NSE4

Question 1

Which user group types does FortiGate support for firewall authentication? (Choose three.)
A. RSSO
B. Firewall
C. LDAP
D. NTLM
E. FSSO

Answer 1

A. RSSO
B. Firewall
E. FSSO

Question 2

Which of the following settings can be configured per VDOM? (Choose three)
A. Operating mode (NAT/route or transparent)
B. Static routes
C. Hostname
D. System time
E. Firewall Policies

Answer 2

A. Operating mode (NAT/route or transparent)
B. Static routes
E. Firewall Policies

Question 3

Which best describes the mechanism of a TCP SYN flood?
A. The attackers keeps open many connections with slow data transmission so that other clients cannot start new connections.

B. The attackers sends a packets designed to sync with the FortiGate

C. The attacker sends a specially crafted malformed packet, intended to crash the target by exploiting its parser.

D. The attacker starts many connections, but never acknowledges to fully form them.

Answer 3

D. The attacker starts many connections, but never acknowledges to fully form them.

Question 4

What attributes are always included in a log header? (Choose three.)
A. policyid
B. level
C. user
D. time
E. subtype
F. duration

Answer 4

B. level
D. time
E. subtype

Question 5

When does a FortiGate load-share traffic between two static routes to the same destination subnet?
A. When they have the same cost and distance.
B. When they have the same distance and the same weight.
C. When they have the same distance and different priority.
D. When they have the same distance and same priority.

Answer 5

D. When they have the same distance and same priority.

Question 6

Which statement is in advantage of using a hub and spoke IPsec VPN configuration instead of a fully-meshed set of IPsec tunnels?
A. Using a hub and spoke topology provides full redundancy.
B. Using a hub and spoke topology requires fewer tunnels.
C. Using a hub and spoke topology uses stronger encryption protocols.
D. Using a hub and spoke topology requires more routes

Answer 6

B. Using a hub and spoke topology requires fewer tunnels.

Question 7

An administrator has configured a route-based site-to-site IPsec VPN. Which statement is correct regarding this IPsec VPN configuration?
A. The IPsec firewall policies must be placed at the top of the list.
B. This VPN cannot be used as a part of a hub and spoke topology.
C. Routes are automatically created based on the quick mode selectors.
D. A virtual IPsec interface is automatically created after the Phase 1 configuration is completed.

Answer 7

D. A virtual IPsec interface is automatically created after the Phase 1 configuration is completed.

Question 8

Which of the following email spam filtering features is NOT supported on a FortiGate unit?
A. Multipurpose Internet Mail Extensions (MIME) Header Check
B. HELO DNS Lookup
C. Greylisting
D. Banned Word

Answer 8

C. Greylisting

Question 9

Which IPSec mode includes the peer id information in the first packet?
A. Main mode.
B. Quick mode.
C. Aggressive mode.
D. IKEv2 mode.

Answer 9

C. Aggressive mode.

Question 10

What actions are possible with Application Control? (Choose three.)
A. Warn
B. Allow
C. Block
D. Traffic Shaping
E. Quarantine

Answer 10

B. Allow
C. Block
D. Traffic Shaping

Question 11

Which is not a FortiGate feature?
A. Database auditing
B. Intrusion prevention
C. Web filtering
D. Application control

Answer 11

A. Database auditing

Question 12

In FortiOS session table output, what is the correct proto_state number for an established, non-proxied TCP connection?
A. 00
B. 11
C. 01
D. 05

Answer 12

C. 01

Question 13

A FortiGate devices is configured with four VDOMs: ‘root’ and ‘vdom1’ are in NAT/route mode; ‘vdom2’ and ‘vdom2’ are in transparent mode. The management VDOM is ‘root’.
Which of the following statements are true? (Choose two.)
A. An inter-VDOM link between ‘root’ and ‘vdom1’ can be created.
B. An inter-VDOM link between ‘vdom1’ and vdom2’ can created.
C. An inter-VDOM link between ‘vdom2’ and vdom3’ can created.
D. Inter-VDOM link links must be manually configured for FortiGuard traffic.

Answer 13

A. An inter-VDOM link between ‘root’ and ‘vdom1’ can be created.
B. An inter-VDOM link between ‘vdom1’ and vdom2’ can created.

Question 14

Examine the following log message attributes and select two correct statements from the list below. (Choose two.) hostname=www.youtube.com profiletype=”Webfilter_Profile” profile=”default” status=”passthrough” msg=”URL belongs to a category with warnings enabled”
A. The traffic was blocked.
B. The user failed authentication.
C. The category action was set to warning.
D. The website was allowed

Answer 14

C. The category action was set to warning.

D. The website was allowed

Question 15

Which of the following statements are true about PKI users created in a FortiGate device?
(Choose two.)
A. Can be used for token-based authentication
B. Can be used for two-factor authentication
C. Are used for certificate-based authentication
D. Cannot be members of user groups

Answer 15

A. Can be used for token-based authentication

B. Can be used for two-factor authentication

Question 16

Which is a more accurate description of a modern firewall?

A. A device that inspects network traffic at an entry point to the internet and within a simple, easily defined network perimeter
B. A multifunctional device that inspects network traffic from the perimeter or internally, within a network that has many different entry points

Answer 16

B. A multifunctional device that inspects network traffic from the perimeter or internally, within a network that has many different entry points

Question 17

Which solution, specific to Fortinet, enhances performance and reduces latency for specific features and traffic?

A. Acceleration hardware, called SPUs (Security Processing Units)

B. Increased RAM and CPU power

Answer 17

A. Acceleration hardware, called SPUs (Security Processing Units)

Question 18

Which protocol does FortiGate use to download antivirus and IPS packages?

