesions. The secondary device responds tothe primary device with a SYN/ACK, and then the primary device forwards the SYN/ACK to the client The SYN packet from the client always arrives atthe primary device fist The ACK from the cients received on the physical MAC adress ofthe primary device 14 1 points oto View the exhibit Both VOOM are operating in NAT/route mode. The subnet 10.0.2.0/24 is connected to VDOMI. The subnet 10.0.2.2/24 is connected to DOM, The is an inter-VDOM link between VDOM1 and VDOM2. Also, necessary firewall policies are configured in VOOM! and VDOM2, Ba QS “> fy] v “t ee | 2 | fro a a |" ” Say = S ae mane sone \Whic so static routes are required in the FortiGate configuration, to route traffic between bath subnets through an inter-VDOM link? (Choose wo) Select one or more: {static route in VDOM forthe destination subnet 2°.9.2.0/28 | static route in VDOMI with the destination subnet matching the subnet assigned to the inter-VDOM link A static route in VDOM2 for the destination subnet 10.0.1.0/20 [A static route in VDOM2 with the destination subnet matching the subnet assigned! to the inter-VDOM ink tipstraining fortnet commadquizreview-php?attempt=18308951 &cmid=298084 sn4210212026, 20:32 FortiGate Securly and FortiGate Inkasvucture 7.2 Sample Questions: Alemot review points outof Which statement best describes the role of a DC agent in an FSS0 DC agent mode solution? Select one Itcaptures the user IP address and workstation name and forwards them to FortiGate Icaptures the login events and forwards them tothe collector agent Itcaptures the login events and forwards them to FortiGate Itcaptures the login and logoff events and forwards them to the collector agent. % 6 1 points oto Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.) Select one or more: Only the any interface can be chosen a an incoming interface "Multiple interfaces can be selected as incoming and outgoing interfaces. ¥| Azone can be chosen as the outgoing interface. ¥ {an incoming interface is mandatory in firewall poy, but an outgoing interface i optional. cussion 17 View the exhibit [Aclient workstation is connected to FortiGate port2 FortiGate port is connected to an ISP router Port2 and port3 are bath configured as a software switch, Which IP address must be configured on the workstation asthe default gateway? Select one The FortiGate management IP address The port2 IP address The router IP address The softwate switch interface IP address tipstraining fortnet commadquizreview-php?attempt=18308951 &cmid=298084 ena210212026, 20:32 FortiGate Securly and FortiGate Inkasvucture 7.2 Sample Questions: Alemot review 18 points outof ‘An administrator wants to monitor their network fr any probing attempts aimed to exploit existing vulnerabilities in ther servers \Which twa items must they configure on their FortiGate to accomplish this? (Choose two) Select one or more: [AOS policy, and log all UDP and TCP scan attempts ‘Aweb application frewall profile to check protocol constraints % [An IPS sensor to monitor all signatures applicable to the server {An application control profle, and set all application signatures to monitor cunson 19 Examine the exhibit, which shows a firewall policy configured with mutiple security profiles. ‘Action EMG 2 env Inspection Mode _Flow-based FirewallNetwork Options NAT © | Poot Configuration Cris: Use Dynamic IP Pool PreserveSource Port CD Protocol Options [ESD faut oar Security Profiles ‘otivieus © Dib eefauit ys Web Fiter © Wbectaut -e VideoFiter = © HE raining 70 ONS Fier © Lb cctauit 24 ‘pplication Control €© GM default 74 ips © Tb ectaut 74 File Filter © Becta ard SSL Inspection certificate-inspection + ‘Which twa security profes are handled by the IPS engine? (Choose wo) Select one or more: Web Fiter Application Control¥ Ipsv AntiVirus ntipsutrainng frinet.commodiquizreview-php?attempt= 18908951 &cmid=298084 74210212026, 20:32 FortiGate Securly and FortiGate Inkasvucture 7.2 Sample Questions: Alemot review cuesien 20 comet 1 points out View the exhibit ‘A ser at 192.168.3215 is trying to access the web server at 172.1632254 nema messi Sg (72 16321 Ay, min Th - sor Noh Gateral Eye's WZ - OOP NDA external type ? ‘Which two statements best describe how the FortiGate will perform reverse path forwarding (RPF) checks on this traffic? (Choose two) Select one or mare: Strict RPE check will alow the traffic. ¥ Strict RPE check will deny the traffic Loose RPF check wll deny the traf Loose RPF check wl allow the traffic ¥ coesien 21 1 pein out Which three actions are valid for statie URL tering? (Choose three) Select one or more: Exempt Block Allow Waming Shope ntipsutrainng frinet.commodiquizreview-php?attempt= 18908951 &cmid=298084 ana210212026, 20:32 FortiGate Securly and FortiGate Inkasvucture 7.2 Sample Questions: Alemot review cueson 22 comet 1 eins out View the exhibit. 020.0.0/0 {10/0} via 172.20.221.2, port, (1/0) 30-30. 