NSE 4 7.2 Flashcards

Question

An administrator is running a sniffer command as shown in the exhibit. Which three pieces of information are included in the sniffer output? (Choose three.)

Answer 1

1. Interface name 2. IP header 3. Packet payload ## Footnote Fortigate Infrastructure 7.0 pg 58 To remember the order, think of the famous Architect I.M. Pei. **IPEI** IP Header Packet Payload Ethernet Header Interface Name 1. IP Header 2. IP Header and Packet Payload 3. IP Head, Packet Payload, and Ethernet Header 4-6 is the same - just add "Interface Name" to the end of each. Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=11186

Answer 2

FortiAnalyzer ## Footnote All devices must be authorized on the root Fortigate, and then after this step all must be authorized on the FortiAnalyzer.

Answer 3

The two VLAN sub-interfaces must have different VLAN IDs. ## Footnote Reference: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31639

Answer 4

Antivirus ## Footnote Antivirus and IPS is enhanced by the IPS Engine, so that is why B is the right answer.

Answer 5

Apple FaceTime will be blocked, based on the Excessive-Bandwidth filter configuration. ## Footnote Facetime belongs to VoIP category which is monitored here and therefore should be allowed, however, because of the behavior of the facetime "Excessive-Bandwidth", the custom filter Excessive-Bandwidth will block Facetime and the lookup won't continue to the second filter.

Answer 6

1. Standard mode uses Windows convention-NetBios: Domain\Username 2. Standard mode security profiles apply to user groups ## Footnote Standard Mode does not do OU, advanced mode does. Standard Mode cannot do nested groups. Fortigate Infra 7.0 Pg 280 Fortigate Infrastructure 7.0 Study Guide P.295

Answer 7

FortiGate automatically brings up the IPsec tunnel and keeps it up, regardless of activity on the IPsec tunnel. ## Footnote "Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic". When IPsec SAs expire, FortiGate needs to negotiate new SAs to continue sending and receiving traffic over the IPsec tunnel. Technically, FortiGate deletes the expired SAs from the respective phase 2 selectors, and install new ones. If IPsec SA renegotiation takes too much time, then FortiGate may drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Auto-negotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away. The latter prevents traffic disruption by IPsec SA renegotiation. Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic. When you enable Autokey Keep Alive and keep Auto-negotiate disabled, tunnel will not come up automatically unless there is interesting traffic. However, after the tunnel is up, it stays that way because FortiGate periodically sends keep alive packets over the tunnel. Note that when you enable Auto-negotiate, Autokey Keep Alive is implicitly enabled.

Answer 8

1. FortiGuard web filter queries 2. DNS ## Footnote "NTP, FortiGuard updated/queries, SNMP, DNS Filtering, Log settings and other mgmt related services". PKI is wrong because PKI stands for Public Key Infrastructure and is associated with VPNS Traffic shaping is wrong because traffic shaping is configured on a 'Traffic Shaping Policy' FortiGuard web filter queries is correct because Fortigate will use Fortiguard for these queries DNS is correct as the management VDOM (very similar to Palo Alto) can use DNS for DNS queries Fortigate Infrastructure 7.0 Study Guide P.113 Fortigate Infrastructure 7.0 Book Pg. 122 says global settings for vdom's are: *Hostname. HA Settings. Fortiguard Settings. System time. Administrative Accounts.*

Answer 9

1. udp-echo 2. TWAMP ## Footnote Fortigate Infrastructure 7.0 pg 81 In the GUI appears HTTP, DNS and Ping.

Answer 10

1. FG-traffic 2. Root ## Footnote Root VDOM is created by default when VDOMs are enabled. FortiGate Infrastructure 7.0 Study Guide page 123

Answer 11

1. NetAPI 2. WMI 3. WinSecLog ## Footnote Fortigate Infra SG 7.0 pg 255

Answer 12

The Services field removes the requirement of creating multiple VIPs for different services. ## Footnote The Services option has been added to VIP objects. When services and port forward are configured, only a single mapped port can be configured. However, multiple external ports can be mapped to that single internal port.This configuration was made possible to allow for complex scenarios where multiple sources of traffic are using multiple services to connect to a single computer, while requiring a combination of source and destination NAT, and not requiring numerous VIPs to be bundled into VIP groups. VIPs with different services are considered non-overlapping.

Answer 13

Aggregate interface ## Footnote Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated (combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred automatically to the remaining interfaces with the only noticeable effect being a reduced bandwidth.

Answer 14

Root VDOM ## Footnote If you enable split-task VDOM mode on the upstream FGT device, it can allow downstream FGT devices to join the Security Fabric in the root and FG-Traffic VDOMs. If split-task VDOM mode is enabled on the downstream FortiGate, it can only connect to the upstream FortiGate through the downstream FortiGate interface on the root VDOM.

Answer 15

Web application firewall ## Footnote Some FortiGate features are meant to protect clients, not servers. For example, FortiGuard web filtering blocks requests based on the category of the server’s web pages. Antivirus prevents clients from accidentally downloading spyware and worms. Neither protects a server (which doesn’t send requests—it receives them) from malicious scripts or SQL injections. Protecting web servers requires a different approach because they are subject to other kinds of attacks. This is where WAF applies. The WAF feature is available only in proxy inspection mode.

Answer 16

10.200.1.1 ## Footnote We set up the scenario when we enable port forwarding in the vip leaves with the ip associated with the wan interface (10.200.1.1), if we disable port forwarding the outgoing ip is the one associated with the VIP (10.200.1.10). The "set nat-source-vip enable" should be applied in the VIP Otherwise, the IP address of the physical interface will be used for NAT. Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD44529

Answer 17

1. Advanced mode supports nested or inherited groups 2. FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate. ## Footnote FortiGate Infra 7.0 page 280

Answer 18

By default, split tunneling is enabled ## Footnote There is a Trap here... C and D have something right but the trick is the question... Under SSL VPN settings you can see that port is 443 (same of https admin port) BUT the question is about a SSL VPN Setting FOR A VPN PORTAL... so if you go to SSL VPN Portals and hit "Create new" you will see Tunnel Mode and Split Tunnel enabled by default... so, the correct answer is C.

Answer 19

1. Log downloads from the GUI are limited to the current filter view. 2. Log backups from the CLI cannot be restored to another FortiGate. ## Footnote The question is about Backing up logs from CLI and Downloading logs from the GUI, therefore, C is incorrect because the question doesn't say anything about uploading logs from CLI, but says backing up from CLI...

Answer 20

1. Create a new service object for TELNET and set the maximum session TTL. 2. Create new firewall policy and place it above the existing SSL VPN policy for the SSL VPN traffic , and set the new TELNET servie object in the policy. ## Footnote The key here is performing the task without affecting any of the other services. - Not A - Changing the maximum TTL value for TELNET will affect every other policy that references the TELNET service - Not B - Changing the session TTL on the SSLVPN policy will impact other services referenced in the policy.

Answer 21

Subject Key Identifier value ## Footnote FortiGate can use the Subject Key Identifier and Authority Key Identifier values to determine the relationship between the issuer of the certificate (identified in the Issuer field) and the certificate.