A. UDP

B. TCP

Answer 18

B. TCP

Question 19

How does FortiGate check content for spam or malicious websites?

A. Live queries to FortiGuard over UDP or HTTPS

B. Local verification using downloaded web filter database locally on FortiGate

Answer 19

A. Live queries to FortiGuard over UDP or HTTPS

Question 20

How do you restrict logins to FortiGate from only specific IP addresses?

A. Change FortiGate management interface IP addresses

B. Configure trusted host

Answer 20

B. Configure trusted host

Question 21

As a best security practice when configuring administrative access to FortiGate, which protocol should you disable?

A. Telnet

B. SSH

Answer 21

A. Telnet

Question 22

When configuring FortiGate as a DHCP server, to restrict access by MAC address, what does the Assign IP option do?

A. Assigns a specific IP address to a MAC address

B. Dynamically assigns an IP to a MAC address

Answer 22

B. Dynamically assigns an IP to a MAC address

Question 23

When configuring FortiGate as a DNS server, which resolution method only uses the FortiGate DNS database to try to resolve queries?

A. Non-recursive

B. Recursive

Answer 23

A. Non-recursive

Question 24

Which traffic is always generated from the management VDOM?

A. Link Health Monitor

B. FortiGuard

Answer 24

B. FortiGuard

Question 25

Which statement about the management VDOM is true?

A. It is root by default and cannot be changed in multi-vdom mode.

B. It is root by default, but can be changed to any VDOM in multi-vdom mode.

Answer 25

B. It is root by default, but can be changed to any VDOM in multi-vdom mode.

Question 26

When restoring an encrypted system configuration file, in addition to needing the FortiGate model and firmware version from the time the configuration file was produced, what must you also provied?

A. The password to decrypt the file

B. The private decryption key to decrypt the file

Answer 26

A. The password to decrypt the file

Question 27

Which document should you consult to increase the chances of success before upgrading or downgrading firmware?

A. Cookbook

B. Release Notes

Answer 27

B. Release Notes

Question 28

What is the Fortinet Security Fabric?

A. A Fortinet solution that enables communication and visibility among devices of your network

B. A device that can manage all your firewalls

Answer 28

A. A Fortinet solution that enables communication and visibility among devices of your network

Question 29

Which combination of devices must participate in the Security Fabric

A. A FortiAnalyzer and two or more FortiGate devices

B. A device that can manage all your firewalls

Answer 29

A. A FortiAnalyzer and two or more FortiGate devices

Question 30

What are the two mandatory settings of the Security Fabric configuration?

A. Fabric name and Security Fabric role

B. Fabric name and FortiManager IP address

Answer 30

A. Fabric name and Security Fabric role

Question 31

From where do you authorize a device to participate in the Security Fabric?

A. From the downstream FortiGate

B. From the root FortiGate

Answer 31

B. From the root FortiGate

Question 32

Why should an administrator extend the Security Fabric to other devices?

A. To provide a single pane of glass for management and reporting purposes

B. To eliminate the need to purschase the licenses for FortiGate devices in the Security Fabric

Answer 32

A. To provide a single pane of glass for management and reporting purposes

Question 33

What is the purpose of Security Fabric external connectors?

A. External connectors allow you to integrate multi-cloud support with the Security Fabric

B. External connectors allow you to connect the FortiGate command line interface (CLI)

Answer 33

A. External connectors allow you to integrate multi-cloud support with the Security Fabric

Question 34

Which one is a part of the Security Rating scorecard?

A. Firewall Policy

B. Optimization

Answer 34

B. Optimization

Question 35

From which view can an administrator deauthorize a device from the Security Fabric?

A. From the physical topology view

B. From the Fortiview

Answer 35

A. From the physical topology view

Question 36

What criteria does FortiGate use to match traffic to a firewall policy?

A. Secure and destination interfaces

B. Security profiles

Answer 36

A. Secure and destination interfaces

Question 37

What must be selected in the Source field of a firewall policy?

A. At least one address object or ISDB

B. At least one source user and one source address object

Answer 37

A. At least one address object or ISDB

Question 38

To configure a firewall policy, you must include a firewall policy name when configuring using the ____.

A. CLI

B. GUI

Answer 38

B. GUI

Question 39

What is the purpose of applying security profiles to a firewall policy?

A. To allow access to specific subnets

B. To protect your network from threats, and control access to specific applications and URLs

Answer 39

B. To protect your network from threats, and control access to specific applications and URLs

Question 40

If you configure a firewall policy with any interface, you can view the firewall policy list only in which view?____.

A. The By Sequence View

B. The Interface Pair View

Answer 40

A. The By Sequence View

Question 41

Which of the following naming formats is correct when configuring a name for a firewall address object?

A. Good_Training

B. Good(Training)

Answer 41

A. Good_Training

Question 42

What is the purpose of the policy lookup feature on FortiGate?

A. To find a matching policy based on input criteria

B. To block traffic based on input criteria

Answer 42

A. To find a matching policy based on input criteria

Question 43

What is NAT used for?

A. Preserving IP addresses

B. Traffic shaping

Answer 43

A. Preserving IP addresses

Question 44

Which statement about NAT66 is true?

A. It is NAT between two IPv6 networks.

B. It is NAT between two IPv4 networks.

Answer 44

A. It is NAT between two IPv6 networks.

Question 45

What is the default IP pool type?

A. One-to-one

B. Overload

Answer 45

B. Overload

Question 46

Which of the following is the default VIP type?

A. static-nat

B. load-balance

Answer 46

A. static-nat

Question 47

Which statement is true?

A. Central NAT is not enabled by default

B. Both central NAT and firewall policy NAT can be enabled together

Answer 47

A. Central NAT is not enabled by default

Question 48

What happens if there is no matching central SNAT policy or no central SNAT policy configured?