30:0/20 {1070} nis 272: 20c1e8 254, pore2, (1/0) 430°20.20.0/24 [ofa] vis 172:20.160-254, post) [2 jovSelaeceres [oral via i7eca0cts1- 3 noted a, Which route willbe selected when tying to reach 10.20.90.2547 Select one 10.20.30.0/26 (10/0) vis 172.20.168.254, poee2, (1/0) 0/o] vie 272.20.221.2, portt, (1/01 19.90.20.0/24 (10/0) via 192.20.121.2, por 112/01 24.20.30.0/2¢ 10/0) via 172.20.167.254, pare, (1/0) cueson 23 comet “point out of View the exhibit. polleylde2 identidnet sevstontdes1232959 yaer="anonymous" groups" idap users" exeipei92.168.1.28 szcporte6330s profiletype-twebttiter roveby:e=60198 msg-"0Ri belongs to an allowed ca site" prottietderanit™ stat gory in pobioy" method-comain class-0 eat=149 catdess="ovstoml* ‘What two things does this raw log indicate? (Choose two) Select one or more: 392.168.1.24 5 the P address for wes, fort ine.con. The traffic originated from 6e.171.:21 48 FortiGate allowed the traffic to pass. ¥ The traffic matches the webfier profile on firewall policy ID 2. ntipsutrainng frinet.commodiquizreview-php?attempt= 18908951 &cmid=298084 ona210212026, 20:32 FortiGate Securly and FortiGate Inkasvucture 7.2 Sample Questions: Alemot review cusin 28 1 eins out Which two settings must you configure when FortiGate is being deployed asa root FortiGate in a Security Fabric topology? (Choose two) Select one or more: Pre-authorize downstream FortiGate devices FortiAnalyzer IP address Fabric name FortiManager IP adress 1 points oto Which two statements about advanced AD access mode for the FSO collector, agent are true? (Choose two) Select one or more: Itis only supported if 0C agents are deployed FortiGate can act as an LDAP client to configure the group fiers. ¥ Ituses the Windows convention for naming: thats, Domain\Username Itsupports monitoring of nested groups. cuesen 26 Which thre settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three) Select one of more: Trusted authentication Trusted host¥™ FortTelemetiy HrTPs¥ ssn tipstraining fortnet commadquizreview-php?attempt=18308951 &cmid=298084 son210212026, 20:32 FortiGate Securly and FortiGate Inkasvucture 7.2 Sample Questions: Alemot review cussion 27 1 pein out FortiGate is configured for firewall authentication. When attempting to access an external website the user is not presented with a login prompt (What isthe most likely reason for ths stuation? Select one ‘The user was authenticated using passive authentication ¥ The useris using a guest account profile. [No matching user account exists for this user. he user is using 2 super admin account 028 ‘An administrator wants to block htps:/Awww.example.com/vdeos and allow all ther URLs on the website \What are two configuration changes thatthe administrator can make to satisfy the requirement? (Choose two) Select one or more Configure a video filter profile to block the URL Enable full SL inspection Configure a static URL fiter entry for the URL and select Black asthe action Configure web overide for the URL and select a blocked FortiGuard subcategory tipstraining fortnet commadquizreview-php?attempt=18308951 &cmid=298084 14210212026, 20:32 FortiGate Securly and FortiGate Inkasvucture 7.2 Sample Questions: Alemot review austin 29 points out of Systemes Cee BE) eects 2 HTT treet 1 set tgn . SsuvPN Sct: ‘Which statement about the configuration settings is rue? Select one When a remote user accesses nitns//10.209.1.1:843 the SSL-VPN login page opens. he settings are invalid The administrator settings and the SSL-VPN settings cannot use the same port 443, the FortiGate login page opens. 149, the SSL-VPN login page opens. When a remote user accesses When a remote user accesses nt coeron 30 ‘An administrator has configured central ONAT and virtual IPs. [Which item can be selected inthe firewall policy Destination field? Select one AIP group AMP object ‘The mapped IP address object ofthe VIP object Aan P pool tipstraining fortnet commadquizreview-php?attempt=18308951 &cmid=298084 v4210212026, 20:32 FortiGate Securly and FortiGate Inkasvucture 7.2 Sample Questions: Alemot review austen 31 points outof What does the command diagnose debug fsso-polling refresh-user do? Select one It displays status information and some statistics related to the polls done by FortiGate on each DC. Itrefreshes user group information from any servers connected to FortiGate sing a collector agent. Itrefteshes all users learned through agentless polling Itenables agentless polling mode real-time debug a 1 points oto {An administrator needs to create a tunnel mode SSL-VPN to access an internal web serve from the internet. The web server is connected to port The internet is connected to port2,Soth interfaces belong to the VDOM named corsorsticn. ‘What interface must the administrator use as the source forthe firewall policy that will allow this traffic? Select one ast corporation port cuasion 33 Which two statements about the application control profile mode are tre? (Choose two} Select one or more: cannot be used in conjunction with IPS scanning, Iuses flow-based scanning techniques, regardless ofthe inspection mode used. Itcan be selected in either flow-based or proxy-based firewall policy. Itcan scan only unsecure protocols cueien 34 1 points out of Which statement about the HA override setting in FortiGate HA clusters is true? Select one enables monitored ports It synchronizes device priaity on all cluster members ‘You must configure override settings manually and separately foreach cluster member. ¥ It reboots FortiGate tipstraining fortnet commadquizreview-php?attempt=18308951 &cmid=298084 134210212026, 20:32 FortiGate Securly and FortiGate Inkasvucture 7.2 Sample Questions: Alemot review auton 35, 1 eins out What is eXtended Authentication (kAUth)? Select one Itis an IPsec extension that authenticates remote VPN peers using a pre-shared key. tis an IPsec extension that authenticates remote VPN peers using digital certificates tis an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password). ¥ Itis an IPsec extension that forces remote VPN users to authenticate using their local ID tipstraining fortnet commadquizreview-php?attempt=18308951 &cmid=298084 saa