Answer 22

1. Many of the security issues can be fixed immediately by clicking Apply where available 2. The Security Fabric rating must be on the root FortiGate device in the Security Fabric. ## Footnote Fortigate Security 7.0 pg 96-97

Answer 23

It limits the scope of the application control to the browser-based technology category only. ## Footnote The keyword is "browser-based" which we can find only in the Answer A.

Answer 24

1. Lookup is done on the trust packet from the session originator. 2. Lookup is done on the trust reply packet from the responder. ## Footnote B is a bogus response, checking the last packet is a bit too late to establish a connection. Whoever provided these answers failed this exam. Should also be "First" instead of "Trust".

Answer 25

The admin must use a FortiAuthenticator device. ## Footnote B is correct due to the FortiToken, a different OTP cannot use FortiToken. So we have to choose the fortiAuthenticator. FortiGate_Security_7.0 pages 212, 216.

Answer 26

1. Phase 2 SAs are used for encrypting and decrypting data exchanged through the tunnel. 2. A phase 1 SA is bidirectional, while a phase 2 SA is directional. 3. Phase 2 SDA expiration can be time-based, volume-based, or both.

Answer 27

1. Uninterruptable upgrade is enabled by default. 2. Traffic load-balancing is temporarily disabled while upgrading the firmware. ## Footnote Reference: https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_operatingFirmUpgd.htm

Answer 28

1. Shutdown/reboot a downstream FortiGate device. 2. Disable FortiAnalyzer logging for a downstream FortiGate device.

Answer 29

FortiGate will use the port1 route as the primary candidate. ## Footnote FortiGate will use the port1 route as the primary candidate.

Answer 30

Flow-based inspection ## Footnote Fortigate_Security_7.0 Page 368

Answer 31

The flow-based inspection is used, which resets the last packet to the user ## Footnote Key to right answer is "unable to receive a block replacement message when downloading an infected file for the first time". * "ONLY" If the virus is detected at the "START" of the connection, the IPS engine sends the block replacement message immediately * When a virus is detected on a TCP session (FIRST TIME), but where "SOME PACKETS" have been already forwarded to the receiver, FortiGate "resets the connection" and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore, can’t be opened. The IPS engine also caches the URL of the infected file, so that if a "SECOND ATTEMPT" to transmit the file is made, the IPS engine will then send a block replacement message to the client instead of scanning the file again. Two possible scenarios can occur when a virus is detected: - When a virus is detected on a TCP session where some packets have been already forwarded to the receiver, FG resets the connection and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore, can't be opened. The IPS engine also caches the URL of the infected file, so that IF A SECOND ATTEMPT TO TRANSMIT THE FILE IS MADE, THE IPS ENGINE WILL SEND A BLOCK REPLACEMENT MESSAGE to the client instead of scanning the file again. - If the virus is detected at the start of the connection, the IPS engine sends the block replacement message immediately.

Answer 32

1. NTP 2. DNS

Answer 33

It is available only on a proxy-based firewall policy ## Footnote Reference: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/190873/video-filtering

Answer 34

Strict RPF checks the best route back too the source using the incoming interface. ## Footnote Loose RPF checks for any route and Strict RPF check for best route Fortigate Security 7.0 pg 39-40.

Answer 35

1. The keyUsage extension must be set to keyCertSign 2. The CA extension must be set to true ## Footnote B is incorrect as It's not madatory to have a wildcard certificate. A is incorrect because certificate can be signed by any CA private or public. FortiGate Security 7.0 pp 328: "In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign."

Answer 36

get system arp ## Footnote D is correct. "If you suspect that there is an IP address conflict, or that an IP has been assigned to the wrong device, you may need to look at the ARP table." FortiGate Infrastructure 7.0 pg 353, 368

Answer 37

1. set protocol udp 2. set fortiguard-anycast disable ## Footnote Fortigate Security 7.0 pg 417, 422

Answer 38

1. By default, all interfaces are part of the same broadcast domain. 2. FortiGate forwards frames without changing the MAC address. ## Footnote Fortigate_Security_7.0 page 379

Answer 39

1. To detect intermediary NAT devices in the tunnel path. 2. To encapsulation ESP packets in UDP packets using port 4500. ## Footnote When NAT-T is enabled on both ends, peers can detect any NAT device along the path. If NAT is found, then the following occurs: - Both phase 2 and remaining phase 1 packets change to UDP port 4500. - Both ends encapsulate ESP within UDP port 4500. Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD48755

Answer 40

Logs are overwritten and the first warning is issued when the log disk usage reaches the threshold of 75% ## Footnote Page 278 Fortigate Security 7.0 (New Version!!), only 75% of the disk is available to store logs, this is distributed in the existing vdoms. Diagnose sys logdisk usage -- CLI command to verify this.

Answer 41

Configure host check ## Footnote For context, Host Check uses the FortiClient to check that certain conditions on the remote PC are met, such as having AV installed, that there is a specific file located on the PC, that a certain process is running on the PC, or that specific registry entries exist on the PC. Host Check basically ensures that the PC with the VPN Client installed is setup according to your organizations standards.

Answer 42

Static URL filter, FortiGuard category filter, and advanced filters ## Footnote FortiGate_Security_7.0_Study_Guide-Online.pdf page 414 shows the HTTP Inspection Order (Static URL Filter -> FortiGuard Category Filter -> Advanced Filters)

Answer 43

1. IPsec tunnels are negotiated dynamically between spokes. 2. It recommends the use of dynamic routing protocols, so that spokes can learn the routes to other spokes.

Answer 44

1. Volume 2. Session ## Footnote Session is the name of a mode. Spillover is not the real name for SD-WAN that is in ECMP. Spillover is called Usage in SD-WAN. Reference: https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-networking/SD-WAN/SD-WAN_load_balancing.htm

Answer 45

1. Web-filter in flow-based inspection. 2. Antivirus in flow-based inspection mode. 3. Application control ## Footnote It asks what uses the IPS system. And that is: Application control Anti-virus (flow-based) Web filter (flow-based) Email filter (flow-based) Data leak prevention (flow-based in one armed sniffer mode) Fortigate 7.0 Security pg 520, 525

Answer 46

1. This is known as many-to-one NAT. 2. Source IP is translated to the outgoing interface IP. ## Footnote Because the fixed port is disabled (default). If it is enable, then the answer would be C&D.

Answer 47

IMAP.Login.brute.Force ## Footnote Anomalies can be zero-day or denial of service attack Are Detected by behaivoral analysis: Rate Based IPS Signatures. DoS Policies. Protocol Constraint Inspections. DoS policy disabled in this scenario.

Answer 48

1. Warning 2. Allow ## Footnote Exempt is not FortiGuard category action.

Answer 49

1. Hard-timeout 2. New-session 3. Idle-timeout ## Footnote Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-auth-timeout-types-for-Firewall/ta-p/189423?externalID=FD37221

Answer 50

Machine learning (AI) scan ## Footnote For FortiOS 7.0 the answer is Machine learning (AI) scan instead of Heuristics. See FortiGate Security 7.0 page 476

Answer 51

It is dropped ## Footnote Because it exceeded the Extreme memory threshold. "However, if the memory usage exceeds the extreme threshold, new sessions are ALWAYS DROPPED, regardless of the FortiGate configuration." Note: "Extreme threshold is when the memory usage goes above 95%, and all NEW sessions are dropped.