A. The egress interface IP will be used.

B. NAT will not be applied to the firewall session.

Answer 48

B. NAT will not be applied to the firewall session.

Question 49

Which method would you use for advanced application tracking and control?

A. Session helper

B. Application layer gateway

Answer 49

B. Application layer gateway

Question 50

Which profile is an example of application layer gateway?

A. WAF (Web Application Firewall) profile

B. VOIP (Voice over IP) profile

Answer 50

B. VOIP (Voice over IP) profile

Question 51

If session diagnostic output indicates that a TCP protocol state is proto_state=01, which is true?

A. The session is established

B. The session is not established

Answer 51

A. The session is established

Question 52

An administrator wants to check the total number of TCP sessions for an IP pool named INTERNAL. Which CLI command should the administrator use?

A. diagnose firewall ippool-all stats INTERNAL

B. diagnose firewall ippool-all list INTERNAL

Answer 52

A. diagnose firewall ippool-all stats INTERNAL

Question 53

Which firewall authentication method does FortiGate support?

A. Local password authentication

B. Biometric authentication

Answer 53

A. Local password authentication

Question 54

Which type of token can generate OTPs to provide two-factor authentication to users in your network?

A. FortiToken Mobile

B. USB FortiToken

Answer 54

A. FortiToken Mobile

Question 55

When FortiGate uses a RADIUS server for remote authentication, which statement about RADIUS is true?

A. FortiGate must query the remote RADIUS server using the distinguished name (dn).

B. RADIUS group memberships are provided by vendor-specific attributes (VSAs) configured on the RADIUS server.

Answer 55

B. RADIUS group memberships are provided by vendor-specific attributes (VSAs) configured on the RADIUS server.

Question 56

What is a valid reply from RADIUS server to an ACCESS_REQUEST packet from FortiGate?

A. ACCESS-PENDING

B. ACCESS-REJECT

Answer 56

B. ACCESS-REJECT

Question 57

A remote LDAP user is trying to authenticate with a username and password. How does FortiGate verify the login credentials?

A. FortiGate queries its own database for user credentials.

B. FortiGate sends the user-entered credentials to the remote server verification.

Answer 57

B. FortiGate sends the user-entered credentials to the remote server verification.

Question 58

Which statement about guest user groups is true?

A. Guest user group accounts are temporary.

B. Guest user group accounts passwords are temporary.

Answer 58

A. Guest user group accounts are temporary.

Question 59

Guests accounts are most commonly used for which purposes?

A. To provide temporary visitor access to corporate network resources

B. To provide temporary visitor access to wireless networks

Answer 59

B. To provide temporary visitor access to wireless networks

Question 60

Firewall policies dictate whether a user or device can or cannot authenticate on a network. Which statement about firewall authentication is true?

A. Firewall policies can be configured to authenticate certificate users.

B. The order of the firewall polices always determines whether user’s credentials are determined actively or passively.

Answer 60

A. Firewall policies can be configured to authenticate certificate users.

Question 61

Which statement about active authentication is true?

A. Active authentication is always used before passive authentication.

B. The firewall policy must allow the HTTP, HTTPS, FTP, and/or Telnet protocols in order for the user to be prompted for credentials.

Answer 61

B. The firewall policy must allow the HTTP, HTTPS, FTP, and/or Telnet protocols in order for the user to be prompted for credentials.

Question 62

Which statement about captive portal is true?

A. Captive portal must be hosted on a FortiGate device.

B. Captive portal can exempt specific devices from authenticating.

Answer 62

B. Captive portal can exempt specific devices from authenticating.

Question 63

Which statement best describes the authentication idle timeout feature on FortiGate?

A. The length of time FortiGate waits for the user to enter their authentication credentials

B. The length of time an authenticated user is allowed to remain authenticated user is allowed to remain authenticated without any packets being generated by the host device

Answer 63

B. The length of time an authenticated user is allowed to remain authenticated user is allowed to remain authenticated without any packets being generated by the host device

Question 64

Which command would you use to identify the IP addresses of all authenticated users?

A. diagnose firewall auth clear

B. diagnose firewall auth list

Answer 64

B. diagnose firewall auth list

Question 65

Which type of logs are application control, web filter, antivirus, and DLP?

A. Event

B. Security

Answer 65

B. Security

Question 66

The log _______ contains fields that are common to all log types, such as originating date and time, log identifier, log category, and VDOM.

A. header

B. body

Answer 66

A. header

Question 67

Which storage type is preferred for logging?

A. Remote Logging

B. Hard drive

Answer 67

A. Remote Logging

Question 68

Which protocol does FortiGate use to send encrypted logs to FortiAnalyzer?

A. OFTPS

B. SSL

Answer 68

A. OFTPS

Question 69

If you enable reliable logging, which transport protocol will FortiGate use?

A. UDP

B. TCP

Answer 69

B. TCP

Question 70

In your firewall policy, which setting must you enable to generate logs on traffic sent through that firewall policy?

A. Log Allowed Traffic

B. Event Logging

Answer 70

A. Log Allowed Traffic

Question 71

With email alerts, you can trigger alert emails based on ____ or log severity level.

A. event

B. threat weight

Answer 71

A. event

Question 72

What happens when logs roll?

A. It lowers the space requirements needed to contain those logs.

B. They are uploaded to an FTP server.

Answer 72

A. It lowers the space requirements needed to contain those logs.

Question 73

When you download logs on the GUI, ____

A. all logs in the SQL database are downloaded.

B. only your current view, including any filters set, are downloaded.

Answer 73

B. only your current view, including any filters set, are downloaded.

Question 74

Which attribute or extension identifies the owner or a certificate?`

A. The subject name in the certificate

B. The unique serial number in the certificate

Answer 74

A. The subject name in the certificate

Question 75

How does FortiGate determine if a certificate has been revoked?