Answer 52

1. HTTP Sessions are treated as a single user. 2. It can differentiate among multiple clients behind the same source IP address. 3. It requires more resources. ## Footnote For 1: Each session-based authenticated user is counted as a single user using their authentication membership (RADIUS, LDAP, FSSO, local database etc.) to match users in other sessions. So one authenticated user in multiple sessions is still one user.

Answer 53

Apple FaceTime belongs to the custom blocked filter. ## Footnote FaceTime categorized (filtered) under "Excessive-Bandwidth" and custom filter override set to block this. Also we know that users can't use FaceTime.

Answer 54

1. Shutdown/reboot a dowwnstream FortiGate device. 2. Disable FortiAnalyzer logging for a doownstream FortiGate device.

Answer 55

AH provides data integrity but no encryption ## Footnote "IPsec is a suite of protocols that is used for authenticating and encrypting traffic between two peers. The three most used protocols in the suite are the following: - Internet Key Exchange (IKE), which does the handshake, tunnel maintenance, and disconnection. - Encapsulation Security Payload (ESP), which ensures data integrity and encryption. - Authentication Header (AH), which offers only data integrity - not encryption."

Answer 56

1. Administrators cannot change the configuration 2. FortiGate has entered conserve mode ## Footnote Fortigate Infrastructure 7.0 pg 367-368 Fortigate Infra 7.0 page 383: Not accept config changes, does not run quarantine action - forwarding files to SandBox.

Answer 57

hard-timeout ## Footnote Fortigate Security 7.0 pg 254

Answer 58

1. Enable Dead Peer detection. 2. Configure a lower distance oon the static route for the primary tunnel, add a high distance on the static route for the secondary tunnel. ## Footnote 1 because the customer requires the tunnels to notify when a tunnel goes down. DPD is designed for that purpose. To send a packet over a firewall to determine a failover for the next tunnel after a specific amount of time of not receiving a response from its peer. For 2, remember when it comes to choosing a route with regards to Administrative Distance. The route with the lowest distance for that particular route will be chosen. So, by configuring a lower routing distance on the primary tunnel, means that the primary tunnel will be chosen to route packets towards their destination.

Answer 59

To allow for out-of-order packets that could arrive after the FIN/ACK packets ## Footnote TCP provides the ability for one end of a connection to terminate its output while still receiving data from the other end. This is called a half-close. FortiGate unit implements a specific timer before removing an entry in the firewall session table.

Answer 60

10.200.1.99 ## Footnote Ping is ICMP protocol - protocol number = 1 => SNAT policy ID 1 is policy that used. => Translated address is "SNAT-Remote1" that 10.200.1.99

Answer 61

1. The port3 default route has the lowest metric. 2. The port1 and port2 default routes are active in the routing table. ## Footnote *> mean active routes first square bracked mean administrative distance second bracket square mean priority (valid only on static routes) metric applies only in multiroutes with same administrative distance.

Answer 62

Social networking web filter catesgory is configured with the action set to authenticate ## Footnote 1 is correct. We have two logs, first with action deny and second with passthrough. A incorrect - second log shows: action="passthrough". B incorrect - Firewall action can be allow or deny. D incorrect - CLI don't show policy name, only ID. Remember ... action="passthrough" mean that authentication has occurred/ At first attempt from the same IP source connection is blocked, but a warning message is displayed. At the second attempt with the same IP source connection passtrough, so considering the first block and the second pass, the user must authenticate to be granted with access.

Answer 63

Change Administrator profile ## Footnote Fortigate security 7.0 pg 24 Prof_admin is only vdom admin not global.

Answer 64

1. The debug flow is of ICMP traffic 2. A new traffic session is created ## Footnote Proto 1 is icmp. Obviously a new session was created. The ping is being sent to the gateway from a local device so no policy is needed. "gw-10.0.1.250 via root" Fortigate Infrastructure 7.0 pg 358-360

Answer 65

Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings.

Answer 66

One-to-one NAT IP pool is used in the firewall policy | In one-to-one, PAT is not required.

Answer 67

1. Runs only over the heartbeat links 2. Elects the primary FortiGate device

Answer 68

The session is in SYN_SENT state ## Footnote In the first line "Session info: proto=6 proto_state=02" Indicates TCP (proto=6) session in SYN_SENT state (proto=state=2) FortiGate_Security_7.0 page 191. 0=None 1=Established 2=Syn_Sent Reference: https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042 https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/ta-p/196988#:~:text=the%20Reply%20direction-,State,-Value

Answer 69

1. SSH 2. HTTPS

Answer 70

1. A session for denied traffic is created 2. The number of logs generated by denied traffic is reduced ## Footnote ses-denied-traffic Enable/disable including denied session in the session table. https://docs.fortinet.com/document/fortigate/7.0.6/cli-reference/20620/config-system-settings block-session-timer Duration in seconds for blocked sessions . integer Minimum value: 1 Maximum value: 300 30 https://docs.fortinet.com/document/fortigate/7.0.6/cli-reference/1620/config-system-global

Answer 71

The IPS engine was inspecting high volume traffic ## Footnote "Option 5 enables IPS bypass mode. In this mode, the IPS engine is still running (answer B) , but it is not inspecting traffic. ----> If the CPU use decreases after that <---- , it usually indicates that the volume of traffic being inspected is too high for that FortiGate model." So D is correct to answer the question "decrease in CPU usage" Fortigate Security 7.0 pg 567

Answer 72

The first reply packet for student failed the RPF check. This issue can be resolved by adding a static route to 203.0.114.24/32 through port3.

Answer 73

One FortiGate device and on FortiManager device ## Footnote FortiGate_Security_7.0 page 67.

Answer 74

Adicting.Games will be allowed, based on the Application Overrides configuration.

Answer 75

1. The RPF check is run on the first sent packet of any new session. 2. RPF is a mechanism that protects FortiGuard and your network from IP spoofing attacks ## Footnote RPF protect against IP spoofing attacks. The source IP address is checked against the routing table for a return path. RPF is only carried out on: The first packet in the session, not on reply.

Answer 76

1. Enable match-vip in the Deny policy. 2. Set the Destination address as Web_server in the Deny policy. ## Footnote By default does not match vip in deny policy for destination all. So 2 options we have: 1. Enable match vip in the Deny policy. 2. Add destination as webserver in deny policy.

Answer 77

1. It can be configured only when FortiGate is operating in NAT mode. 2. All interfaces in the software switch share the same IP address. ## Footnote A is correct: "Only supported in NAT mode" C is correct: "The interfaces share the same IP adress and belong to the same broadcast domain. B is incorrect: "Acts Like a traditional Layer 2 switch" the software switch ONLY acts as a layer 2 switch, it doesn't do Layer 3 routing, the FortiGate (the firewall part) does that. D is incorrect: "Can group multiple physical and wireless interfaces into a single virtual switch Interface" Fortigate Infrastructure 7.0 pg 178 Can group physical and wireless. Only works on NAT mode. Acts like traditional layer 3 switch. Interfaces share same ip and broadcast domain. Fortigate Infrastructure 7.0 Study Guide P.186

Answer 78

It supports a limited number of protocols ## Footnote Web mode requires only a web browser, but supports a limited number of protocols. FortiGate_Security_7.0_Study_Guide page 582

Answer 79

1. For a stronger authentication, you can also enable extended authentication (XAuth) to request the remote peer to provide username and password. 2. FortiGate supports pre-shared key and signature as authentication methods. ## Footnote 1 = Fortigate_Infrastructure_7.0 page 218 2 = Fortigate_Infrastructure_7.0 page 215

Answer 80

A diagnose wad session list

Answer 81

User or User Group ## Footnote 1 is correct and tested (user added and user group are added to policy but ip address or network failed to add) Version 7.0.5 We have just confirmed this on a Production Fortigate FW and you can add user/User group but you cannot add Address group with ISDB object. It will simply show a red highlighted error which is read as "Addresses/groups cannot be mixed with Internet Services" if src: you can add user, if dst: you cannot add any other object. You can't mix ISDB objects with regular address objects. User objects are not restricted in any way. Fortigate Security 7.0 pg 117

Answer 82

This option places the RADIUS server, and all users who can authenticate against that server, into evey FortiGate user group. ## Footnote FortiGate_Security_7.0 page 223 "The INCLUDE IN EVERY USER GROUP option adds the Radius server and all user that can authenticate against it, to every user group created on the FortiGate"

Answer 83

Session-based authentication is enabled ## Footnote Fortigate Infrastructure 7.0 pg 264 NTLM authentication = session-based

Answer 84

1. Enable asymmetric routing. 2. Disabled the RPF check at the FortiGate interface level for source check. ## Footnote Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD51279

Answer 85

Change the login-timeout ## Footnote Based on FortiGate_Security_7.0 page 607 which says ... 'The first command allows you to set up the login timeout, replacing the previous hard timeout value (30 seconds)- The command is set login-timeout <10-80> FortiGate_Security_7.0 page 621

Answer 86

1. Server information disclosure attacks. 2. Credit card data leaks. 3. SQL injection attacks. ## Footnote Reference: https://help.fortinet.com/fweb/570/Content/FortiWeb/fortiweb-admin/web_protection.htm

Answer 87

Connected monitored ports > HA uptime > Priority > FortiGate serial number | PUPS - Ports/Uptime/Priority/Serial ## Footnote FortiGate_Infrastructure_7.0 page 304

Answer 88

It is an idle timeout. The FortiGate considers a user to be idle if it does not see any packets coming from the user's source IP. ## Footnote If there is no traffic received from the user IP address for the configured auth-timeout (5 minutes by default), user authentication entry will be removed. If the user tries to access resources now, FortiGate will prompt the user to authenticate again. Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD37221

Answer 89

1. Warning 2. Allow

Answer 90

It matched the default implicit firewall policy | implicit firewall rule == (policy id 0) ## Footnote traffic is denied by implicit firewall rule.

Answer 91

To allow for out-of-order packets that could arrive after the FIN/ACK packets. ## Footnote TCP provides the ability for one end of a connection to terminate its output while still receiving data from the other end. This is called a half-close. FortiGate unit implements a specific timer before removing an entry in the firewall session table.

Answer 92

Local traffic logs ## Footnote Fortigate Security 7.0 pg 268

Answer 93

1. SLA targets are optional 2. SLA targets are used only when referenced by an SD-WAN rule. ## Footnote Fortigate Infrastructure 7.0 Study Guide P.81

Answer 94

1. FortiGate SN FGVM010000065036 HA uptime has been reset. 2. FortiGate SN FGVM010000064692 has the higher HA priority. ## Footnote 1. Override is disable by default - OK 2. "If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA Uptime of the other FortiGate devices, it becomes the primary" The question here is : HA Uptime of FGVM01000006492 > 5 minutes? NO - 198 seconds < 300 seconds (5 minutes) Page 314 Infra Study Guide.

Answer 95

Execute a debug flow ## Footnote Because sniffer shows the ingressing and egressing packets, but we cannot see dropped packets by fortigate in a sniffer. Debugging can show the packets are not entering for any reasons caused by fortigate. So, if a packed is reached to fortigate and dropped , debug will show us.

Answer 96

To allow for out-of-order packets that could arrive after the FIN/ACK packets ## Footnote TCP provides the ability for one end of a connection to terminate its output while still receiving data from the other end. This is called a half-close. FortiGate unit implements a specific timer before removing an entry in the firewall session table.

Answer 97

1. NTP 2. DNS ## Footnote Fortigate Hostname is not synchronized between cluster member.

Answer 98

Change the csf setting on the Local-FortiGate (root) to set fabric-object-unification default.

Answer 99

NGFW policy-based mode supports creating applications and web filtering categories directly in a firewall policy. ## Footnote C is correct Fortigate Security 7.0 page 458 D is correct also Fortigate Security 7.0 page 458 Fortigate Security 7.0 page 445

Answer 100

1. One server was contacted to retrieve the contract information. 2. FortiGate is using default FortiGuard communication settings. ## Footnote Anycast is Enabled by default

Answer 101

Disable the RPF check at the FortiGate interface level for the reply check ## Footnote "B" is the answer be careful question are very tricky. RPF methods in NSE guide says: Two ways to disable RFP. 1 Enable asymetric routing, which disables RPF checking system wide (but not at interface level is through the CLI command config system settings) 2 Disable RPF checkking at the interface level (the only way at the interface level in the CLI command). A incorrect. If you enable asymetric routing, RPF not will be bypass because is disable. B Correct. You have to disable the RPF check an the interface level, for the source. C Is incorrect is for the source D is incorrect: Asymetric routing is not enable at interface level. RPF checking can be disabled in tho ways. If you enable asymmetric routing, it will disable RPF checking system wide. However this reduces the security of you network greatly. Features such us ANTIVIRUS, and IPS become non-effective. So, if you need to disable RPF checking, you can do so at the interface level using the command: config system interface edit set src-check [enable | disable] end

Answer 102

1. IP header 2. Ethernet header 3. Packet payload ## Footnote It really depends on the Verbosity Level. This specific question for Verbosity level 3 is ABC. Verbose levels in detail: 1: print header of packets. 2: print header and data from IP of packets. 3: print header and data from Ethernet of packets. 4: print header of packets with interface name. 5: print header and data from IP of packets with interface name. 6: print header and data from Ethernet of packets with interface name. Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=11186

Answer 103

1. If a Google Chrome browser is used with User-B credentials, the HTTP request will be allowed. 2. If a Microsoft Internet Explorer browser is used with User-B credentials, the HTTS request will be allowed. ## Footnote 3 exibits are missing. They are: 1. proxy custom address named "Browser CAT1" for local subnet and defined user agent "Chrome and IE" 2. proxy custom address named "Browser CAT2" for local subnet and defined user agent "Firefox" 3. proxy policy with 2 lines: - Browser CAT2 & Local subnet & User B --> deny - Browser CAT1 & Local subnet & User all --> accept Beed on above exibits only users from Chrome and IE are allowed.