A. It checks the CRL that resides on the FortiGate

B. It retrieves the CRL from a directory server

Answer 75

A. It checks the CRL that resides on the FortiGate

Question 76

Which certificate extension and value is required in the FortiGate CA certificate in order to enable full SSL inspection?

A. CRL DP=ca_arl.arl

B. cA=True

Answer 76

B. cA=True

Question 77

Which configuration requires FortiGate to act as a CA for full SSL inspection?

A. Multiple clients connecting to multiple servers

B. Protecting the SSL server

Answer 77

A. Multiple clients connecting to multiple servers

Question 78

Which CSR enrollment method is supported by FortiGate?

A. Enrollment over Secure Transport (EST)

B. Simple Certificate Enrollment Protocol (SCEP)

Answer 78

B. Simple Certificate Enrollment Protocol (SCEP)

Question 79

After a CSR has been enrolled and imported into FortiGate, the status of the certificate should change to:

A. Valid

B. Pending

Answer 79

A. Valid

Question 80

Which is the default inspection mode on a firewall policy?

A. Proxy based

B. Flow based

Answer 80

B. Flow based

Question 81

How does NGFW policy-based mode differ from profile-based mode?

A. Policy-based flow inspection supports web profile overrides.

B. Policy-based flow inspection defines URL filters directly in the firewall policy.

Answer 81

B. Policy-based flow inspection defines URL filters directly in the firewall policy.

Question 82

Which statement about proxy-based web filtering is true?

A. It requires more resources than flow-based

B. It transparently analyzes the TCP flow of the traffic

Answer 82

A. It requires more resources than flow-based

Question 83

Which is a valid action for FortiGuard web category filtering?

A. Allow

B. Deny

Answer 83

A. Allow

Question 84

Which is a valid action for static URL filtering?

A. Exempt

B. Warning

Answer 84

A. Exempt

Question 85

Which action can be used with the FortiGuard quota feature?

A. Monitor

B. Shape

Answer 85

A. Monitor

Question 86

Which statement about web profile overrides is true?

A. It is used to change the website category.

B. Configured users can activate this setting through an override link on the FortiGurd block page.

Answer 86

B. Configured users can activate this setting through an override link on the FortiGurd block page.

Question 87

Which is required to configure YouTube video filtering?

A. YouTube API key

B. username

Answer 87

A. YouTube API key

Question 88

Which action can be used with the video FortiGuard categories?

A. Authenticate

B. Monitor

Answer 88

B. Monitor

Question 89

Which statement about blocking the known bothnet command and control domains is true?

A. DNS lookups are checked against the botnet command and control database.

B. The botnet command and control domains can be enabled on the web filter profile.

Answer 89

A. DNS lookups are checked against the botnet command and control database.

Question 90

Which security profile inspects only the fully qualified domain name?

A. Web Filter

B. DNS Filter

Answer 90

B. DNS Filter

Question 91

You have configured your security profiles, but they are not performing web or DNS inspection. Why?

A. The certificate is not installed correctly

B. The profiles is not associated with the correct firewall policy.

Answer 91

B. The profiles is not associated with the correct firewall policy.

Question 92

Which statement about application control is true?

A. Application control uses the IPS engine to scan traffic for application patterns.

B. Application control is unable to scan P2P architecture traffic.

Answer 92

A. Application control uses the IPS engine to scan traffic for application patterns.

Question 93

Which statement about the application control database is true?

A. The application control database is separate from the IPS database.

B.A. The application control database must be updated manually.

Answer 93

A. The application control database is separate from the IPS database.

Question 94

Which statement about application control in a NGFW policy-based configuration is true?

A. Applications are applied directly to the security policies.

B. The application control profiles must be applied to firewall polices.

Answer 94

A. Applications are applied directly to the security policies.

Question 95

Which statement about the HTTP block page for application control is true?

A. It can be used only for web applications.

B. It works for all types of applications.

Answer 95

A. It can be used only for web applications.

Question 96

Where do you enable logging of application control events?

A. Application control logs are enabled in the firewall policy configuration.

B. Application control logs are enabled on the FortiView Applications page of FortiGate.

Answer 96

A. Application control logs are enabled in the firewall policy configuration.

Question 97

Which piece of information is not included in the application event log when using NGFW policy-based mode?

A. Application control profile name

B. Application name

Answer 97

A. Application control profile name

Question 98

Which protocol does FortiGate use with FortiGuard to recive updates for application control?

A. UDP

B. TCP

Answer 98

B. TCP

Question 99

Which SSL/SSH inspection method is recommended for use with application control scanning to improve application detection?

A. Certificate-based inspection profile

B. Deep-inspection profile

Answer 99

B. Deep-inspection profile

Question 100

If antivirus, grayware, and AI scans are enabled, in what order are they performed?

A. AI scan. followed by grayware scan, followed by antivirus scan

B. Antivirus scan, followed by grayware scan, followed by AI scan

Answer 100

B. Antivirus scan, followed by grayware scan, followed by AI scan

Question 101

Which database can be manually selected for use in antivirus scanning?

A. Extended and Extreme

B. Quick, Normal, and Extreme

Answer 101

A. Extended and Extreme

Question 102

What three additional features of an antivirus profile are available in proxy-based inspection mode?

A. MAPI, SSH and CDR

B. Full and quick

Answer 102

A. MAPI, SSH and CDR

Question 103

What antivirus database is limited to specific FortiGate models?

A. Extended

B. Extreme

Answer 103

B. Extreme

Question 104

What is the default scanning behavior for files over 10 MB?