Answer 104

It Authenticates the traffic using the authentication scheme SCHEME1. ## Footnote “What happens to traffic that requires authorization, but does not match any authentication rule? The active and passive SSO schemes to use for those cases is defined under config authentication setting”.

Answer 105

1. Security policy 2. SSL inspection and authentication policy ## Footnote "NGFW policy based mode, you must configure a few policies to allow traffic: SSL inspection & Authentication, Security policy". Security policies work with SSL Inspection & Authentication policies to inspect traffic. To allow traffic from a specific user or user group, both Security and SSL Inspection & Authentication policies must be configured. Fortigate_Security_7.0 (New Version) page 369. If you are using Policy Based Mode, SSL Inspection & Authentication (consolidated) and Security Policy are required to allow traffic.

Answer 106

1. NetAPI 2. WMI 3. WinSecLog ## Footnote Fortigate Infra SG 7.0 pg 255

Answer 107

1. Source defined as Internet Services in the firewall policy. 2. Destination defined as the Internet Services in the firewall policy. 3. Services defined in the firewall policy. ## Footnote Fortigate 7.0 Security pg 110

Answer 108

Security posture ## Footnote Description of the three major scorecards is seen in Security fabric > Security rating>Security posture. Security Posture Identify configuration weaknesses and best practice violations in your deployment. Fabric Coverage Identify in your overall network, where Security Fabric can enhance visibility and control. Optimization Optimize your fabric deployment. Reference: https://www.fortinet.com/content/dam/fortinet/assets/support/fortinet-recommended-security-best-practices.pdf

Answer 109

1. A change in the virtual IP address happens whaen a FortiGate device joins or leaves the cluster. 2. Virtual IP addresses are used to distinguish between clister members. ## Footnote FortiGate_Infrastructure_7.0 page 326

Answer 110

The internal IP address of the FortiGate device ## Footnote The SSL VPN portal enables remote users to access internal network resources through a secure channel using a web browser. The portal, bookmarks are used as links to internal network resources. Source IP seen by the remote resources is FortiGate’s internal IP address and not the user’s IP address.

Answer 111

Select the format boot device option from the BIOS menu. ## Footnote Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46582

Answer 112

Any number of virtual wire pairs can be included in each policy, regardless of the policy traffic direction settings. ## Footnote Reference: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/144614/allow-multiple-virtual-wire-pairs-in-a-virtual-wire-pair-policy

Answer 113

1. A session for denied traffic is created. 2. The number of logs generated by denied traffic is reduce. ## Footnote Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46328

Answer 114

The NetSessionEnum finction is used to track user logouts. ## Footnote Infrastructure 7.0 page 270 Infrastructure 7.0 page 255

Answer 115

Interface Pair view will be disabled.

Answer 116

1. port1-vlan1 and port2-vlan1 can be assigned in the same VDOM or different VDOMs. 2. port1 is native VLAN.

Answer 117

IPS engine

Answer 118

On idle ## Footnote Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD40813

Answer 119

1. Flow-based inspection uses a hybrid of scanning modes available in proxy-based inspection. 2. Optimized performance compared to proxy-based inspection. 3. FortiGate buffers the whole file but transmits to the client simultaneously. ## Footnote Reference: https://forum.fortinet.com/tm.aspx?m=192309

Answer 120

Implement web filter authentication for the specified website.

Answer 121

1. FortiGate uses the SMB protocol to read the event viewer logs from the DCs. 2. FortiGate directs the collector agent to use remote LDAP server. ## Footnote The correct statements about FortiGate FSSO agentless polling mode are: B. FortiGate uses the SMB protocol to read the event viewer logs from the DCs. D. FortiGate directs the collector agent to use a remote LDAP server. These two statements accurately describe the behavior of FortiGate FSSO agentless polling mode. The SMB protocol is used to read the event viewer logs from the domain controllers (DCs), and the FortiGate device directs the collector agent to use a remote LDAP server. Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47732

Answer 122

1. FortiSIEM 2. FortiAnalyzer 3. FortiCloud ## Footnote Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/265052/logging-andreporting-overview

Answer 123

1. For non-load balanced connections, packets forwarded by the clister to the server contain the virtual MAC address of port2 as source. 2. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary. ## Footnote 1: Non load balance: traffic enters port1 and go out port2 from FGT1. FGT2 is in primary mode 2: In proxy inspection mode, SYN packet goes to FGT1 port1. It is then forwarded to FGT2. the source MAC address of the packet is changed to the physical MAC address of port1 on the primary and the destination MAC address to the physical MAC address of port1 on the secondary. This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session

Answer 124

1. Browsers can be configured to retrieve this PAC file from the FortiGate. 2. Any web request fortinet.com is allowed to bypass the proxy.

Answer 125

1. The incoming interface. Outgoing interface. Schedule, and Serivec fields can be shared with both IPv4 and IPv6. 2. The policy table in the GUI will be consolidated to display policies with IPv4 and IPv6 sources and destinations. 3. The IP version of the sources and destinations in a policy must match.

Answer 126

SSL VPN idle-timeout

Answer 127

Implement web filter authentication for the specified website.

Answer 128

Addicting.Games is allowed based on the Application Overrides configuration.

Answer 129

1. execute ping 2. execute traceroute 3. diagnose sniffer packet any

Answer 130

1. Disable the RPF check at the FortiGate interface level for the source check. 2. Enable asymmetric routing.

Answer 131

1. Create a new firewall policy with the new HTTP service and place it above the existing policy. 2. Create a new service object for HTTP service and set session TTL to never.

Answer 132

1. Traffic belongs to the root VDOM 2. This is a security log ## Footnote 1. "vd=root" which means vdom is root. 2. "type=utm" which means security log event. VDOM=root D. Security=UTM

Answer 133

1. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes. 2. Tunnels are negotiated dynamincally between spokes.

Answer 134

1. SLA targets are used only when referenced by an SD-WAN rule. 2. SLA targets are optional. ## Footnote Fortigate Infrastructure 7.0 Study Guide P.81

Answer 135

The two VLAN sub-interfaces must have different VLAN IDs. ## Footnote Multiple VLANs can coexist in the same physical interface, provide they have different VLAN ID.

Answer 136

1. Reduces the amount of logs generated by denied traffic. 2. Creates session for traffic being denied. ## Footnote 1: because by keeping the denied sessions in the session table reduces the number of session denied events in the logs. 2: because you are keeping denied sessions in the session table. Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46328

Answer 137

1. Proxy-based inspection 2. Flow-based inspection ## Footnote Fortigate Security 7.0 pg 368 Profile based - Flow or proxy based. Policy based - flow only

Answer 138

1. There are 19 security recommendations for the security fabric. 2. This security fabric topology is a logical topology view. ## Footnote References: https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/761085/results https://docs.fortinet.com/document/fortimanager/6.2.0/new-features/736125/security-fabric-topology

Answer 139

Automation stitches ## Footnote Each automation stitch pairs an event trigger and one or more actions, it allows you to monitor your network and take appropiate action when SecFabric detects a threat.

Answer 140

Dialup user ## Footnote Dialup user is used when the remote peer's IP address is unknown. The remote peer whose IP address is unknown acts as the dialup clien and this is often the case for branch offices and mobile VPN clients that use dynamic IP address and no dynamic DNS

Answer 141

The CA certificate that signed the wqeb-server certificate must be installed on the browser.

Answer 142

Authentication scheme

Answer 143

Web application firewall ## Footnote Some FortiGate features are meant to protect clients, not servers. For example, FortiGuard web filtering blocks requests based on the category of the server’s web pages. Antivirus prevents clients from accidentally downloading spyware and worms. Neither protects a server (which doesn’t send requests—it receives them) from malicious scripts or SQL injections. Protecting web servers requires a different approach because they are subject to other kinds of attacks. This is where WAF applies. The WAF feature is available only in proxy inspection mode.

Answer 144

Subject key identifier value

Answer 145

The firewall policy is not using a full SSL inspection profile. ## Footnote A ips sensor need a firewall policy to work... and need a policy with full inspection to inspect encripted traffic.

Answer 146

diagnose firewall proute list ## Footnote Reference: https://www.fortinetguru.com/2019/09/troubleshooting-sd-wan-fortios-6-2/

Answer 147

1. Create a new firewall policy with the new HTTP service and place it above the existing HTTP policy. 2. Create a new service object for HTTP service and set the session TTL to never. ## Footnote But there is no such possibility to configure session TTL to never. Range is from 300 to 2764800. Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-set-Session-TTL-Value-to-Never/ta-p/198289?externalID=FD48961

Answer 148

1. To detect intermediary NAT devices in the tunnel path. 2. To encapsulation ESP packets in UDP packets using port 4500. ## Footnote When NAT-T is enabled on both ends, peers can detect any NAT device along the path. If NAT is found, then the following occurs: - Both phase 2 and remaining phase 1 packets change to UDP port 4500. - Both ends encapsulate ESP within UDP port 4500. Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD48755

Answer 149

FortiGate will use port1 route as the primary candidate. ## Footnote If multiple static routes have the same distance, they are all active; however, only the one with the lowest priority is considered the best path.

Answer 150

Change Administrator profile. ## Footnote Study Guide – Introduction and Initial Configuration – Basic Administration – Administrator Profiles. When assigning permissions to an admin profile, you can specify rw, ro, or none to each area. By default, there is a special profile super_admin, which is used by the account named admin. It cannot be changed. It provides full access to everytihing, making the admin account similar to a root superuser account. The prof_admin is another default profile. It also provides full access, but unlike super_admin, it only applies to its virtual domain and not the global settings of FG. Also, its permissions can be changed. Reference: "If you want to grant access to all VDOMs and global settings, select super_admin as the access profile when configuring the administrator account. Similar to the account named admin, this account can configure all VDOMs." Fortigate Infrastructure Study Guide v7.0, Page 117

Answer 151

1. Enable Dead Peer Detection 2. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel. ## Footnote Study Guide – IPsec VPN – IPsec configuration – Phase 1 Network. When Dead Peer Detection (DPD) is enabled, DPD probes are sent to detect a failed tunnel and bring it down before its IPsec SAs expire. This failure detection mechanism is very useful when you have redundant paths to the same destination, and you want to failover to a backup connection when the primary connection fails to keep the connectivity between the sites up. There are three DPD modes. On demand is the default mode. Study Guide – IPsec VPN – Redundant VPNs. Add one phase 1 configuration for each tunnel. DPD should be enabled on both ends. Add at least one phase 2 definition for each phase 1. Add one static route for each path. Use distance or priority to select primary routes over backup routes (routes for the primary VPN must have a lower distance or lower priority than the backup). Alternatively, use dynamic routing. Configure FW policies for each IPsec interface.

Answer 152

One-to-one NAT IP pool is used in the firewall policy. ## Footnote "one-to-one" is correct, See FortiGate Security 7.0 Study Guide P.164 "In one-to-one NAT, PAT is not required. Same source port is shown for both the ingress and egress address called also a single mapping of an internal to a external address"

Answer 153

1. The sensor will block all attacks aimed at Windows servers. 2. The sensor will allow attackers matching the NTP.Spoofed.KoD.DoS signature. ## Footnote Check on Fortigate Security Study Guide Page 532 ==> In the event of a false-positve outbreak, you can add the tiggered signature as an individual signature and set the action to monitor. This allows you to monitor the signature events using IPS log, while inbestigating the false-positive issue

Answer 154

1. Warning 2. Allowed ## Footnote Fortigate_Security_7.0 page 379

Answer 155

Policy with ID 5. ## Footnote It's coming from port 3 - hits Facebook-Web (Application) from the screenshot it show that it allows http and https traffic (80, 443).

Answer 156

1. The two VLAN sub0interfaces must have different VLAN IDs. 2. The only two VLAN sub-interfaces can have the same VLAN ID, only if they have IP addresses in different subnets. ## Footnote The question states that the VLANs are on a single interface. One interface can not be in two VDOMs. You can though have the same VLAN ID as long as it is in a different subnet. We have tested this and it is true. We can assume its the same as giving an interface a secondary IP address. We also tested it by creating two subinterfaces with the same VLAN ID, each under different physical interfaces all in one VDOM. Firerewall accepted it without no problem. But of course it couldn't accept the same scenario if two subinterfaces with the same VLAN ID attempted to add under the same physical interface. So answer C is definitely correct and B doesn't seem to be correct.

Answer 157

Strict RPF checks the best route back to the source using the incoming interface.

Answer 158

1. The number of logs generated by denied traffic is reduced. 2. A session for denied traffic is created. ## Footnote The timer config is by seconds not minutes. ses-denied-traffic Enable/disable including denied session in the session table. block-session-timer Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30). Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-denied-session-to-be-added-into-the/ta-p/195478

Answer 159

Change the csf setting on both devices to set downstream-access enable. ## Footnote Because D is already set to default (Global CMDB objects will be synchronized in Security Fabric.) The root device has downstream access disabled, so it needs to be enabled to sync the object. downstream-access - Enable/disable downstream device access to this device's configuration and data. disable - Disable downstream device access to this device's configuration and data. Reference: https://docs.fortinet.com/document/fortigate/7.2.0/cli-reference/147620/config-system-csf

Answer 160

1. Fortigate has entered conserve mode. 2. Administrators cannot change the configuration. ## Footnote What actions does FortiGate take to preserve memory while in conserve mode? * FortiGate does not accept configuration changes, because they might increase memory usage. * FortiGate does not run any quarantine action, including forwarding suspicious files to FortiSandbox. * You can configure the fail-open setting under config ips global to control how the IPS engine behaves when the IPS socket buffer is full. Based on the system performance output, it appears that FortiGate has entered conserve mode and administrators cannot change the configuration. FortiGate has entered conserve mode: When FortiGate enters conserve mode, it reduces its operational capacity in order to conserve resources and improve performance. This may be necessary if the system is experiencing high levels of traffic or if there are issues with resource utilization. Administrators cannot change the configuration: When the system is in conserve mode, administrators may not be able to change the configuration. This is because the system is prioritizing resource conservation over other activities, and making changes to the configuration may require additional resources that are not available. It is important to note that FortiGate will not start sending all files to FortiSandbox for inspection, and administrators may still be able to access FortiGate through other means besides the console port. Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-conserve-mode-is-triggered/ta-p/198580