A. Allow the file without scanning

B. Block all large files that exceed the buffer threshold

Answer 104

A. Allow the file without scanning

Question 105

Which type of inspection mode can be offloaded using NTurbo hardware acceleration?

A. Proxy-based

B. Flow-based

Answer 105

B. Flow-based

Question 106

What does the logging of oversized files option do?

A. Enables logging of all files that cannot be scanned because of oversize limit

B. Logs all files that are over 5 MB

Answer 106

A. Enables logging of all files that cannot be scanned because of oversize limit

Question 107

What command do you use to force FortiGate to check for a new antivirus updates?

A. execute update antivirus

B. execute update-av

Answer 107

B. execute update-av

Question 108

Which IPS action allows traffic and logs the activity?

A. Allow

B. Monitor

Answer 108

B. Monitor

Question 109

Which IPS component is updated most frequently?

A. Protocol decoders?

B. IPS signature database

Answer 109

B. IPS signature database

Question 110

Which behavior is a characteristic of a DoS attack?

A. Attempts to exploit a known application vulnerability

B. Attempts to overload a server with TCP SYN packets

Answer 110

B. Attempts to overload a server with TCP SYN packets

Question 111

Which DoS anomaly sensor can be used to detect and block the probing attempts of a port scanner?

A. tcp_syn_flood

B. tcp_port_scan

Answer 111

B. tcp_port_scan

Question 112

WAF protocol constraints protect against which type of attacks?

A. Buffer overload

B. ICMP sweep

Answer 112

A. Buffer overload

Question 113

To use WAF feature, which inspection mode should be used in the firewall policy?

A. Flow

B. Proxy

Answer 113

B. Proxy

Question 114

Which chipset uses NTurbo to accelerate IPS sessions?

A. CP9

B. SoC4

Answer 114

B. SoC4

Question 115

Which feature requires full SSL inspection to maximize its detection capability?

A. WAF

B. DoS

Answer 115

A. WAF

Question 116

Which FQDN does FortiGate use to obtain IPS updates?

A. update.fortiguard.net

B. service.fortiguard.com

Answer 116

A. update.fortiguard.net

Question 117

When IPS fail open is triggered, what is the expected behavior, if the IPS fail-open option is set to enabled?

A. New packets pass through without inspection

B. New packets dropped

Answer 117

A. New packets pass through without inspection

Question 118

What does a VPN do?

A. Extends a private network across a public network

B. Protects a network from external attacks

Answer 118

A. Extends a private network across a public network

Question 119

Which statement about SSL VPNs is true?

A. An SSL VPN can be established between workstation and a FortiGate device only.

B. An SSL VPN can be established between an end-user workstation and a FortiGate device or two FortiGate devices.

Answer 119

B. An SSL VPN can be established between an end-user workstation and a FortiGate device or two FortiGate devices.

Question 120

A web-mode SSL VPN user connects to a remote web server. What is the source IP address of the HTTP request the web server recives?

A. The remote user IP address

B. The FortiGate device internal IP address

Answer 120

B. The FortiGate device internal IP address

Question 121

Which statement about tunnel-mode SSL VPN is correct?

A. It supports split tunneling.

B. It requires bookmarks.

Answer 121

A. It supports split tunneling.

Question 122

A web-mode SSL VPN user uses ____ to access internal network resources.

A. bookmarks

B. FortiClient

Answer 122

A. bookmarks

Question 123

Which step is necessary to configure SSL VPN connections?

A. Create a firewall policy from the SSL VPN interface to the internal interface.

B. Enable event logs for SSL VPN traffic: users, VPN, and endpoints.

Answer 123

A. Create a firewall policy from the SSL VPN interface to the internal interface.

Question 124

Which action may allow internet access in tunnel mode, if the remote network does not allow internet access to SSL VPN users?

A. Enable split tunneling

B. Configure the DNS server to use the same DNS server as the client DNS

Answer 124

A. Enable split tunneling

Question 125

What does the SSL VPN monitor feature allow you to do?

A. Monitor SSL VPN user actions, such as authentication

B. Force SSL VPN user disconnects

Answer 125

B. Force SSL VPN user disconnects

Question 126

Which statement about SSL VPN timers is correct?

A. SSL VPN timers can prevent logouts when SSL VPN users experience long network latency.

B. The login timeout is a non-customizable hard value.

Answer 126

A. SSL VPN timers can prevent logouts when SSL VPN users experience long network latency.

Question 127

Which components issues and signs the client certificate?

A. FortiClient EMS

B. FortiClient

Answer 127

A. FortiClient EMS

Question 128

Which internet browser supports Fortinet ZTNA?

A. Firefox

B. Chrome

Answer 128

B. Chrome

Question 129

What does FortiClient EMS integration ensure?

A. Device identification

B. User identification

Answer 129

A. Device identification

Question 130

An administrator needs to increase network bandwidth and provide redundancy.

What interface type must the administrator select to bind multiple FortiGate interfaces?

A. VLAN interface

B. Software Switch interface

C. Aggregate interface

D. Redundant interface

Answer 130

C. Aggregate interface

Question 131

Refer to the exhibit, which contains a static route configuration.

An administrator created a static route for Amazon Web Services.

What CLI command must the administrator use to view the route?

A. get router info routing-table all

B. get internet service route list

C. get router info routing-table database

D. diagnose firewall proute list

Answer 131

D. diagnose firewall proute list

Question 132

Which three statements are true regarding session-based authentication? (Choose three.)

A. HTTP sessions are treated as a single user.

B. IP sessions from the same source IP address are treated as a single user.

C. It can differentiate among multiple clients behind the same source IP address.

D. It requires more resources.

E. It is not recommended if multiple users are behind the source NAT

Answer 132

A. HTTP sessions are treated as a single user.

C. It can differentiate among multiple clients behind the same source IP address.

D. It requires more resources.

Question 133

What is the primary FortiGate election process when the HA override setting is disabled?

A. Connected monitored ports > System uptime > Priority > FortiGate Serial number

B. Connected monitored ports > HA uptime > Priority > FortiGate Serial number

C. Connected monitored ports > Priority > HA uptime > FortiGate Serial number

D.Connected monitored ports > Priority > System uptime > FortiGate Serial number

Answer 133

B. Connected monitored ports > HA uptime > Priority > FortiGate Serial number

Question 134

Which Security rating scorecard helps identify configuration weakness and best practice violations in your network?

A. Fabric Coverage

B. Automated Response

C. Security Posture

D. Optimization

Answer 134

C. Security Posture

Question 135

Which statement best describes the role of a DC agent in an FSSO DC agent mode solution?

Select one:
A. It captures the login events and forwards them to the collector agent.
B. It captures the user IP address and workstation name and forwards them to FortiGate.
C. It captures the login and logoff events and forwards them to the collector agent.
D. It captures the login events and forwards them to FortiGate.

Answer 135

A. It captures the login events and forwards them to the collector agent.

Question 136

FortiGate has been configured for firewall authentication. When attempting to access an external website, the user is not presented with a login prompt.

What is the most likely reason for this situation?
Select one:
A. No matching user account exists for this user.
B. The user is using a guest account profile.
C. The user is using a super admin account.
D. The user was authenticated using passive authentication.

Answer 136

D. The user was authenticated using passive authentication.

Question 137

Which two statements about FortiGate antivirus databases are true? (Choose two.)
Select one or more:
A. The quick scan database is part of the normal database.
B. The extended database is available only if AI scanning is enabled.
C. The extended database is available on all FortiGate models.
D. The extreme database is available only on certain FortiGate models.

Answer 137

C. The extended database is available on all FortiGate models.
D. The extreme database is available only on certain FortiGate models.

Question 138

Examine the exhibit, which shows a firewall policy configured with multiple security profiles.

Which two security profiles are handled by the IPS engine? (Choose two.)
Select one or more:
A. Web Filter
B. AntiVirus
C. Application Control 
D. IPS

Answer 138

C. Application Control

D. IPS

Question 139

View the exhibit.
A user at 192.168.32.15 is trying to access the web server at 172.16.32.254.
Exhib_route
Which two statements best describe how the FortiGate will perform reverse path forwarding (RPF) checks on this traffic? (Choose two.)
Select one or more:

A. Strict RPF check will deny the traffic.
B. Loose RPF check will deny the traffic.
C. Strict RPF check will allow the traffic.
D. Loose RPF check will allow the traffic.

Answer 139

C. Strict RPF check will allow the traffic.

D. Loose RPF check will allow the traffic.

Question 140

What two settings must you configure when FortiGate is being deployed as a root FortiGate in a Security Fabric topology? (Choose two.)
Select one or more:

A. Fabric name
B. FortiAnalyzer IP address
C. FortiManager IP address
D. Pre-authorize downstream FortiGate devices

Answer 140

A. Fabric name

B. FortiAnalyzer IP address

Question 141

Examine this FortiGate configuration:
config system global
set av-failopen pass
end
config ips global
set fail-open disable
end
Examine the output of the following debug command:
# diagnose hardware sysinfo conserve
memory conserve mode: on
total RAM: 3040 MB
memory used: 2706 MB 89% of total RAM
memory freeable: 334 MB 11% of total RAM
memory used + freeable threshold extreme: 2887 MB 95% of total RAM
memory used threshold red: 2675 MB 88% of total RAM
memory used threshold green: 2492 MB 82% of total RAM
Based on the diagnostic outputs above, how is FortiGate handling new packets that require IPS inspection?

Select one:
A. They are allowed and inspected as long as no additional proxy-based inspection is required.
B. They are allowed, but with no inspection.
C. They are allowed and inspected.
D. They are dropped.

Answer 141

D. They are dropped.

Question 142

Examine the following log message attributes:
subtype=”webfilter” hostname=www.youtube.com profile=”default” action=”passthrough” msg=”URL belongs to a category with warnings enabled”

Which two statements about the log are correct? (Choose two.)

Select one or more:
A. The user failed authentication.
B. The user was prompted to decide whether to proceed or go back.
C. The category action was set to warning.
D. The website was allowed on the first attempt.

Answer 142

B. The user was prompted to decide whether to proceed or go back.
C. The category action was set to warning.

Question 143

Which two configuration settings are global settings? (Choose two.)
Select one or more:
A. FortiGuard settings 
B. User & Device settings
C. Firewall policies
D. HA settings

Answer 143

A. FortiGuard settings

D. HA settings

Question 144

An administrator needs to create a tunnel mode SSL-VPN to access an internal web server from the internet. The web server is connected to port1. The internet is connected to port2. Both interfaces belong to the VDOM named Corporation.

What interface must be used as the source for the firewall policy that will allow this traffic?
Select one:
A. ssl.Corporation 
B. ssl.root
C. port2
D. port1

Answer 144

A. ssl.Corporation

Question 145

Which statement about firewall policy NAT is true?
Select one:
A. DNAT is not supported.
B. SNAT can automatically apply to multiple firewall policies, based on SNAT policies.
C. DNAT can automatically apply to multiple firewall policies, based on DNAT rules.
D. You must configure SNAT for each firewall policy.