Answer 161

192.168.2.0/24 ## Footnote Quick mode selectors need to be mirrored on both side, so the remote network on site A is the local network on site B. For an IPsec VPN between site A and site B, the administrator has configured the local quick mode selector for site A as 192.168.1.0/24 and the remote quick mode selector as 192.168.2.0/24. This means that the VPN will allow traffic to and from the 192.168.1.0/24 subnet at site A to reach the 192.168.2.0/24 subnet at site B. To complete the configuration, the administrator must configure the local quick mode selector for site B. To do this, the administrator must use the same subnet as the remote quick mode selector for site A, which is 192.168.2.0/24. This will allow traffic to and from the 192.168.2.0/24 subnet at site B to reach the 192.168.1.0/24 subnet at site A. Therefore, the administrator must configure the local quick mode selector for site B as 192.168.2.0/24.

Answer 162

1. The server FortiGate requires CA certificate to verify the client FortiGate certificate. 2. The client FortiGate requires SSL VPN tunnel interface type to connect to SSL VPN. ## Footnote The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type. The FortiGates must have a proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate. Reference: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/508779/fortigate-as-ssl-vpn-client

Answer 163

Reliable loggins required to encrypt the transmission of logs. ## Footnote Reliable logging changes the log transport delivery from UDP to TCP. Then, only if you are using Reliable logging, you can do encryption. NSE 4 training 7.2 training material: Fortigate Security: 05.Logging and Monitoring: Page 22, Reliable logging and OFTPs NSE4 - Security Training 7.2 - Study Guide, page 191. "If using reliable logging, you can encrypt communications using SSL-secured OFTP. "

Answer 164

10.200.1.100 ## Footnote From LAN to WAN, the Source NAT will use the IPPOOL with address configured 10.200.1.100 Destination NAT, from WAN to LAN, will use the VIP The question says SNAT, so the only correct answer here (looking at the IP Pool) is D.

Answer 165

In the VIP configuration, enable arp-reply. ## Footnote In the routing table of the ISP we can see that the route is C (connected) which means that if there is no ARP entry, traffic will be dropped by the ISP, and this is why there is no packets in the forti sniffer. The external interface address is different from the external address configured in the VIP. This is not a problem as long as the upstream network has its routing properly set. You can also enable ARP reply on the VPN (enabled by default, here disabled) to facilitate routing on the upstream network.

Answer 166

1. FGCP elects the primary FortiGate device. 2. FGCP runs only over the heartbeat links. ## Footnote The FGCP (FortiGate Clustering Protocol) is a protocol that is used to manage high availability (HA) clusters of FortiGate devices. It performs several functions, including the following: FGCP elects the primary FortiGate device: In an HA cluster, FGCP is used to determine which FortiGate device will be the primary device, responsible for handling traffic and making decisions about what to allow or block. FGCP uses a variety of factors, such as the device's priority, to determine which device should be the primary. FGCP runs only over the heartbeat links: FGCP communicates between FortiGate devices in the HA cluster using the heartbeat links. These are dedicated links that are used to exchange status and control information between the devices. FGCP does not run over other types of links, such as data links.

Answer 167

1. Configure a lower distance on the static route for the primary tunnel, and a high distance on the static route for the secondary tunnel. 2. Enable Dead Peer Detection. ## Footnote Lower distance = higher priority. Dead peer detection does heartbeat testing of VPN tunnels.

Answer 168

1. FortiGate uses fewer resources. 2. FortiGate adds less latency to traffic. ## Footnote Flow-based inspection is a type of traffic inspection that is used by some firewall devices, including FortiGate, to analyze network traffic. It is designed to be more efficient and less resource-intensive than proxy-based inspection, and it offers several benefits over this approach. Two benefits of flow-based inspection compared to proxy-based inspection are: FortiGate uses fewer resources: Flow-based inspection uses fewer resources than proxy-based inspection, which can help to improve the performance of the firewall device and reduce the impact on overall system performance. FortiGate adds less latency to traffic: Flow-based inspection adds less latency to traffic than proxy-based inspection, which can be important for real-time applications or other types of traffic that require low latency. 1. Fewer resources since it does not need to keep much in memory. 2. Samples traffic while it goes by, and only does makes allow or deny decision with the last package. So client does not have to wait on FortiGate to scan the bulk of the packtets.

Answer 169

1. www.example.com 2. example.com ## Footnote To create a web rating override for the home page of the example.com domain, the administrator must use one of the following syntaxes: www.example.com: This syntax specifies the fully qualified domain name (FQDN) of the website, including the www subdomain. This syntax will apply the web rating override to all pages on the website, including the home page. example.com: This syntax specifies the root domain of the website, without the www subdomain. This syntax will also apply the web rating override to all pages on the website, including the home page.

Answer 170

On the Static URL Filter configuration, set Action to Exempt. ## Footnote Based on the exhibit, the administrator has configured the FortiGuard Category Based Filter to block access to all social networking sites, and has also configured a Static URL Filter to block access to twitter.com. As a result, users are being redirected to a block page when they try to access twitter.com. To allow users to access twitter.com while blocking all other social networking sites, the administrator can make the following configuration change: On the Static URL Filter configuration, set Action to Exempt: By setting the Action to Exempt, the administrator can override the block on twitter.com that was specified in the FortiGuard Category Based Filter. This will allow users to access twitter.com, while all other social networking sites will still be blocked. Note: Tested this in a lab environment and to make this work as stated in the question the Exempt action is the only way to go, and also *.twimg.com will has to be added to the URL Filter with an Exempt action for this situation to really work!

Answer 171

1. A Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection. 2. FortiGate buffers the while file but transmits to the client at the same time. 3. Flow-based inspection optimizes performance compared to proxy-based inspection. ## Footnote 1: Flow-based inspection mode uses a hybrid of the scanning modes available in proxy-based inspection. 2: the IPS engine reads the payload of each packet, caches a local copy, and forwards the packet to the receiver at the same time. some operations can be offloaded to SPUs to improve performance (not C). 3: If performance is your top priority, then flow inspection mode is more appropriate.

Answer 172

1. Services defined in the firewall policy 2. Destinat defined as Internet Services in the firewall policy. 3. Source defined as Internet Service in the firewall policy. ## Footnote Policy ID does not define a matching criteria, it's just for editing purposes, and there is no priority in the policies, only their order will affect the matching process.

Answer 173

1. ZTNA provides a security posture check. 2. ZTNA provides role-based access. ## Footnote ZTNA (Zero Trust Network Access) is a security architecture that is designed to provide secure access to network resources for users, devices, and applications. It is based on the principle of "never trust, always verify," which means that all access to network resources is subject to strict verification and authentication. Two functions of ZTNA are: ZTNA provides a security posture check: ZTNA checks the security posture of devices and users that are attempting to access network resources. This can include checks on the device's software and hardware configurations, security settings, and the presence of malware. ZTNA provides role-based access: ZTNA controls access to network resources based on the role of the user or device. Users and devices are granted access to only those resources that are necessary for their role, and all other access is denied. This helps to prevent unauthorized access and minimize the risk of data breaches.