Answer 145

D. You must configure SNAT for each firewall policy.

Question 146

Which two statements about advanced AD access mode for the FSSO collector agent are true? (Choose two.)
Select one or more:
A. It supports monitoring of nested groups.
B. FortiGate can act as an LDAP client to configure the group filters.
C. It uses the Windows convention for naming; that is, Domain\Username.
D. It is only supported if DC agents are deployed.

Answer 146

A. It supports monitoring of nested groups.

B. FortiGate can act as an LDAP client to configure the group filters.

Question 147

What is eXtended Authentication (XAuth)?
Select one:
A. It is an IPsec extension that authenticates remote VPN peers using a preshared key.
B. It is an IPsec extension that forces remote VPN users to authenticate using their local ID.
C. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).
D. It is an IPsec extension that authenticates remote VPN peers using digital certificates.

Answer 147

C. It is an IPsec extension that forces remote VPN users to authenticate using their credentials (username and password).

Question 148

Which three methods can be used to deliver the token code to a user who is configured to use two-factor authentication? (Choose three.)
Select one or more:
A. SMS text message 
B. Email 
C. Voicemail message
D. Instant message app
E. FortiToken

Answer 148

A. SMS text message
B. Email
E. FortiToken

Question 149

What does the command diagnose debug fsso-polling refresh-user
do?
Select one:
A. It enables agentless polling mode real-time debug.
B. It refreshes user group information from any servers connected to FortiGate using a collector agent.
C. It displays status information and some statistics related to the polls done by FortiGate on each DC.
D. It refreshes all users learned through agentless polling.

Answer 149

D. It refreshes all users learned through agentless polling.

Question 150

An administrator wants to monitor their network for any probing attempts aimed to exploit existing vulnerabilities in their servers.

Which two items must they configure on their FortiGate to accomplish this? (Choose two.)
Select one or more:
A. An application control profile and set all application signatures to monitor
B. An IPS sensor to monitor all signatures applicable to the server
C. A DoS policy, and log all UDP and TCP scan attempts
D. A web application firewall profile to check protocol constraints

Answer 150

B. An IPS sensor to monitor all signatures applicable to the server
C. A DoS policy, and log all UDP and TCP scan attempts

Question 151

Examine the exhibit, which shows a FortiGate with two VDOMs: VDOM1 and VDOM2.

Both VDOMs are operating in NAT/route mode. The subnet 10.0.1.0/24 is connected to VDOM1. The subnet 10.0.2.0/24 is connected to VDOM2. There is an inter-VDOM link between VDOM1 and VDOM2. Also, necessary firewall policies are configured in VDOM1 and VDOM2.

Which two static routes are required in the FortiGate configuration to route traffic between both subnets through an inter-VDOM link? (Choose two.)
Select one or more:
A. A static route in VDOM1 for the destination subnet of 10.0.2.0/24
B. A static route in VDOM1 with the destination subnet matching the subnet assigned to the inter-VDOM link
C. A static route in VDOM2 for the destination subnet 10.0.1.0/24
D. A static route in VDOM2 with the destination subnet matching the subnet assigned to the inter-VDOM link

Answer 151

C. A static route in VDOM2 for the destination subnet 10.0.1.0/24

Question 152

Examine this partial output from the diagnose sys session list
CLI command:

diagnose sys session list
session info: proto=6 proto_state=05 duration=2 expire=78 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

What does this output state?
Select one:
A. proto_state=05 is the ICMP state.
B. proto_state=05 means there is only one-way traffic.
C. proto_state=05 is the UDP state.
D. proto_state=05 is the TCP state.

Answer 152

D. proto_state=05 is the TCP state.

Question 153

Which two statements about incoming and outgoing interfaces in firewall policies are true? (Choose two.)
Select one or more:
A. Only the any interface can be chosen as an incoming interface.
B. Multiple interfaces can be selected as incoming and outgoing interfaces.
C. An incoming interface is mandatory in a firewall policy, but an outgoing interface is optional.
D. A zone can be chosen as the outgoing interface.

Answer 153

B. Multiple interfaces can be selected as incoming and outgoing interfaces.
D. A zone can be chosen as the outgoing interface.

Question 154

Which two statements correctly describe the differences between IPsec main mode and IPsec aggressive mode? (Choose two.)
Select one or more:
A. Aggressive mode supports XAuth, while main mode does not.
B. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.
C. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.
D. Main mode cannot be used for dialup VPNs, while aggressive mode can.

Answer 154

B. The first packet of aggressive mode contains the peer ID, while the first packet of main mode does not.
C. Six packets are usually exchanged during main mode, while only three packets are exchanged during aggressive mode.

Question 155

Which two statements about the application control profile mode are true? (Choose two.)
Select one or more:
A. It uses flow-based scanning techniques, regardless of the inspection mode used.
B. It cannot be used in conjunction with IPS scanning.
C. It can be selected in either flow-based or proxy-based firewall policy.
D. It can scan only unsecure protocols.

Answer 155

A. It uses flow-based scanning techniques, regardless of the inspection mode used.
C. It can be selected in either flow-based or proxy-based firewall policy.

Question 156

Which two statements about the SD-WAN feature on FortiGate are true? (Choose two.)
Select one or more:
A. An SD-WAN static route does not require a next-hop gateway IP address.
B. Each member interface requires its own firewall policy to allow traffic.
C. SD-WAN provides route failover protection, but cannot load balance traffic.
D. FortiGate supports only one SD-WAN interface per VDOM.

Answer 156

A. An SD-WAN static route does not require a next-hop gateway IP address.
D. FortiGate supports only one SD-WAN interface per VDOM.

Question 157

View the exhibit.

Which two behaviors result from this full (deep) SSL configuration? (Choose two.)
Select one or more:
A. The browser bypasses all certificate warnings and allows the connection.
B. A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
C. A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.
D. A temporary trusted FortiGate certificate replaces the server certificate, even when the server certificate is untrusted.

Answer 157

B. A temporary trusted FortiGate certificate replaces the server certificate when the server certificate is trusted.
C. A temporary untrusted FortiGate certificate replaces the server certificate when the server certificate is untrusted.

Question 158

An administrator has configured central DNAT and virtual IPs.

Which item can be selected in the firewall policy Destination field?
Select one:
A. An IP pool
B. A VIP object
C. A VIP group
D. The mapped IP address object of the VIP object

Answer 158

D. The mapped IP address object of the VIP object

Question 159

An administrator configured antivirus profile in a firewall policy set to flow-based inspection mode. While testing the configuration, the administrator noticed that eicar.com test files can be downloaded using HTTPS protocol only.

What is causing this issue?
Select one:
A. Full content inspection for HTTPS is disabled.
B. The test file is larger than the oversize limit.
C. Hardware acceleration is in use.
D. HTTPS protocol is not enabled under Inspected Protocols.

Answer 159

A. Full content inspection for HTTPS is disabled.

Question 160

Which two statements about antivirus scanning in a firewall policy set to proxy-based inspection mode are true? (Choose two.)
Select one or more:
A. The client must wait for the antivirus scan to finish scanning before it receives the file.
B. A file does not need to be buffered completely before it is moved to the antivirus engine for scanning.
C. If a virus is detected, a block replacement message is displayed immediately.
D. FortiGate sends a reset packet to the client if antivirus reports the file as infected.

Answer 160

A. The client must wait for the antivirus scan to finish scanning before it receives the file.
C. If a virus is detected, a block replacement message is displayed immediately.

Question 161

View the exhibit.

Which statement about the configuration settings is true?
Select one:
A. When a remote user accesses http://10.200.1.1:443, the SSL-VPN login page opens.
B. The settings are invalid. The administrator settings and the SSL-VPN settings cannot use the same port.
C. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.
D. When a remote user accesses https://10.200.1.1:443, the FortiGate login page opens.

Answer 161

C. When a remote user accesses https://10.200.1.1:443, the SSL-VPN login page opens.

Question 162

Which three actions are valid for static URL filtering? (Choose three.)
Select one or more:
A. Warning
B. Exempt 
C. Allow 
D. Block 
E. Shape

Answer 162

B. Exempt
C. Allow
D. Block

Question 163

Which statement about traffic flow in an active-active HA cluster is true?
Select one:
A. The secondary device responds to the primary device with a SYN/ACK, and then the primary device forwards the SYN/ACK to the client.
B. All FortiGate devices are assigned the same virtual MAC addresses for the HA heartbeat interfaces to redistribute to the sessions.
C. The ACK from the client is received on the physical MAC address of the primary device.
D. The SYN packet from the client always arrives at the primary device first.

Answer 163

D. The SYN packet from the client always arrives at the primary device first.

Question 164

Examine the exhibit showing a routing table.
Exhib_route
Which route will be selected when trying to reach 10.20.30.254?
Select one:
A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3
B. 0.0.0.0/0 [10/0] via 172.20.121.2, port1
C. 10.30.20.0/24 [10/0] via 172.20.121.2, port1
D. 10.20.30.0/26 [10/0] via 172.20.168.254, port2

Answer 164

A. 10.20.30.0/24 [10/0] via 172.20.167.254, port3

Question 165

Which load balancing method is not supported in equal cost multipath (ECMP) load balancing, but is supported in SD-WAN?
Select one:
A. Source-destination IP based 
B. Weight based
C. Source IP based
D. Volume based

Answer 165

C. Source IP based

Question 166

Which statement about the HA override setting in FortiGate HA clusters is true?
Select one:
A. You must configure override settings manually and separately for each cluster member.
B. It reboots FortiGate.
C. It synchronizes device priority on all cluster members.
D. It enables monitored ports.

Answer 166

A. You must configure override settings manually and separately for each cluster member.

Question 167

View the exhibit.

date=2021-03-16 time=14:45:16 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd=”root” policyid=2 identidx=1 sessionid=31232959 user=”anonymous” group=”ldap_users” srcip=192.168.1.24 srcport=63355 srcintf=”port2” dstip=66.171.121.44 dstport=80 dstintf=”port1” service=”http” hostname=”www.fortinet.com” profiletype=”Webfilter_Profile” profile=”default” status=”passthrough” reqtype=”direct” url=”/” sentbyte=304 rcvdbyte=60135 msg=”URL belongs to an allowed category in policy” method=domain class=0 cat=140 catdesc=”custom1”

What does this raw log indicate? (Choose two.)
Select one or more:
A. 192.168.1.24 is the IP address for www.fortinet.com.
B. FortiGate allowed the traffic to pass
C. The traffic matches the webfilter profile on firewall policy ID 2.
D. The traffic originated from 66.171.121.44.

Answer 167

B. FortiGate allowed the traffic to pass

C. The traffic matches the webfilter profile on firewall policy ID 2.

Question 168

Which three settings and protocols can be used to provide secure and restrictive administrative access to FortiGate? (Choose three.)
Select one or more:
A. HTTPS 
B. FortiTelemetry
C. Trusted authentication
D. SSH 
E. Trusted host

Answer 168

A. HTTPS
D. SSH
E. Trusted host

Question 169

A client workstation is connected to FortiGate port2. FortiGate port1 is connected to an ISP router. port2 and port3 are both configured as a software switch.

Which IP address must be configured on the workstation as the default gateway?
Select one:
A. The software switch interface IP address
B. The FortiGate management IP address
C. The port2 IP address
D. The router IP address

Answer 169

A. The software switch interface IP address