Answer 174

Dialup user

Answer 175

SSL VPN idle-timeout ## Footnote The SSL VPN idle-timeout setting determines how long an SSL VPN session can be inactive before it is terminated. When an SSL VPN session becomes inactive (for example, if the user closes the VPN client or disconnects from the network), the session timer begins to count down. If the timer reaches the idle-timeout value before the user reconnects or sends any new traffic, the session will be terminated and the associated resources (such as VPN tunnels and virtual interfaces) will be deleted.

Answer 176

Application control can identify child and parent applications and perform different actions on them. ## Footnote Application control is a feature that allows FortiGate to inspect and control the use of specific web applications on the network. When application control is enabled, FortiGate can identify child and parent applications, and can perform different actions on them based on the configuration. The FortiGuard application control signature database is organized in a hierarchical structure. This gives you the ability to inspect the traffic with more granularity. You can block Facebook applications while allowing users to collaborate using Facebook chat.

Answer 177

1. The website is exempted from SSL inspection. 2. The selected SSL inspection profile has certificate inspection enabled. ## Footnote Deep inspection need to be enabled. We're not talking about certificate trust warnings. The file was not decrypted, thus the antivur engine could not recognize the payload as a virus

Answer 178

1. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC addres of port2 as source. 2. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary. ## Footnote 1: Non load balance: traffic enters port1 and go out port2 from FGT1. FGT2 is in primary mode 2: In proxy inspection mode, SYN packet goes to FGT1 port1. It is then forwarded to FGT2. the source MAC address of the packet is changed to the physical MAC address of port1 on the primary and the destination MAC address to the physical MAC address of port1 on the secondary. This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session

Answer 179

1. The keyUsage extension must be set to keyCertSign. 2. The CA extension must be set to TRUE. ## Footnote Full SSL inspection - Certificate requirements: FortiGate is acting as a proxy web server. In order for FortiGate to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign.

Answer 180

1. HA settings 2. FortiGuard settings ## Footnote HA configuration overview. The purpose of an HA configuration is to reduce downtime when a zone or instance becomes unavailable. This might happen during a zonal outage, or when an instance runs out of memory. With HA, your data continues to be available to client applications. FortiGuard > Settings provides a central location for configuring and enabling your FortiManager system's built-in FDS as an FDN override server.

Answer 181

Volume based ## Footnote Volume load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled. What is load balancing method? Load balancing means are regarded as a form of an algorithms or method that is used to rightly share an incoming server request or traffic in the midst or among servers that is from the server pool. Note that Volume load balancing method is supported in equal cost multipath (ECMP) load balancing when SD-WAN is enabled as that is its role.

Answer 182

1. IPS 2. Application Control

Answer 183

1. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not. 2. Six packets are usually exchanged during main mode, while three packers are exchanged during aggressive mode.

Answer 184

10.20.30.0/24 [10/0] via 172.20.167.254, port3, [1/0]

Answer 185

It refreshes all users learned through agentless polling. | It refreshes all users learned through agentless polling.

Answer 186

1. A static route in VDOM2 for the destination subnet 10.0.1.0/24. 2. A static route in VDOM1 for the destination subnet 10.0.2.0/24.

Answer 187

Full SSL inspection is disabled.

Answer 188

1. A DoS policy, and log all UDP and TCP scan attempts. 2. An IPS sensor to monitor all signatures applicable to the server.

Answer 189

1. SSH 2. Trusted host 3. HTTPS

Answer 190

You must configure SNAT for each firewall policy.

Answer 191

The SYN packet from the client always arrives at the primary device first.

Answer 192

1. Multiple interfaces can be selected as incoming and outgoing interfaces. 2. A zone can be chosen as the outgoing interface.

Answer 193

1. A FortiGate allowed the traffic to pass. 2. The traffic matches webfilter profile on firewall policy ID 2.

Answer 194

The user was authenticated using passive authentication.

Answer 195

The mapped IP address object of the VIP object. ## Footnote - when central NAT is enabled => put the mapped IP address of the VIP object. - when central NAT is disabled => put the VIP object. Reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD38995

Answer 196

1. Block 2. Exempt 3. Allow

Answer 197

1. FortiAnalyzer IP address 2. Fabric name

Answer 198

1. It uses flow-based scanning techniques, regardless of the inspection mode used. 2. It can be selected in either flow-based or proxy-based firewall.

Answer 199

1. WAN is used effectively. 2. Application steering is available.

Answer 200

1. FortiGate can act as an LDAP client to configure group filters. 2. It supports monitoring of nested groups.

Answer 201

ssl.Corporation

Answer 202

1. A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted. 2. A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.

Answer 203

It captures the login events and forwards them to the collector agent. ## Footnote There is no requirement to record this information as it is a FSSO role to auth logon events. If it were to log logoff events if would just be a waste of resources. Reference: https://docs.fortinet.com/document/fortimanager/6.0.0/managing-fortios-and-fsso/869241/dc-agent-mode-and-polling-mode#:~:text=DC%20agent%20mode%20is%20the,it%20to%20the%20FortiGate%20unit.

Answer 204

1. Fixed port range 2. Port block allocation

Answer 205

1. Enable full SSL inspection. 2. Configure a static URL filter entry for the URL and select block as the action.

Answer 206

1. FortiToken 2. Email 3. SMS text message

Answer 207

1. Loose RPF check will allow the traffic. 2. Strict RPF check will deny the traffic.

Answer 208

1. The client must wait for the antivirus scan to finish scanning before it receives the file. 2. If a virus is detected, a block replacement message is displayed immediately.

Answer 209

1. The extreme database is available only on certain FortiGate models. 2. The extended database is available on all FortiGate models.

Answer 210

1. FortiGate SN FGVM010000065036 HA uptime has been reset. 2. FortiGate SN FGVM010000064692 has the higher priority. ## Footnote 1. Override is disable by default - OK 2. "If the HA uptime of a device is AT LEAST FIVE MINUTES (300 seconds) MORE than the HA Uptime of the other FortiGate devices, it becomes the primary" The QUESTION NO: here is : HA Uptime of FGVM01000006492 > 5 minutes? NO - 198 seconds < 300 seconds (5 minutes) Page 314 Infra Study Guide. https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-override-disab

Answer 211

The IPS engine was inspecting high volume of traffic. ## Footnote If there are high-CPU use problems caused by the IPS, you can use the diagnose test application ipsmonitor command with option 5 to isolate where the problem might be. Option 5 enables IPS bypass mode. In this mode, the IPS engine is still running, but it is not inspecting traffic. If the CPU use decreases after that, it usually indicates that the volume of traffic being inspected is too high for that FortiGate model. If the CPU use remains high after enabling IPS bypass mode, it usually indicates a problem in the IPS engine, which you must report to Fortinet Support.

NSE 4 7.2 Flashcards

(236 cards)